CN112134737A - Reverse analysis system of industrial Internet of things - Google Patents

Abstract

The invention provides an industrial Internet of things reverse analysis system, which comprises: firstly, preprocessing an initial industrial internet of things protocol message sequence sample set to obtain a complete application layer protocol; secondly, constructing an LSTM neural network model structure according to format characteristics of an industrial Internet of things protocol; then, inputting the training data set as an LSTM network model, and training model parameters; and finally, taking the trained LSTM network structure model as an industrial Internet of things protocol message field prediction model, and predicting unknown industrial Internet of things protocol message fields. Compared with the method for manually analyzing the unknown industrial Internet of things protocol format, the method is higher in efficiency and accuracy.

Description

Reverse analysis system of industrial Internet of things

Technical Field

The invention relates to the field of industrial Internet of things safety, and particularly provides an industrial Internet of things reverse analysis system for a collected industrial Internet of things protocol sample sequence.

Background

The safety problem of the industrial internet of things is getting worse as events such as damages to Iran nuclear facilities by earthquake network viruses, blackish power failure of an UK power grid, explosion of British petroleum pipelines, paralysis of a water supply system in Illinois, USA and the like frequently occur. The industrial internet of things system is interconnected and intercommunicated by communication protocols, the safety of the communication protocols is an important part of the safety of the industrial internet of things system, but due to the consideration of factors such as providing personalized functions and optimizing the communication protocols, various industrial internet of things manufacturers cause a large number of private and unknown communication protocols in the industrial internet of things industry, and great challenges are brought to protocol safety analysis.

In existing solutions, it is the main approach to resolve unknown protocols using protocol inversion techniques. Because the industrial control protocol processing program is mainly integrated in special software and hardware equipment provided by industrial control manufacturers, a protocol analysis execution stream is not easy to obtain, and an unknown industrial control protocol is mainly analyzed by adopting a static method aiming at the protocol stream. Tao et al (Siyu Tao, et al, "Bit-oriented format extraction for automatic binary replication engineering," in IET Communications,2016.) propose a binary protocol analysis method, extract Bit-level features based on Bayesian probability, thereby improving the efficiency of protocol identification; luo et al (Luo Jianzhen, et al, "Position-based automatic reverse engineering of network protocols," in Journal of network and computer applications,2013.) propose an application layer protocol reverse parsing method, which infers a message format based on an association rule established by a message field occurrence frequency and a Position distribution rule; cui et al (Weidong Cui, et al, "discover: automatic protocol conversion from network processes," in Usenix Security Symposium,2007.) propose a protocol format flag domain extraction tool, which recursively clusters a format flag domain by a probabilistic matching algorithm to infer protocol semantics. In the scheme, the time consumption and the accuracy are low by manually analyzing the unknown internet of things protocol format based on the probability algorithm.

Disclosure of Invention

The technical problem to be solved by the invention is to provide an industrial internet of things reverse analysis system, which can solve the problems of time consumption and low accuracy of manual reverse analysis of unknown internet of things protocol formats.

In order to solve the above problem, an embodiment of the present invention provides an industrial internet of things reverse analysis system, where the method includes the following steps:

s1: data collection: capturing communication data in a network as an original data source by accessing an industrial Internet of things, and filtering out the communication data between specific communication entities needing to be analyzed according to sub-packets of IP addresses, port numbers and the like to be used as an initial message sequence sample set for reverse analysis;

s2: data preprocessing: performing data cleaning on an industrial Internet of things protocol data set, dividing the data into a training set and a testing set, and labeling industrial Internet of things protocol data fields of the training set;

s3: constructing an RNN-LSTM neural network model: the input of the RNN-LSTM model is an industrial Internet of things protocol message sequence, and the output of the RNN-LSTM model is a protocol message field;

s4: RNN-LSTM model parameter training: inputting a training data set as an RNN-LSTM network model, and training the model; inputting the data of the test set into a trained RNN-LSTM network model for verification, calculating the prediction accuracy and finely adjusting parameters through the test set to improve the prediction precision;

s5: predicting the field of the industrial Internet of things protocol message: and taking the finally trained RNN-LSTM network structure model as an industrial Internet of things protocol message field prediction model to predict unknown industrial Internet of things protocol message fields.

For example, in the reverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the S2 data preprocessing specifically includes:

s21: processing the situations of packet loss, retransmission, disorder and the like in the industrial internet of things protocol message sequence; filtering messages without load; discarding the message with the checksum error; recombining the IP fragment message; for a TCP session, a complete session starts with a SYN message and ends with an FIN/RST message;

s22: and performing bottom-up decapsulation on the data packet according to a TCP/IP protocol format, and sequentially removing encapsulation of a data link layer, a network layer and a transmission layer to obtain a complete application layer message.

For example, in an industrial internet of things reverse analysis system provided by an embodiment of the present invention, the RNN-LSTM neural network model structure of S3 satisfies the following conditions:

input door i_t＝σ(W_i*h_t-1+U_i*x_t+b_i) Wherein, U_iRepresenting an input-output weight matrix, W_iRepresenting hidden layer-input gate weight matrix, b_iRepresenting the deviation of the input layer from the hidden layer, the activation function uses a sigmoid function of

Wherein h is_t-1Representing the output of the hidden layer at the previous moment, x_tAn input matrix representing time step t time;

output gate o_t＝σ(W_o*h_t-1+U_o*x_t+b_o)，U_oRepresenting an input-output gate weight matrix, W_oRepresenting hidden layer-input gate weight matrix, b_oRepresents the output gate offset, o_t∈(0，1)；

Forget door f_t＝σ(W_f*h_t-1+U_f*x_t+b_f)，U_fRepresenting an input-forgetting gate weight matrix, W_fRepresenting hidden layer-forgetting gate weight matrix, b_fIndicating a forgotten door deviation, f_t∈(0，1)；

Output memory information c_t＝i_t*tanh(W_c*h_t-1+U_c*x_t+b_c)+f_t*c_t-1，U_cRepresenting the input-memory cell weight matrix, W_cRepresenting a hidden layer-memory cell weight matrix, b_cRepresenting the deviation of the input layer to the memory cell;

for example, in the inverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the loss function of the RNN-LSTM neural network model in S3 is represented as:

wherein y is_iAnd y_jRespectively a real field value and a predicted field value of an industrial Internet of things protocol sequence, wherein n is the total length of a data sequence

For example, in the inverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the RNN-LSTM neural network model loss function in S3 is regularized, and the processed loss function is:

where λ is the regularization coefficient and W represents the value of the model structure weight parameter used.

For example, in the inverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the process of training the RNN-LSTM neural network model in S4 adopts Adam optimization algorithm to update the network weight and the deviation according to the gradient of the loss function.

For example, in the reverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the accuracy of predicting the unknown protocol message field of the industrial internet of things in S5 is determined by

It is shown that, among others,

f (k) represents the predicted industrial IOT protocol field and the actual inconsistent function when y_iAnd y_j1 at the same time, not 0 at the same time, y_iAnd y_jThe real field value and the predicted field value of the industrial internet of things protocol sequence are respectively, and N is the total length of the data sequence.

In order to solve the above problems, the present invention further provides an industrial internet of things reverse analysis system, including:

a data collection module: the system is used for collecting industrial Internet of things protocol data as an initial message sequence sample set;

a data preprocessing module: the method comprises the steps of cleaning an initial industrial Internet of things message sequence sample set;

LSTM model building module: the method is used for constructing an LSTM model structure to reversely analyze unknown industrial Internet of things protocol message fields;

a model parameter training module: parameters used for training the reverse analysis model are used for improving the accuracy of prediction;

a protocol message field prediction module: the method is used for predicting the unknown industrial internet of things protocol message field.

The invention has the beneficial effects that: compared with the method for manually analyzing the unknown Internet of things protocol format, the method is higher in efficiency and accuracy.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings of the embodiments will be briefly described below, and it is apparent that the drawings in the following description only relate to some embodiments of the present invention and are not limiting on the present invention.

Fig. 1 is a flowchart of an industrial internet of things reverse analysis system provided in an embodiment of the present invention;

FIG. 2 is a diagram illustrating the recognition effect of the present invention on unknown industrial IOT protocol fields;

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions of the embodiments of the present invention will be described below with reference to the drawings of the embodiments of the present invention, it is obvious that the described embodiments are some but not all embodiments of the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts based on the described embodiments of the present invention belong to the protection scope of the present invention.

According to the reverse analysis system for the industrial Internet of things, the LSTM neural network model is adopted to predict the unknown protocol format of the industrial Internet of things, and the efficiency and accuracy of analyzing the unknown protocol of the industrial Internet of things are improved.

As shown in fig. 1, an embodiment of the present invention provides an industrial internet of things reverse analysis system, which includes the following steps:

s1: data collection: capturing communication data in a network as an original data source by accessing an industrial Internet of things, and filtering out the communication data between specific communication entities needing to be analyzed according to sub-packets of IP addresses, port numbers and the like to be used as an initial message sequence sample set for reverse analysis;

s2: data preprocessing: performing data cleaning on an industrial Internet of things protocol data set, dividing the data into a training set and a testing set, and labeling industrial Internet of things protocol data fields of the training set; the method comprises the following specific steps:

s3: constructing an RNN-LSTM neural network model: the input of the RNN-LSTM model is an industrial Internet of things protocol message sequence, and the output of the RNN-LSTM model is a protocol message field. The method mainly comprises the following model formulas:

input door i_t＝σ(W_i*h_t-1+U_i*x_t+b_i) Wherein, U_iRepresenting an input-output weight matrix, W_iRepresenting hidden layer-input gate weight matrix, b_iRepresenting the deviation of the input layer from the hidden layer, the activation function uses a sigmoid function of

Wherein h is_t-1Representing the output of the hidden layer at the previous moment, x_tAn input matrix representing time step t time;

output gate o_t＝σ(W_o*h_t-1+U_o*x_t+b_o)，U_oRepresenting an input-output gate weight matrix, W_oRepresenting hidden layer-input gate weight matrix, b_oRepresents the output gate offset, o_t∈(0，1)；

Forget door f_t＝σ(W_f*h_t-1+U_f*x_t+b_f)，U_fRepresenting an input-forgetting gate weight matrix, W_fRepresenting hidden layer-forgetting gate weight matrix, b_fIndicating a forgotten door deviation, f_t∈(0，1)；

Output memory information c_t＝i_t*tanh(W_c*h_t-1+U_c*x_t+b_c)+f_t*c_t-1，U_cRepresenting the input-memory cell weight matrix, W_cRepresenting a hidden layer-memory cell weight matrix, b_cRepresenting the deviation of the input layer to the memory cell;

s4: RNN-LSTM model parameter training: inputting a training data set as an RNN-LSTM network model, and training the model; inputting the data of the test set into a trained RNN-LSTM network model for verification, calculating the prediction accuracy and finely adjusting parameters through the test set to improve the prediction precision;

s5: predicting the field of the industrial Internet of things protocol message: and taking the finally trained RNN-LSTM network structure model as an industrial Internet of things protocol message field prediction model to predict unknown industrial Internet of things protocol message fields.

For example, in the inverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the LSTM neural network model loss function is expressed as:

wherein y is_iAnd y_jThe real field value and the predicted field value of the industrial internet of things protocol sequence are respectively, n is the total length of the data sequence, and in order to solve the problem of model overfitting, a loss function L (W) needs to be regularized, and the regularized loss function is represented as:

where λ is the regularization coefficient, the initial default value λ is 0.9, and W represents the value of the model structure weight parameter used.

For example, in the industrial internet of things reverse analysis system provided by the embodiment of the present invention, the LSTM model is specifically constructed as follows: the model is divided into an input layer, an output layer and a hidden layer, the number of input neurons is set to be 1, the number of output neurons is set to be 1, the hidden layer is set to be 1 layer, 256 nodes are arranged, and a fully-connected network structure is established by input and output.

For example, in the inverse analysis system of the industrial internet of things provided by the embodiment of the present invention, the LSTM model parameter training specifically includes: updating the network weight and deviation according to the gradient of the loss function by adopting an Adam optimization algorithm, and mainly comprising the following algorithm formula:

m_t＝μ₁*m_t-1+(1-μ₁)*L(W_t-1)

n_t＝μ₂*n_t-1+(1-μ₂)*L(W_t-1)²

m_t ^*＝m_t/(1-μ₁ ^t)

n_t ^*＝n_t/(1-μ₂ ^t)

wherein L (W) is a loss function, μ₁And mu₂For decay index, μ is set by default₁＝0.9，μ₂0.999; η is a training step length, also called a learning rate, and is generally set to be 0.001 by default; e is 10^-8Is a constant; m is_tThe gradient index mean value is obtained through gradient first moment; n is_tThe square gradient is obtained through the second moment of the gradient; iteratively updating the LSTM neural network weight and deviation by continuously inputting training data to enable the loss function to gradually converge; thereby determining the LSTM network structure ultimately used for condition prediction.

For example, in the reverse analysis system for the industrial internet of things provided in the embodiment of the present invention, the LSTM model predicts the protocol message field of the industrial internet of things specifically as follows: inputting the test set into a trained LSTM model for verification, calculating the predicted accuracy Acc, and generating the accuracy Acc formula as follows:

wherein the content of the first and second substances,

f (k) represents the predicted industrial IOT protocol field and the actual inconsistent function when y_iAnd y_j1 at the same time, not 0 at the same time, y_iAnd y_jThe real field value and the predicted field value of the industrial internet of things protocol sequence are respectively, and N is the total length of the data sequence.

The recognition effect of the unknown industrial internet of things protocol field is explained by adopting the method. Firstly, four common industrial internet of things protocols are selected, wherein the four common industrial internet of things protocols comprise a Modbus protocol of a Schneider Programmable Logic Controller (PLC), an S7Comm protocol of a Siemens PLC, an IEC104 protocol of a power system and a Message Queue Telemetry Transport (MQTT) protocol; secondly, preprocessing a collected industrial Internet of things protocol sequence sample set to obtain application layer protocol data of the industrial Internet of things protocol sequence sample set; then, training LSTM model parameters; finally, inputting the industrial internet of things protocol sample sequence into the industrial internet of things reverse analysis system provided by the invention, so as to predict unknown industrial internet of things protocol message fields, wherein the protocol reverse analysis effect is shown in the attached figure 2: with the increase of the number of times of LSTM model training, the recognition rate of each protocol tends to be stable, wherein the final recognition rate of the Modbus protocol reaches 73%, the final recognition rate of the S7Comm protocol reaches 67%, the final recognition rate of the IEC104 reaches 65%, and the final recognition rate of the MQTT protocol reaches 66%. The experimental result shows that the LSTM neural network model is adopted to predict the unknown industrial Internet of things protocol format, and the method has higher efficiency and accuracy in analyzing the unknown industrial Internet of things protocol.

The invention provides an industrial Internet of things reverse analysis system, which comprises the following steps of firstly preprocessing an initial industrial Internet of things protocol message sequence sample set to obtain a complete application layer protocol; secondly, constructing an LSTM neural network model structure; then, inputting the training data set as an LSTM network model, and training model parameters; and finally, taking the finally trained LSTM network structure model as an industrial Internet of things protocol message field prediction model to predict unknown industrial Internet of things protocol message fields. In addition, the technology supports other types of industrial control protocols.

It will be apparent to those skilled in the art that modifications and improvements may be made to the embodiments of the invention without departing from the spirit of the invention, and it is intended that all such modifications and improvements be included within the scope of the invention as defined by the appended claims.

Claims (8)

1. An industry thing networking reverse analysis system, includes:

a data collection module: the system is used for collecting industrial Internet of things protocol data as an initial message sequence sample set;

a data preprocessing module: the method comprises the steps of cleaning an initial industrial Internet of things message sequence sample set;

LSTM model building module: the method is used for constructing an LSTM model structure to reversely analyze unknown industrial Internet of things protocol message fields;

a model parameter training module: parameters used for training the reverse analysis model are used for improving the accuracy of prediction;

a protocol message field prediction module: the method is used for predicting the unknown industrial internet of things protocol message field.

2. An industrial Internet of things reverse analysis method comprises the following steps:

s1: data collection: capturing communication data in a network as an original data source by accessing an industrial Internet of things, and filtering out the communication data between specific communication entities needing to be analyzed according to sub-packets of IP addresses, port numbers and the like to be used as an initial message sequence sample set for reverse analysis;

s2: data preprocessing: performing data cleaning on an industrial Internet of things protocol data set, dividing the data into a training set and a testing set, and labeling industrial Internet of things protocol data fields of the training set;

s3: constructing an RNN-LSTM neural network model: the input of the RNN-LSTM model is an industrial Internet of things protocol message sequence, and the output of the RNN-LSTM model is a protocol message field;

s4: RNN-LSTM model parameter training: inputting a training data set as an RNN-LSTM network model, and training the model; inputting the data of the test set into a trained RNN-LSTM network model for verification, calculating the prediction accuracy and finely adjusting parameters through the test set to improve the prediction precision;

s5: predicting the field of the industrial Internet of things protocol message: and taking the finally trained RNN-LSTM network structure model as an industrial Internet of things protocol message field prediction model to predict unknown industrial Internet of things protocol message fields.

3. The industrial internet of things reverse analysis method according to claim 2, wherein the step S2 specifically comprises:

s21: processing the situations of packet loss, retransmission, disorder and the like in the industrial internet of things protocol message sequence; filtering messages without load; discarding the message with the checksum error; recombining the IP fragment message; for a TCP session, a complete session starts with a SYN message and ends with an FIN/RST message;

s22: and performing bottom-up decapsulation on the data packet according to a TCP/IP protocol format, and sequentially removing encapsulation of a data link layer, a network layer and a transmission layer to obtain a complete application layer message.

4. The inverse analysis method of the industrial internet of things as claimed in claim 2, wherein the RNN-LSTM neural network model structure in step S3 satisfies the following requirements:

input door i_t＝σ(W_i*h_t-1+U_i*x_t+b_i) Wherein, U_iRepresenting an input-output weight matrix, W_iRepresenting hidden layer-input gate weight matrix, b_iRepresenting the deviation of the input layer from the hidden layer, the activation function uses a sigmoid function of

Wherein h is_t-1Representing the output of the hidden layer at the previous moment, x_tAn input matrix representing time step t time;

output gate o_t＝σ(W_o*h_t-1+U_o*x_t+b_o)，U_oRepresenting an input-output gate weight matrix, W_oRepresenting hidden layer-input gate weight matrix, b_oRepresents the output gate offset, o_t∈(0，1)；

Forget door f_t＝σ(W_f*h_t-1+U_f*x_t+b_f)，U_fRepresenting an input-forgetting gate weight matrix, W_fRepresenting hidden layer-forgetting gate weight matrix, b_fIndicating a forgotten door deviation, f_t∈(0，1)；

Output memory information c_t＝i_t*tanh(W_c*h_t-1+U_c*x_t+b_c)+f_t*c_t-1，U_cRepresenting the input-memory cell weight matrix, W_cRepresenting a hidden layer-memory cell weight matrix, b_cIndicating the deviation of the input layer to the memory cell.

5. The inverse analysis method of the internet of things of claim 4, wherein the loss function of the RNN-LSTM neural network model in the step S3 is expressed as:

wherein y is_iAnd y_jThe real field value and the predicted field value of the industrial internet of things protocol sequence are respectively, and n is the total length of the data sequence.

6. The reverse analysis method of the industrial internet of things according to claim 5, wherein the loss function is subjected to regularization, and the processed loss function is as follows:

where λ is the regularization coefficient and W represents the value of the model structure weight parameter used.

7. The inverse analysis method of the internet of things of claim 2, wherein the step S4 of training the RNN-LSTM neural network model adopts Adam optimization algorithm to update the network weight and the deviation according to the gradient of the loss function.

8. The reverse analysis method for industrial internet of things as claimed in claim 2, wherein the accuracy of predicting the unknown protocol field of the industrial internet of things in step S5 is determined by

It is shown that, among others,

f (k) represents the predicted industrial IOT protocol field and the actual inconsistent function when y_iAnd y_j1 at the same time, not 0 at the same time, y_iAnd y_jThe real field value and the predicted field value of the industrial internet of things protocol sequence are respectively, and N is the total length of the data sequence.

Images