CN113285938A - Network flow abnormity detection method applied to industrial Internet - Google Patents


Info

Publication number
CN113285938A
Authority
CN
China
Prior art keywords
industrial
network traffic
feature map
industrial internet
classification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202110532715.1A
Other languages
Chinese (zh)
Inventor
叶勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Suqing Technology Co ltd
Original Assignee
Hangzhou Suqing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Suqing Technology Co ltd filed Critical Hangzhou Suqing Technology Co ltd
Priority to CN202110532715.1A priority Critical patent/CN113285938A/en
Publication of CN113285938A publication Critical patent/CN113285938A/en
Withdrawn legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G06F18/241: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/048: Activation functions
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The present invention relates to the industrial internet, and more particularly to a network traffic anomaly detection method applied to the industrial internet. The industrial internet closely connects and integrates devices, production lines, factories, suppliers, products and customers through an industrial-level network platform, and efficiently shares various key resources in the industrial economy. The network traffic anomaly detection method of this application detects network traffic anomalies by considering the correlation of network traffic among all the industrial devices linked in the production process, so as to ensure the stable and safe operation of the whole industrial internet system.

Description

Network flow abnormity detection method applied to industrial Internet
Technical Field
The present application relates to intelligent network traffic anomaly detection in the field of intelligent manufacturing, and more particularly, to a network traffic anomaly detection method applied to an industrial internet, a network traffic anomaly detection system applied to an industrial internet, and an electronic device.
Background
With the continuous development of industrialization and informatization, more and more information technologies are applied to the industrial field, and an industrial internet is formed. The industrial internet is a result of the integration of global industrial systems with advanced computing, analysis, sensing technologies and internet connections, and its essence is to tightly connect and integrate equipment, production lines, factories, suppliers, products and customers through an open and global industrial network platform, efficiently share various essential resources in industrial economy, thereby reducing cost and increasing efficiency through an automatic and intelligent production mode, helping the manufacturing industry to extend the industry chain, and promoting the transformation development of the manufacturing industry.
In an actual industrial internet system, such as an automatic production line of plastic bags, since a plurality of different industrial devices are involved, if one of the industrial devices has a problem and generates abnormal traffic, the overall operation of the industrial internet system is affected. However, in a complete industrial internet system, the operation mechanisms of each industrial device are different, and the traffic data generated by each device in different operation states are also different, which makes it difficult to determine whether the network traffic is abnormal as a whole based on the network traffic of a single device.
Therefore, an optimized technical scheme for detecting network traffic anomaly applied to the industrial internet is expected.
Disclosure of Invention
The present application is proposed to solve the above-mentioned technical problems. Embodiments of the application provide a network traffic anomaly detection method applied to the industrial internet, a network traffic anomaly detection system applied to the industrial internet, and an electronic device, in which network traffic anomaly detection is carried out based on the correlation of network traffic among all the industrial devices linked in the production process, thereby ensuring the stable and safe operation of the whole industrial internet system.
According to an aspect of the present application, there is provided a network traffic abnormality detection method applied to an industrial internet, including:
sampling network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to an industrial internet;
preprocessing the sampled network traffic of each of the industrial devices to obtain preprocessed network traffic, wherein preprocessing the sampled network traffic of each of the industrial devices to obtain preprocessed network traffic includes: carrying out linear normalization processing on the sampled network flow of each industrial device;
splicing the preprocessed network traffic of each industrial device into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents flow data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time;
passing the data matrix through a deep convolutional neural network to obtain a feature map corresponding to the data matrix;
performing Gaussian normalization on each feature matrix in the feature map to obtain a normalized feature map; and
passing the normalized feature map through a classifier to obtain a classification result, wherein the classification result indicates whether the current network traffic of the industrial internet-based production line is abnormal.
In the above method for detecting network traffic anomaly applied to the industrial internet, performing Gaussian normalization on each feature matrix in the feature map to obtain a normalized feature map includes: performing Gaussian normalization on each column of each feature matrix in the feature map, using the following formula, to obtain the normalized feature map: $x' = (x - \mu)/\sigma$, where $x$ is the value before normalization and $x'$ is the value after normalization.
In the above method for detecting network traffic anomaly applied to the industrial internet, the passing the normalized feature map through a classifier to obtain a classification result includes: passing the normalized feature map through one or more fully-connected layers to encode the normalized feature map through the one or more fully-connected layers to obtain a classification feature vector; inputting the classification feature vector into a Softmax classification function to obtain probability values of the classification feature vector belonging to each classification label; and determining the classification result based on the probability value.
In the above network traffic anomaly detection method applied to the industrial internet, the deep convolutional neural network is a deep residual network.
In the above method for detecting network traffic anomaly applied to the industrial internet, the industrial internet-based production line is an automatic production line for plastic bags, and the industrial devices include: feeding equipment, manufacturing equipment, packaging equipment and detection equipment.
According to another aspect of the present application, there is provided a network traffic abnormality detection system applied to an industrial internet, including:
a network traffic acquiring unit for sampling network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to the industrial internet;
a preprocessed network traffic generating unit, configured to preprocess the network traffic sampled by the industrial device and obtained by each network traffic obtaining unit, so as to obtain a preprocessed network traffic, where the preprocessed network traffic generating unit is further configured to: performing linear normalization processing on the network traffic sampled by the industrial equipment obtained by each network traffic obtaining unit;
a data matrix generation unit, configured to splice the preprocessed network traffic of each industrial device obtained by the preprocessed network traffic generating unit into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents the traffic data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time;
a data matrix feature map generating unit, configured to pass the data matrix obtained by the data matrix generation unit through a deep convolutional neural network to obtain a feature map corresponding to the data matrix;
a normalized feature map generating unit, configured to perform Gaussian normalization on each feature matrix in the feature map obtained by the data matrix feature map generating unit to obtain a normalized feature map; and
a classification result generating unit, configured to pass the normalized feature map obtained by the normalized feature map generating unit through a classifier to obtain a classification result, wherein the classification result indicates whether the current network traffic of the industrial internet-based production line is abnormal.
In the above system for detecting network traffic anomaly applied to the industrial internet, the normalized feature map generating unit is further configured to: perform Gaussian normalization on each column of each feature matrix in the feature map, using the following formula, to obtain the normalized feature map: $x' = (x - \mu)/\sigma$, where $x$ is the value before normalization and $x'$ is the value after normalization.
In the above network traffic abnormality detection system applied to the industrial internet, the classification result generating unit includes: a classification feature vector generation subunit, configured to pass the normalized feature map through one or more fully-connected layers, so as to encode the normalized feature map through the one or more fully-connected layers, so as to obtain a classification feature vector; a probability value generating subunit, configured to input the classification feature vector obtained by the classification feature vector generating subunit into a Softmax classification function, so as to obtain a probability value that the classification feature vector belongs to each classification label; and the classification result determining subunit is used for determining the classification result based on the probability value obtained by the probability value generating subunit.
In the above network traffic anomaly detection system applied to the industrial internet, the classification tag includes: the current network flow of the industrial internet-based production line is normal, and the current network flow of the industrial internet-based production line is abnormal.
In the above network traffic anomaly detection system applied to the industrial internet, the deep convolutional neural network is a deep residual network.
In the above network traffic anomaly detection system applied to the industrial internet, the industrial internet-based production line is an automatic production line for plastic bags, and the industrial devices include: feeding equipment, manufacturing equipment, packaging equipment and detection equipment.
According to still another aspect of the present application, there is provided an electronic apparatus including: a processor; and a memory in which computer program instructions are stored, which, when executed by the processor, cause the processor to perform the network traffic abnormality detection method applied to the industrial internet as described above.
According to still another aspect of the present application, there is provided a computer readable medium having stored thereon computer program instructions, which, when executed by a processor, cause the processor to execute the network traffic abnormality detection method applied to the industrial internet as described above.
Compared with the prior art, embodiments of the application provide a network traffic anomaly detection method applied to the industrial internet, a network traffic anomaly detection system applied to the industrial internet, and an electronic device, in which network traffic anomaly detection is carried out based on the correlation of network traffic among all the industrial devices linked in the production process, thereby ensuring the stable and safe operation of the whole industrial internet system.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing in more detail embodiments of the present application with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application. In the drawings, like reference numbers generally represent like parts or steps.
Fig. 1 is an application scenario diagram of a network traffic anomaly detection method applied to an industrial internet according to an embodiment of the present application.
Fig. 2 is a flowchart of a network traffic anomaly detection method applied to the industrial internet according to an embodiment of the present application.
Fig. 3 is a schematic configuration diagram of a network traffic anomaly detection method applied to the industrial internet according to an embodiment of the present application.
Fig. 4 is a flowchart of obtaining a classification result by passing the normalized feature map through a classifier in the network traffic anomaly detection method applied to the industrial internet according to the embodiment of the present application.
Fig. 5 is a block diagram of a network traffic anomaly detection system applied to an industrial internet according to an embodiment of the present application.
Fig. 6 is a block diagram of a classification result generation unit in the network traffic anomaly detection system applied to the industrial internet according to the embodiment of the present application.
Fig. 7 is a block diagram of an electronic device according to an embodiment of the application.
Detailed Description
Hereinafter, example embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be understood that the described embodiments are only some embodiments of the present application and not all embodiments of the present application, and that the present application is not limited by the example embodiments described herein.
Scenario Overview
As described above, in the industrial internet system of the automatic production line of plastic bags, it is often necessary to connect each industrial device to the industrial internet, and in order to ensure stable and safe operation of the entire industrial internet system, it is necessary to detect the network traffic of the industrial internet.
However, in an actual industrial internet system, such as an automatic production line for plastic bags, a plurality of different industrial devices are involved at different stages of the production line, so their operating states may differ greatly. For example, in an automatic production line, the feeding equipment, manufacturing equipment, packaging equipment, detection equipment and so on are at different stages of the production line, and each of them may at times be temporarily stopped, which makes it difficult to determine from the network traffic of a single device whether the network traffic as a whole is abnormal.
Therefore, an automatic detection scheme for network traffic anomaly of the industrial internet is desired.
Specifically, based on the actual network traffic state in the industrial internet of an automated production line, the applicant performs network traffic detection by considering not only the network traffic of a single industrial device but also the correlation of network traffic between the industrial devices connected in the production process. Because a deep-learning-based convolutional neural network can effectively extract the correlations between data while mining the deep statistical features of the data, the applicant uses such a network to detect network traffic anomalies.
In the training and inference process of the deep-learning-based convolutional neural network, because the traffic of each single industrial device over time is also considered, the network traffic of each industrial device on the production line is sampled at fixed time intervals, and the sampled network traffic of the industrial devices is spliced into a data matrix; for example, a row of the data matrix represents each industrial device, a column represents the traffic data sampled from a single industrial device at each time, and the last column represents the actual network traffic of each device on the industrial internet at the current time. However, traffic data obtained in this way does not take into account the traffic differences between the individual industrial devices; therefore, in the data preprocessing stage, the traffic of each industrial device is first linearly normalized, so that each value in the input data matrix is between 0 and 1.
The data matrix is then passed through a convolutional neural network to obtain a feature map. Because of the nonlinear activations in the convolutional neural network, the probability distributions of the values in the feature map at the positions corresponding to a single industrial device are likely to diverge. To improve data convergence in the subsequent classifier, and considering that the network traffic of a single industrial device usually follows a Gaussian distribution during normal operation, Gaussian normalization is further performed on each row of the feature matrix in the feature map, i.e. $x' = (x - \mu)/\sigma$, where $x$ is the value before normalization and $x'$ is the value after normalization; in this embodiment this may also be referred to as Gaussian reforming, or normalized reforming, of the features. The normalized and reformed feature map is then input into the classifier to obtain a classification result representing whether the current network traffic is abnormal.
Based on this, the application provides a network traffic anomaly detection method applied to an industrial internet, which includes: sampling network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to an industrial internet;
preprocessing the sampled network traffic of each of the industrial devices to obtain preprocessed network traffic, wherein the preprocessing includes: carrying out linear normalization processing on the sampled network traffic of each industrial device; splicing the preprocessed network traffic of each industrial device into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents traffic data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time; passing the data matrix through a deep convolutional neural network to obtain a feature map corresponding to the data matrix; performing Gaussian normalization on each feature matrix in the feature map to obtain a normalized feature map; and passing the normalized feature map through a classifier to obtain a classification result, wherein the classification result indicates whether the current network traffic of the industrial internet-based production line is abnormal.
Fig. 1 is a diagram illustrating an application scenario of a network traffic anomaly detection method applied to an industrial internet according to an embodiment of the present application. As shown in fig. 1, in this application scenario, network traffic of various industrial devices (e.g., M1 and M2 as illustrated in fig. 1) is sampled at predetermined time intervals by a hardware probe (e.g., P as illustrated in fig. 1). It should be noted that, in the application scenario, other sensors may also be used to collect network traffic of the industrial device, which is not limited in the present application. Then, the collected network traffic is input into a server (for example, S as illustrated in fig. 1) deployed with a network traffic anomaly detection algorithm applied to the industrial internet, wherein the server can process the collected network traffic with the network traffic anomaly detection algorithm applied to the industrial internet to generate a classification result indicating whether the network traffic is anomalous or not.
In a specific application of the present application, the industrial internet-based production line is an automatic production line for plastic bags, and the industrial devices include: feeding equipment, manufacturing equipment, packaging equipment and detection equipment. Of course, in other examples of the present application, the production line may also be implemented as another industrial internet-based production line, and the present application is not limited in this respect.
Having described the general principles of the present application, various non-limiting embodiments of the present application will now be described with reference to the accompanying drawings.
Exemplary method
Fig. 2 illustrates a flowchart of a network traffic anomaly detection method applied to the industrial internet according to an embodiment of the present application. As shown in fig. 2, the method for detecting network traffic anomaly applied to the industrial internet according to the embodiment of the present application includes:
S110, sampling the network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to the industrial internet;
S120, preprocessing the sampled network traffic of each of the industrial devices to obtain preprocessed network traffic, wherein the preprocessing includes: carrying out linear normalization processing on the sampled network traffic of each industrial device;
S130, splicing the preprocessed network traffic of each industrial device into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents the traffic data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time;
S140, passing the data matrix through a deep convolutional neural network to obtain a feature map corresponding to the data matrix;
S150, performing Gaussian normalization on each feature matrix in the feature map to obtain a normalized feature map; and
S160, passing the normalized feature map through a classifier to obtain a classification result, wherein the classification result indicates whether the current network traffic of the industrial internet-based production line is abnormal.
Fig. 3 is a schematic diagram illustrating an architecture of a network traffic anomaly detection method applied to an industrial internet according to an embodiment of the present application. As shown in fig. 3, in the network architecture, first, network traffic of a single industrial device (for example, NF1 as illustrated in fig. 3) on an industrial internet-based production line, each industrial device of which is communicably connected to the industrial internet, is sampled at predetermined time intervals; then, pre-processing the sampled network traffic of each of the industrial devices to obtain pre-processed network traffic (e.g., PNF1-PNFn as illustrated in fig. 3); then, the preprocessed network traffic of each industrial device is spliced into a data matrix (e.g., DM as illustrated in fig. 3), wherein a row of the data matrix represents each industrial device, a column represents traffic data sampled by a single industrial device at each time point, and a last column represents current network traffic of each industrial device on the production line at a current time; then, passing the data matrix through a deep convolutional neural network (e.g., CNN as illustrated in fig. 3) to obtain a feature map (e.g., Fm as illustrated in fig. 3) corresponding to the data matrix; then, performing gaussian normalization on each of the feature matrices in the feature map to obtain a normalized feature map (e.g., Fn as illustrated in fig. 3); finally, the normalized feature map is passed through a classifier (e.g., a classifier as illustrated in fig. 3) to obtain a classification result, wherein the classification result is used for indicating whether the current network traffic of the industrial internet-based production line is abnormal or not.
In step S110, network traffic of a single industrial device on an industrial internet-based production line, each industrial device of which is communicably connected to the industrial internet, is sampled at predetermined time intervals. As described above, in the technical solution of the present application, the network traffic of a single industrial device on a production line is sampled at regular time intervals in consideration of the traffic information of the single industrial device over time. That is, a single industrial device connected to the industrial internet is sampled through a predetermined time interval to obtain flow data of the respective industrial devices.
Specifically, in the embodiment of the present application, the hardware probe may be connected in series to the link to be observed to process all data traffic on the link, so as to extract a protocol field required for traffic monitoring and even all message contents.
In a specific application of the present application, the industrial internet-based production line is an automatic production line for plastic bags, and the industrial devices include: feeding equipment, manufacturing equipment, packaging equipment and detection equipment. Of course, in other examples of the present application, the production line may also be implemented as another industrial internet-based production line, and the present application is not limited in this respect.
In step S120, the sampled network traffic of each of the industrial devices is preprocessed to obtain preprocessed network traffic. It should be understood that the collected network traffic does not take into account the traffic differences between the individual industrial devices, and thus a preprocessing operation is required for the collected network traffic. Specifically, in this embodiment, the process of preprocessing the sampled network traffic of each of the industrial devices to obtain the preprocessed network traffic includes: carrying out linear normalization processing on the sampled network traffic of each industrial device. That is, the traffic of each industrial device is linearly normalized so that each value of the input data is between 0 and 1.
In step S130, the preprocessed network traffic of each industrial device is merged into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents the traffic data sampled by a single industrial device at each time point, and a last column represents the current network traffic of each industrial device on the production line at the current time. It should be understood that, in the technical solution of the present application, each industrial device may have a state of temporarily stopping working when it is in different stages of the production line, which may make it difficult to determine whether there is an abnormal network traffic condition based on the network traffic of a single device. That is, in the process of performing network traffic inspection, not only the network traffic condition of a single industrial device but also the network traffic correlation between the industrial devices connected in the production process are considered.
In a specific embodiment, the network traffic of each industrial device after normalization processing is spliced into a data matrix to realize the correlation of the network traffic among the industrial devices, wherein a row of the data matrix represents each industrial device, a column represents traffic data sampled by a single industrial device at each time point, and a last column represents the current network traffic of each industrial device on the production line at the current time.
In step S140, the data matrix is passed through a deep convolutional neural network to obtain a feature map corresponding to the data matrix. That is, the data matrix is processed with a deep convolutional neural network to extract feature representations of local features in the data matrix in a high-dimensional space.
Those skilled in the art will appreciate that a deep convolutional neural network performs very well at extracting local spatial features of an image. In one particular example of the present application, the convolutional neural network may be implemented as a deep residual network, e.g., ResNet 100. As those skilled in the art know, the deep residual network is an optimized structure built on the conventional convolutional neural network, and it mainly solves the vanishing-gradient problem that arises during training. The deep residual network introduces a residual structure that allows the network to be made deeper without the gradient vanishing. The residual network borrows the cross-layer link idea of the highway network: it breaks the convention that layer N of a traditional neural network can take its input only from layer N-1, and lets the output of one layer skip several layers and serve directly as the input of a later layer. Its significance is that it offers a new direction for the problem that stacking more layers can raise, rather than lower, the error rate of the whole learning model.
The convolutional neural network includes a convolutional layer, a pooling layer, and an activation layer. Specifically, passing the data matrix through a deep convolutional neural network to obtain a feature map corresponding to the data matrix includes the following. The data matrix is first passed through the convolutional layer, which convolves it to generate a convolution feature map. Convolution reduces the dimensionality of the data matrix and extracts the features in it that match the convolution kernel. The convolution feature map is then activated by a nonlinear activation function to obtain an activation feature map; the activation layer enhances the representational capability of the convolutional neural network. Next, the activation feature map is pooled by the pooling layer to generate a pooled feature map. The essence of pooling is "down-sampling": pooling the activation feature map further reduces the dimensionality of the data while retaining the useful information in it, which enhances the generalization capability of the convolutional neural network. In the present embodiment, the feature map may be any one of the convolution feature map, the pooled feature map, and the activation feature map.
In step S150, each row of each feature matrix in the feature map is subjected to Gaussian normalization to obtain a normalized feature map. As described above, in the technical solution of the present application, the convolutional neural network contains a nonlinear activation, which makes it highly likely that the probability distributions of the values in the feature map corresponding to the positions of the respective industrial devices diverge. That is, each row of each feature matrix in the feature map is reshaped to a Gaussian form to improve the convergence of the data in the subsequent classifier.
Specifically, in the embodiment of the present application, considering that the network traffic of a single industrial device generally follows a Gaussian distribution during normal operation, Gaussian normalization is further performed on each row of the feature matrix in the feature map, that is, $x' = (x - \mu)/\sigma$, where x is the value before normalization and x' is the value after normalization, to obtain a normalized feature map.
In step S160, the normalized feature map is passed through a classifier to obtain a classification result, wherein the classification result indicates whether the current network traffic of the industrial internet-based production line is abnormal. As described above, mining the deep statistical features of the data makes it possible to extract the associated information between the data effectively; that is, the detection of network traffic is converted into a classification problem based on high-dimensional image features. In the technical solution of the present application, the probability that the normalized feature map belongs to each label of the classifier is therefore calculated to generate the classification result.
Specifically, in an embodiment of the present application, passing the normalized feature map through a classifier to obtain a classification result includes: first, encoding the normalized feature map through one or more fully-connected layers, which make full use of the information at every position in the normalized feature map, to obtain a classification feature vector; then, inputting the classification feature vector into a Softmax classification function to obtain the probability values of the classification feature vector belonging to each classification label; and finally, determining the classification result based on the probability values.
Fig. 4 is a flowchart of obtaining a classification result by passing the normalized feature map through a classifier in the network traffic anomaly detection method applied to the industrial internet according to the embodiment of the present application. As shown in Fig. 4, in the embodiment of the present application, passing the normalized feature map through a classifier to obtain a classification result includes: S210, passing the normalized feature map through one or more fully-connected layers to encode the normalized feature map and obtain a classification feature vector; S220, inputting the classification feature vector into a Softmax classification function to obtain probability values of the classification feature vector belonging to each classification label; and S230, determining the classification result based on the probability values.
In summary, the method for detecting network traffic abnormality applied to the industrial internet according to the embodiment of the present application has been described; it detects abnormal network traffic based on the correlation between the network traffic of the industrial devices connected in the production process. Specifically, during detection, the method samples the network traffic of each single industrial device on a production line at fixed time intervals; then performs linear normalization on the network traffic of each industrial device to account for the traffic differences between devices; splices the network traffic sampled from each industrial device into a data matrix, and passes the data matrix through a convolutional neural network to obtain a feature map; then performs Gaussian normalization on each feature matrix in the feature map to obtain a normalized feature map, which improves the convergence of the data in the subsequent classifier; and finally passes the normalized feature map through a classifier to obtain a classification result indicating whether the current network traffic is abnormal.
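An added illustration (not code from the patent) of steps S120, S130, S150 and S210 to S230 in plain Python. The deep convolutional network of S140 is omitted, so the data matrix stands in for a single feature matrix; the traffic values, function names and hand-set classifier weights are constructed assumptions, and the guards for a paused device (zero range, zero variance) are additions the text does not specify.

```python
import math

LABELS = ("normal", "abnormal")  # the two classification labels named in the text


def linear_normalize(samples):
    """S120: min-max scale one device's samples into [0, 1]."""
    lo, hi = min(samples), max(samples)
    if hi == lo:
        # A paused device reports constant traffic; (x - lo) / 0 is undefined,
        # so the whole window is mapped to 0.0 (assumption, not from the text).
        return [0.0] * len(samples)
    return [(s - lo) / (hi - lo) for s in samples]


def build_data_matrix(traffic, device_order):
    """S130: one row per device, one column per sampling instant (last = current)."""
    rows = [linear_normalize(traffic[d]) for d in device_order]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("every device needs the same number of samples")
    return rows


def gaussian_normalize_rows(matrix, eps=1e-12):
    """S150: x' = (x - mu) / sigma, computed independently for each row."""
    out = []
    for row in matrix:
        mu = sum(row) / len(row)
        sigma = math.sqrt(sum((x - mu) ** 2 for x in row) / len(row))
        if sigma < eps:
            # Constant row: every deviation is 0, so emit zeros instead of 0/0.
            out.append([0.0] * len(row))
        else:
            out.append([(x - mu) / sigma for x in row])
    return out


def softmax(logits):
    """S220: subtract the maximum first so exp() cannot overflow."""
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def classify(feature_matrix, weights, biases):
    """S210-S230: flatten, one fully-connected layer, Softmax, pick the label."""
    vec = [x for row in feature_matrix for x in row]
    logits = [sum(w * x for w, x in zip(ws, vec)) + b
              for ws, b in zip(weights, biases)]
    probs = softmax(logits)
    return LABELS[probs.index(max(probs))], probs


def detect(traffic, device_order, weights, biases):
    """Run S120 -> S130 -> S150 -> S210-S230 on one sampling window."""
    matrix = build_data_matrix(traffic, device_order)
    return classify(gaussian_normalize_rows(matrix), weights, biases)


# --- Constructed sample input (not measurements from the patent) -----------
DEVICES = ("feeding", "manufacturing", "packaging", "detection")
N_SAMPLES = 5
NORMAL_WINDOW = {
    "feeding": [120, 130, 125, 128, 127],
    "manufacturing": [300, 310, 305, 295, 302],
    "packaging": [0, 0, 0, 0, 0],          # paused stage of the line
    "detection": [50, 52, 51, 49, 50],
}
SPIKE_WINDOW = dict(NORMAL_WINDOW, manufacturing=[300, 310, 305, 295, 900])

# Hand-set stand-ins for trained parameters: the "abnormal" logit sums the
# last-column (current-time) values, the "normal" logit is a constant bias.
WEIGHTS = [
    [0.0] * (len(DEVICES) * N_SAMPLES),
    [1.0 if i % N_SAMPLES == N_SAMPLES - 1 else 0.0
     for i in range(len(DEVICES) * N_SAMPLES)],
]
BIASES = [1.0, 0.0]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("spike", SPIKE_WINDOW)):
        label, probs = detect(window, DEVICES, WEIGHTS, BIASES)
        print(name, "->", label, [round(p, 3) for p in probs])
```

In the method as described, the fully-connected weights are learned and the input to S150 is the output of the convolutional network, so the labels printed here only show the mechanics of the surrounding steps.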
Exemplary System
Fig. 5 illustrates a block diagram of a network traffic abnormality detection system applied to the industrial internet according to an embodiment of the present application. As shown in Fig. 5, the system 500 for detecting network traffic abnormality applied to the industrial internet according to the embodiment of the present application includes: a network traffic acquiring unit 510, configured to sample network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to the industrial internet; a preprocessed network traffic generating unit 520, configured to preprocess the sampled network traffic of each industrial device obtained by the network traffic acquiring unit to obtain preprocessed network traffic, where the preprocessed network traffic generating unit 520 is further configured to perform linear normalization on the sampled network traffic of each industrial device obtained by the network traffic acquiring unit; a data matrix generating unit 530, configured to splice the preprocessed network traffic of each industrial device obtained by the preprocessed network traffic generating unit into a data matrix, where a row of the data matrix represents each industrial device, a column represents traffic data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time; a data matrix feature map generating unit 540, configured to pass the data matrix obtained by the data matrix generating unit through a deep convolutional neural network to obtain a feature map corresponding to the data matrix; a normalized feature map generating unit 550, configured to perform Gaussian normalization on each feature matrix in the feature map obtained by the data matrix feature map generating unit to obtain a normalized feature map; and a classification result generating unit 560, configured to pass the normalized feature map obtained by the normalized feature map generating unit through a classifier to obtain a classification result, where the classification result is used to indicate whether the current network traffic of the industrial internet-based production line is abnormal.
In an example, in the system 500 for detecting network traffic anomaly applied to the industrial internet, the normalized feature map generating unit 550 is further configured to: perform Gaussian normalization on each column of each feature matrix in the feature map to obtain a normalized feature map by using the following formula: $x' = (x - \mu)/\sigma$, where x is the value before normalization and x' is the value after normalization.
In one example, in the system 500 for detecting network traffic abnormality applied to the industrial internet, as shown in Fig. 6, the classification result generating unit 560 includes: a classification feature vector generation subunit 561, configured to pass the normalized feature map through one or more fully connected layers to encode the normalized feature map and obtain a classification feature vector; a probability value generating subunit 562, configured to input the classification feature vector obtained by the classification feature vector generation subunit into a Softmax classification function, so as to obtain a probability value that the classification feature vector belongs to each classification label; and a classification result determining subunit 563, configured to determine the classification result based on the probability value obtained by the probability value generating subunit.
In an example, in the system 500 for detecting network traffic anomaly applied to the industrial internet, the classification labels include: the current network traffic of the industrial internet-based production line is normal, and the current network traffic of the industrial internet-based production line is abnormal.
In an example, in the system 500 for detecting network traffic anomaly applied to the industrial internet, the deep convolutional neural network is a deep residual network.
In an example, in the system 500 for detecting network traffic anomaly applied to the industrial internet, the industrial internet-based production line is an automatic production line for plastic bags, and the industrial devices include: feeding equipment, manufacturing equipment, packaging equipment and detection equipment.
Here, it can be understood by those skilled in the art that the specific functions and operations of the respective units and modules in the network traffic abnormality detection system 500 applied to the industrial internet described above have been described in detail in the description of the network traffic abnormality detection method applied to the industrial internet with reference to fig. 1 to 4, and thus, a repetitive description thereof will be omitted.
As described above, the network traffic abnormality detection system 500 applied to the industrial internet according to the embodiment of the present application can be implemented in various terminal devices, such as a server of a network traffic abnormality detection algorithm applied to the industrial internet, and the like. In one example, the network traffic abnormality detection system 500 applied to the industrial internet according to the embodiment of the present application may be integrated into a terminal device as one software module and/or hardware module. For example, the network traffic abnormality detection system 500 applied to the industrial internet may be a software module in an operating system of the terminal device, or may be an application program developed for the terminal device; of course, the network traffic anomaly detection system 500 applied to the industrial internet can also be one of the hardware modules of the terminal device.
Alternatively, in another example, the network traffic abnormality detection system 500 applied to the industrial internet and the terminal device may be separate devices, and the network traffic abnormality detection system 500 applied to the industrial internet may be connected to the terminal device through a wired and/or wireless network and exchange information with it in an agreed data format.
Exemplary electronic device
Next, an electronic apparatus according to an embodiment of the present application is described with reference to fig. 7.
As shown in fig. 7, the electronic device 10 includes at least one processor 11 and at least one memory 12.
The processor 11 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 10 to perform desired functions.
The memory 12 may include at least one computer program product that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. At least one computer program instruction may be stored on the computer-readable storage medium, and the processor 11 may execute the program instruction to implement the network traffic abnormality detection method applied to the industrial internet of the various embodiments of the present application described above and/or other desired functions. Various contents such as feature maps, data matrices, and the like may also be stored in the computer-readable storage medium.
In one example, the electronic device 10 may further include: an input device 13 and an output device 14, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 13 may include, for example, a keyboard, a mouse, and the like.
The output device 14 can output various information including the classification result to the outside. The output devices 14 may include, for example, a display, speakers, a printer, and a communication network and its connected remote output devices, among others.
Of course, for simplicity, only some of the components of the electronic device 10 relevant to the present application are shown in fig. 7, and components such as buses, input/output interfaces, and the like are omitted. In addition, the electronic device 10 may include any other suitable components depending on the particular application.
Exemplary computer program product and computer-readable storage Medium
In addition to the above-described methods and apparatuses, embodiments of the present application may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps of the network traffic anomaly detection method applied to the industrial internet according to various embodiments of the present application described in the above-mentioned "exemplary methods" section of this specification.
The computer program product may be written with program code for performing the operations of embodiments of the present application in any combination of one or more programming languages, including an object-oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present application may also be a computer-readable storage medium having stored thereon computer program instructions, which, when executed by a processor, cause the processor to perform the steps in the network traffic anomaly detection method applied to the industrial internet according to various embodiments of the present application described in the above section "exemplary method" of the present specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having at least one wire, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present application in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present application are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present application. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the foregoing disclosure is not intended to be exhaustive or to limit the disclosure to the precise details disclosed.
The block diagrams of devices, apparatuses, and systems referred to in this application are given only as illustrative examples and are not intended to require or imply that the connections, arrangements, and configurations must be made in the manner shown in the block diagrams. These devices, apparatuses, and systems may be connected, arranged, and configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "and" as used herein mean, and are used interchangeably with, the phrase "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
It should also be noted that in the devices, apparatuses, and methods of the present application, the components or steps may be decomposed and/or recombined. These decompositions and/or recombinations are to be considered as equivalents of the present application.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the application. Thus, the present application is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network flow abnormity detection method applied to industrial Internet is characterized by comprising the following steps:
sampling network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to an industrial internet;
preprocessing the sampled network traffic of each of the industrial devices to obtain preprocessed network traffic, wherein preprocessing the sampled network traffic of each of the industrial devices to obtain preprocessed network traffic includes: carrying out linear normalization processing on the sampled network flow of each industrial device;
splicing the preprocessed network traffic of each industrial device into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents flow data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time;
passing the data matrix through a deep convolutional neural network to obtain a feature map corresponding to the data matrix;
performing Gaussian normalization on each feature matrix in the feature map to obtain a normalized feature map; and
passing the normalized feature map through a classifier to obtain a classification result, wherein the classification result is used for indicating whether the current network traffic of the industrial internet-based production line is abnormal or not.
2. The method for detecting the abnormal network traffic applied to the industrial internet as claimed in claim 1, wherein the step of performing the gaussian normalization on each feature matrix in the feature map to obtain the normalized feature map comprises the following steps:
performing Gaussian normalization on each column of each feature matrix in the feature map to obtain a normalized feature map by using the following formula: $x' = (x - \mu)/\sigma$, where x is the value before normalization and x' is the value after normalization.
3. The method for detecting the network traffic anomaly applied to the industrial internet as claimed in claim 1, wherein the step of passing the normalized feature map through a classifier to obtain a classification result comprises the steps of:
passing the normalized feature map through one or more fully-connected layers to encode the normalized feature map through the one or more fully-connected layers to obtain a classification feature vector;
inputting the classification feature vector into a Softmax classification function to obtain probability values of the classification feature vector belonging to each classification label; and
determining the classification result based on the probability value.
4. The method for detecting network traffic abnormality applied to industrial internet according to claim 3, wherein the classification labels include: the current network traffic of the industrial internet-based production line is normal, and the current network traffic of the industrial internet-based production line is abnormal.
5. The method for detecting network traffic abnormality applied to industrial internet according to claim 1, wherein the deep convolutional neural network is a deep residual network.
6. The method as claimed in claim 1, wherein the industrial internet-based production line is an automatic production line for plastic bags, and the industrial devices include: feeding equipment, manufacturing equipment, packaging equipment and detection equipment.
7. A network flow anomaly detection system applied to industrial Internet is characterized by comprising:
a network traffic acquiring unit for sampling network traffic of a single industrial device on an industrial internet-based production line at predetermined time intervals, wherein each industrial device of the production line is communicably connected to the industrial internet;
a preprocessed network traffic generating unit, configured to preprocess the sampled network traffic of each industrial device obtained by the network traffic acquiring unit, so as to obtain preprocessed network traffic, where the preprocessed network traffic generating unit is further configured to: perform linear normalization on the sampled network traffic of each industrial device obtained by the network traffic acquiring unit;
a data matrix generating unit, configured to splice the preprocessed network traffic of each industrial device obtained by the preprocessed network traffic generating unit into a data matrix, wherein a row of the data matrix represents each industrial device, a column represents the traffic data sampled by a single industrial device at each time point, and the last column represents the current network traffic of each industrial device on the production line at the current time;
a data matrix feature map generating unit, configured to pass the data matrix obtained by the data matrix generating unit through a deep convolutional neural network so as to obtain a feature map corresponding to the data matrix;
a normalized feature map generating unit, configured to perform Gaussian normalization on each feature matrix in the feature map obtained by the data matrix feature map generating unit to obtain a normalized feature map; and
a classification result generating unit, configured to pass the normalized feature map obtained by the normalized feature map generating unit through a classifier so as to obtain a classification result, wherein the classification result is used for indicating whether the current network traffic of the industrial internet-based production line is abnormal or not.
8. The system for detecting abnormality in network traffic applied to the industrial internet as set forth in claim 7, wherein the classification result generating unit includes:
a classification feature vector generation subunit, configured to pass the normalized feature map through one or more fully-connected layers, so as to encode the normalized feature map through the one or more fully-connected layers, so as to obtain a classification feature vector;
a probability value generating subunit, configured to input the classification feature vector obtained by the classification feature vector generating subunit into a Softmax classification function, so as to obtain a probability value that the classification feature vector belongs to each classification label; and
a classification result determining subunit, configured to determine the classification result based on the probability value obtained by the probability value generating subunit.
9. The system for detecting network traffic abnormality applied to industrial internet according to claim 7, wherein the normalized feature map generating unit is further configured to: perform Gaussian normalization on each column of each feature matrix in the feature map to obtain a normalized feature map by using the following formula: $x' = (x - \mu)/\sigma$, where x is the value before normalization and x' is the value after normalization.
10. An electronic device, comprising:
a processor; and
a memory in which computer program instructions are stored, which, when executed by the processor, cause the processor to perform the network traffic abnormality detection method applied to the industrial internet according to any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110532715.1A CN113285938A (en) 2021-05-17 2021-05-17 Network flow abnormity detection method applied to industrial Internet

Publications (1)

Publication Number Publication Date
CN113285938A true CN113285938A (en) 2021-08-20

Family

ID=77279425

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110532715.1A Withdrawn CN113285938A (en) 2021-05-17 2021-05-17 Network flow abnormity detection method applied to industrial Internet

Country Status (1)

Country Link
CN (1) CN113285938A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117544416A (en) * 2023-12-28 2024-02-09 东莞本凡网络技术有限公司 Intelligent internet of things abnormal flow prediction system
CN117544416B (en) * 2023-12-28 2024-04-30 东莞本凡网络技术有限公司 Intelligent internet of things abnormal flow prediction system

Kadiyala et al. Anomaly Detection Using Unsupervised Machine Learning Algorithms
EP4141743A1 (en) Computer-implemented method for generating a trained machine learning model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210820
