CN110266680B - An Anomaly Detection Method for Industrial Communication Based on Double Similarity Metrics - Google Patents


Info

Publication number: CN110266680B
Authority: CN (China)
Prior art keywords: industrial, tree, behavior, similarity, industrial communication
Legal status: Active
Application number: CN201910519203.4A
Other languages: Chinese (zh)
Other versions: CN110266680A (en)
Inventors: 万明, 宋岩, 景源, 王俊陆, 刘允
Current assignee: Shenyang Bangcui Technology Co ltd
Original assignee: Liaoning University
Priority date: 2019-06-17
Filing date: 2019-06-17
Events: application filed by Liaoning University; priority to CN201910519203.4A; publication of CN110266680A; application granted; publication of CN110266680B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The method analyzes communication data in an industrial control network and extracts industrial communication behavior features according to the industrial communication interaction mode and the industrial protocol, constructs a behavior feature tree from these features, and carries out an intra-tree similarity measurement and an inter-tree similarity measurement respectively, thereby discovering abnormal communication in the industrial control network. By analyzing industrial communication data in real time and judging anomalies, the method takes both general network behavior features and industrial protocol semantic features into account, detects industrial communication anomalies caused by malicious attacks or misoperation, raises alarms, and thereby safeguards the industrial control system.

Description

Industrial communication anomaly detection method based on dual similarity measurement
Technical Field
The invention relates to the technical field of industrial control system network security, in particular to an industrial communication anomaly detection method based on dual similarity measurement.
Background
The information security risk of industrial control systems in China is currently particularly prominent, and the situation is severe. According to the security reports of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) under the U.S. Department of Homeland Security, information security incidents in industrial control systems have risen steadily in recent years, with the energy and manufacturing industries accounting for the largest share. In particular, the integration of the Internet with industrial control systems in recent years has broken the closed nature that industrial systems used to rely on, so their information security problems are increasingly exposed.
An industrial control system is a business process management and control system made up of automatic control components and process control components that collect and monitor real-time data; it keeps industrial infrastructure running automatically and provides process control and monitoring. Compared with traditional networks and information systems, most industrial control systems had to weigh factors such as the application environment and control management during development and design, and efficiency and real-time behavior came first: functional safety was the only concern when the system was built, information security was not designed in, and industrial control systems therefore generally lack effective industrial security defenses and confidentiality measures for data communication. In addition, the information security of an industrial control system must give priority to the availability and reliability of all system components, so traditional IT security technologies such as firewalls and antivirus software do not fit the characteristics of industrial control systems and cannot be applied to them directly.
Researchers have therefore set out to develop information security technologies adapted to the characteristics of industrial control systems themselves, typically including industrial firewalls, industrial gatekeepers, industrial software whitelisting, industrial intrusion detection, and the like. Industrial intrusion detection comprises two parts, signature-based detection and anomaly detection. Anomaly detection discovers abnormal behavior by matching against normal behavior, so it can detect unknown attacks without knowing their signature in advance and without interfering with the real-time performance and availability of the industrial control system, which is why it is widely endorsed by researchers. Current anomaly detection methods for industrial control systems fall into three types: statistics-based methods, knowledge-based methods, and machine-learning-based methods. The machine-learning-based methods include clustering, neural networks, Bayesian algorithms, genetic algorithms, fuzzy logic, support vector machines, and similar techniques. Generally, these methods start from the characteristics of industrial communication behavior, use unsupervised or semi-supervised means to collect communication data from the industrial control network for analysis, build a model of normal communication behavior, and judge whether an anomaly has occurred by computing the deviation from that model.
Existing industrial anomaly detection methods usually provide detection capability from only one side of industrial network communication: many statistics-based methods use the CUSUM algorithm to compute change points in industrial communication traffic, while machine-learning-based methods discover anomalies in the changes of a particular industrial activity (such as changes of function codes). They therefore lack an all-round consideration of all industrial communication characteristics, their detection capability is limited, and the anomaly detection engines are also one-sided in application.
Disclosure of Invention
The invention aims to provide an industrial communication anomaly detection method based on dual similarity measurement, which analyzes the communication data in an industrial control network, extracts industrial communication behavior features according to the industrial communication interaction mode and the industrial protocol, constructs a behavior feature tree from these features, and measures intra-tree similarity and inter-tree similarity respectively so as to discover abnormal communication in the industrial control network. Through the two similarity measurement algorithms, within a tree and between trees, the method effectively and comprehensively improves anomaly detection capability, discovers both known and unknown attacks in industrial network communication in real time, and protects the security of industrial systems, networks and equipment.
To achieve this purpose, the invention adopts the following technical scheme. An industrial communication anomaly detection method based on dual similarity measurement is characterized by comprising the following steps:
1) classification and selection of industrial communication behavior features: dividing the industrial communication data into different message samples at the same time interval, and extracting industrial communication behavior features according to the protocol specification of the industrial communication protocol and the industrial communication interaction mode, to form a feature space;
2) constructing an industrial behavior feature tree: constructing the main branches, secondary branches and leaf nodes of the industrial behavior feature tree according to the feature space of each message sample, so that each message sample is represented by one industrial behavior feature tree;
3) real-time anomaly discrimination by dual similarity measurement: performing the dual similarity measurement calculation on the industrial behavior feature tree of each message sample, comparing the results with the intra-tree metric threshold and the inter-tree metric threshold respectively, judging whether an anomaly has occurred, and raising an alarm.
In step 1), the industrial communication behavior features are divided into two categories: general network behavior features and industrial protocol semantic features.
The general network behavior features describe how the message samples behave when transmitted over the network and include: packet rate, average packet size, IP-to-port mapping, and the round-trip delay of one access.
The industrial protocol semantic features are protocol-specific features extracted according to the industrial protocol syntax and protocol specification and include function codes, coil or register addresses, and coil or register field values.
In step 2), the industrial behavior feature tree is constructed as follows:
2.1) create the root and trunk of the industrial behavior feature tree;
2.2) create two main branches on the trunk, one for each of the two categories of industrial communication behavior features;
2.3) on each main branch, create a secondary branch for every feature belonging to that main branch, for example a secondary branch representing packet rate on the main branch representing general network behavior features;
2.4) on each secondary branch, take each value of that feature as a leaf node.
In step 3), the real-time anomaly discrimination by dual similarity measurement performs two calculations:
3.1) the intra-tree similarity measurement is the measurement between different features in one industrial behavior feature tree, where the features belong to the same message sample;
3.2) the inter-tree similarity measurement is the measurement between the industrial behavior feature trees of different message samples.
The intra-tree similarity measurement uses the Minkowski distance as its metric algorithm; the inter-tree similarity measurement uses cosine similarity as its metric algorithm.
The intra-tree similarity measurement uses the Minkowski distance as its metric algorithm, calculated by the following formula:
[Formula image BDA0002096073670000031 (Minkowski distance); not reproduced on this page]
where P = (p_1, p_2, …, p_N) and Q = (q_1, q_2, …, q_N) are the value vectors of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter adjusted according to the actual situation.
The inter-tree similarity measurement uses cosine similarity as its metric algorithm, calculated by the following formula:
[Formula image BDA0002096073670000032 (cosine similarity); not reproduced on this page]
where x_k and y_k respectively represent the values of the same kind of feature in different industrial behavior feature trees.
In step 3), the intra-tree metric threshold and the inter-tree metric threshold are rated values obtained by running the dual similarity measurement on industrial communication data.
The beneficial effects of the invention are as follows:
1. Compared with the prior art, the industrial communication anomaly detection method based on dual similarity measurement disclosed here not only considers the general network behavior features in the industrial control network but also analyzes the industrial protocol semantic features, and by constructing an industrial behavior feature tree it makes feature detection more comprehensive, greatly improving anomaly detection capability.
2. The method adopts two algorithms, intra-tree similarity measurement and inter-tree similarity measurement. The intra-tree measurement compares different features within the industrial behavior feature tree of the same message sample, the inter-tree measurement compares the industrial behavior feature trees of different message samples, and together the two can effectively handle industrial communication anomalies caused by malicious attacks or misoperation.
3. The method is a third-party bypass monitoring and analysis method, deployed mainly on a mirror port of an industrial switch; it does not take part in the production and manufacturing process of the industrial control system and therefore does not interfere with the real-time performance and availability of industrial control.
4. The method not only identifies, detects and alarms on intrusion and unauthorized behavior that has appeared in the industrial network before, but also detects unknown industrial network attacks, and suits the imperceptibility and unpredictability of such unknown attacks.
Description of the drawings:
FIG. 1 is a schematic diagram of an embodiment of application deployment of the method in an industrial control network based on Modbus/TCP.
FIG. 2 is a schematic diagram of a basic model of the method of the present invention.
FIG. 3 is a schematic diagram of the main implementation process of the real-time anomaly detection in the method of the present invention.
FIG. 4 is a schematic diagram of an industrial behavior feature tree construction process of the method of the present invention.
Detailed Description
An industrial communication anomaly detection method based on dual similarity measurement comprises the following steps:
1) classification and selection of industrial communication behavior features: the industrial communication data is divided into different message samples at the same time interval, and industrial communication behavior features are extracted according to the protocol specification of the industrial communication protocol and the industrial communication interaction mode to form a feature space.
The industrial communication behavior features are divided into two categories: general network behavior features and industrial protocol semantic features.
The general network behavior features describe how the message samples behave when transmitted over the network and include: packet rate, average packet size, IP-to-port mapping, and the round-trip delay of one access.
The industrial protocol semantic features are protocol-specific features extracted according to the industrial protocol syntax and protocol specification and include function codes, coil or register addresses, and coil or register field values.
2) Constructing an industrial behavior feature tree: the main branches, secondary branches and leaf nodes of the industrial behavior feature tree are constructed according to the feature space of each message sample, so that each message sample is represented by one industrial behavior feature tree.
The industrial behavior feature tree is constructed as follows:
2.1) create the root and trunk of the industrial behavior feature tree;
2.2) create two main branches on the trunk, one for each of the two categories of industrial communication behavior features;
2.3) on each main branch, create a secondary branch for every feature belonging to that main branch, for example a secondary branch representing packet rate on the main branch representing general network behavior features;
2.4) on each secondary branch, take each value of that feature as a leaf node.
3) Real-time anomaly discrimination by dual similarity measurement: the dual similarity measurement is calculated on the industrial behavior feature tree of each message sample, the results are compared with the intra-tree metric threshold and the inter-tree metric threshold respectively, and it is judged whether an anomaly has occurred and an alarm is raised.
In step 3), the real-time anomaly discrimination by dual similarity measurement performs two calculations:
3.1) the intra-tree similarity measurement is the measurement between different features in one industrial behavior feature tree, where the features belong to the same message sample; it uses the Minkowski distance as its metric algorithm, calculated by the following formula:
[Formula image BDA0002096073670000051 (Minkowski distance); not reproduced on this page]
where P = (p_1, p_2, …, p_N) and Q = (q_1, q_2, …, q_N) are the value vectors of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter adjusted according to the actual situation.
3.2) the inter-tree similarity measurement is the measurement between the industrial behavior feature trees of different message samples; it uses cosine similarity as its metric algorithm, calculated by the following formula:
[Formula image BDA0002096073670000052 (cosine similarity); not reproduced on this page]
where x_k and y_k respectively represent the values of the same kind of feature in different industrial behavior feature trees.
In step 3), the intra-tree metric threshold and the inter-tree metric threshold are rated values obtained by running the dual similarity measurement on industrial communication data.
Example 1: The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
The method of the invention belongs to the field of information security detection and protection for industrial control systems. FIG. 1 shows an embodiment of the method deployed in a Modbus/TCP-based industrial control network. As shown in the figure, the method can be used as a third-party monitoring method deployed on a mirror port of an industrial switch. The industrial switch carries the Modbus/TCP communication between the workstations (such as operator stations and engineer stations) and the master controllers (such as PLCs and DCS controllers) and copies all Modbus/TCP control communication data to its mirror port; a detection device applying the method captures the communication data from the mirror port in real time, analyzes and inspects it, discovers intrusion, unauthorized or misoperation behavior mixed into the normal process operation of the industrial control system, and raises an alarm. In this embodiment the method first captures the Modbus/TCP communication data stream between a workstation (Modbus/TCP master) and a master controller (Modbus/TCP slave), extracts its general network behavior features (including the packet rate of Modbus/TCP packets, the average packet size, the mapping information from IP addresses to port 503, the round-trip delay of each control request, and so on) and industrial protocol semantic features (including the function code, coil address and corresponding switch value of each control request) through deep parsing and feature extraction, then constructs an industrial behavior feature tree from these features and performs anomaly detection with the dual similarity measurement algorithm.
The invention provides an industrial communication anomaly detection method based on dual similarity measurement. FIG. 2 shows the basic model of the method. The model consists of three parts: initialization preprocessing, construction of the dual-similarity anomaly detection model, and real-time anomaly detection. In the initialization preprocessing part, each industrial control protocol has its own communication interaction mode according to its protocol specification, and this specificity is usually closely tied to time; therefore, when the captured communication data is analyzed, the communication data within the same time interval is taken as one message sample, and each message sample is parsed with deep packet inspection. In the model construction part, the features of the message samples are first extracted and classified into general network behavior features and industrial protocol semantic features, which together form the feature space of industrial communication behavior; an industrial behavior feature tree is built from this feature space so that every message sample is described by one tree; then all features of every tree are normalized, and the intra-tree metric threshold and the inter-tree metric threshold are learned by calculating with the dual similarity measurement mechanism, where the intra-tree similarity measurement compares different features within the industrial behavior feature tree of the same message sample and the inter-tree similarity measurement compares the industrial behavior feature trees of different message samples. In the real-time anomaly detection part, shown in FIG. 3, the transmission data in the industrial communication network is captured online in real time, features are selected and extracted from the data, the corresponding industrial behavior feature tree is constructed, the dual similarity measurement mechanism is calculated, and the results are compared with the intra-tree and inter-tree metric thresholds respectively to judge whether an anomaly has occurred and to raise an alarm. In the anomaly judgment, the intra-tree similarity measurement is calculated first; if its result does not satisfy the intra-tree metric threshold, an anomaly is declared and an alarm is raised; if it does, the inter-tree similarity measurement is calculated, and if that result does not satisfy the inter-tree metric threshold, an anomaly is declared and an alarm is raised.
In the dual similarity measurement mechanism, the intra-tree similarity measurement uses the Minkowski distance as its metric algorithm, calculated by the following formula:
[Formula image BDA0002096073670000061 (Minkowski distance); not reproduced on this page]
where P = (p_1, p_2, …, p_N) and Q = (q_1, q_2, …, q_N) are the value vectors of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter that can be adjusted according to the actual situation.
The inter-tree similarity measurement uses cosine similarity as its metric algorithm, calculated by the following formula:
[Formula image BDA0002096073670000062 (cosine similarity); not reproduced on this page]
where x_k and y_k respectively represent the values of the same kind of feature in different industrial behavior feature trees.
FIG. 4 shows the specific construction process of the industrial behavior feature tree in the method. The main branches, secondary branches and leaf nodes of the industrial behavior feature tree are constructed according to the feature space of each message sample, so that each message sample is represented by one industrial behavior feature tree. The main implementation process is as follows:
Step one: create the root and trunk of the industrial behavior feature tree;
Step two: create two main branches on the trunk, one representing the general network behavior features and the other representing the industrial protocol semantic features;
Step three: parse the message sample with techniques such as deep packet inspection to obtain all industrial communication behavior features in the sample, and create a corresponding secondary branch on the main branch for each feature belonging to the general network behavior features and likewise for each feature belonging to the industrial protocol semantic features;
Step four: create leaf nodes on each secondary branch, each leaf node representing one feature value, so that all values belonging to the same feature form the leaf nodes of that secondary branch;
Step five: check whether every feature and feature value in the message sample has a corresponding secondary branch and leaf node in the industrial behavior feature tree; if so, the construction of the industrial behavior feature tree is complete; if not, repeat steps three to five.
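The detection pipeline described above (feature tree from steps one to five, intra-tree Minkowski distance, inter-tree cosine similarity, and the intra-then-inter decision of FIG. 3), as an added Python example that is not part of the patent. The 4-packet message windows, the min-max normalization, the use of the first baseline tree as the inter-tree reference, the max/min aggregation of the pairwise scores and the 10% threshold margin are assumptions of this example, not details given by the patent.

```python
import math
from itertools import combinations
from typing import Dict, List, Tuple

# Feature names follow the two main branches the patent describes (general / semantic).
GENERAL = ("packet_rate", "avg_packet_size", "ip_port_mapping", "round_trip_delay")
SEMANTIC = ("function_code", "coil_address", "coil_value")
Sample = Dict[str, List[float]]           # feature name -> one value per packet of the window
Tree = Dict[str, Dict[str, List[float]]]  # main branch -> secondary branch -> leaf values

def build_tree(sample: Sample) -> Tree:
    """Steps 2.1-2.4: trunk with two main branches, one secondary branch per feature, leaves = values."""
    tree: Tree = {"general": {}, "semantic": {}}
    for name, values in sample.items():
        tree["general" if name in GENERAL else "semantic"][name] = list(values)
    return tree

def leaves(tree: Tree) -> Dict[str, List[float]]:
    """Flatten a tree back to feature name -> leaf values."""
    return {name: vals for branch in tree.values() for name, vals in branch.items()}

def minkowski(p: List[float], q: List[float], v: float) -> float:
    """Minkowski distance with order parameter v (v=1 Manhattan, v=2 Euclidean)."""
    return sum(abs(a - b) ** v for a, b in zip(p, q)) ** (1.0 / v)

def cosine(x: List[float], y: List[float]) -> float:
    """Cosine similarity; two all-zero vectors count as identical, a single zero vector as unrelated."""
    nx, ny = math.sqrt(sum(a * a for a in x)), math.sqrt(sum(b * b for b in y))
    if nx == 0.0 and ny == 0.0:
        return 1.0
    if nx == 0.0 or ny == 0.0:
        return 0.0
    return sum(a * b for a, b in zip(x, y)) / (nx * ny)

class DualSimilarityDetector:
    def __init__(self, v: float = 2.0, margin: float = 0.1):
        self.v, self.margin = v, margin  # margin: assumed tolerance around the learned thresholds
        self.bounds: Dict[str, Tuple[float, float]] = {}
        self.reference: Dict[str, List[float]] = {}
        self.intra_threshold = self.inter_threshold = 0.0

    def _normalize(self, tree: Tree) -> Dict[str, List[float]]:
        # Min-max normalization with bounds learned from the baseline (assumed scheme).
        out: Dict[str, List[float]] = {}
        for name, vals in leaves(tree).items():
            lo, hi = self.bounds[name]
            if hi == lo:  # constant in the baseline: any other value is fully out of range
                out[name] = [0.0 if x == lo else 1.0 for x in vals]
            else:
                out[name] = [min(1.0, max(0.0, (x - lo) / (hi - lo))) for x in vals]
        return out

    def intra_score(self, norm: Dict[str, List[float]]) -> float:
        # Largest Minkowski distance between any two features of the same tree.
        return max(minkowski(norm[a], norm[b], self.v) for a, b in combinations(sorted(norm), 2))

    def inter_score(self, norm: Dict[str, List[float]]) -> float:
        # Smallest cosine similarity of a feature against the same feature in the reference tree.
        return min(cosine(norm[k], self.reference[k]) for k in self.reference)

    def fit(self, baseline: List[Sample]) -> "DualSimilarityDetector":
        trees = [build_tree(s) for s in baseline]
        for name in leaves(trees[0]):
            allv = [x for t in trees for x in leaves(t)[name]]
            self.bounds[name] = (min(allv), max(allv))
        norms = [self._normalize(t) for t in trees]
        self.reference = norms[0]  # first baseline tree serves as the inter-tree reference
        self.intra_threshold = max(self.intra_score(n) for n in norms) * (1 + self.margin)
        self.inter_threshold = min(self.inter_score(n) for n in norms) * (1 - self.margin)
        return self

    def detect(self, sample: Sample) -> Tuple[bool, str]:
        """FIG. 3 order: intra-tree check first, inter-tree check only if the first one passes."""
        norm = self._normalize(build_tree(sample))
        if self.intra_score(norm) > self.intra_threshold:
            return True, "intra-tree"
        if self.inter_score(norm) < self.inter_threshold:
            return True, "inter-tree"
        return False, "normal"

def window(pr, size, rtt, fc=3, addr=0, val=0) -> Sample:
    """Constructed 4-packet Modbus/TCP window; per-request semantic values repeated per packet."""
    return {"packet_rate": pr, "avg_packet_size": size, "ip_port_mapping": [1, 1, 1, 1],
            "round_trip_delay": rtt, "function_code": [fc] * 4,
            "coil_address": [addr] * 4, "coil_value": [val] * 4}

# Constructed baseline: steady read polling (function code 3) with small timing jitter.
BASELINE = [window([10, 12, 11, 10], [60, 64, 62, 60], [5, 7, 6, 5]),
            window([11, 10, 12, 11], [62, 60, 64, 62], [6, 5, 7, 6]),
            window([10, 11, 10, 12], [60, 62, 60, 64], [5, 6, 5, 7])]
# Constructed anomaly 1: write function code plus a ten-fold rate spike. Several features of one
# tree go fully out of range while others stay normal, so the intra-tree check fires first.
WRITE_FLOOD = window([100] * 4, [60, 64, 62, 60], [5, 7, 6, 5], fc=5, val=1)
# Constructed anomaly 2: baseline value ranges but a shifted timing pattern. It passes the
# intra-tree check and is only caught by the inter-tree comparison against the reference tree.
PATTERN_SHIFT = window([12, 10, 10, 11], [64, 60, 60, 62], [7, 5, 5, 6])
DETECTOR = DualSimilarityDetector(v=2.0, margin=0.1).fit(BASELINE)
```

`DETECTOR.detect(...)` returns `(False, "normal")` for the baseline windows, `(True, "intra-tree")` for `WRITE_FLOOD` and `(True, "inter-tree")` for `PATTERN_SHIFT`, which shows why the patent runs both measurements rather than either one alone.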

Claims (9)

1.一种基于双重相似性度量的工业通信异常检测方法,其特征在于,其步骤为:1. an industrial communication anomaly detection method based on double similarity measure, is characterized in that, its steps are: 1)工业通信行为特征的分类与选择:将工业通信数据按相同的时间间隔划分成不同的消息样本,依据工业通信协议的协议规约和工业通信交互方式,提取工业通信行为特征,构成特征空间;1) Classification and selection of industrial communication behavior characteristics: Divide industrial communication data into different message samples at the same time interval, and extract industrial communication behavior characteristics according to the protocol specifications of industrial communication protocols and industrial communication interaction methods to form a feature space; 2)构建工业行为特征树:根据每一个消息样本的特征空间,分别构建工业行为特征树的主分枝、次分枝和叶子节点,从而使每一个消息样本用一个工业行为特征树表示;2) Building an industrial behavior feature tree: According to the feature space of each message sample, construct the main branch, secondary branch and leaf node of the industrial behavior feature tree respectively, so that each message sample is represented by an industrial behavior feature tree; 3)双重相似性度量的实时异常判别:对每一个消息样本的工业行为特征树,进行双重相似性度量计算,将计算结果分别与树内度量门限和树间度量门限进行比较,判断是否出现异常并报警;3) Real-time abnormality discrimination of double similarity measure: carry out double similarity measure calculation for the industrial behavior feature tree of each message sample, and compare the calculation result with the intra-tree metric threshold and the inter-tree metric threshold respectively to judge whether there is an abnormality and call the police; 双重相似性度量的实时异常判别,具体进行两方面计算:The real-time anomaly discrimination of the dual similarity measure is calculated in two aspects: 3.1)树内相似性度量针对工业行为特征树中不同特征之间的度量,其中工业行为特征数属于同一消息样本;3.1) The similarity measure within the tree is the measure between different features in the industrial behavior feature tree, where the number of industrial behavior features belong to the same message sample; 3.2)树间相似性度量针对不同消息样本的工业行为特征树之间的度量。3.2) Inter-tree similarity measure It is a measure between industrial behavior feature trees of different 
message samples.

2. The industrial communication anomaly detection method based on double similarity metrics according to claim 1, wherein in step 1) the industrial communication behavior features are divided into two classes: general network behavior features and industrial protocol semantic features.

3. The industrial communication anomaly detection method based on double similarity metrics according to claim 2, wherein the general network behavior features describe the properties that message samples exhibit during network transmission, including: packet rate, average packet size, IP-to-port mapping, and the round-trip delay of one access.

4. The industrial communication anomaly detection method based on double similarity metrics according to claim 2, wherein the industrial protocol semantic features are proprietary features extracted according to the industrial protocol syntax and protocol specification, including: function code, coil or register address, and coil or register field value.

5. The industrial communication anomaly detection method based on double similarity metrics according to claim 1, wherein in step 2) the industrial behavior feature tree is constructed as follows:
2.1) create the root and trunk of the industrial behavior feature tree;
2.2) according to the two classes of industrial communication behavior features, create two main branches on the trunk of the tree;
2.3) on each main branch, create a sub-branch for every feature belonging to that main branch, for example a sub-branch representing packet rate on the main branch representing general network behavior features;
2.4) on each sub-branch, take each value of that feature as a leaf node.

6. The industrial communication anomaly detection method based on double similarity metrics according to claim 1, wherein the intra-tree similarity metric uses the Minkowski distance as its metric algorithm, and the inter-tree similarity metric uses the cosine similarity as its metric algorithm.

7. The industrial communication anomaly detection method based on double similarity metrics according to claim 6, wherein the intra-tree similarity metric uses the Minkowski distance as its metric algorithm, calculated by the following formula:
Figure FDA0003162684730000021
where P = (p1, p2, …, pN) and Q = (q1, q2, …, qN) respectively represent the feature values of two features in the feature space of the same industrial behavior feature tree, and v is a variable parameter that is adjusted according to the actual situation.

8. The industrial communication anomaly detection method based on double similarity metrics according to claim 7, wherein the inter-tree similarity metric uses the cosine similarity as its metric algorithm, calculated by the following formula:
Figure FDA0003162684730000022
where xk and yk respectively represent values of the same kind of feature in different industrial behavior feature trees.

9. The industrial communication anomaly detection method based on double similarity metrics according to claim 1, wherein in step 3) the intra-tree metric threshold and the inter-tree metric threshold are rated values computed from industrial communication data by the double similarity metrics.
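As an added worked example (not code from the patent or its assignees), the following Python sketch follows claims 5 to 9: it builds the feature tree of claim 5 from per-feature value columns, applies the Minkowski distance within a tree and the cosine similarity between a baseline tree and an observed tree, derives the two thresholds of claim 9 from benign windows, and flags a window that breaches either. The feature names, all sample values, the standard Minkowski form assumed for the image formula, and the 20 % and 0.01 calibration margins are assumptions of this example.

```python
from itertools import combinations

# Claims 2-4: the main branch each feature hangs from (feature names are constructed).
BRANCH = {"packet_rate": "general", "avg_pkt_size": "general",
          "function_code": "semantic", "register_addr": "semantic"}

def build_tree(**columns):
    """Claim 5: root -> two main branches -> one sub-branch per feature -> one leaf per value."""
    tree = {"general": {}, "semantic": {}}
    for feat, values in columns.items():
        tree[BRANCH[feat]][feat] = [float(x) for x in values]
    return tree

def minkowski(p, q, v=2):
    """Claim 7 intra-tree metric; v is the adjustable order (standard Minkowski form assumed)."""
    return sum(abs(a - b) ** v for a, b in zip(p, q)) ** (1 / v)

def cosine(x, y):
    """Claim 8 inter-tree metric between same-kind feature vectors of two trees."""
    nx, ny = sum(a * a for a in x) ** 0.5, sum(b * b for b in y) ** 0.5
    return sum(a * b for a, b in zip(x, y)) / (nx * ny) if nx and ny else 0.0

def intra_scores(t, v=2):
    """Minkowski distance between every pair of features on the same main branch."""
    return {(c, f1, f2): minkowski(t[c][f1], t[c][f2], v) for c in t for f1, f2 in combinations(sorted(t[c]), 2)}

def inter_scores(base, t):
    """Cosine similarity of each feature's leaves against the same feature in the baseline tree."""
    return {(c, f): cosine(base[c][f], t[c][f]) for c in base for f in base[c]}

def calibrate(base, benign, v=2):
    """Claim 9: thresholds as rated values from benign data; the 20 % / 0.01 margins are assumptions."""
    intra = {k: 1.2 * max(intra_scores(t, v)[k] for t in [base] + benign) for k in intra_scores(base, v)}
    inter = {k: min(inter_scores(base, t)[k] for t in benign) - 0.01 for k in inter_scores(base, base)}
    return intra, inter

def detect(base, t, intra_thr, inter_thr, v=2):
    """Keys whose intra-tree distance exceeds or whose inter-tree cosine falls below its threshold."""
    hits = [k for k, d in intra_scores(t, v).items() if d > intra_thr[k]]
    return hits + [k for k, c in inter_scores(base, t).items() if c < inter_thr[k]]

# Constructed four-message Modbus-like windows; every value below is invented for illustration.
BASE = build_tree(packet_rate=[10, 11, 10, 12], avg_pkt_size=[64, 64, 66, 64],
                  function_code=[3, 3, 3, 3], register_addr=[100, 100, 101, 100])
BENIGN = build_tree(packet_rate=[11, 10, 12, 11], avg_pkt_size=[64, 66, 64, 64],
                    function_code=[3, 3, 3, 3], register_addr=[100, 101, 100, 100])
# A burst of write requests (function code 16) to unfamiliar registers at a 20x packet rate.
ATTACK = build_tree(packet_rate=[200, 220, 210, 230], avg_pkt_size=[64, 64, 66, 64],
                    function_code=[3, 3, 16, 16], register_addr=[100, 5000, 5000, 5000])
INTRA_THR, INTER_THR = calibrate(BASE, [BENIGN])
```

Note that cosine similarity is scale-invariant, so the packet-rate surge alone is not visible inter-tree; it is the intra-tree Minkowski distance that catches it, which is why the two metrics complement each other.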
CN201910519203.4A 2019-06-17 2019-06-17 An Anomaly Detection Method for Industrial Communication Based on Double Similarity Metrics Active CN110266680B (en)

Priority Application (1)

Application Number Priority Date Filing Date Title
CN201910519203.4A CN110266680B (en) 2019-06-17 2019-06-17 An Anomaly Detection Method for Industrial Communication Based on Double Similarity Metrics

Publications (2)

Publication Number Publication Date
CN110266680A CN110266680A (en) 2019-09-20
CN110266680B true CN110266680B (en) 2021-08-24

Family

ID=67918467

Country Status (1)

Country Link
CN (1) CN110266680B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230404

Address after: 110167 room 246-113, floor 2, No. 109-1 (No. 109-1), quanyun Road, Shenyang area, China (Liaoning) pilot Free Trade Zone, Shenyang, Liaoning

Patentee after: Liaoning Industrial Control Technology Co.,Ltd.

Address before: 110000 58 Shenbei New Area Road South, Shenyang, Liaoning.

Patentee before: LIAONING University

TR01 Transfer of patent right

Effective date of registration: 20231101

Address after: 110000 Room 301, No. 73, Yalujiang East Street, Huanggu District, Shenyang, Liaoning 1002

Patentee after: Shenyang bangcui Technology Co.,Ltd.

Address before: 110167 room 246-113, floor 2, No. 109-1 (No. 109-1), quanyun Road, Shenyang area, China (Liaoning) pilot Free Trade Zone, Shenyang, Liaoning

Patentee before: Liaoning Industrial Control Technology Co.,Ltd.