CN108763926B - Industrial control system intrusion detection method with safety immunity capability - Google Patents

Publication number
CN108763926B
Authority
CN
China
Prior art keywords
control system
industrial control
data
intrusion detection
algorithm
Legal status
Active
Application number
CN201810556731.2A
Other languages
Chinese (zh)
Other versions
CN108763926A (en)
Inventor
范科峰
杨建军
彭道刚
陈冬阳
刘贤刚
姚相振
李琳
Current Assignee
BEIJING SAIXI TECHNOLOGY DEVELOPMENT CO LTD
Shanghai University of Electric Power
China Electronics Standardization Institute
Original Assignee
BEIJING SAIXI TECHNOLOGY DEVELOPMENT CO LTD
Shanghai University of Electric Power
China Electronics Standardization Institute
Application filed by BEIJING SAIXI TECHNOLOGY DEVELOPMENT CO LTD, Shanghai University of Electric Power, China Electronics Standardization Institute
Priority to CN201810556731.2A
Publication of CN108763926A
Application granted
Publication of CN108763926B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]

Abstract

The invention discloses an industrial control system intrusion detection method with safety immunity capability. The method comprises an industrial control system data preprocessing model and an industrial control system intrusion detection model, the data preprocessing model being connected to the intrusion detection model and comprising industrial control system data acquisition and industrial control system data feature extraction. The method is intended for the intrusion detection system of an industrial control system: first, kernel principal component analysis extracts features from the industrial data and reduces its dimensionality; then a particle swarm algorithm with safety immunity capability optimises a one-class support vector machine to establish a more accurate intrusion detection model. The method improves the accuracy of the intrusion detection model, reduces the false alarm rate and the missed report rate, and also reduces the training time and the complexity of the intrusion detection model.

Description

Industrial control system intrusion detection method with safety immunity capability
Technical Field
The invention relates to an industrial control system intrusion detection method, in particular to an industrial control system intrusion detection method with safety immunity capability, and belongs to the technical field of industrial control system application.
Background
Industrial control systems are key infrastructure in the industrial sector and realise the automated operation and control of industrial production. With the deep convergence of automation and informatisation in recent years, modern industrial control systems increasingly rely on operating systems, open protocols and communication technologies from the IT domain, which bring their own vulnerabilities into the industrial control system. In addition, frequent information security incidents involving industrial control systems have drawn growing attention to their security, and intrusion detection plays an important role as the first barrier of active defence. Intrusion detection for an industrial control system monitors and analyses the system's communication behaviour in real time to detect abnormal attack behaviour, and carries out interception, alarming, system recovery and other operations before the attack does damage. Data features that reflect system behaviour are extracted from the pattern differences between normal operations and human intrusion attacks, and a designed detection algorithm identifies the data belonging to intrusion attacks, thereby achieving anomaly detection of attack behaviour.
Industrial control system intrusion detection can be divided into two parts: the first is feature extraction and selection on the industrial data, and the second is the intrusion detection model built with an intelligent algorithm on the feature-extracted data of the first part, which detects abnormal attacks. Industrial data is characterised by large volume, multiple sources, continuous sampling, low value density, high complexity and strong dynamics, so it is relatively difficult to analyse and demands high analysis precision. The multiple sources and high complexity of industrial big data give it high dimensionality, and dimensionality reduction is needed before it can be accurately analysed and predicted. Feature extraction is a common dimensionality reduction method; its principle is to construct a new low-dimensional space from the original feature space, eliminating redundant and irrelevant features and effectively reducing the dimension of the data. Extracting the features of industrial data and reducing its dimensionality overcomes the large data volume and high dimensionality of the industrial control system and in turn reduces the complexity of subsequent modelling and processing. Typical feature extraction methods include Principal Component Analysis (PCA).
PCA is a multidimensional orthogonal linear transformation based on statistical characteristics and a multivariate statistical method: it converts a multi-feature problem in a high-dimensional space into a small number of new features in a low-dimensional space, replaces the original features with the new ones for subsequent processing, and thereby moves the problem from the high-dimensional space into the low-dimensional space. PCA dimensionality reduction requires that every new feature is a linear combination of the original features, that the principal components obtained after reduction retain most of the information of the original features, and that the principal components are linearly independent. Because it is computationally efficient and simple to implement, PCA is a widely applied dimensionality reduction method, and it is currently also the main feature extraction method applied to data processing for industrial control system intrusion detection.
Industrial control system intrusion detection extracts data features that reflect system behaviour from the pattern differences between normal operations and intrusion attacks, and is essentially a classification of industrial data into normal and abnormal industrial data. The Support Vector Machine (SVM) is an algorithm that classifies data samples into positive and negative classes, which makes it well suited to an industrial control system intrusion detection model, so the SVM is widely used for this purpose. Industrial data from an industrial control system is high-dimensional and strongly correlated; most of it is normal data, data from fault or critical states is scarce, abnormal data is hard to obtain and few samples are available. The one-class support vector machine (OCSVM) was derived from the SVM to solve the problem of training a classifier when only one class of samples is available: the OCSVM algorithm treats the origin of the coordinate system as the abnormal sample and constructs an optimal hyperplane in the feature space that maximally separates the target data from the origin. The OCSVM has the advantages of short computation time, a small number of training samples, robustness to noisy sample data and the ability to build a more accurate classification model, and it is the most frequently used classification method in current industrial control system intrusion detection. However, OCSVM-based industrial control system intrusion detection algorithms suffer from long training times and a poor ability to identify unknown abnormal industrial behaviour.
Industrial control system data is highly real-time, large in volume, highly complex and strongly nonlinear. In feature-extraction-based dimensionality reduction, Principal Component Analysis (PCA) uses the covariance matrix of the features to judge the consistency of variance among variables and finds the optimal linear combination of variables to replace the features, thereby reducing the dimension. Most complex real-world data is nonlinear. PCA is only suited to linearly related data; for nonlinear industrial data, the linear relationship assumed by PCA is inefficient and cannot reflect the true characteristics of the industrial data, so the accuracy of the reduced data is low. The method introduces a kernel method on top of the linear feature extraction algorithm. The kernel method assumes that the data in the original space may be nonlinear, but that projecting this nonlinear data into a higher-dimensional kernel space by a kernel transformation may make it linear. Although the sample points have a higher dimension in the kernel space, the actual computation is still carried out in the original space through a kernel function or kernel matrix, since the transformed high-dimensional samples never need to be used explicitly. In this way the kernel transformation extends linear discrimination in the original space into nonlinear discrimination. Kernel Principal Component Analysis (KPCA) is the method that resolves the inefficiency and inaccuracy of PCA on nonlinear data and suits the characteristics of industrial control system data.
In the one-class support vector machine (OCSVM) algorithm, the choice of the kernel function parameter g and of the parameter v that balances normal and abnormal data is crucial: different parameters lead to different decision functions, which directly affect the final detection result, so the two parameters need to be optimised with an intelligent algorithm. The grid search method is slow, easily yields local optima and seriously affects the detection quality and real-time performance of the OCSVM. The PSO algorithm is simple and efficient, easy to implement, has few parameters to adjust, converges quickly to an optimal solution, obtains optimisation results quickly and well, and can be widely applied. However, the basic particle swarm algorithm has the drawback that as the number of iterations increases the diversity of the population decreases, causing premature convergence, so that a locally optimal result may occur, it easily falls into a local minimum and the search accuracy is not high. The particle swarm algorithm therefore suffers from slow convergence and a tendency to fall into a local optimum in the later convergence stage. Meanwhile, feature selection for industrial data in existing industrial control systems mainly uses the principal component analysis method, which is efficient, simple to implement and handles linear data, but has the drawback that it cannot process nonlinear data well, especially highly complex, strongly nonlinear industrial data.
Existing industrial control system intrusion detection models optimise the one-class support vector machine (OCSVM) with an intelligent algorithm, as in PSO-OCSVM, but that algorithm cannot overcome its own drawbacks, namely that it easily falls into a local minimum, its search precision is not high and its convergence is slow, so the resulting model has low accuracy and a certain false alarm rate and missed report rate. An industrial control system intrusion detection method with safety immunity capability is therefore provided to solve these problems.
Disclosure of Invention
The invention aims to solve the above problems by providing an industrial control system intrusion detection method with safety immunity capability that is suitable for an industrial control system intrusion detection system.
The invention achieves this aim through the following technical scheme. The industrial control system intrusion detection method with safety immunity capability comprises an industrial control system data preprocessing model and an industrial control system intrusion detection model, the data preprocessing model being connected to the intrusion detection model and comprising industrial control system data acquisition and industrial control system data feature extraction. The detection method comprises the following steps:
step A, relevant industrial data is collected on site from the industrial control system through industrial control system data acquisition, and feature extraction is carried out on the collected raw industrial data; industrial control system feature extraction applies the necessary noise-reduction screening to the raw operating data, eliminates redundant and irrelevant features, selects industrial data that truly reflects the characteristics of the industrial control system, and reduces the complexity of subsequent modelling;
step B, establishing an industrial control system intrusion detection model: the model is established with an intelligent algorithm from the industrial data processed in step A;
step C, the intrusion detection model is established with a PSO-OCSVM algorithm with safety immunity: the OCSVM algorithm builds the industrial control system intrusion detection model from the processed industrial data, and the PSO algorithm optimises the OCSVM parameter v and the kernel function parameter g;
step D, the PSO is optimised with the idea of an immune algorithm with safety immunity capability to form a PSO-OCSVM algorithm based on the safety immunity idea, thereby detecting intrusions into the industrial control system.
Preferably, in step A, the KPCA method is selected for feature extraction.
The detection method comprises the following steps:
(1) reading the raw industrial control system data, i.e. the sample data, and selecting a kernel function, the candidate kernel functions comprising the linear kernel function, the p-order polynomial kernel function, the Gaussian radial basis function kernel function and the multilayer perceptron kernel function; the nonlinear industrial data is kernelised so that the original nonlinear sample data is projected into a high-dimensional space where it forms linear sample data;
(2) standardising the original sample data so that its mean is 0, computing the covariance matrix of the standardised data, and then computing the eigenvalues and eigenvectors of the covariance matrix;
(3) following the principle of principal component analysis, sorting the eigenvalues from largest to smallest and selecting the top m as the dimensionality reduction matrix according to a cumulative variance contribution rate of more than 90%;
(4) multiplying the standardised data by the dimensionality reduction matrix to obtain the final reduced data Y;
(5) establishing the industrial control system intrusion detection model from the reduced data Y according to the OCSVM algorithm principle, where the choice of the parameters g and v in the OCSVM algorithm affects the performance of the algorithm and hence the accuracy of the intrusion detection model; the PSO algorithm derives from research on the foraging behaviour of bird flocks and guides the whole swarm to move towards the optimal solution through the sharing of individual information within the swarm;
(6) initialising the relevant parameters of the PSO algorithm and the positions and velocities of the population to obtain the initial positions and velocities of the particles;
(7) computing the fitness of the current generation of antibodies, where the affinity measures the degree of match between antigen and antibody and represents how close the solution found by the current generation is to the optimal solution;
(8) after the OCSVM model is established, computing its classification accuracy and assigning it to the two extreme values of each particle, namely Pbest and Gbest; judging whether the termination condition is reached, and if so ending the algorithm to obtain the optimal parameters; if not, generating immune memory cells by selecting, according to affinity, a portion of the antibodies with higher affinity and storing them in a memory bank as immune memory cells;
(9) generating an immune vaccine by selecting the two antibodies with the highest affinity, performing an intersection operation on them and storing the resulting common subset in a vaccine library as the immune vaccine;
(10) updating the positions and velocities of the particles to obtain n updated particles, then randomly selecting q antibodies from the memory cells to form an antibody group of size n + q;
(11) promotion or inhibition of antibodies: computing the selection probability of the antibodies and selecting n antibodies according to that probability to form a new antibody group; then, in a certain proportion, inoculating the antibodies with lower affinity with the immune vaccine;
(12) immune selection: computing the fitness of the inoculated particles; if the fitness is not the same as before inoculation, the inoculation is discarded and the original value kept, otherwise the inoculation is accepted;
(13) returning to step (7) to recompute the affinity of the new antibodies and make the next judgement; finally, a KPCA-PSO-OCSVM industrial control system intrusion detection model with optimal parameters and safety immunity capability is obtained.
Preferably, the gaussian radial basis function kernel is selected in step (1).
The invention has the beneficial effects that:
(1) The invention borrows the immune evolution mechanism of the immune system: introducing the antibody concentration regulation mechanism and the immune selection operation of the immune algorithm increases the diversity of the particle population in the particle swarm algorithm and expands the search space of the solution; immune memory, immune vaccine and similar operations improve the convergence speed and precision of the PSO algorithm; and newly defined antibody concentration selection, immune vaccine and similar operations help improve the solving efficiency of the algorithm, markedly improving the convergence speed and precision of the improved algorithm. Industrial control system intrusion detection is mainly divided into two parts: feature selection on the industrial data of the industrial control system, and establishment of the industrial control system intrusion detection model.
(2) Introducing the ability of kernel principal component analysis to process nonlinear data into the industrial control system intrusion detection model overcomes the inability of principal component analysis to handle nonlinear industrial data well, and realises optimal feature selection for the industrial data of the industrial control system.
(3) The particle swarm optimised OCSVM algorithm with safety immunity capability overcomes the slow convergence of the particle swarm optimisation algorithm and its tendency to fall into a local optimum in the later convergence stage. The method borrows the immune evolution mechanism of the immune system: it increases the diversity of the particle population by introducing the antibody concentration regulation mechanism and the immune selection operation of the immune algorithm, expands the search space of the solution, improves the convergence speed and precision of the PSO algorithm through immune memory, immune vaccine and similar operations, and defines new antibody concentration selection, immune vaccine and similar operations that help improve the solving efficiency of the algorithm. The method can establish a more accurate intrusion detection model, improve intrusion detection accuracy, reduce the false alarm rate and the missed report rate, improve the convergence speed and precision of the algorithm, and reduce both the training time and the complexity of the intrusion detection model. It has reference value for existing industrial control system intrusion detection methods.
Drawings
FIG. 1 is a block diagram of the KPCA-PSO-OCSVM industrial control system intrusion detection model with safety immunity capability;
FIG. 2 is an algorithm framework diagram of the OCSVM parameter optimisation performed by the PSO algorithm with safety immunity capability.
Reference numerals: 1, industrial control system data preprocessing model; 2, industrial control system intrusion detection model.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1 and FIG. 2, an industrial control system intrusion detection method with safety immunity capability comprises an industrial control system data preprocessing model (1) and an industrial control system intrusion detection model (2), where the data preprocessing model (1) is connected to the intrusion detection model (2) and comprises industrial control system data acquisition and industrial control system data feature extraction. The detection method comprises the following steps:
step A, relevant industrial data is collected on site from the industrial control system through industrial control system data acquisition, and feature extraction is carried out on the collected raw industrial data; industrial control system feature extraction applies the necessary noise-reduction screening to the raw operating data, eliminates redundant and irrelevant features, selects industrial data that truly reflects the characteristics of the industrial control system, and reduces the complexity of subsequent modelling;
step B, establishing an industrial control system intrusion detection model: the model is established with an intelligent algorithm from the industrial data processed in step A;
step C, the intrusion detection model is established with a PSO-OCSVM algorithm with safety immunity: the OCSVM algorithm builds the industrial control system intrusion detection model from the processed industrial data, and the PSO algorithm optimises the OCSVM parameter v and the kernel function parameter g;
step D, the PSO is optimised with the idea of an immune algorithm with safety immunity capability to form a PSO-OCSVM algorithm based on the safety immunity idea, thereby detecting intrusions into the industrial control system.
In step A, the KPCA method is selected for feature extraction.
The detection method comprises the following steps:
(1) reading the raw industrial control system data, i.e. the sample data, and selecting a kernel function, the candidate kernel functions comprising the linear kernel function, the p-order polynomial kernel function, the Gaussian radial basis function kernel function and the multilayer perceptron kernel function; the nonlinear industrial data is kernelised so that the original nonlinear sample data is projected into a high-dimensional space where it forms linear sample data;
(2) standardising the original sample data so that its mean is 0, computing the covariance matrix of the standardised data, and then computing the eigenvalues and eigenvectors of the covariance matrix;
(3) following the principle of principal component analysis, sorting the eigenvalues from largest to smallest and selecting the top m as the dimensionality reduction matrix according to a cumulative variance contribution rate of more than 90%;
(4) multiplying the standardised data by the dimensionality reduction matrix to obtain the final reduced data Y;
(5) establishing the industrial control system intrusion detection model from the reduced data Y according to the OCSVM algorithm principle, where the choice of the parameters g and v in the OCSVM algorithm affects the performance of the algorithm and hence the accuracy of the intrusion detection model; the PSO algorithm derives from research on the foraging behaviour of bird flocks and guides the whole swarm to move towards the optimal solution through the sharing of individual information within the swarm;
(6) initialising the relevant parameters of the PSO algorithm and the positions and velocities of the population to obtain the initial positions and velocities of the particles;
(7) computing the fitness of the current generation of antibodies, where the affinity measures the degree of match between antigen and antibody and represents how close the solution found by the current generation is to the optimal solution;
(8) after the OCSVM model is established, computing its classification accuracy and assigning it to the two extreme values of each particle, namely Pbest and Gbest; judging whether the termination condition is reached, and if so ending the algorithm to obtain the optimal parameters; if not, generating immune memory cells by selecting, according to affinity, a portion of the antibodies with higher affinity and storing them in a memory bank as immune memory cells;
(9) generating an immune vaccine by selecting the two antibodies with the highest affinity, performing an intersection operation on them and storing the resulting common subset in a vaccine library as the immune vaccine;
(10) updating the positions and velocities of the particles to obtain n updated particles, then randomly selecting q antibodies from the memory cells to form an antibody group of size n + q;
(11) promotion or inhibition of antibodies: computing the selection probability of the antibodies and selecting n antibodies according to that probability to form a new antibody group; then, in a certain proportion, inoculating the antibodies with lower affinity with the immune vaccine;
(12) immune selection: computing the fitness of the inoculated particles; if the fitness is not the same as before inoculation, the inoculation is discarded and the original value kept, otherwise the inoculation is accepted;
(13) returning to step (7) to recompute the affinity of the new antibodies and make the next judgement; finally, a KPCA-PSO-OCSVM industrial control system intrusion detection model with optimal parameters and safety immunity capability is obtained.
The Gaussian radial basis function kernel is selected in step (1).
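As an added example, not code from the patent, the immune-enhanced particle swarm search of steps (6) to (13) in Python, searching the OCSVM parameters (g, v) over a constructed accuracy surface that stands in for training an OCSVM on the reduced data Y and measuring its classification accuracy. The search box, tolerances, memory-bank size and the concentration-based selection formula are assumptions of this example, and the "intersection" of step (9) is taken to be the coordinates on which the two best antibodies agree.

```python
"""Immune-enhanced PSO over the OCSVM parameters (g, v), after steps (6)-(13).
Added example: the accuracy surface is a constructed stand-in, not a trained OCSVM."""
import math
import random

# Assumed search box: g is searched in log space; v is the OCSVM outlier fraction.
LN_G_RANGE = (math.log(0.01), math.log(10.0))
V_RANGE = (0.01, 0.5)
TOL = (0.3, 0.03)      # per-coordinate tolerance for the vaccine "intersection"
RADIUS = (0.5, 0.05)   # neighbourhood used for antibody concentration


def stand_in_accuracy(ln_g, v):
    """Constructed stand-in for OCSVM classification accuracy: a global peak near
    (g=0.5, v=0.1) and a narrow local peak near (g=5, v=0.4) of the kind a plain
    PSO can settle on. A real run would train the OCSVM on Y here."""
    g = math.exp(ln_g)
    top = 0.43 * math.exp(-(math.log(g / 0.5) ** 2) / 4.0 - ((v - 0.1) / 0.2) ** 2)
    trap = 0.30 * math.exp(-(math.log(g / 5.0) ** 2) - ((v - 0.4) / 0.05) ** 2)
    return 0.55 + top + trap


def clamp(pos):
    """Keep a (ln g, v) position inside the search box."""
    lo, hi = zip(LN_G_RANGE, V_RANGE)
    return tuple(min(max(x, a), b) for x, a, b in zip(pos, lo, hi))


def make_vaccine(a, b):
    """Step (9): 'intersection' of the two best antibodies. Coordinates on which
    they agree within TOL are kept (as the midpoint); the rest stay open (None)."""
    return tuple((x + y) / 2 if abs(x - y) <= t else None for x, y, t in zip(a, b, TOL))


def inoculate(pos, vaccine):
    """Step (11): transplant the vaccine's fixed coordinates into a weak antibody."""
    return tuple(x if fixed is None else fixed for x, fixed in zip(pos, vaccine))


def immune_select(old_pos, new_pos, fitness):
    """Step (12): keep the inoculated antibody only if its affinity did not drop.
    (The page reads 'not the same as before'; the usual immune-PSO reading,
    used here, is 'worse than before'.)"""
    return new_pos if fitness(*new_pos) >= fitness(*old_pos) else old_pos


def concentration(pos, positions):
    """Fraction of the group lying within RADIUS of pos (pos itself counts)."""
    near = [q for q in positions if all(abs(x - y) <= r for x, y, r in zip(pos, q, RADIUS))]
    return len(near) / len(positions)


def select_antibodies(group, fitness, n, rng, alpha=0.7):
    """Step (11): selection probability mixes affinity (promotion) with low
    concentration (inhibition of crowded antibodies); sampled without replacement."""
    positions = [p["pos"] for p in group]
    aff = [fitness(*x) for x in positions]
    div = [1.0 - concentration(x, positions) + 1e-9 for x in positions]
    weights = [alpha * a / sum(aff) + (1 - alpha) * d / sum(div) for a, d in zip(aff, div)]
    pool, chosen = list(zip(group, weights)), []
    while len(chosen) < n and pool:
        i = rng.choices(range(len(pool)), weights=[w for _, w in pool])[0]
        chosen.append(pool.pop(i)[0])
    return chosen


def immune_pso(fitness, n=40, q=8, iters=80, seed=7, w=0.6, c1=1.6, c2=1.6, vac_share=0.2):
    """Run the immune PSO; returns (best (ln g, v), best fitness). The termination
    condition of step (8) is taken to be the iteration cap."""
    rng = random.Random(seed)

    def antibody(pos):
        return {"pos": pos, "vel": (rng.uniform(-1, 1), rng.uniform(-0.05, 0.05)), "pbest": pos}

    swarm = [antibody((rng.uniform(*LN_G_RANGE), rng.uniform(*V_RANGE))) for _ in range(n)]  # (6)
    gbest = max((p["pos"] for p in swarm), key=lambda x: fitness(*x))
    memory = []
    for _ in range(iters):
        for p in swarm:                                                     # (7)-(8)
            if fitness(*p["pos"]) > fitness(*p["pbest"]):
                p["pbest"] = p["pos"]
            if fitness(*p["pos"]) > fitness(*gbest):
                gbest = p["pos"]
        ranked = sorted(swarm, key=lambda p: fitness(*p["pos"]), reverse=True)
        memory = ([dict(p) for p in ranked[:q]] + memory)[:3 * q]          # memory cells
        vaccine = make_vaccine(ranked[0]["pos"], ranked[1]["pos"])         # (9)
        for p in swarm:                                                     # (10)
            r1, r2 = rng.random(), rng.random()
            p["vel"] = tuple(w * vd + c1 * r1 * (pb - x) + c2 * r2 * (gb - x)
                             for vd, x, pb, gb in zip(p["vel"], p["pos"], p["pbest"], gbest))
            p["pos"] = clamp(tuple(x + vd for x, vd in zip(p["pos"], p["vel"])))
        group = swarm + [dict(m) for m in rng.sample(memory, min(q, len(memory)))]
        swarm = select_antibodies(group, fitness, n, rng)                  # (11)
        weakest = sorted(swarm, key=lambda p: fitness(*p["pos"]))[:int(vac_share * n)]
        for p in weakest:                                                   # (12)
            p["pos"] = immune_select(p["pos"], inoculate(p["pos"], vaccine), fitness)
    gbest = max([gbest] + [p["pos"] for p in swarm], key=lambda x: fitness(*x))   # (13)
    return gbest, fitness(*gbest)


if __name__ == "__main__":
    best, acc = immune_pso(stand_in_accuracy)
    print("g=%.3f v=%.3f stand-in accuracy=%.3f" % (math.exp(best[0]), best[1], acc))
```

To use it against a real model, replace stand_in_accuracy with a function that trains the OCSVM on Y with the given (g, v) and returns its classification accuracy.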
The invention exploits the ability of kernel principal component analysis to process nonlinear data by introducing it into the industrial control system intrusion detection model, which overcomes the inability of principal component analysis to handle nonlinear industrial data well and realises optimal feature selection for the industrial data of the industrial control system. The particle swarm optimised OCSVM algorithm with safety immunity capability overcomes the slow convergence of the particle swarm optimisation algorithm and its tendency to fall into a local optimum in the later convergence stage. The method borrows the immune evolution mechanism of the immune system: it increases the diversity of the particle population by introducing the antibody concentration regulation mechanism and the immune selection operation of the immune algorithm, expands the search space of the solution, improves the convergence speed and precision of the PSO algorithm through immune memory, immune vaccine and similar operations, and defines new antibody concentration selection, immune vaccine and similar operations that help improve the solving efficiency of the algorithm. The method can establish a more accurate intrusion detection model, improve intrusion detection accuracy, reduce the false alarm rate and the missed report rate, improve the convergence speed and precision of the algorithm, and reduce both the training time and the complexity of the intrusion detection model. It has reference value for existing industrial control system intrusion detection methods.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Furthermore, although the description refers to embodiments, not every embodiment contains only a single independent technical solution; the description is written this way only for clarity, and those skilled in the art should read the description as a whole and combine the embodiments as appropriate to form other embodiments they would understand.

Claims (1)

1. An industrial control system intrusion detection method with safety immunity capability, characterized in that: it includes an industrial control system data preprocessing model (1) and an industrial control system intrusion detection model (2), the industrial control system intrusion detection model (2) being connected to the industrial control system data preprocessing model (1); the industrial control system data preprocessing model (1) includes industrial control system data acquisition and industrial control system data feature extraction; and the detection method includes the following steps:
step A, industrial control system data preprocessing: relevant industrial data are collected on site from the industrial control system by industrial control system data collection, and feature extraction is carried out on the collected original industrial data; the industrial control system feature extraction performs the necessary noise-reduction screening on the original working data, eliminates redundant and irrelevant features, selects industrial data that truly reflect the characteristics of the industrial control system, and reduces the complexity of subsequent modeling;
step B, establishing an industrial control system intrusion detection model: the industrial control system intrusion detection model is established by an intelligent algorithm from the industrial data processed in step A;
step C, establishing the intrusion detection model with the PSO-OCSVM algorithm with safety immunity, wherein the OCSVM algorithm establishes the industrial control system intrusion detection model from the processed industrial data, and the PSO algorithm optimizes the OCSVM parameter v and the kernel function parameter g;
step D, optimizing the PSO with the idea of an immune algorithm with safety immunity capability to form a PSO-OCSVM algorithm based on the safety immunity idea, thereby realizing detection of intrusion into the industrial control system;
the KPCA method is selected for the feature extraction in step A;
the detection method comprises the following steps:
(1) reading the original industrial control system data, namely the sample data; selecting a kernel function, the selectable kernel functions including the linear kernel function, the p-order polynomial kernel function, the Gaussian radial basis function kernel function and the multilayer perceptron kernel function; applying the kernel mapping to the nonlinear industrial data so as to project the original nonlinear sample data into a high-dimensional space in which it becomes linear sample data;
(2) standardizing the original sample data so that the mean is 0, calculating the covariance matrix of the standardized data, and then calculating the eigenvalues and eigenvectors of the covariance matrix;
(3) according to the principal component analysis method: sorting the eigenvalues from largest to smallest and selecting the top m items, according to a cumulative variance contribution rate of more than 90%, to form the dimension reduction matrix;
(4) multiplying the standardized data by the dimension reduction matrix to obtain the final dimension-reduced data Y;
(5) establishing the industrial control system intrusion detection model from the dimension-reduced data Y according to the OCSVM algorithm principle, wherein the choice of the parameters g and v of the OCSVM algorithm affects the performance of the algorithm and hence the accuracy of the intrusion detection model; the PSO algorithm derives from research on the predation behaviour of bird flocks, in which the sharing of individual information within the flock guides the whole flock to migrate towards the optimal solution;
(6) initializing the relevant parameters of the PSO algorithm, and initializing the positions and speeds of the population to obtain the initial positions and speeds of the particles;
(7) calculating the affinity of the current-generation antibodies, wherein the affinity measures the matching degree between antigen and antibody and represents how close the solution found by the current generation is to the optimal solution;
(8) after the OCSVM model is established, calculating the classification accuracy of the OCSVM model and taking it as the fitness from which the two extreme values of each particle, namely Pbest and Gbest, are assigned; judging whether the termination condition is reached; if so, ending the algorithm to obtain the optimal parameters; if not, generating immune memory cells by selecting, according to the magnitude of the affinity, a part of the antibodies with higher affinity and storing them in a memory bank as the immune memory cells;
(9) generating an immune vaccine: selecting the two antibodies with the highest affinity to carry out a crossover operation, and storing the resulting common subset in a vaccine library as the immune vaccine;
(10) updating the positions and speeds of the particles to obtain n updated particles, and then randomly selecting q antibodies from the memory cells to form an antibody group of size n + q;
(11) promotion or inhibition of antibodies: calculating the selection probability of the antibodies and selecting n antibodies according to the selection probability to form a new antibody group; in a certain proportion, carrying out immune vaccine inoculation on the antibodies with lower affinity using the immune vaccine;
(12) immune selection: calculating the fitness value of the inoculated particles; if the fitness is not as good as before inoculation, the inoculation is abandoned and the original value kept, otherwise the inoculation is accepted;
(13) returning to step (7) to recalculate the affinity of the new antibody group and repeat the judgment; finally, a KPCA-PSO-OCSVM intrusion detection model for the industrial control system with optimal parameters and safety immunity capability is obtained;
the Gaussian radial basis function kernel function is selected in step (1).
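As an added example that is not part of the patent, the following Python sketches the immune-enhanced PSO of steps (6) to (13): immune memory (8), a vaccine built from the components the two best antibodies share (9), concentration-regulated selection over the n + q group (10)-(11), vaccination of the weakest antibodies and immune selection (11)-(12). The OCSVM classification accuracy that serves as fitness in the patent is replaced by a constructed stand-in function, and the search box, tolerances and swarm constants are assumed values.

```python
# Added example, not the patent's code: immune-enhanced PSO over the OCSVM
# parameters (v, g) following claim steps (6)-(13). The OCSVM classification
# accuracy used as fitness in the patent is a constructed stand-in here.
import random

random.seed(7)
LOW, HIGH = (0.01, 0.1), (0.5, 10.0)   # constructed search box for (v, g)
TOL = (0.02, 0.5)                      # per-component similarity tolerance (assumed)
N, Q, MEM, W, C1, C2 = 12, 4, 6, 0.6, 1.5, 1.5   # swarm and PSO constants (assumed)

def fitness(p):  # stand-in for OCSVM accuracy (constructed; peak at v=0.1, g=2)
    return 1.0 - (p[0] - 0.1) ** 2 - 0.01 * (p[1] - 2.0) ** 2

def clip(p):  # keep a particle inside the search box
    return tuple(min(max(x, lo), hi) for x, lo, hi in zip(p, LOW, HIGH))

def concentration(pop):  # step (11): share of the group within TOL of each antibody
    sim = lambda a, b: all(abs(x - y) <= t for x, y, t in zip(a, b, TOL))
    return [sum(sim(a, b) for b in pop) / len(pop) for a in pop]

def selection_probs(pop):  # step (11): rises with affinity, falls with concentration
    score = [fitness(a) / c for a, c in zip(pop, concentration(pop))]
    return [s / sum(score) for s in score]

def make_vaccine(pop):  # step (9): components the two best antibodies agree on
    a, b = sorted(pop, key=fitness)[-2:]
    return tuple((x + y) / 2 if abs(x - y) <= t else None for x, y, t in zip(a, b, TOL))

def inoculate(p, vac):  # step (11): write the vaccine's components into a weak antibody
    return tuple(x if v is None else v for x, v in zip(p, vac))

def immune_select(before, after):  # step (12): keep inoculation only if not worse
    return after if fitness(after) >= fitness(before) else before

def immune_pso(iters=40):
    pop = [clip(tuple(random.uniform(lo, hi) for lo, hi in zip(LOW, HIGH))) for _ in range(N)]
    vel, pbest, gbest, memory = [(0.0, 0.0)] * N, list(pop), max(pop, key=fitness), []
    for _ in range(iters):
        memory = sorted(memory + pop, key=fitness)[-MEM:]                   # step (8)
        vac = make_vaccine(pop)                                              # step (9)
        vel = [tuple(W * vi + C1 * random.random() * (b - x) + C2 * random.random() * (g - x)
                     for vi, x, b, g in zip(v, p, pb, gbest)) for v, p, pb in zip(vel, pop, pbest)]
        moved = [clip(tuple(x + vi for x, vi in zip(p, v))) for p, v in zip(pop, vel)]
        group = moved + random.sample(memory, min(Q, len(memory)))           # step (10)
        pop = random.choices(group, weights=selection_probs(group), k=N)     # step (11)
        for i in sorted(range(N), key=lambda i: fitness(pop[i]))[: N // 4]:  # weakest quarter
            pop[i] = immune_select(pop[i], inoculate(pop[i], vac))           # steps (11)-(12)
        pbest = [max(p, pb, key=fitness) for p, pb in zip(pop, pbest)]  # per slot (selection reorders)
        gbest = max(gbest, *pop, key=fitness)
    return gbest
```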

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810556731.2A CN108763926B (en) 2018-06-01 2018-06-01 Industrial control system intrusion detection method with safety immunity capability

Publications (2)

Publication Number Publication Date
CN108763926A (en) 2018-11-06
CN108763926B (en) 2021-11-12

Family

ID=64001730

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110659482B (en) * 2019-09-27 2022-03-25 吉林大学 Industrial network intrusion detection method based on GAPSO-TWSVM
CN113641990A (en) * 2021-06-21 2021-11-12 上海电力大学 Intrusion detection method based on multi-innovation extended Kalman filtering
CN116170241A (en) * 2023-04-26 2023-05-26 国家工业信息安全发展研究中心 Intrusion detection method, system and equipment of industrial control system

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101056074A (en) * 2007-05-18 2007-10-17 吉林大学 An ultrasonic motor control method based on the immunity particle cluster algorithm
CN104009886A (en) * 2014-05-23 2014-08-27 南京邮电大学 Intrusion detection method based on SVM
CN104601565A (en) * 2015-01-07 2015-05-06 天津理工大学 Network intrusion detection classification method of intelligent optimization rules
CN105703963A (en) * 2014-11-26 2016-06-22 中国科学院沈阳自动化研究所 PSO-OCSVM based industrial control system communication behavior anomaly detection method
WO2018072351A1 (en) * 2016-10-20 2018-04-26 北京工业大学 Method for optimizing support vector machine on basis of particle swarm optimization algorithm

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US20100146299A1 (en) * 2008-10-29 2010-06-10 Ashwin Swaminathan System and method for confidentiality-preserving rank-ordered search
CN101790251B (en) * 2010-01-13 2011-05-11 北京邮电大学 Wireless sensor node alliance generating method based on improved particle swarm optimization algorithm
CN101968853B (en) * 2010-10-15 2013-06-05 吉林大学 Improved immune algorithm based expression recognition method for optimizing support vector machine parameters
CN105022852A (en) * 2014-04-29 2015-11-04 同济大学 Method for solving product assembly sequence planning problem on the basis of immune particle swarm algorithm

Non-Patent Citations (3)

Title
Application of the KPCA-IPSO-OCSVM method to industrial control system intrusion detection; Chen Dongyang (陈冬阳) et al.; China Sciencepaper (《中国科技论文》); 2019-03-31; vol. 14, no. 3; pp. 326-333 *
Research on key technologies of intrusion prevention with immune response capability; Li Yongzheng (李勇征); China Doctoral Dissertations Full-text Database, Information Science and Technology series; 2013-12-15, no. 12; p. I139-7 *
Research on OCSVM-based intrusion detection algorithms for industrial control systems; Li Lin (李琳); China Masters' Theses Full-text Database, Information Science and Technology series; 2017-05-15, no. 05; p. I139-24 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant