CN111885059A - Method for detecting and positioning abnormal industrial network flow - Google Patents

Method for detecting and positioning abnormal industrial network flow

Info

Publication number
CN111885059A
Authority
CN
China
Prior art keywords
data
network
model
abnormal
protocol
Prior art date
Legal status
Granted
Application number
CN202010716056.2A
Other languages
Chinese (zh)
Other versions
CN111885059B (en)
Inventor
赵曦滨
陆犇圆
高跃
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • G06F18/2135 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on approximation criteria, e.g. principal component analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an industrial network anomaly detection algorithm comprising: step 1, deploying a switch at a traffic exchange node of the industrial network; step 2, reading traffic data through a network interface, passing it to a protocol analysis algorithm for real-time layered protocol analysis, and extracting network behavior features; step 3, handling missing features, converting the data features into numerical form, and selecting a suitable feature combination from them for model training; step 4, building a network behavior model for each protocol to judge whether an anomaly has occurred; step 5, building a network behavior model for the protocol features of each layer of the OSI network model from normal traffic data, feeding abnormal traffic into that model for further anomaly analysis, and outputting the anomaly localization result for the traffic; step 6, updating the training data of the network behavior model at intervals and replacing the original model. The anomaly detection algorithm judges with a machine learning algorithm, detects unknown anomalies, and overcomes the defect that traditional methods cannot identify novel anomalies.

Description

Method for detecting and positioning abnormal industrial network flow
Technical Field
The invention relates to the field of industrial network security, in particular to an anomaly detection and positioning method based on network flow analysis.
Background
With the development of network technology, the internet has been combined with production in many industries and plays an increasingly important role. However, while the industrial internet brings convenience to production, it also introduces many potential security hazards and threats. China faces serious and complex network attacks from abroad, the level of threat to industrial control systems has risen markedly, and security incidents caused by malicious programs are frequent.
Industrial network intrusion detection refers to algorithms that, for a network formed by industrial control equipment, detect behavior harmful to the security of computer systems, such as collecting vulnerability information, causing denial of access, or attempting to obtain unauthorized control of the system.
Detection methods can be divided into two types by detection mode: misuse detection and anomaly detection. Misuse detection matches traffic against anomaly feature strings, comparing it with the anomaly features already recorded in a database. Its accuracy is high and its false alarm rate is low. However, extracting the features of anomalous information and writing them into the database in a specific form is very labor intensive, and as the database grows the detection time increases significantly, so real-time performance is poor.
Anomaly detection abandons database comparison: it builds a normal behavior model from the feature values of network behavior traffic, or combines this with the machine learning algorithms that have risen in recent years, judges the traffic features under inspection with the model, and treats data that clearly deviates from the normal model as abnormal traffic. This approach greatly improves the detection rate, although it sometimes brings a certain false alarm rate. At the same time, anomaly detection can detect new anomalies without manually maintaining a feature pattern library.
However, current detection methods have the following defects: misuse detection depends on database comparison and cannot detect a novel anomaly that is absent from the feature library; anomaly detection mostly uses machine learning algorithms and, although its detection accuracy is higher, for lack of interpretability its result can only report that an anomaly occurred, without accurately locating where the anomaly is or what caused it.
Disclosure of Invention
To overcome the defects of existing industrial network intrusion detection methods, the invention provides a real-time anomaly detection and localization method that can quickly detect anomalies and locate their causes while the data stream is being ingested.
The technical scheme of the invention provides an industrial network anomaly detection algorithm comprising the following steps:
step 1, deploying a switch at a traffic exchange node of the industrial network, collecting the data passing through the switch and mirroring it to a network interface of a server;
step 2, reading the traffic data through the network interface, passing it to a protocol analysis algorithm for real-time layered protocol analysis, and extracting network behavior features;
the protocol analysis algorithm analyzes the traffic data according to the TCP/IP five-layer model and extracts network behavior features from the data link layer, the network layer and the transport layer according to the protocol;
when network behavior features are extracted, common behavior feature keywords and representative behavior feature keywords of each format are extracted from the differently formatted data of a given application-layer protocol, and the common keywords and representative keywords together serve as the keywords of that protocol;
step 3, handling missing features, converting the data features into numerical form, and selecting a suitable feature combination from them for model training;
step 4, building a network behavior model for each protocol to judge whether an anomaly has occurred, and alarming on traffic whose anomaly score exceeds the threshold;
step 5, building a network behavior model for the protocol features of each layer of the OSI network model from normal traffic data, feeding abnormal traffic into that model for further anomaly analysis, and outputting the anomaly localization result for the traffic;
step 6, updating the training data of the network behavior model at intervals and replacing the original model;
a time window t is set; within each time window the data passes in turn through a foreground detection module, a background training module and a localization module, a detection report is generated, the training of the detection sub-model and localization sub-model for the new time window is completed, and the original network behavior model is replaced.
Further, in step 3, for the COTP protocol, if the fifth byte of the payload is not 2, the destination reference is the number held in bytes 7-8 of the payload; otherwise the field carries no destination reference and is recorded as 0;
for the URL field of the HTTP protocol, the string is converted into its ASCII codes and processed as a numeric field.
Further, in step 4, a network behavior model is built with the IForest (isolation forest) algorithm and subsequent traffic is detected with it; the anomaly score of the feature group of each network behavior traffic feature vector to be detected in the isolation forest is computed as follows:
Figure BDA0002598184920000021
where E(h(x)) denotes the mean path length of the data features in the isolation forest, ψ the number of training samples of a single isolation tree, and C(ψ) the mean path length of a binary isolation tree built from ψ data points; C(ψ) is computed as follows:
Figure BDA0002598184920000031
$h(\psi - 1) = \ln(\psi - 1) + \text{Euler}$, where Euler is the Euler constant.
Further, step 5 specifically includes:
step 5.1, judging whether traffic data of the same class share the same network behavior feature fields; when a field value fluctuates over a wide range the field is considered abnormal, and the degree of abnormality of the traffic data is measured with the coefficient of variation:
Figure BDA0002598184920000038
wherein,
Figure BDA0002598184920000032
where $x_i$ is the data of the i-th field, $\mu$ is the mean value of the field, and CV is the ratio of the standard deviation to the mean;
step 5.2, constructing a data processing matrix, and taking the normal data model of the previous 10 minutes as an input matrix A of the PCA:
Figure BDA0002598184920000033
wherein m is the number of historical data, n is the number of fields, and the columns represent the data of the fields;
step 5.3, carrying out standardization processing on the original input matrix, and obtaining eigenvalues and eigenvectors by using the standardized matrix;
because the value ranges of all fields are different, the original input matrix A needs to be subjected to standardized conversion to obtain a standardized matrix Z;
Figure BDA0002598184920000034
wherein,
Figure BDA0002598184920000035
next, a covariance matrix Σ of the matrix Z is obtained:
Figure BDA0002598184920000036
wherein,
Figure BDA0002598184920000037
$\mathrm{cov}(Z_i, Z_j) = E\big((Z_i - E(Z_i))(Z_j - E(Z_j))\big)$; finally, the eigenvalues $\lambda_1, \lambda_2, \dots, \lambda_n$ and eigenvectors $\mu_1, \mu_2, \dots, \mu_n$ of the covariance matrix are solved for;
step 5.4, sorting the eigenvalues $\lambda_1, \lambda_2, \dots, \lambda_n$ in descending order and then computing the variance percentages of the principal components such that
Figure BDA0002598184920000041
where β is a set threshold;
step 5.5, sorting the selected principal components, selecting the principal component with the largest information amount, and taking the field represented by the principal component as a root cause field candidate set;
step 5.6, defining the root cause field candidate set of k elements as a current abnormal mode, and comparing the current abnormal mode with a known abnormal mode; if the same type of abnormal mode exists, reporting the abnormal mode and detailed information thereof; otherwise, updating the abnormal mode library and reporting the abnormality.
The invention has the beneficial effects that:
(1) High efficiency: model training and detection are separated, that is, the detection algorithm is trained offline and the trained model is used for online traffic detection, which makes anomaly detection efficient. The method can detect static data and also guarantees detection on data streams.
(2) High accuracy: the anomaly detection algorithm judges with a machine learning algorithm, so unknown anomalies are detected and the defect that traditional methods cannot identify novel anomalies is overcome.
(3) Interpretability: after anomaly detection, the anomalous data is analyzed further, the cause of the anomaly is judged and a detection report is generated. Through automatic anomaly localization the position of the anomaly and the reason for it can be seen clearly, and no additional manpower has to be assigned to localize an alarmed anomaly.
(4) Automatic updating: to suit streaming data, the detection algorithm updates itself automatically as the real-time data characteristics change; the updated model replaces the original detection model and performs anomaly detection on the subsequent data.
Drawings
FIG. 1 is a system data flow diagram of the present method;
FIG. 2 is a flow chart of the method for protocol and layer detection of the industrial control protocol.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations where mutually exclusive features and/or steps are present. Any feature disclosed in this specification may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
The preferred embodiments of the invention are described in further detail below.
As shown in FIG. 1, this embodiment provides an industrial network anomaly detection algorithm comprising the following steps:
Step 1, a switch is deployed at a traffic exchange node of the industrial network, and the data passing through the switch is collected and mirrored to a network interface of a server.
As shown in FIG. 1, the collected data includes traffic exchanged between PLC devices and traffic sent to the PLC devices by the upper computer.
Step 2, the traffic data is read through the network interface, passed to a protocol analysis algorithm for real-time layered protocol analysis, and network behavior features are extracted.
As shown in FIG. 1, the protocol analysis algorithm analyzes the traffic data according to the TCP/IP five-layer model and extracts network behavior features from the data link layer, network layer and transport layer according to the protocol.
When the network behavior features are extracted, because application-layer protocol formats are complex, common network behavior keywords and representative network behavior keywords of each format are extracted from the differently formatted data of a given application-layer protocol, and the common keywords and representative keywords together serve as the keywords of that protocol.
For example, for all traffic of the HTTP protocol the common keywords include the source and destination MAC addresses of the link layer, the source and destination IP addresses of the network layer, and the source port, destination port, window size and so on of the transport layer. However, because HTTP traffic is divided into request messages and response messages, representative keywords must be extracted from the two message types; representative keywords of the HTTP protocol include the HTTP message type, status code, method, URL and so on.
Step 3, missing features are handled, the data features are converted into numerical form, and a suitable feature combination is selected from them for model training.
For example, for the COTP protocol, if the fifth byte of the payload is not 2, the destination reference is the number held in bytes 7-8 of the payload; otherwise the field carries no destination reference and is recorded as 0. The URL field of the HTTP protocol is a string field; for ease of input to the algorithm it is converted into its ASCII codes and handled as a numeric field. However, because the number of fields is too large, several main fields can be extracted as input to improve the efficiency of the algorithm, for example by omitting one of the source IP and source MAC fields, which carry the same information, or by selecting fields with a dimensionality reduction algorithm such as PCA or t-SNE.
As shown in FIG. 1, processing the data includes padding field values that are absent according to the specific distribution of that field, for example with 0 or -1, and applying a numeric operation such as hashing or encoding to strings and similar keyword values, so that all feature values are represented in numerical form.
Step 4, a network behavior model is built for each protocol to judge whether an anomaly has occurred, and traffic whose anomaly score exceeds the threshold is alarmed.
As shown in FIG. 2, the network behavior model is built with the IForest (isolation forest) algorithm and subsequent traffic is detected with it.
The detection method is as follows: the anomaly score of the feature group of each network behavior traffic feature vector to be detected in the isolation forest is computed as:
Figure BDA0002598184920000061
where E(h(x)) denotes the mean path length of the data features in the isolation forest, ψ the number of training samples of a single isolation tree, and C(ψ) the mean path length of a binary isolation tree built from ψ data points; C(ψ) is computed as follows:
Figure BDA0002598184920000062
$h(\psi - 1) = \ln(\psi - 1) + \text{Euler}$, where Euler is the Euler constant.
For example, for the traffic data of the HTTP protocol, historical sample data is selected, fields such as the source MAC, the destination MAC, the source port, the destination port, flag bits of the TCP, the HTTP protocol type, and the status code are selected as inputs of the IForest algorithm, and according to the result of the sample, a threshold value of the abnormal score is preset and applied to the detection of the subsequent flow data.
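As an added example (not the patent's own code), the step 4 detection model as a stdlib-only Python isolation forest: C(ψ) and h(ψ-1) are taken from the text, and the anomaly score s(x) = 2^(-E(h(x))/C(ψ)) is the standard IForest score that those two quantities define. The HTTP flow feature vectors, the anomalous row and the alarm threshold of 0.7 are constructed assumptions; one point the code makes explicit is that a field which is constant in the training sample (dst_port here) can never be split on and so never isolates anything.

```python
"""Step 4 detection model: an isolation forest (IForest) over numeric per-flow
features, scoring each flow by s(x) = 2^(-E(h(x)) / C(psi)).  Added example,
not the patent's own code; stdlib only.  C(psi) and h(psi - 1) follow the text."""
import math
import random

EULER = 0.5772156649015329  # Euler's constant, as used in h(psi - 1)


def h(i):
    """h(i) = ln(i) + Euler: the harmonic-number approximation from the text."""
    return math.log(i) + EULER


def c_psi(psi):
    """C(psi) = 2 h(psi - 1) - 2 (psi - 1) / psi, the mean path length of an
    isolation tree built from psi samples.  psi <= 2 uses the usual IForest
    special cases because ln(psi - 1) is undefined or 0 there."""
    if psi > 2:
        return 2.0 * h(psi - 1) - 2.0 * (psi - 1) / psi
    return 1.0 if psi == 2 else 0.0


def build_tree(rows, rng, depth, limit):
    """One isolation tree: pick a random feature that still varies in this node,
    split at a random point of its range, recurse until a node holds a single
    row or the height limit is reached.  Leaves keep their size so C(size)
    can stand in for the unexpanded subtree when scoring."""
    if depth >= limit or len(rows) <= 1:
        return {"size": len(rows)}
    ranges = [(min(r[f] for r in rows), max(r[f] for r in rows))
              for f in range(len(rows[0]))]
    varying = [f for f, (lo, hi) in enumerate(ranges) if lo < hi]
    if not varying:  # a field constant in the sample can never isolate a row
        return {"size": len(rows)}
    f = rng.choice(varying)
    split = rng.uniform(*ranges[f])  # in [lo, hi), so the right branch is never empty
    return {"feat": f, "split": split,
            "left": build_tree([r for r in rows if r[f] < split], rng, depth + 1, limit),
            "right": build_tree([r for r in rows if r[f] >= split], rng, depth + 1, limit)}


def path_length(tree, x):
    """h(x) for one tree: edges walked plus C(leaf size) for a non-singleton leaf."""
    depth = 0
    while "feat" in tree:
        tree = tree["left"] if x[tree["feat"]] < tree["split"] else tree["right"]
        depth += 1
    return depth + c_psi(tree["size"])


class IsolationForest:
    def __init__(self, n_trees=100, psi=256, seed=0):
        self.n_trees, self.psi, self.rng, self.trees = n_trees, psi, random.Random(seed), []

    def fit(self, rows):
        """Train on historical sample data; each tree sees psi rows drawn without replacement."""
        self.psi = min(self.psi, len(rows))
        limit = math.ceil(math.log2(max(self.psi, 2)))
        self.trees = [build_tree(self.rng.sample(rows, self.psi), self.rng, 0, limit)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1): E(h(x)) over all trees, normalized by C(psi).
        Short average paths (easily isolated flows) give scores near 1."""
        e_h = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-e_h / c_psi(self.psi))

    def alarm(self, x, threshold):
        """Step 4 alarm rule: flag the flow when its score exceeds the preset threshold."""
        return self.score(x) > threshold


# Constructed HTTP-flow feature vectors (not captured traffic):
# [src_port, dst_port, tcp_flags, status_code, body_len]
def constructed_http_flows(n=200, seed=1):
    rng = random.Random(seed)
    return [[rng.randint(49152, 65535), 80, rng.choice([16, 24]),
             rng.choice([200, 200, 304, 404]), rng.randint(900, 1500)] for _ in range(n)]


# A flow that is extreme on several varying fields at once: privileged source
# port, SYN-only flags, 5xx status and an oversized body (constructed).
ANOMALY = [1025, 80, 2, 500, 20000]
THRESHOLD = 0.7  # assumed preset; the text says it is chosen from sample results


if __name__ == "__main__":
    flows = constructed_http_flows()
    forest = IsolationForest().fit(flows + [ANOMALY])
    print("anomaly score", round(forest.score(ANOMALY), 3), "alarm:", forest.alarm(ANOMALY, THRESHOLD))
    print("max normal score", round(max(forest.score(r) for r in flows), 3))
```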
Step 5, a network behavior model is built for the protocol features of each layer of the OSI network model from normal traffic data, abnormal traffic is fed into that model for further anomaly analysis, and the anomaly localization result for the traffic is output.
Step 5.1, it is judged whether traffic data of the same type, such as HTTP packets or Modbus packets, share the same network behavior feature fields, whose values are relatively stable. If the value of a field fluctuates over a wide range, the field is considered abnormal. The degree of abnormality of the traffic data is measured with the coefficient of variation.
Figure BDA0002598184920000063
Wherein,
Figure BDA0002598184920000064
where $x_i$ is the data of the i-th field, $\mu$ is the mean of the field, and CV is the ratio of the standard deviation to the mean.
The larger the coefficient of variation CV, the more abnormal the traffic packets are in that time period, and further localization analysis is carried out. In multivariate statistical analysis, when more than 10 variables are involved, the dimensions that can be discarded are mostly correlated with other dimensions and therefore redundant, so Principal Component Analysis (PCA) is used to reduce the n-dimensional data to p principal components (p < n) that express the original data information; this effectively reduces the data dimensionality while narrowing the range in which the problem is located.
Step 5.2, constructing a data processing matrix, and taking the normal data model of the previous 10 minutes as an input matrix A of the PCA:
Figure BDA0002598184920000071
where m is the number of history data, n is the number of fields, and the columns represent the data of the fields.
And 5.3, carrying out standardization processing on the original input matrix, and obtaining the eigenvalue and the eigenvector by using the standardized matrix.
Because the value ranges of the fields differ, the original input matrix A is standardized to obtain the standardized matrix Z.
Figure BDA0002598184920000072
Wherein,
Figure BDA0002598184920000073
next, a covariance matrix Σ of the matrix Z is obtained:
Figure BDA0002598184920000074
wherein,
Figure BDA0002598184920000075
$\mathrm{cov}(Z_i, Z_j) = E\big((Z_i - E(Z_i))(Z_j - E(Z_j))\big)$. Finally, the eigenvalues $\lambda_1, \lambda_2, \dots, \lambda_n$ and eigenvectors $\mu_1, \mu_2, \dots, \mu_n$ of the covariance matrix are found.
Step 5.4, the eigenvalues $\lambda_1, \lambda_2, \dots, \lambda_n$ are sorted in descending order, and then the variance percentages of the principal components are computed such that
Figure BDA0002598184920000076
where β is a set threshold.
A principal component is a linear combination of the original dimensions, with the corresponding eigenvector as its coefficient vector. Each coefficient expresses the correlation between the principal component and an original data dimension: the larger the coefficient, the larger that dimension's contribution to the principal component, that is, the field corresponding to that dimension is the main field causing the anomaly.
Step 5.5, the selected principal components are sorted, the principal component carrying the most information is selected, and the field it represents is taken as the root-cause field candidate set.
The anomaly localization algorithm first selects k principal components $p_1, p_2, \dots, p_k$ according to the corresponding eigenvalues $\lambda_1, \lambda_2, \dots, \lambda_k$; the higher a component ranks, the more significant it is. Then, for each principal component in turn, the largest coefficient and its corresponding field are selected and the weight factor of that field is computed, giving k fields and their weight factors. Finally, the k selected fields are sorted in descending order of weight factor and used as the root-cause fields of the anomaly localization.
Step 5.6, the root-cause field candidate set of k elements is defined as the current anomaly pattern and compared with the known anomaly patterns. If an anomaly pattern of the same type exists, that anomaly pattern and its details are reported; otherwise the anomaly pattern library is updated and the anomaly is reported.
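As an added example (not the patent's own code) covering steps 5.1 to 5.5 above: the coefficient of variation per field, then standardization, the covariance matrix, its eigen-decomposition, selection of principal components up to the cumulative variance threshold β, and a ranked root-cause field list. The feature window, field names, CV threshold and the weight factor (eigenvalue times |coefficient|, which the text does not define) are assumptions; the text feeds the previous 10 minutes of normal data as matrix A, while here the constructed window under analysis is used. It is stdlib only, so the eigen-solver is a power iteration with deflation rather than a library call.

```python
"""Step 5 anomaly localization: coefficient of variation per field (step 5.1),
then PCA over the standardized field matrix (steps 5.2-5.5) to rank the fields
behind an alarm.  Added example, not the patent's own code; stdlib only."""
import math
import random

# Constructed HTTP-flow feature window (not captured traffic).  status_code,
# body_len and latency_ms are built to co-vary, with status_code as the hub
# field; both port fields are constant, which exercises the sigma = 0 path.
FIELDS = ["src_port", "dst_port", "status_code", "body_len", "latency_ms"]
WINDOW = [
    [49152, 80, 450, 1300, 80],
    [49152, 80, 250,  900, 40],
    [49152, 80, 450, 1100, 80],
    [49152, 80, 250,  700, 40],
    [49152, 80, 450, 1300, 60],
    [49152, 80, 250,  900, 20],
    [49152, 80, 450, 1100, 60],
    [49152, 80, 250,  700, 20],
]


def mean_std(values):
    """Population mean and standard deviation of one field."""
    mu = sum(values) / len(values)
    return mu, math.sqrt(sum((v - mu) ** 2 for v in values) / len(values))


def coefficient_of_variation(values):
    """Step 5.1: CV = sigma / mu.  A zero mean would divide by zero: a field
    constant at 0 is stable (CV 0), one that varies around 0 is not."""
    mu, sigma = mean_std(values)
    if mu == 0:
        return 0.0 if sigma == 0 else math.inf
    return sigma / abs(mu)


def unstable_fields(matrix, fields, cv_threshold):
    """Fields whose value fluctuates widely inside the window (CV above threshold)."""
    cols = list(zip(*matrix))
    return [f for f, c in zip(fields, cols) if coefficient_of_variation(c) > cv_threshold]


def standardize(matrix):
    """Step 5.3: Z = (A - mu) / sigma per column.  A constant column has
    sigma = 0; it is zeroed instead of dividing by zero, so it carries no
    variance and can never be selected as a root cause."""
    stats = [mean_std(col) for col in zip(*matrix)]
    return [[(v - mu) / sigma if sigma else 0.0 for v, (mu, sigma) in zip(row, stats)]
            for row in matrix]


def covariance(z):
    """Sigma = Z^T Z / m; for standardized columns this is the correlation matrix."""
    m, n = len(z), len(z[0])
    return [[sum(z[r][i] * z[r][j] for r in range(m)) / m for j in range(n)] for i in range(n)]


def principal_components(sigma, beta, iters=500):
    """Steps 5.3-5.4: eigenpairs of Sigma in descending eigenvalue order, taking
    components until their cumulative variance share reaches beta.  Power
    iteration finds the dominant eigenvector; deflating it exposes the next."""
    n = len(sigma)
    total = sum(sigma[i][i] for i in range(n))  # trace = sum of all eigenvalues
    work = [row[:] for row in sigma]
    rng = random.Random(0)  # fixed seed: deterministic start vectors
    pcs, explained = [], 0.0
    while len(pcs) < n and explained < beta * total:
        v = [rng.random() + 0.1 for _ in range(n)]
        for _ in range(iters):
            w = [sum(work[i][j] * v[j] for j in range(n)) for i in range(n)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:  # nothing left to explain (remaining matrix ~ 0)
                return pcs
            v = [x / norm for x in w]
        lam = sum(v[i] * work[i][j] * v[j] for i in range(n) for j in range(n))
        pcs.append((lam, v))
        explained += lam
        for i in range(n):
            for j in range(n):
                work[i][j] -= lam * v[i] * v[j]
    return pcs


def root_cause_fields(matrix, fields, beta=0.85):
    """Step 5.5: for each selected component take the field with the largest
    |coefficient|; weight it by eigenvalue * |coefficient| (the text leaves the
    weight factor unspecified, so this is an assumption) and rank descending."""
    pcs = principal_components(covariance(standardize(matrix)), beta)
    weights = {}
    for lam, v in pcs:
        idx = max(range(len(v)), key=lambda i: abs(v[i]))
        w = lam * abs(v[idx])
        weights[fields[idx]] = max(w, weights.get(fields[idx], 0.0))
    return sorted(weights, key=weights.get, reverse=True)


if __name__ == "__main__":
    print("unstable fields:", unstable_fields(WINDOW, FIELDS, cv_threshold=0.1))
    print("root cause candidates:", root_cause_fields(WINDOW, FIELDS))
```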
And 6, updating training data of the network behavior model at intervals and replacing the original model.
And setting time windows t, sequentially passing the data through a foreground detection module, a background training module and a positioning module in each time window, generating a detection report, finishing the training of a detection sub-model and a positioning sub-model corresponding to the new time window, and replacing the original network behavior model.
Although the present invention has been disclosed in detail with reference to the accompanying drawings, it is to be understood that such description is merely illustrative of and not restrictive on the application of the present invention. The scope of the invention is defined by the appended claims and may include various modifications, adaptations and equivalents of the invention without departing from its scope and spirit.

Claims (4)

1. An industrial network anomaly detection algorithm, comprising the steps of:
step 1, deploying a switch at a traffic exchange node of the industrial network, collecting the data passing through the switch and mirroring it to a network interface of a server;
step 2, reading the traffic data through the network interface, passing it to a protocol analysis algorithm for real-time layered protocol analysis, and extracting network behavior features;
the protocol analysis algorithm analyzes the traffic data according to the TCP/IP five-layer model and extracts network behavior features from the data link layer, the network layer and the transport layer according to the protocol;
when network behavior features are extracted, common behavior feature keywords and representative behavior feature keywords of each format are extracted from the differently formatted data of a given application-layer protocol, and the common keywords and representative keywords together serve as the keywords of that protocol;
step 3, handling missing features, converting the data features into numerical form, and selecting a suitable feature combination from them for model training;
step 4, building a network behavior model for each protocol to judge whether an anomaly has occurred, and alarming on traffic whose anomaly score exceeds the threshold;
step 5, building a network behavior model for the protocol features of each layer of the OSI network model from normal traffic data, feeding abnormal traffic into that model for further anomaly analysis, and outputting the anomaly localization result for the traffic;
step 6, updating the training data of the network behavior model at intervals and replacing the original model;
a time window t is set; within each time window the data passes in turn through a foreground detection module, a background training module and a localization module, a detection report is generated, the training of the detection sub-model and localization sub-model for the new time window is completed, and the original network behavior model is replaced.
2. The industrial network anomaly detection algorithm of claim 1, wherein:
in step 3, for the COTP protocol, if the fifth byte of the payload is not 2, the destination reference is the number held in bytes 7-8 of the payload; otherwise the field carries no destination reference and is recorded as 0;
for the URL field of the HTTP protocol, the string is converted into its ASCII codes and processed as a numeric field.
3. The industrial network anomaly detection algorithm of claim 1, wherein:
in step 4, a network behavior model is built with the IForest (isolation forest) algorithm and subsequent traffic is detected with it; the anomaly score of the feature group of each network behavior traffic feature vector to be detected in the isolation forest is computed as follows:
Figure FDA0002598184910000011
where E(h(x)) denotes the mean path length of the data features in the isolation forest, ψ the number of training samples of a single isolation tree, and C(ψ) the mean path length of a binary isolation tree built from ψ data points; C(ψ) is computed as follows:
Figure FDA0002598184910000021
$h(\psi - 1) = \ln(\psi - 1) + \text{Euler}$, where Euler is the Euler constant.
4. The industrial network anomaly detection algorithm of claim 1, wherein: the step 5 specifically comprises the following steps:
step 5.1, judging whether traffic data of the same class share the same network behavior feature fields; when a field value fluctuates over a wide range the field is considered abnormal, and the degree of abnormality of the traffic data is measured with the coefficient of variation:
Figure FDA0002598184910000022
wherein,
Figure FDA0002598184910000023
where $x_i$ is the data of the i-th field, $\mu$ is the mean value of the field, and CV is the ratio of the standard deviation to the mean;
step 5.2, constructing a data processing matrix, and taking the normal data model of the previous 10 minutes as an input matrix A of the PCA:
Figure FDA0002598184910000024
wherein m is the number of historical data, n is the number of fields, and the columns represent the data of the fields;
step 5.3, carrying out standardization processing on the original input matrix, and obtaining eigenvalues and eigenvectors by using the standardized matrix;
because the value ranges of all fields are different, the original input matrix A needs to be subjected to standardized conversion to obtain a standardized matrix Z;
Figure FDA0002598184910000025
wherein,
Figure FDA0002598184910000026
next, a covariance matrix Σ of the matrix Z is obtained:
Figure FDA0002598184910000027
wherein,
Figure FDA0002598184910000028
finally, the eigenvalues λ1, λ2, …, λn of the covariance matrix and the corresponding eigenvectors μ1, μ2, …, μn are solved;
step 5.4, sorting the eigenvalues λ1, λ2, …, λn in descending order and then calculating the principal-component variance percentages such that
Figure FDA0002598184910000031
where β is a set threshold value;
step 5.5, sorting the selected principal components, selecting the principal component carrying the most information, and taking the fields represented by that principal component as the root-cause field candidate set;
step 5.6, defining the root-cause field candidate set of k elements as the current anomaly pattern and comparing it with the known anomaly patterns; if an anomaly pattern of the same type exists, reporting that pattern and its details; otherwise, updating the anomaly pattern library and reporting the anomaly.
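Steps 5.1 to 5.6 together form one localisation procedure, shown below as an added pure-Python example that is not the patent's own code. The five field names, the 20-row constructed input matrix (30-second windows of the last 10 minutes, with a correlated surge in two fields in the final rows), the threshold β = 0.85, the candidate-set size k = 2, the use of the sample standard deviation in the standardisation, and the Jacobi rotation method used to obtain the eigenvalues and eigenvectors are all assumptions; the claim fixes none of them.

```python
"""Root-cause field localisation of claim 4, steps 5.1 to 5.6 (added example, not the patent's code)."""
import math
import random

FIELDS = ["packets", "bytes_out", "write_count", "read_count", "conn_count"]  # assumed fields


def constructed_window(seed=3):
    """Constructed input matrix A: 20 rows (30 s windows of the last 10 minutes) x 5 fields.
    The last four rows carry a correlated surge in bytes_out and write_count."""
    rng = random.Random(seed)
    rows = []
    for i in range(20):
        row = [rng.gauss(200, 10), rng.gauss(40000, 2000), rng.gauss(5, 1),
               rng.gauss(50, 5), rng.gauss(3, 0.5)]
        if i >= 16:
            row[1] += 300000  # bytes_out surge
            row[2] += 80      # write_count surge in the same rows
        rows.append(row)
    return rows


def columns(a):
    return [list(c) for c in zip(*a)]


def mean(v):
    return sum(v) / len(v)


def sample_std(v):
    mu = mean(v)
    return math.sqrt(sum((x - mu) ** 2 for x in v) / (len(v) - 1))


def coefficient_of_variation(a):
    """Step 5.1: CV = standard deviation / mean for every field (None if the mean is ~0)."""
    out = {}
    for name, col in zip(FIELDS, columns(a)):
        mu = mean(col)
        out[name] = None if abs(mu) < 1e-12 else sample_std(col) / mu
    return out


def standardize(a):
    """Step 5.3: Z = (A - column mean) / column std, column by column."""
    mus = [mean(c) for c in columns(a)]
    sds = [sample_std(c) for c in columns(a)]
    return [[(x - mus[j]) / sds[j] if sds[j] > 0 else 0.0 for j, x in enumerate(r)] for r in a]


def covariance(z):
    """Covariance matrix Sigma = Z^T Z / (m - 1)."""
    m, n = len(z), len(z[0])
    return [[sum(z[i][p] * z[i][q] for i in range(m)) / (m - 1) for q in range(n)]
            for p in range(n)]


def symmetric_eig(a, tol=1e-12, max_sweeps=100):
    """Eigenvalues and eigenvectors of a symmetric matrix by cyclic Jacobi rotations."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):  # A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):  # V <- V J (accumulated eigenvectors)
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(n)], [[v[k][i] for k in range(n)] for i in range(n)]


def principal_components(a, beta=0.85):
    """Steps 5.3-5.4: eigen-decompose Sigma, sort eigenvalues descending and keep
    components until the cumulative variance percentage reaches beta (0.85 assumed)."""
    lam, vec = symmetric_eig(covariance(standardize(a)))
    total = sum(lam)
    kept, cum = [], 0.0
    for i in sorted(range(len(lam)), key=lambda i: -lam[i]):
        kept.append((lam[i], lam[i] / total, vec[i]))
        cum += lam[i] / total
        if cum >= beta:
            break
    return kept


def root_cause_candidates(a, k=2, beta=0.85):
    """Step 5.5: the k fields with the largest |loading| on the most informative component."""
    top_vec = principal_components(a, beta)[0][2]
    ranked = sorted(range(len(FIELDS)), key=lambda j: -abs(top_vec[j]))
    return frozenset(FIELDS[j] for j in ranked[:k])


def match_or_learn(candidates, library):
    """Step 5.6: report a known anomaly pattern, or add the new one to the library and report it."""
    for name, fields in library.items():
        if fields == candidates:
            return "known", name
    name = f"pattern-{len(library) + 1}"
    library[name] = candidates
    return "new", name
```

Standardisation gives every field unit variance, so the covariance of Z is the correlation matrix and its trace equals the number of fields; the leading component therefore picks out fields that move together, which is why the candidate set names the two surging fields rather than the noisiest single one. The CV of step 5.1 is undefined for a field whose mean is near zero, which the example reports as None instead of dividing.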
CN202010716056.2A 2020-07-23 2020-07-23 Method for detecting and positioning abnormal industrial network flow Active CN111885059B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010716056.2A CN111885059B (en) 2020-07-23 2020-07-23 Method for detecting and positioning abnormal industrial network flow

Publications (2)

Publication Number Publication Date
CN111885059A true CN111885059A (en) 2020-11-03
CN111885059B CN111885059B (en) 2021-08-31

Family

ID=73155880

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010716056.2A Active CN111885059B (en) 2020-07-23 2020-07-23 Method for detecting and positioning abnormal industrial network flow

Country Status (1)

Country Link
CN (1) CN111885059B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101626322A (en) * 2009-08-17 2010-01-13 中国科学院计算技术研究所 Method and system of network behavior anomaly detection
US8218534B2 (en) * 2009-05-07 2012-07-10 The Industry & Academic Cooperation In Chungnam National University (Iac) VoIP anomaly traffic detection method with flow-level data
CN104301895A (en) * 2014-09-28 2015-01-21 北京邮电大学 Double-layer trigger intrusion detection method based on flow prediction
CN106209843A (en) * 2016-07-12 2016-12-07 工业和信息化部电子工业标准化研究院 A kind of data flow anomaly towards Modbus agreement analyzes method
US20170195197A1 (en) * 2011-07-26 2017-07-06 Security Matters B.V. Method and system for classifying a protocol message in a data communication network
CN108900476A (en) * 2018-06-07 2018-11-27 桂林电子科技大学 Based on Spark and the parallel network flow method for detecting abnormality that forest is isolated
CN109714343A (en) * 2018-12-28 2019-05-03 北京天融信网络安全技术有限公司 A kind of judgment method and device of exception of network traffic
CN110505179A (en) * 2018-05-17 2019-11-26 中国科学院声学研究所 A kind of detection method and system of exception flow of network
CN110674940A (en) * 2019-09-18 2020-01-10 上海擎创信息技术有限公司 Multi-index anomaly detection method based on neural network
CN110753064A (en) * 2019-10-28 2020-02-04 中国科学技术大学 Machine learning and rule matching fused security detection system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张艳升; 李喜旺; 李丹; 杨华: "Abnormal traffic detection for industrial control networks based on convolutional neural networks", 《计算机应用》 (Journal of Computer Applications) *
赖英旭, 刘增辉, 蔡晓田, 杨凯翔: "A survey of intrusion detection research for industrial control systems", 《通信学报》 (Journal on Communications) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112822151A (en) * 2020-11-06 2021-05-18 浙江中烟工业有限责任公司 Multilayer accurate active network attack detection method and system for control network industrial computer
CN112966957A (en) * 2021-03-22 2021-06-15 国家电网有限公司大数据中心 Data link abnormity positioning method and device, electronic equipment and storage medium
CN113141373B (en) * 2021-04-30 2023-02-07 平安普惠企业管理有限公司 Method, device, equipment and storage medium for detecting abnormal intrusion
CN113141373A (en) * 2021-04-30 2021-07-20 平安普惠企业管理有限公司 Method, device, equipment and storage medium for detecting abnormal intrusion
CN113592039A (en) * 2021-09-02 2021-11-02 北京沃东天骏信息技术有限公司 Method and device for predicting model primary key
CN113904812A (en) * 2021-09-18 2022-01-07 中标慧安信息技术股份有限公司 Internet of things intrusion detection method based on isolated forest
CN114221780A (en) * 2021-10-26 2022-03-22 深圳市永达电子信息股份有限公司 Industrial control system network security guarantee method, device and computer storage medium
CN114221780B (en) * 2021-10-26 2024-05-10 深圳市永达电子信息股份有限公司 Network security guarantee method and device for industrial control system and computer storage medium
CN114363005A (en) * 2021-12-08 2022-04-15 北京六方云信息技术有限公司 ICMP detection method, system, equipment and medium based on machine learning
CN114785617B (en) * 2022-06-15 2022-11-15 北京金汇创企业管理有限公司 5G network application layer anomaly detection method and system
CN114785617A (en) * 2022-06-15 2022-07-22 北京金汇创企业管理有限公司 5G network application layer anomaly detection method and system
CN115622810A (en) * 2022-12-14 2023-01-17 深圳市永达电子信息股份有限公司 Business application identification system and method based on machine learning algorithm
CN117914629A (en) * 2024-03-18 2024-04-19 台州市大数据发展有限公司 Network security detection method and system
CN117914629B (en) * 2024-03-18 2024-05-28 台州市大数据发展有限公司 Network security detection method and system

Also Published As

Publication number Publication date
CN111885059B (en) 2021-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant