CN110266680A - Industrial communication anomaly detection method based on dual similarity measurement - Google Patents

Publication number
CN110266680A
Authority
CN
China
Prior art keywords
industrial
tree
similarity measurement
feature
dual
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910519203.4A
Other languages
Chinese (zh)
Other versions
CN110266680B (en)
Inventor
万明
宋岩
景源
王俊陆
刘允
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenyang Bangcui Technology Co ltd
Original Assignee
Liaoning University
Application filed by Liaoning University
Priority to CN201910519203.4A
Publication of CN110266680A
Application granted
Publication of CN110266680B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An industrial communication anomaly detection method based on dual similarity measurement. Following the industrial communication interaction pattern and the industrial protocol specification, the method parses the communication data in an industrial control network and extracts industrial communication behavior features, builds behavior feature trees from these features, and performs intra-tree and inter-tree similarity measurement to discover abnormal communication in the industrial control network. In this way the invention takes both general network behavior features and industrial protocol semantic features into account and, through real-time analysis and anomaly determination on industrial communication data, detects industrial communication anomalies caused by malicious attacks or misoperation and raises alarms, safeguarding the industrial control system.

Description

Industrial communication anomaly detection method based on dual similarity measurement
Technical field
The present invention relates to the technical field of industrial control system network security, and in particular to an industrial communication anomaly detection method based on dual similarity measurement.
Background art
The information security risks facing China's industrial control systems are currently especially prominent, and the situation is severe. According to security reports from the industrial control systems cyber emergency response team under the U.S. Department of Homeland Security, information security incidents targeting industrial control systems have grown stepwise in recent years, with the energy and manufacturing sectors accounting for the largest share. In particular, the recent convergence of the Internet with industrial control systems has broken the inherent closedness of industrial systems, and the resulting information security problems are increasingly exposed.
An industrial control system is a business process management and control system made up of various automation control components and process control components that acquire and monitor real-time data; it ensures the automatic operation, process control and monitoring of industrial infrastructure. Compared with traditional network and information systems, most industrial control systems had to account for many factors during development and design, such as the application environment and control management, and put efficiency and real-time performance first. Early industrial control systems paid attention only to functional safety and lacked any design for information security, so industrial control systems generally lack effective industrial security defenses and data communication confidentiality measures. In addition, information security for industrial control systems must give priority to the availability and reliability of all system components; traditional IT security technologies such as firewalls and anti-virus software do not fit the characteristics of industrial control systems and cannot be applied to them directly.
For this reason, researchers have begun developing information security protection technologies adapted to the characteristics of industrial control systems, typically including industrial firewalls, industrial gateways, industrial software whitelisting and industrial intrusion detection. Industrial intrusion detection comprises feature detection and anomaly detection. Anomaly detection discovers abnormal behavior by matching against normal behavior; without interfering with the real-time performance and availability of the industrial control system, and without knowing the form of an attack in advance, it can effectively detect unknown attacks, and it has been widely accepted by researchers. Current anomaly detection methods for industrial control systems fall into three classes: statistics-based methods, knowledge-based methods and machine-learning-based methods. The machine-learning-based methods in turn include clustering, neural networks, Bayesian algorithms, genetic algorithms, fuzzy logic, support vector machines and similar techniques. In general, these methods start from the features of industrial communication behavior, analyze the communication data captured in the industrial control network by unsupervised or semi-supervised means, build a model of normal communication behavior, and decide whether an anomaly has occurred by computing the deviation from that model.
The industrial anomaly detection methods above often provide detection capability for only one aspect of industrial network communication. For example, many statistics-based methods use the CUSUM algorithm to compute abnormal change points in industrial communication traffic, while machine-learning-based methods detect anomalies from changes in a single industrial activity (such as a change of function code). They do not consider all industrial communication features together, so their anomaly detection capability is limited, and their use of anomaly detection engine methods is also one-sided.
Summary of the invention
The object of the present invention is to provide an industrial communication anomaly detection method based on dual similarity measurement. Following the industrial communication interaction pattern and the industrial protocol specification, the method parses the communication data in an industrial control network and extracts industrial communication behavior features, builds behavior feature trees from these features, and performs intra-tree and inter-tree similarity measurement to discover abnormal communication in the industrial control network. With the two similarity measurement algorithms, intra-tree and inter-tree, the method effectively and comprehensively improves anomaly detection capability, discovers known and unknown attacks in industrial network communication in real time, and protects industrial systems, networks and equipment.
To achieve this object, the invention adopts the following technical solution: an industrial communication anomaly detection method based on dual similarity measurement, characterized in that its steps are:
1) Classification and selection of industrial communication behavior features: divide the industrial communication data into different information samples by equal time intervals, and extract industrial communication behavior features according to the protocol specification and interaction pattern of the industrial communication protocol to form a feature space;
2) Construction of the industrial behavior feature tree: according to the feature space of each information sample, construct the main branches, secondary branches and leaf nodes of an industrial behavior feature tree, so that each information sample is represented by one industrial behavior feature tree;
3) Real-time anomaly determination by dual similarity measurement: perform the dual similarity measurement computation on the industrial behavior feature tree of each information sample, compare the results with the intra-tree measurement threshold and the inter-tree measurement threshold respectively, and determine whether an anomaly has occurred and raise an alarm.
In step 1), the industrial communication behavior features are divided into two classes: general network behavior features and industrial protocol semantic features.
The general network behavior features characterize how an information sample behaves in network transmission, and include: packet rate, average packet size, IP-to-port mapping, and the round-trip delay of a single access.
The industrial protocol semantic features are protocol-specific features extracted according to the industrial protocol syntax and specification, and include function code, coil or register address, and coil or register threshold values.
In step 2), the industrial behavior feature tree is constructed as follows:
2.1) create the root and trunk of the industrial behavior feature tree;
2.2) according to the two classes of industrial communication behavior features, create two main branches on the trunk;
2.3) on each main branch, create a secondary branch for every feature belonging to that main branch, for example a secondary branch representing packet rate on the main branch representing general network behavior features;
2.4) on each secondary branch, make each feature value of that feature a leaf node.
In step 3), the real-time anomaly determination by dual similarity measurement involves two computations:
3.1) intra-tree similarity measurement measures between different features within an industrial behavior feature tree, where the features belong to the same information sample;
3.2) inter-tree similarity measurement measures between the industrial behavior feature trees of different information samples.
The intra-tree similarity measurement uses the Minkowski distance as its measurement algorithm; the inter-tree similarity measurement uses cosine similarity as its measurement algorithm.
For the intra-tree similarity measurement using the Minkowski distance, the calculation formula is as follows:
where P = (p1, p2, …, pN) and Q = (q1, q2, …, qN) are the feature values of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter that is adjusted according to actual conditions.
For the inter-tree similarity measurement using cosine similarity, the calculation formula is as follows:
where x_k and y_k are the values of the same feature in different industrial behavior feature trees.
In step 3), the intra-tree measurement threshold and the inter-tree measurement threshold are rated values obtained by applying the dual similarity measurement computation to industrial communication data.
The beneficial effects of the invention are:
1. Compared with the prior art, the invention provides an industrial communication anomaly detection method based on dual similarity measurement that considers the general network behavior features in the industrial control network and also analyzes the industrial protocol semantic features. By constructing industrial behavior feature trees it makes feature detection more comprehensive and greatly improves anomaly detection capability.
2. The method uses two algorithms, intra-tree similarity measurement and inter-tree similarity measurement. Intra-tree similarity measurement measures between different features within the industrial behavior feature tree of the same information sample, and inter-tree similarity measurement measures between the industrial behavior feature trees of different information samples. Both measurements can effectively detect industrial communication anomalies caused by malicious attacks or misoperation.
3. The method is a third-party bypass monitoring and analysis method, deployed mainly on the mirror port of an industrial switch. It does not take part in the production process of the industrial control system and therefore does not interfere with the real-time performance or availability of industrial control.
4. The method can identify, detect and alert on intrusion and unauthorized behaviors that have occurred before in the industrial network, and can also detect unknown industrial network attacks, coping with the concealment and unpredictability of such attacks.
Brief description of the drawings:
Fig. 1 is a schematic diagram of an embodiment in which the method of the invention is deployed in a Modbus/TCP-based industrial control network.
Fig. 2 is a schematic diagram of the basic model of the method of the invention.
Fig. 3 is a schematic diagram of the main execution process of real-time anomaly detection in the method of the invention.
Fig. 4 is a schematic diagram of the industrial behavior feature tree construction process of the method of the invention.
Detailed description of the embodiments
An industrial communication anomaly detection method based on dual similarity measurement, whose steps are:
1) Classification and selection of industrial communication behavior features: divide the industrial communication data into different information samples by equal time intervals, and extract industrial communication behavior features according to the protocol specification and interaction pattern of the industrial communication protocol to form a feature space.
The industrial communication behavior features are divided into two classes: general network behavior features and industrial protocol semantic features.
The general network behavior features characterize how an information sample behaves in network transmission, and include: packet rate, average packet size, IP-to-port mapping, and the round-trip delay of a single access.
The industrial protocol semantic features are protocol-specific features extracted according to the industrial protocol syntax and specification, and include function code, coil or register address, and coil or register threshold values.
2) Construction of the industrial behavior feature tree: according to the feature space of each information sample, construct the main branches, secondary branches and leaf nodes of an industrial behavior feature tree, so that each information sample is represented by one industrial behavior feature tree.
The industrial behavior feature tree is constructed as follows:
2.1) create the root and trunk of the industrial behavior feature tree;
2.2) according to the two classes of industrial communication behavior features, create two main branches on the trunk;
2.3) on each main branch, create a secondary branch for every feature belonging to that main branch, for example a secondary branch representing packet rate on the main branch representing general network behavior features;
2.4) on each secondary branch, make each feature value of that feature a leaf node.
3) Real-time anomaly determination by dual similarity measurement: perform the dual similarity measurement computation on the industrial behavior feature tree of each information sample, compare the results with the intra-tree measurement threshold and the inter-tree measurement threshold respectively, and determine whether an anomaly has occurred and raise an alarm.
In step 3), the real-time anomaly determination by dual similarity measurement involves two computations:
3.1) intra-tree similarity measurement measures between different features within an industrial behavior feature tree, where the features belong to the same information sample. The intra-tree similarity measurement uses the Minkowski distance as its measurement algorithm, and the calculation formula is as follows:
where P = (p1, p2, …, pN) and Q = (q1, q2, …, qN) are the feature values of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter that is adjusted according to actual conditions.
3.2) inter-tree similarity measurement measures between the industrial behavior feature trees of different information samples. The inter-tree similarity measurement uses cosine similarity as its measurement algorithm, and the calculation formula is as follows:
where x_k and y_k are the values of the same feature in different industrial behavior feature trees.
In step 3), the intra-tree measurement threshold and the inter-tree measurement threshold are rated values obtained by applying the dual similarity measurement computation to industrial communication data.
Embodiment 1: The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
The method of the invention belongs to the field of information security detection and protection for industrial control systems. Fig. 1 shows an embodiment in which the method is deployed in a Modbus/TCP-based industrial control network. As shown, the method can be deployed as a third-party monitoring method on the mirror port of an industrial switch. The industrial switch carries the Modbus/TCP communication between workstations (such as operator stations and engineer stations) and main controllers (such as PLCs and DCS controllers) and copies all Modbus/TCP control communication data to its mirror port. A detection device using the method captures the communication data on the mirror port in real time and analyzes it, so as to discover intrusion, unauthorized behavior or misoperation mixed into the normal process operation of the industrial control system, and raises an alarm. In this embodiment, the method first captures the Modbus/TCP communication data stream between the workstation (Modbus/TCP master) and the main controller (Modbus/TCP slave). Through deep parsing and feature extraction it extracts the general network behavior features of the stream (including the packet rate of Modbus/TCP packets, the average packet size, the mapping of IP addresses to port 503, and the round-trip delay of each control request) and the industrial protocol semantic features (including the function code, coil address and corresponding switch value of each control request). It then builds industrial behavior feature trees from these features and performs anomaly detection with the dual similarity measurement algorithms.
The invention provides an industrial communication anomaly detection method based on dual similarity measurement. Fig. 2 shows the basic model of the method. The model has three main parts: initialization preprocessing, construction of the dual similarity measurement anomaly detection model, and real-time anomaly detection.
In the initialization preprocessing part, each industrial control communication protocol has its own communication interaction pattern according to its protocol specification, and this specificity is often closely tied to time. Therefore, when the captured communication data is analyzed, the communication data within equal time intervals is taken as an information sample, and the information sample is parsed with deep packet parsing.
In the model construction part, features are first extracted from the information samples and classified into general network behavior features and industrial protocol semantic features, which together form the feature space of industrial communication behavior. An industrial behavior feature tree is built from this feature space, so that each information sample is described by one industrial behavior feature tree. For each industrial behavior feature tree, all features are then normalized, and the dual similarity measurement mechanism is used to learn the intra-tree measurement threshold and the inter-tree measurement threshold. Intra-tree similarity measurement measures between different features within the industrial behavior feature tree of the same information sample; inter-tree similarity measurement measures between the industrial behavior feature trees of different information samples.
The real-time anomaly detection part, whose main execution process is shown in Fig. 3, captures the data transmitted in the industrial communication network online in real time, selects and extracts features from the data, and builds the corresponding industrial behavior feature tree. It then performs the dual similarity measurement computation, compares the results with the intra-tree and inter-tree measurement thresholds respectively, and determines whether an anomaly has occurred and raises an alarm. During anomaly determination, the intra-tree similarity measurement is computed first. If the result does not satisfy the intra-tree measurement threshold, the sample is judged abnormal and an alarm is raised. If it satisfies the intra-tree measurement threshold, the inter-tree similarity measurement is computed; if that result does not satisfy the inter-tree measurement threshold, the sample is judged abnormal and an alarm is raised.
In the dual similarity measurement mechanism, the intra-tree similarity measurement uses the Minkowski distance as its measurement algorithm, and the calculation formula is as follows:
where P = (p1, p2, …, pN) and Q = (q1, q2, …, qN) are the feature values of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter that can be adjusted according to actual conditions.
The inter-tree similarity measurement uses cosine similarity as its measurement algorithm, and the calculation formula is as follows:
where x_k and y_k are the values of the same feature in different industrial behavior feature trees.
Fig. 4 shows an embodiment of the construction process of the industrial behavior feature tree in the method of the invention. According to the feature space of each information sample, the main branches, secondary branches and leaf nodes of an industrial behavior feature tree are constructed, so that each information sample is represented by one industrial behavior feature tree. The main execution process is as follows:
Step 1: create the root and trunk of the industrial behavior feature tree;
Step 2: create two main branches on the trunk, one representing general network behavior features and the other representing industrial protocol semantic features;
Step 3: parse the information sample with techniques such as deep packet parsing to obtain all industrial communication behavior features in the sample; for every feature that is a general network behavior feature, create a corresponding secondary branch on that main branch, and for every feature that is an industrial protocol semantic feature, create a corresponding secondary branch on that main branch;
Step 4: create leaf nodes on each secondary branch, where each leaf node represents one feature value and all feature values of the same feature make up the leaf nodes of that secondary branch;
Step 5: check whether every feature and feature value in the information sample already has a corresponding secondary branch and leaf node on the industrial behavior feature tree; if so, construction of the industrial behavior feature tree is complete; if not, repeat steps 3 to 5.
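The tree construction and the two-stage determination described above (intra-tree check first, inter-tree check only if it passes) can be sketched as follows. This is an added example, not code from the patent: it uses the standard Minkowski distance and cosine similarity, and the feature names, max-based normalization, tolerance-derived thresholds, mean baseline tree and sample values are all assumptions made for illustration.

```python
import math
from itertools import combinations

# Names of the two main branches (assumed labels for the two feature classes).
MAIN_BRANCHES = ("general_network", "protocol_semantic")

def build_tree(sample):
    """Root -> two main branches -> one secondary branch per feature ->
    one leaf node per feature value."""
    tree = {branch: {} for branch in MAIN_BRANCHES}
    for branch in MAIN_BRANCHES:
        for feature, values in sample.get(branch, {}).items():
            tree[branch][feature] = [float(x) for x in values]
    return tree

def leaves(tree, scale=None):
    """Flatten a tree to {feature: leaf values}, divided by a per-feature scale."""
    flat = {}
    for branch in MAIN_BRANCHES:
        for feature, values in tree[branch].items():
            s = (scale or {}).get(feature, 1.0) or 1.0  # avoid division by zero
            flat[feature] = [x / s for x in values]
    return flat

def minkowski(p, q, v=2):
    """Standard Minkowski distance of order v between P and Q."""
    if len(p) != len(q):
        raise ValueError("feature vectors must have the same length N")
    return sum(abs(a - b) ** v for a, b in zip(p, q)) ** (1.0 / v)

def cosine(x, y):
    """Standard cosine similarity; two all-zero vectors count as identical."""
    nx = math.sqrt(sum(a * a for a in x))
    ny = math.sqrt(sum(b * b for b in y))
    if nx == 0.0 or ny == 0.0:
        return 1.0 if nx == ny else 0.0
    return sum(a * b for a, b in zip(x, y)) / (nx * ny)

def intra_profile(flat, v=2):
    """Intra-tree measurement: distance between every pair of features."""
    return {pair: minkowski(flat[pair[0]], flat[pair[1]], v)
            for pair in combinations(sorted(flat), 2)}

def learn(normal_samples, v=2, tol=0.1, margin=0.05):
    """Derive both thresholds from normal traffic (assumed learning rule)."""
    trees = [build_tree(s) for s in normal_samples]
    raw = [leaves(t) for t in trees]
    scale = {f: max(abs(x) for r in raw for x in r[f]) for f in raw[0]}
    flats = [leaves(t, scale) for t in trees]
    baseline = {}
    for f in scale:  # mean tree: element-wise average of the normal trees
        columns = zip(*(fl[f] for fl in flats))
        baseline[f] = [sum(col) / len(flats) for col in columns]
    profiles = [intra_profile(fl, v) for fl in flats]
    intra = {pair: (min(p[pair] for p in profiles) - tol,
                    max(p[pair] for p in profiles) + tol)
             for pair in profiles[0]}
    inter = {f: min(cosine(fl[f], baseline[f]) for fl in flats) - margin
             for f in scale}
    return {"v": v, "scale": scale, "baseline": baseline,
            "intra": intra, "inter": inter}

def detect(sample, model):
    """Intra-tree check first; inter-tree check only if it passes."""
    flat = leaves(build_tree(sample), model["scale"])
    for pair, dist in intra_profile(flat, model["v"]).items():
        lo, hi = model["intra"][pair]
        if not lo <= dist <= hi:
            return ("anomaly", "intra-tree", pair)
    for feature, floor in model["inter"].items():
        if cosine(flat[feature], model["baseline"][feature]) < floor:
            return ("anomaly", "inter-tree", feature)
    return ("normal", None, None)

def sample(rate, size, code, coil):
    """One information sample: N = 3 sub-interval values per feature."""
    return {"general_network": {"packet_rate": rate, "avg_packet_size": size},
            "protocol_semantic": {"function_code": code, "coil_address": coil}}

# Constructed values, not captured traffic.
NORMAL = [sample([10] * 3, [64] * 3, [1] * 3, [100, 100, 200]),
          sample([12] * 3, [64] * 3, [1] * 3, [100, 100, 200])]
MODEL = learn(NORMAL)
FLOOD = sample([120] * 3, [64] * 3, [1] * 3, [100, 100, 200])
REORDERED = sample([10] * 3, [64] * 3, [1] * 3, [200, 100, 100])

if __name__ == "__main__":
    for name, s in (("normal", NORMAL[0]), ("flood", FLOOD),
                    ("reordered", REORDERED)):
        print(name, detect(s, MODEL))
```

The reordered sample keeps every pairwise Minkowski distance inside the learned range, so only the cosine comparison against the baseline tree flags it, which is why the second stage is needed.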

Claims (10)

1. a kind of industrial communication method for detecting abnormality based on dual similarity measurement, which is characterized in that the steps include:
1) classification from selection of industrial communication behavioural characteristic: industrial communication data are divided by identical time interval different Intelligence sample extracts industrial communication behavioural characteristic, structure according to the agreement specification and industrial communication interactive mode of industrial communication protocol At feature space;
2) it constructs industrial behavioural characteristic tree: according to the feature space of each intelligence sample, constructing industrial behavioural characteristic tree respectively Main branch, secondary branch and leaf node, to make each intelligence sample with an industrial behavioural characteristic tree representation;
3) it the real-time anomalous discrimination of dual similarity measurement: to the industrial behavioural characteristic tree of each intelligence sample, carries out dual Similarity measurement calculates, and by calculated result, metric threshold is compared between the interior metric threshold of tree and tree respectively, judges whether Now exception and alarm.
2. a kind of industrial communication method for detecting abnormality based on dual similarity measurement according to claim 1, feature Be: in the step 1), the industrial communication behavioural characteristic is divided into two classes: general networking behavioural characteristic, industrial protocol Semantic feature.
3. a kind of industrial communication method for detecting abnormality based on dual similarity measurement according to claim 2, feature It is: the characteristic that the general networking behavior characteristic characterization intelligence sample is showed in network transmission, comprising: packet rate is put down The round-trip delay that equal Bao great little, IP are accessed to port mapping, once.
4. a kind of industrial communication method for detecting abnormality based on dual similarity measurement according to claim 2, feature Be: the industrial protocol semantic feature is the proprietary feature extracted according to industrial protocol grammer and protocol specification, including function Energy code, coil or register address, coil or register thresholding.
5. a kind of industrial communication method for detecting abnormality based on dual similarity measurement according to claim 1, feature Be: in the step 2), industrial behavioural characteristic tree building process is as follows:
2.1) root and trunk of industrial behavioural characteristic tree are created;
2.2) according to two class industrial communication behavioural characteristics, two main branches are created on tree trunk respectively;
2.3) on each main branch, to all feature-modelings time branch for belonging to the main branch, such as general networking row is being represented Creation represents the secondary branch of packet rate on the main branch being characterized;
2.4) on each secondary branch, using each characteristic value of this feature as a leaf node.
6. The industrial communication anomaly detection method based on dual similarity measurement according to claim 1, characterized in that: in step 3), the real-time anomaly discrimination by dual similarity measurement is computed in two respects:
3.1) in-tree similarity measurement is the measurement between different features within an industrial behaviour feature tree, where the industrial behaviour feature tree belongs to the same message sample;
3.2) between-tree similarity measurement is the measurement between the industrial behaviour feature trees of different message samples.
7. The industrial communication anomaly detection method based on dual similarity measurement according to claim 6, characterized in that: the in-tree similarity measurement uses Minkowski distance as its metric algorithm; the between-tree similarity measurement uses cosine similarity as its metric algorithm.
8. The industrial communication anomaly detection method based on dual similarity measurement according to claim 7, characterized in that: the in-tree similarity measurement uses Minkowski distance as its metric algorithm, with the following calculation formula:
where P=(p1,p2,…,pN) and Q=(q1,q2,…,qN) respectively represent the feature values of two kinds of features in the feature space of the same industrial behaviour feature tree, and v is a variable parameter that is adjusted according to actual conditions.
9. The industrial communication anomaly detection method based on dual similarity measurement according to claim 7, characterized in that: the between-tree similarity measurement uses cosine similarity as its metric algorithm, with the following calculation formula:
where xk and yk respectively represent feature values of the same kind in different industrial behaviour feature trees.
10. The industrial communication anomaly detection method based on dual similarity measurement according to claim 1, characterized in that: in step 3), the in-tree metric threshold and the between-tree metric threshold are rated values obtained by dual similarity measurement computation on industrial communication data.
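An added worked example, not part of the patent text, of the procedure in claims 5 to 10: build a feature tree per message sample, then score it with an in-tree Minkowski distance and a between-tree cosine similarity. The formulas of claims 8 and 9 did not survive on this page, so the code uses the standard definitions of both metrics; the feature names, the pre-scaled sample values, the thresholds and the decision rule are assumptions made for illustration.

```python
import math
from itertools import combinations

GENERAL = ("packet_rate", "avg_packet_size")                         # general network behaviour
SEMANTIC = ("function_code", "register_address", "register_value")  # protocol semantics

def build_tree(sample):
    """Root -> two main branches -> one secondary branch per feature -> leaf values."""
    return {"general_network": {f: list(sample[f]) for f in GENERAL},
            "protocol_semantic": {f: list(sample[f]) for f in SEMANTIC}}

def features(tree):
    """Collect every secondary branch as {feature name: leaf values}."""
    return {f: leaves for branch in tree.values() for f, leaves in branch.items()}

def minkowski(p, q, v=2):
    """In-tree metric: textbook Minkowski distance of order v between two features."""
    return sum(abs(a - b) ** v for a, b in zip(p, q)) ** (1.0 / v)

def cosine(x, y):
    """Between-tree metric: textbook cosine similarity of one feature in two trees."""
    norm = math.sqrt(sum(a * a for a in x)) * math.sqrt(sum(b * b for b in y))
    return sum(a * b for a, b in zip(x, y)) / norm if norm else 0.0

def in_tree_profile(tree, v=2):
    feats = features(tree)
    return {pair: minkowski(feats[pair[0]], feats[pair[1]], v)
            for pair in combinations(sorted(feats), 2)}

def is_anomalous(tree, baseline, in_thr, between_thr, v=2):
    """Assumed rule: in-tree drift from baseline > in_thr, or any cosine < between_thr."""
    base, cur = in_tree_profile(baseline, v), in_tree_profile(tree, v)
    drift = max(abs(cur[k] - base[k]) for k in base)
    fb, ft = features(baseline), features(tree)
    lowest = min(cosine(ft[f], fb[f]) for f in fb)
    return drift > in_thr or lowest < between_thr

# Constructed message samples: four observations per feature, pre-scaled to [0, 1].
BASELINE = build_tree({"packet_rate": [0.50, 0.52, 0.49, 0.51],
                       "avg_packet_size": [0.30, 0.31, 0.30, 0.29],
                       "function_code": [0.03, 0.03, 0.03, 0.03],
                       "register_address": [0.10, 0.11, 0.10, 0.12],
                       "register_value": [0.40, 0.42, 0.41, 0.40]})
SUSPECT = build_tree({"packet_rate": [0.51, 0.50, 0.50, 0.52],
                      "avg_packet_size": [0.30, 0.30, 0.31, 0.30],
                      "function_code": [0.03, 0.16, 0.03, 0.16],
                      "register_address": [0.10, 0.90, 0.11, 0.95],
                      "register_value": [0.41, 0.99, 0.42, 0.01]})
print(is_anomalous(SUSPECT, BASELINE, in_thr=0.2, between_thr=0.95))
```

In practice the two thresholds would be derived from recorded normal traffic, as claim 10 describes, rather than fixed by hand as they are here.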
CN201910519203.4A 2019-06-17 2019-06-17 Industrial communication anomaly detection method based on dual similarity measurement Active CN110266680B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910519203.4A CN110266680B (en) 2019-06-17 2019-06-17 Industrial communication anomaly detection method based on dual similarity measurement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910519203.4A CN110266680B (en) 2019-06-17 2019-06-17 Industrial communication anomaly detection method based on dual similarity measurement

Publications (2)

Publication Number Publication Date
CN110266680A true CN110266680A (en) 2019-09-20
CN110266680B CN110266680B (en) 2021-08-24

Family

ID=67918467

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910519203.4A Active CN110266680B (en) 2019-06-17 2019-06-17 Industrial communication anomaly detection method based on dual similarity measurement

Country Status (1)

Country Link
CN (1) CN110266680B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106502234A (en) * 2016-10-17 2017-03-15 重庆邮电大学 Industrial control system method for detecting abnormality based on double skeleton patterns
CN107038380A (en) * 2017-04-14 2017-08-11 华中科技大学 A kind of leak detection method and system based on performance of program tree
CN107483455A (en) * 2017-08-25 2017-12-15 国家计算机网络与信息安全管理中心 A kind of network node abnormality detection method and system based on stream
CN108737410A (en) * 2018-05-14 2018-11-02 辽宁大学 A kind of feature based is associated limited to know industrial communication protocol anomaly detection method
CN108804635A (en) * 2018-06-01 2018-11-13 广东电网有限责任公司 A kind of method for measuring similarity based on Attributions selection
CN108881277A (en) * 2018-07-10 2018-11-23 广东工业大学 The method, device and equipment of monitoring wireless sensor network node invasion
CN109190653A (en) * 2018-07-09 2019-01-11 四川大学 Malicious code family homology analysis technology based on semi-supervised Density Clustering
CN109413088A (en) * 2018-11-19 2019-03-01 中国科学院信息工程研究所 Threat Disposal Strategies decomposition method and system in a kind of network
CN109508733A (en) * 2018-10-23 2019-03-22 北京邮电大学 A kind of method for detecting abnormality based on distribution probability measuring similarity

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
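占渊; 肖蓉; 缪仲凯; 周双娥: "Research on an improved collaborative filtering similarity measurement algorithm", Computer Measurement & Control *
尚文利; 安攀峰; 万明; 赵剑明; 曾鹏: "A survey of research and development of intrusion detection technology for industrial control systems", Application Research of Computers *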

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110891055A (en) * 2019-11-20 2020-03-17 北京航空航天大学 Industrial control network white list abnormity detection method based on rule tree
CN111092889A (en) * 2019-12-18 2020-05-01 贾海芳 Distributed data node abnormal behavior detection method and device and server
CN112968906A (en) * 2021-03-25 2021-06-15 湖南大学 Modbus TCP abnormal communication detection method and system based on multi-tuple
CN112968906B (en) * 2021-03-25 2022-02-18 湖南大学 Modbus TCP abnormal communication detection method and system based on multi-tuple

Also Published As

Publication number Publication date
CN110266680B (en) 2021-08-24

Similar Documents

Publication Publication Date Title
CN107438052B (en) A kind of anomaly detection method towards unknown industrial communication protocol specification
Zolanvari et al. Effect of imbalanced datasets on security of industrial IoT using machine learning
CN109167796B (en) Deep packet inspection platform based on industrial SCADA system
CN110008713B (en) Industrial control system vulnerability detection method and system
CN109613899A (en) A method of the industrial control system security risk assessment based on allocation list
CN109861988A (en) A kind of industrial control system intrusion detection method based on integrated study
CN108737410B (en) Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association
CN110266680A (en) A kind of industrial communication method for detecting abnormality based on dual similarity measurement
CN106817363B (en) Intelligent ammeter abnormity detection method based on neural network
CN106982235A (en) A kind of power industry control network inbreak detection method and system based on IEC 61850
CN110120948B (en) Illegal external connection monitoring method based on wireless and wired data stream similarity analysis
CN113904862A (en) Distributed train control network intrusion detection method, system and storage medium
CN106230780B (en) A kind of intelligent transformer substation information and control system safety analysis Evaluation Platform
CN106452955B (en) A kind of detection method and system of abnormal network connection
CN112738063A (en) Industrial control system network safety monitoring platform
Kaouk et al. A review of intrusion detection systems for industrial control systems
Matoušek et al. Efficient modelling of ICS communication for anomaly detection using probabilistic automata
CN107104960A (en) A kind of industrial control system intrusion detection method based on machine learning
KR101281456B1 (en) Apparatus and method for anomaly detection in SCADA network using self-similarity
CN117411703A (en) Modbus protocol-oriented industrial control network abnormal flow detection method
CN110262420A (en) A kind of distributed industrial control network security detection system
CN107241307A (en) The Network Isolation safety device and method of a kind of self study based on message content
Hormann et al. Detecting Anomalies by using Self-Organizing Maps in Industrial Environments.
CN115550034B (en) Service flow monitoring method and device for distribution network power monitoring system
CN110995733A (en) Intrusion detection system in industrial control field based on remote measuring technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230404

Address after: 110167 room 246-113, floor 2, No. 109-1 (No. 109-1), quanyun Road, Shenyang area, China (Liaoning) pilot Free Trade Zone, Shenyang, Liaoning

Patentee after: Liaoning Industrial Control Technology Co.,Ltd.

Address before: 110000 58 Shenbei New Area Road South, Shenyang, Liaoning.

Patentee before: LIAONING University

TR01 Transfer of patent right

Effective date of registration: 20231101

Address after: 110000 Room 301, No. 73, Yalujiang East Street, Huanggu District, Shenyang, Liaoning 1002

Patentee after: Shenyang bangcui Technology Co.,Ltd.

Address before: 110167 room 246-113, floor 2, No. 109-1 (No. 109-1), quanyun Road, Shenyang area, China (Liaoning) pilot Free Trade Zone, Shenyang, Liaoning

Patentee before: Liaoning Industrial Control Technology Co.,Ltd.
