CN113806734B - Condition-based energy generation network attack recovery method against network - Google Patents

Condition-based energy generation network attack recovery method against network Download PDF

Info

Publication number
CN113806734B
CN113806734B CN202110958434.2A CN202110958434A CN113806734B CN 113806734 B CN113806734 B CN 113806734B CN 202110958434 A CN202110958434 A CN 202110958434A CN 113806734 B CN113806734 B CN 113806734B
Authority
CN
China
Prior art keywords
data
condition
training
network
countermeasure network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110958434.2A
Other languages
Chinese (zh)
Other versions
CN113806734A (en
Inventor
赖英旭
田必涛
王一鹏
刘静
孙墨童
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN202110958434.2A priority Critical patent/CN113806734B/en
Publication of CN113806734A publication Critical patent/CN113806734A/en
Application granted granted Critical
Publication of CN113806734B publication Critical patent/CN113806734B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cascade type condition-based energy generation network attack recovery method for resisting a network, which takes a sensor measured value as input in flow data and generates characteristic data by using a trained model; characteristic data generated by the trained condition-based generation countermeasure network is taken as additional information to be spliced with random noise to be taken as input; the absolute error between the recovered data and the real data, the time required for training different models and the space occupied by the different models are counted, and the performance difference between the different models is measured by using the indexes. The condition-based generation countermeasure network model used by the invention can quickly simulate the behavior characteristics of the system during the sign operation, the proposed condition-based energy generation countermeasure network can effectively improve the recovery precision of the measured value, and the designed self-adaptive decision strategy can improve the stability of the recovery of the measured value and reduce the possibility of generating abnormal points.

Description

Condition-based energy generation network attack recovery method against network
Technical Field
The invention belongs to the technical field of network information security, relates to a network attack recovery technology, and particularly relates to a cascaded game-based deep learning model.
Background
With the continuous tight combination of industrialization and informatization, industrial control systems increasingly adopt standardized communication protocols and software and hardware, and realize remote control and operation through the internet. Although the mode obviously improves the efficiency of a complex industrial system, the connection breaks the closure and the specialization of the original system, so that the network security problems such as the lux software attack, the information leakage and the like are rapidly diffused to the industrial control field, and the security of a large number of industrial control related infrastructures is directly influenced. Network attacks against industrial control systems are intended to destroy control-related data in a network physical system, resulting in failure of the control of the physical system. A Programmable Logic Controller (PLC) is a field device in an Industrial Control System (ICS) that can be directly connected to sensors and actuators or other field devices, the main function of which is to monitor and control physical processes. The PLC provides the most effective penetration point for an attacker, since tampering with the data in the PLC can easily bring the physical system to an unstable state and cause significant economic loss and physical equipment damage to the system.
In the face of the increasingly serious operation safety problem of industrial control systems, research on network attack recovery is particularly important. Traditional network attack recovery can be divided into a control theory method and an automaton theory method according to the recovery mechanism. The method of control theory is mainly used for recovering the attacked state estimation by constructing an observer or a parameter estimator based on a process model and combining with a filtering technology, however, the operation behavior of a physical system may become too complex, and it is difficult to construct the observer or the parameter estimator conforming to the characteristics of the system. Furthermore, there may be many unknown factors affecting behavior, which also presents challenges to constructing observers or parameter estimators. The method of the automaton theory constrains the operation behavior of the system by changing the physical structure of the system and designing a corresponding state automaton, thereby realizing the detection and recovery of network attack to a certain extent. However, this method is poor in scalability on the one hand and, on the other hand, since it requires a large number of states to be set, which results in a great effort to be expended for maintaining these states.
As performance of computing devices continues to increase, data-driven methods, i.e., deep learning techniques, gradually become research hotspots in the field of artificial intelligence, and some researchers have applied techniques in the field of deep learning to the field of network attack recovery. The data driving-based method has remarkable generalization to industrial control systems in different fields in the recovery process, and can effectively avoid the difficulty of constructing an observer or a parameter estimator. However, this data-driven based approach tends to take a lot of time in the training phase, and there is the potential for further improvement in accuracy and stability of the results obtained. However, the prior art improves the defect of overlong training time, or further improves the accuracy and stability of the recovery result, so that the problem that the data-driven network attack based recovery technology has very rapid training time but poor recovery accuracy and stability or higher recovery accuracy but overlong training time is caused, which restricts the application of the prior art in the actual scene to a certain extent. Therefore, how to ensure that the system can still normally operate after the system is attacked is a research hotspot in the field of network attack recovery at present.
Disclosure of Invention
The invention aims to solve the technical problems of providing a network attack recovery method and a system for resisting a network based on conditional energy generation, which are used for solving the problems that the existing network attack recovery method is dependent on the modeling accuracy of a physical system in data recovery precision and the existing network attack recovery technology based on deep learning is poor in recovery precision and stability caused by difficult control of the training process.
The technical scheme for solving the technical problems is as follows: a condition-based energy generation network attack recovery method against a network, comprising:
and step 1, taking sensor measured values in the flow data as input, training a condition-based generation countermeasure network, and generating characteristic data by using a trained model.
And 2, taking the characteristic data generated by the training condition-based generating countermeasure network in the step 1 as additional information and splicing with random noise as input, training the condition-based energy generating countermeasure network, comparing the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator by utilizing the adaptive decision strategy after the training round number is greater than a certain threshold value, and selecting the optimal method for recovering the measured value as a means for recovering the measured value finally.
And step 3, evaluating the recovery effect by using the absolute error between the recovery data and the real data, counting the time and the occupied space required by training the data sets with the same size by using different models, and measuring the difference of recovery performance among different models by using the indexes.
Further, the process of training the condition-based generation countermeasure network by using the sensor measurement value in the flow data as input in the step 1 and generating the feature data by using the trained model specifically includes:
step 11, storing the sensor measured value in the flow as a csv file;
step 12, distinguishing whether the data is abnormal or not and marking corresponding labels;
step 13, constructing a condition-based generation countermeasure network;
step 14, training a discriminator;
step 15, controlling the number of training generators in each round according to the number of the real samples played in step 12 according to the data of each batch;
and step 16, if the model is trained, generating the characteristic data of the system by utilizing the condition-based generation countermeasure network model.
Further, in the step 2, the feature data generated by the training condition-based generating countermeasure network in the step 1 is taken as additional information and spliced with random noise to be input, the training condition-based energy generating countermeasure network is used, when the training round number is greater than a certain threshold value, the mean square error between the measured value generated by the adaptive decision strategy comparison generator and the measured value reconstructed by the discriminator is utilized, and a specific flow of the method for selecting the best recovered measured value as a means for finally recovering the measured value comprises:
Step 21, splicing the data generated by the condition-based generation countermeasure network as additional information with the randomly generated noise as an input of a condition-based energy generation countermeasure network generator;
step 22, constructing a condition-based energy generation countermeasure network;
step 23, controlling the number of training generators in each round according to the number of real samples in each batch of samples;
step 24, controlling the number of training discriminators in each round according to the number of real samples in each batch of samples;
step 25, comparing whether the mean square error of the generated data is smaller than the mean square error of the reconstructed data or not after the training round number is larger than a certain threshold value;
and step 26, selecting an optimal mode as a final recovery mode by utilizing an adaptive decision strategy.
Further, in the step 3, the recovery effect is evaluated by using the absolute error between the recovery measured value and the real measured value, the time and the occupied space required for training the data sets with the same size by different models are counted, and the difference of the recovery performance of the different models is measured by using the indexes specifically includes:
step 31, calculating an absolute error between the recovered measured value and the actual measured value;
step 32, counting training time lengths of different models;
Step 33, recording the storage space of the program code and the model.
Based on the method, the technical scheme of the invention also comprises a cascade type condition-based energy generation network attack recovery system for resisting the network, which comprises the following steps:
and the condition-based generation countermeasure network simulation system operation module is used for taking sensor measurement values expressed in flow data as input, training the condition-based generation countermeasure network and generating characteristic data by using the trained model.
The data recovery module of the condition-based energy generation type countermeasure network is used for taking the characteristic data generated by the trained condition-based generation type countermeasure network as additional information and splicing with random noise as input, training the condition-based energy generation type countermeasure network, comparing the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator by utilizing the adaptive decision strategy after the training round number is larger than a certain threshold value, and selecting the optimal method for recovering the measured value as a means for finally recovering the measured value.
The model-based evaluation module is used for evaluating the recovery effect by utilizing the absolute error between the recovery data and the real data, counting the time and the occupied space required by training the data sets with the same size by different models, and measuring the difference of recovery performance among different models by utilizing the indexes.
Further, the simulation system operation module based on the condition generation type countermeasure network comprises:
and the data conversion module is used for converting the part representing the sensor measurement value in the flow data into a decimal expression form and labeling each data according to whether the data is attacked or not, thereby taking the data as a training sample.
The condition-based generation countermeasure network module is used for simulating the normal running behavior of the system and generating characteristic data of the system by using the trained model.
Further, the data recovery module of the condition-based energy generating type countermeasure network includes:
and a construction generator input module for utilizing the condition-based generation of system characteristic data against the network generation in combination with the randomly generated noise as an input to the condition-based energy generation against the network generator.
The condition-based energy generation antagonism network training module is used for converging the model to the expected performance according to the training samples and recovering the measured value by using the trained model.
An adaptive decision strategy module for comparing the mean square error between the measurements generated by the generator and the reconstructed measurements by the discriminator, and selecting the best method of recovering the measurements as a means of recovering the final measurements.
Further, the model evaluation module includes:
and the measured value precision evaluation module is used for calculating absolute errors between measured values generated by different models and real measured values.
And the space-time loss evaluation module is used for counting the training time required by different models to apply the same number of data sets and the storage space required by generating the total of the models and codes.
The beneficial effects of the invention are as follows:
1. the invention proposes a cascade of generation against the network to recover network attacks. According to the method, the condition-based generation countermeasure network and the condition-based energy generation countermeasure network are superimposed, and the characteristics of the measured value of the register in the normal operation of the system are rapidly mastered by the condition-based generation countermeasure network in the operation condition stage of the simulation system, so that the operation effect of the simulation system is achieved. In the data recovery stage, a condition-based energy generation countermeasure network is used, characteristic data generated by a generator trained by the condition-based energy generation countermeasure network is used as additional information to be input, the fitting direction of a constraint model is used, mean square errors of recovery data generated by the generator and reconstructed data and target data of a discriminator are respectively compared after training is completed, and the mode with smaller mean square error is selected as the mode of final recovery data, so that expected data recovery precision is achieved. Experimental results demonstrate that the methods presented herein have higher recovery accuracy and stability than conventional methods. In addition, the method also well limits the time required to train the model.
2. The invention improves the traditional energy-based generation countermeasure network and introduces additional information. The extra information enables the model to have a certain direction guide in the training process, so that the model can be quickly converged on a desired target, and meanwhile, the accuracy of a model recovery value is improved. Experimental results demonstrate that such energy-based generation of additional information has higher accuracy of recovery data against the network.
3. The invention designs a self-adaptive decision strategy to select the optimal recovery data mode as the recovery mode so as to ensure that the mode with the best recovery effect is selected for recovery. The method takes as input the generated data generated by the generator of the condition-based energy generation countermeasure network and the reconstructed data obtained after the generated data passes through the automatic encoder, and selects a mode with a smaller accumulated value as a recovery method by comparing the accumulated magnitude of the mean square error between different recovery results and real data in the last 10 rounds.
Drawings
FIG. 1 is a flow chart of a method for recovering network attacks against a network based on condition-based energy generation according to the present invention;
FIG. 2 is a flow chart of training a condition-based generation countermeasure network according to a first embodiment of the invention;
FIG. 3 is a schematic flow chart of constructing a condition-based energy generation countermeasure network and implementing an adaptive decision strategy according to a first embodiment of the present invention;
FIG. 4 is a flow chart of measuring recovery performance of different models by using absolute error between recovery measurement value and actual measurement value, training time required by different models and storage space required to be occupied in the first embodiment of the present invention;
FIG. 5 is a diagram showing experimental results of recovery results of measured values in different registers by different models in a second embodiment of the present invention;
FIG. 6 is a graph of experimental results of absolute errors between recovery results of measured values in different registers and corresponding real measured values by different models in a second embodiment of the present invention;
FIG. 7 is a graph of experimental results of a confidence interval plot of recovery results of different models for measurements in different registers in a second embodiment of the present invention;
FIG. 8 is a graph of experimental results of absolute error box diagrams between recovery results of measured values in different registers and corresponding real measured values by different models in a second embodiment of the present invention;
fig. 9 is a diagram of experimental results of the influence of the cascade-type condition-based energy generation on the accuracy and stability of the measured value recovery by the adaptive decision strategy applied to the countermeasure network in the second embodiment of the present invention.
FIG. 10 shows training time and memory space required for code and model preservation required for training the same number of data sets for different models in the second embodiment of the present invention.
Detailed Description
The principles and features of the present invention are described below with reference to the drawings, the examples being provided for the purpose of illustrating the invention and not for the purpose of limiting the scope of the invention.
Example 1
As shown in fig. 1, the first embodiment is a cascade-type condition-based energy generation countermeasure network method, which is composed of three steps: the training can simulate the condition-based generation countermeasure network model of the normal running condition of the system, establish the condition-based energy generation countermeasure network model and implement the self-adaptive decision strategy, and evaluate the recovery performance of different models by utilizing the absolute error between the recovered measured value and the real measured value and the space-time loss caused by the models. The specific contents are described as follows:
and step 1, taking sensor measured values in the flow data as input, training a condition-based generation countermeasure network, and generating characteristic data by using a trained model.
And 2, taking the characteristic data generated by the training condition-based generating countermeasure network in the step 1 as additional information and splicing with random noise as input, training the condition-based energy generating countermeasure network, comparing the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator by utilizing the adaptive decision strategy after the training round number is greater than a certain threshold value, and selecting the optimal method for recovering the measured value as a means for recovering the measured value finally.
And step 3, evaluating the recovery effect by using the absolute error between the recovery measured value and the real measured value, counting the time and the occupied space required by training the data sets with the same size by using different models, and measuring the difference of recovery performance among different models by using the indexes.
As shown in fig. 2, the specific contents of training the condition-based generation countermeasure network and generating the feature data using the trained model are as follows, using the sensor measurement value in the flow data as input in the above step 1:
step 11, storing the sensor measurement value in the flow as csv file: in this process, the data field portion of the conventional network traffic data will be converted into csv file to meet the input requirements of the neural network. The method comprises the steps of screening bytes representing the measurement values of the sensor, and obtaining corresponding decimal values according to corresponding conversion rules. The conversion rule is to convert hexadecimal numbers of a data field part in the flow data into binary numbers, and then convert the corresponding binary numbers into corresponding floating point numbers according to the IEEE754 standard to store the floating point numbers in the csv file.
Step 12, distinguishing whether the data is abnormal or not and marking the corresponding label: in order to lead the model to have a certain target direction during training, the flow information processed in the last step is ordered according to time, corresponding labels representing normal or attack are marked according to whether the data are abnormal or not, and then the labels representing whether the data are abnormal or not are taken as priori knowledge to be input into training together with the obtained data.
Step 13, constructing a condition-based generation countermeasure network: since the construction of observers and parameter estimators conforming to the behavior characteristics of a physical system requires detailed knowledge of the system's operation and setting of corresponding parameters according to the specific situation, there are many unknown factors that affect the system behavior. Thus, when the input data is disturbed, the output we get may be a result of nothing to do with the behavioral characteristics of the system. The condition-based generation countermeasure network is able to generate relevant meaningful data for any input, thereby overcoming this disadvantage. Meanwhile, in order to save the time required by model training as much as possible, the invention fully uses the full connection layer when designing the condition-based generation countermeasure network model, and reduces the number of layers of the full connection layer and the unit number of each layer to reduce the storage loss caused when the model is stored.
Step 14, training the discriminator: and (3) packaging the data obtained in the step (11) and the data labels obtained in the step (12) in batches, splicing the data and the labels in a training model stage, and sending the data and the labels into the discriminator constructed in the step (13) as input data.
Step 15, training generator: noise is randomly generated according to the batch in the training process and is spliced with labels representing false data meanings, and the noise is used as input data to be sent into the generator constructed in the step 3.
Step 16, judging the cycle times of the generator: in the training stage, the data read from the csv file are packaged according to batches, and the cycle times of the generator in the condition-based generation countermeasure network in each round are controlled according to the number of normal data in each batch, so that the generator can extract the data characteristics more quickly and efficiently.
Step 17, outputting a generation characteristic: and after training is finished, taking the recovery data generated by the generator as the data characteristics of the system in normal operation.
As shown in fig. 3, in step 2, the feature data generated by the training condition-based generating countermeasure network in step 1 is taken as additional information and spliced with random noise to be input, the condition-based energy generating countermeasure network is trained, and when the number of training rounds is greater than a certain threshold, the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator is compared by using the adaptive decision strategy, and the specific content of the method for selecting the best recovered measured value as the means for finally recovering the measured value is as follows:
step 21, constraint of the fitting direction of the model by using the data features obtained by the condition-based generation countermeasure network as additional information: the condition-based generation of the characteristic data generated by the countermeasure network can reflect the approximate characteristic range of the sensor measured value when the system is in normal operation, so that the condition-based energy is used as additional information of the generator of the countermeasure network, and the model can be converged more quickly.
Step 22, constructing a condition-based energy generation countermeasure network: the result obtained by the conventional discriminator in the generation countermeasure network is a [0,1 ]]The probability value between them represents the data for which the current data is judged as real data by the discriminator. In the condition-based energy generation countermeasure network, an automatic encoder is used to replace a discriminator in the traditional sense, which is used for reconstructing data, and the mean square error is used as a loss function so as to adjust the profile of model fitting more accurately. On this basis, the training process of the model is guided by introducing additional information. Wherein y is k Representing the kth output result of the neural network, t k The k-th scalar result representing training data is expressed as follows:
step 23, training generator: the feature data generated by the condition-based generation countermeasure network is combined with the generated random noise as the input data as additional information, and is fed into the generator constructed in step 22.
Step 24, judging the cycle times of the generator: in the training phase, feature data generated by a condition-based generation countermeasure network is combined with random noise as input, and the number of cycles of the generator in the condition-based energy generation countermeasure network in each round is controlled according to a mean square error between the data generated by the generator and the data reconstructed by the discriminator.
Step 25, training the discriminator: the generated data and training data of the second stage generator are input and respectively spliced with the respective labels and then fed into the discriminator constructed in step 22.
Step 26, judging the cycle times of the discriminator: during the training phase, the data read from the csv file is packaged in batches, and the number of cycles in each round of the discriminators in the energy-based condition generation countermeasure network is controlled according to the amount of normal data in each batch.
Step 27, determining an output form according to the mean square error: since the energy-based condition generates recovery data against the output of the discriminator in the network, rather than the conventional probability. Thus, the smaller approach is chosen as the approach of the last recovered data by accumulating the recovered data reconstructed by the discriminator and the mean square error between the recovered data generated by the generator and the target data over the course of the training.
Step 28, outputting final recovery data: after the training is completed, final recovery data is generated according to the recovery scheme determined in step 27.
As shown in fig. 4, in the above step 3, the recovery effect is evaluated by using the absolute error between the recovery measurement value and the actual measurement value, and the time and the space required for training the data sets with the same size by using different models are counted, and the specific content of the recovery performance of the different models is measured by using these indexes is as follows:
Step 31, calculating an absolute value of an absolute error between the recovered data and the real data: the accuracy of recovery of the methods presented herein is measured by calculating the absolute error between the recovered data for 5 time steps in the future and the actual data for 5 time steps in the future of the system using the methods presented herein. Wherein y is k Recovery data, t, obtained for a kth time step in the future of the model k The expression form of the absolute error for the target result of the kth time step in the future of the training data of the target system is as follows:
E=yk-tk
step 32, counting training process time length: with the built-in time function of python, a time is recorded in milliseconds at the beginning and end of the training, respectively, the difference being the duration of the training process.
Step 33, recording the storage space required by the program code and the model: the size of the occupied storage space is recorded by looking up the attributes of the program code and saving the attributes of the model.
Based on the above method for recovering the network attack of the condition-based energy generation countermeasure network, the present example also provides a corresponding cascaded system for recovering the network attack of the condition-based energy generation countermeasure network, which comprises the following steps:
And the condition-based generation countermeasure network simulation system operation module is used for taking sensor measurement values expressed in flow data as input, training the condition-based generation countermeasure network and generating characteristic data by using the trained model.
The data recovery module of the condition-based energy generation type countermeasure network is used for taking the characteristic data generated by the trained condition-based generation type countermeasure network as additional information and splicing with random noise as input, training the condition-based energy generation type countermeasure network, comparing the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator by utilizing the adaptive decision strategy after the training round number is larger than a certain threshold value, and selecting the optimal method for recovering the measured value as a means for finally recovering the measured value.
The model-based evaluation module is used for evaluating the recovery effect by utilizing the absolute error between the recovery data and the real data, counting the time and the occupied space required by training the data sets with the same size by different models, and measuring the difference of recovery performance among different models by utilizing the indexes.
The described condition-based simulation system operation module of the generated countermeasure network comprises: the data conversion module is used for converting a part representing the sensor measurement value in the flow data into a decimal expression form, labeling each data according to whether the data is attacked or not, and taking the data as a training sample; the condition-based generation countermeasure network module is used for simulating the normal running behavior of the system and generating characteristic data of the system by using the trained model.
The described condition-based energy generation type data recovery module of an countermeasure network includes: a construction generator input module for utilizing the condition-based generation of system characteristic data against the network generation to splice with the randomly generated noise as an input to the condition-based energy generation against the network generator; a condition-based energy generation countermeasure network training module for converging the model to an expected performance based on the training samples and recovering the measurements using the trained model; an adaptive decision strategy module for comparing the mean square error between the measurements generated by the generator and the reconstructed measurements by the discriminator, and selecting the best method of recovering the measurements as a means of recovering the final measurements.
The described model evaluation module comprises: and the measured value precision evaluation module is used for calculating absolute errors between measured values generated by different models and real measured values. And the space-time loss evaluation module is used for counting the training time required by different models to apply the same number of data sets and the storage space required by generating the total of the models and codes.
Example two
In the second embodiment, the recovery data obtained by using the conventional energy-based generation countermeasure network and the cascade type countermeasure network with different training rounds are used as a reference, then the industrial network flow is used for experimental verification, the recovery data obtained by the method provided herein are compared, and the training time, the occupation condition of the storage space and the accuracy of the recovery data of different models are respectively compared.
Fig. 5 and 6 show five models and recovery accuracy over time for different register measurements. The results in the analysis table can find that the model proposed herein is significantly better in terms of recovery accuracy and stability than the generation of an countermeasure network and the cascade of different training rounds of energy-based generation of the countermeasure network. The reason for this is that: the traditional structure for generating the countermeasure network totally uses a full connection layer, and a convolution layer is not added, so that the model is not well mastered on the running characteristics of the system, and the recovery precision of the trained model is unstable. While the cascade energy-based generation countermeasure network introduces a roll layer, the fitting process of the model cannot be constrained in the training process, which can make the generated result too free and take more time to achieve the expected effect. The method firstly simulates the system behavior through the generation of the countermeasure network based on the conditions, and takes the generated characteristic data as additional information to serve as the input of the countermeasure network generated by the energy based on the conditions, so that the model is more accurate in grasping the running condition of the system, and the recovery accuracy of the model is higher and more stable. Experimental results indicate that such cascaded condition-based energy generation as proposed herein is more advantageous against networks in terms of recovery from cyber attacks.
Fig. 7 shows the variation of the different models in recovering the measured values. The changes to the three recovery methods are highlighted in the subgraph. The abscissa represents the variation of the same attribute measurement over time and the ordinate represents the recovered measurement. The solid line shows the trend of the actual measurement over time, the dashed line shows the trend of the recovery measurement of the different models, and the vertical line shows the confidence interval at α=95%. Furthermore, the recovery measurements of the proposed cascade condition-based energy generating countermeasure network are closer to the actual value than the generating countermeasure network and the cascade energy-based generating countermeasure network. Fig. 7 shows that after 25 iterations, our proposed method produces more accurate results than the generation of the challenge network and the cascaded energy-based generation of the challenge network after 25 and 50 iterations. In training with 100 iterations, the result of the cascade energy-based generation of the countermeasure network is slightly worse than our 25 iterations. It can be seen that the recovery measurements of our model are highly stable. Therefore, the method can effectively relieve the influence of network attacks on the industrial control system.
Fig. 8 shows the difference between the actual measured values and the recovered measured values for the different models. Here we can visually see the measured value recovery performance of the different models through the box plot. As shown in fig. 8 (a), the absolute error range of the cascade type condition-based energy generation countermeasure network is [0.014,0.097], the absolute error range of the generation countermeasure network is [0.0128,7.570], the absolute error range of the cascade type energy generation countermeasure network for the iterations 25, 50,100 times is [0.086,2.048], [0.057,0.148], [0.011,0.118], and as can be seen by comparing the absolute errors, the performance of the cascade type condition-based energy generation countermeasure network is always better than the generation countermeasure network. In addition, the absolute error of our model is reduced by at most about 7.5 and 2.0 with the same number of training cycles. Furthermore, we propose a method that is significantly superior to other methods in mean and outliers.
Figure 9 shows the accuracy of measurement recovery with or without the use of adaptive decision strategies in a cascaded condition-based energy generation countermeasure network. As can be seen from the box diagram, the absolute error between the recovered measured value and the actual measured value is obviously reduced, and the outlier of the generated measured value is also reduced after the self-adaptive decision strategy is adopted. This shows that the adaptive decision strategy improves the accuracy of measurement recovery and the stability of measurement recovery to some extent.
Fig. 10 (a) illustrates the time duration spent by a conventional generation countermeasure network, a cascade-type energy-based generation countermeasure network, and the model training phase of the method presented herein. Analysis of the results in the graph can reveal the time it takes to generate the energy-based generation of the countermeasure network and the methods presented herein in tandem with the generation of the countermeasure network model training phase. Experimental results indicate that 5923s is required in total to generate the challenge network training. The cascaded energy-based generation countermeasure network requires 5028s, 9210s and 16661s, respectively, in 25, 50 and 100 epoch iterative training, whereas the method presented herein requires 4858s. The reason for this is that: in the traditional structure for generating the countermeasure network, all the full-connection layers are adopted, and a large amount of time can be saved in the training process by the full-connection layers, but the required training time is increased due to the fact that the number of layers of the full-connection layers is too large. The cascade energy-based generation countermeasure network is characterized in that on one hand, a large amount of calculation is needed due to the possession of a coil base layer, and on the other hand, the model cannot be quickly converged due to the fact that the fitting direction is not restrained in the training process, so that the training time is long. The method proposed herein uses convolution layers instead of part of the fully connected layers in the structure of the model, although this results in a somewhat increased training time. However, in order to reduce training time as much as possible, the method proposed herein reduces the number of convolution layers in the condition-based energy generation countermeasure network as much as possible in the data recovery phase, and uses all the full connection layers in the condition-based generation countermeasure network during the simulation of the system operation behavior, so as to reduce the time required for model training time as much as possible, and experimental results also prove that.
Fig. 10 (b) illustrates the storage space occupied by a conventional generation countermeasure network, a cascade of energy-based generation countermeasure networks, and a model of the method presented herein. Experimental results indicate that 2735kB and 2393kB are required to generate program code and model parameters for the countermeasure network, whereas 2505kB is required for the method presented herein. This suggests that our proposed model does not consume much memory space. The reason for this is that: conventional generation of the countermeasure network not only requires the use of a large number of fully connected layers in order to achieve good results, but also requires as many neurons in each fully connected layer as possible, which results in the need to save a large number of weights when saving the model. The method described herein reduces the number of layers of the fully connected layer and the number of neurons in each layer as much as possible, and replaces part of the fully connected layer with a convolution layer, which reduces the required memory space, as also demonstrated by experimental results.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (7)

1. A method for recovering network attacks against a network by cascading condition-based energy generation, comprising:
step 1, taking sensor measured values in flow data as input, training a condition-based generation countermeasure network, and generating characteristic data by using a trained model;
step 2, the characteristic data generated by the training condition-based generating countermeasure network in the step 1 is taken as additional information to be spliced with random noise to be input, the condition-based energy generating countermeasure network is trained, after the training round number is larger than a certain threshold value, the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator is compared by utilizing the self-adaptive decision strategy, and the method for optimally recovering the measured value is selected to be taken as a means for finally recovering the measured value;
step 3, evaluating the recovery effect by using the absolute error between the recovery data and the real data, counting the time and the occupied space required by training the data sets with the same size by using different models, and measuring the difference of recovery performance among different models by using the indexes;
the step 1 of representing the flow data as a sensor measurement value as an input specifically includes:
Step 11, storing the sensor measurement value in the flow as csv file: the data field part in the traditional network flow data is converted into a csv file to meet the input requirement of the neural network; screening bytes representing the measurement value of the sensor, and obtaining corresponding decimal values according to corresponding conversion rules; the conversion rule is to convert hexadecimal numbers of a data field part in the flow data into binary numbers, then convert the corresponding binary numbers into corresponding floating point numbers according to an IEEE754 standard and store the floating point numbers in a csv file;
step 12, distinguishing whether the data is abnormal or not and marking the corresponding label: in order to lead the model to have a certain target direction during training, the flow information processed in the previous step is ordered according to time, corresponding labels representing normal or attack are marked according to whether the data are abnormal or not, and then the labels representing whether the data are abnormal or not are used as priori knowledge to be input into training together with the obtained data;
the generating the countermeasure network based on the condition in the step 1 is trained, and the generating the characteristic data by using the trained model specifically comprises the following steps:
step 13, constructing a condition-based generation countermeasure network: when the condition-based generation countermeasure network model is designed, all the full-connection layers are used, and the number of layers of the full-connection layers and the number of units of each layer are reduced to reduce the storage loss caused by storing the model;
Step 14, training the discriminator: packaging the data obtained in the step 11 and the data label obtained in the step 12 in batches, splicing the data and the label in a training model stage, and sending the data and the label into the discriminator constructed in the step 13 as input data;
step 15, training generator: randomly generating noise according to batches in the training process, splicing the noise with labels representing false data meanings, and sending the noise serving as input data into a generator constructed in the step 3;
step 16, judging the cycle times of the generator: in the training stage, the data read from the csv file are packaged according to batches, and the cycle times of the generator in the condition-based generation countermeasure network in each round are controlled according to the number of normal data in each batch;
step 17, outputting a generation characteristic: after training is finished, taking the recovery data generated by the generator as the data characteristics of the system in normal operation;
in the step 2, the step of using the characteristic data generated by the trained condition-based generation countermeasure network as the additional information and splicing with random noise as the input specifically includes:
step 21, constraint of the fitting direction of the model by using the data features obtained by the condition-based generation countermeasure network as additional information: the condition-based generation of the characteristic data generated by the countermeasure network can reflect the approximate characteristic range of the sensor measurement values during normal operation of the system, thereby serving as additional information of the condition-based energy generation of the generator of the countermeasure network.
2. The method for recovering network attacks on a cascaded condition-based energy generation countermeasure network according to claim 1, wherein training the condition-based energy generation countermeasure network in step 2 specifically includes:
step 22, constructing a condition-based energy generation countermeasure network: the result obtained by the conventional discriminator in the generation countermeasure network is a [0,1 ]]Probability values between the two represent data of which the current data is judged to be real data by the discriminator; in the condition-based energy generation countermeasure network, an automatic encoder is used for replacing the discriminator, the automatic encoder is used for reconstructing data, and the mean square error is used as a loss function so as to more accurately adjust the profile fitted to the model; on the basis, the training process of the model is guided by introducing additional information; wherein y is k Representing the kth output result of the neural network, t k The k-th scalar result representing training data is expressed as follows:
step 23, training generator: combining the feature data generated by the condition-based generation countermeasure network as additional information with the generated random noise as input data, and sending the combined data into the generator constructed in the step 22;
Step 24, judging the cycle times of the generator: in the training stage, characteristic data generated by a condition-based generation countermeasure network is combined with random noise as input, and the number of cycles of a generator in the condition-based energy generation countermeasure network in each round is controlled according to the mean square error between the data generated by the generator and the data reconstructed by the discriminator;
step 25, training the discriminator: inputting the generated data and training data of the second stage generator, respectively splicing the generated data and training data with the labels, and then sending the spliced data and training data into the discriminator constructed in the step 22;
step 26, judging the cycle times of the discriminator: during the training phase, the data read from the csv file is packaged in batches, and the number of cycles in each round of the discriminators in the energy-based condition generation countermeasure network is controlled according to the amount of normal data in each batch.
3. The method for recovering network attacks against a network according to claim 1, wherein in the step 2, after the number of training rounds is greater than a certain threshold, the method for selecting the best recovered measured value as the final recovered measured value by using the mean square error between the measured value generated by the adaptive decision strategy comparison generator and the reconstructed measured value by the discriminator specifically comprises:
Step 27, determining an output form according to the mean square error: the reconstructed recovery data and the mean square error between the recovery data generated by the generator and the target data are continuously accumulated in the training process, and a smaller mode is selected as the mode of the final recovery data;
step 28, outputting final recovery data: after the training is completed, final recovery data is generated according to the recovery scheme determined in step 27.
4. The method for recovering network attacks against a network according to claim 1, wherein in the step 3, the recovery effect is evaluated by using the absolute error between the recovered data and the real data, the time and the space required for training the data sets with the same size by using different models are counted, and the difference of recovery performance between different models is measured by using the indexes specifically comprises:
step 31, calculating an absolute value of an absolute error between the recovered data and the real data: the recovery precision of the method is measured by calculating the absolute error between the recovery data of 5 time steps in the future and the real data of 5 time steps in the future of the system; wherein y is k Recovery data, t, obtained for a kth time step in the future of the model k The expression form of the absolute error for the target result of the kth time step in the future of the training data of the target system is as follows:
E=y k -t k
step 32, counting training process time length: using a built-in time function of python, taking millisecond as a unit, and respectively recording a time at the beginning and the end of training, wherein the difference value is the duration of the training process;
step 33, recording the storage space required by the program code and the model: the size of the occupied storage space is recorded by looking up the attributes of the program code and saving the attributes of the model.
5. A cyber attack recovery system for implementing the method of claim 1 in tandem with condition-based energy generation against a network, comprising:
a condition-based generation countermeasure network simulation system operation module for training the condition-based generation countermeasure network with sensor measurement values expressed as flow data as input, and generating feature data with a trained model;
the data recovery module of the energy generation type countermeasure network based on the condition is used for taking the characteristic data generated by the trained condition generation type countermeasure network as additional information to be spliced with random noise as input, training the energy generation type countermeasure network based on the condition, comparing the mean square error between the measured value generated by the generator and the measured value reconstructed by the discriminator by utilizing the self-adaptive decision strategy after the training round number is larger than a certain threshold value, and selecting the optimal method for recovering the measured value as a means for recovering the measured value finally;
The model-based evaluation module is used for evaluating the recovery effect by utilizing the absolute error between the recovery data and the real data, counting the time and the occupied space required by training the data sets with the same size by different models, and measuring the difference of recovery performance among different models by utilizing indexes.
6. The cyber attack recovery system of the cascaded condition-based energy generation countermeasure network of claim 5, wherein the condition-based countermeasure network simulation system operation module includes:
the data conversion module is used for converting a part representing the sensor measurement value in the flow data into a decimal expression form, labeling each data according to whether the data is attacked or not, and taking the data as a training sample;
the condition-based generation countermeasure network module is used for simulating the normal running behavior of the system and generating characteristic data of the system by using the trained model.
7. The system for recovering network attacks on a cascaded condition-based energy-generating countering network of claim 6, wherein the condition-based energy-generating countering network data recovery module comprises:
A construction generator input module for utilizing the condition-based generation of system characteristic data against the network generation to splice with the randomly generated noise as an input to the condition-based energy generation against the network generator;
a condition-based energy generation countermeasure network training module for converging the model to an expected performance based on the training samples and recovering the measurements using the trained model;
an adaptive decision strategy module for comparing the mean square error between the measurement values generated by the generator and the reconstructed measurement values by the discriminator, and selecting the best method for recovering the measurement values as a means for recovering the measurement values finally;
the model-based evaluation module includes:
the measured value precision evaluation module is used for calculating absolute errors between measured values generated by different models and real measured values;
and the space-time loss evaluation module is used for counting the training time required by different models to apply the same number of data sets and the storage space required by generating the total of the models and codes.
CN202110958434.2A 2021-08-20 2021-08-20 Condition-based energy generation network attack recovery method against network Active CN113806734B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110958434.2A CN113806734B (en) 2021-08-20 2021-08-20 Condition-based energy generation network attack recovery method against network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110958434.2A CN113806734B (en) 2021-08-20 2021-08-20 Condition-based energy generation network attack recovery method against network

Publications (2)

Publication Number Publication Date
CN113806734A CN113806734A (en) 2021-12-17
CN113806734B true CN113806734B (en) 2024-02-09

Family

ID=78941483

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110958434.2A Active CN113806734B (en) 2021-08-20 2021-08-20 Condition-based energy generation network attack recovery method against network

Country Status (1)

Country Link
CN (1) CN113806734B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116644439B (en) * 2023-07-25 2023-10-17 中国海洋大学 Model safety assessment method based on denoising diffusion model

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111210394A (en) * 2020-01-03 2020-05-29 北京智云视图科技有限公司 Image enhancement technology based on deep decomposition synthesis network
CN112101404A (en) * 2020-07-24 2020-12-18 西安电子科技大学 Image classification method and system based on generation countermeasure network and electronic equipment
CN112688928A (en) * 2020-12-18 2021-04-20 中国科学院信息工程研究所 Network attack flow data enhancement method and system combining self-encoder and WGAN

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111210394A (en) * 2020-01-03 2020-05-29 北京智云视图科技有限公司 Image enhancement technology based on deep decomposition synthesis network
CN112101404A (en) * 2020-07-24 2020-12-18 西安电子科技大学 Image classification method and system based on generation countermeasure network and electronic equipment
CN112688928A (en) * 2020-12-18 2021-04-20 中国科学院信息工程研究所 Network attack flow data enhancement method and system combining self-encoder and WGAN

Also Published As

Publication number Publication date
CN113806734A (en) 2021-12-17

Similar Documents

Publication Publication Date Title
Wilson et al. Deep learning-aided cyber-attack detection in power transmission systems
CN110795657B (en) Article pushing and model training method and device, storage medium and computer equipment
US5222197A (en) Rule invocation mechanism for inductive learning engine
CN111245848B (en) Industrial control intrusion detection method for hierarchical dependency modeling
CN112528275A (en) APT network attack detection method based on meta-path learning and sub-graph sampling
CN113806734B (en) Condition-based energy generation network attack recovery method against network
CN112257263A (en) Equipment residual life prediction system based on self-attention mechanism
CN114721264A (en) Industrial information physical system attack detection method based on two-stage self-encoder
CN116484740A (en) Line parameter identification method based on space topology characteristics of excavated power grid
CN113315644A (en) Flow prediction method, device and storage medium
CN112785056B (en) Short-term load prediction method based on fusion of Catboost and LSTM models
CN113904915A (en) Intelligent power communication fault analysis method and system based on Internet of things
Assis et al. Unsupervised machine learning techniques applied to composite reliability assessment of power systems
CN114793170B (en) DNS tunnel detection method, system, equipment and terminal based on open set identification
CN116488325A (en) Smart power grid anomaly detection and classification method, smart power grid anomaly detection and classification equipment and readable storage medium
CN116346392A (en) Network security situation prediction method and system based on Tranformer-CNN model and application thereof
CN114677556A (en) Countermeasure sample generation method of neural network model and related equipment
CN115936503A (en) Power system security evaluation hidden attack method, system and storage medium
CN110650130B (en) Industrial control intrusion detection method based on multi-classification GoogLeNet-LSTM model
CN114070415A (en) Optical fiber nonlinear equalization method and system
CN113821974A (en) Engine residual life prediction method based on multiple failure modes
ALmutairy et al. Identification and correction of false data injection attacks against AC state estimation using deep learning
Lv et al. CEP rule extraction framework based on evolutionary algorithm
CN117978551A (en) Interaction abnormal behavior analysis method for transformer substation monitoring network
CN117115608A (en) Decision method, device, equipment and medium based on knowledge embedding reinforcement learning

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant