CN112269336A - Abnormal control discovery method and device, electronic equipment and storage medium - Google Patents


Publication number
CN112269336A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011117031.7A
Other languages
Chinese (zh)
Other versions
CN112269336B (en)
Inventor
张家宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0428 Safety, monitoring
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24024 Safety, surveillance


Abstract

The application provides an abnormal control discovery method, an abnormal control discovery device, electronic equipment and a storage medium. First, data links between control devices are acquired and a corresponding data source is determined for them through a preset protocol; the data link characterizes the transmission state of the data source. A sparse state matrix is then determined according to the state sequence corresponding to the data source, and each subsequence is updated and iterated based on the sparse state matrix to obtain a state detection sequence. Finally, it is determined whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence; if not, the control system is determined to have abnormal control behavior. The data length of the data source does not need to be considered, and the state detection sequence corresponding to the data source is determined through continuous updating and iteration, so the amount of data processed and the memory space required are greatly reduced, the processing efficiency is effectively improved, the cost of discovering abnormal control in the control system is further reduced, and the method is highly realizable.

Description

Abnormal control discovery method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of control technologies, and in particular, to a method and an apparatus for discovering abnormal control, an electronic device, and a storage medium.
Background
In the technical field of industrial control systems, the control devices included in a control system complete corresponding control operations by executing corresponding control logic programs. For a given control operation, each control device usually corresponds to a fixed control state and control sequence.
In actual working conditions, the control devices complete corresponding control operations by exchanging a data source, so whether abnormal control behavior exists in the control system can be detected from the exchanged data source. However, since the exchanged data sources often have different data lengths, the prior art has some problems in detecting abnormal control behavior from data sources with different data lengths.
For example, in the prior art a Markov model is used to predict state transition data between control devices from a data source, so as to detect whether abnormal control occurs in the control system according to the predicted state transition data. In the process of predicting the state transition data, however, the memory space occupied by the Markov model grows at a polynomial level and the calculation time in the prediction process grows at an exponential level, and when the data sources have different data lengths, both the occupied memory space and the consumed calculation time grow at an exponential level. As a result, the amount of redundant data is large and a large memory space is needed, so the cost of detecting abnormal behavior is too high and the detection process is complex and variable.
Disclosure of Invention
The application provides an abnormal control discovery method, an abnormal control discovery device, electronic equipment and a storage medium, which are used for solving the technical problems of overhigh detection cost and complicated and variable detection process caused by large redundant data amount and long data calculation process when abnormal control behaviors of a control system are detected aiming at data sources with different data lengths in the prior art.
In a first aspect, the present application provides an abnormal control discovery method, applied to an industrial control system, where the control system includes a plurality of control devices; the method comprises the following steps:
acquiring data links among control devices, and determining a data source corresponding to the data links according to a preset protocol, wherein the data links are used for representing the transmission state of the data source;
determining a sparse state matrix according to the state sequence corresponding to the data source, and updating and iterating each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence;
and determining whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence, and if the determination result is negative, determining that the control system has abnormal control behavior.
In one possible design, the determining a sparse state matrix according to the state sequence corresponding to the data source includes:
determining a corresponding state identifier for each data packet in the data source, wherein the data packet is used for representing control state information corresponding to each control device, and the data packet and the state identifier have a unique corresponding relation;
determining the state sequence according to all the state identifications, and setting corresponding integer numerical values for each unique state identification to obtain an integer array corresponding to the state sequence;
and determining the sparse state matrix according to the number of different state identifications in the state sequence and the state sequence.
In one possible design, the determining the sparse state matrix according to the number of different state identifiers in the state sequence and the state sequence includes:
determining the identification number of the different state identifications in the state sequence, and determining the identification number as the dimensionality number of the sparse state matrix;
and determining each subsequence according to the state sequence, and acquiring the sequence number of each subsequence to determine the sequence number as a corresponding element in the sparse state matrix to obtain the sparse state matrix.
In one possible design, the performing update iteration on each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence includes:
determining confidence degrees of the subsequences according to the sparse state matrix, wherein the confidence degrees are used for representing the conversion probability of the control state information among the control devices;
if the confidence coefficient is lower than a preset confidence coefficient threshold value, generating a corresponding candidate detection sequence; if the confidence coefficient is not lower than the preset confidence coefficient threshold value, generating a corresponding increment detection sequence;
and updating and iterating the candidate detection sequence according to data sources in different data links acquired within a preset time period, determining the updated and iterated candidate detection sequence as the state detection sequence, and storing a detection array corresponding to the state detection sequence.
In a possible design, the performing update iteration on the candidate sequence according to data sources in different data links acquired within a preset time period includes:
acquiring the different data links in the preset time period, and determining data sources in the different data links according to the preset protocol;
determining a candidate state sequence according to the data sources in the different data links and the state identifier, and comparing the candidate state sequence with the candidate detection sequence;
if the candidate state sequence comprises the candidate detection sequence, segmenting the candidate state sequence, and determining the segmented candidate state sequence as the latest candidate detection sequence to obtain the updated and iterated candidate detection sequence;
if the candidate state sequence does not comprise the candidate detection sequence and is inconsistent with the candidate detection sequence, determining the candidate state sequence as the latest candidate detection sequence so as to obtain the updated and iterated candidate detection sequence;
and ending the updating iteration until all the data sources in the preset time period are compared.
In one possible design, the determining whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence includes:
determining a current state sequence according to the current data source and the state identifier;
determining a current integer array according to the current state sequence and the integer numerical value;
determining each sub-array according to the current integer array, and judging whether all detection arrays contain each sub-array;
and if the judgment result is negative, determining that the control system has the abnormal control behavior.
In one possible design, the determining, according to a preset protocol, a data source corresponding to the data link includes:
and determining the data source corresponding to the data link by reading one or more fields of the preset protocol, wherein the preset protocol comprises one of Modbus protocol, CIP protocol and DNP3 protocol.
In a second aspect, the present application provides an abnormal control discovery apparatus, including:
the first processing module is used for acquiring data links among the control devices and determining a data source corresponding to the data links according to a preset protocol, wherein the data links are used for representing the transmission state of the data source;
the second processing module is used for determining a sparse state matrix according to the state sequence corresponding to the data source, and updating and iterating each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence;
and the third processing module is used for determining whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence, and if the determination result is negative, the control system has abnormal control behaviors.
In one possible design, the second processing module includes:
a first determining unit, configured to determine a corresponding state identifier for each data packet in the data source, where the data packet is used to represent control state information corresponding to each control device, and the data packet and the state identifier have a unique corresponding relationship;
the second determining unit is used for determining the state sequence according to all the state identifiers and setting a corresponding integer numerical value for each unique state identifier so as to obtain an integer array corresponding to the state sequence;
a third determining unit, configured to determine the sparse state matrix according to the number of different state identifiers in the state sequence and the state sequence.
In a possible design, the third determining unit is specifically configured to:
determining the identification number of the different state identifications in the state sequence, and determining the identification number as the dimensionality number of the sparse state matrix;
and determining each subsequence according to the state sequence, and acquiring the sequence number of each subsequence to determine the sequence number as a corresponding element in the sparse state matrix to obtain the sparse state matrix.
In one possible design, the second processing module further includes:
a confidence determining module, configured to determine a confidence of each subsequence according to the sparse state matrix, where the confidence is used to characterize a conversion probability of the control state information between the control devices;
the candidate sequence determination module is used for generating a corresponding candidate detection sequence if the confidence coefficient is lower than a preset confidence coefficient threshold value; if the confidence coefficient is not lower than the preset confidence coefficient threshold value, generating a corresponding increment detection sequence;
and the updating module is used for updating and iterating the candidate detection sequence according to the data sources in different data links acquired within a preset time period, determining the candidate detection sequence after updating and iterating as the state detection sequence, and storing the detection array corresponding to the state detection sequence.
In one possible design, the update module is specifically configured to:
acquiring the different data links in the preset time period, and determining data sources in the different data links according to the preset protocol;
determining a candidate state sequence according to the data sources in the different data links and the state identifier, and comparing the candidate state sequence with the candidate detection sequence;
if the candidate state sequence comprises the candidate detection sequence, segmenting the candidate state sequence, and determining the segmented candidate state sequence as the latest candidate detection sequence to obtain the updated and iterated candidate detection sequence;
if the candidate state sequence does not comprise the candidate detection sequence and is inconsistent with the candidate detection sequence, determining the candidate state sequence as the latest candidate detection sequence so as to obtain the updated and iterated candidate detection sequence;
and ending the updating iteration until all the data sources in the preset time period are compared.
In one possible design, the third processing module is configured to:
determining a current state sequence according to the current data source and the state identifier;
determining a current integer array according to the current state sequence and the integer numerical value;
determining each sub-array according to the current integer array, and judging whether all detection arrays contain each sub-array;
and if the judgment result is negative, determining that the control system has the abnormal control behavior.
In one possible design, the first processing module is specifically configured to:
and determining the data source corresponding to the data link by reading one or more fields of the preset protocol, wherein the preset protocol comprises one of Modbus protocol, CIP protocol and DNP3 protocol.
In a third aspect, the present application provides an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of anomaly control discovery according to any one of the first aspect and the alternatives to the first aspect.
In a fourth aspect, the present application provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the abnormal control discovery method according to any one of the first aspect and the alternatives to the first aspect.
The application provides an abnormal control discovery method, an abnormal control discovery device, electronic equipment and a storage medium. The abnormal control discovery method is applied to an industrial control system, and the control system comprises a plurality of control devices. The method first obtains data links among the control devices and then determines a data source corresponding to the data links through a preset protocol, wherein the data links characterize the transmission state of the data source. A sparse state matrix is then determined according to a state sequence corresponding to the data source, and each subsequence in the state sequence is updated and iterated based on the sparse state matrix to obtain a state detection sequence, wherein the state sequence uniquely characterizes a transmission state. Finally, it is determined whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence; if not, the control system is determined to have abnormal control behavior. The data length of the data source does not need to be considered, and the state detection sequence corresponding to the data source is determined through continuous updating and iteration, so the amount of data generated in the process is small, the required memory space is extremely small, the processing efficiency is high, the cost of discovering abnormal control in the control system is effectively reduced, and the method is highly realizable.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
Fig. 2 is a schematic flowchart of an abnormal control discovery method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of determining a sparse state matrix according to an embodiment of the present disclosure;
Fig. 4 is a schematic flowchart of another abnormal control discovery method according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of another abnormal control discovery method according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of another abnormal control discovery method according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an abnormal control discovery apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another abnormal control discovery apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of another abnormal control discovery apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of methods and apparatus consistent with certain aspects of the present application, as detailed in the appended claims.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In an industrial control system, each control device generally has a corresponding fixed control state and control sequence; in other words, for a definite control operation, the control state content and the control flow sequence of each control device are fixed. The control devices complete corresponding control operations by interacting through a data source. Specifically, the data source comprises data packets representing the control states of the control devices, and for a control operation, the order of the data packets in the data source represents the control flow sequence between the control devices. It is therefore possible to detect whether abnormal control behavior exists in the control system from the data packets in the data source. Because the data lengths of data sources often differ, the prior art has some problems in detecting abnormal control behavior from data sources with different data lengths. For example, in the prior art a Markov model is used to predict state transition data between control devices from a data source in order to detect abnormal control behavior. In the process of predicting the state transition data, however, the memory space occupied by the Markov model grows at a polynomial level and the calculation time grows at an exponential level, and when the data lengths of the data sources differ, both the memory space occupied and the calculation time of the existing solution grow at an exponential level. This results in a large amount of redundant data and requires a large amount of memory space, which makes the cost of detecting abnormal control excessively high and the detection process complex and variable.
In view of the foregoing problems in the prior art, embodiments of the present application provide an abnormal control discovery method and apparatus, an electronic device, and a storage medium. In the abnormal control discovery method, after the data links among the control devices are obtained, the data sources corresponding to the data links are determined according to the preset protocol, the sparse state matrix is determined according to the state sequence corresponding to the data sources, and each subsequence in the state sequence is updated and iterated based on the sparse state matrix to obtain the state detection sequence, which is used for discovering abnormal control. The data link represents the transmission state of the data source, and the state sequence uniquely represents that transmission state, so in the process of determining the state detection sequence each data source can be replaced by its corresponding state sequence without regard to its data length. The state sequence is then updated and iterated to obtain the state detection sequence, so the amount of data to be processed and the memory space required in the process are greatly reduced, the processing efficiency is effectively improved, and the cost of discovering abnormal control in the control system is effectively reduced. In addition, no separate data processing channel needs to be set up for data sources with different data lengths; because the method works through updating, iteration and repeated use, the abnormal control discovery provided by the embodiment of the application is highly realizable.
An exemplary application scenario of the embodiments of the present application is described below.
The abnormal control discovery method provided by the embodiment of the application is applied to an industrial control system. The industrial control system comprises a plurality of control devices that cooperate to complete a corresponding control operation as a whole; the number of control devices can be set according to the specific content of the control operation, which is not limited in this embodiment. The control system can control each control device through configuration software and a controller: for example, the configuration software is responsible for generating a corresponding software program, and the controller is responsible for executing the software program to realize a control function. The abnormal control discovery method provided by the embodiment of the present application may be executed by the abnormal control discovery device provided by the embodiment of the present application, and the electronic device corresponding to that device may be a controller in a control system. Fig. 1 is a schematic view of an application scenario provided by an embodiment of the present application. As shown in Fig. 1, the abnormal control discovery method provided by the embodiment of the present application is applied to a control system 11, where the control system 11 includes a controller 12 and a plurality of control devices, and the control devices may communicate with each other through a network to cooperatively complete a control operation. The controller 12 executes the abnormal control discovery method provided by the embodiment of the present application to discover abnormal control in the control system 11. It should be noted that the embodiment of the present application does not limit the specific type of the controller 12 in the control system 11, which may be a server or a server cluster.
It should be noted that the above application scenarios are only exemplary, and the method, the apparatus, the electronic device, and the storage medium for discovering the abnormal control provided in the embodiments of the present application include, but are not limited to, the above application scenarios.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a schematic flowchart of an abnormal control discovery method provided in an embodiment of the present application, and as shown in fig. 2, the abnormal control discovery method provided in this embodiment includes:
S101: Acquire data links among the control devices, and determine a data source corresponding to the data links according to a preset protocol.
Wherein the data link is used for characterizing the transmission state of the data source.
For a complete set of control operations, each control device in the control system feeds back its control state to the controller through a data link, so that the controller knows whether the control flow in the control system is correct. Each data link is formed by a control device from the server IP, server port and client IP that correspond to the control device. When the control device is restarted, the client IP can change randomly, and in order to clearly represent the control state of the control device, the data link includes the client IP. After the data links between the control devices are acquired, the data source corresponding to each data link needs to be determined according to a preset protocol. The control devices interact through the data source when cooperatively completing a control operation, and the data link characterizes the transmission state of the data source, namely how each control device operates between its server and client when realizing its control function. Therefore, after a data link is acquired, it needs to be parsed according to the preset protocol to obtain the corresponding data source, which reflects the actual control situation of each control device.
For example, the data source corresponding to the data link may be determined by reading one or more fields of the preset protocol, wherein the preset protocol includes one of the Modbus protocol, the CIP protocol, and the DNP3 protocol. The control system selects the preset protocol according to its control functions, for example any one of the Modbus protocol, the CIP protocol, and the DNP3 protocol, which is not limited in this embodiment. That is, the data link is parsed by reading one or more fields of the corresponding preset protocol to obtain its corresponding data source.
S102: Determine a sparse state matrix according to the state sequence corresponding to the data source, and update and iterate each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence.
After the data source corresponding to the data link is determined, a sparse state matrix is first determined according to the state sequence corresponding to the data source. In the control system, each control device usually performs a fixed control function for a set of control operations, so to greatly reduce the amount of data handled during processing, a state sequence can be used to represent a data source: for data sources with different data lengths, only the length of the state sequence changes, and the data structure does not. The data source and the state sequence are also in one-to-one correspondence; in other words, the state sequence uniquely characterizes the transmission state of the data source. With the state sequence introduced, the sparse state matrix corresponding to the data source is determined according to the state sequence, which simplifies the data processing flow by counting. Each subsequence in the state sequence is then updated and iterated based on the sparse state matrix to obtain a state detection sequence for discovering abnormal control behavior. Using the state detection sequence to discover abnormal control behavior effectively improves the data processing efficiency.
S103: it is determined whether a current data source corresponding to a current data link between the control devices corresponds to the status detection sequence.
After the state detection sequence is determined, when the state detection sequence is determined according to the data source generated by the control operation completed by the control equipment and abnormal control does not exist, the normal control state information and the normal control flow sequence of each control equipment can be judged, so that whether abnormal control behaviors exist in the control system or not can be judged through the state detection sequence. Specifically, whether a current data source corresponding to a current data link between the control devices is consistent with the state detection sequence or not can be judged, if so, the control system control behavior is normal, abnormal control is not found, and if not, the control system has abnormal control behavior and abnormal control is found. In other words, it is determined whether the control system has an abnormal control behavior according to the determination result, and if the determination result is no, that is, the current data source does not match the state detection sequence, it indicates that the control system has an abnormal control behavior as shown in step S104. Conversely, if the determination result is yes, the current data source corresponds to the status detection sequence, and then as shown in step S105, it indicates that the control system is operating normally, and no abnormal control behavior is found.
S104: the control system has abnormal control behavior, i.e. abnormal control is found.
S105: the control system operates normally and no abnormal control behavior is found.
According to the abnormal control discovery method provided by the embodiment of the application, the data links among the control devices are first obtained, and the data sources corresponding to the data links are determined according to the preset protocol. A sparse state matrix is then determined according to the state sequence corresponding to the data source, and each subsequence in the state sequence is updated and iterated based on the sparse state matrix to obtain the state detection sequence. Finally, the state detection sequence is used to discover abnormal control: if the current data source corresponding to the current data link between the control devices does not conform to the state detection sequence, the control system has abnormal control behavior, that is, abnormal control is discovered; if it conforms, the control system operates normally and no abnormal control is found. The data link represents the transmission state of the data source, and the state sequence can uniquely represent that transmission state, so when determining the state detection sequence the data source is replaced by its corresponding state sequence regardless of its data length, and the state sequence is then updated and iterated to obtain the state detection sequence. The data volume to be processed and the memory space required are thereby greatly reduced, the processing efficiency is effectively improved, and the cost of discovering abnormal control in the control system is effectively reduced.
In addition, corresponding data processing channels do not need to be set for data sources with different data lengths; because the data structures are the same, the state detection sequence can be reused, so the abnormal control discovery provided by the embodiment of the application has high realizability.
In a possible design, a possible implementation manner of determining a sparse state matrix according to a state sequence corresponding to a data source in step S102 is shown in fig. 3, where fig. 3 is a schematic flow chart of determining a sparse state matrix provided in the embodiment of the present application, and as shown in fig. 3, the determining a sparse state matrix according to a state sequence corresponding to a data source in the abnormal control discovery method provided in the embodiment includes:
s201: a corresponding state identification is determined for each data packet in the data source.
The data packet is used for representing control state information corresponding to each control device, and the data packet and the state identifier have a unique corresponding relation.
For a set of control operations, each control device corresponds to its own data packet. Using network sniffing software, a controller in the control system can receive the data packets reported by all the control devices in control flow order, and the reported data packets form a data source. The order of the packets in the data source indicates the control flow order, so a data source can be uniquely characterized by a state sequence. The data packets in the data source represent the control state information corresponding to each control device; the specific content of the control state information is determined by the control operation and is not limited in this embodiment. A unique state identifier is assigned to each unique data packet, that is, data packets and state identifiers have a unique corresponding relation, so the state identifiers of all the data packets in one data source form a state sequence. Specifically, a state identifier is determined for each data packet in the data source: identical data packets receive the same state identifier, and different data packets receive different state identifiers. For example, if the state identifier of packet one is "A" and that of packet two, which differs from packet one, is "B", then packet three, which is the same as packet one, also has the state identifier "A".
S202: Determining a state sequence according to the state identifiers, and setting a corresponding integer value for each unique state identifier to obtain an integer array corresponding to the state sequence.
After a state identifier is determined for each data packet, the state identifiers of all the data packets in the data source form the state sequence, so the state sequence is determined according to the state identifiers. A determined state sequence may be, for example, "ABCBAACBBA", which replaces a data source with a data length of 10. If the data length of the data source changes, only the length of the state sequence changes; the data source can still be replaced by its corresponding state sequence, and the data structure does not change. Further, an integer value is set for each unique state identifier so that the controller can identify it, and a state sequence can thus be converted into a corresponding integer array for the controller to query and read. For example, "0" is set as the integer value for state identifier "A", "1" for state identifier "B", and "2" for state identifier "C", so the integer array corresponding to the state sequence "ABCBAACBBA" is "0, 1, 2, 1, 0, 0, 2, 1, 1, 0". The data source is thereby converted into an integer array for the controller to process.
S203: Determining a sparse state matrix according to the number of different state identifiers in the state sequence and the state sequence.
The sparse state matrix represents the transitions between state identifiers by counting them; within a state sequence, the transitions between state identifiers reflect the control flow order. The sparse state matrix is an N × N square matrix, and each state sequence determines its uniquely corresponding sparse state matrix according to the number of different state identifiers.
For example, the number of different state identifiers in the state sequence is determined and used as the dimension of the sparse state matrix. Assuming the state sequence is "ABCBAACBBA", the different state identifiers are "A", "B" and "C", so the number of identifiers is 3; the sparse state matrix is therefore a 3 × 3 square matrix of dimension 3, with rows A, B and C and columns A, B and C. Each subsequence is then determined from the state sequence, the number of occurrences of each subsequence is counted, and that count is taken as the corresponding element of the sparse state matrix. The element in row A, column A is the number of subsequences "AA" in the state sequence, i.e. 1, and so on for each element of the 3 × 3 square matrix, which gives the sparse state matrix shown in the following matrix example:
     A    B    C
A    1    1    1
B    2    1    1
C    -    2    -
From the sparse state matrix, it is directly known which subsequences occur in the state sequence and how many times each occurs.
In the method for discovering abnormal control provided by this embodiment, when a sparse state matrix is determined according to a state sequence corresponding to a data source, a corresponding state identifier is first determined for each data packet in the data source, then the state sequence is determined according to the state identifier, so as to convert the data source into the state sequence for representation, and further, a corresponding integer value is set for each unique state identifier, so as to represent the state sequence by an integer array. And finally, determining a sparse state matrix according to the number of different state identifications in the state sequence and the state sequence. Therefore, the state sequence is introduced, the sparse state matrix is used for representing the transmission state of the control equipment represented by the data source, the data volume is greatly reduced, and different data lengths of the data source do not need to be considered due to the fact that the data structure is the same and can be repeatedly used.
After the sparse state matrix is determined, further, each subsequence in the state sequence is updated and iterated based on the sparse state matrix to obtain a state detection sequence. In a possible design, one possible implementation manner of obtaining the state detection sequence in step S102 is shown in fig. 4, where fig. 4 is a schematic flow chart of another abnormal control discovery method provided in the embodiment of the present application, and as shown in fig. 4, the obtaining of the state detection sequence in the abnormal control discovery method provided in the embodiment includes:
S301: Determining the confidence of each subsequence according to the sparse state matrix.
Wherein the confidence is used for representing the conversion probability of the control state information between the control devices.
After the sparse state matrix is determined, determining the confidence coefficient of each subsequence included in the state sequence according to the sparse state matrix in sequence, wherein the confidence coefficient is calculated by the following formula:
Figure BDA0002730671720000131
taking the sub-sequence "AB" in the state sequence in the above embodiment as an example, where "i" is "a" and "j" is "B", it can be derived from the corresponding sparse state matrix, i.e. matrix example, that the total number of state transitions starting from "a" is 3, and the number of state transitions from "a" to "B" is 1, and the confidence of the sub-sequence "AB" is 1/3, or 33%. Accordingly, the confidence of each subsequence in the state sequence can be determined from the sparse state matrix. The confidence coefficient can predict the conversion probability of the previous state identifier in the subsequence to the next state identifier, for example, the subsequence "AB", with a confidence coefficient of 33%, that is, when the state identifier corresponding to the control state information of the control device is "a", the confidence coefficient can predict the probability of the state identifier corresponding to the next control state information being "B" as 33%. Thus, the transition probability of the state identification can be predicted by the existence of the confidence.
S302: if the confidence coefficient is lower than a preset confidence coefficient threshold value, generating a corresponding candidate detection sequence; and if the confidence coefficient is not lower than the preset confidence coefficient threshold value, generating a corresponding incremental detection sequence.
For a state sequence, after the confidence of each subsequence is obtained, it is compared with a preset confidence threshold to screen the subsequences. Specifically, the subsequences in the state sequence are traversed: when the confidence of a subsequence is lower than the preset confidence threshold, the subsequence is determined as a candidate detection sequence, that is, the corresponding candidate detection sequence is generated from it, and otherwise the traversal continues. A subsequence whose confidence is not lower than the preset confidence threshold is directly determined as an incremental detection sequence, that is, the corresponding incremental detection sequence is generated.
The specific value corresponding to the preset confidence level may be set according to a corresponding control function and a control flow sequence in the control system, which is not limited in the embodiments of the present application. Since the data lengths of the data sources may be different, that is, the lengths of the state sequences may be different, and the confidence of each sub-sequence depends on the corresponding state sequence, a higher preset confidence threshold is favorable for obtaining a candidate detection sequence with a shorter length, and a lower preset confidence threshold is favorable for obtaining an incremental detection sequence.
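Steps S201 to S203 and S301 to S302 can be carried through on the page's own state sequence "ABCBAACBBA". The following Python sketch is an added example, not code from the patent; the packet payloads are constructed, the function names are hypothetical, and the threshold of 0.5 is an assumed value, since the patent leaves the threshold open.

```python
from collections import Counter

# Constructed Modbus-style request PDUs standing in for three distinct packets.
PAYLOAD = {
    "A": bytes.fromhex("0300000001"),   # read holding register
    "B": bytes.fromhex("06000100ff"),   # write single register
    "C": bytes.fromhex("050002ff00"),   # write single coil
}
# The page's example state sequence, expressed as the packets a sniffer would capture.
CAPTURE = [PAYLOAD[s] for s in "ABCBAACBBA"]


def assign_state_ids(packets):
    """S201/S202: identical packets share one state identifier, stored as an integer."""
    ids, sequence = {}, []
    for pkt in packets:
        if pkt not in ids:
            ids[pkt] = len(ids)          # first new packet -> 0, next -> 1, ...
        sequence.append(ids[pkt])
    return ids, sequence


def sparse_state_matrix(int_seq):
    """S203: count each adjacent transition (i, j); pairs that never occur are not stored."""
    return Counter(zip(int_seq, int_seq[1:]))


def confidences(matrix):
    """S301: count(i -> j) divided by the total number of transitions that start from i."""
    row_totals = Counter()
    for (i, _), n in matrix.items():
        row_totals[i] += n
    return {(i, j): n / row_totals[i] for (i, j), n in matrix.items()}


def split_by_threshold(conf, threshold):
    """S302: below the threshold -> candidate, otherwise -> incremental."""
    candidate = sorted(p for p, c in conf.items() if c < threshold)
    incremental = sorted(p for p, c in conf.items() if c >= threshold)
    return candidate, incremental


def learn(packets, threshold):
    """Run S201-S302 over one captured data source."""
    ids, seq = assign_state_ids(packets)
    matrix = sparse_state_matrix(seq)
    conf = confidences(matrix)
    candidate, incremental = split_by_threshold(conf, threshold)
    return {"ids": ids, "sequence": seq, "matrix": matrix,
            "confidence": conf, "candidate": candidate, "incremental": incremental}


if __name__ == "__main__":
    result = learn(CAPTURE, threshold=0.5)   # 0.5 is an assumed threshold
    print("integer array:", result["sequence"])
    for pair, count in sorted(result["matrix"].items()):
        print(pair, "count", count, "confidence", round(result["confidence"][pair], 2))
    print("candidate:", result["candidate"])
    print("incremental:", result["incremental"])
```

Only the seven transitions that actually occur are stored, which is what keeps the matrix sparse as the number of state identifiers grows.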
S303: Updating and iterating the candidate detection sequence according to data sources in different data links acquired within a preset time period, determining the candidate detection sequence after updating and iterating and the incremental detection sequence as a state detection sequence, and storing a detection array corresponding to the state detection sequence.
After the candidate detection sequence is obtained, updating iteration is carried out on the candidate detection sequence, the candidate detection sequence after updating iteration and the incremental detection sequence are determined as a state detection sequence, then a detection array corresponding to the state detection sequence is obtained according to an integer value corresponding to the state identification, and the detection array is stored in a sequence library for the controller to inquire judgment for abnormal control discovery.
The updating iteration of the candidate detection sequences is carried out according to data sources in different data links acquired within a preset time period so as to enrich the detection arrays corresponding to the state detection sequences in the sequence library. It can be understood that the duration corresponding to the preset time period may be set according to the control function of the control system and related conditions, which is not limited in the embodiment of the present application.
In a possible design, a possible implementation manner of performing update iteration on the candidate detection sequence in step S303 is shown in fig. 5, where fig. 5 is a schematic flowchart of another abnormal control discovery method provided in the embodiment of the present application, and as shown in fig. 5, performing update iteration on the candidate detection sequence in the abnormal control discovery method provided in the embodiment includes:
S401: Acquiring different data links in a preset time period, and determining data sources in the different data links according to a preset protocol.
Firstly, a preset time period is determined, and then different data links in the preset time period are obtained, wherein the purpose of obtaining the different data links is to enrich a subsequent state detection sequence to be determined. Acquiring different data links may be understood as acquiring a plurality of data links that are not completely identical within a preset time period, but acquiring different data links with the same data structure. After the different data links are obtained, in a manner similar to that in step S101, the data sources in the different data links are determined by using the preset protocol to obtain various different data sources, and specific implementation processes and principles are not described herein again.
S402: Determining a candidate state sequence according to the data sources and the state identifiers in different data links, and comparing the candidate state sequence with the candidate detection sequence.
After the data sources in different data links are acquired, the state sequence corresponding to the data sources in different data links is determined by using the state identifier determined by the data packet in the embodiment, each subsequence in the state sequence is determined, and each determined subsequence is determined to be a candidate state sequence corresponding to different data sources. It can be understood that, if the state identifier cannot satisfy the data packets in the different data sources, a new state identifier may be added to determine the state sequences corresponding to the data sources, so as to obtain candidate state sequences.
After the candidate state sequence is obtained, it is compared with the candidate detection sequence to determine whether the two are consistent, or whether one includes the other. For example, if the candidate state sequence is "ABC" and the candidate detection sequence is "AB", the candidate state sequence includes the candidate detection sequence. If the candidate state sequence includes the candidate detection sequence, step S403 is performed; if the candidate state sequence does not include the candidate detection sequence and is not consistent with it, step S404 is performed.
S403: If the candidate state sequence includes the candidate detection sequence, segmenting the candidate state sequence, and determining the segmented candidate state sequence as the latest candidate detection sequence so as to obtain the updated and iterated candidate detection sequence.
And if the candidate state sequence comprises the candidate detection sequence, segmenting the candidate state sequence, replacing the previous candidate state sequence with the segmented candidate state sequence, determining the segmented candidate state sequence as the latest candidate detection sequence, and obtaining the updated and iterated candidate detection sequence.
For example, if the candidate state sequence is "ABCD" and the candidate detection sequence is "ABC", it indicates that the candidate state sequence includes the candidate detection sequence, the candidate state sequence "ABCD" is divided into "ABC" and "CD", and "ABC" and "CD" are determined as the latest candidate detection sequence, so that the candidate detection sequence "ABC" is updated and iterated to "ABC" and "CD".
S404: If the candidate state sequence does not include the candidate detection sequence and is inconsistent with the candidate detection sequence, determining the candidate state sequence as the latest candidate detection sequence to obtain the updated and iterated candidate detection sequence.
For example, if the candidate state sequence is "ABC" and the candidate detection sequence is "CE", it indicates that the candidate state sequence does not include the candidate detection sequence, and the candidate state sequence is inconsistent with the candidate detection sequence, the candidate state sequence "ABC" is determined as the latest candidate detection sequence, and the candidate detection sequence is updated from "CE" to "ABC" and "CE", so as to obtain the updated and iterated candidate detection sequence.
It is to be understood that when the candidate state sequence is identical to the candidate detection sequence, no update iteration is performed on the candidate detection sequence.
And ending the updating iteration until all the data sources in the preset time period finish the comparison processing of the candidate state sequence and the candidate detection sequence, determining the candidate detection sequence and the incremental detection sequence after the updating iteration as the state detection sequence, and storing the detection array corresponding to the determined state detection sequence into a sequence library.
In the method for discovering abnormal control provided by this embodiment, the confidence of each subsequence is determined according to the sparse state matrix; for a subsequence whose confidence is lower than the preset confidence threshold, a corresponding candidate detection sequence is generated, and for a subsequence whose confidence is not lower than the preset confidence threshold, a corresponding incremental detection sequence is generated. The candidate detection sequence is then updated and iterated according to the data sources in different data links acquired within a preset time period, and the updated and iterated candidate detection sequence and the incremental detection sequence are determined as the state detection sequence. The update iteration compares the candidate state sequence determined from the different data sources with the candidate detection sequence; the candidate detection sequence after update iteration and the incremental detection sequence are determined as the state detection sequence, and the detection array corresponding to the state detection sequence is stored in a sequence library for the controller to query when determining abnormal control. In the update iteration, the candidate state sequence and the candidate detection sequence have the same data structure, so the update iteration requires only comparison, and the data volume to be processed is greatly reduced.
And for the data source which has finished updating iteration, the data source can be deleted without occupying memory space, and although the data amount of the data source is different, the memory space does not need to be expanded, so that the memory space required in the data processing process is reduced, the processing efficiency is improved, and the cost for discovering abnormal control in the control system is effectively reduced.
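The three outcomes of the comparison in S402 to S404 (identical, included, neither) can be written as one update function. This is an added Python sketch, not code from the patent; the function names are hypothetical, state identifiers are single characters as in the page's examples, and the segmentation rule is an assumption generalized from the single case the page gives ("ABCD" with "ABC" yields "ABC" and "CD"), keeping the boundary state in both pieces so the transition across the cut is preserved.

```python
def segment(state_seq, det):
    """Split state_seq around the first occurrence of det.

    The boundary state is kept in both neighbouring pieces, matching the page's
    example: segment("ABCD", "ABC") -> ["ABC", "CD"].
    Handling of a remainder before the match is an assumption of this sketch.
    """
    start = state_seq.find(det)
    if start < 0:
        raise ValueError("det is not contained in state_seq")
    end = start + len(det)
    pieces = []
    if start > 0:
        pieces.append(state_seq[:start + 1])   # leading remainder, shares one state
    pieces.append(det)
    if end < len(state_seq):
        pieces.append(state_seq[end - 1:])     # trailing remainder, shares one state
    return pieces


def update_candidates(candidates, state_seq):
    """One S402-S404 comparison; returns the new list of candidate detection sequences."""
    if state_seq in candidates:
        return list(candidates)                 # identical: no update iteration
    contained = [d for d in candidates if d in state_seq]
    if contained:                               # S403: state sequence includes a candidate
        new = segment(state_seq, max(contained, key=len))
    else:                                       # S404: neither included nor identical
        new = [state_seq]
    updated = list(candidates)
    for seq in new:
        if seq not in updated:
            updated.append(seq)
    return updated


def update_over_window(candidates, observed):
    """S401-S404 over every candidate state sequence seen in the preset time period."""
    for state_seq in observed:
        candidates = update_candidates(candidates, state_seq)
    return candidates


if __name__ == "__main__":
    print(update_candidates(["ABC"], "ABCD"))   # S403 example from the page
    print(update_candidates(["CE"], "ABC"))     # S404 example from the page
    print(update_over_window(["ABC", "CE"], ["ABCD", "ABC", "BD"]))
```

Each observed sequence is only compared and then discarded, so memory use depends on the number of stored candidate sequences rather than on the volume of captured traffic.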
After the state detection sequence is determined, the state detection sequence is used for abnormal control discovery of the control system. In one possible design, a possible implementation of determining whether the current data source corresponding to the current data link between the control devices in step S103 corresponds to a status detection sequence is shown in fig. 6. Fig. 6 is a schematic flowchart of a further abnormal control discovery method provided in an embodiment of the present application, and as shown in fig. 6, the embodiment includes:
S501: determining a current state sequence according to a current data source and a state identifier;
S502: determining a current integer array according to the current state sequence and the integer numerical value;
S503: determining each sub-array according to the current integer array, and judging whether all detection arrays contain each sub-array;
S504: if the judgment result is negative, determining that the control system has abnormal control behaviors;
S505: if the judgment result is yes, the control system is determined to operate normally, and no abnormal control behavior is found.
The implementation manner of determining the current state sequence and the current integer array in steps S501 and S502 is similar to the manner of determining the state sequence and the integer array corresponding to the state sequence in the above embodiment, and is not described herein again.
After determining the current integer array corresponding to the current data source, further determining each sub-array according to the current integer array. Determining the sub-array may be understood as determining an integer array corresponding to each sub-sequence in the current state sequence. After each sub-array in the current integer array is obtained, whether each sub-array is contained in all the detection arrays is judged, and whether abnormal control exists is determined according to the judgment result. If the judgment result is yes, namely the data source is contained, the current data source is consistent with the state detection sequence, and then the control system is determined to operate normally without finding abnormal control. On the contrary, if the judgment result is negative, that is, all the detection arrays do not contain each sub-array, it indicates that the current data source does not accord with the state detection sequence, and further determines that the control system has an abnormal control behavior, and finds abnormal control.
Further, after the abnormal control is found, an alarm prompt can be generated to represent that the abnormal control currently exists in the control system.
In the method for discovering abnormal control provided by this embodiment, when determining whether a current data source corresponding to a current data link between control devices conforms to a state detection sequence, a current state sequence is determined according to the current data source and the state identifiers, a current integer array is determined according to the current state sequence and the integer values, each sub-array is determined according to the current integer array, and it is judged whether each sub-array is included in the detection arrays. If so, no abnormal control is found; if not, it is determined that abnormal control behavior exists in the control system. Abnormal control discovery of the control system is thus realized based on the state detection sequence. With the state detection sequence, the data volume to be processed and the memory space required are greatly reduced, the processing efficiency is effectively improved, and the cost of discovering abnormal control in the control system is effectively reduced. In addition, corresponding data processing channels do not need to be set for data sources with different data lengths; because the data structures are the same, the state detection sequence can be reused, so the abnormal control discovery provided by the embodiment of the application has high realizability.
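The check in S501 to S505 can be run against a stored sequence library as follows. This is an added Python sketch, not code from the patent; the payloads, the detection arrays and the function names are constructed for illustration, and it assumes each sub-array is an adjacent pair, matching subsequences such as "AB" used for the sparse state matrix. A packet with no state identifier is reported as well, since it cannot be mapped to any integer value.

```python
# Constructed state identifiers (packet payload -> integer value) learned earlier.
STATE_IDS = {
    bytes.fromhex("0300000001"): 0,   # "A"
    bytes.fromhex("06000100ff"): 1,   # "B"
    bytes.fromhex("050002ff00"): 2,   # "C"
}
A, B, C = STATE_IDS                   # the three known payloads, in insertion order

# Constructed sequence library: detection arrays for "ABC", "CBA" and "AA".
DETECTION_ARRAYS = [[0, 1, 2], [2, 1, 0], [0, 0]]


def contains(array, sub):
    """True if sub occurs as a contiguous run inside array."""
    n = len(sub)
    return any(array[k:k + n] == sub for k in range(len(array) - n + 1))


def check(packets, state_ids, detection_arrays):
    """S501-S505: return a list of findings; an empty list means normal operation."""
    current = [state_ids.get(p) for p in packets]        # S501/S502, None = unknown
    findings = []
    for k, value in enumerate(current):
        if value is None:
            findings.append((k, "unknown packet"))
    for k, pair in enumerate(zip(current, current[1:])):  # S503: adjacent sub-arrays
        if None in pair:
            continue                                      # already reported above
        if not any(contains(d, list(pair)) for d in detection_arrays):
            findings.append((k, "unseen transition %d->%d" % pair))
    return findings


def is_abnormal(packets, state_ids=STATE_IDS, detection_arrays=DETECTION_ARRAYS):
    """S504/S505: abnormal control is found when any sub-array is not covered."""
    return bool(check(packets, state_ids, detection_arrays))


if __name__ == "__main__":
    normal = [A, B, C, B, A]                              # every step is in the library
    skipped = [A, C, B]                                   # A -> C was never observed
    injected = [A, bytes.fromhex("0f0000000801ff")]       # payload with no identifier
    for name, capture in (("normal", normal), ("skipped", skipped), ("injected", injected)):
        print(name, check(capture, STATE_IDS, DETECTION_ARRAYS))
```

The position returned with each finding gives the alarm prompt described above a concrete packet index to report.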
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 7 is a schematic structural diagram of an abnormal control discovery apparatus according to an embodiment of the present application, and as shown in fig. 7, an abnormal control discovery apparatus 600 according to the present embodiment includes:
the first processing module 601 is configured to obtain data links between the control devices, and determine a data source corresponding to the data link according to a preset protocol, where the data link is used to represent a transmission state of the data source;
a second processing module 602, configured to determine a sparse state matrix according to a state sequence corresponding to a data source, and update and iterate each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence;
the third processing module 603 is configured to determine whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence, and if the determination result is negative, the control system has an abnormal control behavior.
In one possible design, the first processing module 601 is specifically configured to:
and determining a data source corresponding to the data link by reading one or more fields of a preset protocol, wherein the preset protocol comprises one of a Modbus protocol, a CIP protocol and a DNP3 protocol.
Fig. 8 is a schematic structural diagram of another abnormal control discovery apparatus according to an embodiment of the present application, and as shown in fig. 8, a second processing module 602 of the abnormal control discovery apparatus 600 according to the present embodiment includes:
a first determining unit 6021, configured to determine a corresponding state identifier for each data packet in the data source, where the data packet is used to represent control state information corresponding to each control device, and the data packet and the state identifier have a unique corresponding relationship;
a second determining unit 6022, configured to determine a state sequence according to the state identifier, and set a corresponding integer numerical value for each unique state identifier, so as to obtain an integer array corresponding to the state sequence;
a third determining unit 6023 configured to determine a sparse state matrix according to the number of different state identifiers in the state sequence and the state sequence.
In one possible design, the third determining unit 6023 is specifically configured to:
determining the identification number of different state identifications in the state sequence, and determining the identification number as the dimensionality number of the sparse state matrix;
and determining each subsequence according to the state sequence, and acquiring the sequence number of each subsequence to determine the sequence number as corresponding elements in the sparse state matrix to obtain the sparse state matrix.
Fig. 9 is a schematic structural diagram of another abnormal control discovery apparatus according to an embodiment of the present application, and as shown in fig. 9, the second processing module 602 of the abnormal control discovery apparatus 600 according to the present embodiment further includes:
a confidence determining unit 6024, configured to determine the confidence of each subsequence according to the sparse state matrix, where the confidence represents the transition probability of the control state information among the control devices;
a candidate sequence determination unit 6025, configured to generate a corresponding candidate detection sequence if the confidence is lower than a preset confidence threshold, and to generate a corresponding increment detection sequence if the confidence is not lower than the preset confidence threshold;
the updating unit 6026 is configured to update and iterate the candidate detection sequence according to the data sources in the different data links acquired within the preset time period, determine the candidate detection sequence after update and iteration as a state detection sequence, and store the detection array corresponding to the state detection sequence.
In one possible design, the update unit 6026 is specifically configured to:
acquiring different data links in a preset time period, and determining data sources in the different data links according to a preset protocol;
determining a candidate state sequence according to data sources and state identifications in different data links, and comparing the candidate state sequence with a candidate detection sequence;
if the candidate state sequence comprises the candidate detection sequence, segmenting the candidate state sequence, and determining the segmented candidate state sequence as the latest candidate detection sequence so as to obtain an updated and iterated candidate detection sequence;
if the candidate state sequence does not comprise the candidate detection sequence and is inconsistent with the candidate detection sequence, determining the candidate state sequence as the latest candidate detection sequence to obtain the updated and iterated candidate detection sequence;
and finishing the updating iteration until all the data sources in the preset time period are compared.
In one possible design, the third processing module 603 is specifically configured to:
determining a current state sequence according to a current data source and a state identifier;
determining a current integer array according to the current state sequence and the integer numerical value;
determining each sub-array according to the current integer array, and judging whether all detection arrays contain each sub-array;
if the judgment result is negative, determining that the control system has abnormal control behaviors;
if the judgment result is yes, the control system is determined to operate normally, and no abnormal control behavior is found.
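The processing chain of modules 601 to 603 can be sketched as follows. This is an added illustration, not code from the application: it assumes the state identifier is built from the Modbus unit id, function code and start address, treats a low-confidence transition simply as the boundary between two detection arrays (the candidate update iteration over a time period is left out), and the names `StateModel`, `threshold` and `window` are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample traffic: (unit_id, function_code, start_address) tuples as they
# would be read from Modbus requests. Using these three fields as the state
# identifier is an assumption of this example.
POLL_CYCLE = [(1, 3, 0), (1, 3, 10), (1, 6, 20), (2, 3, 0)]
TRAINING = POLL_CYCLE * 25 + [(1, 3, 0), (2, 3, 0)]  # one rare transition at the end


def contains(array, sub):
    """True if `sub` occurs as a contiguous run inside `array`."""
    n = len(sub)
    return any(array[i:i + n] == sub for i in range(len(array) - n + 1))


class StateModel:
    def __init__(self, threshold=0.5, window=3):
        self.ids = {}                        # state identifier -> integer value
        self.matrix = defaultdict(Counter)   # sparse matrix: only seen transitions stored
        self.threshold = threshold           # hypothetical confidence threshold
        self.window = window                 # hypothetical sub-array length
        self.detection_arrays = []

    def encode(self, packets, learn=False):
        """Map packets to the integer array; unseen identifiers become -1."""
        if learn:
            for p in packets:
                self.ids.setdefault(p, len(self.ids))
        return [self.ids.get(p, -1) for p in packets]

    def confidence(self, a, b):
        """Transition probability a -> b estimated from the matrix row counts."""
        row = self.matrix.get(a)
        return row[b] / sum(row.values()) if row else 0.0

    def fit(self, packets):
        seq = self.encode(packets, learn=True)
        for a, b in zip(seq, seq[1:]):
            self.matrix[a][b] += 1           # element = number of times a -> b was seen
        current = seq[:1]
        for a, b in zip(seq, seq[1:]):
            if self.confidence(a, b) >= self.threshold:
                current.append(b)            # extend the current detection sequence
            else:
                self._store(current)         # low confidence: close it, start a new one
                current = [b]
        self._store(current)

    def _store(self, array):
        if array and array not in self.detection_arrays:
            self.detection_arrays.append(array)

    def is_abnormal(self, packets):
        """Abnormal if any sub-array of the current traffic is in no detection array."""
        cur = self.encode(packets)
        w = min(self.window, len(cur))
        subs = [cur[i:i + w] for i in range(len(cur) - w + 1)]
        return not all(any(contains(d, s) for d in self.detection_arrays) for s in subs)


model = StateModel()
model.fit(TRAINING)
```

With the constructed traffic, a replay of the normal polling cycle passes, while a write that skips the preceding read, a function code never seen in training, or the rarely observed transition is reported as abnormal.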
The above device embodiments provided in the present application are merely illustrative, and the module division is only one logic function division, and there may be another division manner in actual implementation. For example, multiple modules may be combined or may be integrated into another system. The coupling of the various modules to each other may be through interfaces that are typically electrical communication interfaces, but mechanical or other forms of interfaces are not excluded. Thus, modules described as separate components may or may not be physically separate, may be located in one place, or may be distributed in different locations on the same or different devices.
It should be noted that the abnormal control discovery apparatus provided in the above embodiment may be used to execute the corresponding steps of the abnormal control discovery method provided in the above embodiment; its specific implementation, principle and technical effect are similar to those of the foregoing method embodiment and are not described here again.
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 10, an electronic device 700 according to the embodiment includes:
at least one processor 701; and
a memory 702 communicatively coupled to the at least one processor 701; wherein
the memory 702 stores instructions executable by the at least one processor 701, and the instructions are executed by the at least one processor 701, so that the at least one processor 701 can execute the steps of the abnormal control discovery method in the foregoing method embodiment, which may be referred to in detail in the foregoing description of the method embodiment.
Optionally, the memory 702 may be separate from or integrated with the processor 701.
When the memory 702 is a separate device from the processor 701, the electronic device 700 may further include:
a bus 703, configured to connect the processor 701 and the memory 702.
Further, embodiments of the present application also provide a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the steps of the abnormal control discovery method in the above embodiments. For example, the readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. An abnormal control discovery method is applied to an industrial control system, wherein the control system comprises a plurality of control devices; the method comprises the following steps:
acquiring data links among control devices, and determining a data source corresponding to the data links according to a preset protocol, wherein the data links are used for representing the transmission state of the data source;
determining a sparse state matrix according to the state sequence corresponding to the data source, and updating and iterating each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence;
and determining whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence, and if the determination result is negative, determining that the control system has abnormal control behavior.
2. The abnormal control discovery method according to claim 1, wherein said determining a sparse state matrix according to the state sequence corresponding to the data source comprises:
determining a corresponding state identifier for each data packet in the data source, wherein the data packet is used for representing control state information corresponding to each control device, and the data packet and the state identifier have a unique corresponding relation;
determining the state sequence according to all the state identifications, and setting corresponding integer numerical values for each unique state identification to obtain an integer array corresponding to the state sequence;
and determining the sparse state matrix according to the number of different state identifications in the state sequence and the state sequence.
3. The abnormal control discovery method of claim 2, wherein said determining said sparse state matrix from said state sequence and the number of different state identifiers in said state sequence comprises:
determining the identification number of the different state identifications in the state sequence, and determining the identification number as the dimensionality number of the sparse state matrix;
and determining each subsequence according to the state sequence, and acquiring the sequence number of each subsequence to determine the sequence number as a corresponding element in the sparse state matrix to obtain the sparse state matrix.
4. The abnormal control discovery method according to claim 3, wherein said updating each subsequence in said state sequence based on said sparse state matrix to obtain a state detection sequence comprises:
determining confidence degrees of the subsequences according to the sparse state matrix, wherein the confidence degrees are used for representing the conversion probability of the control state information among the control devices;
if the confidence coefficient is lower than a preset confidence coefficient threshold value, generating a corresponding candidate detection sequence; if the confidence coefficient is not lower than the preset confidence coefficient threshold value, generating a corresponding increment detection sequence;
and updating and iterating the candidate detection sequence according to data sources in different data links acquired within a preset time period, determining the candidate detection sequence after updating and iterating and the increment detection sequence as the state detection sequence, and storing a detection array corresponding to the state detection sequence.
5. The abnormal control discovery method according to claim 4, wherein the performing update iteration on the candidate sequence according to data sources in different data links acquired within a preset time period includes:
acquiring the different data links in the preset time period, and determining data sources in the different data links according to the preset protocol;
determining a candidate state sequence according to the data sources in the different data links and the state identifier, and comparing the candidate state sequence with the candidate detection sequence;
if the candidate state sequence comprises the candidate detection sequence, segmenting the candidate state sequence, and determining the segmented candidate state sequence as the latest candidate detection sequence to obtain the updated and iterated candidate detection sequence;
if the candidate state sequence does not comprise the candidate detection sequence and is inconsistent with the candidate detection sequence, determining the candidate state sequence as the latest candidate detection sequence so as to obtain the updated and iterated candidate detection sequence;
and ending the updating iteration until all the data sources in the preset time period are compared.
6. The abnormal control discovery method of claim 5, wherein said determining whether a current data source corresponding to a current data link between said control devices is in compliance with said status detection sequence comprises:
determining a current state sequence according to the current data source and the state identifier;
determining a current integer array according to the current state sequence and the integer numerical value;
determining each sub-array according to the current integer array, and judging whether all detection arrays contain each sub-array;
and if the judgment result is negative, determining that the control system has the abnormal control behavior.
7. The abnormal control discovery method according to any of claims 1-6, wherein said determining a data source corresponding to said data link according to a predetermined protocol comprises:
and determining the data source corresponding to the data link by reading one or more fields of the preset protocol, wherein the preset protocol comprises one of Modbus protocol, CIP protocol and DNP3 protocol.
8. An abnormal control discovery device, characterized by comprising:
the first processing module is used for acquiring data links among the control devices and determining a data source corresponding to the data links according to a preset protocol, wherein the data links are used for representing the transmission state of the data source;
the second processing module is used for determining a sparse state matrix according to the state sequence corresponding to the data source, and updating and iterating each subsequence in the state sequence based on the sparse state matrix to obtain a state detection sequence;
and the third processing module is used for determining whether a current data source corresponding to a current data link between the control devices conforms to the state detection sequence, and if the determination result is negative, the control system has abnormal control behaviors.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the abnormal control discovery method of any one of claims 1 to 7.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to execute the abnormal control discovery method according to any one of claims 1 to 7.
CN202011117031.7A 2020-10-19 2020-10-19 Abnormal control discovery method and device, electronic equipment and storage medium Active CN112269336B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011117031.7A CN112269336B (en) 2020-10-19 2020-10-19 Abnormal control discovery method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112269336A true CN112269336A (en) 2021-01-26
CN112269336B CN112269336B (en) 2022-03-08

Family

ID=74337568

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011117031.7A Active CN112269336B (en) 2020-10-19 2020-10-19 Abnormal control discovery method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112269336B (en)

Also Published As

Publication number Publication date
CN112269336B (en) 2022-03-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant