CN110719250B - Powerlink industrial control protocol anomaly detection method based on PSO-SVDD - Google Patents


Info

Publication number: CN110719250B
Authority: CN (China)
Prior art keywords: data, industrial control, powerlink, svdd, pso
Legal status: Active
Application number: CN201810767994.8A
Other languages: Chinese (zh)
Other versions: CN110719250A
Inventors: 尚文利, 赵剑明, 刘贤达, 尹隆, 陈春雨, 曾鹏
Current assignee: Shenyang Institute of Automation of CAS
Original assignee: Shenyang Institute of Automation of CAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a PSO-SVDD based anomaly detection method for the Powerlink industrial control protocol, addressing the security problem of industrial control networks. Specifically, in view of the particularities of a Powerlink industrial control network, the Powerlink communication system is analyzed from the industrial control security perspective, data traffic features are extracted from the communication network by revealing possible abnormal attack behaviors, a Support Vector Data Description (SVDD) anomaly detection model is established, and abnormal network communication traffic is identified. Meanwhile, an improved Particle Swarm Optimization (PSO) is adopted to optimize the model parameters, which further improves detection accuracy. The method can effectively detect abnormal malicious attack behaviors and improve the safe operation of the industrial control communication network.

Description

Powerlink industrial control protocol anomaly detection method based on PSO-SVDD
Technical Field
The invention relates to a Powerlink industrial control protocol anomaly detection method based on PSO-SVDD (particle swarm optimization - support vector data description), which extracts communication traffic data features and establishes an anomaly detection model by analyzing the vulnerability of a Powerlink industrial control network and its possible abnormal attack behaviors, and belongs to the field of industrial control network security.
Background
With the development of informatization and networking, Industrial Control Systems (ICS) are moving toward information networking: the originally isolated, closed environment has become an open one, and industrial control network security faces more and more malicious attack threats. In recent years, network attack incidents against industrial control systems have increased, causing significant losses to industrial production. Industrial control systems are widely deployed in critical national infrastructure such as electric power, petrochemicals, transportation and energy, so ensuring the security of industrial control networks is particularly important and bears on national prosperity and public well-being.
The security problems of industrial control system communication protocols have two main aspects: defects in the communication protocol itself, and attacks suffered by the protocol implementation. For the security problem of a specific protocol being attacked, intrusion detection technology has a good detection effect. Intrusion detection can detect intrusion attack behaviors on top of a firewall and is a secure and reliable approach to network monitoring.
Ethernet Powerlink is a high-speed, open-source industrial control network communication protocol with high real-time performance, built on standard Ethernet IEEE 802.3. Powerlink adopts a typical master/slave communication mode and has broad application prospects in fields such as CNC and robotics, high-speed multi-axis systems, and timing analysis for aviation and high-speed rail test systems. The Powerlink industrial network is exposed to security risks and threats because of the vulnerability of traditional networks and some security vulnerabilities of Powerlink itself. At present, regarding the security of Powerlink networks, scholars at home and abroad have only discussed and studied the implementation of openSAFETY on Powerlink; they have neither analyzed its security vulnerabilities and possible attack behaviors nor studied intrusion detection, so Powerlink has a serious security problem.
In view of these problems, the security of the Powerlink network is studied in depth through security research on related industrial control networks and a deep analysis of the Powerlink protocol specification, an anomaly detection model is established, and abnormal attack behaviors are detected in real time. The method comprises analyzing the typical attack behaviors of the Powerlink industrial control network, analyzing the data traffic characteristics of the communication network, extracting data feature vectors, establishing an SVDD anomaly detection classification model, optimizing the model parameters through an improved particle swarm optimization, and monitoring the Powerlink network in real time, which greatly improves the security of the communication network.
Disclosure of Invention
In view of this, the present invention provides a PSO-SVDD based method for detecting abnormal behavior of the Powerlink industrial control protocol, which realizes the detection of abnormal attack behaviors in a Powerlink industrial control network.
The technical scheme adopted by the invention to solve the technical problem is as follows: a Powerlink industrial control protocol anomaly detection method based on PSO-SVDD comprises the following steps:
feature extraction: acquiring a Powerlink industrial control network communication flow data packet and extracting the characteristic attribute of Powerlink industrial control protocol data;
data preprocessing: dividing the data into different sequences according to different attributes, removing redundant data sequences in the sequences, arranging the data in each sequence to construct data characteristic vectors, and performing normalization processing;
PSO optimization: iterating the initialized particles through a particle swarm algorithm to obtain optimal values of the penalty factor C and the Gaussian kernel function parameter g, and establishing an optimization model;
SVDD: carrying out classification detection on the initialized feature vector data set through a support vector data domain description algorithm to obtain a detection model;
PSO-SVDD: establishing an anomaly detection model from the optimization model and the detection model to detect abnormal behaviors.
The feature extraction comprises the following steps:
A Linux operating system is used to capture Powerlink industrial control network communication traffic packets through the Libpcap library functions, and the required feature attributes of the Powerlink control protocol data are extracted according to the protocol.
The characteristic attributes for extracting the Powerlink industrial control protocol data are specifically as follows:
extracting the related data features of the node request message PReq, the node response message PRes and the Start of Asynchronous message SoA;
extracting the byte data representing the Powerlink industrial control protocol in PReq, PRes and SoA.
The normalization comprises the following steps:
mapping the data to the [0,1] interval by the min-max normalization method, so that data of different units and magnitudes are brought into a uniform form:
Figure BDA0001729521730000031
wherein max and min represent the maximum value and the minimum value of data in a sequence respectively; x represents an input vector, i.e., a data feature vector; y represents the output vector, i.e. the normalized data feature vector.
The PSO optimization comprises the following steps:
setting the maximum number of iterations Kmax and the limit ranges of particle position and velocity;
randomly initializing a group of particles, whose features are position, velocity and fitness value, the two components being the penalty factor C and the Gaussian kernel function parameter g to be optimized;
performing SVDD training with each particle's components as the penalty factor C and Gaussian kernel function parameter g of the support vector data description, and selecting the cross-validation accuracy as the particle fitness value;
if a larger fitness value than the individual or group extremum occurs, updating that extremum;
if the number of iterations exceeds the set value Kmax, or the fitness value is below a certain threshold for N consecutive times, stopping the iteration; the obtained group extremum is the optimal parameter;
updating the particle velocity, position and inertia weight: after each round of updating, checking the range of the position, and if it exceeds the preset range, setting it within the allowed range.
The support vector data field description algorithm comprises the following steps:
data extraction: acquiring an initialized feature vector data set, and establishing training set data and test set data of an intrusion detection network;
obtaining the optimal parameters: receiving a penalty factor C and an optimal value of a Gaussian kernel function g which are obtained by PSO optimization training;
constructing and solving a dual problem to obtain a sphere center and a radius;
constructing a decision function;
carrying out classified prediction on the test set describing the communication behavior according to the constructed decision function.
The invention has the following beneficial effects and advantages:
1. The invention provides an anomaly detection method based on the Powerlink communication protocol, aimed at the security problem faced by the industrial communication network Ethernet Powerlink. The method adopts the SVDD algorithm to establish an anomaly detection classification model, and effectively monitors the single-class (normal) communication traffic that exists in large amounts in the communication network.
2. The invention analyzes the security of the Ethernet Powerlink industrial control system and the attack modes of abnormal attack behaviors, provides a feature extraction method for anomaly detection on the Powerlink industrial control protocol, and provides experience for subsequent Powerlink anomaly detection research.
3. The SVDD anomaly detection method uses particle swarm optimization to tune the parameters of the SVDD anomaly detection model, and uses a linearly decreasing strategy to compute the value of the inertia weight ω.
Drawings
FIG. 1 is an overall framework diagram of Powerlink industrial control protocol anomaly detection based on PSO-SVDD;
FIG. 2 is a PSO-SVDD anomaly detection model.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
A Powerlink industrial control protocol anomaly detection method based on PSO-SVDD comprises the following steps:
vulnerability analysis: analyzing the vulnerability of the Powerlink communication protocol according to the characteristics of the Powerlink industrial control protocol;
attack behavior analysis: analyzing the possible attack behaviors of the Powerlink communication network according to the characteristics of the Powerlink industrial control protocol;
feature extraction: first, C programs using the Libpcap library functions on a Linux operating system capture Powerlink industrial control network communication traffic packets, and normal data feature attributes that reflect the characteristics of the Powerlink industrial control network are extracted;
data preprocessing: dividing the data into different short sequences according to attribute, removing redundant data sequences in the sequences, arranging the data in each sequence to construct the SVDD data feature vectors, and performing normalization;
PSO optimization: iteratively optimizing the SVDD penalty factor C and Gaussian kernel function parameter g with the initialized particles through Particle Swarm Optimization (PSO) to obtain the optimal parameters, and establishing the optimization model;
SVDD: performing classification detection on the initialized feature vector data set through the support vector data description algorithm (SVDD) to establish the detection model;
PSO-SVDD: establishing the anomaly detection model from the optimization model and the detection model to detect abnormal behaviors.
The vulnerability analysis comprises: because of its protocol structure and some security holes in that structure, and because the Powerlink industrial control protocol lacks security mechanisms such as authentication, authorization and encryption, it is prone to the security risks and threats of abnormal-behavior attacks.
The attack behavior analysis comprises: through the security vulnerabilities of the system, an attacker mainly mounts malicious attacks on the availability, integrity and confidentiality of the Powerlink industrial control protocol, obstructing the normal network communication process.
The feature extraction comprises the following steps:
C programs using the Libpcap library functions on a Linux operating system capture Powerlink industrial control network communication traffic packets, and the required Powerlink attribute data values are extracted according to the protocol specification.
The normalization comprises the following steps:
dividing the data into different short sequences according to attribute, and forming a short sequence set after removing repeated redundant data sequences in each sequence;
arranging the data in each sequence in a set order to construct the SVDD data feature vector;
mapping the data to the [0,1] interval by the min-max normalization method, bringing data of different units and magnitudes into a uniform form:
Figure BDA0001729521730000061
wherein max and min represent the maximum value and the minimum value of data in a sequence respectively; x represents an input vector; y denotes an output vector.
The PSO optimization comprises the following steps:
setting the maximum number of iterations Kmax of the PSO algorithm, in case the end condition is never met, and the limit ranges of particle position and velocity;
randomly initializing a group of particles, each representing a potential optimal solution of the problem, whose features are position, velocity and fitness value, the two components being the penalty factor C and the Gaussian kernel function parameter g to be optimized;
performing SVDD training with each particle's components as the penalty factor C and Gaussian kernel function parameter g of the support vector data description, and selecting the accuracy in the cross-validation sense as the particle fitness value;
updating the individual extremum and group extremum according to the fitness value: if a larger fitness value occurs, updating the individual and population extrema;
judging whether the end condition is met: if the number of iterations exceeds Kmax, or the fitness value is below a certain threshold for N consecutive times, stopping the iteration; the obtained group extremum is the optimal parameter comprising C and g;
updating the particle velocity, position and inertia weight according to the formulas: after each round of updating, checking the range of the position, and if it exceeds the preset range, setting it within the allowed range.
The iterative formula is:
Figure BDA0001729521730000062
Figure BDA0001729521730000071
the formula for calculating the inertial weight of the linear decreasing strategy is as follows:
Figure BDA0001729521730000072
where ω is the inertia weight, k the current iteration number, $P_i$ the individual extremum, $P_g$ the population extremum and d the dimension of the particle.
The SVDD algorithm comprises the following steps:
data extraction: acquiring the initialized feature vector data, namely the normal traffic data of the Powerlink communication network, and establishing the training set and test set of the intrusion detection network through data preprocessing and PSO (particle swarm optimization);
obtaining the optimal parameters: receiving the penalty factor C and the optimal value of the Gaussian kernel function g trained in the parameter optimization stage;
constructing and solving the dual problem to obtain the sphere center and radius;
constructing the decision function;
obtaining the detection model for the test set describing the communication behavior according to the constructed decision function, and performing classification prediction.
The dual problem is as follows:
Figure BDA0001729521730000073
Figure BDA0001729521730000074
where L denotes the dual objective, $\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_n)$ the Lagrange multipliers and $K(x_i, x_j)$ the Gaussian radial basis kernel function; solving it yields $\alpha^* = (\alpha_1^*, \alpha_2^*, \ldots, \alpha_n^*)$; n denotes the total number of data vectors;
the decision function is:
$f(x) = \mathrm{sgn}(R^2 - \|z - a\|^2)$
in the formula:
Figure BDA0001729521730000081
Figure BDA0001729521730000082
where sgn() denotes the sign function; if the output f(x) is positive, the test point is a normal sample point, otherwise it is an abnormal sample point.
The PSO-SVDD algorithm comprises the following steps:
establishing the anomaly detection model from the optimization model and the detection model to detect abnormal behaviors.
The Powerlink industrial control protocol anomaly detection method based on PSO-SVDD comprises the following steps:
a. Vulnerability and attack behavior analysis
1. Vulnerability analysis
Because Powerlink is an industrial control network protocol carried over Ethernet and TCP and IP traffic can also be carried, it is exposed to traditional network attack behaviors such as IP-based attacks and DoS.
Because the Powerlink protocol is simple, its source code is completely open and it is easy to develop, and because of some security holes in Powerlink, the Powerlink industrial network is easily exploited by attackers and exposed to security risks and the threat of being attacked.
Due to the lack of security mechanisms such as authentication, authorization and encryption, the Powerlink protocol is vulnerable to abnormal attack threats:
the lack of authentication is mainly reflected in the simplicity of establishing a Powerlink communication connection: a session can be established as long as the communication cycle matches and a legal node ID number is used;
the lack of authorization is mainly reflected in the Powerlink communication process defining no role-based access mechanism and performing no classified management of users;
the lack of encryption is mainly reflected in Powerlink message addresses and commands being transmitted in plain text, so they are easily captured and read by attackers.
2. Analysis of attack behavior
Network attacks on Powerlink mainly exploit the security vulnerabilities of the system and the Powerlink protocol specification to mount malicious attacks that obstruct the normal network communication process. An attacker steals or modifies the communication data of the master station and slave stations, causing the communication system to deny service, forcing a slave station into listen-only mode, and so on.
Attackers mainly intrude on the availability, integrity and confidentiality of the industrial control network and maliciously attack Powerlink communication behaviors:
availability attacks on Powerlink include interfering with or cutting off the communication network and restarting or stopping it, so that communication cannot proceed normally and industrial production is damaged;
integrity attacks include adding, modifying or destroying key data in the data frames of the Powerlink communication traffic, thereby destroying the authenticity of the information and causing the industrial control system to execute wrong operations;
confidentiality attacks mainly refer to the theft of critical information during the generation, transmission, processing and storage of Powerlink information.
b. Feature extraction and preprocessing
1. Powerlink has 5 data frame types, each with its own frame structure and function, which makes feature vector extraction complex. The AsyncData frame is subdivided into 5 frame types by its ServiceID, and the structures of these frames differ greatly; the SoC frame contains only clock information besides the basic fields. These two frame types are therefore not used for detection. The method mainly extracts the related data features of PReq, PRes and SoA. PReq and PRes can carry application data and are used for data exchange between the master station (MN) and the slave nodes (CN). The Start of Asynchronous message (SoA) is sent to the network by the master station as a broadcast in the asynchronous phase to issue a request, and the slave node responds with an AsyncData message, which realizes the configuration of the node. Therefore, based on the common Powerlink frame format shown in Table 1, the identification fields and the functional behaviors are used to obtain the related data features for constructing the SVDD anomaly detection model.
Table 1
Figure BDA0001729521730000091
Figure BDA0001729521730000101
2. C programs using the Libpcap library functions on a Linux operating system capture Powerlink industrial control network communication traffic packets, and the required Powerlink attribute data values are extracted according to the protocol specification.
Feature extraction based on abnormal behavior mainly consists of analyzing the characteristics of abnormal attack behaviors, extracting data features from the industrial control communication network and establishing an anomaly detection model. The extracted data features mainly include: the source MAC address and destination MAC address can reveal the subject of an abnormal attack, so they are chosen as feature quantities X1 and X2; the Ethernet type can indicate whether an attacker has maliciously changed the protocol, so it is chosen as feature quantity X3; different message types have different frame formats and different contents, so the message type is chosen as feature quantity X4; different NMT states belong to different communication phases, so the NMT state is chosen as feature quantity X5; an attacker who adds to or corrupts the application-layer data message changes the message length and deforms the message, so the message size is chosen as feature quantity X6. Through a full analysis of the communication traffic characteristics and attack modes, 13 feature quantities are selected to construct the intrusion detection model; the selected features are shown in Table 2.
Table 2
Figure BDA0001729521730000102
3. Dividing the data into different short sequences according to attribute, and forming a short sequence set after removing repeated redundant data sequences in each sequence;
arranging the data in each sequence in a set order to construct the SVDD data feature vector;
mapping the data to the [0,1] interval by the min-max normalization method, bringing data of different units and magnitudes into a uniform form:
Figure BDA0001729521730000111
wherein max and min represent the maximum value and the minimum value of data in a sequence respectively; x represents an input vector; y denotes an output vector.
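The feature extraction and preprocessing steps above (features X1 to X6, redundancy removal, min-max normalization), as an added example in Python that is not the patent's code: it works on a few constructed frames rather than a Libpcap capture, and the Ethernet/POWERLINK field offsets, MessageType codes, multicast MAC addresses, node IDs and the NMT state code are assumptions taken from the EPSG DS 301 frame layout as I recall it, not from the page.

```python
import struct

POWERLINK_ETHERTYPE = 0x88AB
# MessageType codes in the first POWERLINK header byte and the multicast MACs
# used for PRes/SoA (assumed from the EPSG DS 301 layout, not from the page).
MSG_TYPES = {0x01: "SoC", 0x03: "PReq", 0x04: "PRes", 0x05: "SoA", 0x06: "ASnd"}
PRES_MCAST = bytes.fromhex("01111E000002")
SOA_MCAST = bytes.fromhex("01111E000003")
DETECTED = ("PReq", "PRes", "SoA")      # SoC and ASnd frames are not detected


def extract_features(frame):
    """Return (X1..X6) = (src MAC, dst MAC, ethertype, message type, NMT state,
    frame size) for one raw Ethernet frame, or None if the frame is not used."""
    if len(frame) < 18:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    msg_type = frame[14] & 0x7F          # assumed: bit 7 of MessageType is reserved
    if etype != POWERLINK_ETHERTYPE or MSG_TYPES.get(msg_type) not in DETECTED:
        return None
    # Assumed layout: NMTStatus is byte 17 of PRes and SoA; PReq carries none.
    nmt_state = frame[17] if MSG_TYPES[msg_type] in ("PRes", "SoA") else 0
    return (int.from_bytes(src, "big"), int.from_bytes(dst, "big"),
            etype, msg_type, nmt_state, len(frame))


def dedupe(rows):
    """Drop repeated identical feature vectors, keeping first-seen order."""
    seen, out = set(), []
    for row in rows:
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


def min_max_normalize(rows):
    """y = (x - min) / (max - min) per feature column; a constant column maps to 0."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(row, lo, hi))
            for row in rows]


def build_frame(dst, src, msg_type, dst_node, src_node, body):
    """Assemble a constructed Ethernet + POWERLINK frame (sample data, not a capture)."""
    eth = struct.pack("!6s6sH", dst, src, POWERLINK_ETHERTYPE)
    return eth + bytes([msg_type, dst_node, src_node]) + body


MN_MAC, CN_MAC = bytes.fromhex("000000000001"), bytes.fromhex("000000000002")
NMT_OPERATIONAL = 0xFD                  # assumed NMT state code; MN node ID 240 assumed
PREQ_BODY = b"\x00\x01\x00\x20\x00" + (4).to_bytes(2, "little") + b"\xde\xad\xbe\xef"
SAMPLE_FRAMES = [
    # PReq MN -> CN 2: reserved, flags, reserved, PDO version, reserved, size, payload
    build_frame(CN_MAC, MN_MAC, 0x03, 2, 240, PREQ_BODY),
    # PRes CN 2 -> multicast: NMTStatus, flags, flags, PDO version, reserved, size, payload
    build_frame(PRES_MCAST, CN_MAC, 0x04, 255, 2,
                bytes([NMT_OPERATIONAL, 0x01, 0x00, 0x20, 0x00])
                + (2).to_bytes(2, "little") + b"\x12\x34"),
    # SoA MN -> multicast: NMTStatus, flags, reserved, service ID, target, EPL version
    build_frame(SOA_MCAST, MN_MAC, 0x05, 255, 240,
                bytes([NMT_OPERATIONAL, 0x00, 0x00, 0x00, 0x00, 0x20])),
    # a second, identical PReq: redundant and removed by dedupe()
    build_frame(CN_MAC, MN_MAC, 0x03, 2, 240, PREQ_BODY),
    # SoC: clock only, skipped by extract_features()
    build_frame(bytes.fromhex("01111E000001"), MN_MAC, 0x01, 255, 240, bytes(10)),
]


def run_pipeline(frames=SAMPLE_FRAMES):
    """Feature extraction -> redundancy removal -> min-max normalization to [0,1]."""
    rows = [f for f in (extract_features(fr) for fr in frames) if f is not None]
    return min_max_normalize(dedupe(rows))
```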
c. PSO optimization
1. Set the maximum number of iterations Kmax, for the case that the termination condition is never met.
2. Initialization. In the D-dimensional search space, randomly set the positions $X = (X_1, X_2, \ldots, X_n)$ and velocities $V = (V_1, V_2, \ldots, V_n)$ of a group of particles, where n is the number of particles. Here $X_i = (X_{ic}, X_{ig})$ and $V_i = (V_{ic}, V_{ig})$ are the penalty factor C component and the Gaussian kernel function g component of the i-th particle's position and velocity respectively. Set the position component limit range $[X_{min}, X_{max}]$ and the velocity limit range $[V_{min}, V_{max}]$.
3. Compute the particle fitness value $F(X_i)$: the accuracy in the SVDD cross-validation sense is selected as the particle fitness value $F(X_i)$.
4. Update the state of the particles. Update the individual extremum and group extremum according to the fitness value: if the fitness value satisfies
Figure BDA0001729521730000112
then
Figure BDA0001729521730000113
otherwise
Figure BDA0001729521730000114
If there exists a j such that
Figure BDA0001729521730000115
then
Figure BDA0001729521730000116
otherwise
Figure BDA0001729521730000117
$P_i^{k+1}$ and $X_i^{k+1}$ denote the updated individual extremum and position; $P_g^{k+1}$ and $X_j^{k+1}$ denote the updated population extremum and location.
5. Judge whether the end condition is met. If the iteration count k ≥ Kmax, or the change rate of the fitness value over 50 consecutive calculations does not reach 0.01%, the iteration terminates and the obtained group extremum is the optimal parameter. $K_{max}$ is the maximum number of iterations.
6. Update the particle velocity, position and inertia weight: after each round of updating, check the range of the position; if $X_{ig} < X_{gmin}$ set $X_{ig} = X_{gmin}$, and if $X_{ig} > X_{gmax}$ set $X_{ig} = X_{gmax}$. $X_{gmin}$ and $X_{gmax}$ are the minimum and maximum of the range of the Gaussian kernel function parameter g component of the particle position. The iterative formulas for particle velocity and position are:
Figure BDA0001729521730000121
Figure BDA0001729521730000122
$V_{id}^{k+1}$ is the updated velocity of the i-th particle in dimension d; $c_1$ and $c_2$ are non-negative constants; $r_1$ and $r_2$ are random numbers distributed in the interval [0,1]; $P_{id}^k$ and $P_{gd}^k$ are the current individual and group extrema, and $X_{id}^k$ is the current position.
The inertia weight adopts a linear decreasing strategy, and the calculation formula is as follows:
Figure BDA0001729521730000123
ω is the inertia weight, k the current iteration number, $V_i$ the velocity of the i-th particle, $w_{start}$ the initial inertia weight, $w_{end}$ the inertia weight when evolution reaches the maximum generation, $t_{max}$ the maximum number of evolution generations and t the current generation.
d. Detection model:
1. Data extraction: acquire the normal traffic data of the Powerlink communication network, and establish the training set and test set of the intrusion detection network.
2. Obtain the optimal parameters: receive the penalty factor C and the optimal value of the Gaussian kernel function g trained in the parameter optimization stage.
3. Construct and solve the dual problem:
Figure BDA0001729521730000124
Figure BDA0001729521730000125
where L denotes the dual objective, $\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_n)$ the Lagrange multipliers and $K(x_i, x_j)$ the Gaussian radial basis kernel function; solving it yields $\alpha^* = (\alpha_1^*, \alpha_2^*, \ldots, \alpha_n^*)$; n denotes the total number of data vectors, $i, j = 1, \ldots, n$; $T = \{x_i \mid i = 1, 2, \ldots, n\}$ is the training sample set.
4. Construct the decision function:
$f(x) = \mathrm{sgn}(R^2 - \|z - a\|^2)$
in the formula:
Figure BDA0001729521730000131
Figure BDA0001729521730000132
wherein sgn () represents a sign function, and if the f (x) output is positive, the test point is a normal sample point, otherwise, it is an abnormal sample point. x is the number ofkThe support vectors located on the boundary, z is the test sample point, and a is the center of the hyper-sphere.
5. And carrying out classified prediction on the test set describing the communication behavior according to the constructed decision function. The test results are divided into normal data and abnormal data. Normal data indicates that the communication network is operating normally and the system is allowed to pass; the abnormal data represents that the communication network is in error transmission or is subjected to malicious attack, and the system generates an alarm response. .
6. And establishing a PSO-SVDD anomaly detection model for anomaly behavior detection according to the optimization model obtained by the PSO and the detection model obtained by the SVDD. If the type of the model output is 1, it is determined to be normal, and if it is 0, it is determined to be abnormal.
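Steps 3 to 5 of the detection model in Python, as an added example that is not the patent's own code: the dual problem is solved for α* by pairwise ascent on the Lagrange multipliers (a solver chosen here; the patent does not name one), R^2 is taken from a boundary support vector, and f(x) = sgn(R^2 - ||z - a||^2) labels a sample 1 (normal) or 0 (abnormal) as in step 6. The training vectors are constructed, already normalized values, not captured Powerlink traffic.

```python
import math

def rbf(x, y, g):
    """Gaussian radial basis kernel K(x, y) = exp(-g * ||x - y||^2)."""
    return math.exp(-g * sum((p - q) ** 2 for p, q in zip(x, y)))

def train_svdd(train, C, g, tol=1e-6, max_iter=5000):
    """Solve the SVDD dual: maximise sum_i a_i K_ii - sum_ij a_i a_j K_ij
    s.t. 0 <= a_i <= C, sum_i a_i = 1 (pairwise ascent, see lead-in)."""
    n = len(train)
    K = [[rbf(train[i], train[j], g) for j in range(n)] for i in range(n)]
    alpha = [1.0 / n] * n
    for _ in range(max_iter):
        grad = [K[i][i] - 2 * sum(alpha[k] * K[i][k] for k in range(n))
                for i in range(n)]
        # most-violating pair: move mass from j (lowest gradient, a_j > 0)
        # to i (highest gradient, a_i < C); sum_i a_i stays equal to 1
        i = max((k for k in range(n) if alpha[k] < C), key=grad.__getitem__)
        j = min((k for k in range(n) if alpha[k] > 0), key=grad.__getitem__)
        curv = 2 * (K[i][i] + K[j][j] - 2 * K[i][j])
        if grad[i] - grad[j] < tol or curv <= 0:  # KKT conditions met
            break
        t = min((grad[i] - grad[j]) / curv, C - alpha[i], alpha[j])  # clip
        alpha[i] += t
        alpha[j] -= t
    sv = [(alpha[i], train[i]) for i in range(n) if alpha[i] > 0]
    model = {"sv": sv, "g": g, "alpha": alpha,
             "aKa": sum(a * b * rbf(x, y, g) for a, x in sv for b, y in sv)}
    # R^2 = ||x_k - a||^2 for a support vector x_k on the boundary (a_k < C)
    boundary = [x for a, x in sv if a < C] or [sv[0][1]]
    model["R2"] = dist2(model, boundary[0])
    return model

def dist2(model, z):
    """||z - a||^2 with a = sum_i a_i phi(x_i), expanded through the kernel."""
    g = model["g"]
    return (rbf(z, z, g) - 2 * sum(a * rbf(z, x, g) for a, x in model["sv"])
            + model["aKa"])

def predict(model, z):
    """f(z) = sgn(R^2 - ||z - a||^2): 1 = normal, 0 = abnormal (alarm)."""
    return 1 if model["R2"] - dist2(model, z) > 0 else 0

# Constructed, already min-max normalised feature vectors of normal Powerlink
# traffic (a 5x5 grid around (0.5, 0.5)); not captured data.
NORMAL = [(0.5 + 0.06 * i, 0.5 + 0.06 * j)
          for i in range(-2, 3) for j in range(-2, 3)]
MODEL = train_svdd(NORMAL, C=0.5, g=4.0)
# predict(MODEL, (0.5, 0.5)) -> 1 ; predict(MODEL, (0.9, 0.1)) -> 0
```

The far-away test point (0.9, 0.1) is a constructed outlier standing in for a frame whose features fall outside the learned normal region.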

Claims (5)

1. A Powerlink industrial control protocol anomaly detection method based on PSO-SVDD, characterized by comprising the following steps:
feature extraction: acquiring Powerlink industrial control network communication traffic packets and extracting the characteristic attributes of the Powerlink industrial control protocol data;
data preprocessing: dividing the data into different sequences according to their attributes, removing redundant data sequences, arranging the data of each sequence into data feature vectors, and performing normalization;
PSO optimization: iterating the initialized particles with the particle swarm algorithm to obtain optimal values of the penalty factor C and the Gaussian kernel function parameter g, and establishing an optimization model;
SVDD: performing classification detection on the initialized feature vector data set with the support vector data description algorithm to obtain a detection model;
PSO-SVDD: establishing an anomaly detection model from the optimization model and the detection model to detect abnormal behaviour;
wherein the support vector data description algorithm comprises the following steps:
data extraction: acquiring the initialized feature vector data set and establishing the training set and test set of the intrusion detection network;
obtaining the optimal parameters: receiving the optimal values of the penalty factor C and the Gaussian kernel function parameter g obtained by PSO optimization training;
constructing and solving the dual problem to obtain the sphere center and radius;
constructing the decision function;
and performing classified prediction on the test set describing the communication behaviour according to the constructed decision function.
2. The PSO-SVDD based Powerlink industrial control protocol anomaly detection method according to claim 1, wherein the feature extraction comprises the following step:
on a Linux operating system, capturing Powerlink industrial control network communication traffic packets through the Libpcap library functions, and extracting the required characteristic attributes of the Powerlink control protocol data according to the protocol.
3. The PSO-SVDD based Powerlink industrial control protocol anomaly detection method according to claim 1, wherein extracting the characteristic attributes of the Powerlink industrial control protocol data specifically comprises:
extracting the node request message PReq, the node response message PRes and the related data characteristics of the asynchronous start message SoA;
and extracting the byte data representing the Powerlink industrial control protocol in PReq, PRes and SoA.
4. The PSO-SVDD based Powerlink industrial control protocol anomaly detection method according to claim 1, wherein the normalization comprises the following step:
mapping the data to the [0,1] interval with min-max normalization, so that data of different units and scales are brought into a uniform form:
Figure FDA0002992336590000021
where max and min are the maximum and minimum values of the data in a sequence; x is the input vector, i.e. the data feature vector; y is the output vector, i.e. the normalized data feature vector.
5. The PSO-SVDD based Powerlink industrial control protocol anomaly detection method according to claim 1, wherein the PSO optimization comprises the following steps:
setting the maximum number of iterations Kmax and the allowed ranges of particle position and velocity;
randomly initializing a group of particles, each particle having a position, a velocity and a fitness value, where the two position components, the penalty factor C and the Gaussian kernel function parameter g, are the values to be optimized;
using each particle's components as the penalty factor C and Gaussian kernel function parameter g for SVDD training, and taking the cross-validation accuracy as the particle's fitness value;
if a fitness value larger than the individual or group extreme value is found, updating that extreme value;
if the number of iterations exceeds the set value Kmax, or the fitness value stays below a given threshold for N consecutive iterations, stopping the iteration; the group extreme value obtained is the optimal parameter;
updating the particle velocity, position and inertial weight: after each round of updates, checking the position range, and if it exceeds the preset range, clamping it to the allowed range.
CN201810767994.8A 2018-07-13 2018-07-13 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD Active CN110719250B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810767994.8A CN110719250B (en) 2018-07-13 2018-07-13 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810767994.8A CN110719250B (en) 2018-07-13 2018-07-13 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD

Publications (2)

Publication Number Publication Date
CN110719250A CN110719250A (en) 2020-01-21
CN110719250B true CN110719250B (en) 2021-07-06

Family

ID=69208436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810767994.8A Active CN110719250B (en) 2018-07-13 2018-07-13 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD

Country Status (1)

Country Link
CN (1) CN110719250B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113884292B (en) * 2021-10-09 2023-07-21 西安西电开关电气有限公司 SVDD-based mechanical fault diagnosis method and system for switchgear
CN114095222B (en) * 2021-11-10 2022-11-11 湖南大学 LDoS attack detection method based on perceptual linear prediction and SVDD
CN113779045B (en) * 2021-11-12 2022-02-22 航天宏康智能科技(北京)有限公司 Training method and training device for industrial control protocol data anomaly detection model
CN115086070B (en) * 2022-07-20 2022-11-15 山东省计算中心(国家超级计算济南中心) Industrial internet intrusion detection method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004006072A2 (en) * 2002-07-02 2004-01-15 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Method and apparatus for analysing arbitrary objects
WO2004050369A9 (en) * 2002-12-02 2005-05-12 Silverbrook Res Pty Ltd Dead nozzle compensation
CN104079444A (en) * 2013-03-27 2014-10-01 西门子公司 Method and device for detecting depth of industrial Ethernet data frame
CN104702460A (en) * 2013-12-10 2015-06-10 中国科学院沈阳自动化研究所 Method for detecting anomaly of Modbus TCP (transmission control protocol) communication on basis of SVM (support vector machine)
CN105703963A (en) * 2014-11-26 2016-06-22 中国科学院沈阳自动化研究所 PSO-OCSVM based industrial control system communication behavior anomaly detection method
CN106209870A (en) * 2016-07-18 2016-12-07 北京科技大学 A kind of Network Intrusion Detection System for distributed industrial control system


Also Published As

Publication number Publication date
CN110719250A (en) 2020-01-21

Similar Documents

Publication Publication Date Title
CN110719250B (en) Powerlink industrial control protocol anomaly detection method based on PSO-SVDD
Yu et al. An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks
Gao et al. Omni SCADA intrusion detection using deep learning algorithms
Ponomarev et al. Industrial control system network intrusion detection by telemetry analysis
CN107040517B (en) Cognitive intrusion detection method oriented to cloud computing environment
US10261502B2 (en) Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model
Olufowobi et al. Anomaly detection approach using adaptive cumulative sum algorithm for controller area network
CN105703963B (en) Industrial control system communication behavior method for detecting abnormality based on PSO OCSVM
Sedjelmaci et al. Cyber security game for intelligent transportation systems
Caselli et al. Modeling message sequences for intrusion detection in industrial control systems
CN112671701A (en) Vehicle-mounted terminal intrusion detection method based on vehicle-mounted network abnormal behavior feature driving
CN108712369B (en) Multi-attribute constraint access control decision system and method for industrial control network
Mudassir et al. Detection of botnet attacks against industrial IoT systems by multilayer deep learning approaches
Obeidat et al. Smart approach for botnet detection based on Network Traffic analysis
Wei et al. IoVShield: an efficient vehicular intrusion detection system for self-driving (short paper)
Al Baalbaki et al. Autonomic critical infrastructure protection (acip) system
Potteti et al. Intrusion detection system using hybrid Fuzzy Genetic algorithm
CN113965393B (en) Botnet detection method based on complex network and graph neural network
Olakanmi et al. Throttle: An efficient approach to mitigate distributed denial of service attacks on software‐defined networks
Atkison et al. Feature Extraction Optimization for Network Intrusion Detection in Control System Networks.
Li et al. Optimization and implementation of industrial control system network intrusion detection by telemetry analysis
Basan et al. Protection system for a group of robots based on the detection of anomalous behavior
Wang et al. Intrusion detection model of SCADA using graphical features
Lysenko et al. Distributed Discrete Malware Detection Systems Based on Partial Centralization and Self-Organization
You Construction of Early Warning Mechanism of University Education Network Based on the Markov Model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant