CN110602034B - Method and system for detecting S7 protocol abnormal communication behavior based on PSO-SVM - Google Patents


Info

Publication number: CN110602034B
Application number: CN201910609621.2A
Authority: CN (China)
Other versions: CN110602034A
Other languages: Chinese (zh)
Prior art keywords: particle, protocol, connection, function code, function
Legal status: Active
Inventors: 李肯立, 边祥迪, 周旭, 阳王东, 杨志邦, 刘楚波, 李克勤, 张尧学
Current assignee: Hunan University
Original assignee: Hunan University
Application filed by Hunan University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention discloses a method for detecting S7 protocol abnormal communication behavior based on PSO-SVM, comprising the following steps: acquiring a connection from an industrial control network, wherein the connection comprises a plurality of S7 protocol communication data packets, analyzing each S7 protocol communication data packet to acquire a corresponding function code or sub-function code, forming a function code sequence corresponding to the connection by a plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection, and inputting the function code sequence corresponding to the connection into a trained S7 protocol anomaly detection model to acquire a detection result of the connection. The method can solve the technical problems that the existing abnormal communication behavior identification method cannot detect the abnormal communication behavior of the S7 protocol in the industrial control network and the identification rate is low because the relevance among a plurality of data packets in the same connection is not considered.

Description

Method and system for detecting S7 protocol abnormal communication behavior based on PSO-SVM
Technical Field
The invention belongs to the field of industrial control network information security, and particularly relates to a method and a system for detecting S7 protocol abnormal communication behaviors based on a PSO-SVM.
Background
Industrial control networks typically communicate using proprietary protocols which, at the time of their design, took only functional requirements into account; security was guaranteed by physical isolation. With the rapid advance of industrial informatization, however, this closure has been broken: more and more industrial control networks are connected to public networks such as the Internet, which exposes their security problems ever more clearly. Since the beginning of the 21st century, nuclear power stations and power systems in several countries have suffered highly destructive network attacks resulting in large-scale power failures. These cases show that industrial control networks are more vulnerable than traditional public networks and that security incidents there can bring about more serious economic losses.
The traditional measures for preventing the industrial control network from being attacked by the network are mainly to analyze and identify the abnormal communication behaviors of the general internet protocols (such as HTTP, SMTP, DNS and the like), and to match according to the preset rules and characteristic values, thereby realizing simple security filtering.
However, the above abnormal communication behavior identification method has some technical problems that are not negligible: firstly, the method can only identify known abnormal communication behaviors based on expert experience, but cannot detect the abnormal communication behaviors of the S7 protocol in the industrial control network; secondly, since it does not consider the association between a plurality of packets in the same Connection (Connection), its recognition rate is low.
Disclosure of Invention
In view of the above defects or improvement needs in the prior art, the present invention provides a method and a system for detecting S7 protocol abnormal communication behavior based on PSO-SVM, and aims to solve the technical problems that the existing abnormal communication behavior identification method cannot detect S7 protocol abnormal communication behavior in an industrial control network, and the identification rate is low due to the fact that the correlation among a plurality of data packets in the same Connection (Connection) is not considered.
To achieve the above object, according to an aspect of the present invention, there is provided a method for detecting abnormal communication behavior of S7 protocol based on PSO-SVM, comprising the steps of:
(1) acquiring a connection from an industrial control network, wherein the connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or sub-function code, and the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
(2) and inputting the functional code sequence corresponding to the connection into a trained S7 protocol anomaly detection model to obtain a detection result of the connection.
Preferably, the function code or sub-function code is located in the PDU field of the S7 protocol communication data packet and is identified by the PDU Type value: when the PDU Type value is 1 the field carries a function code, and when the PDU Type value is 7 it carries a sub-function code.
Preferably, the S7 protocol anomaly detection model is trained by the following process:
(2-1) acquiring a plurality of connections from the industrial control network, wherein each connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or sub-function code, and the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
(2-2) cutting the function code sequence corresponding to each connection obtained in the step (2-1) according to a preset cutting length to obtain a plurality of new function code sequences with equal length corresponding to the connection, wherein the new function code sequences corresponding to all the connections form an S7 protocol data set;
(2-3) randomly generating a particle swarm $X=(X_1, X_2, \ldots, X_N)$ and the velocity $V_i=(V_{iC}, V_{i\tau}, V_{i\sigma})$ of the $i$-th particle in the swarm, where $N$ is the total number of particles in the generated swarm, each particle $X_i$ is represented by a three-dimensional vector $(C_i, \tau_i, \sigma_i)$, $i \in [1, N]$, and the initial values of the three components are random numbers;
(2-4) inputting the S7 protocol data set obtained in step (2-2) into an SVM model for training to obtain the classification accuracy corresponding to each particle of the swarm obtained in step (2-3), where the penalty factor of the SVM model is the component $C_i$ of each particle $X_i$ from step (2-3), and the two parameters to be optimized in the kernel function of the support vector machine are the remaining two components $\tau_i$ and $\sigma_i$ of the particle $X_i$;
(2-5) taking the classification accuracy corresponding to each particle obtained in step (2-4) as the fitness value $F(X_i)$ of that particle, and computing from $F(X_i)$ the individual extremum $P_i$ of each particle and the population extremum $G$ of the swarm using the PSO algorithm;
(2-6) according to the individual extremum and the population extremum obtained in step (2-5), repeatedly updating each particle $X_i$ and its velocity $V_i$ by the following formulas until the difference $F(X_i^{K+1})-F(X_i^K)$ between the fitness values of the particles $X_i^{K+1}$ and $X_i^K$ obtained in two successive iterations is less than 0.01%, at which point the trained SVM model is taken as the S7 protocol anomaly detection model;
$$V_i^{K+1}=\omega_i \cdot V_i^K + c_1 \cdot r_1 \cdot (P_i - X_i^K) + c_2 \cdot r_2 \cdot (G - X_i^K)$$
$$X_i^{K+1}=X_i^K+V_i^{K+1}$$
where the superscript $K$ denotes the current iteration number, $\omega_i$ is the current inertia weight, whose value lies between 0 and 1, $c_1$ and $c_2$ are learning factors, $r_1$ and $r_2$ are random numbers between 0 and 1, $X_i^K$ denotes the $i$-th particle at the current iteration $K$, and $V_i^K$ denotes the velocity of the $i$-th particle at the current iteration $K$.
Preferably, in step (2-2), if the length of the functional code sequence is smaller than the preset cutting length, the functional code sequence is subjected to 0 complementing processing.
Preferably, the kernel function $K$ is given by the following formula:
$$K=(1-\tau)\cdot K_{POLY}+\tau\cdot K_{RBF}$$
where $\tau$ is a weight with $0<\tau<1$, $K_{POLY}$ is a global kernel function whose degree $d$ is 3, and $K_{RBF}$ is a local kernel function; the parameters to be optimized are the remaining two components $\tau_i$ and $\sigma_i$ of each particle $X_i$.
Preferably, the current inertia weight $\omega_i$ is calculated by the following formula:
$$\omega_i=\omega_{max}-(\omega_{max}-\omega_{min})\cdot K/K_{max}$$
where $\omega_{max}$ is the maximum weight, which takes the value 1, $\omega_{min}$ is the minimum weight, which takes the value 0, and $K_{max}$ is the maximum number of iterations, a natural number greater than 100.
According to another aspect of the present invention, there is provided a system for detecting abnormal communication behavior of S7 protocol based on PSO-SVM, comprising:
a first module, configured to obtain a connection from an industrial control network, where the connection includes a plurality of S7 protocol communication data packets, and parse each S7 protocol communication data packet to obtain a corresponding function code or sub-function code, where the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
and the second module is used for inputting the functional code sequence corresponding to the connection into the trained S7 protocol anomaly detection model so as to obtain the detection result of the connection.
Preferably, the S7 protocol anomaly detection model is trained by the following modules:
the first submodule is used for acquiring a plurality of connections from an industrial control network, each connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or a corresponding sub-function code, and the plurality of function codes and the corresponding sub-function codes of all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
the second submodule is used for cutting the function code sequence corresponding to each connection obtained by the first submodule according to the preset cutting length, so as to obtain a plurality of new function code sequences of equal length corresponding to the connection, where the new function code sequences corresponding to all the connections form an S7 protocol data set;
a third submodule for randomly generating a particle swarm $X=(X_1, X_2, \ldots, X_N)$ and the velocity $V_i=(V_{iC}, V_{i\tau}, V_{i\sigma})$ of the $i$-th particle in the swarm, where $N$ is the total number of particles in the generated swarm, each particle $X_i$ is represented by a three-dimensional vector $(C_i, \tau_i, \sigma_i)$, $i \in [1, N]$, and the initial values of the three components are random numbers;
a fourth submodule, configured to input the S7 protocol data set obtained by the second submodule into an SVM model for training, so as to obtain the classification accuracy corresponding to each particle of the swarm obtained by the third submodule, where the penalty factor of the SVM model is the component $C_i$ of each particle $X_i$ from step (2-3), and the two parameters to be optimized in the kernel function of the support vector machine are the remaining two components $\tau_i$ and $\sigma_i$ of the particle $X_i$;
a fifth submodule for taking the classification accuracy corresponding to each particle obtained by the fourth submodule as the fitness value $F(X_i)$ of that particle, and computing from $F(X_i)$ the individual extremum $P_i$ of each particle and the population extremum $G$ of the swarm using the PSO algorithm;
a sixth submodule for repeatedly updating each particle $X_i$ and its velocity $V_i$, according to the individual extremum and the population extremum obtained by the fifth submodule and the following formulas, until the difference $F(X_i^{K+1})-F(X_i^K)$ between the fitness values of the particles $X_i^{K+1}$ and $X_i^K$ obtained in two successive iterations is less than 0.01%, at which point the trained SVM model is taken as the S7 protocol anomaly detection model;
$$V_i^{K+1}=\omega_i \cdot V_i^K + c_1 \cdot r_1 \cdot (P_i - X_i^K) + c_2 \cdot r_2 \cdot (G - X_i^K)$$
$$X_i^{K+1}=X_i^K+V_i^{K+1}$$
where the superscript $K$ denotes the current iteration number, $\omega_i$ is the current inertia weight, whose value lies between 0 and 1, $c_1$ and $c_2$ are learning factors, $r_1$ and $r_2$ are random numbers between 0 and 1, $X_i^K$ denotes the $i$-th particle at the current iteration $K$, and $V_i^K$ denotes the velocity of the $i$-th particle at the current iteration $K$.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
1. the invention can realize the detection of the abnormal communication behavior of the S7 protocol in the industrial control network;
2. the invention adopts a circular cutting mode to convert the function codes analyzed by the data packets into the function code sequences with consistent length, and takes the function code sequences as the detection basis to fully embody the relevance among a plurality of data packets, thereby being capable of really realizing higher identification rate;
3. according to the method, the SVM model is selected for anomaly detection, so that an accurate judgment result can be generated for unknown communication behaviors, and meanwhile, the method can be ensured to have good learning capability and generalization capability by using the mixed kernel function in the construction process of the SVM model.
4. The method adopts the PSO algorithm with the linear decreasing inertial weight to automatically optimize the parameters of the SVM model, and can improve the classification accuracy of the SVM model, thereby further improving the recognition rate of the method.
Drawings
Fig. 1 is a flow chart of the method for detecting the abnormal communication behavior of the S7 protocol based on the PSO-SVM of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The method analyzes the S7 protocol, selects the functional code sequence as a research object, fully embodies the relevance among a plurality of data packets, utilizes the PSO-SVM algorithm to respectively model the normal communication behavior and the abnormal communication behavior aiming at the characteristics of limited functions and limited states in the industrial control network, avoids selecting and setting parameters by depending on expert experience, and can identify the unknown communication behavior. A feasible detection method for abnormal communication behavior of the S7 protocol is provided.
As shown in fig. 1, the method for detecting S7 protocol abnormal communication behavior based on PSO-SVM of the present invention includes the following steps:
(1) acquiring a Connection (Connection) from an industrial control network, wherein the Connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or sub-function code, and the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each Connection form a function code sequence corresponding to the Connection;
specifically, the function code or the sub-function code is located in a Protocol Data Unit (PDU) field in the S7 Protocol communication data packet, when a PDU Type value in the PDU field is 1, the field is the function code, and when the PDU Type value in the PDU field is 7, the field is the sub-function code, and both the function code and the sub-function code are 16-ary numbers.
(2) And inputting the functional code sequence corresponding to the connection into a trained S7 protocol anomaly detection model to obtain a detection result of the connection.
Specifically, the detection result is that the communication behavior corresponding to the connection is normal or abnormal.
The S7 protocol anomaly detection model in this step is obtained by training the following processes:
(2-1) acquiring a plurality of connections from the industrial control network, wherein each connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or sub-function code, and the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
for example, two connections, a1 and a2 respectively, are acquired, where a function code sequence is composed of a plurality of function codes and subfunction codes corresponding to all S7 protocol communication packets included in a1 (F1, F2, F3, F4, F5), and a function code sequence is composed of a plurality of function codes and subfunction codes corresponding to all S7 protocol communication packets included in a2 (F1, F2, F3).
(2-2) cutting the function code sequence corresponding to each connection obtained in the step (2-1) according to a preset cutting length to obtain a plurality of new function code sequences with equal lengths corresponding to the connection, wherein the new function code sequences corresponding to all the connections form an S7 protocol data set, and if the length of the function code sequence is smaller than the preset cutting length, performing 0 complementing processing on the function code sequence;
specifically, the cutting length n is freely set according to the user requirement, and the larger the value of n is, the more the accuracy of detecting the abnormal behavior can be improved, but the operation efficiency of the system can also be reduced, otherwise, the continuity of a certain operation cannot be fully reflected, and a large amount of conflicts of the obtained normal and abnormal function code sequence sets may be caused.
For example, if the value of n is 4, in the example used in step (1), the functional code sequence corresponding to the connection a1 is divided into two new functional code sequences (F1, F2, F3, F4) and (F2, F3, F4, F5), and if there are less than 4 elements in the functional code sequence corresponding to the connection a2, the new functional code sequences are obtained by padding with 0 (F1, F2, F3, 0).
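The parsing and cutting steps above, as an added example that is not part of the patent: it reads the PDU Type of each S7comm packet, takes the function code (PDU Type 1) or sub-function code (PDU Type 7), assembles the per-connection sequence, and cuts it into windows of length n with zero padding exactly as the a1/a2 example does. The TPKT/COTP/S7comm byte offsets follow the public S7comm dissection and the two sample payloads are constructed for the illustration; neither comes from the patent.

```python
"""Added example (not the patent's code): S7comm function-code extraction
and sliding-window cutting of a connection's function-code sequence."""

# Offsets below follow the public S7comm dissection (TPKT / ISO-COTP / S7comm
# header) and are an assumption of this example, not text from the patent.
PDU_TYPE_JOB = 0x01       # function code = parameter byte 0
PDU_TYPE_USERDATA = 0x07  # sub-function code = parameter byte 6


def parse_s7_code(payload: bytes):
    """Return (pdu_type, code) for a Job or Userdata PDU, otherwise None."""
    # TPKT: version(1) reserved(1) length(2); COTP DT: LI(1) 0xF0 TPDU-nr(1)
    if len(payload) < 7 or payload[0] != 0x03:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                       # truncated or over-long segment
    cotp_li = payload[4]
    if payload[5] != 0xF0:
        return None                       # only DT TPDUs carry S7 data
    s7 = payload[5 + cotp_li:]
    if len(s7) < 10 or s7[0] != 0x32:     # 0x32 = S7comm protocol id
        return None
    pdu_type = s7[1]
    param_len = int.from_bytes(s7[6:8], "big")
    hdr_len = 12 if pdu_type in (0x02, 0x03) else 10   # Ack/Ack-Data add 2 error bytes
    param = s7[hdr_len:hdr_len + param_len]
    if len(param) < param_len:
        return None                       # parameter block cut short
    if pdu_type == PDU_TYPE_JOB and param:
        return (pdu_type, param[0])
    if pdu_type == PDU_TYPE_USERDATA and len(param) >= 7:
        # param: head(3) length(1) method(1) type/group(1) subfunction(1) seq(1)
        return (pdu_type, param[6])
    return None                           # other PDU types are not used by the method


def connection_sequence(payloads):
    """Function-code sequence of one connection, in packet order."""
    seq = []
    for payload in payloads:
        parsed = parse_s7_code(payload)
        if parsed is not None:
            seq.append(parsed[1])
    return seq


def cut_sequence(seq, n):
    """Windows of length n with stride 1; a shorter sequence is zero-padded."""
    if not seq:
        return []
    if len(seq) < n:
        return [list(seq) + [0] * (n - len(seq))]
    return [list(seq[i:i + n]) for i in range(len(seq) - n + 1)]


# Constructed sample TCP payloads (synthetic, not from a real capture):
# a "Read Var" Job (function 0x04) and a Userdata request (sub-function 0x01).
JOB_READ_VAR = bytes.fromhex(
    "03 00 00 1f "                               # TPKT, length 31
    "02 f0 80 "                                  # COTP DT
    "32 01 00 00 00 01 00 0e 00 00 "             # S7 header: Job, param len 14
    "04 01 12 0a 10 02 00 01 00 00 84 00 00 00") # param: function 0x04, one item
USERDATA_REQ = bytes.fromhex(
    "03 00 00 21 "                               # TPKT, length 33
    "02 f0 80 "
    "32 07 00 00 00 02 00 08 00 08 "             # S7 header: Userdata, param/data len 8
    "00 01 12 04 11 44 01 00 "                   # param: ..., subfunction 0x01, seq 0
    "ff 09 00 04 00 11 00 00")                   # data block


def demo(n=4):
    """Sequence and windows for one constructed five-packet connection."""
    seq = connection_sequence([JOB_READ_VAR, USERDATA_REQ, JOB_READ_VAR,
                               JOB_READ_VAR, USERDATA_REQ])
    return seq, cut_sequence(seq, n)


if __name__ == "__main__":
    print(demo())
```

The length check against the TPKT header is the practical caveat: a reassembly gap or a truncated capture otherwise yields a bogus code that silently pollutes the sequence, so such packets are dropped rather than guessed.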
(2-3) randomly generating a particle swarm $X=(X_1, X_2, \ldots, X_N)$ and the velocity $V_i=(V_{iC}, V_{i\tau}, V_{i\sigma})$ of the $i$-th particle in the swarm, where $N$ is the total number of particles in the generated swarm, each particle $X_i$ is represented by a three-dimensional vector $(C_i, \tau_i, \sigma_i)$, $i \in [1, N]$, and the initial values of the three components are random numbers;
(2-4) inputting the S7 protocol data set obtained in step (2-2) into a Support Vector Machine (SVM) model for training to obtain the classification accuracy corresponding to each particle of the swarm obtained in step (2-3), where the penalty factor of the SVM model is the component $C_i$ of each particle $X_i$ from step (2-3), and the two parameters to be optimized in the kernel function of the support vector machine are the remaining two components $\tau_i$ and $\sigma_i$ of the particle $X_i$;
In this step the S7 protocol data set is divided into 5 parts: 4 parts are used to train the SVM model, and the remaining part is used afterwards to validate the SVM model and obtain its classification accuracy.
Specifically, the kernel function $K$ used in this step is given by the following formula:
$$K=(1-\tau)\cdot K_{POLY}+\tau\cdot K_{RBF}$$
where $\tau$ is a weight with $0<\tau<1$, $K_{POLY}$ is a global kernel function whose degree $d$ is 3, and $K_{RBF}$ is a local kernel function; the parameters to be optimized are the remaining two components $\tau_i$ and $\sigma_i$ of each particle $X_i$.
Kernel functions are divided into two categories: the method comprises a local kernel function and a global kernel function, wherein the local kernel function (such as RBF kernel function) has strong learning ability, and the global kernel function (such as POLY kernel function) has strong generalization ability. In order to relatively improve the learning ability and generalization ability of the algorithm, the step constructs a mixed kernel function.
(2-5) taking the classification accuracy corresponding to each particle obtained in step (2-4) as the fitness value $F(X_i)$ of that particle, and computing from $F(X_i)$ the individual extremum $P_i$ of each particle and the population extremum $G$ of the swarm using Particle Swarm Optimization (PSO);
(2-6) according to the individual extremum and the population extremum obtained in step (2-5), repeatedly updating each particle $X_i$ and its velocity $V_i$ by the following formulas until the difference $F(X_i^{K+1})-F(X_i^K)$ between the fitness values of the particles $X_i^{K+1}$ and $X_i^K$ obtained in two successive iterations is less than 0.01%, at which point the trained SVM model is taken as the S7 protocol anomaly detection model;
$$V_i^{K+1}=\omega_i \cdot V_i^K + c_1 \cdot r_1 \cdot (P_i - X_i^K) + c_2 \cdot r_2 \cdot (G - X_i^K)$$
$$X_i^{K+1}=X_i^K+V_i^{K+1}$$
where the superscript $K$ denotes the current iteration number; $\omega_i$ is the current inertia weight, whose value lies between 0 and 1 (a larger $\omega_i$ improves the global search capability and avoids being trapped in a local optimum, but makes an accurate solution harder to obtain); $c_1$ and $c_2$ are learning factors, both equal to 2; $r_1$ and $r_2$ are random numbers between 0 and 1; $X_i^K$ denotes the $i$-th particle at the current iteration $K$; and $V_i^K$ denotes the velocity of the $i$-th particle at the current iteration $K$.
Using a linearly decreasing $\omega_i$ improves the performance of the PSO algorithm; it is calculated as follows:
$$\omega_i=\omega_{max}-(\omega_{max}-\omega_{min})\cdot K/K_{max}$$
where $\omega_{max}$ is the maximum weight, which takes the value 1, $\omega_{min}$ is the minimum weight, which takes the value 0, and $K_{max}$ is the maximum number of iterations, a natural number greater than 100.
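Steps (2-3) to (2-6) together with the mixed kernel and the linearly decreasing inertia weight, as an added example that is not the patent's own code: each particle is (C, τ, σ), its fitness is the accuracy of an SVM trained with K = (1 - τ)·K_POLY + τ·K_RBF on 4 of 5 parts and validated on the fifth, and the swarm is updated with the two formulas above until no particle's fitness moves by 0.01% or more. The SVM solver is kernel Pegasos, a stand-in chosen because it fits in a few lines; the patent does not name its solver. The search bounds, the Pegasos epoch count and the training windows with their labels are all constructed assumptions.

```python
"""Added example (not the patent's code): PSO over (C, tau, sigma) for an SVM
with the mixed polynomial/RBF kernel and a linearly decreasing inertia weight."""
import math
import random

POLY_DEGREE = 3                          # global kernel degree d = 3, as in the text
BOUNDS = [(0.1, 100.0), (0.01, 0.99), (0.1, 5.0)]   # assumed search ranges: C, tau, sigma


def poly_kernel(x, y):
    return (sum(a * b for a, b in zip(x, y)) + 1.0) ** POLY_DEGREE


def rbf_kernel(x, y, sigma):
    d2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-d2 / (2.0 * sigma * sigma))


def mixed_kernel(x, y, tau, sigma):
    """K = (1 - tau) * K_POLY + tau * K_RBF from the description."""
    return (1.0 - tau) * poly_kernel(x, y) + tau * rbf_kernel(x, y, sigma)


def train_svm(xs, ys, C, tau, sigma, epochs=10):
    """Kernel Pegasos (assumed solver); returns predict(x) -> +1 / -1."""
    m = len(xs)
    lam = 1.0 / (C * m)                  # Pegasos regulariser for penalty factor C
    alpha, t = [0] * m, 0
    for _ in range(epochs):
        for i in range(m):
            t += 1
            s = sum(alpha[j] * ys[j] * mixed_kernel(xs[j], xs[i], tau, sigma)
                    for j in range(m) if alpha[j])
            if ys[i] * s / (lam * t) < 1.0:   # margin violated: add this sample
                alpha[i] += 1

    def predict(x):
        s = sum(alpha[j] * ys[j] * mixed_kernel(xs[j], x, tau, sigma)
                for j in range(m) if alpha[j])
        return 1 if s >= 0 else -1
    return predict


def fitness(particle, xs, ys):
    """Step (2-4)/(2-5): accuracy on the 5th part after training on the other 4."""
    C, tau, sigma = particle
    train = [(x, y) for k, (x, y) in enumerate(zip(xs, ys)) if k % 5 != 4]
    valid = [(x, y) for k, (x, y) in enumerate(zip(xs, ys)) if k % 5 == 4]
    predict = train_svm([x for x, _ in train], [y for _, y in train], C, tau, sigma)
    return sum(predict(x) == y for x, y in valid) / len(valid)


def inertia_weight(k, k_max, w_max=1.0, w_min=0.0):
    """omega = omega_max - (omega_max - omega_min) * K / K_max."""
    return w_max - (w_max - w_min) * k / k_max


def pso_svm(xs, ys, n_particles=6, k_max=120, seed=7):
    """Steps (2-3) to (2-6); returns the best particle (C, tau, sigma) and its fitness."""
    rng = random.Random(seed)
    n, c1, c2 = n_particles, 2.0, 2.0     # learning factors c1 = c2 = 2
    X = [[rng.uniform(lo, hi) for lo, hi in BOUNDS] for _ in range(n)]
    V = [[rng.uniform(-0.1, 0.1) * (hi - lo) for lo, hi in BOUNDS] for _ in range(n)]
    F = [fitness(p, xs, ys) for p in X]
    P, PF = [p[:] for p in X], F[:]       # individual extrema P_i
    g = max(range(n), key=lambda i: PF[i])
    G, GF = P[g][:], PF[g]                # population extremum G
    for K in range(k_max):
        w = inertia_weight(K, k_max)
        converged = True
        for i in range(n):
            r1, r2 = rng.random(), rng.random()
            for d, (lo, hi) in enumerate(BOUNDS):
                V[i][d] = w * V[i][d] + c1 * r1 * (P[i][d] - X[i][d]) + c2 * r2 * (G[d] - X[i][d])
                X[i][d] = min(max(X[i][d] + V[i][d], lo), hi)
            f_new = fitness(X[i], xs, ys)
            if abs(f_new - F[i]) >= 1e-4:  # 0.01 % threshold of step (2-6)
                converged = False
            F[i] = f_new
            if f_new > PF[i]:
                P[i], PF[i] = X[i][:], f_new
            if f_new > GF:
                G, GF = X[i][:], f_new
        if converged:
            break
    return G, GF


def make_dataset():
    """Constructed n = 4 windows of function codes scaled by 1/255; the code
    values and the labels (+1 normal, -1 abnormal) are placeholders."""
    normal = [[0xF0, 0x04, 0x04, 0x04], [0x04, 0x04, 0x05, 0x04], [0x04, 0x05, 0x04, 0x04],
              [0x04, 0x04, 0x04, 0x05], [0x05, 0x04, 0x04, 0x04], [0xF0, 0x04, 0x05, 0x04],
              [0x04, 0x04, 0x04, 0x04], [0x04, 0x05, 0x05, 0x04]]
    abnormal = [[0xF0, 0xA1, 0x00, 0x00], [0x04, 0xA1, 0xA2, 0x00], [0xA1, 0xA2, 0xA3, 0x00],
                [0xF0, 0xA1, 0xA2, 0xA3], [0xA2, 0x00, 0x00, 0x00], [0x04, 0x04, 0xA1, 0x00],
                [0xF0, 0xA3, 0x00, 0x00], [0xA1, 0x00, 0x00, 0x00]]
    xs, ys = [], []
    for a, b in zip(normal, abnormal):    # interleave so every part holds both classes
        xs += [[v / 255.0 for v in a], [v / 255.0 for v in b]]
        ys += [1, -1]
    return xs, ys


if __name__ == "__main__":
    data_x, data_y = make_dataset()
    print(pso_svm(data_x, data_y))
```

Scaling the codes to [0, 1] before the polynomial kernel is a design choice of this example: raw byte values cubed would let K_POLY swamp K_RBF and make τ meaningless.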
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (6)

1. A method for detecting S7 protocol abnormal communication behavior based on PSO-SVM is characterized by comprising the following steps:
(1) acquiring a connection from an industrial control network, wherein the connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or sub-function code, and the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
(2) inputting the functional code sequence corresponding to the connection into a trained S7 protocol anomaly detection model to obtain a detection result of the connection, wherein the S7 protocol anomaly detection model is trained by the following processes:
(2-1) acquiring a plurality of connections from the industrial control network, wherein each connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or sub-function code, and the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
(2-2) cutting the function code sequence corresponding to each connection obtained in the step (2-1) according to a preset cutting length to obtain a plurality of new function code sequences with equal length corresponding to the connection, wherein the new function code sequences corresponding to all the connections form an S7 protocol data set;
(2-3) randomly generating a particle swarm $X=(X_1, X_2, \ldots, X_N)$ and the velocity $V_i=(V_{iC}, V_{i\tau}, V_{i\sigma})$ of the $i$-th particle in the swarm, where $N$ is the total number of particles in the generated swarm, each particle $X_i$ is represented by a three-dimensional vector $(C_i, \tau_i, \sigma_i)$, $i \in [1, N]$, and the initial values of the three components are random numbers;
(2-4) inputting the S7 protocol data set obtained in step (2-2) into an SVM model for training to obtain the classification accuracy corresponding to each particle of the swarm obtained in step (2-3), where the penalty factor of the SVM model is the component $C_i$ of each particle $X_i$ from step (2-3), and the two parameters to be optimized in the kernel function of the support vector machine are the remaining two components $\tau_i$ and $\sigma_i$ of the particle $X_i$;
(2-5) taking the classification accuracy corresponding to each particle obtained in step (2-4) as the fitness value $F(X_i)$ of that particle, and computing from $F(X_i)$ the individual extremum $P_i$ of each particle and the population extremum $G$ of the swarm using the PSO algorithm;
(2-6) according to the individual extremum and the population extremum obtained in step (2-5), repeatedly updating each particle $X_i$ and its velocity $V_i$ by the following formulas until the difference $F(X_i^{K+1})-F(X_i^K)$ between the fitness values of the particles $X_i^{K+1}$ and $X_i^K$ obtained in two successive iterations is less than 0.01%, at which point the trained SVM model is taken as the S7 protocol anomaly detection model;
$$V_i^{K+1}=\omega_i \cdot V_i^K + c_1 \cdot r_1 \cdot (P_i - X_i^K) + c_2 \cdot r_2 \cdot (G - X_i^K)$$
$$X_i^{K+1}=X_i^K+V_i^{K+1}$$
where the superscript $K$ denotes the current iteration number, $\omega_i$ is the current inertia weight, whose value lies between 0 and 1, $c_1$ and $c_2$ are learning factors, $r_1$ and $r_2$ are random numbers between 0 and 1, $X_i^K$ denotes the $i$-th particle at the current iteration $K$, and $V_i^K$ denotes the velocity of the $i$-th particle at the current iteration $K$.
2. The PSO-SVM based method for detecting S7 protocol abnormal communication behavior according to claim 1, wherein the function code or the sub-function code is located in a PDU Type field of the S7 protocol communication data packet, wherein the PDU Type field is the function code when the PDU Type value is 1, and the PDU Type field is the sub-function code when the PDU Type value is 7.
3. The method for detecting S7 protocol abnormal communication behavior based on the PSO-SVM as claimed in any one of claims 1-2, wherein in step (2-2), if the length of the functional code sequence is less than a preset cut length, the functional code sequence is subjected to a 0-complementing process.
4. The method for detecting S7 protocol abnormal communication behavior based on PSO-SVM as claimed in claim 1, wherein the kernel function $K$ is given by the following formula:
$$K=(1-\tau)\cdot K_{POLY}+\tau\cdot K_{RBF}$$
where $\tau$ is a weight with $0<\tau<1$, $K_{POLY}$ is a global kernel function whose degree $d$ is 3, and $K_{RBF}$ is a local kernel function; the parameters to be optimized are the remaining two components $\tau_i$ and $\sigma_i$ of each particle $X_i$.
5. The method for detecting S7 protocol abnormal communication behavior based on PSO-SVM as claimed in claim 1, wherein the current inertia weight $\omega_i$ is calculated by the following formula:
$$\omega_i=\omega_{max}-(\omega_{max}-\omega_{min})\cdot K/K_{max}$$
where $\omega_{max}$ is the maximum weight, which takes the value 1, $\omega_{min}$ is the minimum weight, which takes the value 0, and $K_{max}$ is the maximum number of iterations, a natural number greater than 100.
6. A system for detecting S7 protocol abnormal communication behavior based on PSO-SVM is characterized by comprising:
a first module, configured to obtain a connection from an industrial control network, where the connection includes a plurality of S7 protocol communication data packets, and parse each S7 protocol communication data packet to obtain a corresponding function code or sub-function code, where the plurality of function codes and sub-function codes corresponding to all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
a second module, configured to input the function code sequence corresponding to the connection into a trained S7 protocol anomaly detection model to obtain a detection result of the connection, where the S7 protocol anomaly detection model is obtained by training:
the first submodule is used for acquiring a plurality of connections from an industrial control network, each connection comprises a plurality of S7 protocol communication data packets, each S7 protocol communication data packet is analyzed to acquire a corresponding function code or a corresponding sub-function code, and the plurality of function codes and the corresponding sub-function codes of all S7 protocol communication data packets included in each connection form a function code sequence corresponding to the connection;
the second submodule is used for cutting the function code sequence corresponding to each connection obtained by the second submodule according to the preset cutting length so as to obtain a plurality of new function code sequences with equal length corresponding to the connection, and the new function code sequences corresponding to all the connections form an S7 protocol data set;
a third submodule for randomly generating a particle swarm $X = (X_1, X_2, \ldots, X_N)$ and randomly generating the particle velocity $V_i = (V_{iC}, V_{i\tau}, V_{i\sigma})$ of the $i$-th particle in the swarm, where $N$ represents the total number of particles in the generated swarm, $X_i$ is represented by a three-dimensional vector $(C_i, \tau_i, \sigma_i)$, $i \in [1, N]$, and the initial values of the three components are random numbers;
a fourth sub-module, configured to input the S7 protocol data set obtained by the second sub-module into an SVM model for training, so as to obtain the classification accuracy corresponding to each particle in the particle swarm obtained by the third sub-module, where the penalty factor in the SVM model is the component $C_i$ of each particle $X_i$ in step (2-3), and the two parameters to be optimized in the kernel function of the support vector machine are respectively the remaining two components $\tau_i$ and $\sigma_i$ of the particle $X_i$;
a fifth sub-module for taking the classification accuracy corresponding to each particle obtained by the fourth sub-module as the fitness value $F(X_i)$ of that particle, and calculating the individual extreme value $P_i$ of the particle and the population extreme value $G$ of the particle swarm by the PSO algorithm according to the fitness value $F(X_i)$;
a sixth submodule for repeatedly and iteratively updating the particle $X_i$ and its particle velocity $V_i$ according to the individual extreme value and the group extreme value obtained by the fifth submodule and the following formulas, until the difference $F(X_i^{K+1}) - F(X_i^{K})$ between the fitness values of the particles $X_i^{K+1}$ and $X_i^{K}$ obtained in two successive iterations is less than 0.01%, thereby obtaining a trained SVM model as the S7 protocol anomaly detection model;
$V_i^{K+1} = \omega_i \cdot V_i^{K} + c_1 \cdot r_1 \cdot (P_i - X_i^{K}) + c_2 \cdot r_2 \cdot (G - X_i^{K})$
$X_i^{K+1} = X_i^{K} + V_i^{K+1}$
where the superscript $K$ denotes the current iteration number, $\omega_i$ represents the current inertia weight, whose value lies between 0 and 1, $c_1$ and $c_2$ are learning factors, $r_1$ and $r_2$ are random numbers between 0 and 1, $X_i^{K}$ denotes the $i$-th particle at the current iteration number $K$, and $V_i^{K}$ denotes the particle velocity of the $i$-th particle at the current iteration number $K$.
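As an added worked example, not code from the patent, the following stdlib-only Python implements the pieces the claims spell out: windowing of a connection's function-code sequence with zero padding (claim 3), the mixed POLY/RBF kernel (claim 4), the linearly decreasing inertia weight (claim 5) and one PSO velocity/position update with the 0.01% stopping test of step (2-6). The SVM training itself is out of scope; the exact polynomial kernel form, the parameter bounds and the sample function codes are assumptions.

```python
# Added example (not the patent's code): stdlib-only pieces of the PSO-SVM pipeline.
# Assumed: polynomial kernel (x.y + 1)^d, search bounds below, constructed sample data.
import math
import random

# Assumed search bounds for X_i = (C_i, tau_i, sigma_i): C > 0, 0 < tau < 1, sigma > 0.
BOUNDS = [(1e-3, 1e3), (1e-3, 0.999), (1e-3, 1e3)]

def cut_sequence(codes, cut_len):
    """Claim 3 / step (2-2): split one connection's function-code sequence into
    equal-length windows; a window shorter than cut_len is zero-padded."""
    windows = [codes[i:i + cut_len] for i in range(0, len(codes), cut_len)]
    return [w + [0] * (cut_len - len(w)) for w in windows] or [[0] * cut_len]

def mixed_kernel(x, y, tau, sigma, d=3):
    """Claim 4: K = (1 - tau) * K_POLY + tau * K_RBF, with a degree-3 global
    polynomial kernel and a local RBF kernel of width sigma."""
    dot = sum(a * b for a, b in zip(x, y))
    k_poly = (dot + 1.0) ** d
    sq_dist = sum((a - b) ** 2 for a, b in zip(x, y))
    k_rbf = math.exp(-sq_dist / (2.0 * sigma ** 2))
    return (1.0 - tau) * k_poly + tau * k_rbf

def inertia_weight(k, k_max, w_max=1.0, w_min=0.0):
    """Claim 5: inertia weight decreasing linearly from w_max to w_min."""
    return w_max - (w_max - w_min) * k / k_max

def pso_step(x, v, p_best, g_best, k, k_max, c1=2.0, c2=2.0, r=None):
    """Step (2-6): one velocity/position update of particle X_i. r = (r1, r2)
    may be fixed for reproducibility; otherwise both are drawn uniformly."""
    r1, r2 = r if r is not None else (random.random(), random.random())
    w = inertia_weight(k, k_max)
    v_new = [w * vi + c1 * r1 * (pi - xi) + c2 * r2 * (gi - xi)
             for xi, vi, pi, gi in zip(x, v, p_best, g_best)]
    # Keep the new position inside the assumed bounds (e.g. 0 < tau < 1).
    x_new = [min(max(xi + vi, lo), hi)
             for xi, vi, (lo, hi) in zip(x, v_new, BOUNDS)]
    return x_new, v_new

def converged(f_new, f_old, tol=1e-4):
    """Stopping rule of step (2-6): fitness (accuracy in [0, 1]) changed by
    less than 0.01% between two successive iterations."""
    return abs(f_new - f_old) < tol

if __name__ == "__main__":
    # Constructed sample: S7comm function codes of one connection (0xF0, 0x04, 0x05).
    conn = [0xF0, 0x04, 0x04, 0x05, 0x04, 0x05, 0x05]
    print(cut_sequence(conn, 4))                          # [[240, 4, 4, 5], [4, 5, 5, 0]]
    print(mixed_kernel([1, 0, 0], [1, 0, 0], 0.5, 1.0))   # 4.5
```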
CN201910609621.2A 2019-07-08 2019-07-08 Method and system for detecting S7 protocol abnormal communication behavior based on PSO-SVM Active CN110602034B (en)

Publications (2)

Publication Number Publication Date
CN110602034A CN110602034A (en) 2019-12-20
CN110602034B true CN110602034B (en) 2020-06-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant