CN110912867B - Intrusion detection method, device, equipment and storage medium for industrial control system - Google Patents

Intrusion detection method, device, equipment and storage medium for industrial control system

Info

Publication number
CN110912867B
Authority
CN
China
Prior art keywords
data set
data
control system
industrial control
training
Prior art date
Legal status
Active
Application number
CN201910933031.5A
Other languages
Chinese (zh)
Other versions
CN110912867A (en)
Inventor
林晔篁
彭纬伟
刘蕾蕾
王雷
杜伟
陈旭腾
崔钰
陈云云
陈晓锋
王思杰
Current Assignee
Huizhou Energy Storage Power Generating Co ltd
Original Assignee
Huizhou Energy Storage Power Generating Co ltd
Priority date
Filing date
Publication date
Application filed by Huizhou Energy Storage Power Generating Co ltd
Priority to CN201910933031.5A
Publication of CN110912867A
Application granted
Publication of CN110912867B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to an industrial control system intrusion detection method based on a convolutional neural network, together with a corresponding intrusion detection device, computer device and computer-readable storage medium. The method comprises the following steps: extracting an original data set of the industrial control system from a network data set of the industrial control system's communication protocol; dividing the original data set into a training data set and a test data set according to a preset proportion; training on the training data set with a convolutional neural network classification model to obtain an optimal classification model; and inputting the test data set into the optimal classification model for classification to obtain the intrusion detection result of the industrial control system. A classification model with good performance is designed around the convolutional neural network: it can process large volumes of data quickly, perform multi-class classification and classify more accurately, which addresses the poor classification accuracy of conventional industrial control system intrusion detection methods.

Description

Intrusion detection method, device, equipment and storage medium for industrial control system
Technical Field
The present application relates to the field of industrial control technologies, and in particular, to an industrial control system intrusion detection method based on a convolutional neural network, an industrial control system intrusion detection apparatus based on a convolutional neural network, a computer device, and a computer-readable storage medium.
Background
Industrial control systems are widely deployed in industries such as electric power, chemicals and petroleum. With the integration of informatization and industrialization, the communication network inside an industrial control system is increasingly interconnected with the Internet. The original isolation of the industrial control system is thereby broken, and the system becomes easy to attack. An intrusion detection system can detect an external attack and raise an alarm before the attack harms the system. Intrusion detection technology for conventional IT networks is mature, but the security requirements of an industrial control system differ from those of a conventional IT system.
The current method for intrusion detection in industrial control systems collects Modbus TCP data in real time as feature vectors, obtains a detection result from a binary support vector machine classification model, and raises an alarm when abnormal traffic is found; its advantage is that it can detect abnormal traffic that some firewalls cannot identify.
However, this conventional intrusion detection method for industrial control systems suffers from poor classification accuracy.
Disclosure of Invention
Therefore, it is necessary to provide an industrial control system intrusion detection method based on a convolutional neural network, an industrial control system intrusion detection device based on a convolutional neural network, a computer device and a computer readable storage medium, aiming at the technical problem that the classification accuracy is poor in the conventional industrial control system intrusion detection method.
An industrial control system intrusion detection method based on a convolutional neural network comprises the following steps:
extracting an original data set of an industrial control system from a network data set of a communication protocol of the industrial control system;
dividing the original data set into a training data set and a testing data set according to a preset proportion;
training the training data set through a convolutional neural network classification model to obtain an optimal classification model;
and inputting the test data set into the optimal classification model for classification processing, and obtaining an intrusion detection result of the industrial control system.
An industrial control system intrusion detection device based on a convolutional neural network, comprising:
an original data set extraction module, used for extracting an original data set of an industrial control system from a network data set of a communication protocol of the industrial control system;
an original data set division module, used for dividing the original data set into a training data set and a testing data set according to a preset proportion;
the convolutional neural network training module is used for training the training data set through a convolutional neural network classification model to obtain an optimal classification model;
and the data classification module is used for inputting the test data set into the optimal classification model for classification processing to obtain an intrusion detection result of the industrial control system.
A computer device comprising a processor and a memory, the memory storing a computer program that when executed by the processor performs the steps of: extracting an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system; dividing an original data set into a training data set and a testing data set according to a preset proportion; training the training data set through a convolutional neural network classification model to obtain an optimal classification model; and inputting the test data set into the optimal classification model for classification processing to obtain an intrusion detection result of the industrial control system.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of: extracting an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system; dividing an original data set into a training data set and a testing data set according to a preset proportion; training the training data set through a convolutional neural network classification model to obtain an optimal classification model; and inputting the test data set into the optimal classification model for classification processing to obtain an intrusion detection result of the industrial control system.
The method, the device, the computer equipment and the storage medium for detecting intrusion of an industrial control system based on a convolutional neural network extract an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system; divide the original data set into a training data set and a testing data set according to a preset proportion; train on the training data set with a convolutional neural network classification model to obtain an optimal classification model; and input the test data set into the optimal classification model for classification to obtain the intrusion detection result of the industrial control system. A classification model with good performance is designed around the convolutional neural network: it can process large volumes of data quickly, perform multi-class classification and classify more accurately, which addresses the poor classification accuracy of conventional industrial control system intrusion detection methods.
Drawings
FIG. 1 is a schematic flow chart of an embodiment of an intrusion detection method for an industrial control system based on a convolutional neural network;
FIG. 2 is a flow diagram illustrating a method for extracting a raw data set of an industrial control system from a network data set of a communication protocol of the industrial control system in one embodiment;
FIG. 3 is a schematic flow chart diagram illustrating a method for training a training data set to obtain an optimal classification model using a convolutional neural network classification model in one embodiment;
FIG. 4 is a diagram of a convolutional neural network architecture in one embodiment;
FIG. 5 is a flow diagram illustrating an intrusion detection method for an industrial control system according to one embodiment;
FIG. 6 is a block diagram of an embodiment of an intrusion detection device for an industrial control system based on a convolutional neural network;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In an embodiment, an industrial control system intrusion detection method based on a convolutional neural network is provided, referring to fig. 1, fig. 1 is a schematic flowchart of the industrial control system intrusion detection method based on the convolutional neural network in an embodiment, and the industrial control system intrusion detection method based on the convolutional neural network may include the following steps:
step S101, an original data set of the industrial control system is extracted from a network data set of a communication protocol of the industrial control system.
The communication protocol of an industrial control system is generally the Modbus protocol. Specifically, a network data set of the Modbus-based industrial system is collected, and the variables likely to be affected when the industrial control system is intruded are extracted from the network data set as the selected features, forming the original data set.
And S102, dividing the original data set into a training data set and a testing data set according to a preset proportion.
The training data set is fed into the intrusion detection model to obtain a classification model, and the test data set is fed into that classification model to obtain a classification result. Specifically, after the raw data set is obtained, it may be divided into a training data set and a test data set in a given proportion; for example, the raw data set may be split 4:1 as required.
After the original data set is divided into a training data set and a testing data set, the training data set and the testing data set can be normalized to ensure that all values in the feature vector are in the same order of magnitude.
And S103, training the training data set through the convolutional neural network classification model to obtain an optimal classification model.
The convolutional neural network is a feedforward neural network containing convolutional calculation and having a deep structure, and is one of the representative algorithms of deep learning. Specifically, the training data set may be trained by a convolutional neural network, and one of the trained models is selected as an optimal classification model for performing a classification process on the test data set.
And step S104, inputting the test data set into the optimal classification model for classification processing, and obtaining an intrusion detection result of the industrial control system.
Specifically, after the optimal classification model has been obtained in step S103, the test data set (with its feature dimension reduced) is input into that convolutional neural network classification model and classified; from the classification result it can be determined whether the industrial control system has been intruded, and even the type of intrusion.
The industrial control system intrusion detection method based on a convolutional neural network extracts an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system; divides the original data set into a training data set and a testing data set according to a preset proportion; trains on the training data set with a convolutional neural network classification model to obtain an optimal classification model; and inputs the test data set into the optimal classification model for classification to obtain the intrusion detection result of the industrial control system. A classification model with good performance is designed around the convolutional neural network: it can process large volumes of data quickly, perform multi-class classification and classify more accurately, which addresses the poor classification accuracy of conventional industrial control system intrusion detection methods.
In an embodiment, referring to fig. 2, fig. 2 is a flowchart illustrating a method for extracting a raw data set of an industrial control system from a network data set of a communication protocol of the industrial control system in an embodiment, and step S101 may include the following steps:
step S201, classifying the data to be processed according to the communication flow of the industrial control system, and acquiring the intrusion type of the data to be processed.
The data to be processed is the data in the network data set, and the communication traffic of the industrial control system may comprise the traffic between a Modbus client and a Modbus server. For intrusion detection in an industrial control system, a state model of the system's normal traffic can be established and unknown traffic compared against it; traffic that deviates from the established normal model is regarded as abnormal and an alarm is raised. Specifically, the intrusion category of each record in the Modbus network data set can be assigned according to the communication traffic between the Modbus client and the Modbus server. The intrusion categories may include one or more of: normal, reconnaissance attack, response injection attack, command injection attack and denial-of-service attack.
Step S202, obtaining a command data packet and a response data packet in a network data set;
step S203, the data characteristics of the data to be processed are obtained according to the command data packet and the response data packet.
The command packets and response packets are stored in the Modbus network data set, and data features related to the characteristics of the industrial control system can be extracted from it. For example, the data features may include: the device address, the starting memory address, the read/write command and the number of bytes of memory returned in the response, the read and write function codes of the command packet and the response packet, the lengths of the command packet and the response packet, the time interval between the command packet and the response packet, the error rate of the cyclic redundancy check, and characteristic or state values of the specific industrial control system carried in the command and response packets. For example, PID parameter values and state values specific to the industrial control system, such as pipeline pressure, solenoid valve state and pump state, may be extracted according to the characteristics of the particular industrial control system.
Step S204, the data characteristics and the intrusion types are set as an original data set.
In this step, the data characteristics obtained in step S203 and the intrusion type of the data obtained in step S201 may be used to form an original data set for intrusion detection.
Further, after the intrusion category of the data to be processed has been obtained in step S201, a numeric value may be assigned to it. For example: the intrusion category of a feature vector in the normal state may be labeled 0, a reconnaissance attack 1, a response injection attack 2, a command injection attack 3 and a denial-of-service attack 4. These assigned values are used to judge the accuracy of intrusion detection and thus to verify the reliability of the industrial control system intrusion detection method.
In an embodiment, referring to fig. 3, fig. 3 is a flowchart illustrating a method for training a training data set by using a convolutional neural network classification model to obtain an optimal classification model in an embodiment, where step S103 includes the following steps:
step S301 extracts data features from the training data set as an input data set.
The architecture of the convolutional neural network used is shown in fig. 4, which is an architecture diagram of the convolutional neural network in one embodiment. As shown in fig. 4, the convolutional neural network model is designed with 3 convolutional layers, 2 fully connected layers and 1 transition (Flatten) layer; the numbers of convolution kernels are 8, 16 and 32, increasing layer by layer to strengthen feature learning; and a Dropout layer follows each convolutional layer and fully connected layer, randomly dropping neural network units with probability 30% to prevent overfitting. The convolutional neural network model is built on the Keras deep learning framework with the TensorFlow backend, written in Python, and accelerated with a GPU.
Specifically, the data in the training data set is subjected to convolution operation through three convolutional layers and features are extracted to serve as an input data set, and the data in the input data set serves as input quantity of a classification model.
Step S302, training the input data set through a convolutional neural network classification model to obtain a predicted value.
Specifically, the prediction result of the current classification can be obtained by entering a softmax classifier after the full connection layer, and is recorded as the prediction value.
Step S303, inputting the predicted value and the actual value into a categorical cross-entropy loss function and obtaining the loss function value it outputs; the actual value is the value assigned to the intrusion category of the data.
Specifically, a categorical cross-entropy loss function may be applied to the predicted value obtained in step S302 and the actual value, where the actual value is the assigned intrusion category of the data; the predicted value and the actual value are the inputs, and the loss function value output by the categorical cross-entropy loss function is obtained.
Further, the categorical cross-entropy loss function may take the following form:
(equation image not reproduced on this page)
where L_i is the loss function value, t_{i,j} is the actual value and p_{i,j} is the predicted value.
Step S304, when the number of training iterations has been reached and the change in the loss function value is smaller than a set threshold, selecting the trained convolutional neural network classification model corresponding to the minimum loss function value as the optimal classification model.
Specifically, during training the loss function value is back-propagated with the Adam stochastic gradient descent algorithm, the weight and bias parameters of each layer of the network are updated, and the training process is repeated until the change in the loss function value (the loss value) falls below the set threshold; the optimal model with the lowest loss value is saved with the ModelCheckpoint callback in Keras.
A classification model with good performance is designed around the convolutional neural network; it can process large volumes of data quickly, perform multi-class classification and classify more accurately, which addresses the poor classification accuracy of conventional industrial control system intrusion detection methods.
In one embodiment, after step S102, the method further includes: and performing feature dimensionality reduction on the training data set and the test data set by using a principal component analysis method to obtain the training data set after feature dimensionality reduction and the test data set after feature dimensionality reduction.
Specifically, performing feature dimensionality reduction on the training data set and the test data set with principal component analysis to obtain the reduced training data set and the reduced test data set may include the following steps: standardizing the elements of the training data set to form a standardized matrix; computing the covariance matrix from the standardized matrix; computing the eigenvalues, eigenvectors and contribution rates of the covariance matrix; extracting the largest eigenvalues and their corresponding eigenvectors according to the required cumulative contribution rate to form a transformation matrix; and performing feature dimensionality reduction on the training data set and the test data set through that transformation matrix.
Further, after the classification model has been obtained, the test data set can be input into it and classified. The classification result can be summarized as a 5 × 5 confusion matrix (one row and one column per class), which can then be evaluated to judge whether the industrial control system network intrusion detection method meets the detection requirements and compared with conventional intrusion detection methods. Comparative experiments gave the following results: the intrusion detection method of the industrial control system not only reduces the feature dimension by 40% but also markedly improves the accuracy, the detection rate and the false-alarm rate.
Next, an intrusion detection method of an industrial control system provided in an embodiment of the present application is shown by an application example, as shown in fig. 5, fig. 5 is a schematic flow diagram of an intrusion detection method of an industrial control system in an embodiment, and specifically includes the following steps:
s1: the method comprises the steps that a network data set of an industrial control system based on a Modbus protocol is collected, communication flow of a Modbus client and communication flow of a Modbus server are extracted, the type of each piece of data in the data set is divided into normal, investigation attack, response injection attack, command injection attack and denial of service attack, and specific features in each command data packet and a corresponding response data packet are combined to serve as one of the data set;
s2: aiming at the characteristics of an industrial control system, a command in the Modbus data set, a device address in a response data packet and a memory initial position can be extracted; reading and writing the command and the number of bytes of the responded memory; the read and write function codes of the command packet and the response packet; the length of the command packet and the response packet; the time interval between two packets; error rate of cyclic redundancy check. In addition, the PID parameter values and also state values specific to the industrial control system, such as the pipe pressure, the solenoid valve state, the pump state, etc., are extracted according to the characteristics of different industrial control systems. The above total N characteristics, the last dimension is labeled with the category, that is, each characteristic vector has N +1 values in total;
dividing the original data set into a training set and a testing set according to the proportion of 4:1, and then carrying out normalization processing to enable all values in the characteristic vector to belong to the same order of magnitude;
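As an added example (not code from the patent), the following Python parses Modbus/TCP command and response frames and builds the N + 1-value rows described in steps s1 and s2 (and in steps S202 to S204 above), then applies the min-max normalization of this step. The frames, timestamps and feature list are constructed for illustration. One practical caveat the page does not mention: Modbus/TCP carries no CRC (only the serial Modbus RTU variant does), so on a TCP capture the cyclic-redundancy-check error rate is not available; the example counts malformed MBAP headers instead.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MBAP header of a Modbus/TCP ADU: transaction id, protocol id (0), length, unit id
MBAP = struct.Struct(">HHHB")

# Class labels as assigned on the page: 0 normal, 1 reconnaissance,
# 2 response injection, 3 command injection, 4 denial of service
LABELS = {"normal": 0, "reconnaissance": 1, "response_injection": 2,
          "command_injection": 3, "denial_of_service": 4}

READ_FCS = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}       # write single/multiple coils and registers

FEATURE_NAMES = ["unit_id", "start_addr", "is_write", "resp_byte_count",
                 "cmd_fc", "rsp_fc", "cmd_len", "rsp_len", "interval_ms"]


@dataclass
class Frame:
    ts: float      # capture timestamp in seconds
    tid: int       # MBAP transaction id, used to pair command and response
    unit: int      # device (unit) address
    fc: int        # function code; bit 7 set marks an exception response
    data: bytes    # PDU payload after the function code
    length: int    # length of the whole ADU in bytes


def parse_frame(ts: float, raw: bytes) -> Frame:
    """Parse one Modbus/TCP ADU; malformed frames raise ValueError."""
    if len(raw) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(raw, 0)
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # MBAP length counts the unit id and the PDU, i.e. everything after byte 6
    if length != len(raw) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return Frame(ts, tid, unit, raw[MBAP.size], raw[MBAP.size + 1:], len(raw))


def pair_features(cmd: Frame, rsp: Frame) -> List[float]:
    """Feature vector (without label) for one command/response pair."""
    base_fc = cmd.fc & 0x7F
    start = struct.unpack(">H", cmd.data[:2])[0] if len(cmd.data) >= 2 else -1
    if rsp.fc & 0x80 or base_fc not in READ_FCS:
        byte_count = 0      # exception reply or write echo: no data block
    else:
        byte_count = rsp.data[0]
    # Modbus/TCP has no CRC (serial Modbus RTU does), so the page's CRC
    # error-rate feature cannot be computed here; build_rows counts
    # malformed frames instead.
    return [cmd.unit, start, int(base_fc in WRITE_FCS), byte_count,
            cmd.fc, rsp.fc, cmd.length, rsp.length,
            round((rsp.ts - cmd.ts) * 1000.0, 3)]


def build_rows(stream: List[Tuple[float, str, bytes]], label: int):
    """Pair commands with responses by transaction id; return (rows, n_malformed).

    Each row holds the N feature values followed by the class label (N + 1 values).
    """
    pending: Dict[int, Frame] = {}
    rows, malformed = [], 0
    for ts, direction, raw in stream:
        try:
            f = parse_frame(ts, raw)
        except ValueError:
            malformed += 1
            continue
        if direction == "cmd":
            pending[f.tid] = f
        elif f.tid in pending:
            rows.append(pair_features(pending.pop(f.tid), f) + [label])
    return rows, malformed


def minmax_normalize(rows: List[List[float]]) -> List[List[float]]:
    """Scale every feature column to [0, 1]; the label column is left as is."""
    n = len(rows[0]) - 1
    lo = [min(r[j] for r in rows) for j in range(n)]
    hi = [max(r[j] for r in rows) for j in range(n)]
    return [[(r[j] - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
             for j in range(n)] + [r[n]] for r in rows]


# Constructed sample capture (not from the patent): read 2 holding registers,
# write a single register, and a read that is rejected with exception code 0x02.
SAMPLE = [
    (0.000, "cmd", bytes.fromhex("000100000006010300000002")),
    (0.004, "rsp", bytes.fromhex("000100000007010304000a000b")),
    (1.000, "cmd", bytes.fromhex("0002000000060106001000ff")),
    (1.003, "rsp", bytes.fromhex("0002000000060106001000ff")),
    (2.000, "cmd", bytes.fromhex("0003000000060103ff000001")),
    (2.002, "rsp", bytes.fromhex("000300000003018302")),
]

if __name__ == "__main__":
    rows, bad = build_rows(SAMPLE, LABELS["normal"])
    for name, value in zip(FEATURE_NAMES + ["label"], rows[2]):
        print("%-16s %s" % (name, value))
    print("malformed frames:", bad)
```

The third pair in the sample is a request for an out-of-range address answered with an exception (function code 0x83): its response length, function code and zero byte count differ from a normal read, which is the kind of signal a reconnaissance scan of the register map leaves in these features.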
s3: aiming at the problems of large quantity of characteristics and possible existence of correlation and redundancy in a data set, PCA is used to enable a few new characteristics to replace original characteristics, the correlation of a plurality of variables with correlation existing in original data is eliminated, and a group of variables with small quantity and mutual independence are recombined, wherein the specific method comprises the following steps: firstly, an input data set is regarded as a matrix form of M multiplied by N +1, and data of ith row and j column in the matrix are xijThe mean and standard deviation of the j-th dimension data are respectively mujAnd σj(ii) a Obtain a normalized matrix yijThe matrix Y of the composition is formed,
Figure BDA0002220773030000101
computing a covariance matrix
Figure BDA0002220773030000102
Then, the characteristic value (lambda) of S is calculated12,...,λp) And a feature vector ai=(ai1,ai2,...,aip) Wherein i 1, 2.. said, p;
Figure BDA0002220773030000103
wherein the contribution rate eta is calculated by the characteristic value of each principal component; the larger the contribution rate corresponding to the principal component is, the more information proving that the principal component contains the original variableAt this time, the first k maximum eigenvalues are taken out according to the accumulated contribution rate of the demand, and the eigenvector (a) is taken out1,a2,...,ak) Forming a transformation matrix Q with p rows and k columns; finally, obtaining a k-dimension data matrix T after dimension reduction through T ═ YQ, wherein k is less than N +1, and the dimension reduction is carried out on the original test data set by using a transformation matrix Q, so that the training set and the test set keep the same characteristic dimension;
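The following Python carries the PCA steps of s3 (and of the embodiment described after step S102) through with the page's symbols: x_ij, μ_j, σ_j, y_ij, the covariance matrix S, its eigenvalues λ and eigenvectors a_i, the contribution rate η, the p × k transformation matrix Q and T = YQ. It is an added example, not the patent's code; the (M − 1) divisor, the Jacobi eigen-solver and the sample rows are assumptions made here. Two points a practitioner would check: the label column is kept out of X (standardizing and projecting the class label together with the features would leak it into the inputs), and μ_j, σ_j and Q are fitted on the training set only and then reused for the test set, as the page requires.

```python
import math
from typing import List

Matrix = List[List[float]]


def jacobi_eigen(S: Matrix, tol: float = 1e-12, max_sweeps: int = 100):
    """Eigen-decompose a symmetric matrix by cyclic Jacobi rotations.

    Returns (eigenvalue, eigenvector) pairs sorted by decreasing eigenvalue.
    """
    p = len(S)
    A = [row[:] for row in S]
    V = [[1.0 if r == c else 0.0 for c in range(p)] for r in range(p)]
    for _ in range(max_sweeps):
        off = sum(A[r][c] ** 2 for r in range(p) for c in range(p) if r != c)
        if off < tol:
            break
        for i in range(p - 1):
            for j in range(i + 1, p):
                if abs(A[i][j]) < 1e-300:
                    continue
                theta = (A[j][j] - A[i][i]) / (2.0 * A[i][j])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(p):          # A <- A J   (rotate columns i, j)
                    aki, akj = A[k][i], A[k][j]
                    A[k][i], A[k][j] = c * aki - s * akj, s * aki + c * akj
                for k in range(p):          # A <- J^T A (rotate rows i, j)
                    aik, ajk = A[i][k], A[j][k]
                    A[i][k], A[j][k] = c * aik - s * ajk, s * aik + c * ajk
                for k in range(p):          # V <- V J accumulates the eigenvectors
                    vki, vkj = V[k][i], V[k][j]
                    V[k][i], V[k][j] = c * vki - s * vkj, s * vki + c * vkj
    pairs = [(A[i][i], [V[k][i] for k in range(p)]) for i in range(p)]
    pairs.sort(key=lambda e: -e[0])
    return pairs


def standardize(X: Matrix, mu, sigma) -> Matrix:
    """y_ij = (x_ij - mu_j) / sigma_j, column by column."""
    return [[(x - m) / s for x, m, s in zip(row, mu, sigma)] for row in X]


def fit_pca(X: Matrix, cum_threshold: float = 0.95):
    """Fit mu_j, sigma_j and the p x k transformation matrix Q on training rows.

    Uses the unbiased (M - 1) divisor for sigma_j and for S = Y^T Y / (M - 1);
    the page does not state the divisor, so this is an assumption.
    """
    M, p = len(X), len(X[0])
    mu = [sum(r[j] for r in X) / M for j in range(p)]
    sigma = [math.sqrt(sum((r[j] - mu[j]) ** 2 for r in X) / (M - 1)) for j in range(p)]
    sigma = [s if s > 0.0 else 1.0 for s in sigma]        # constant column stays at 0
    Y = standardize(X, mu, sigma)
    S = [[sum(Y[i][a] * Y[i][b] for i in range(M)) / (M - 1) for b in range(p)]
         for a in range(p)]
    pairs = jacobi_eigen(S)
    total = sum(max(lam, 0.0) for lam, _ in pairs)
    contrib = [max(lam, 0.0) / total for lam, _ in pairs]  # contribution rate eta_i
    k, cum = 0, 0.0
    while cum < cum_threshold and k < p:                    # first k by cumulative eta
        cum += contrib[k]
        k += 1
    Q = [[pairs[col][1][row] for col in range(k)] for row in range(p)]   # p x k
    return mu, sigma, Q, contrib


def transform(X: Matrix, mu, sigma, Q: Matrix) -> Matrix:
    """T = Y Q, applied with the parameters fitted on the training set."""
    k = len(Q[0])
    return [[sum(y * Q[j][c] for j, y in enumerate(row)) for c in range(k)]
            for row in standardize(X, mu, sigma)]


# Constructed training rows (not from the patent): three features where the
# second is exactly twice the first and the third is uncorrelated with both.
# The class label is deliberately NOT a column of X.
TRAIN = [[1.0, 2.0, 1.0], [2.0, 4.0, -1.0], [3.0, 6.0, -1.0], [4.0, 8.0, 1.0]]

if __name__ == "__main__":
    mu, sigma, Q, contrib = fit_pca(TRAIN, cum_threshold=0.9)
    print("contribution rates:", [round(c, 4) for c in contrib])
    print("kept components k =", len(Q[0]))
    print("projected training set:", transform(TRAIN, mu, sigma, Q))
```

On the constructed rows the two perfectly correlated features collapse into one component carrying two thirds of the variance, the independent feature keeps one third, and the third eigenvalue is zero, so a 90% cumulative-contribution threshold keeps k = 2 of the 3 dimensions.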
s4: marking the category of the characteristic vector in a normal state as 0, marking the attack type as 1 in detection, marking the attack type as 2 in response to injection attack, marking the attack type as 3 in command injection attack, and marking the attack type as 4 in denial of service attack;
s5: inputting the processed feature vectors into a convolutional neural network classification model, wherein the convolutional neural network model is based on a TensorFlow deep learning framework keras and written by using a Python language, and the configuration is accelerated by using a GPU;
the CNN model is designed into 3 convolution layers, 2 full-connection layers and 1 transition layer Flatten layer; the number of convolution kernels is designed to be 8-16-32 and gradually increased, and the capability of feature learning is enhanced; and a Dropout layer is added behind each convolution layer and the full connection layer, and the neural network units are discarded randomly according to the probability of 30% to prevent overfitting;
The preprocessed data pass through the three convolution layers, which extract features, and then through the fully connected layers into a softmax classifier, which produces the class prediction; the difference between the predicted value and the true value is measured by a loss, and the network weights in the convolutional neural network are adjusted so as to minimise it. The higher the output of the loss function, the greater the difference, so training aims to reduce the loss value as far as possible. The categorical cross-entropy loss function is adopted (the built-in categorical_crossentropy in Keras):
Figure BDA0002220773030000111
It is commonly used for multi-class problems. An L2 norm term on the weights is added to control overfitting, with the parameter λ controlling the regularisation strength; the overall loss function is as follows:
Figure BDA0002220773030000112
During training, the loss value is back-propagated using the Adam stochastic gradient descent algorithm, and the weight parameter W and bias parameter b of each layer in the network are updated, where η is the learning rate:
Figure BDA0002220773030000113
Figure BDA0002220773030000114
The training process is then repeated until the loss function value falls to a small value, and the optimal model with the lowest loss value is saved through the ModelCheckpoint callback in Keras;
S6: the test data set with its five class labels is input into the optimal model for classification, giving a classification result in the form of a five-class (5×5) confusion matrix;
S7: the confusion matrix is evaluated using accuracy, detection rate and false alarm rate as evaluation indices, to judge whether the PCA-and-CNN-based industrial control system network intrusion detection method meets the detection requirement; the method can also be compared with conventional intrusion detection methods in terms of complexity, time consumption, computational load and so on.
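Steps S4 to S7 as an added example (not the patent's or Keras' code): the label map, the categorical cross-entropy with an L2 weight penalty in plain Python, the confusion-matrix scoring, and a build_cnn() that mirrors the S5 layer layout in Keras. The hidden Dense width of 64, kernel size 3 with same padding, the checkpoint path and the exact definitions of detection rate and false alarm rate are assumptions, since the patent names these quantities without defining them.

```python
"""Training objective and evaluation for S4-S7 (added example, not the
patent's code). Pure Python: one-hot labels, categorical cross-entropy
L_i = -sum_j t_ij log p_ij averaged over the batch plus lambda * sum(W^2)
(the form Keras' categorical_crossentropy + l2 regulariser produce), and a
5-class confusion matrix scored by accuracy, detection rate and false-alarm
rate. build_cnn() mirrors the S5 layout and needs TensorFlow; nothing else
here does."""
import math

# S4 label assignment: 0 = normal, 1..4 = attack families
LABELS = {"normal": 0, "probe": 1, "response_injection": 2,
          "command_injection": 3, "denial_of_service": 4}
NUM_CLASSES = len(LABELS)
EPSILON = 1e-7  # Keras clips probabilities to [eps, 1 - eps] before the log

def one_hot(label):
    t = [0.0] * NUM_CLASSES
    t[label] = 1.0
    return t

def categorical_crossentropy_l2(T, P, W, lam):
    """T: one-hot actual values t_ij, P: softmax outputs p_ij, W: flat list
    of network weights, lam: L2 strength. Returns the overall loss."""
    losses = []
    for t, p in zip(T, P):
        losses.append(-sum(tj * math.log(min(max(pj, EPSILON), 1 - EPSILON))
                           for tj, pj in zip(t, p)))
    return sum(losses) / len(losses) + lam * sum(w * w for w in W)

def confusion_matrix(y_true, y_pred, n=NUM_CLASSES):
    """Rows = actual class, columns = predicted class."""
    cm = [[0] * n for _ in range(n)]
    for a, b in zip(y_true, y_pred):
        cm[a][b] += 1
    return cm

def _ratio(num, den):
    return num / den if den else 0.0  # avoid dividing by an empty class

def evaluate(cm):
    """Assumed definitions: accuracy = correct / all samples; detection rate
    = attack samples predicted as ANY attack class / all attack samples
    (an attack confused with another attack is still detected); false-alarm
    rate = normal samples predicted as an attack / all normal samples."""
    n = len(cm)
    total = sum(sum(row) for row in cm)
    correct = sum(cm[i][i] for i in range(n))
    normal_total = sum(cm[0])
    attack_total = total - normal_total
    attacks_flagged = sum(cm[i][j] for i in range(1, n) for j in range(1, n))
    false_alarms = normal_total - cm[0][0]
    return {"accuracy": _ratio(correct, total),
            "detection_rate": _ratio(attacks_flagged, attack_total),
            "false_alarm_rate": _ratio(false_alarms, normal_total)}

def build_cnn(k, lam=1e-4, eta=1e-3, checkpoint_path="best_model.keras"):
    """S5 layout: Conv1D 8-16-32 with Dropout 0.3 after each, Flatten, two
    Dense layers (Dropout after the hidden one), softmax over 5 classes,
    categorical_crossentropy + L2 penalty lam, Adam with learning rate eta,
    and a ModelCheckpoint keeping the lowest validation loss. k is the PCA
    feature count; checkpoint_path is a placeholder. TensorFlow is imported
    here so the pure-Python functions above run without it."""
    import tensorflow as tf
    L = tf.keras.layers
    reg = tf.keras.regularizers.l2(lam)
    model = tf.keras.Sequential([tf.keras.Input(shape=(k, 1))])
    for filters in (8, 16, 32):
        model.add(L.Conv1D(filters, 3, padding="same", activation="relu",
                           kernel_regularizer=reg))
        model.add(L.Dropout(0.3))
    model.add(L.Flatten())
    model.add(L.Dense(64, activation="relu", kernel_regularizer=reg))
    model.add(L.Dropout(0.3))
    model.add(L.Dense(NUM_CLASSES, activation="softmax"))
    model.compile(optimizer=tf.keras.optimizers.Adam(learning_rate=eta),
                  loss="categorical_crossentropy", metrics=["accuracy"])
    checkpoint = tf.keras.callbacks.ModelCheckpoint(
        checkpoint_path, monitor="val_loss", save_best_only=True)
    return model, checkpoint

if __name__ == "__main__":
    # Constructed predictions for 12 test samples (not real results).
    y_true = [0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4]
    y_pred = [0, 0, 0, 2, 1, 1, 2, 3, 3, 3, 4, 0]
    cm = confusion_matrix(y_true, y_pred)
    for row in cm:
        print(row)
    print(evaluate(cm))
```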
In an embodiment, an industrial control system intrusion detection apparatus based on a convolutional neural network is provided. Referring to fig. 6, which is a block diagram of the structure of the industrial control system intrusion detection apparatus based on a convolutional neural network according to an embodiment, the apparatus may include:
an original data set extraction module 601, configured to extract an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system;
an original data set classification module 602, configured to classify an original data set into a training data set and a test data set according to a preset ratio;
a convolutional neural network training module 603, configured to train a training data set through a convolutional neural network classification model to obtain an optimal classification model;
and the data classification module 604 is configured to input the test data set into the optimal classification model for classification processing, so as to obtain an intrusion detection result of the industrial control system.
In an embodiment, the original data set extracting module 601 is further configured to classify the data to be processed according to the communication traffic of the industrial control system, and obtain an intrusion category of the data to be processed; the data to be processed is data in the network data set; acquiring a command data packet and a response data packet in a network data set; acquiring data characteristics of data to be processed according to the command data packet and the response data packet; and setting the data characteristics and the intrusion type as an original data set.
In one embodiment, the data features include: the device address, the initial position of the memory, the read-write command, the byte number of the responded memory, the read-write function codes of the command data packet and the response data packet, the lengths of the command data packet and the response data packet, the time interval between the command data packet and the response data packet, the error rate of cyclic redundancy check and the characteristic or state value of the industrial control system.
In one embodiment, the original data set extracting module 601 is further configured to assign a value to the intrusion class of the data.
In one embodiment, the convolutional neural network training module 603 is further configured to extract data features from the training data set as an input data set; train the input data set through the convolutional neural network classification model to obtain a predicted value; input the predicted value and the actual value into a categorical cross entropy loss function to obtain the loss function value it outputs, where the actual value is the value assigned to the intrusion type of the data; and, once the number of training iterations reaches the point at which the change in the loss function value is smaller than a set threshold, select the trained convolutional neural network classification model corresponding to the minimum loss function value as the optimal classification model.
In one embodiment, the following function is employed as the above-described categorical cross-entropy loss function:
Figure BDA0002220773030000131
where L_i is the loss function value, t_{i,j} is the actual value and p_{i,j} is the predicted value.
In one embodiment, the convolutional neural network-based industrial control system intrusion detection device further comprises:
and the characteristic dimension reduction module is used for performing characteristic dimension reduction on the training data set and the test data set by utilizing a principal component analysis method to obtain the training data set after the characteristic dimension reduction and the test data set after the characteristic dimension reduction.
The industrial control system intrusion detection device based on the convolutional neural network corresponds to the industrial control system intrusion detection method based on the convolutional neural network one to one, and for specific limitations of the industrial control system intrusion detection device based on the convolutional neural network, reference may be made to the above limitations on the industrial control system intrusion detection method based on the convolutional neural network, and technical features and advantages thereof described in the above embodiments of the industrial control system intrusion detection method based on the convolutional neural network are all applicable to the embodiments of the industrial control system intrusion detection device based on the convolutional neural network, and are not described herein again. All or part of each module in the industrial control system intrusion detection device based on the convolutional neural network can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, and the computer device may be a terminal, and its internal structure diagram may be as shown in fig. 7, and fig. 7 is an internal structure diagram of the computer device in one embodiment. The computer device comprises a processor, a memory, a network interface, a display screen and an input device which are connected through a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a convolutional neural network-based industrial control system intrusion detection method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, there is provided a computer device comprising a processor and a memory, the memory storing a computer program which when executed by the processor performs the steps of: extracting an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system; dividing an original data set into a training data set and a testing data set according to a preset proportion; training the training data set through a convolutional neural network classification model to obtain an optimal classification model; and inputting the test data set into the optimal classification model for classification processing to obtain an intrusion detection result of the industrial control system.
In one embodiment, the processor, when executing the computer program, further performs the steps of: classifying the data to be processed according to the communication traffic of the industrial control system to obtain the intrusion category of the data to be processed, the data to be processed being data in the network data set; acquiring a command data packet and a response data packet in the network data set; acquiring data characteristics of the data to be processed according to the command data packet and the response data packet; and setting the data characteristics and the intrusion type as the original data set.
In one embodiment, the data features include: the device address, the initial position of the memory, the read-write command, the byte number of the responded memory, the read-write function codes of the command data packet and the response data packet, the lengths of the command data packet and the response data packet, the time interval between the command data packet and the response data packet, the error rate of cyclic redundancy check and the characteristic or state value of the industrial control system.
In one embodiment, the processor, when executing the computer program, further performs the step of assigning a value to the intrusion type of the data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: extracting data characteristics from the training data set as an input data set; training the input data set through a convolutional neural network classification model to obtain a predicted value; inputting the predicted value and the actual value into a categorical cross entropy loss function to obtain the loss function value it outputs, where the actual value is the value assigned to the intrusion type of the data; and, once the number of training iterations reaches the point at which the variation of the loss function value is smaller than a set threshold, selecting the trained convolutional neural network classification model corresponding to the minimum loss function value as the optimal classification model.
In one embodiment, the following function is employed as the above-described categorical cross-entropy loss function:
Figure BDA0002220773030000151
where L_i is the loss function value, t_{i,j} is the actual value and p_{i,j} is the predicted value.
In one embodiment, the processor, when executing the computer program, further performs the steps of: and performing feature dimensionality reduction on the training data set and the test data set by using a principal component analysis method to obtain the training data set after feature dimensionality reduction and the test data set after feature dimensionality reduction.
With this computer device, the computer program running on the processor can process mass data quickly and perform multi-class classification with more accurate classification performance, thereby solving the technical problem of poor classification precision in conventional industrial control system intrusion detection methods.
It will be understood by those skilled in the art that all or part of the processes for implementing the convolutional neural network-based industrial control system intrusion detection method according to any of the above embodiments may be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium, and the computer program, when executed, may include the processes of the above embodiments of the methods. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
Accordingly, in one embodiment there is provided a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of: extracting an original data set of the industrial control system from a network data set of a communication protocol of the industrial control system; dividing an original data set into a training data set and a testing data set according to a preset proportion; training the training data set through a convolutional neural network classification model to obtain an optimal classification model; and inputting the test data set into the optimal classification model for classification processing to obtain an intrusion detection result of the industrial control system.
In one embodiment, the computer program, when executed by the processor, further performs the steps of: classifying the data to be processed according to the communication traffic of the industrial control system to obtain the intrusion category of the data to be processed, the data to be processed being data in the network data set; acquiring a command data packet and a response data packet in the network data set; acquiring data characteristics of the data to be processed according to the command data packet and the response data packet; and setting the data characteristics and the intrusion type as the original data set.
In one embodiment, the data features include: the device address, the initial position of the memory, the read-write command, the byte number of the responded memory, the read-write function codes of the command data packet and the response data packet, the lengths of the command data packet and the response data packet, the time interval between the command data packet and the response data packet, the error rate of cyclic redundancy check and the characteristic or state value of the industrial control system.
In one embodiment, the computer program, when executed by the processor, further performs the step of assigning a value to the intrusion type of the data.
In one embodiment, the computer program, when executed by the processor, further performs the steps of: extracting data characteristics from the training data set as an input data set; training the input data set through a convolutional neural network classification model to obtain a predicted value; inputting the predicted value and the actual value into a categorical cross entropy loss function to obtain the loss function value it outputs, where the actual value is the value assigned to the intrusion type of the data; and, once the number of training iterations reaches the point at which the variation of the loss function value is smaller than a set threshold, selecting the trained convolutional neural network classification model corresponding to the minimum loss function value as the optimal classification model.
In one embodiment, the following function is employed as the above-described categorical cross-entropy loss function:
Figure BDA0002220773030000171
where L_i is the loss function value, t_{i,j} is the actual value and p_{i,j} is the predicted value.
In one embodiment, the computer program when executed by the processor further performs the steps of: and performing feature dimensionality reduction on the training data set and the test data set by using a principal component analysis method to obtain the training data set after feature dimensionality reduction and the test data set after feature dimensionality reduction.
Through the stored computer program, the computer readable storage medium can process mass data quickly and perform multi-class classification with more accurate classification performance, thereby solving the technical problem of poor classification precision in conventional industrial control system intrusion detection methods.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (7)

1. An industrial control system intrusion detection method based on a convolutional neural network is characterized by comprising the following steps:
extracting a raw data set of an industrial control system from a network data set of a communication protocol of the industrial control system, comprising: determining whether the communication traffic of the industrial control system is normal based on a state model of the system's normal traffic, and classifying the data to be processed in the network data set to acquire the intrusion type of the data to be processed; acquiring a command data packet and a response data packet in the network data set; acquiring the data characteristics of the data to be processed according to the command data packet and the response data packet; and setting the data characteristics and the intrusion category as the original data set; the data characteristics including: the device address, the memory start position, the read/write command, the number of bytes of the responded memory, the read/write function codes of the command data packet and the response data packet, the lengths of the command data packet and the response data packet, the time interval between the command data packet and the response data packet, the error rate of the cyclic redundancy check and the characteristic or state value of the industrial control system;
dividing the original data set into a training data set and a testing data set according to a preset proportion;
performing feature dimensionality reduction on the data features in the training data set and the data features in the test data set by using a principal component analysis method to obtain a training data set subjected to feature dimensionality reduction and a test data set subjected to feature dimensionality reduction;
training the training data set after the feature dimensionality reduction through a convolutional neural network classification model to obtain an optimal classification model;
and inputting the test data set subjected to feature dimension reduction into the optimal classification model for classification processing, and obtaining an intrusion detection result of the industrial control system.
2. The method of claim 1, wherein, after obtaining the intrusion category of the data to be processed, the method further comprises:
assigning a value to the intrusion type of the data.
3. The method of claim 2, wherein the training the feature-reduced training data set through the convolutional neural network classification model to obtain an optimal classification model, comprises:
extracting data characteristics from the training data set after the characteristic dimension reduction to be used as an input data set;
training the input data set through the convolutional neural network classification model to obtain a predicted value;
inputting the predicted value and the actual value into a classified cross entropy loss function to obtain a loss function value output by the classified cross entropy loss function; the actual value is the assignment of the intrusion type of the data;
and, once the number of training iterations reaches the point at which the variation of the loss function value is smaller than a set threshold, selecting the trained convolutional neural network classification model corresponding to the minimum loss function value as the optimal classification model.
4. A method according to claim 3, characterized by employing as said classification cross entropy loss function the following function:
Figure FDA0003475061440000021
where L_i is the loss function value, t_{i,j} is the actual value, p_{i,j} is the predicted value, i is a row of the input data set matrix and j is a column of the input data set matrix.
5. An industrial control system intrusion detection device based on a convolutional neural network, comprising:
an original data set extraction module, configured to determine whether the communication traffic of the industrial control system is normal based on a state model of the system's normal traffic, classify the data to be processed in a network data set and acquire the intrusion type of the data to be processed; acquire a command data packet and a response data packet in the network data set; acquire the data characteristics of the data to be processed according to the command data packet and the response data packet; and set the data characteristics and the intrusion type as the original data set; the data characteristics including: the device address, the memory start position, the read/write command, the number of bytes of the responded memory, the read/write function codes of the command data packet and the response data packet, the lengths of the command data packet and the response data packet, the time interval between the command data packet and the response data packet, the error rate of the cyclic redundancy check and the characteristic or state value of the industrial control system;
an original data set classification module, configured to divide the original data set into a training data set and a test data set according to a preset ratio;
a feature dimensionality reduction module, configured to perform feature dimensionality reduction on the data features in the training data set and the data features in the test data set by using a principal component analysis method, to obtain a training data set subjected to feature dimensionality reduction and a test data set subjected to feature dimensionality reduction;
the convolutional neural network training module is used for training the training data set subjected to feature dimensionality reduction through a convolutional neural network classification model to obtain an optimal classification model;
and the data classification module is used for inputting the test data set subjected to feature dimension reduction into the optimal classification model for classification processing, and obtaining an intrusion detection result of the industrial control system.
6. A computer device comprising a processor and a memory, said memory storing a computer program, wherein the steps of the method of any of claims 1 to 4 are performed when said computer program is executed by said processor.
7. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 4.
CN201910933031.5A 2019-09-29 2019-09-29 Intrusion detection method, device, equipment and storage medium for industrial control system Active CN110912867B (en)

Publications (2)

Publication Number Publication Date
CN110912867A CN110912867A (en) 2020-03-24
CN110912867B true CN110912867B (en) 2022-05-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant