CN113067805B - Internet of things weak electromagnetic interference attack detection method and system based on edge calculation - Google Patents
Internet of things weak electromagnetic interference attack detection method and system based on edge calculation Download PDFInfo
- Publication number
- CN113067805B CN113067805B CN202110275796.1A CN202110275796A CN113067805B CN 113067805 B CN113067805 B CN 113067805B CN 202110275796 A CN202110275796 A CN 202110275796A CN 113067805 B CN113067805 B CN 113067805B
- Authority
- CN
- China
- Prior art keywords
- noise
- model
- feu
- electromagnetic interference
- lstm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2415—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y40/00—IoT characterised by the purpose of the information processing
- G16Y40/10—Detection; Monitoring
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y40/00—IoT characterised by the purpose of the information processing
- G16Y40/50—Safety; Security of things, users, data or systems
Abstract
The invention provides an industrial Internet of things weak electromagnetic interference attack detection method and system based on edge calculation, and belongs to the field of industrial Internet of things. The method comprises the following steps: extracting noise fingerprints of the intelligent equipment from sensing data transmitted to the MCU from the sensing module as samples, and respectively extracting M noise fingerprints with the length of T to establish a noise fingerprint sample library under two states of no weak electromagnetic interference attack and weak electromagnetic interference attack, wherein M is more than or equal to 5000; establishing an FEU-LSTM fusion model, wherein the FEU-LSTM fusion model comprises an FEU model based on a convolutional neural network and a time-cycle neural network LSTM model; randomly extracting P noise fingerprints from a noise fingerprint sample library, inputting the P noise fingerprints into an FEU-LSTM fusion model for Q Epoch iterations, and completing model training, wherein P is more than or equal to 125, and Q is more than or equal to 30; in the process of executing attack detection, the device noise fingerprint with the length of T read from the sensing data in real time is input into the trained FEU-LSTM fusion model, and whether the intelligent device is attacked by weak electromagnetic interference or not is judged according to the output result of the model.
Description
Technical Field
The invention relates to the field of industrial Internet of things, in particular to a weak electromagnetic attack detection method and a weak electromagnetic attack detection system of the industrial Internet of things.
Background
The current intelligent industrial production can not be supported by the industrial Internet of things, the industrial Internet of things has very high requirements on the reliability and the safety of data, and once the data in the industrial Internet of things system is tampered, the quality control of products is influenced, and even major accidents are caused.
In an intelligent device, the process of data acquisition to transmission comprises: the sensing module converts the physical quantity into an analog electric signal, then sends the signal to the sampling module MCU module through a signal line, the MCU module receives data and executes security processing (the security operation comprises encryption and verification), and the data after the security processing is sent to the cloud server through the gateway. At present, the process from the MCU to the cloud server has a well-established mechanism to ensure data security. However, the process from the sensing module to the MCU has little security verification method to ensure data security.
At present, electromagnetic interference threatens all electronic products, an attacker can modify sensing data by utilizing the electromagnetic interference and cheat an MCU (microprogrammed control Unit) to make an error decision, and the electromagnetic interference attack can be divided into strong electromagnetic interference attack and weak electromagnetic interference attack.
In an industrial field, an attacker can change the voltage on a signal line through a specific electromagnetic interference device so as to achieve the purpose of silently tampering data, and the attack is easy to destroy the accuracy of the industrial device and cause production accidents. Since devices (such as an analog-to-digital converter) in the industrial internet of things are easily coupled with electromagnetic waves, and a signal line for communication between the sensing module and the MCU serves as an antenna, an attacker can launch weak electromagnetic interference attack in various ways, so that the weak electromagnetic interference can tamper with data generated by the sensing module.
In order to protect against electromagnetic interference, there are electromagnetic interference filters and shielding lines to protect against the effects of strong electromagnetic interference, and although such electromagnetic interference protection strategies can reduce the effects of strong electromagnetic interference, there are still electromagnetic waves penetrating the circuitry, i.e. the protection strategies cannot eliminate the negative effects of weak electromagnetic waves. And the lack of data security verification and attack detection between the sensing module and the MCU results in failure to detect attacks caused by weak electromagnetic interference, so that the safety and reliability of industrial production have greater risks.
Disclosure of Invention
In order to solve the above problems, an object of an embodiment of the present invention is to provide a weak electromagnetic interference attack detection method and a weak electromagnetic interference attack detection system, which are mainly used for an industrial internet of things.
In order to achieve the above object, a first aspect of the present invention provides an edge computing-based method for detecting a weak electromagnetic interference attack of an industrial internet of things, where the industrial internet of things includes a controlled device, a smart device and a server, the smart device includes a sensing module and an MCU, and sensing data of the sensing module is transmitted to the MCU for processing, and the method includes:
extracting noise fingerprints of the intelligent equipment from sensing data transmitted to the MCU from the sensing module as samples, wherein M noise fingerprints with the length of T are respectively extracted under two states of no weak electromagnetic interference attack and weak electromagnetic interference attack to establish a noise fingerprint sample library, wherein M is more than or equal to 5000;
establishing an FEU-LSTM fusion model, wherein the FEU-LSTM fusion model comprises an FEU model based on a convolutional neural network and a time cycle neural network LSTM model;
randomly extracting P noise fingerprints from a noise fingerprint sample library, inputting the P noise fingerprints into the FEU-LSTM fusion model for Q Epoch iterations, and finishing FEU-LSTM fusion model training, wherein P is more than or equal to 125, and Q is more than or equal to 30;
in the attack detection process, the device noise fingerprint with the length of T read in real time from the sensing data transmitted from the sensing module to the MCU is input to the trained FEU-LSTM fusion model, and whether the intelligent device is attacked by weak electromagnetic interference is judged according to the output result of the trained FEU-LSTM fusion model.
Optionally, extracting the noise fingerprint with the length T includes: and extracting the noise fingerprint with the length of T from the sensing data transmitted from the sensing module to the MCU by adopting a sliding window technology and a Kalman algorithm.
Optionally, the FEU-LSTM fusion model further includes: the fingerprint features output by the FEU model are input into the LSTM model after being processed by the averaging pooling layer, and the fingerprint features output by the LSTM model are input into the Softmax function after being processed by the full connection layer.
Optionally, the FEU has a first convolutional layer, a second convolutional layer, and a third convolutional layer;
the input data dimension of the first convolution layer is [ T, 1], the convolution kernel is 3 multiplied by 32, and the output data dimension is [ T, 32 ];
the input data dimension of the second convolution layer is [ T, 32], the convolution kernel is 3 multiplied by 64, and the output data dimension is [ T, 64 ];
the input data dimension of the third convolutional layer is [ T, 64], the convolutional kernel is 3 multiplied by 64, and the output data dimension is [ T, 64 ];
the motion step length of convolution kernels of the first convolution layer, the second convolution layer and the third convolution layer is 1, and activation functions adopted in the first convolution layer, the second convolution layer and the third convolution layer are all ReLU functions;
wherein T represents the length of the noise fingerprint.
Optionally, T is equal to 45.
Optionally, Q is equal to 30; p equals 256; the FEU-LSTM fusion model training comprises the following steps: 30 Epoch iterations are performed, each Epoch inputting a random noise fingerprint from a 256 noise fingerprint sample library.
The second aspect of the invention provides a system for detecting weak electromagnetic interference attack of an industrial internet of things, which comprises: the detection method comprises a memory and a processor, wherein the memory stores computer program instructions, and the computer program instructions realize the detection method for the weak electromagnetic interference attack of the industrial internet of things when being executed by the processor.
Optionally, the memory in the system includes: a first memory and a second memory; the processor comprises a first processor and a second processor; computer program instructions of a noise fingerprint extraction algorithm and a noise fingerprint feature extraction algorithm are stored on the first memory, and when the computer program instructions are executed by the first processor, the noise fingerprint extraction and the noise fingerprint feature extraction in the industrial internet of things weak electromagnetic interference attack detection method are realized; and computer program instructions of the LSTM model are stored on the second memory, and when the computer program instructions are executed by the second processor, the functions of the LSTM model in the weak electromagnetic interference attack detection method of the industrial Internet of things are realized.
Optionally, the system further includes: the first memory and the first processor are disposed on the smart device, and the second memory and the second processor are disposed on the server.
The third aspect of the invention provides an industrial Internet of things, wherein the industrial Internet of things is provided with the weak electromagnetic interference attack detection system of the industrial Internet of things.
According to the technical scheme, firstly, an FEU-LSTM fusion model is established based on a noise fingerprint sample library of the intelligent device, in the process of executing attack detection, noise fingerprints are extracted from data sent by the sensing module in real time, the real-time noise fingerprints are compared with the noise fingerprints of the intelligent device when the intelligent device is not attacked, whether the system is attacked by weak electromagnetic interference or not is judged according to the change condition of the fingerprints, and therefore whether the data sent by the sensing module is credible or not is judged.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention without limiting the embodiments of the invention. In the drawings:
FIG. 1 is a schematic diagram of weak electromagnetic interference attack of an industrial Internet of things provided by the invention;
FIG. 2 is a block diagram of an LTI model provided by one embodiment of the present invention;
FIG. 3 is a comparison diagram of noise fingerprint characteristics with and without weak electromagnetic interference attack according to an embodiment of the present invention;
FIG. 4 is a block diagram of an FEU having three convolutional layers provided by one embodiment of the present invention;
FIG. 5 is a FEU extracted fingerprint feature and corresponding histogram provided by one embodiment of the present invention;
FIG. 6 is a block diagram of a FEU-LSTM fusion model provided in accordance with an embodiment of the present invention;
FIG. 7 is a flowchart of a weak electromagnetic interference attack detection method according to an embodiment of the present invention;
FIG. 8 is a comparison graph of the detection accuracy of different noise fingerprint lengths of the FEU-LSTM fusion model provided by an embodiment of the present invention;
FIG. 9 is a comparison graph of the detection accuracy of the FEU-LSTM fusion model under different Epoch training conditions according to an embodiment of the present invention;
FIG. 10 is an edge calculation framework of a weak electromagnetic interference attack detection method according to an embodiment of the present invention;
fig. 11 is a comparison graph of edge calculation and centralized calculation of the weak electromagnetic interference attack detection method according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
Fig. 1 is a schematic diagram of weak electromagnetic interference attack of an industrial internet of things provided by the invention. As shown in fig. 1, the sensing module sends the sensing data s (t) to the ADC analog-to-digital conversion module through a signal line, and due to different manufacturing processes, the noise fingerprint n (t) carried by the smart device is also injected into the signal line. If the attacker launches the weak electromagnetic interference attack, the malicious weak electromagnetic interference signal gamma (t) will be injected into the signal line. And finally, the signal obtained by the ADC module is the fusion of three signals, namely sensing data s (t), noise fingerprint n (t) carried by the intelligent equipment and malicious weak electromagnetic interference signal gamma (t). Where t represents the sampling time constant.
As shown in fig. 1, the weak electromagnetic interference attack model includes four components: weak electromagnetic interference attackers, a perception module, an environment and production process interference and sampling module (an ADC (analog-to-digital conversion) module and an MCU).
Fig. 2 is a block diagram of an LTI model according to an embodiment of the present invention. Existing research has demonstrated that smart devices in the industrial internet of things follow an LTI (Linear Time-Invariant) model that can accurately describe noise injection for each link in the device, including: perception module, ADC module, MCU module.
The noise fingerprint is associated with an LTI model, wherein the noise fingerprint n (t) carried by the intelligent device and the manufacturing process noise mu (t) and the environment injection noise beta (t) satisfy the following relation: n (t) + μ (t).
According to the LTI model, the ideal sensor data generated by the sensing module is defined as s (t), the data received by the MCU without attack is defined as y (t), and the data received by the MCU with attack is defined as
Said y (t) and
the following equation (1) is satisfied between the ideal sensor data s (t), the process noise mu (t), the environment injection noise beta (t) and the malicious weak electromagnetic interference signal gamma (t).
Wherein t ∈ N represents a sampling time constant, A and B represent state transition variables, and C represents a state control variable.
Alternatively, a may be set to 1, B may be set to 1, and C may be set to 0.1.
By respectively obtaining the data from the data y (t),
the ideal sensor data s (t) is subtracted to obtain the noisy fingerprint at time t. Noise fingerprint is respectively defined by a noise set F ═ F1,f2,...,ft,...,fTF'1,f′2,...,f′t,...,f′TRepresents it.
As shown in the following equation (2), F represents a noise fingerprint set when the smart device is not under attack, including: environmental interference noise and manufacturing process noise. F' represents a noise fingerprint set when the intelligent device is attacked, and the noise in F and malicious weak electromagnetic interference signals injected by an attacker are included.
As the intelligent equipment in the industrial Internet of things follows the LTI model, the data y (t) received by the MCU without the attack and the data y (t) received by the MCU with the attack can be obtained by using the Kalman algorithm
The ideal sensor data s (t) is calculated, and the noise fingerprint set F when the smart device is not attacked and the noise fingerprint set F' when the smart device is attacked can be calculated according to the above equation (2).
From the set of noise fingerprints obtained (F and F'), the differences between the noise fingerprints can be compared to determine whether the device is under attack by weak electromagnetic interference.
Fig. 3 is a comparison diagram of noise fingerprint characteristics with or without weak electromagnetic interference attack according to an embodiment of the present invention. As shown in fig. 3, a graph of data signals received by the MCU in three cases of no weak electromagnetic interference attack, electromagnetic interference attack 1 and electromagnetic interference attack 2 (a0, b0 and c0) and a graph of noise fingerprint feature extraction in the three cases (a1, b1 and c1) are intercepted. As shown in fig. 3, the location of the attack that occurred is marked with a black rectangular box.
As shown in fig. 3 a1-c1, the fingerprint under emi attack 1 has significant changes, which can be detected by simple comparison of features (e.g., amplitude, frequency). However, the fingerprint in the emi attack 2 has small variation, and it is difficult to determine whether the system is attacked by simple comparison of features (such as amplitude and frequency), so the following embodiments will provide a more optimized detection means according to the emi attack with small variation of fingerprint in the attack 2.
FIG. 4 is a block diagram of an FEU having three convolutional layers in accordance with one embodiment of the present invention. An optional embodiment of the invention employs deep learning convolution operations to process the noise fingerprints and extract features from the noise fingerprints.
As shown in fig. 4, an FEU (Feature Extraction Unit) having three convolutional layers:
a first convolution layer with input data dimension [ T, 1], convolution kernel 3 × 32 and output data dimension [ T, 32 ];
in the second convolutional layer, the input data dimension is [ T, 32], the convolutional kernel is 3 × 64, and the output data dimension is [ T, 64 ]. (ii) a
In the third convolutional layer, the input data dimension is [ T, 64], the convolutional kernel is 3 × 64, and the output data dimension is [ T, 64 ].
The motion step size of all convolution kernels is 1 and the activation function is ReLU (Linear rectification function).
Where T represents the length of the fingerprint.
As shown in fig. 4, will have a dimension of [ T, 1]]Noise fingerprint F0Input into FEU and output with size [ T, 64]]Characteristic F of3. Wherein each convolutional layer process is shown in the following equation (3).
Wherein, FiRepresenting the fingerprint vector, W, input to the i +1 th convolutional layeri+1Convolution kernels representing the i +1 th convolution layer, bi+1Which represents the deviation of the position of the object,
representing a convolution operation.
Fig. 5 is a graph of FEU extracted features and corresponding histograms provided by one embodiment of the invention. As shown in fig. 5, three noise fingerprint feature maps and their corresponding histograms before and after weak electromagnetic interference attack are extracted by using the FEU.
As shown in fig. 5(a-c), the characteristic diagrams before and after three weak electromagnetic interference attacks are output from the FEU. The histograms corresponding to the feature maps of fig. 5(a-c) are shown in fig. 5(d-f), respectively. As shown in fig. 5, the noise fingerprint features extracted by the FEU before and after the attack have a significant difference, by which it can be determined whether the device is under a weak electromagnetic interference attack.
When an attacker launches a weak electromagnetic interference attack, the attacker needs to adjust the electromagnetic wave frequency or parameters of the attack equipment so as to achieve the purpose of coupling the interference waves with the electric signals in the hardware. In this process, the target device is subject to multiple attacks, and thus the attack behavior occurs continuously in the time dimension. When the intelligent device is attacked at the current moment, the previous moment and the next moment are also likely to be attacked. In view of the above, the following embodiments build an LSTM (Long Short-Term Memory network) model to detect attacks that is good at reasoning in the time dimension. In the embodiments provided below, the FEU and LSTM models are combined to obtain a fusion model, referred to as the FEU-LSTM fusion model, for weak electromagnetic interference attack detection.
FIG. 6 is a block diagram of a FEU-LSTM fusion model provided in accordance with an embodiment of the present invention. As shown in fig. 6(a), a block diagram of a weak electromagnetic attack detection FEU-LSTM fusion model is provided for one embodiment of the present invention.
As shown in fig. 6(a), the noise fingerprint feature matrix with the size of [ T, 64] output by the FEU model is first converted into the noise fingerprint feature matrix with the size of [1, T ] by the averaging pooling layer, then the converted noise fingerprint feature matrix is input into the LSTM model, and finally the noise fingerprint feature matrix is output to the Softmax function (normalized exponential function) through the full connection layer to detect whether the fingerprint has been changed, so as to determine whether the system is attacked by weak electromagnetic interference.
The specific process is as follows:
first, the FEU model outputs [ T, 64]]Dimensional noise fingerprint features, the [ T, 64]]The dimensional noise fingerprint features are changed into [ T, 1] after the average pooling layer operation]Dimensional noise fingerprint features, said [ T, 1]Dimensional noise fingerprint features are denoted as FE ═ X1,X2,...,Xk,...,XT}. Wherein, XkRepresenting the kth eigenvalue in the eigenvector FE.
Second, the T elements of FE are input into the T elementary units of the LSTM model. As shown in fig. 6(b), the basic unit of the LSTM model includes a forgetting gate, an input gate, and an output gate. Where gates are the selective way of letting information pass, they enable neurons to record new information and forget old information. The three gates function as follows:
function f of forgetting to remember doorkExpression to choose to forget some information in the past, as shown in equation (4);
fk=σ(Wf·[Yk-1,Xk]+bf), (4)
the function of the input gate is represented byk,
ckExpressed, in order to store some current information, as shown in equation (5);
function of output gatek、YkExpression for outputting the execution result, as shown in equation (6);
finally, the LSTM model will output the feature vector YkAnd k is input into a Softmax function, and the Softmax function performs attack detection. If the output result D of the Softmax function is as shown in equation (7)r1, which means that a weak EMI attack has occurred and the data collected by the perception module is not reliable. Otherwise, weak electromagnetic interference attack does not occur, and the data collected by the sensing module is reliable.
Dr=Softmax({Yk,k=1,2,...,T}), (7)
In the above equations (4) to (6), σ is an activation function, Wi,Wf,Wo,WcRepresents the weight matrix in the LSTM model, and bi,bf,bo,bcRepresenting the bias coefficients in the LSTM model. XkRepresenting the kth eigenvalue in the eigenvector FE. Operator tableMatrix multiplication is shown, and x represents digital multiplication.
Fig. 7 is a flowchart of a weak electromagnetic interference attack detection method according to an embodiment of the present invention. As shown in fig. 7, the weak electromagnetic interference attack detection method includes: the intelligent device inputs sensing data into a data container, a sliding window technology is used for intercepting a data segment with a fixed length from a data stream generated by a sensing module, a data array is taken out after the data segment passes through a sliding window, an LTI (low temperature integrated information) model and a Kalman algorithm are used for extracting noise fingerprints, and finally the extracted noise fingerprints are input into an FEU-LSTM fusion model to finish noise fingerprint detection.
Optionally, the size of the sliding window is set to be T, two sliding windows at T and T +1 are partially overlapped to ensure the accuracy of the weak electromagnetic interference attack detection, and the length of the overlap is T/3. The sliding distance of the sliding window is 2 × T/3. The purpose of detecting the attack for a long time can be achieved by continuously analyzing the single sliding window.
Optionally, as shown in fig. 7, the method for completing noise fingerprint detection in the FEU-LSTM fusion model mainly includes two stages, namely, model training and model testing.
And in the model training stage, respectively extracting M intelligent equipment noise fingerprints with the length of T for establishing a noise fingerprint sample library by using a Kalman algorithm under two states of no weak electromagnetic interference attack and weak electromagnetic interference attack, wherein M is more than or equal to 5000. Randomly extracting P noise fingerprints from a sample library, inputting the P noise fingerprints into an FEU-LSTM fusion model, and completing Q Epoch iterations, wherein P is larger than or equal to 125, Q is larger than or equal to 5, and Q is preferably 30. The Epoch represents that the P noise fingerprints pass the LSTM model once and return once, which is called an Epoch.
And in the model testing stage, a trained model is used, a Kalman algorithm is used for extracting the noise fingerprints of the intelligent equipment with the length of T in real time, the trained FEU-LSTM fusion model is classified according to the input noise fingerprints, and a detection result is output through a Softmax function.
Optionally, in order to extract a noise fingerprint under weak electromagnetic interference attack to create a noise fingerprint sample library, an external voltage source (voltage range is 0 to 3.3V) may be used to inject an attack voltage into the signal line to simulate a system attacked by weak electromagnetic interference.
Optionally, fig. 8 is a comparison graph of detection accuracy of different noise fingerprint lengths of the FEU-LSTM fusion model according to an embodiment of the present invention. As shown in FIG. 8, the convergence speed and accuracy of the FEU-LSTM fusion model training and testing are verified under four conditions of 30, 35, 40 and 45 noise fingerprint lengths T. The abscissa indicates the number of Epoch iterations performed, and the ordinate indicates the test accuracy, with 256 noise fingerprints input per Epoch. As shown in fig. 8 (d), when the noise fingerprint length T is 45, after 30 Epoch training, the test accuracy of the FEU-LSTM fusion model can reach 0.963.
Optionally, fig. 9 is a comparison diagram of detection accuracy of the FEU-LSTM fusion model provided in an embodiment of the present invention under different Epoch training.
Before the FEU-LSTM fusion model is adopted, a Softmax regression model, a convolutional neural network model and a support vector machine model are also constructed for testing, and the test result shows that the test precision of other models is not as good as that of the FEU-LSTM fusion model.
As shown in fig. 9, which are diagrams (a) - (f), the FEU-LSTM fusion model and other models (e.g., Softmax regression model, convolutional neural network model, and support vector machine model) are compared to detect the accuracy of weak electromagnetic interference attack when epochs are 5, 10, 15, 20, 25, and 30, and 256 noise fingerprints are input per Epoch.
As can be seen from (a) - (f) of fig. 9, as the training Epoch increases, the attack detection accuracy of both models improves. When the Epoch is 5 or 10, the FEU-LSTM fusion model has not reached the convergence state yet, and thus the detection accuracy is unstable. However, when the training Epoch is greater than 10, the detection accuracy of the weak electromagnetic interference attack of the FEU-LSTM fusion model is significantly higher than that of other models. When the Epoch is 30 and the T is 45, the detection precision of the FEU-LSTM fusion model is 0.963, which is superior to other models.
Alternatively, since there are many intelligent devices in the industrial internet of things, these intelligent devices are always sending large amounts of data to the server through the gateway. Therefore, the server faces a huge data processing and storage pressure. However, the smart device is only responsible for the collection and transmission of data, and its computing power is idle. Therefore, the idle part of the computing power of the intelligent device can be used for sharing the stress of the server. In contrast, the invention provides an edge calculation method for a weak electromagnetic interference attack detection method.
Fig. 10 is an edge calculation framework of a weak electromagnetic interference attack detection method according to an embodiment of the present invention. The computing power of idle intelligent equipment is utilized to share the computing pressure of the server, so that the overall execution efficiency of the weak electromagnetic interference attack detection method is improved. The edge computing framework is shown in fig. 10, and the weak electromagnetic interference attack detection method is divided into several parts and deployed on the intelligent device and the server. As shown in fig. 10, an LTI model-based noise fingerprint extraction algorithm and an FEU model algorithm are deployed on the smart device, and an LSTM model algorithm is deployed on the server.
Although the whole method is separately deployed, the whole implementation process thereof is still in accordance with the flow chart of the weak electromagnetic interference attack detection method of fig. 7. The deployment method distributes the calculation tasks belonging to the server to the intelligent equipment, thereby reducing the operation pressure of the server, avoiding network congestion and improving the overall execution efficiency.
Optionally, fig. 11 is a comparison graph of edge calculation and centralized calculation of the weak electromagnetic interference attack detection method according to an embodiment of the present invention.
As shown in fig. 11(a) - (d), when the noise fingerprint length T is tested at 30, 35, 40 and 45, the weak electromagnetic interference detection method provided by the present invention compares the time consumption in the edge calculation mode and the centralized calculation mode. As shown in FIG. 11, when the noise fingerprint lengths T are 30, 35, 40, and 45, the average running time of the concentration calculation is 2-3 times the average running time of the edge calculation, respectively.
The embodiment of the invention also provides a weak electromagnetic interference attack detection system, which comprises a memory and a processor, wherein computer program instructions are stored on the memory, and when the computer program instructions are executed by the processor, the weak electromagnetic interference attack detection method can be realized.
Optionally, an embodiment of the present invention further provides a weak electromagnetic interference attack detection system, where the memory includes: a first memory and a second memory; the processor comprises a first processor and a second processor;
the first memory has stored thereon computer program instructions for a noise fingerprint extraction algorithm and a noise fingerprint FEU algorithm, which when executed by the first processor, enable noise fingerprint extraction and noise fingerprint feature extraction in the above weak electromagnetic interference attack detection method.
Stored on the second memory are computer program instructions of the LSTM model which, when executed by the second processor, enable the noise fingerprint feature comparison detection in the weak electromagnetic interference attack detection method described above.
Optionally, an embodiment of the present invention further provides a system for detecting weak electromagnetic interference attack, where the first memory and the first processor are disposed at an intelligent device end. The second memory and the second processor are deployed on the server side.
The embodiment of the invention also provides an industrial Internet of things, wherein the weak electromagnetic interference attack detection system is arranged on the industrial Internet of things.
Those skilled in the art will appreciate that all or part of the steps in the method for implementing the above embodiments may be implemented by a program, which is stored in a storage medium and includes several instructions to enable a single chip, a chip, or a processor (processor) to execute all or part of the steps in the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
While the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the details of the above embodiments, and various simple modifications can be made to the technical solution of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and the simple modifications are within the scope of the embodiments of the present invention. It should be noted that the various features described in the foregoing embodiments may be combined in any suitable manner without contradiction. In order to avoid unnecessary repetition, the embodiments of the present invention will not be described separately for the various possible combinations.
In addition, any combination of the various embodiments of the present invention is also possible, and the same should be considered as disclosed in the embodiments of the present invention as long as it does not depart from the spirit of the embodiments of the present invention.
Claims (9)
1. The utility model provides an industry thing networking weak electromagnetic interference attack detection method based on edge calculation, industry thing networking includes controlled equipment, smart machine and server, smart machine includes perception module and MCU, and the sensing data transmission of perception module is handled to MCU, the detection method includes:
extracting noise fingerprints of the intelligent device from sensing data transmitted from the sensing module to the MCU as samples, wherein M parts of the noise fingerprints with the length of M are respectively extracted under two states of no weak electromagnetic interference attack and weak electromagnetic interference attackTThe noise fingerprint to establish a noise fingerprint sample library, wherein M is more than or equal to 5000;
establishing FEU-LSTM fusion model, and setting the length asTThe noise fingerprint is input into an FEU model for fingerprint feature extraction, fingerprint features output by the FEU model are input into an LSTM model after being processed by an average pooling layer, the fingerprint features output by the LSTM model are input into a Softmax function after being processed by a full connection layer, and the FEU-LSTM fusion model comprises the FEU model based on a convolutional neural network, a time-cycling neural network LSTM model, the average pooling layer, the full connection layer and the Softmax function;
randomly extracting P noise fingerprints from a noise fingerprint sample library, inputting the P noise fingerprints into an FEU-LSTM fusion model for Q Epoch iterations, and finishing FEU-LSTM fusion model training, wherein P is more than or equal to 125, and Q is more than or equal to 30;
after executing attack detectionIn the process, the length of real-time reading in the sensing data transmitted from the sensing module to the MCU isTAnd inputting the device noise fingerprint into the trained FEU-LSTM fusion model, and judging whether the intelligent device is attacked by weak electromagnetic interference or not according to the output result of the trained FEU-LSTM fusion model.
2. The detection method according to claim 1, wherein the extraction length isTThe noise fingerprint of (1), comprising:
the length of the sensing data transmitted from the sensing module to the MCU is extracted from the sensing data by adopting a sliding window technology and a Kalman algorithmTThe noise fingerprint of (1).
3. The inspection method of claim 1, wherein the FEU model has a first convolutional layer, a second convolutional layer, and a third convolutional layer;
the input data dimension of the first convolution layer is [ 2]T,1]The convolution kernel is 3X 32, and the output data dimension is [ 2]T,32];
The input data dimension of the second convolution layer is [ 2]T,32]The convolution kernel is 3X 64, and the output data dimension is [ alpha ], [ alpha ]T,64];
The input data dimension of the third convolution layer is [ 2]T,64]The convolution kernel is 3X 64, and the output data dimension is [ alpha ], [ alpha ]T,64];
The motion step length of convolution kernels of the first convolution layer, the second convolution layer and the third convolution layer is 1, and activation functions adopted in the first convolution layer, the second convolution layer and the third convolution layer are all ReLU functions;
wherein the content of the first and second substances,Trepresenting the length of the noise fingerprint.
4. The detection method according to claim 3,Tequal to 45.
5. The detection method according to claim 4, wherein Q is equal to 30; p equals 256;
the FEU-LSTM fusion model training comprises the following steps: 30 Epoch iterations are performed, each Epoch inputting a randomly extracted noise fingerprint from a 256 noise fingerprint sample library.
6. The utility model provides a weak electromagnetic interference attack detecting system of industry thing networking, includes smart machine and server, its characterized in that, detecting system includes: a memory and a processor, the memory having stored thereon computer program instructions which, when executed by the processor, implement the method of detecting weak electromagnetic interference attacks of the industrial internet of things as claimed in any one of claims 1 to 5.
7. The detection system of claim 6, wherein the memory comprises: a first memory and a second memory; the processor comprises a first processor and a second processor;
computer program instructions for a noise fingerprint extraction algorithm and a noise fingerprint feature extraction algorithm stored on the first memory, which computer program instructions, when executed by the first processor, perform the noise fingerprint extraction and the noise fingerprint feature extraction in the detection method of any one of claims 1 to 5;
on said second memory there are stored computer program instructions of the LSTM model which, when executed by the second processor, implement the functionality of the LSTM model in the detection method of any of claims 1 to 5.
8. The detection system of claim 7, wherein the first memory and the first processor are disposed on a smart device and the second memory and the second processor are disposed on a server.
9. An industrial Internet of things device, characterized in that the industrial Internet of things device is provided with the industrial Internet of things weak electromagnetic interference attack detection system as claimed in any one of claims 6 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110275796.1A CN113067805B (en) | 2021-03-15 | 2021-03-15 | Internet of things weak electromagnetic interference attack detection method and system based on edge calculation |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110275796.1A CN113067805B (en) | 2021-03-15 | 2021-03-15 | Internet of things weak electromagnetic interference attack detection method and system based on edge calculation |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113067805A CN113067805A (en) | 2021-07-02 |
| CN113067805B true CN113067805B (en) | 2022-05-24 |
Family
ID=76561442
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110275796.1A Active CN113067805B (en) | 2021-03-15 | 2021-03-15 | Internet of things weak electromagnetic interference attack detection method and system based on edge calculation |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113067805B (en) |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7613580B2 (en) * | 2007-04-12 | 2009-11-03 | Sun Microsystems, Inc. | Method and apparatus for generating an EMI fingerprint for a computer system |
| CN110197127B (en) * | 2019-05-06 | 2022-10-18 | 安徽继远软件有限公司 | Wireless signal detection and electromagnetic interference classification system and method based on deep learning |
| CN110555388A (en) * | 2019-08-06 | 2019-12-10 | 浙江大学 | CNN and LSTM-based method for constructing intracardiac abnormal excitation point positioning model |
| CN110933031A (en) * | 2019-10-25 | 2020-03-27 | 国网吉林省电力有限公司电力科学研究院 | Intelligent power grid power distribution terminal unit intrusion detection method based on LSTM |
| CN111638488B (en) * | 2020-04-10 | 2023-05-30 | 西安电子科技大学 | LSTM network-based radar interference signal identification method |
| CN111783558A (en) * | 2020-06-11 | 2020-10-16 | 上海交通大学 | Satellite navigation interference signal type intelligent identification method and system |
| CN111818052B (en) * | 2020-07-09 | 2022-07-08 | 国网山西省电力公司信息通信分公司 | CNN-LSTM-based industrial control protocol homologous attack detection method |
| CN112183647A (en) * | 2020-09-30 | 2021-01-05 | 国网山西省电力公司大同供电公司 | Transformer substation equipment sound fault detection and positioning method based on deep learning |
-
2021
- 2021-03-15 CN CN202110275796.1A patent/CN113067805B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN113067805A (en) | 2021-07-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Zhang et al. | LSTM-based analysis of industrial IoT equipment | |
| Verstraete et al. | Deep learning enabled fault diagnosis using time-frequency image analysis of rolling element bearings | |
| Zhang et al. | Deep learning algorithms for bearing fault diagnostics-a review | |
| CN113554089A (en) | Image classification countermeasure sample defense method and system and data processing terminal | |
| CN111751133B (en) | Intelligent fault diagnosis method of deep convolutional neural network model based on non-local mean embedding | |
| Qin et al. | Anti‐noise diesel engine misfire diagnosis using a multi‐scale CNN‐LSTM neural network with denoising module | |
| Dai et al. | SMASH: A malware detection method based on multi-feature ensemble learning | |
| Xu et al. | Applying morphology to improve Canny operator's image segmentation method | |
| CN114155397B (en) | Small sample image classification method and system | |
| Liao et al. | Research on a rolling bearing fault detection method with wavelet convolution deep transfer learning | |
| Xin et al. | Intelligent fault diagnosis method for rotating machinery based on vibration signal analysis and hybrid multi‐object deep CNN | |
| Belkhouja et al. | Analyzing deep learning for time-series data through adversarial lens in mobile and IoT applications | |
| Peng et al. | Research on fault diagnosis method of rolling bearing based on 2DCNN | |
| Gungor et al. | Res-hd: Resilient intelligent fault diagnosis against adversarial attacks using hyper-dimensional computing | |
| CN108507607B (en) | Weak signal detection method based on kernel function | |
| CN108694375B (en) | Imaging white spirit identification method applicable to multi-electronic nose platform | |
| CN113067805B (en) | Internet of things weak electromagnetic interference attack detection method and system based on edge calculation | |
| Stojanović et al. | Deep learning‐based approach to latent overlapped fingerprints mask segmentation | |
| Wang et al. | Few‐shot multiscene fault diagnosis of rolling bearing under compound variable working conditions | |
| CN111343205B (en) | Industrial control network security detection method and device, electronic equipment and storage medium | |
| CN115314239A (en) | Analysis method and related equipment for hidden malicious behaviors based on multi-model fusion | |
| CN114549912B (en) | Gravitational wave candidate screening method and device and storage medium | |
| Al-Nafjan et al. | Intrusion detection using PCA based modular neural network | |
| Ali et al. | Detecting Conventional and Adversarial Attacks Using Deep Learning Techniques: A Systematic Review | |
| CN115545080B (en) | Online detection method and device for lubricating oil scraps |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CB03 | Change of inventor or designer information | ||
| CB03 | Change of inventor or designer information |
Inventor after: Fang Kai Inventor after: Fang Qin Inventor after: Wang Lina Inventor after: Zhou Xiaolong Inventor after: Yang Mingxia Inventor before: Fang Kai Inventor before: Wang Lina Inventor before: Zhou Xiaolong Inventor before: Yang Mingxia |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230913 Address after: Room 1101, Building 7, Xinghu 101 Square, No. 1101 Xinghu Avenue, Economic and Technological Development Zone, Nantong City, Jiangsu Province, 226000 Patentee after: Nantong Jingxiang Technology Co.,Ltd. Address before: 324000 North China Road No. 78, Quzhou, Quzhou, Zhejiang Patentee before: QUZHOU University |