CN114124460A - Industrial control system intrusion detection method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN114124460A
Authority: CN (China)
Prior art keywords: attack, nodes, model, neural network, detection
Legal status: Granted
Application number: CN202111245686.7A
Other languages: Chinese (zh)
Other versions: CN114124460B (en)
Inventors: 罗建桢, 李慧, 蔡君
Current assignee: Guangdong Polytechnic Normal University
Original assignee: Guangdong Polytechnic Normal University
Events: application filed by Guangdong Polytechnic Normal University; publication of CN114124460A; application granted; publication of CN114124460B; legal status: active

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408: network security by monitoring network traffic, H04L63/14: detecting or protecting against malicious traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408)
    • H04L63/20 Network architectures or protocols for managing network security; network security policies in general
    • H04L41/16 Maintenance, administration or management of data switching networks using machine learning or artificial intelligence
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G06N3/044 Recurrent networks, e.g. Hopfield networks (under G06N3/04: neural network architecture, e.g. interconnection topology)
    • G06N3/045 Combinations of networks (under G06N3/04)
    • G06N3/08 Learning methods (under G06N3/02: neural networks)
    • G06N3/084 Backpropagation, e.g. using gradient descent (under G06N3/08)
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00: enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The embodiments of this application belong to the field of industrial control and relate to an industrial control system intrusion detection method, an industrial control system intrusion detection device, computer equipment and a storage medium. The method comprises the following steps: adding a spatial correlation analysis factor to a DQN neural network, establishing and training a DQN neural network attack model, and using the trained DQN model for misuse detection; adding spatial state perception parameters to the input gate of a long short-term memory (LSTM) neural network, establishing an LSTM anomaly detection model, and using it for anomaly detection in the production process; inputting the collected real-time state data into the DQN attack model to detect attack flows, and inputting the remaining unknown flows (those not identified as attack flows) into the LSTM anomaly detection model for a second detection that separates them into normal flows and abnormal flows; and clustering the abnormal flows to find new attack types, which are fed back into the DQN attack model for secondary detection. Combining misuse detection with the anomaly detection model makes the detection result more accurate.

Description

Industrial control system intrusion detection method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of industrial control technologies, and in particular to an industrial control system intrusion detection method, an apparatus, a computer device, and a storage medium.
Background
Industrial control systems (ICS) is a general term for the various control systems used in industrial production. An ICS faces a real physical environment and real devices, and its requirements on the types of control devices differ from one environment to another: the more complex the environment, the more complex the devices of the ICS. With the opening up of network information, the close connection of the ICS to the physical world and the complexity of its control devices make it easier for the ICS to be invaded by various viruses and trojan attacks, and in recent years security incidents involving ICS have increased.
To counter these security threats, an ICS adopts intrusion detection technology to monitor the running state of the system and discover suspicious behaviour in real time, so that measures can be taken in time against known and unknown attacks. Intrusion detection is a core technology of system defence, and the implementation of many other protection technologies depends on the efficiency of intrusion detection, namely whether intrusion behaviour can be found in real time. IDS technology for ICS currently receives wide attention from researchers. However, because researchers come from different research backgrounds, existing intrusion detection technologies are not uniform.
At present, intrusion detection technology is mainly divided into misuse detection and anomaly detection. Misuse detection extracts the features of abnormal behaviours and compares behaviour acquired in real time with an established abnormal-behaviour feature database in order to find anomalies. Misuse detection techniques include network traffic anomaly detection, automatic extraction of abnormal behaviours by a genetic algorithm, detection of mixed abnormal features and abnormal behaviours, and so on. These methods essentially analyse and summarise abnormal attack behaviours, extract the characteristics of the corresponding operations, build a knowledge base of abnormal behaviours, and detect new abnormal attack operations by matching the features of new behaviour data against the known attack features. When monitored user or system behaviour matches a record in the library, the system considers the behaviour an intrusion. The advantage of this approach is a high detection rate for known attack types, but its ability to detect novel, unknown attacks is weak. Anomaly detection instead models normal behaviour and compares real-time behaviour with that model to judge abnormality. It is usually performed with a statistical model: the probability that a random variable falls within a certain interval is calculated, a threshold is defined from experience, and if the value of the random variable exceeds the threshold an intrusion is considered to have occurred. This method is better suited to detecting unknown abnormal behaviour, but its false alarm rate is relatively high. Therefore, misuse detection and anomaly detection are each relatively narrowly targeted and lack a certain generality.
Disclosure of Invention
The object of the embodiments of the present application is to provide an industrial control system intrusion detection method, an apparatus, a computer device, and a storage medium, so as to solve the problem in the prior art that misuse detection and anomaly detection are each narrowly targeted and lack a certain generality.
In order to solve the above technical problem, an embodiment of the present application provides an industrial control system intrusion detection method, which adopts the following technical scheme, including the steps of:
adding a spatial correlation analysis factor to the DQN neural network, establishing and training a DQN neural network attack model, and using the trained DQN neural network model for misuse detection;
adding spatial state perception parameters to the input gate of the long short-term memory neural network LSTM, establishing an LSTM anomaly detection model according to the spatial state perception parameters, and using the trained LSTM anomaly detection model for anomaly detection in the production process;
inputting the collected real-time state data into the DQN neural network attack model to detect attack flows, and inputting the remaining unknown flows (those other than the attack flows) into the LSTM anomaly detection model for a second detection to obtain normal flows and abnormal flows;
and clustering the abnormal flows, finding out new attack types, and putting the new attack types into the DQN neural network attack model for secondary detection.
Further, the step of adding a spatial correlation analysis factor to the DQN neural network, establishing and training a DQN neural network attack model, and using the trained DQN neural network model for misuse detection further includes:
calculating the correlation coefficients between nodes in the DQN neural network and the correlation coefficients between the nodes and the attack labels;
and judging the correlation coefficients between two nodes and between a node and the attack tag: if the correlation coefficient is higher than the correlation coefficient threshold, the feature with a high degree of correlation to the attack tag is kept, and nodes with a low degree of correlation or no correlation are removed.
Further, the step of adding spatial state perception parameters to the input gate of the long short-term memory neural network LSTM, which learns the temporal state law of the production process, specifically includes:
screening out nodes with a high degree of correlation to the label using standardized mutual clustering information, and for any two nodes with a high degree of correlation to each other, selecting one of them and deleting it;
assuming that the production process has M nodes and that each time slice collects the feature information $\{x_t(1), x_t(2), \ldots, x_t(M)\}$ of the M nodes, obtaining N screened nodes ($N \le M$);
using the feature sequence $\{x_t(1), x_t(2), \ldots, x_t(N)\}$ of the N nodes at each time to predict the feature sequence at the next time:
[equation image: the predicted feature sequence of the N nodes at time t+1]
when the next time comes, comparing the predicted sequence with the actual sequence $\{X_{t+1}(1), X_{t+1}(2), X_{t+1}(3), \ldots, X_{t+1}(N)\}$, calculating the mean square error loss function loss_test between the predicted and actual feature sequences at the next moment, and recording the maximum value $MSE_{max}$ and minimum value $MSE_{min}$ of the loss function over the training data. If $MSE_{min} \le loss\_test \le MSE_{max}$, the sequence is judged to be a normal sequence; otherwise it is judged to be an abnormal sequence.
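The band test described above, as an added example that is not part of the patent: the trained LSTM is stood in for by a hypothetical last-value predictor (an assumption), the training series and the test slices are constructed sample data, and the code calibrates MSE_min and MSE_max on the training series and then classifies each test slice. It also shows the edge case the rule implies: a slice whose loss falls below MSE_min (for example a sensor that repeats the previous reading exactly) is judged abnormal, not normal.

```python
"""Anomaly decision of the LSTM branch: a time slice is normal only if its prediction
loss lies inside the [MSE_min, MSE_max] band observed on normal training data.
Added example; the LSTM itself is replaced by a stand-in predictor (assumption)."""
from typing import Callable, Dict, List, Tuple

Vector = List[float]                          # feature readings of the N screened nodes
Predictor = Callable[[List[Vector]], Vector]  # history of time slices -> predicted next slice


def mse(predicted: Vector, actual: Vector) -> float:
    """Mean square error loss_test between the predicted and the actual N-node sequence."""
    if len(predicted) != len(actual):
        raise ValueError("predicted and actual sequences must both have N entries")
    return sum((p - a) ** 2 for p, a in zip(predicted, actual)) / len(actual)


def last_value_predictor(history: List[Vector]) -> Vector:
    """Stand-in for the trained LSTM (assumption): predicts that the next time slice
    repeats the latest observed one. Any model with this signature can replace it."""
    return list(history[-1])


def calibrate_band(series: List[Vector], predict: Predictor, window: int) -> Tuple[float, float]:
    """Run the predictor over a normal training series and record MSE_min and MSE_max."""
    losses = [mse(predict(series[i - window:i]), series[i])
              for i in range(window, len(series))]
    if not losses:
        raise ValueError("training series is shorter than window + 1 slices")
    return min(losses), max(losses)


def classify(history: List[Vector], actual: Vector, predict: Predictor,
             band: Tuple[float, float]) -> Tuple[str, float]:
    """Apply the rule: normal iff MSE_min <= loss_test <= MSE_max, otherwise abnormal."""
    mse_min, mse_max = band
    loss_test = mse(predict(history), actual)
    verdict = "normal" if mse_min <= loss_test <= mse_max else "abnormal"
    return verdict, loss_test


# Constructed training data: 6 time slices of N = 3 nodes under normal operation.
TRAINING: List[Vector] = [
    [1.0, 2.0, 3.0],
    [1.2, 2.0, 3.0],
    [1.2, 2.1, 3.0],
    [1.0, 2.1, 3.2],
    [1.0, 2.0, 3.2],
    [1.1, 2.0, 3.1],
]
WINDOW = 2

# Constructed test slices, each assumed to follow the last two training slices.
TEST_SLICES: Dict[str, Vector] = {
    "ordinary fluctuation": [1.0, 2.1, 3.0],  # loss 0.01: inside the band
    "node 1 jumps":         [3.0, 2.0, 3.1],  # loss far above MSE_max
    "frozen readings":      [1.1, 2.0, 3.1],  # identical to the previous slice: loss 0, below MSE_min
}


def run_demo() -> Dict[str, str]:
    """Calibrate on TRAINING and classify every test slice; returns {name: verdict}."""
    band = calibrate_band(TRAINING, last_value_predictor, WINDOW)
    history = TRAINING[-WINDOW:]
    return {name: classify(history, slice_, last_value_predictor, band)[0]
            for name, slice_ in TEST_SLICES.items()}


if __name__ == "__main__":
    mse_min, mse_max = calibrate_band(TRAINING, last_value_predictor, WINDOW)
    print(f"MSE_min={mse_min:.4f} MSE_max={mse_max:.4f}")
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```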
Further, the step of inputting the collected real-time state data into the DQN neural network attack model to detect attack flows, inputting the unknown flows into the LSTM anomaly detection model, and performing re-detection to obtain normal flows and abnormal flows specifically includes:
after the real-time state data are preprocessed, inputting them into the DQN neural network attack model, which detects the attack flows and the unknown flows;
and inputting the unknown flows into the LSTM anomaly detection model and detecting them again, so that the normal flows and the abnormal flows are detected separately.
Further, the step of clustering the abnormal flows, finding new attack types, and putting the new attack types into the DQN neural network attack model for re-detection further includes:
classifying the unknown attack flows according to the clustering result and defining them as a new attack type;
and retraining the DQN neural network attack model with the data of the new attack type, so that when real-time state data is input into the DQN neural network attack model again, the originally unknown flows are identified.
Further, the step of judging the correlation coefficients between two nodes and between a node and the attack tag, keeping features with a high degree of correlation to the attack tag when the coefficient exceeds the threshold and removing nodes with a low degree of correlation or no correlation, further includes:
calculating the correlation coefficient between two nodes:
[equation image: definition of the node correlation coefficient U(X, Y) in terms of I(X; Y), H(X) and H(Y)]
where X and Y are the feature information of the two nodes, H(X) and H(Y) are the information entropies of X and Y, and I(X; Y) is the mutual information of X and Y:
[equation images: definitions of I(X; Y), H(X) and H(Y) in terms of p(x, y), p(x) and p(y)]
where x and y range over the feature data of nodes X and Y, p(x, y) is the joint probability distribution of X and Y, p(x) is the probability function of X, and p(y) is the probability function of Y;
if the node correlation coefficient U(X, Y) is larger than the node correlation coefficient threshold, the degree of correlation between node X and node Y is considered high and the feature of one of the two nodes is removed;
calculating the correlation coefficient U(X, L) between each node and the attack label: nodes whose correlation coefficient with the attack label is 0 or 1 are selected and removed; if the correlation coefficient between a node and the attack label is less than or equal to the node attack-label correlation coefficient threshold, the degree of correlation between the node and the label is considered low and the node is removed; the remaining nodes are kept.
In order to solve the above technical problem, an embodiment of the present application further provides an industrial control system intrusion detection apparatus, which adopts the following technical scheme, including:
a misuse detection model establishing module for adding a spatial correlation analysis factor to the DQN neural network, establishing and training a DQN neural network attack model, and using the trained DQN neural network model for misuse detection;
an anomaly detection model establishing module for adding spatial state perception parameters to the input gate of the long short-term memory neural network LSTM, establishing an LSTM anomaly detection model according to the spatial state perception parameters, and using the trained LSTM anomaly detection model for anomaly detection in the production process;
a primary detection module for inputting the collected real-time state data into the DQN neural network attack model to detect attack flows and inputting the unknown flows into the LSTM anomaly detection model for secondary detection so as to obtain normal flows and abnormal flows, wherein the attack flows and a part of the unknown flows are also input into the LSTM anomaly detection model;
and a secondary detection module for clustering the abnormal flows, finding out new attack types and putting the new attack types into the DQN neural network attack model for secondary detection.
Further, the misuse detection model establishing module includes:
a correlation coefficient calculation module for calculating the correlation coefficients between nodes in the DQN neural network and between the nodes and the attack tags;
and a selection module for judging the correlation coefficients between two nodes and between a node and the attack tag: if the correlation coefficient is higher than the correlation coefficient threshold, the feature with a high degree of correlation to the attack tag is kept, and nodes with a low degree of correlation or no correlation are removed.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which adopts the following technical solutions:
the intrusion detection system comprises a memory and a processor, wherein computer readable instructions are stored in the memory, and the processor executes the computer readable instructions to realize the steps of the intrusion detection method of the industrial control system.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, which adopts the following technical solutions:
the computer readable storage medium stores computer readable instructions, and the computer readable instructions, when executed by the processor, implement the steps of the intrusion detection method for the industrial control system.
Compared with the prior art, the embodiments of the application mainly have the following beneficial effects: an attack behaviour model for misuse detection is established by training deep reinforcement learning on attack samples; at the same time, taking advantage of the LSTM's strength in processing time-series data, link prediction is performed by training the LSTM on a normal behaviour model and using the trained LSTM for anomaly detection. Samples that misuse detection cannot identify are placed in the anomaly detection model for further detection, and samples for which the anomaly detection model does not identify the attack behaviour are placed in the misuse detection model for further detection; combining the two detection methods makes the detection result more accurate.
Drawings
In order to more clearly illustrate the solution of the present application, the drawings needed for describing the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow chart of one embodiment of an industrial control system intrusion detection method according to the present application;
FIG. 3 is a schematic diagram of the intrusion detection framework employed in FIG. 2;
FIG. 4 is a flow chart of the operation of the DQN employed in FIG. 2;
FIG. 5 is a schematic diagram of the LSTM cell configuration employed in FIG. 2;
FIG. 6 is a schematic structural diagram of an embodiment of an industrial control system intrusion detection device according to the application;
FIG. 7 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to a smart phone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop portable computer, a desktop computer, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the industrial control system intrusion detection method provided in the embodiment of the present application is generally executed by a server/terminal device, and accordingly, the industrial control system intrusion detection apparatus is generally disposed in the server/terminal device.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to fig. 2, a flow diagram of one embodiment of a method of industrial control system intrusion detection is shown, in accordance with the present application. The industrial control system intrusion detection method comprises the following steps:
step S201, adding a spatial correlation analysis factor to the DQN neural network, establishing a DQN neural network attack model and performing training, and using the trained DQN neural network model for misuse detection.
In this embodiment, an electronic device (for example, the server/terminal device shown in fig. 1) on which the industrial control system intrusion detection method operates may receive an industrial control system intrusion detection request over a wired or wireless connection. It should be noted that the wireless connection may include, but is not limited to, a 3G/4G/5G connection, a WiFi connection, a Bluetooth connection, a WiMAX connection, a Zigbee connection, a UWB (ultra wideband) connection, and other wireless connections now known or developed in the future.
Fig. 3 is a schematic diagram of the intrusion detection framework employed in fig. 2. As shown in fig. 3, the attack samples are preprocessed, the misuse detection model is trained on them, and the collected real-time state data are input into the misuse detection model to detect attack flows. Because misuse detection can only target behaviour for which an attack model has been constructed and detects unknown attack behaviour poorly, the unknown flows left over by misuse detection are put into the anomaly detection model for a second detection. The anomaly detection model is trained on normal samples and separates the unknown flows into normal flows and abnormal flows; the abnormal flows are clustered to find new attack types, which are put into the misuse detection model for secondary detection.
If the degree of correlation between two nodes is high, the feature of one of the nodes is removed; features with a high degree of correlation to the attack label are kept, and nodes with a low degree of correlation or no correlation are removed. This keeps the important features and removes redundant ones, which facilitates data analysis and improves the learning performance of the model.
The standardized mutual clustering information is calculated by the following formula:
[equation image: definition of the node correlation coefficient U(X, Y) in terms of I(X; Y), H(X) and H(Y)]
where X and Y are the feature information of the two nodes, H(X) and H(Y) are the information entropies of the two nodes, and I(X; Y) is the mutual information of X and Y:
[equation images: definitions of I(X; Y), H(X) and H(Y) in terms of p(x, y), p(x) and p(y)]
where x and y range over the feature data of nodes X and Y, p(x, y) is the joint probability distribution of X and Y, p(x) is the probability function of X, and p(y) is the probability function of Y;
if the node correlation coefficient U(X, Y) is larger than the node correlation coefficient threshold, the degree of correlation between node X and node Y is considered high and the feature of one of the two nodes is removed;
calculating the correlation coefficient U(X, L) between each node and the attack label: nodes whose correlation coefficient with the attack label is 0 or 1 are selected and removed; if the correlation coefficient between a node and the attack label is less than or equal to the node attack-label correlation coefficient threshold, the degree of correlation between the node and the label is considered low and the node is removed; the remaining nodes are kept.
The node correlation coefficient threshold for U(X, Y) is set between 0.6 and 0.9, and to 0.8 in this embodiment; it may of course be set according to actual needs and is not limited here. Likewise, the node attack-label correlation coefficient threshold for U(X, L) is set between 0.6 and 0.9, and to 0.8 in this embodiment; it may also be set according to actual needs and is not limited here.
If U(X, Y) > 0.8, the degree of correlation between the two nodes is considered high and the feature of one of them is removed. For the mutual clustering information between a node and the label, nodes whose degree of correlation with the label is 0 or 1, namely U(X, L) = 0 or U(X, L) = 1, are selected and removed.
The DQN consists mainly of an online value network, a target value network and a replay memory. The replay memory stores quadruples $(s_t, a_t, r_t, s_{t+1})$: the current state $s_t$, the action $a_t$ taken in that state, the reward $r_t$ received for taking $a_t$ in $s_t$, and the next state $s_{t+1}$.
State set: assume the production process has M nodes and that each time slice collects the feature information $x_t = \{x_t(1), x_t(2), \dots, x_t(M)\}$ of the M nodes. First the correlation coefficients between nodes and between each node and the attack label are computed with normalized mutual information; the nodes highly correlated with the label are screened in, one node of each highly correlated pair is deleted, and N nodes remain out of the M. The state $s_t = \{s_t(1), s_t(2), \dots, s_t(N)\}$ is built from the feature data $x_t = \{x_t(1), x_t(2), \dots, x_t(N)\}$ of the N screened nodes: the normalized mutual information between the N node features gives a correlation coefficient matrix $H \in \mathbb{R}^{N \times N}$, and the $1 \times N$ vector obtained by multiplying the original feature vector by this matrix is used as the DQN state $s_t$.
Action set: the action $a_t$ is defined by whether the node is attacked, 0 meaning no attack and 1 meaning attack. Unlike a conventional DQN action set, the action here serves as the predicted label and has no effect on the monitored system.
Reward function: after the agent performs action $a_t$ it receives an immediate reward $r_t$ that rates the action. Let $\alpha$ be the absolute difference between the Q value of the chosen action and that of the other action, $\alpha = |Q(s_t, a_t) - Q(s_t, a')|$. The reward is
$$ r_t = \begin{cases} \alpha & \text{if the action the online value network selects for } s_t \text{ equals the actual label} \\ -\alpha & \text{otherwise} \end{cases} $$
so a correct prediction earns $\alpha$ and a wrong one is penalized with $-\alpha$.
The operational flow of the DQN is shown in FIG. 4. The DQN model is trained with abnormal-behaviour data from the production process. The replay memory, the online value network and the target network are initialized; an action $a_t$ (0 or 1) is then chosen with the ε-greedy strategy, the environment returns the reward $r_t$ and the next state $s_{t+1}$, and the resulting quadruple $(s_t, a_t, r_t, s_{t+1})$ is stored in the replay memory. In the learning phase, transitions are sampled at random from the replay memory, the online network's Q value is updated from the current state and action, and the target Q value is computed from the next state:
$$ \text{TargetQ} = r_t + \gamma \max_{a'} Q(s_{t+1}, a'; \theta^-) $$
where $\theta$ are the online network weights produced by initialization, $\theta^-$ are the target network weights, and $\gamma$ is the discount factor, taking a value between 0.1 and 1. The loss function of the DQN is
$$ L(\theta) = \left(\text{TargetQ} - Q(s_t, a_t; \theta)\right)^2 $$
where $Q(s_t, a_t; \theta)$ is the Q value of the online value network. $\theta$ is updated by stochastic gradient descent, and every M steps (a step count, not the node count M above) the target network weights are replaced, $\theta^- \leftarrow \theta$, so that the current Q value tracks the target Q.
When the model is used, the collected real-time state data, which contains both normal and abnormal data, is input to the misuse detection model. The M nodes of the real-time state are screened, the correlation coefficient matrix $H \in \mathbb{R}^{N \times N}$ of the N screened nodes is computed, and the $1 \times N$ vector obtained by multiplying the original feature vector $\{x_t(1), x_t(2), \dots, x_t(N)\}$ of the N nodes by H is used as the DQN state $s_t = \{s_t(1), s_t(2), \dots, s_t(N)\}$. Assuming four attack types {A, B, C, D}, one DQN model is trained per attack type; for a given state each model outputs an action, 0 meaning that type of attack is not present and 1 meaning it is.
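The feature screening, state construction and reward of the DQN misuse detector described above (normalized mutual information between nodes and with the label, the two thresholds, the correlation matrix H, the state s_t = x_t H, the ±α reward and the TD target) as one added Python example. This is not code from the patent. It assumes the symmetric normalization U(X, Y) = 2 I(X; Y) / (H(X) + H(Y)), discrete (binned) feature values, a constructed eight-slice sample with six nodes, a label threshold of 0.6 (inside the page's 0.6 to 0.9 range) and, as a design choice the page leaves open, that of a redundant pair the node less correlated with the label is the one dropped.

```python
import math
from itertools import combinations

# Constructed sample (not from the patent): 8 time slices, M = 6 node features
# with discrete bin values, and the attack label L for each slice.
SAMPLE_LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
SAMPLE_FEATURES = [      # node: 0  1  2  3  4  5
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 1, 0, 0],
    [0, 1, 0, 0, 0, 0],
    [0, 1, 0, 1, 0, 0],
    [1, 1, 1, 0, 1, 1],
    [1, 1, 1, 1, 1, 1],
    [1, 1, 2, 0, 1, 1],
    [1, 1, 2, 1, 2, 2],
]
# Node 0 copies the label (U = 1, leakage), node 1 is weakly related, node 3 is
# independent of it (U = 0), node 5 duplicates node 4; nodes 2 and 4 are informative.


def _probs(values):
    counts = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    n = len(values)
    return {k: c / n for k, c in counts.items()}


def entropy(values):
    """H(X) = -sum p(x) log2 p(x)."""
    return -sum(p * math.log2(p) for p in _probs(values).values())


def mutual_information(xs, ys):
    """I(X;Y) = H(X) + H(Y) - H(X,Y)."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))


def nmi(xs, ys):
    """U(X,Y) = 2 I(X;Y) / (H(X) + H(Y)); 0 = independent, 1 = identical partition."""
    denom = entropy(xs) + entropy(ys)
    return 0.0 if denom == 0 else 2.0 * mutual_information(xs, ys) / denom


def select_nodes(features, labels, node_thr=0.8, label_thr=0.6):
    """Return the indices of the N nodes kept out of M (label screen, then pair screen)."""
    cols = [list(c) for c in zip(*features)]
    label_u = {i: nmi(c, labels) for i, c in enumerate(cols)}
    # Label screen: drop U(X,L) == 0 (irrelevant), == 1 (restates the label) and <= threshold.
    keep = [i for i, u in label_u.items() if label_thr < u < 1.0]
    # Pair screen: of two kept nodes with U(X,Y) above the node threshold, drop the
    # one less correlated with the label (the page only says "remove one").
    dropped = set()
    for i, j in combinations(keep, 2):
        if i in dropped or j in dropped:
            continue
        if nmi(cols[i], cols[j]) > node_thr:
            dropped.add(j if label_u[j] <= label_u[i] else i)
    return [i for i in keep if i not in dropped]


def correlation_matrix(features, kept):
    """H in R^{N x N}: pairwise NMI between the N kept node features."""
    cols = [[row[i] for row in features] for i in kept]
    return [[nmi(a, b) for b in cols] for a in cols]


def state_vector(x_row, kept, H):
    """s_t = x_t H, the 1 x N DQN state for one time slice."""
    x = [x_row[i] for i in kept]
    return [sum(x[i] * H[i][j] for i in range(len(x))) for j in range(len(x))]


def reward(q_values, predicted_action, actual_label):
    """r_t = +alpha if the predicted action equals the label, else -alpha,
    with alpha = |Q(s_t,0) - Q(s_t,1)|."""
    alpha = abs(q_values[0] - q_values[1])
    return alpha if predicted_action == actual_label else -alpha


def td_target(r, next_q_values, gamma=0.9):
    """TargetQ = r_t + gamma * max_a' Q(s_{t+1}, a'; theta^-), from the target network's Q values."""
    return r + gamma * max(next_q_values)


def td_loss(target, q_sa):
    """L(theta) = (TargetQ - Q(s_t, a_t; theta))^2 for one transition."""
    return (target - q_sa) ** 2


if __name__ == "__main__":
    kept = select_nodes(SAMPLE_FEATURES, SAMPLE_LABELS)
    H = correlation_matrix(SAMPLE_FEATURES, kept)
    print("kept nodes:", kept)
    for t, row in enumerate(SAMPLE_FEATURES):
        print(t, [round(v, 3) for v in state_vector(row, kept, H)])
    # Hypothetical Q values for one state: predicting 1 when the label is 1 earns +alpha.
    r = reward([0.2, 0.9], 1, 1)
    print("reward:", r, "target:", td_target(r, [0.1, 0.5]))
```

On the constructed sample the label screen removes the label copy, the independent node and the weak node, and the pair screen removes one of the two duplicates, leaving N = 2 of M = 6. The exact-0 and exact-1 exclusions matter in practice: a feature with U(X, L) = 1 is a leak that makes the detector look perfect on the training set and useless on anything the label was not derived from.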
Step S202, according to the time state law of the long-short term memory neural network LSTM learning production process, adding a spatial state perception parameter in an input gate of the long-short term memory neural network LSTM.
In this embodiment, LSTM-based anomaly detection first screens in the nodes highly correlated with the label using normalized mutual information and deletes one node of each highly correlated pair. Assume the production process has M nodes and each time slice collects the feature information $\{x_t(1), x_t(2), \dots, x_t(M)\}$ of the M nodes, of which N remain after screening. The feature sequence $\{x_t(1), x_t(2), \dots, x_t(N)\}$ of the N nodes at each time is used to predict the feature sequence at the next time,
$$ \{\hat{x}_{t+1}(1), \hat{x}_{t+1}(2), \dots, \hat{x}_{t+1}(N)\}. $$
When the next time arrives, the predicted sequence is compared with the actual sequence $\{X_{t+1}(1), X_{t+1}(2), X_{t+1}(3), \dots, X_{t+1}(N)\}$: the mean square error between the predicted and actual feature sequences at the next time is computed, and the maximum $MSE_{max}$ and minimum $MSE_{min}$ of this loss over the training data are recorded. The loss function is
$$ MSE = \frac{1}{N} \sum_{i=1}^{N} \left( \hat{x}_{t+1}(i) - X_{t+1}(i) \right)^2 . $$
The LSTM model accumulates information along the time series. Each gate of the LSTM has its own weights and bias, and these parameters are adjusted as training proceeds, which is what lets the model handle long-term dependencies; this is why the LSTM is also effective for the link prediction problem of opportunistic networks and is used here for sequence prediction. An LSTM is made up of a number of cells, each containing three gates: an input gate, a forget gate and an output gate.
FIG. 5 is a schematic diagram of the LSTM unit used in FIG. 2. As shown in FIG. 5, the forget gate decides how much of the previous cell state is discarded. Its sigmoid outputs a number in [0, 1], 0 meaning the previous cell state is discarded entirely and 1 meaning it is retained entirely:
$$ f_t = \sigma(W_f X_t + U_f h_{t-1} + b_f) $$
The input gate decides what proportion of the new input is written into the cell state; the candidate state and the updated cell state are:
$$ i_t = \sigma(W_i X_t + U_i h_{t-1} + b_i) $$
$$ \tilde{c}_t = \tanh(W_c X_t + U_c h_{t-1} + b_c) $$
$$ c_t = f_t \odot c_{t-1} + i_t \odot \tilde{c}_t $$
The output gate decides which part of the updated cell state is emitted as the hidden state:
$$ o_t = \sigma(W_o X_t + U_o h_{t-1} + b_o) $$
$$ h_t = o_t \odot \tanh(c_t) $$
where $X$ and $h$ are the input and the hidden state respectively, $b$ is the bias of each gate, $\sigma$ is the sigmoid function, and $W$ and $U$ are the corresponding weight matrices.
The trained LSTM model can accurately predict the behaviour features of the production process at the next moment. The model is tested with mixed normal and abnormal data: the correlation coefficients of the M nodes in the test set are computed, the N nodes with high correlation coefficients are screened in, and the feature sequence $\{x_t(1), x_t(2), \dots, x_t(N)\}$ of the N nodes at each time is used to predict the feature sequence at the next time,
$$ \{\hat{x}_{t+1}(1), \hat{x}_{t+1}(2), \dots, \hat{x}_{t+1}(N)\}. $$
When the next time arrives the predicted sequence is compared with the actual sequence $\{X_{t+1}(1), X_{t+1}(2), X_{t+1}(3), \dots, X_{t+1}(N)\}$ and their mean square error loss_test is computed. If $MSE_{min} \le loss\_test \le MSE_{max}$ the sequence is judged normal, otherwise abnormal. A normal sequence indicates a normal state and an abnormal sequence an attacked state. The band is two-sided, so a loss below $MSE_{min}$ (a sequence the model predicts better than it ever predicted normal training data) is flagged as well.
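The LSTM cell equations and the MSE band test above, as an added Python example that is not code from the patent. It implements one cell step with the forget, input and output gates exactly as written, predicts the next N-node feature vector from the final hidden state through an assumed identity readout (the page specifies neither the readout nor the spatial state perception parameter, so neither is modelled), calibrates [MSE_min, MSE_max] on constructed normal windows and classifies a test window. The weights are constructed, not trained, and the sequences are made up.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def lstm_cell_step(x_t, h_prev, c_prev, P):
    """One LSTM step.  P maps "Wg", "Ug", "bg" for g in f, i, c, o to the input
    weights (hidden x input), recurrent weights (hidden x hidden) and bias."""
    def gate(g, act):
        pre = matvec(P["W" + g], x_t)
        rec = matvec(P["U" + g], h_prev)
        return [act(a + b + bias) for a, b, bias in zip(pre, rec, P["b" + g])]
    f_t = gate("f", sigmoid)                 # forget gate
    i_t = gate("i", sigmoid)                 # input gate
    c_tilde = gate("c", math.tanh)           # candidate cell state
    c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, c_tilde)]
    o_t = gate("o", sigmoid)                 # output gate
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
    return h_t, c_t


def make_params(n_in, n_hidden, scale=0.0):
    """Constructed parameters: scale = 0 gives all-zero weights, otherwise a
    small deterministic pattern standing in for trained weights."""
    P = {}
    for k, g in enumerate("fico"):
        P["W" + g] = [[scale * ((r + c + k) % 3 - 1) for c in range(n_in)] for r in range(n_hidden)]
        P["U" + g] = [[scale * ((r - c + k) % 3 - 1) for c in range(n_hidden)] for r in range(n_hidden)]
        P["b" + g] = [0.0] * n_hidden
    return P


def predict_next(window, P, n_hidden):
    """Feed the N-node feature sequence through the cell and read the predicted
    next-step feature vector off the first N hidden units (assumed readout)."""
    n = len(window[0])
    h, c = [0.0] * n_hidden, [0.0] * n_hidden
    for x_t in window:
        h, c = lstm_cell_step(x_t, h, c, P)
    return h[:n]


def mse(predicted, actual):
    """Mean square error between predicted and actual next-step feature vectors."""
    return sum((p - a) ** 2 for p, a in zip(predicted, actual)) / len(actual)


def calibrate_band(train_windows, train_next, P, n_hidden):
    """MSE_min and MSE_max of the loss over the (normal) training windows."""
    losses = [mse(predict_next(w, P, n_hidden), nxt) for w, nxt in zip(train_windows, train_next)]
    return min(losses), max(losses)


def classify(loss_test, band):
    """Inside [MSE_min, MSE_max] is normal; outside, on either side, is abnormal."""
    lo, hi = band
    return "normal" if lo <= loss_test <= hi else "abnormal"


# Constructed N = 2 node sequences with normalized feature values, not plant data.
TRAIN_WINDOWS = [[[0.1, 0.2], [0.2, 0.2], [0.2, 0.3]],
                 [[0.2, 0.3], [0.3, 0.3], [0.3, 0.4]],
                 [[0.3, 0.4], [0.3, 0.3], [0.2, 0.3]]]
TRAIN_NEXT = [[0.3, 0.3], [0.3, 0.4], [0.2, 0.2]]

if __name__ == "__main__":
    P = make_params(n_in=2, n_hidden=4, scale=0.5)
    band = calibrate_band(TRAIN_WINDOWS, TRAIN_NEXT, P, 4)
    print("MSE band:", band)
    # A window whose actual next step jumps far outside the learned range.
    spike = mse(predict_next(TRAIN_WINDOWS[1], P, 4), [5.0, 5.0])
    print("spike loss:", round(spike, 3), "->", classify(spike, band))
```

Because the hidden state is bounded by tanh, the predicted vector lies in (-1, 1) and a spike to 5.0 produces a loss far above any training MSE, so it lands outside the band regardless of the particular weights. With all-zero weights every gate evaluates to 0.5 and the candidate to 0, so the cell state halves each step and the step can be checked by hand.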
Step S203: the DQN-based misuse detection is combined with the LSTM-based anomaly detection. Samples in which misuse detection detects no attack are passed to the anomaly detection model for further detection, and samples in which the anomaly detection model identifies no attack behaviour are passed to the misuse detection model for further detection.
And inputting the collected real-time state data into a misuse detection model to detect the attack flow. And putting the unknown flow obtained by the misuse detection into an abnormality detection model for detection again. And training an abnormal detection model by using the normal sample, separating the unknown flow into a normal flow and an abnormal flow by using the abnormal detection model, clustering the abnormal flow, finding a new attack type, and putting the new attack type into the misuse detection model for secondary detection.
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects: an attack behaviour model for misuse detection is established by training deep reinforcement learning on attack samples; at the same time the strength of the LSTM in handling time-series data is used for link prediction, the LSTM is trained on normal behaviour data and the trained LSTM is used for anomaly detection; samples in which misuse detection finds no attack are passed to the anomaly detection model for further detection, samples in which the anomaly detection model identifies no attack behaviour are passed to the misuse detection model for further detection, and combining the two detection methods makes the detection result more accurate.
It should be emphasized that, in order to further ensure the privacy and security of the intrusion detection information of the industrial control information, the intrusion detection information of the industrial control information may also be stored in a node of a block chain.
The blockchain referred to in this application is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, each block containing a batch of network transactions and serving to verify the validity (tamper resistance) of its information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and so on.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The application can also be applied to the field of intrusion detection of intelligent industrial control systems, so that the construction of intelligent cities is promoted.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware associated with computer readable instructions, which can be stored in a computer readable storage medium, and when executed, the processes of the embodiments of the methods described above can be included. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and may be performed in other orders unless explicitly stated herein. Moreover, at least a portion of the steps in the flow chart of the figure may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, which are not necessarily performed in sequence, but may be performed alternately or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
With further reference to fig. 6, as an implementation of the method shown in fig. 2, the present application provides an embodiment of an industrial control system intrusion detection apparatus, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 6, the intrusion detection device 400 of the industrial control system according to this embodiment includes: a misuse detection module establishing module 401, an abnormality detection module establishing module 402, a primary detection module 403, and a secondary detection module 404. Wherein:
a misuse detection module establishing module 401, configured to add a spatial correlation analysis factor to the DQN neural network, establish a DQN neural network attack model, train the model, and use the trained DQN neural network model for misuse detection;
an anomaly detection module establishing module 402, configured to add spatial state perception parameters to an input gate of the long-short term memory neural network LSTM, establish an LSTM anomaly detection model according to the spatial state perception parameters, and use the trained LSTM anomaly detection model for anomaly detection in the production process;
the primary detection module 403 is configured to input the collected real-time state data into the DQN neural network attack model to detect attack flows; the traffic the model cannot attribute to a known attack is treated as unknown flow and is input into the LSTM anomaly detection model for secondary detection, yielding normal flow and abnormal flow;
and the secondary detection module 404 is configured to perform clustering operation on the abnormal flow, find a new attack type, and place the new attack type in the DQN neural network attack model for secondary detection.
In some optional implementations of this embodiment, the misuse detection module creating module 401 may further include:
a correlation coefficient calculation module 411, configured to calculate correlation coefficients between nodes in the DQN neural network and correlation coefficients between the nodes and attack tags;
and the selecting module 412 is used for judging the correlation coefficient between two nodes and between the node and the attack tag, if the correlation coefficient is higher than the threshold value of the correlation coefficient, retaining the characteristic of high correlation degree with the attack tag, and removing the nodes with low correlation degree and no correlation.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 7, fig. 7 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 6 comprises a memory 61, a processor 62 and a network interface 63 communicatively connected to each other via a system bus. It is noted that only a computer device 6 having components 61-63 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 61 includes at least one type of readable storage medium, including flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 61 may be an internal storage unit of the computer device 6, such as a hard disk or memory of the computer device 6. In other embodiments, the memory 61 may also be an external storage device of the computer device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card provided on the computer device 6. Of course, the memory 61 may also comprise both an internal storage unit of the computer device 6 and an external storage device thereof. In this embodiment, the memory 61 is generally used for storing the operating system installed on the computer device 6 and various application software, such as the computer readable instructions of the industrial control system intrusion detection method. The memory 61 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 62 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 62 is typically used to control the overall operation of the computer device 6. In this embodiment, the processor 62 is configured to execute computer readable instructions stored in the memory 61 or process data, for example, computer readable instructions for executing the intrusion detection method of the industrial control system.
The network interface 63 may comprise a wireless network interface or a wired network interface, and the network interface 63 is typically used for establishing a communication connection between the computer device 6 and other electronic devices.
The present application further provides another embodiment, which is to provide a computer-readable storage medium, wherein the computer-readable storage medium stores computer-readable instructions, which can be executed by at least one processor, so as to cause the at least one processor to execute the steps of the method for detecting intrusion in an industrial control system as described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.

Claims (10)

1. An industrial control system intrusion detection method is characterized by comprising the following steps:
adding a spatial correlation analysis factor in the DQN neural network, establishing a DQN neural network attack model, training, and using the trained DQN neural network model for misuse detection;
adding space state perception parameters in an input gate of the long-short term memory neural network LSTM, establishing an LSTM anomaly detection model according to the space state perception parameters, and using the trained LSTM anomaly detection model for anomaly detection in the production process;
inputting the collected real-time state data into the DQN neural network attack model to detect attack flows, and inputting the unknown flow other than the detected attack flows into the LSTM anomaly detection model for re-detection to obtain normal flows and abnormal flows;
and clustering the abnormal flow, finding out a new attack type, and putting the new attack type into the DQN neural network attack model for secondary detection.
2. The industrial control system intrusion detection method according to claim 1, wherein the step of adding a spatial correlation analysis factor to the DQN neural network, establishing a DQN neural network attack model and performing training, and using the trained DQN neural network model for misuse detection further comprises:
calculating correlation coefficients between the nodes in the production process and correlation coefficients between the nodes and the attack tags;
and judging the correlation coefficients between the two nodes and between each node and the attack tag, and if a correlation coefficient is higher than the corresponding correlation coefficient threshold, keeping the node features highly correlated with the attack tag and removing the nodes with low or no correlation.
3. The industrial control system intrusion detection method according to claim 1, wherein the step of adding the spatial state perception parameter to the input gate of the long-short term memory neural network LSTM specifically comprises:
screening in the nodes highly correlated with the label using normalized mutual information, and for each pair of highly correlated nodes selecting and deleting one of the two;
assuming that the production process has M nodes and each time slice collects the feature information $\{x_t(1), x_t(2), \dots, x_t(M)\}$ of the M nodes, N (N ≤ M) nodes remaining after screening;
using the feature sequence $\{x_t(1), x_t(2), \dots, x_t(N)\}$ of the N nodes at each time to predict the feature sequence at the next time
$$ \{\hat{x}_{t+1}(1), \hat{x}_{t+1}(2), \dots, \hat{x}_{t+1}(N)\}; $$
when the next time arrives, comparing the predicted sequence with the actual sequence $\{X_{t+1}(1), X_{t+1}(2), X_{t+1}(3), \dots, X_{t+1}(N)\}$, calculating the mean square error loss function loss_test between the predicted and actual feature sequences at the next time, recording the maximum $MSE_{max}$ and minimum $MSE_{min}$ of the loss function over the training data, and if $MSE_{min} \le loss\_test \le MSE_{max}$ judging the sequence to be a normal sequence, otherwise an abnormal sequence.
4. The industrial control system intrusion detection method according to claim 1, wherein the step of inputting the collected real-time status data into the DQN neural network attack model to detect an attack flow, placing an unknown flow in the detected attack flow into the LSTM anomaly detection model to perform a re-detection to obtain a normal flow and an anomaly flow specifically comprises:
after the real-time state data are preprocessed, the real-time state data are input into a DQN neural network attack model, and attack flows and unknown flows are detected by the DQN neural network attack model;
and inputting the unknown flow into an LSTM anomaly detection model, and detecting the unknown flow again to respectively detect the normal flow and the anomaly flow.
5. The industrial control system intrusion detection method according to claim 1, wherein the step of clustering abnormal flows, finding new attack types, and putting the new attack types into the DQN neural network attack model for re-detection further comprises:
classifying unknown attack streams according to the clustering result, and customizing the unknown attack streams into a new attack type;
and training the DQN neural network attack model again by using the new attack type data, and identifying the original unknown flow when the real-time state is input into the DQN neural network attack model again.
6. The industrial control system intrusion detection method according to claim 2, wherein the step of determining the correlation coefficients between two nodes and between a node and an attack tag, and if the correlation coefficients are higher than a threshold value of the correlation coefficients, retaining the feature of high correlation with the attack tag, and removing the nodes of low correlation and no correlation further comprises:
calculating the correlation coefficient between two nodes
$$ U(X, Y) = \frac{2\, I(X; Y)}{H(X) + H(Y)} $$
wherein X and Y are respectively the feature information of the two nodes, H(X) and H(Y) are respectively the information entropies of X and Y, and I(X; Y) is the mutual information of X and Y,
$$ I(X; Y) = \sum_{x \in X} \sum_{y \in Y} p(x, y) \log \frac{p(x, y)}{p(x)\, p(y)} $$
$$ H(X) = -\sum_{x \in X} p(x) \log p(x) $$
$$ H(Y) = -\sum_{y \in Y} p(y) \log p(y) $$
wherein X and Y correspond to the feature data of nodes X and Y, p(x, y) is the joint probability distribution of X and Y, p(x) is the probability distribution of X and p(y) that of Y;
if the node correlation coefficient U(X, Y) is larger than the node correlation coefficient threshold, considering nodes X and Y highly correlated and removing one of the two node features;
calculating the correlation coefficient U(X, L) between each node and the attack label L, removing the nodes whose U(X, L) is exactly 0 or exactly 1, and if U(X, L) is less than or equal to the node/attack-label correlation coefficient threshold, considering the node weakly correlated with the label and removing it; the remaining nodes are kept.
7. An industrial control system intrusion detection device, comprising:
the misuse detection module establishing module is used for adding a spatial correlation analysis factor to the DQN neural network, establishing and training a DQN neural network attack model, and using the trained DQN neural network model for misuse detection;
the anomaly detection module establishing module is used for adding spatial state perception parameters to the input gate of the long short-term memory neural network LSTM, establishing an LSTM anomaly detection model according to the spatial state perception parameters, and using the trained LSTM anomaly detection model for anomaly detection in the production process;
the primary detection module is used for inputting the collected real-time state data into the DQN neural network attack model to detect attack flows, and inputting the unknown flows into the LSTM anomaly detection model for secondary detection so as to obtain normal flows and abnormal flows, wherein the attack flows and part of the unknown flows are also input into the LSTM anomaly detection model;
and the secondary detection module is used for clustering the abnormal flows, finding out new attack types, and putting the new attack types into the DQN neural network attack model for secondary detection.
8. The industrial control system intrusion detection device according to claim 7, wherein the misuse detection module establishing module comprises:
the correlation coefficient calculation module is used for calculating correlation coefficients between nodes in the DQN neural network and between the nodes and the attack tags;
and the selection module is used for judging the correlation coefficients between two nodes and between a node and the attack tag: if the correlation coefficient is higher than the correlation coefficient threshold, retaining the features with a high correlation degree to the attack tag, and removing the nodes with a low correlation degree and the irrelevant nodes.
9. A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, implement the steps of the industrial control system intrusion detection method according to any one of claims 1 to 6.
10. A computer readable storage medium having computer readable instructions stored thereon, which when executed by a processor implement the steps of the industrial control system intrusion detection method according to any one of claims 1 to 6.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2021111780172 2021-10-09
CN202111178017 2021-10-09

Publications (2)

Publication Number Publication Date
CN114124460A true CN114124460A (en) 2022-03-01
CN114124460B CN114124460B (en) 2023-07-18

Family

ID=80376746

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111245686.7A Active CN114124460B (en) 2021-10-09 2021-10-26 Industrial control system intrusion detection method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114124460B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116056087A (en) * 2023-03-31 2023-05-02 国家计算机网络与信息安全管理中心 Network attack detection method, device and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932671A (en) * 2018-06-06 2018-12-04 上海电力学院 LSTM wind power load forecasting method with parameters tuned by a deep Q neural network
CN110691100A (en) * 2019-10-28 2020-01-14 中国科学技术大学 Hierarchical network attack identification and unknown attack detection method based on deep learning
CN112165464A (en) * 2020-09-15 2021-01-01 江南大学 Industrial control hybrid intrusion detection method based on deep learning
US20210126931A1 (en) * 2019-10-25 2021-04-29 Cognizant Technology Solutions India Pvt. Ltd System and a method for detecting anomalous patterns in a network
CN113344134A (en) * 2021-06-30 2021-09-03 广东电网有限责任公司 Data acquisition abnormity detection method and system for low-voltage power distribution monitoring terminal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932671A (en) * 2018-06-06 2018-12-04 上海电力学院 LSTM wind power load forecasting method with parameters tuned by a deep Q neural network
US20210126931A1 (en) * 2019-10-25 2021-04-29 Cognizant Technology Solutions India Pvt. Ltd System and a method for detecting anomalous patterns in a network
CN110691100A (en) * 2019-10-28 2020-01-14 中国科学技术大学 Hierarchical network attack identification and unknown attack detection method based on deep learning
CN112165464A (en) * 2020-09-15 2021-01-01 江南大学 Industrial control hybrid intrusion detection method based on deep learning
CN113344134A (en) * 2021-06-30 2021-09-03 广东电网有限责任公司 Data acquisition abnormity detection method and system for low-voltage power distribution monitoring terminal

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YEO KEAT EE; NURFADHLINA MOHD SHAREF; RAZALI YAAKOB; KHAIRUL AZHAR KASMIRAN: "LSTM Based Recurrent Enhancement of DQN for Stock Trading", 《2020 IEEE CONFERENCE ON BIG DATA AND ANALYTICS (ICBDA)》 *
朱佳璐; 马永涛; 刘开华: "Multi-user joint anti-jamming decision algorithm based on LSTM and DQN", vol. 34, no. 6 *
赵兵;王增平;孙毅: "Optimal control strategy for clustered air-conditioning loads considering differentiated energy demand", 《电测与仪表》 (Electrical Measurement & Instrumentation), vol. 58, no. 9, pages 22 - 27 *

Also Published As

Publication number Publication date
CN114124460B (en) 2023-07-18

Similar Documents

Publication Publication Date Title
CN112148987B (en) Message pushing method based on target object activity and related equipment
CN111475804A (en) Alarm prediction method and system
CN112863683B (en) Medical record quality control method and device based on artificial intelligence, computer equipment and storage medium
CN111784528A (en) Abnormal community detection method and device, computer equipment and storage medium
CN112231570B (en) Recommendation system support attack detection method, device, equipment and storage medium
CN112035549B (en) Data mining method, device, computer equipment and storage medium
CN111831675A (en) Storage model training method and device, computer equipment and storage medium
CN112766649B (en) Target object evaluation method based on multi-scoring card fusion and related equipment thereof
CN112307472A (en) Abnormal user identification method and device based on intelligent decision and computer equipment
CN112132676A (en) Method and device for determining contribution degree of joint training target model and terminal equipment
CN113220734A (en) Course recommendation method and device, computer equipment and storage medium
CN114926282A (en) Abnormal transaction identification method and device, computer equipment and storage medium
CN113326991A (en) Automatic authorization method, device, computer equipment and storage medium
CN112686301A (en) Data annotation method based on cross validation and related equipment
CN112395351A (en) Visual identification group complaint risk method, device, computer equipment and medium
CN112288163A (en) Target factor prediction method of target object and related equipment
CN115941322A (en) Attack detection method, device, equipment and storage medium based on artificial intelligence
CN115237724A (en) Data monitoring method, device, equipment and storage medium based on artificial intelligence
CN112528040B (en) Detection method for guiding drive corpus based on knowledge graph and related equipment thereof
CN114124460B (en) Industrial control system intrusion detection method and device, computer equipment and storage medium
CN114359582A (en) Small sample feature extraction method based on neural network and related equipment
CN111784360B (en) Anti-fraud prediction method and system based on network link backtracking
CN112990583A (en) Method and equipment for determining mold entering characteristics of data prediction model
CN116776150A (en) Interface abnormal access identification method and device, computer equipment and storage medium
CN116843395A (en) Alarm classification method, device, equipment and storage medium of service system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant