CN110659482A - Industrial network intrusion detection method based on GAPSO-TWSVM - Google Patents


Info

Publication number
CN110659482A
Authority
CN
China
Legal status
Granted
Application number
CN201910922555.4A
Other languages
Chinese (zh)
Other versions
CN110659482B (en)
Inventor
周原
李和林
刘明山
王迎
刘清忆
任彩琴
张圆圆
Current Assignee
Jilin University
Original Assignee
Jilin University
Application filed by Jilin University
Priority to CN201910922555.4A
Publication of CN110659482A
Application granted
Publication of CN110659482B
Legal status: Active

Classifications

    • G06F21/55 Detecting local intrusion or implementing counter-measures (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation)
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting (same parent path as G06F18/213)
    • G06N3/126 Evolutionary algorithms, e.g. genetic algorithms or genetic programming (G Physics > G06 Computing; calculating or counting > G06N Computing arrangements based on specific computational models > G06N3/00 Computing arrangements based on biological models > G06N3/12 Computing arrangements based on biological models using genetic models)

Abstract

The invention relates to an industrial network intrusion detection method based on a GAPSO-TWSVM, which comprises the following steps: randomly selecting data in an industrial control intrusion detection standard data set as a training set and a testing set, and performing feature extraction on the data by using a PCA algorithm so as to reduce the dimensionality of the data; constructing a TWSVM industrial network intrusion detection classifier, training the TWSVM industrial network intrusion detection classifier by using a training set subjected to feature extraction, optimizing parameters by using a GAPSO algorithm, and detecting and classifying a test set by using the trained TWSVM industrial network intrusion detection classifier. The method can detect abnormal data in the industrial network data, has higher detection precision compared with the traditional industrial network intrusion detection algorithm, and can be better applied to the field of industrial network information security.

Description

Industrial network intrusion detection method based on GAPSO-TWSVM
Technical Field
The invention relates to the technical field of industrial network intrusion detection, in particular to an industrial network intrusion detection method based on a GAPSO-TWSVM.
Background
An industrial control system is an intelligent manufacturing system made up of intelligent industrial production components and industrial computer equipment. With the successive rollout of the Industry 4.0 and industrial internet strategies, the industrial sector has entered an industrial revolution centred on intelligent manufacturing. However, as industrialization and automation move towards networking and informatization, more and more industrial control systems must be connected to external networks. The original closure of the industrial control system is thereby broken, and unsafe factors such as viruses and trojans enter the industrial control network along with the normal information flow, causing security problems such as information leakage and instruction tampering and threatening the safety of industrial production. Intrusion detection technology, as an active security defense technology, can detect unauthorized operations or illegal intrusions in a network.
At present, industrial network intrusion detection methods are generally classified as knowledge-based, protocol-based, device-based, and so on. Twin Support Vector Machines (TWSVMs) have strong generalization and computational capabilities and are therefore widely applied in machine learning. In practice, industrial network data contains a large amount of redundancy; to remove that redundancy and reduce model training time, feature extraction is usually performed on the original data, and Principal Component Analysis (PCA) is widely used as a dimension reduction technique in data analysis and image processing. In the design of the TWSVM model, the choice of parameters has a great influence on the final intrusion detection result, so the parameters are optimized with a GAPSO algorithm that combines the Genetic Algorithm (GA) and Particle Swarm Optimization (PSO).
Disclosure of Invention
The invention relates to an industrial network intrusion detection method based on a GAPSO-TWSVM, which comprises the steps of firstly utilizing a PCA algorithm to extract the characteristics of selected experimental data samples, reducing the dimension of data, then utilizing the TWSVM algorithm to construct an industrial network intrusion detection classifier, and utilizing the GAPSO algorithm to optimize all parameters of the TWSVM, thereby finally improving the intrusion detection performance.
An industrial network intrusion detection method based on a GAPSO-TWSVM is characterized by comprising the following steps:
step 1: selecting an industrial control intrusion detection standard data set as the industrial network intrusion detection data set used by the invention;
step 2: since the value ranges of the different characteristics of each piece of data in the industrial control intrusion detection standard data set differ greatly, normalizing each piece of data of the data set;
step 3: performing feature selection on the preprocessed data with a PCA (principal component analysis) dimension reduction algorithm to reduce the dimension of the data set, taking the data set after feature selection as the input of a TWSVM (twin support vector machine) classifier, and using a radial basis kernel function as the kernel function of the TWSVM;
step 4: performing iterative optimization of the parameters of the TWSVM with a GAPSO algorithm;
step 5: after the parameters of the TWSVM classifier have been determined, inputting data and evaluating the result output by the TWSVM classifier.
The invention has the beneficial effects that:
the industrial network intrusion detection method based on the GAPSO-TWSVM of the invention is characterized in that on the basis of extracting the experimental data features by means of a PCA algorithm, a TWSVM classification model is constructed, and each parameter of the TWSVM is optimized by the GAPSO algorithm, so that the algorithm performance of the industrial network intrusion detection is finally improved.
Drawings
FIG. 1 is an overall flow chart of an embodiment of the present invention;
FIG. 2 is a flowchart illustrating optimization parameters of the GAPSO algorithm according to an embodiment of the present invention;
FIG. 3 is a graph comparing the number of iterations and the training precision of the algorithm of the embodiment of the present invention with those of the PSO-TWSVM and GA-TWSVM algorithms;
FIG. 4 is a graph comparing the detection rate, false alarm rate, missed alarm rate and model training time of the algorithm of the embodiment of the present invention with those of the PSO-TWSVM and GA-TWSVM algorithms.
Detailed Description
The present invention is described in further detail below with reference to the attached drawings so that those skilled in the art can implement the invention by referring to the description.
The invention provides an industrial network intrusion detection method based on a GAPSO-TWSVM, which comprises the following steps:
In step 1: 5000 pieces of data in an industrial control intrusion detection standard data set are randomly selected as the training samples of the experiment, of which 2000 are normal records and 3000 are abnormal records; 1000 samples from the same data set are randomly selected as test samples, of which 600 are normal records and 400 are abnormal records. Each piece of data in the data set is 26-dimensional, i.e. each piece of data has 26 characteristic attributes.
In step 2: because the value ranges of the different characteristics of the industrial control intrusion detection standard data differ greatly, the selected experimental data must be normalized; the normalization interval is (0,1), and the normalization formula is as follows:
(normalization formula given as image BDA0002217993020000021; not reproduced in the text)
where x is the real data before normalization and x' is the data after normalization.
In step 3: the feature selection method is the PCA dimension reduction algorithm. PCA applies a linear transformation to the original 26 industrial features x_1, x_2, …, x_26 to obtain 26 new industrial features; the 26 new principal components form a new feature vector space, arranged in descending order of the variance contribution rate of each principal component, and m features are selected from this space to represent the 26 characteristics of the original data set, thereby reducing the dimension of the data. The number of extracted features is 10. The radial basis kernel function is:
(radial basis kernel function given as image BDA0002217993020000022; not reproduced in the text)
in the step 4: and (3) optimizing TWSVM model parameters by using a GAPSO algorithm: radial basis function width σ and parameter c of TWSVM1,c2. The GAPSO algorithm comprises the following steps:
a. initializing a particle swarm, setting the size of the swarm, and randomly generating the position and the speed of the particle and the range of the position and the speed;
b. defining a fitness function, and calculating the fitness value of each particle according to the fitness function;
c. comparing the fitness value of the particle with the individual optimal value, and if the current fitness value is superior to the current particle optimal value, updating the current particle optimal value and taking the current particle optimal value as the current best position;
d. comparing the fitness value of each particle with the global optimum value, and if the fitness value is better, taking the fitness value as the current global optimum value;
e. and selecting and crossing the genetic operators. Mutation;
f. updating the position and the speed of the particles;
g. and c, judging whether the termination condition is met, if so, outputting the optimal solution, and if not, returning to the step b.
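The GAPSO loop of steps a to g, as an added Python illustration that is not code from the patent: a pluggable fitness function is maximised with PSO individual and global bests, the GA operators (tournament selection, arithmetic crossover, mutation) are applied to the swarm, then the speed and position update and a termination check follow. The search ranges for σ, c1 and c2 and the smooth stand-in fitness are constructed assumptions; in the patent's pipeline the fitness would be the detection result of a TWSVM trained with those parameters.

```python
import random


def clip(x, lo, hi):
    """Keep a coordinate inside its allowed range."""
    return max(lo, min(hi, x))


def gapso(fitness, bounds, swarm_size=30, iters=200, w=0.6, c1=1.5, c2=1.5,
          p_cross=0.8, p_mut=0.1, patience=60, seed=1):
    """Maximise `fitness` over the box `bounds` with the GA-augmented PSO loop
    (steps a-g of the description). Returns (best_position, best_fitness)."""
    rng = random.Random(seed)
    dim = len(bounds)
    vmax = [(hi - lo) * 0.2 for lo, hi in bounds]       # speed range per dimension
    # a. initialise the swarm: random positions and speeds within their ranges
    pos = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(swarm_size)]
    vel = [[rng.uniform(-v, v) for v in vmax] for _ in range(swarm_size)]
    pbest = [p[:] for p in pos]
    pbest_fit = [float("-inf")] * swarm_size
    gbest, gbest_fit, stall = pos[0][:], float("-inf"), 0
    for _ in range(iters):
        fit = [fitness(p) for p in pos]                  # b. fitness of every particle
        improved = False
        for i in range(swarm_size):
            if fit[i] > pbest_fit[i]:                    # c. individual best
                pbest_fit[i], pbest[i] = fit[i], pos[i][:]
            if fit[i] > gbest_fit:                       # d. global best
                gbest_fit, gbest, improved = fit[i], pos[i][:], True
        # e. genetic operators: tournament selection, arithmetic crossover, mutation
        sel = []
        for _ in range(swarm_size):
            a, b = rng.randrange(swarm_size), rng.randrange(swarm_size)
            sel.append(a if fit[a] >= fit[b] else b)
        pos = [pos[i][:] for i in sel]
        vel = [vel[i][:] for i in sel]
        pbest = [pbest[i][:] for i in sel]
        pbest_fit = [pbest_fit[i] for i in sel]
        for i in range(0, swarm_size - 1, 2):
            if rng.random() < p_cross:
                alpha = rng.random()
                for d in range(dim):
                    x, y = pos[i][d], pos[i + 1][d]
                    pos[i][d] = alpha * x + (1 - alpha) * y
                    pos[i + 1][d] = alpha * y + (1 - alpha) * x
        for i in range(swarm_size):
            for d in range(dim):
                if rng.random() < p_mut:
                    lo, hi = bounds[d]
                    pos[i][d] = clip(pos[i][d] + rng.gauss(0, 0.1 * (hi - lo)), lo, hi)
        # f. PSO update of speed and position
        for i in range(swarm_size):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                v = (w * vel[i][d] + c1 * r1 * (pbest[i][d] - pos[i][d])
                     + c2 * r2 * (gbest[d] - pos[i][d]))
                vel[i][d] = clip(v, -vmax[d], vmax[d])
                lo, hi = bounds[d]
                pos[i][d] = clip(pos[i][d] + vel[i][d], lo, hi)
        # g. termination: stop once the global best has not improved for `patience` rounds
        stall = 0 if improved else stall + 1
        if stall >= patience:
            break
    return gbest, gbest_fit


# Assumed search ranges for (sigma, c1, c2); these values are not from the patent.
BOUNDS = [(0.01, 10.0), (0.01, 100.0), (0.01, 100.0)]


def demo_fitness(params):
    """Constructed stand-in for the fitness function. In the patent's pipeline this
    would train a TWSVM with (sigma, c1, c2) on the PCA-reduced training set and
    return its detection accuracy; here a smooth surface peaking at (2, 30, 45) is used."""
    target = (2.0, 30.0, 45.0)
    return -sum((p - t) ** 2 for p, t in zip(params, target))


def tune_twsvm_params():
    """Run GAPSO over the assumed ranges; returns ((sigma, c1, c2), fitness)."""
    return gapso(demo_fitness, BOUNDS)


if __name__ == "__main__":
    best, best_fit = tune_twsvm_params()
    print("sigma=%.3f c1=%.3f c2=%.3f fitness=%.5f" % (best[0], best[1], best[2], best_fit))
```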
In the step 5: and performing performance evaluation on the detection result, wherein the adopted evaluation indexes are correct rate, false alarm rate, missing report rate and model training time, and the performance of the detection result is compared with a PSO-TWSVM algorithm and a GA-TWSVM algorithm.
The examples are as follows: firstly, normalization processing is carried out on selected experimental data, and the normalized interval is (0, 1). And (3) performing feature extraction on the normalized experimental data by using a PCA algorithm, namely performing dimension reduction on the experimental data, wherein the selected cumulative contribution rate is 95%. And according to the determined cumulative contribution rate, the number of the extracted features is 10, namely the dimension of the experimental data is reduced from the original 26 dimensions to 10 dimensions. Inputting the experimental data after feature extraction into a constructed TWSVM classifier, optimizing the parameters of the TWSVM model by using a GAPSO algorithm, and finally carrying out performance inspection on the trained TWSVM classifier by using a selected test set.
In order to verify the beneficial effects of the invention, four evaluation indexes are used for evaluation. The indexes are correct rate, false alarm rate, missing report rate and model training time, and the method is compared with a PSO-TWSVM algorithm and a GA-TWSVM algorithm
The invention relates to an industrial network intrusion detection method based on a GAPSO-TWSVM, which is characterized in that on the basis of extracting experimental data features by means of a PCA algorithm, a TWSVM detection classification model is constructed, model parameters are optimized by means of the GAPSO algorithm, and finally the algorithm performance of industrial network intrusion detection is improved.
While embodiments of the invention have been described above, it is not intended to be limited to the applications set forth in the specification and illustrated embodiments, but rather, may be applied to various fields of endeavor to which the invention has been applied and further modifications may readily occur to those skilled in the art, and it is therefore intended that the invention not be limited to the details shown and described herein, without departing from the general concept defined by the appended claims and their equivalents.

Claims (6)

1. An industrial network intrusion detection method based on a GAPSO-TWSVM is characterized by comprising the following steps:
step 1: selecting an industrial control intrusion detection standard data set as the industrial network intrusion detection data set used by the invention;
step 2: since the value ranges of the different characteristics of each piece of data in the industrial control intrusion detection standard data set differ greatly, normalizing each piece of data of the data set;
step 3: performing feature selection on the preprocessed data with a PCA (principal component analysis) dimension reduction algorithm to reduce the dimension of the data set, taking the data set after feature selection as the input of a TWSVM (twin support vector machine) classifier, and using a radial basis kernel function as the kernel function of the TWSVM;
step 4: performing iterative optimization of the parameters of the TWSVM with a GAPSO algorithm;
step 5: after the parameters of the TWSVM classifier have been determined, inputting data and evaluating the result output by the TWSVM classifier.
2. The method for detecting intrusion into an industrial network based on a GAPSO-TWSVM as claimed in claim 1, wherein in step 1: 5000 pieces of data in an industrial control intrusion detection standard data set are randomly selected as the training samples of the experiment, of which 2000 are normal records and 3000 are abnormal records; 1000 samples from the same data set are randomly selected as test samples, of which 600 are normal records and 400 are abnormal records; each piece of data in the data set is 26-dimensional, i.e. each piece of data has 26 characteristic attributes.
3. The method for detecting intrusion into an industrial network based on a GAPSO-TWSVM as claimed in claim 1, wherein in step 2: because the value ranges of the different characteristics of the industrial control intrusion detection standard data differ greatly, the selected experimental data must be normalized; the normalization interval is (0,1), and the normalization formula is as follows:
(normalization formula given as image FDA0002217993010000011; not reproduced in the text)
where x is the real data before normalization and x' is the data after normalization.
4. The method for detecting intrusion into an industrial network based on a GAPSO-TWSVM as claimed in claim 1, wherein in step 3: the feature selection method is the PCA dimension reduction algorithm; PCA applies a linear transformation to the original 26 industrial features x_1, x_2, …, x_26 to obtain 26 new industrial features, the 26 new principal components forming a new feature vector space arranged in descending order of the variance contribution rate of each principal component; by properly selecting the first m features, these represent the 26 characteristics of the original data set, thereby achieving the dimension reduction of the data; the number of extracted features is 10; and the radial basis kernel function is as follows:
(radial basis kernel function given as image FDA0002217993010000012; not reproduced in the text)
5. The method for detecting intrusion into an industrial network based on a GAPSO-TWSVM as claimed in claim 1, wherein in step 4: the TWSVM model parameters are optimized with the GAPSO algorithm, namely the radial basis function width σ and the TWSVM parameters c_1 and c_2; the GAPSO algorithm comprises the following steps:
a. initializing a particle swarm, setting the size of the swarm, and randomly generating the position and the speed of the particle and the range of the position and the speed;
b. defining a fitness function, and calculating the fitness value of each particle according to the fitness function;
c. comparing the fitness value of the particle with the individual optimal value, and if the current fitness value is superior to the current particle optimal value, updating the current particle optimal value and taking the current particle optimal value as the current best position;
d. comparing the fitness value of each particle with the global optimum value, and if the fitness value is better, taking the fitness value as the current global optimum value;
e. selecting, crossing and mutating the genetic operator;
f. updating the position and the speed of the particles;
g. judging whether the termination condition is met; if so, outputting the optimal solution, otherwise returning to step b.
6. The method for detecting intrusion into an industrial network based on a GAPSO-TWSVM as claimed in claim 1, wherein in step 5: the detection result is evaluated using the indexes accuracy (correct rate), false alarm rate, missed alarm rate and model training time, and is compared with the performance of the PSO-TWSVM and GA-TWSVM algorithms.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910922555.4A CN110659482B (en) 2019-09-27 2019-09-27 Industrial network intrusion detection method based on GAPSO-TWSVM

Publications (2)

Publication Number Publication Date
CN110659482A true CN110659482A (en) 2020-01-07
CN110659482B CN110659482B (en) 2022-03-25

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113221100A (en) * 2021-02-09 2021-08-06 上海大学 Countermeasure intrusion detection method for industrial internet boundary protection

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104702460A (en) * 2013-12-10 2015-06-10 中国科学院沈阳自动化研究所 Method for detecting anomaly of Modbus TCP (transmission control protocol) communication on basis of SVM (support vector machine)
CN105703963A (en) * 2014-11-26 2016-06-22 中国科学院沈阳自动化研究所 PSO-OCSVM based industrial control system communication behavior anomaly detection method
CN105718932A (en) * 2016-01-20 2016-06-29 中国矿业大学 Color image classification method and system based on fruit fly optimization algorithm and smooth twin support vector machine
CN107229971A (en) * 2017-06-06 2017-10-03 西安电子科技大学 Optimal adaptive strategy decision method based on GAPSO algorithm
US20170329314A1 (en) * 2014-11-26 2017-11-16 Shenyang Institute Of Automation, Chinese Academy Of Sciences Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model
CN108763926A (en) * 2018-06-01 2018-11-06 中国电子技术标准化研究院 Industrial control system intrusion detection method with security immunization ability
CN108830428A (en) * 2018-07-04 2018-11-16 吉林大学 Short-term wind speed prediction method based on four-parameter mixed kernel function LSSVM
CN109388944A (en) * 2018-11-06 2019-02-26 吉林大学 Intrusion detection method based on KPCA and ELM
CN109902740A (en) * 2019-02-27 2019-06-18 浙江理工大学 Industrial control intrusion detection method based on multi-algorithm fusion and parallel re-learning
CN110149330A (en) * 2019-05-22 2019-08-20 潘晓君 PSO feature selection weighted intrusion detection method and system based on information gain

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
XIAOLI LIN et al.: "Protein Folding Structure Optimization Based on GAPSO Algorithm in the Off-Lattice Model", published online: HTTPS://IEEEXPLORE.IEEE.ORG/STAMP/STAMP.JSP?TP=&ARNUMBER=6999246 *
YUAN ZHOU et al.: "Network Intrusion Detection Based on Kernel Principal Component Analysis and Extreme Learning Machine", published online: HTTPS://IEEEXPLORE.IEEE.ORG/STAMP/STAMP.JSP?TP=&ARNUMBER=8600104 *
业巧林 et al.: "Feature selection algorithm for twin support vector machines based on regularization technique", Journal of Computer Research and Development *
许璟 et al.: "Behavioral model of a Doherty power amplifier based on a GAPSO_BP neural network", Computer Applications and Software *

Also Published As

Publication number Publication date
CN110659482B (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant