CN113722718A - Cloud edge collaborative industrial control network security protection method based on policy base - Google Patents


Info

Publication number: CN113722718A
Authority: CN (China)
Application number: CN202110971368.2A
Other languages: Chinese (zh)
Inventors: 季振洲, 贾东升, 李冲, 和树繁, 孔胜嵩
Current assignee: Harbin Institute of Technology Weihai
Original assignee: Harbin Institute of Technology Weihai
Application filed by Harbin Institute of Technology Weihai
Priority to CN202110971368.2A
Legal status: Pending

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/57 Certifying or maintaining trusted computer platforms)
    • G06F18/2411 Classification techniques relating to the classification model, based on the proximity to a decision surface, e.g. support vector machines (under G06F18/00 Pattern recognition; G06F18/20 Analysing; G06F18/24 Classification techniques; G06F18/241 Parametric or non-parametric approaches)
    • G06N3/006 Artificial life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO] (under G06N3/00 Computing arrangements based on biological models; G06N3/004 Artificial life)
    • G06N3/044 Recurrent networks, e.g. Hopfield networks (under G06N3/02 Neural networks; G06N3/04 Architecture, e.g. interconnection topology)
    • G06N3/045 Combinations of networks (under G06N3/02 Neural networks; G06N3/04 Architecture, e.g. interconnection topology)
    • G06N3/08 Learning methods (under G06N3/02 Neural networks)

Abstract

The invention provides a cloud-edge collaborative industrial control network security protection method based on a policy library. At the cloud end, a generative adversarial network (GAN) whose generative model is a long short-term memory (LSTM) network and whose discriminative model is a novel dendritic network (Dendrite Net, DD) generates a rule library for identifying abnormal conditions; the rules are deployed to the corresponding edge ends, each rule is matched with a corresponding countermeasure, and the result is a cloud-edge collaborative policy library that meets the low-latency security protection requirement of the industrial control network. The edge end comprises a data collection module and a policy library module, and the cloud end comprises a data processing module, a generative adversarial network module, a rule generation module and a rule library module. The rule library and the policy library contain prediction rules generated from the time-series features extracted by the long short-term memory network and identification rules generated by the dendritic network. The policies corresponding to the different rules can be set by an administrator of the industrial control system.

Description

Cloud edge collaborative industrial control network security protection method based on policy base
Technical Field
The invention belongs to the field of anomaly detection for industrial control systems, and in particular relates to a policy library based on cloud-edge collaboration technology that meets the low-latency requirement of industrial control systems with strict safety requirements.
Background
The use of information technology in China's industrial sector touches almost every link of industrial production; industrial control systems have developed very rapidly and have become an indispensable part of modern industrial production in China. However, as industrial control systems become networked and informatized, design vulnerabilities of the original systems are increasingly exposed and the security risks and intrusion threats faced by the systems grow. The types of vulnerabilities include, but are not limited to, communication protocol vulnerabilities, operating system vulnerabilities and application software vulnerabilities, and once an attacker exploits such a vulnerability against industrial control facilities, the lives and property involved in industrial production face serious security challenges. As industrial control systems move from a closed state to large-scale interconnection and intercommunication, attackers gain more attack paths, which brings new security risks to the application of new industrial technologies such as the industrial internet, industrial cloud and industrial big data.
Moreover, with the arrival of the big data era, attack methods change daily and new types of attacks emerge endlessly; industrial control network attacks show a tendency towards generalization, intelligence and complexity, and current industrial control network security protection technology struggles to meet the growing requirements. The main problems are the following:
First, industrial control networks often carry massive data with diverse characteristics, and traditional data processing methods cannot meet the requirements.
Second, although industrial control network data is plentiful, the labelled abnormal data accounts for a very low percentage, which causes great trouble for training the subsequent model.
Third, faced with so much data and increasingly complex deep models, the equipment of industrial control systems and manufacturers either cannot meet the computational requirements or can only do so at significant cost.
Fourth, most existing security protection systems are detection systems with a prediction function that perform well but carry out intrusion detection after the industrial control network has already been attacked.
Fifth, industrial control networks can be attacked from many sources and in many ways, and several kinds of attacks may occur simultaneously; the attack situation is very complex and traditional attack-type identification techniques are difficult to apply.
Sixth, the traditional security protection mode can hardly meet the low latency required by industrial control systems.
At present, existing industrial control network security protection systems cannot solve or account for these problems well.
Disclosure of Invention
The invention aims to solve the problem that existing security protection systems for industrial control systems cannot meet the requirement of low-latency response, and provides a cloud-edge collaborative industrial control network security protection method based on a policy library.
The cloud-edge collaborative industrial control network security protection method based on policy libraries of multiple deep learning models comprises an edge data collection module, a policy library module, a cloud data processing module, a generative adversarial network module, a rule generation module and a rule library module. The edge data collection module and the policy library module are arranged at the edge end, and the cloud data processing module, the generative adversarial network module, the rule generation module and the rule library module are arranged in the cloud, as shown in Fig. 1.
The cloud contains 4 modules:
Data processing module: this module receives data from the data acquisition module and then performs preprocessing such as feature selection and normalization on the data.
Generative adversarial network module: this module feeds the data processed by the data processing module into a generative adversarial network for model training; the generative model is a long short-term memory network, and the multi-classification model is a novel neural network, the dendritic network.
Rule generation module: this module generates corresponding rules according to the results of the generative adversarial network module and transmits the rules to the rule library of the rule library module.
Rule library module: this module comprises the rule library, a fast retrieval algorithm and a function for sending the corresponding rules to the edge.
The edge end contains two modules:
Data acquisition module: while the industrial control system runs, this module collects the corresponding operating data in real time, constructs a historical data set and a real-time data set, and sends them to the data processing module in the cloud and to the policy library module at the edge end, where they are used for identification responses and prediction responses under specific conditions.
Policy library module: this module performs simple data analysis on the data collected by the data acquisition module and judges, according to the rules in the policy library, whether an abnormal condition exists or is about to occur; if so, the corresponding policy can be selected to deal with it.
In practical application, the data collection module at each edge end collects data through the SCADA (supervisory control and data acquisition) system of its application scenario. The data acquisition items mainly comprise real-time operating data and historical data from the industrial control system, plus auxiliary data from other systems such as security situation awareness. The real-time operating data is transmitted periodically to the policy library module for anomaly prediction. When an abnormal condition occurs, the abnormal historical data is transmitted to the policy library module at the edge end for anomaly identification and the corresponding coping policy is adopted; if the policy library has no corresponding entry, the data is transmitted to the cloud generative adversarial network model for training, further perfecting the model, the rule library and the policy library. The auxiliary data assists in generating the policy library.
The data processing module in the cloud works as follows.
First, data normalization is performed:
After normalization, gradient descent finds the optimal solution faster and the precision may improve (normalization ensures that features of different dimensions are comparable in value). The invention applies the min-max normalization method.
Then data features are selected:
The SCADA data set has many indicators, and a large number of irrelevant, redundant and noisy features exist, which greatly affect the accuracy and classification speed of the classifier. Therefore, feature selection is performed first in the data set preprocessing stage. Without prior knowledge it is difficult to know in advance the relevance of features to targets and to each other, or the importance of each feature. Removing irrelevant features and noise before model training reduces the learning difficulty of the model, speeds up model training and testing, makes the model more interpretable, reduces the risk of overfitting and improves the generalization ability of the model. Because several features in the data set are associated with each other, the traditional filter method, which only considers single features and cannot mine the combined effect of different features, is not suitable. In addition, the data set is large, and the traditional wrapper method converges slowly, which greatly affects training and testing time. The ant colony algorithm solves this combinatorial optimization problem by combining the filter and wrapper methods, converges quickly, and is suitable for SCADA data sets with large data volume and many features.
To address the problem that few labelled training samples affect the detection performance of a supervised classification model (in the labelled data of an industrial control system the number of abnormal samples is small compared with the number of normal samples, and may account for only 1% or less of the data set), the cloud generative adversarial network module studies how to apply a generative adversarial network to anomaly detection and proposes, for the first time, an intrusion detection framework based on a generative adversarial network. The framework introduces a long short-term memory network as the generative model in the training stage; the generative model continuously generates samples, expanding the original labelled sample set, and extracts the time-series features of the data. This assists the classification of the anomaly detection model (the dendritic network model), improves the detection accuracy of the model and its ability to recognize intrusion behaviour in multi-classification tasks, and provides an effective way to enhance the generalization ability of the intrusion detection model.
Compared with a traditional neural network, the dendritic network model does not use the classical single-neuron mode (weight times input, then nonlinear mapping) but a novel layer-neuron mode (layer weight times the previous layer's output, multiplied element-wise by the initial input), and supports both multi-classification and regression. Fourier spectra have had important applications in many fields for centuries; in essence, a Fourier spectrum is an amplitude spectrum obtained by trigonometric decomposition of the original function. Besides trigonometric decomposition, mathematics has another well-known decomposition, the Taylor expansion, which is essentially a polynomial decomposition: the original function is decomposed into a combination of polynomial terms, forming a polynomial or causal spectrum that expresses the input-output relationship. The advantages of this network are:
First, the precision is controllable: the structure of the network corresponds to a Taylor expansion in which X is a matrix, and the number of layers L of the network is the degree of the Taylor expansion, so the approximation precision of the Taylor expansion and of the network can be controlled.
Second, the structure is readable: because training stores the mapping relation of a complex system or experimental result in the weights W, each weight entry corresponds to the coefficient of a term in the Taylor expansion, and the variable of that term is a product of powers of different input features, so the causal spectrum of the network can be drawn and used to generate identification rules.
Third, the running speed is 5 to 10 times higher: the forward propagation of the network involves only simple matrix multiplication, so it is much faster than a traditional neural network, and taking backward propagation into account the network runs 5 to 10 times faster than a traditional neural network.
The cloud rule generation module generates rules for predicting anomalies from the time-series features extracted by the LSTM generative model of the generative adversarial network, while the dendritic network multi-classification model selects, according to the peaks in the causal spectra of different anomaly types, the features that most influence the output of that anomaly type, and generates the corresponding anomaly identification rules.
The cloud rule library module integrates and stores the generated rules by category and is equipped with a fast retrieval algorithm and a rule deployment function, so the corresponding rules can be rapidly deployed to the edge ends that need them.
The policy library module at the edge end is the core embodiment of cloud-edge collaborative protection: it receives the rules generated by the cloud and arranges them into a policy library. The module also receives data from the data acquisition module. Real-time data is received periodically, simply processed and analyzed by the module, and matched against the rules of the policy library. If an abnormal condition is predicted, the corresponding policy is issued to the control layer of the industrial control system; if an abnormal condition has occurred, the historical data corresponding to it is sent to the policy library module at the edge end for identification: if a corresponding rule and policy exist, the policy is issued; if no corresponding rule exists, the data related to the abnormal condition is transmitted to the deep learning model in the cloud for training, so as to perfect the deep learning model and the policy library. By combining offline and online learning with cloud-edge collaborative protection, the accuracy of anomaly detection and prediction is improved while the security and real-time requirements of the industrial control network are met.
The cloud-edge collaborative industrial control network security protection method based on a policy library comprises the following steps:
Step 1: data acquisition and preprocessing.
Step 2: expand the abnormal data with a generative adversarial network, extract time-series features with the LSTM generative model, and generate a causal spectrum with the dendritic network discriminative model.
Step 3: generate anomaly prediction and identification rules from the time-series features and the causal spectrum of step 2, respectively.
Step 4: form a rule library from the rules generated in step 3, configure a fast retrieval algorithm and deploy it to the edge end.
Step 5: send the rules of the cloud rule library to the edge ends that need them, and set a corresponding policy for each rule to form a policy library.
Drawings
Fig. 1 is a process block diagram.
Fig. 2 is a diagram of the generative adversarial network framework.
Fig. 3 is a diagram illustrating rule learning.
Fig. 4 is a flow chart of policy library usage.
Detailed Description
This embodiment is a cloud-edge collaborative industrial control network security protection method based on a policy library, comprising the following steps:
Step 1: data acquisition and preprocessing
In practical application, data is acquired by the supervisory control and data acquisition (SCADA) system of each application scenario. The data acquisition items mainly comprise real-time operating data and historical data from the industrial control system, plus auxiliary data from other systems.
First, the data after feature selection is normalized, which helps to accelerate the training of the subsequent model. The invention uses min-max normalization, also known as dispersion normalization, a linear transformation of the raw data that maps the resulting values into [0, 1]. The transfer function is as follows:
[equation image: min-max transfer function]
where max is the maximum value of the sample data and min is the minimum value of the sample data.
The ant colony algorithm may then be used for feature selection on the real-time operating data and the historical data.
First, a fully connected undirected graph $G = \{S, E\}$ is defined, where $S = \{S_1, S_2, S_3, \ldots, S_d\}$ denotes the d features and $E = \{(S_i, S_j) : S_i, S_j \in S\}$ represents the edges, whose weight is the similarity between the features:
[equation image: feature similarity]
Second, the pheromones are initialized; the pheromone matrix is initialized by considering the maximum cosine similarity between each feature and the class label:
[equation image: pheromone initialization]
In each iteration a threshold $t_0$ is set. When a random number is greater than $t_0$, the probability of each candidate feature is calculated according to the following equation
[equation image: candidate feature probability]
and the next feature is selected by the roulette wheel algorithm; when the random number is less than or equal to $t_0$, the feature that maximizes the ratio of pheromone to cost is selected as the next feature:
[equation images: next-feature selection rule and symbol definitions]
where the candidate set represents the features the m-th ant may select next after selecting feature i; $\eta(i, \mu)$ represents the cost between features i and $\mu$; the pheromone term represents the pheromone of a feature; $\alpha$ is the pheromone factor, representing the importance of the pheromone accumulated by the ants; and $\beta$ is the heuristic factor, representing the importance of the heuristic term in feature selection.
After each iteration, the feature set selected by each ant is classified with an SVM classifier, and the top 20% of ants by result ranking update the pheromones according to the following equation:
[equation image: pheromone update]
where the pheromone volatilization factor $\rho$ represents the proportion of pheromone that evaporates at time m+1, and C(i) represents the number of times feature i was selected in each iteration. After a number of iterations, the features of the best-performing ants are selected as the final result.
Step 2: expand the abnormal data with a generative adversarial network, extract time-series features with the LSTM generative model, and generate a causal spectrum with the dendritic network discriminative model.
The generative adversarial network is an optimization problem based on a minimax game mechanism. Let x denote a data sample, p(z) the input of the generative model (a noise distribution, usually Gaussian or uniform), G(z) the mapping from the noise to the generated-sample space, and D(x) the probability that sample x is a real sample rather than a generated one. The optimization problem of the generative adversarial network model is then a max-min problem over the discriminative model and the generative model, and the objective function is defined as follows:
$\min_G \max_D V(D, G) = \mathbb{E}_{x \sim p_{\mathrm{data}}(x)}[\log D(x)] + \mathbb{E}_{z \sim p(z)}[\log(1 - D(G(z)))]$
From the above formula, during training of the generative adversarial network, on the one hand the discriminative model D must be trained continuously to distinguish real samples from generated samples as well as possible, improving the accuracy of discrimination, which is equivalent to maximizing the value of V, i.e. maximizing D(x) and minimizing D(G(z)); on the other hand, the generative model G must be trained so that the samples it generates are as similar as possible to real data samples, which is equivalent to minimizing the value of V, i.e. minimizing D(x) and maximizing D(G(z)). In the training process, one model is fixed while the parameters of the other are updated, and the two are trained in alternating iterations so that each maximizes the error of the other. Finally the two models reach a Nash equilibrium in which both the discriminative model and the generative model obtain their optimal solutions: the generative model can estimate the probability distribution of the real data, and the discriminative model can no longer tell whether an input sample is real or generated, i.e. its classification accuracy equals 50%.
The two core modules of the generative adversarial network are the generative model and the discriminative model. A multi-classification model replaces the traditional discriminative model and classifies the various anomaly types, normal data and fake samples; the output of the generative model is treated as a new class (fake). This extends the standard generative adversarial network into a supervised-learning generative adversarial anomaly detection framework, as shown in Fig. 2. With the generative adversarial network introduced, the generative model can generate samples (fake samples) from a random noise distribution, and these samples are mixed with the original classified labelled training samples to form a new training set, further expanding the original labelled sample set and better assisting the training of the intrusion detection multi-classification model.
The generative model uses a long short-term memory network. LSTM is a special kind of RNN; the difference is that the single recurrent structure of an ordinary RNN has only one state, while the single recurrent structure (also called a cell) of an LSTM has four states. Unlike an RNN, the LSTM recurrent structure maintains a persistent cell state that is passed along and used to decide which information to forget and which to keep passing on. One layer of LSTM consists of a single recurrent structure: the dimension and number of time steps of the input data determine how many times this structure is updated, but the layer is not made of several recurrent structures connected together, so the total number of parameters of an LSTM layer is that of one recurrent unit rather than of several consecutive units.
An LSTM cell consists of an input gate, a forget gate, an output gate and a cell state:
Input gate: determines how much of the network's input data at the current moment needs to be stored in the cell state. Forget gate: determines how much of the cell state of the previous moment needs to be retained at the current moment. Output gate: controls how much of the current cell state needs to be output to the current output value.
The specific steps are as follows:
(1) Using the output $h_{t-1}$ of the previous moment and the current data input $x_t$, obtain $f_t$ through the forget gate:
$f_t = \sigma(W_f \cdot [h_{t-1}, x_t] + b_f)$
(2) Using the output $h_{t-1}$ of the previous moment and the current data input $x_t$, obtain $i_t$ through the input gate and the temporary (candidate) state $\tilde{C}_t$ of the current moment through the cell state:
$i_t = \sigma(W_i \cdot [h_{t-1}, x_t] + b_i)$
$\tilde{C}_t = \tanh(W_C \cdot [h_{t-1}, x_t] + b_C)$
(3) Using the cell state $C_{t-1}$ of the previous cell structure, the forget gate output $f_t$, the input gate output $i_t$ and the candidate state $\tilde{C}_t$, obtain the current cell state $C_t$:
$C_t = f_t * C_{t-1} + i_t * \tilde{C}_t$
(4) Using the output $h_{t-1}$ of the previous moment and the current data input $x_t$, obtain $o_t$ through the output gate, and combine the current cell state $C_t$ with $o_t$ to obtain the final output $h_t$:
$o_t = \sigma(W_o \cdot [h_{t-1}, x_t] + b_o)$
$h_t = o_t * \tanh(C_t)$
The above 4 processes are updated cyclically for each structural unit, giving a practically usable LSTM network. Time-series features are extracted on the basis of this network to serve the subsequent policy generation.
The multi-classifier uses a dendritic network (Dendrite Net, DD). The DD network is simple; the formula of each layer is:
$A^{l} = W^{l,l-1} A^{l-1} \circ X$
where $A^{l-1}$ and $A^{l}$ are the input and output of the module, X is the input of the DD, and $W^{l,l-1}$ is the weight matrix from module l-1 to module l.
$\circ$ is the Hadamard (element-wise) product of matrices, i.e. simple multiplication of the corresponding elements of two vectors or matrices of the same dimension. The Taylor expansion of a scalar function is:
$f(x) = \sum_{n=0}^{\infty} \frac{f^{(n)}(a)}{n!}(x-a)^n$
For the Taylor expansion in tensor form, each layer of the network is essentially multiplied once more by the original data X, which matches the factor $(X-a)^n$, and $W^{l,l-1}$ supplies the coefficient of each term.
The overall training process is shown in Fig. 3. A causal spectrum is then constructed from the correspondence between the weight matrices and the Taylor expansion, and the features that most influence the output category are selected according to the peaks in the causal spectra of the different anomaly types to generate the corresponding anomaly identification rules.
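The layer formula and the causal-spectrum readout above, as an added example that is not the patent's own code: it runs a DD forward pass, expands the trained weights into explicit polynomial coefficients (the causal spectrum), and picks the peak term's features. It assumes $A^0 = X$, hidden modules of width d, a plain linear readout as the last matrix, and constructed toy weights.

```python
import numpy as np


def dd_forward(x, weights):
    """Forward pass of a Dendrite Net (DD).

    x:       input vector X of shape (d,)
    weights: [W^{1,0}, ..., W^{L,L-1}, W_out]; each hidden W must be (d, d)
             so the module output can be multiplied element-wise by X.
    Each hidden module computes A^l = (W^{l,l-1} @ A^{l-1}) o X, so after L
    modules every output is a polynomial of degree L+1 in the input features.
    The last matrix is a plain linear readout without the Hadamard term
    (assumption of this example).
    """
    x = np.asarray(x, dtype=float)
    a = x.copy()                       # A^0 = X
    for w in weights[:-1]:
        a = (w @ a) * x                # layer weight times previous output, then o X
    return weights[-1] @ a


def _linear(w, comps):
    """Apply a weight matrix to a list of per-component polynomials.

    A polynomial is a dict {exponent_tuple: coefficient}; exponent_tuple[i]
    is the power of input feature x_i in that monomial.
    """
    out = []
    for k in range(w.shape[0]):
        acc = {}
        for j, poly in enumerate(comps):
            if w[k, j] == 0:
                continue
            for mono, c in poly.items():
                acc[mono] = acc.get(mono, 0.0) + w[k, j] * c
        out.append(acc)
    return out


def causal_spectrum(weights, d):
    """Expand the DD mapping into monomial coefficients, one dict per output.

    Each dict maps a monomial (tuple of feature exponents) to its coefficient,
    i.e. the Taylor-like term coefficients that are read off the weights.
    """
    # A^0 = X: component j is the monomial x_j with coefficient 1
    comps = [{tuple(int(i == j) for i in range(d)): 1.0} for j in range(d)]
    for w in weights[:-1]:
        lin = _linear(w, comps)
        # Hadamard product with X: component k gains one more power of x_k
        comps = [
            {tuple(e + (1 if i == k else 0) for i, e in enumerate(m)): c
             for m, c in poly.items()}
            for k, poly in enumerate(lin)
        ]
    return _linear(weights[-1], comps)


def evaluate_spectrum(poly, x):
    """Evaluate one output's polynomial at x (cross-check against dd_forward)."""
    return sum(c * np.prod([xi ** e for xi, e in zip(x, mono)])
               for mono, c in poly.items())


def peak_features(poly):
    """Return (monomial, coefficient, feature indices) of the largest |coefficient|,
    i.e. the spectrum peak used to pick the features that matter for one class."""
    mono, coef = max(poly.items(), key=lambda kv: abs(kv[1]))
    return mono, coef, [i for i, e in enumerate(mono) if e > 0]


def toy_weights():
    """Constructed weights: 2 input features, 2 hidden modules, 1 output unit."""
    return [np.array([[1.0, 0.0], [0.0, 1.0]]),
            np.array([[1.0, 1.0], [0.0, 2.0]]),
            np.array([[1.0, -1.0]])]


if __name__ == "__main__":
    W = toy_weights()
    x = [2.0, 3.0]
    spec = causal_spectrum(W, 2)[0]
    print(dd_forward(x, W))          # [-28.]
    print(spec)                      # {(3, 0): 1.0, (1, 2): 1.0, (0, 3): -2.0}
    print(evaluate_spectrum(spec, x))  # -28.0
    print(peak_features(spec))       # ((0, 3), -2.0, [1])
```

The expansion shows the readable structure the text claims: the output is x1^3 + x1*x2^2 - 2*x2^3, and the peak term points at feature 1 as the one to put in the identification rule.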
Step 3: generate anomaly prediction and identification rules respectively from the time-series features and the causal spectrum of step 2.
Time-series features extracted by the LSTM generative model of the generative adversarial network are used to generate rules for predicting anomalies; the dendritic network model constructs causal spectra of the different anomaly types from the correspondence between the weight matrix and the Taylor expansion, and the features with a large influence on the output class are selected according to the peaks in the causal spectra to generate the corresponding anomaly identification rules.
Step 4: form a rule base from the rules generated in step 3, configure a fast retrieval algorithm, and deploy it to the edge terminal.
Step 5: send the rules in the cloud rule base to the edge ends that require them, and set a corresponding policy for each rule to form a policy base.
The working steps of the policy library are shown in figure 4:
Step 1: receive data from the data acquisition module.
Step 2: judge whether the industrial control system is in an abnormal state at this moment; if not, go to step 3, and if so, go to step 4.
Step 3: the edge end periodically receives real-time running data from the industrial control system, performs certain processing on it, and then matches it against the prediction rules in the edge end's policy library. If an abnormal situation is predicted, the corresponding policy is sent to the corresponding industrial control layer; if no abnormal situation is predicted, nothing needs to be done.
Step 4: the industrial control system is now in an abnormal condition; the edge end receives the abnormal data, performs certain processing on it, and then matches it against the anomaly identification rules in the policy library. If the match succeeds, the corresponding policy is sent to the corresponding industrial control layer; if it fails, the abnormal data is uploaded to the cloud model for continued training so as to improve the deep learning model and the policy library.
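The edge-side policy-library flow of steps 1 to 4 above, as an added illustration in Python that is not part of the patent: a rule index keyed by (rule kind, process variable) stands in for the "quick retrieval algorithm", the rule names, thresholds, tags and policies are constructed, and abnormal samples matched by no identification rule are queued for upload to the cloud model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    kind: str                          # "predict": used in the normal state; "identify": used in the abnormal state
    tag: str                           # retrieval key: the process variable the rule is about
    predicate: Callable[[dict], bool]  # rule condition evaluated on a preprocessed sample
    policy: str                        # strategy sent to the industrial control layer on a hit


class PolicyLibrary:
    def __init__(self, rules: List[Rule]) -> None:
        # Fast retrieval: bucket rules by (kind, tag) so a sample only visits rules for its own variable
        self.index: Dict[Tuple[str, str], List[Rule]] = {}
        for r in rules:
            self.index.setdefault((r.kind, r.tag), []).append(r)
        self.cloud_upload_queue: List[dict] = []  # unmatched abnormal data waiting for cloud retraining

    def handle(self, sample: dict, abnormal: bool) -> Optional[str]:
        """Step 2 of the flow: abnormal -> identification matching (step 4), else prediction matching (step 3)."""
        kind = "identify" if abnormal else "predict"
        for r in self.index.get((kind, sample["tag"]), []):
            if r.predicate(sample):
                return r.policy  # send this policy to the corresponding industrial control layer
        if abnormal:
            self.cloud_upload_queue.append(sample)  # no identification rule fits: upload to the cloud model
        return None  # nothing to do (normal state) or nothing known yet (abnormal state)


def trend(values: List[float]) -> float:
    """The 'certain processing' step; here simply the change over the observation window."""
    return values[-1] - values[0]


# Constructed rules and policies (hypothetical); real ones would arrive from the cloud rule base.
CONSTRUCTED_RULES = [
    Rule("P-01", "predict", "pressure", lambda s: trend(s["values"]) > 5.0, "reduce_pump_speed"),
    Rule("I-01", "identify", "pressure", lambda s: s["values"][-1] > 120.0, "open_relief_valve"),
    Rule("I-02", "identify", "flow", lambda s: s["values"][-1] < 1.0, "switch_to_backup_line"),
]


def demo() -> Tuple[List[Optional[str]], int]:
    lib = PolicyLibrary(CONSTRUCTED_RULES)
    results = [
        lib.handle({"tag": "pressure", "values": [90.0, 94.0, 99.0]}, abnormal=False),     # rising: predicted
        lib.handle({"tag": "pressure", "values": [100.0, 100.5, 100.2]}, abnormal=False),  # steady: no action
        lib.handle({"tag": "pressure", "values": [110.0, 118.0, 125.0]}, abnormal=True),   # identified
        lib.handle({"tag": "flow", "values": [10.0, 9.5, 9.8]}, abnormal=True),            # unknown: queued
    ]
    return results, len(lib.cloud_upload_queue)
```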

Claims (5)

1. A cloud-edge collaborative industrial control network security protection method based on a policy base, characterized in that the system comprises four cloud-end modules and two edge-end modules.
The cloud end contains four modules:
a data processing module: the module receives data from the data acquisition module and then performs preprocessing on it, such as feature selection and normalization;
a generative adversarial network module: the module feeds the data processed by the data processing module into a generative adversarial network for model training; the generative model is a long short-term memory network model, and the discriminative model is a novel neural network, the dendritic network;
a rule generation module: generates the corresponding rules from the results of the generative adversarial network module and transmits them to the rule base of the rule base module;
a rule base module: the module comprises a rule base, a fast retrieval algorithm, and the function of sending the corresponding rules to the edge end;
The edge end contains two modules:
a data acquisition module: while an industrial control system runs, the module collects the corresponding running data in real time, constructs a historical data set and a real-time data set, sends them to the data processing module at the cloud end, and sends them to the policy library module at the edge end for identification response and prediction response under specific conditions;
a policy library module: the module performs simple data analysis on the data collected by the data acquisition module and judges, according to the rules in the policy library, whether an abnormal condition exists or is about to occur; if so, the corresponding policy can be selected to deal with it.
2. The data processing module of claim 1, wherein the module employs a cluster of algorithms to perform feature selection on the industrial control data.
3. The generative adversarial network module of claim 1, wherein:
the number of abnormal samples among the labelled samples of the industrial control system is less than the number of normal samples, so the samples are extremely unevenly distributed, which seriously affects the training of subsequent models; a generative adversarial network model is therefore adopted to solve this problem. The generative model adopts a long short-term memory network, which is well suited to anomaly prediction based on the time-series features of the data; the discriminative model is replaced by a multi-classifier built from a dendritic network, and the pseudo-samples produced by the generative model are added as a new class of the multi-classification.
4. The rule generation module of claim 1, wherein the rules are generated based on the time-series features extracted by the long short-term memory network and the causal spectrum generated by the dendritic network.
5. The policy library module of claim 1, wherein the module meets the low-latency requirement of industrial control network security protection and embodies the cloud-edge collaboration technique: it trains a complex deep learning model using the strong computing power of the cloud and generates rules that are deployed at the edge so as to respond quickly to anomalies.
CN202110971368.2A 2021-08-24 2021-08-24 Cloud edge collaborative industrial control network security protection method based on policy base Pending CN113722718A (en)


Publications (1)

Publication Number Publication Date
CN113722718A true CN113722718A (en) 2021-11-30


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389736A (en) * 2021-12-15 2022-04-22 中国电子科技集团公司第三十研究所 Time synchronization safety monitoring method and system based on long-term and short-term memory network
CN115174151A (en) * 2022-06-08 2022-10-11 重庆移通学院 Security policy autonomous formation method based on cloud edge architecture
CN115348100A (en) * 2022-08-22 2022-11-15 中国工商银行股份有限公司 Network intrusion characteristic determination method and device
CN116488949A (en) * 2023-06-26 2023-07-25 中国电子信息产业集团有限公司第六研究所 Industrial control system intrusion detection processing method, system, device and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination