CN114397875A - Automatic production line spoofing attack detection method and system based on random control - Google Patents

Automatic production line spoofing attack detection method and system based on random control Download PDF

Info

Publication number
CN114397875A
CN114397875A CN202210032503.1A CN202210032503A CN114397875A CN 114397875 A CN114397875 A CN 114397875A CN 202210032503 A CN202210032503 A CN 202210032503A CN 114397875 A CN114397875 A CN 114397875A
Authority
CN
China
Prior art keywords
equipment
production line
time
waiting time
workstation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210032503.1A
Other languages
Chinese (zh)
Other versions
CN114397875B (en
Inventor
浦宏艺
程鹏
孙铭阳
陈积明
贾宁波
邵新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to CN202210032503.1A priority Critical patent/CN114397875B/en
Publication of CN114397875A publication Critical patent/CN114397875A/en
Application granted granted Critical
Publication of CN114397875B publication Critical patent/CN114397875B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • G05B23/0205Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24065Real time diagnostics

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention discloses a method and a system for detecting cheating attacks on an automatic production line based on random control. In the training stage, randomly generating control instructions of different equipment of the production line, enabling the equipment to execute according to the control instructions, and generating the real running/waiting time of the equipment; identifying the relationship between the respective real running/waiting time of all equipment of the production line and the received control instruction by a linear regression method; in the attack detection stage, control instructions and expected operation/waiting time of different devices are randomly generated, the expected operation period of the production line is kept unchanged, and finally, the accumulated deviation between the real operation/waiting time and the expected operation/waiting time of the devices is calculated according to the operation data of the different devices uploaded by the production line, so that the attack detection is realized. By means of the technical scheme provided by the invention, detection aiming at the deception attack can be realized on the premise of keeping the operation efficiency of the production line, the detection process is not easily interfered by the outside, and the detection accuracy rate is higher.

Description

Automatic production line spoofing attack detection method and system based on random control
Technical Field
The invention relates to the field of industrial control system safety, in particular to a deception attack detection method and system for an automatic production line based on random control.
Background
Automated production lines are widely deployed in manufacturing systems. The automated production line always performs the same operations periodically, resulting in a high susceptibility to fraud attacks. In a fraud attack, an attacker may first record normal operating data of the automation line for a period of time and then tamper with the operating data of the automation line during the attack and replay the previously recorded operating data of the automation line that appears to be normal. The cheating attack can not only cause the problems of equipment damage, production efficiency reduction and the like, but also can cheat a general detector based on data uploaded by an automatic production line, so that workers cannot find the attack in time, and further more serious damage is caused.
At present, machine learning, physical modeling, formalization methods and the like are mainly utilized for an attack detection method aiming at an automatic production line. In particular, these detectors assume that at least a portion of the operational data uploaded from the automated manufacturing line is authentic and not spoofed by an attacker. Based on the above assumptions, these detectors reuse machine learning methods, such as SVM, to learn the operation data uploaded from the automation production line in normal or abnormal situations, and mainly use the operation data that has not been tampered to determine whether the attack is suffered or not during the detection. Similarly, the physical modeling directly performs physical modeling on the automatic production line, and predicts normal operation of the production line by using the model, and the formalization method defines some physical specifications and judges whether the uploaded operation data meets the physical specifications. However, the above detector cannot detect an attack when an attacker spoofs/replays all the uploaded execution data.
Disclosure of Invention
The invention aims to provide a method and a system for detecting the cheating attack of an automatic production line based on random control, which are suitable for the condition that the detection method based on the running data of the automatic production line fails due to the cheating attack (such as data replay) of the automatic production line. The detection method prevents the potential safety hazard of deception attack caused by repeated work of an attacker using an automatic production line. Specifically, the detection method randomly controls the equipment of the automatic production line, so that the running of the equipment is not only repeatedly operated, the deception attack can be prevented, and the detection accuracy is high.
The purpose of the invention is realized by the following technical scheme:
in a first aspect, the invention provides an automatic production line cheating attack detection method based on random control, which randomly generates control instructions of different devices of a production line in a training stage to enable the operation and waiting time of the devices to change along with the change of the control instructions, and identifies the relation between the real operation/waiting time of the production line devices and the received control instructions through a linear regression method; in the attack detection stage, different control instructions and expected operation/waiting time are randomly generated, the operation period of the production line is made constant/fixed (the operation period is the time interval between two products/batches produced), finally, the real operation/waiting time of the production line equipment is calculated according to the operation data of different equipment uploaded on the production line, the accumulated deviation between the real operation/waiting time and the expected operation/waiting time is calculated to realize the detection of the spoofing attack, and if the production line is judged not to be attacked, the real operation/waiting time of the equipment and the received control instructions are used for updating the relationship of the equipment and the expected operation/waiting time.
The automation line needs to meet the following characteristics: 1. the automatic production line is composed of one or more workstations which run independently, 2. each workstation is composed of equipment with adjustable speed such as a mechanical arm, a numerical control machine tool, a motor, a conveyor belt and the like in real time, 3. each workstation has a fixed operation period, and the operation period of the production line is equal to the maximum value of the operation periods of all the workstations, 4. the automatic production line can have workstations with two operation modes, wherein the first mode is that all the equipment operates in sequence, so that the operation period of the workstation is the sum of the operation time of all the equipment in the workstation (the operation time is the sum of the operation time and the waiting time of the equipment), and the second mode is that the main equipment operates in sequence, and the operation of non-main equipment is parallel to the main equipment, so that the operation period of the workstation is the sum of the operation time of all the main equipment in the workstation;
the detection method comprises the following steps:
step 1: in the training stage of the automatic production line, randomly generating control instructions of different equipment of the production line, wherein the control instructions comprise operation control instructions and waiting control instructions, so that the equipment is executed according to the control instructions, and the real operation/waiting time of the equipment is generated;
step 2: identifying the relationship between the respective real running/waiting time of all equipment of the production line and the received control instruction by a linear regression method;
and step 3: in the attack detection stage of the automatic production line, control instructions of different equipment of the production line are randomly generated in each operation period of the production line, so that the expected running/waiting time of all the equipment of the production line is changed along with the change of the control instructions, and the expected operation periods of different workstations of the production line are unchanged, thereby ensuring that the expected operation periods of the production line are unchanged;
and 4, step 4: collecting real operation data of different equipment uploaded by an automatic production line, and calculating the real operation/waiting time of the different equipment according to the characteristics of the equipment during starting and stopping;
and 5: the true and expected device wait/run times are subtracted and the absolute value is taken to obtain the time offset, and the spoofing attack detection is completed according to whether the accumulated offset exceeds a certain threshold value in a period of time.
Further, in step 1, within the control range which is preset by an engineer and enables the production line equipment to safely operate (i.e. collision and equipment abrasion are not generated), control instructions are randomly issued to the equipment of the automatic production line, and the operation/waiting time corresponding to the control instructions is collected.
Further, in step 2, the expressions of the running time (i.e. acceleration from speed 0 to speed v at acceleration a, uniform movement for a period of time, and deceleration to speed 0 at acceleration-a) and the waiting time of the automation line equipment are as follows:
Figure BDA0003467076730000021
tn=tw
wherein, tmAnd tnRun time and latency of the device, v and t, respectivelywRespectively the equipment speed and the equipment waiting time specified by the received control instruction, and d and a are respectively the preset running distance and the preset acceleration; the run/latency of the device and the device speed/latency specified by the control instructions may be collectively written as a generalized expression as follows:
t=ω1c-123c
wherein t is the running/waiting time of the equipment, and c is the equipment speed/waiting time in the control command; { omega [ [ omega ] ]123The parameter is identified by a linear regression model;
linear regression training is performed using the control commands (i.e., speed and latency) and the corresponding device run/latency to derive a relationship between the control commands and the device run/latency.
Further, in step 3, generating control commands for all devices in each workstation, and ensuring that the expected operation period of each workstation is fixed;
for the first type of workstation (i.e. all devices operating in sequence), the following sub-steps are specifically included:
a. according to a safe control range established by an engineer in advance, calculating the shortest operation period of the workstation of all equipment at the fastest operation speed and the shortest waiting time;
b. subtracting the shortest operation period from the fixed operation period of the workstation to obtain the total adjustable operation time of the workstation;
c. calculating adjustable running time and waiting time of different devices in a workstation according to a safety control range established by an engineer in advance, and sequencing the adjustable running time and the waiting time from small to large;
d. randomly generating an adjusting time from the equipment corresponding to the minimum adjustable time, wherein the adjusting time ranges from 0 to the smaller value of the adjustable running/waiting time of the equipment and the overall adjustable operation time of the workstation, and adding the adjusting time and the fastest running/waiting time of the equipment to obtain the expected running/waiting time of the equipment;
e. subtracting the randomly generated adjustment time from the total adjustable operating time of the workstation as the total adjustable operating time of the new workstation;
f. next, taking down the equipment corresponding to the adjustable time, and jumping to the step d if the equipment corresponding to the last adjustable time is not taken down; if the equipment corresponds to the last adjustable time, directly taking the latest total adjustable operation time of the workstation as the adjustment time of the equipment, and adding the adjustment time and the fastest running/waiting time of the equipment to obtain the expected running/waiting time of the equipment;
g. calculating the control instructions of different devices by using the relationship between the control instructions obtained in the step 2 and the device operation/waiting time;
for the second workstation (i.e. the primary devices operate in sequence, the non-primary devices operate in parallel with the primary devices), the following sub-steps are specifically included:
A. the generation step of the control command of the operation/waiting time of the main equipment is the same as the generation step of the control command of the first workstation;
B. randomly generating expected operation/waiting time of non-main equipment according to a safety control range preset by an engineer;
C. and B, judging whether the expected operation/waiting time of all the randomly generated equipment meets the time constraint relation for preventing collision between the operation/waiting time of the main equipment and the operation/waiting time of the non-main equipment, which is preset by an engineer, calculating the control instruction of the non-main equipment if the time constraint relation is met, and returning to the step A to regenerate the expected operation/waiting time of all the equipment if the time constraint relation is not met.
Further, in step 4, converting the real operation data of the different devices uploaded by the automation production line into the real operation/waiting time of the devices, specifically comprising the following substeps:
step 4.1: judging whether the uploaded equipment operation data are discrete quantities or not according to whether the uploaded equipment operation data only contain 0/1 data or not, if so, identifying the time of the start/stop event of the equipment directly according to when the equipment operation data change from 0 to 1, if so, identifying the time of the start/stop event of the equipment according to the change amplitude of the equipment operation data, for example, identifying the equipment to be started when the change of the equipment operation data is larger than a preset threshold value, otherwise identifying the equipment to be stopped, and setting the threshold value as the maximum value of the change of the operation data when the equipment is stopped;
step 4.2: combining two events with similar event occurrence time (the time difference is within two sampling periods of the equipment operation data) into the same event;
step 4.3: events from the same workstation are classified into the same type for processing;
step 4.4: sequencing the start and stop events in each workstation from small to large in time;
step 4.5: and calculating the running/waiting time of different devices in the workstation according to the time difference value of the adjacent events.
In a second aspect, the invention provides an automatic production line spoofing attack detection system based on random control, which comprises an equipment control instruction random generation module, a linear regression module, an operation/waiting time conversion module and a spoofing attack detection module;
in the training stage of the automatic production line, a device control instruction random generation module randomly generates control instructions of different devices of the production line, wherein the control instructions comprise operation control instructions and waiting control instructions, so that the devices execute according to the control instructions and generate the real operation/waiting time of the devices; identifying the relationship between the respective actual running/waiting time of all the equipment of the production line and the received control instruction by using a linear regression method through a linear regression module;
in the attack detection stage of the automatic production line, the equipment control instruction random generation module randomly generates control instructions of different equipment of the production line in each operation period of the production line, so that the expected operation/waiting time of all the equipment of the production line is changed along with the change of the control instructions, and the expected operation periods of different workstations of the production line are unchanged, thereby ensuring that the expected operation period of the production line is unchanged; acquiring real operation data of different equipment uploaded by an automatic production line through an operation/waiting time conversion module, and calculating the real operation/waiting time of the different equipment according to the characteristics of the equipment during starting and stopping; and subtracting the real and expected device waiting/running time by a spoofing attack detection module and taking an absolute value to obtain a time deviation, finishing spoofing attack detection according to whether the accumulated deviation exceeds a certain threshold value or not in a period of time, and if the production line is judged not to be attacked, using the real running/waiting time of the device and the received control instruction for updating the relationship.
In a third aspect, the present invention provides an automatic production line spoofing attack detecting device based on random control, which includes a memory and one or more processors, where the memory stores executable codes, and the processors execute the executable codes to implement the steps in the automatic production line spoofing attack detecting method based on random control according to the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium, on which a program is stored, which, when being executed by a processor, implements the steps of the above-mentioned method for detecting spoofing attack in an automatic production line based on stochastic control according to the first aspect.
Compared with the prior art, the automatic production line cheating attack detection method based on random control has the remarkable advantages that: the prior art carries out attack detection based on operation data uploaded by an automatic production line, and the detectors assume that part of the uploaded data is true and reliable, so that the problem that the detectors fail when all the uploaded data are deceived exists. The invention can dynamically change the running time of the equipment, so that the equipment of the automatic production line does not generate the problem of repeated running, and the deception attack is fundamentally resisted.
Drawings
Fig. 1 is a flowchart of an automated production line spoofing attack detection method based on random control according to an embodiment of the present invention.
Fig. 2 is a flowchart for randomly generating control commands for a first workstation (i.e., all devices operate in sequence) and keeping the operation period of the workstation unchanged according to the embodiment of the present invention.
Fig. 3 is a flowchart for randomly generating control instructions for a second workstation (i.e., the primary devices operate in sequence, and the non-primary devices operate in parallel with the primary devices) and keeping the operation period of the workstation unchanged according to the embodiment of the present invention.
Fig. 4 is a flowchart of the operation data and operation/waiting time conversion of the automatic production line equipment according to the embodiment of the present invention.
Fig. 5 is a flowchart of attack detection according to an embodiment of the present invention.
Fig. 6 is a structural diagram of an automatic production line spoofing attack detection system based on random control according to an embodiment of the present invention.
Fig. 7 is a structural diagram of an automatic production line spoofing attack detecting device based on random control according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
Finally, the above description is a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily modify the technical solution of the present invention or substitute the same within the technical scope of the present invention, and the technical solution should be covered by the claims of the present invention.
The invention provides a detection method for deception attack of an automatic production line based on random control.A control instruction of different equipment of the production line is randomly generated in a training stage to ensure that the running time and the waiting time of the equipment change along with the change of the control instruction, and the relation between the real running/waiting time of the equipment of the production line and the received control instruction is identified by a linear regression method; in the attack detection stage, different control instructions and expected operation/waiting time are randomly generated, the operation period of the production line is made constant/fixed (the operation period is the time interval between two products/batches produced), finally, the real operation/waiting time of the production line equipment is calculated according to the operation data of different equipment uploaded on the production line, the accumulated deviation between the real operation/waiting time and the expected operation/waiting time is calculated to realize the detection of the spoofing attack, and if the production line is judged not to be attacked, the real operation/waiting time of the equipment and the received control instructions are used for updating the relationship of the equipment and the expected operation/waiting time.
The automation line needs to meet the following characteristics: 1. the automatic production line is composed of one or more workstations which run independently, 2. each workstation is composed of equipment with adjustable speed such as a mechanical arm, a numerical control machine tool, a motor, a conveyor belt and the like in real time, 3. each workstation has a fixed operation period, and the operation period of the production line is equal to the maximum value of the operation periods of all the workstations, 4. the automatic production line can have workstations with two operation modes, wherein the first mode is that all the equipment operates in sequence, so that the operation period of the workstation is the sum of the operation time of all the equipment in the workstation (the operation time is the sum of the operation time and the waiting time of the equipment), and the second mode is that the main equipment operates in sequence, and the operation of non-main equipment is parallel to the main equipment, so that the operation period of the workstation is the sum of the operation time of all the main equipment in the workstation; the method for actively changing the system dynamics so as to resist the cheating attack provides a new idea for detecting the cheating attack of the automatic production line.
Examples
As shown in fig. 1, the method for online detection of spoofing attack on an automatic production line based on random control provided in this embodiment specifically includes the following steps:
step 1, in the training stage of the automatic production line, randomly generating control instructions of different devices of the production line, wherein the control instructions comprise operation control instructions and waiting control instructions, the control instructions are in a control range preset by an engineer, then randomly issuing the control instructions to the devices of the automatic production line, and collecting operation/waiting time corresponding to the control instructions. The equipment is equipment with adjustable speed such as a mechanical arm, a numerical control machine tool, a motor and a conveyor belt in real time.
Step 2, identifying the relationship between the respective real running/waiting time of all the devices of the production line and the received control instruction by a linear regression method, specifically comprising the following steps:
the expressions for the run time (i.e. acceleration from speed 0 to speed v at acceleration a, uniform movement for a period of time, and deceleration to speed 0 at acceleration-a) and the wait time of the automation line equipment are respectively as follows:
Figure BDA0003467076730000061
tn=tw
wherein, tmAnd tnRun time and latency of the device, v and t, respectivelywRespectively the equipment speed and the equipment waiting time specified by the received control instruction, and d and a are respectively the preset running distance and the preset acceleration; the run/latency of the device and the device speed/latency specified by the control instructions may be collectively written as a generalized expression as follows:
t=ω1c-123c
wherein t is the running/waiting time of the equipment, and c is the equipment speed/waiting time in the control command; { omega [ [ omega ] ]123The parameter is identified by a linear regression model;
linear regression training is performed using the control commands (i.e., speed and latency) and the corresponding device run/latency to derive a relationship between the control commands and the device run/latency.
Step 3, in the attack detection stage of the automatic production line, randomly generating control instructions of different devices of the production line in each operation period of the production line, so that the expected operation/waiting time of all the devices of the production line is changed along with the change of the control instructions, and the expected operation periods of different workstations of the production line are unchanged, thereby ensuring that the expected operation periods of the production line are unchanged;
as shown in fig. 2, for the first workstation (i.e. all devices operate in sequence), the following sub-steps are specifically included:
a. according to a safe control range established by an engineer in advance, calculating the shortest operation period of the workstation of all equipment at the fastest operation speed and the shortest waiting time;
b. subtracting the shortest operation period from the fixed operation period of the workstation to obtain the total adjustable operation time of the workstation;
c. calculating adjustable running time and waiting time of different devices in a workstation according to a safety control range established by an engineer in advance, and sequencing the adjustable running time and the waiting time from small to large;
d. randomly generating an adjusting time from the equipment corresponding to the minimum adjustable time, wherein the adjusting time ranges from 0 to the smaller value of the adjustable running/waiting time of the equipment and the overall adjustable operation time of the workstation, and adding the adjusting time and the fastest running/waiting time of the equipment to obtain the expected running/waiting time of the equipment;
e. subtracting the randomly generated adjustment time from the total adjustable operating time of the workstation as the total adjustable operating time of the new workstation;
f. next, taking down the equipment corresponding to the adjustable time, and jumping to the step d if the equipment corresponding to the last adjustable time is not taken down; if the equipment corresponds to the last adjustable time, directly taking the latest total adjustable operation time of the workstation as the adjustment time of the equipment, and adding the adjustment time and the fastest running/waiting time of the equipment to obtain the expected running/waiting time of the equipment;
g. calculating the control instructions of different devices by using the relationship between the control instructions obtained in the step 2 and the device operation/waiting time;
as shown in fig. 3, for the second workstation (i.e. the primary devices operate in sequence, and the non-primary devices operate in parallel with the primary devices), the following sub-steps are specifically included:
A. the generation step of the control command of the operation/waiting time of the main equipment is the same as the generation step of the control command of the first workstation;
B. randomly generating expected operation/waiting time of non-main equipment according to a safety control range preset by an engineer;
C. and B, judging whether the expected operation/waiting time of all the randomly generated equipment meets the time constraint relation for preventing collision between the operation/waiting time of the main equipment and the operation/waiting time of the non-main equipment, which is preset by an engineer, calculating the control instruction of the non-main equipment if the time constraint relation is met, and returning to the step A to regenerate the expected operation/waiting time of all the equipment if the time constraint relation is not met. The time constraint is written as the following expression:
Figure BDA0003467076730000081
where q is the number of time constraints within the workstation, m is the number of expected run/wait operations for all primary devices of the workstation, r is the number of expected run/wait operations for all non-primary devices of the workstation, tiIs the time of the i-th expected run/wait operation of the workstation, ai,kIs a factor of the time of the i-th expected run/wait operation in the k-th constraint of the workstation that needs to be identified. a isi,kCan be given by engineers with a high experience in debugging the automatic production line or automatically given by a digital twin/simulator of the production line. Specifically, a control instruction can be randomly generated in a production line digital twin/simulator, the simulated production line can be operated, the simulation operation waiting time corresponding to the control instruction and whether production line equipment can collide or not are obtained, and finally a is identified by using methods such as linear regression, support vector machine and the likei,k
Step 4, collecting real operation data of different devices uploaded by the automatic production line, and calculating real operation/waiting time of the different devices according to the characteristics of the devices during starting and stopping; as shown in fig. 4, the method specifically includes the following sub-steps:
step 4.1: judging whether the uploaded equipment operation data are discrete quantities or not according to whether the uploaded equipment operation data only contain 0/1 data or not, if so, identifying the time of the start/stop event of the equipment directly according to when the equipment operation data change from 0 to 1, if so, identifying the time of the start/stop event of the equipment according to the change amplitude of the equipment operation data, for example, identifying the equipment to be started when the change of the equipment operation data is larger than a preset threshold value, otherwise identifying the equipment to be stopped, and setting the threshold value as the maximum value of the change of the operation data when the equipment is stopped;
step 4.2: combining two events with similar event occurrence time (the time difference is within two sampling periods of the equipment operation data) into the same event;
step 4.3: events from the same workstation are classified into the same type for processing;
step 4.4: sequencing the start and stop events in each workstation from small to large in time;
step 4.5: and calculating the running/waiting time of different devices in the workstation according to the time difference value of the adjacent events.
Step 5, as shown in fig. 5, subtracting the actual and expected waiting/running time of the device and taking the absolute value to obtain the time deviation, and completing the detection of the spoofing attack according to whether the accumulated deviation exceeds a certain threshold value in a period of time; if the production line is judged not to be under attack, the real operation/waiting time of the equipment and the received control instruction are used for updating the relationship.
Corresponding to the embodiment of the automatic production line spoofing attack detection method based on random control, the invention also provides an embodiment of an automatic production line spoofing attack detection system based on random control. As shown in fig. 6, the system includes a device control instruction random generation module, a linear regression module, a run/wait time conversion module, and a spoofing attack detection module;
in the training stage of the automatic production line, a device control instruction random generation module randomly generates control instructions of different devices of the production line, wherein the control instructions comprise operation control instructions and waiting control instructions, so that the devices execute according to the control instructions and generate the real operation/waiting time of the devices; identifying the relationship between the respective actual running/waiting time of all the equipment of the production line and the received control instruction by using a linear regression method through a linear regression module;
in the attack detection stage of the automatic production line, the equipment control instruction random generation module randomly generates control instructions of different equipment of the production line in each operation period of the production line, so that the expected operation/waiting time of all the equipment of the production line is changed along with the change of the control instructions, and the expected operation periods of different workstations of the production line are unchanged, thereby ensuring that the expected operation period of the production line is unchanged; acquiring real operation data of different equipment uploaded by an automatic production line through an operation/waiting time conversion module, and calculating the real operation/waiting time of the different equipment according to the characteristics of the equipment during starting and stopping; and subtracting the actual waiting time/running time of the expected equipment by a spoofing attack detection module, taking an absolute value to obtain a time deviation, and finishing spoofing attack detection according to whether the accumulated deviation exceeds a certain threshold value in a period of time.
Corresponding to the embodiment of the automatic production line spoofing attack detection method based on random control, the invention also provides an embodiment of the automatic production line spoofing attack detection device based on random control.
Referring to fig. 7, an automatic production line spoofing attack detecting device based on random control according to an embodiment of the present invention includes a memory and one or more processors, where the memory stores executable codes, and the processors execute the executable codes to implement the automatic production line spoofing attack detecting method based on random control according to the above embodiment.
The embodiment of the detection device for detecting spoofing attack of an automatic production line based on random control can be applied to any equipment with data processing capability, such as computers and other equipment or devices. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. The software implementation is taken as an example, and as a logical device, the device is formed by reading corresponding computer program instructions in the nonvolatile memory into the memory for running through the processor of any device with data processing capability. From a hardware aspect, as shown in fig. 7, a hardware structure diagram of any device with data processing capability where the automatic production line spoofing attack detecting device based on random control is located according to the present invention is shown, except for the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 7, in the embodiment, any device with data processing capability where the device is located may generally include other hardware according to the actual function of the any device with data processing capability, which is not described again.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
The embodiment of the invention also provides a computer readable storage medium, which stores a program, and when the program is executed by a processor, the detection method for spoofing attack of the automatic production line based on random control in the above embodiment is realized.
The computer readable storage medium may be an internal storage unit, such as a hard disk or a memory, of any data processing capability device described in any of the foregoing embodiments. The computer readable storage medium may also be any external storage device of a device with data processing capabilities, such as a plug-in hard disk, a Smart Media Card (SMC), an SD Card, a Flash memory Card (Flash Card), etc. provided on the device. Further, the computer readable storage medium may include both an internal storage unit and an external storage device of any data processing capable device. The computer-readable storage medium is used for storing the computer program and other programs and data required by the arbitrary data processing-capable device, and may also be used for temporarily storing data that has been output or is to be output.
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.

Claims (8)

1. A deception attack detection method for an automatic production line based on random control is characterized in that the automatic production line meets the following characteristics: the automatic production line consists of one or more workstations which operate independently; each workstation consists of equipment with real-time adjustable speed; each workstation has a fixed operation period, and the operation period of the production line is equal to the maximum value of the operation periods of all the workstations; the automatic production line has workstations with two operation modes, the first mode is that all equipment operates in sequence, so that the operation period of the workstation is the sum of the operation time of all the equipment in the workstation, the second mode is that the main equipment operates in sequence, and the operation of non-main equipment is parallel to the main equipment, so that the operation period of the workstation is the sum of the operation time of all the main equipment in the workstation;
the detection method comprises the following steps:
step 1: in the training stage of the automatic production line, randomly generating control instructions of different equipment of the production line, wherein the control instructions comprise operation control instructions and waiting control instructions, so that the equipment is executed according to the control instructions, and the real operation/waiting time of the equipment is generated;
step 2: identifying the relationship between the respective real running/waiting time of all equipment of the production line and the received control instruction by a linear regression method;
and step 3: in the attack detection stage of the automatic production line, control instructions of different equipment of the production line are randomly generated in each operation period of the production line, so that the expected running/waiting time of all the equipment of the production line is changed along with the change of the control instructions, and the expected operation periods of different workstations of the production line are unchanged, thereby ensuring that the expected operation periods of the production line are unchanged;
and 4, step 4: collecting real operation data of different equipment uploaded by an automatic production line, and calculating the real operation/waiting time of the different equipment according to the characteristics of the equipment during starting and stopping;
and 5: subtracting the actual waiting/running time of the expected equipment and taking an absolute value to obtain a time deviation, and finishing the detection of the spoofing attack according to whether the accumulated deviation exceeds a certain threshold value in a period of time; if the production line is judged not to be under attack, the real operation/waiting time of the equipment and the received control instruction are used for updating the relationship.
2. The fraud attack detection method according to claim 1, wherein in step 1, a control command is issued randomly to the devices of the automatic production line within a control range that is preset by an engineer and allows the devices of the production line to operate safely, and the operation/waiting time corresponding to the control command is collected.
3. The automated production line spoofing attack detection method based on stochastic control as recited in claim 1, wherein in step 2, the expressions of the running time and the waiting time of the automated production line device are respectively as follows:
Figure FDA0003467076720000011
tn=tw
wherein, tmAnd tnRun time and latency of the device, v and t, respectivelywRespectively the equipment speed and the equipment waiting time specified by the received control instruction, and d and a are respectively the preset running distance and the preset acceleration; the run/latency of the device and the device speed/latency specified by the control instructions may be collectively written as a generalized expression as follows:
t=ω1c-123c
wherein t is the running/waiting time of the equipment, and c is the equipment speed/waiting time in the control command; { omega [ [ omega ] ]123The parameter is identified by a linear regression model;
and performing linear regression training by using the control command and the corresponding equipment running/waiting time so as to obtain the relation between the control command and the equipment running/waiting time.
4. The automated production line spoofing attack detecting method based on stochastic control as claimed in claim 1, wherein in step 3, control commands are generated for all devices in each workstation, and the expected operation period of each workstation is guaranteed to be fixed;
for the first workstation, the following substeps are specifically included:
a. according to a safety control range established in advance, calculating the shortest operation period of the workstation of all equipment under the condition of the fastest operation speed and the shortest waiting time;
b. subtracting the shortest operation period from the fixed operation period of the workstation to obtain the total adjustable operation time of the workstation;
c. calculating adjustable running time and waiting time of different devices in the workstation according to a safety control range established in advance, and sequencing the adjustable running time and the waiting time from small to large;
d. randomly generating an adjusting time from the equipment corresponding to the minimum adjustable time, wherein the adjusting time ranges from 0 to the smaller value of the adjustable running/waiting time of the equipment and the overall adjustable operation time of the workstation, and adding the adjusting time and the fastest running/waiting time of the equipment to obtain the expected running/waiting time of the equipment;
e. subtracting the randomly generated adjustment time from the total adjustable operating time of the workstation as the total adjustable operating time of the new workstation;
f. next, taking down the equipment corresponding to the adjustable time, and jumping to the step d if the equipment corresponding to the last adjustable time is not taken down; if the equipment corresponds to the last adjustable time, directly taking the latest total adjustable operation time of the workstation as the adjustment time of the equipment, and adding the adjustment time and the fastest running/waiting time of the equipment to obtain the expected running/waiting time of the equipment;
g. calculating the control instructions of different devices by using the relationship between the control instructions obtained in the step 2 and the device operation/waiting time;
for the second workstation, the following sub-steps are specifically included:
A. the generation step of the control command of the operation/waiting time of the main equipment is the same as the generation step of the control command of the first workstation;
B. randomly generating expected operation/waiting time of non-main equipment according to a safety control range established in advance;
C. and B, judging whether the expected operation/waiting time of all the randomly generated devices meets the time constraint relation for preventing collision between the operation/waiting time of the primary device and the operation/waiting time of the non-primary device, if so, calculating the control instruction of the non-primary device, and if not, returning to the step A to regenerate the expected operation/waiting time of all the devices.
5. The automated production line spoofing attack detection method based on stochastic control as claimed in claim 1, wherein in step 4, the real operation data of different devices uploaded by the automated production line is converted into the real operation/waiting time of the devices, and the method specifically comprises the following sub-steps:
step 4.1: judging whether the uploaded equipment operation data are discrete quantities or not according to whether the uploaded equipment operation data only contain 0/1 data or not, if so, identifying the time of the start/stop event of the equipment directly according to when the equipment operation data are changed from 0 to 1, and if so, identifying the time of the start/stop event of the equipment according to the variation amplitude of the equipment operation data;
step 4.2: combining two events with similar event occurrence time into the same event;
step 4.3: events from the same workstation are classified into the same type for processing;
step 4.4: sequencing the start and stop events in each workstation from small to large in time;
step 4.5: and calculating the running/waiting time of different devices in the workstation according to the time difference value of the adjacent events.
6. A deception attack detection system of an automatic production line based on random control is characterized by comprising a device control instruction random generation module, a linear regression module, an operation/waiting time conversion module and a deception attack detection module;
in the training stage of the automatic production line, a device control instruction random generation module randomly generates control instructions of different devices of the production line, wherein the control instructions comprise operation control instructions and waiting control instructions, so that the devices execute according to the control instructions and generate the real operation/waiting time of the devices; identifying the relationship between the respective actual running/waiting time of all the equipment of the production line and the received control instruction by using a linear regression method through a linear regression module;
in the attack detection stage of the automatic production line, the equipment control instruction random generation module randomly generates control instructions of different equipment of the production line in each operation period of the production line, so that the expected operation/waiting time of all the equipment of the production line is changed along with the change of the control instructions, and the expected operation periods of different workstations of the production line are unchanged, thereby ensuring that the expected operation period of the production line is unchanged; acquiring real operation data of different equipment uploaded by an automatic production line through an operation/waiting time conversion module, and calculating the real operation/waiting time of the different equipment according to the characteristics of the equipment during starting and stopping; and subtracting the real and expected device waiting/running time by a spoofing attack detection module and taking an absolute value to obtain a time deviation, finishing spoofing attack detection according to whether the accumulated deviation exceeds a certain threshold value or not in a period of time, and if the production line is judged not to be attacked, using the real running/waiting time of the device and the received control instruction for updating the relationship.
7. An automated production line spoofing attack detecting device based on random control, comprising a memory and one or more processors, wherein the memory stores executable codes, and the processors execute the executable codes to realize the steps of the automated production line spoofing attack detecting method based on random control according to any one of claims 1-5.
8. A computer-readable storage medium, on which a program is stored, which, when being executed by a processor, carries out the steps of the automated production line spoofing attack detection method based on stochastic control according to any one of claims 1 to 5.
CN202210032503.1A 2022-01-12 2022-01-12 Automatic production line spoofing attack detection method and system based on random control Active CN114397875B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210032503.1A CN114397875B (en) 2022-01-12 2022-01-12 Automatic production line spoofing attack detection method and system based on random control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210032503.1A CN114397875B (en) 2022-01-12 2022-01-12 Automatic production line spoofing attack detection method and system based on random control

Publications (2)

Publication Number Publication Date
CN114397875A true CN114397875A (en) 2022-04-26
CN114397875B CN114397875B (en) 2022-08-05

Family

ID=81230276

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210032503.1A Active CN114397875B (en) 2022-01-12 2022-01-12 Automatic production line spoofing attack detection method and system based on random control

Country Status (1)

Country Link
CN (1) CN114397875B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970131A (en) * 2011-08-31 2013-03-13 北京中电华大电子设计有限责任公司 Circuit structure for preventing power attacks on grouping algorithm
US20150293234A1 (en) * 2014-04-09 2015-10-15 The Mitre Corporation Positioning, Navigation, and Timing Device Interference and Spoofing Detector With Timing Mitigation
CN109937369A (en) * 2016-11-17 2019-06-25 三菱电机株式会社 Radar installations and control system
CN110473569A (en) * 2019-09-11 2019-11-19 苏州思必驰信息科技有限公司 Detect the optimization method and system of speaker's spoofing attack
US20200225358A1 (en) * 2019-01-10 2020-07-16 Raytheon Company Detection of spoofing and meaconing for geolocation positioning system signals
CN111835784A (en) * 2020-07-22 2020-10-27 苏州思必驰信息科技有限公司 Data generalization method and system for replay attack detection system
US20210141900A1 (en) * 2019-11-13 2021-05-13 Vmware, Inc. Methods and systems for troubleshooting applications using streaming anomaly detection
CN112822151A (en) * 2020-11-06 2021-05-18 浙江中烟工业有限责任公司 Multilayer accurate active network attack detection method and system for control network industrial computer
CN112839005A (en) * 2019-11-22 2021-05-25 中国互联网络信息中心 DNS domain name abnormal access monitoring method and device
US20210248401A1 (en) * 2020-02-06 2021-08-12 ID R&D, Inc. System and method for face spoofing attack detection
US20210329029A1 (en) * 2020-04-17 2021-10-21 Cisco Technology, Inc. Detecting spoofing in device classification systems

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970131A (en) * 2011-08-31 2013-03-13 北京中电华大电子设计有限责任公司 Circuit structure for preventing power attacks on grouping algorithm
US20150293234A1 (en) * 2014-04-09 2015-10-15 The Mitre Corporation Positioning, Navigation, and Timing Device Interference and Spoofing Detector With Timing Mitigation
CN109937369A (en) * 2016-11-17 2019-06-25 三菱电机株式会社 Radar installations and control system
US20200225358A1 (en) * 2019-01-10 2020-07-16 Raytheon Company Detection of spoofing and meaconing for geolocation positioning system signals
CN110473569A (en) * 2019-09-11 2019-11-19 苏州思必驰信息科技有限公司 Detect the optimization method and system of speaker's spoofing attack
US20210141900A1 (en) * 2019-11-13 2021-05-13 Vmware, Inc. Methods and systems for troubleshooting applications using streaming anomaly detection
CN112839005A (en) * 2019-11-22 2021-05-25 中国互联网络信息中心 DNS domain name abnormal access monitoring method and device
US20210248401A1 (en) * 2020-02-06 2021-08-12 ID R&D, Inc. System and method for face spoofing attack detection
US20210329029A1 (en) * 2020-04-17 2021-10-21 Cisco Technology, Inc. Detecting spoofing in device classification systems
CN111835784A (en) * 2020-07-22 2020-10-27 苏州思必驰信息科技有限公司 Data generalization method and system for replay attack detection system
CN112822151A (en) * 2020-11-06 2021-05-18 浙江中烟工业有限责任公司 Multilayer accurate active network attack detection method and system for control network industrial computer

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
CONG MENG: "Recursive Filtering for Complex Networks Against Random Deception Attacks", 《IEEE》 *
刘大龙等: "采用多尺度主成分分析的控制系统欺骗攻击检测", 《浙江大学学报(工学版)》 *
李古月等: "基于设备与信道特征的物理层安全方法", 《密码学报》 *
王亚楠等: "基于PCA的过程控制系统欺骗攻击研究", 《信阳师范学院学报(自然科学版)》 *
陶莉等: "无线传感器网络KIPSO欺骗攻击检测模型", 《传感技术学报》 *

Also Published As

Publication number Publication date
CN114397875B (en) 2022-08-05

Similar Documents

Publication Publication Date Title
US10579453B2 (en) Stream-processing data
CN1975750B (en) Software operation modeling apparatus and method, software operation monitoring device and method
He et al. Scheduling flexible job shop problem subject to machine breakdown with route changing and right-shift strategies
JP2020173551A (en) Failure prediction device, failure prediction method, computer program, computation model learning method and computation model generation method
US10809695B2 (en) Information processing apparatus, machine learning device and system
CN105278906B (en) Programable display
CN113268334B (en) Scheduling method, device, equipment and storage medium of RPA robot
Han et al. Towards verifying safety properties of real-time probabilistic systems
CN112240784A (en) Abnormality determination device and abnormality determination system
CN110910193B (en) Order information input method and device based on RPA technology
CN114397875B (en) Automatic production line spoofing attack detection method and system based on random control
CN113946492A (en) Intelligent operation and maintenance method, device, equipment and storage medium
CN111161424B (en) Determination method and determination device for three-dimensional map
JP6890733B2 (en) Acquired data identification device, acquired data identification method and acquired data identification program
CN104065510A (en) PetriNet-based system operation and maintenance monitoring method and PetriNet-based system operation and maintenance monitoring system
CN111882074A (en) Data preprocessing system, method, computer device and readable storage medium
CN111736989A (en) Multi-mode distributed cluster GPU index detection method and system
WO2023181241A1 (en) Monitoring server device, system, method, and program
CN112463045B (en) Method, device, equipment and product for controlling diversity of redundant arrays of disks in batch
CN114490371A (en) Data testing method, device, testing equipment and medium based on artificial intelligence
CN111552263B (en) Method, computer-readable storage medium and system for inspecting industrial facilities
WO2021090476A1 (en) Stop cause specification assistance device, stop cause specification assistance program, and method
CN113722207A (en) Method and device for checking technical systems
CN114217594B (en) Method, device, medium and equipment for testing robot scheduling system
CN111783094A (en) Data analysis method and device, server and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant