CN114915478A - Multi-Agent-based network attack scene identification method for intelligent park industrial control system based on distributed correlation analysis - Google Patents


Info

Publication number: CN114915478A
Application number: CN202210547651.7A
Authority: CN (China)
Prior art keywords: network attack, abnormal, data, control system, industrial control
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN114915478B (en)
Inventors: 周霞, 陆建强, 万磊, 钱俊良, 刘笑
Current assignee: Nanjing University of Posts and Telecommunications; Liyang Research Institute of Southeast University
Original assignee: Nanjing University of Posts and Telecommunications; Liyang Research Institute of Southeast University

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a network attack scene identification method for an intelligent park industrial control system based on multi-Agent distributed correlation analysis, comprising the following steps: preprocess the network attack abnormal event data and construct a network attack abnormal event associated factor set; group the preprocessed sets with a multi-Agent distributed processor, feed each group of data into a separate Agent running an FP-growth algorithm model, mine the frequent item sets of network attack abnormal events of the intelligent park system, analyze the potential association relations among the events and establish a network attack association rule base; construct the real-time abnormal event attribute set of the intelligent park system's network attacks and calculate the association degree of each abnormal manifestation attribute with a grey association analysis algorithm; and finally, combine the element set mapping the real-time abnormal event to network attack abnormal manifestations with the association rules in the network attack rule base to identify the attack scene rapidly.

Description

Multi-Agent-based network attack scene identification method for intelligent park industrial control system based on distributed correlation analysis
Technical Field
The invention belongs to the technical field of network attack protection, and relates to a network attack scene identification method of an intelligent park industrial control system based on multi-Agent distributed correlation analysis.
Background
Under the background of the integrated energy system, the coupling between different energy systems and between the power network and the information network keeps growing, as does the dependence of the power physical system on the power information and communication system. Network attacks aimed at intelligent park industrial control systems, such as false data injection attacks and denial of service attacks, have emerged continuously in recent years. Meanwhile, because of system vulnerabilities, operator errors and the like, the internal network of the park and the intelligent terminals in the equipment field are exposed to network attack. How to mine the association between abnormal events and network attacks, match abnormal events in real time, identify the attack scene, and deploy a protection strategy that eliminates the attack's influence and keeps the intelligent park system running safely and stably is therefore of great importance.
Some research has been carried out in this field. Feraoxuan et al. establish an association analysis model based on the Apriori algorithm, mine association rules under power grid network attack scenes and combine them with a Bayesian model to classify attack scenes rapidly. However, the Apriori algorithm must traverse the data set many times while mining frequent item sets, so its time complexity is high and it cannot meet the real-time requirements of mass data. Other work mines the association rules among multi-step attacks with a Bayesian network model, draws a network attack scene graph and predicts network attack scenes. However, a Bayesian model needs to know the prior probabilities, and an assumed prior often affects the prediction result, so the reliability of the prediction cannot be guaranteed. Machine learning and other intelligent algorithms are gradually being applied to attack association analysis: after a preliminary classification of abnormal events on the power communication side, a genetic algorithm automatically generates the association rules corresponding to different network attack scenes, and the rules are matched according to time-sequence logic. However, this method must match the association rules of every attack scene in sequence, so the matching efficiency for abnormal events is not high.
Disclosure of Invention
To solve these technical problems, the invention provides a network attack scene identification method for an intelligent park industrial control system based on multi-Agent distributed association analysis, which improves the efficiency of association analysis of network attack abnormal events.
To achieve this purpose, the invention is realized by the following technical scheme:
the invention discloses a network attack scene recognition method for an intelligent park industrial control system based on multi-Agent distributed correlation analysis, comprising:
step 1, read the security log files of the terminal equipment on the power side and the communication side of the intelligent park, preprocess the network attack abnormal event data, and construct the network attack abnormal event associated factor set;
step 2, group the preprocessed network attack abnormal event associated factor sets with a multi-Agent distributed processor, dividing the terminal equipment connected to the same edge Internet of Things gateway into a subset; place the set data of each subset into a different Agent, input it into an FP-growth algorithm model, and set a minimum support threshold and a minimum confidence threshold;
step 3, establish an FP-tree in each Agent to store the network attack abnormal event data set of the intelligent park industrial control system, mine the frequent item sets of network attack abnormal events, analyze the potential association relations among the events, fuse the frequent item sets of all groups, and establish the intelligent park industrial control system network attack association rule base;
step 4, select network attack abnormal manifestations to form an abnormal event attribute set $\alpha=\{\alpha_1,\alpha_2,\alpha_3,\ldots,\alpha_n\}$; set the optimal value of each index to form a reference attribute set $Y=\{y_1,y_2,y_3,\ldots,y_n\}$; establish a real-time comparison series $\alpha_i(k)$, calculate the attribute association degree of each network attack abnormal manifestation with a grey association analysis algorithm, and construct the intelligent park system network attack real-time abnormal event attribute set;
step 5, combine the element set mapping the real-time abnormal event to network attack abnormal manifestations with the association rules in the network attack rule base to identify the attack scene rapidly.
The invention is further improved in that: the specific operation of the step 1 for preprocessing the network attack abnormal event data is as follows: extracting network attack event related factors including attack abnormal expression forms of a power side and a communication side and a network attack scene, coding the attack abnormal expression forms and the network attack scene, wherein the attack abnormal expression forms are numbered by numbers, the network attack scene is numbered by letters, different numbers and letters are combined, and the constructed network attack abnormal event related factor set is as follows:
X={S i ,A i ,O i }
in the formula: s i To attack a scene, A i Is an abnormal manifestation of network attacks, O i Representing a data source object.
The invention is further improved in that: the specific operation of step 3 is:
step 3.1, scanning the abnormal event data set once, setting the minimum support threshold value as 1, and counting S for each piece of data i Or A i Frequently 1 item set number, and removing S lower than support threshold i Or A i Establishing an abnormal event item header;
step 3.2, scanning the abnormal data set for the second time, and eliminating S not in the item header of each piece of data i Or A i Reserving other data meeting the minimum threshold, sorting the data in a descending order according to the support degree, and reestablishing an abnormal data set;
step 3.3, reading the newly-built abnormal data set, and building a FP tree, wherein each node in the tree represents S i Or A i And the times of occurrence of the abnormal data set in the newly-built abnormal data set, wherein each path from the root node to the leaf node represents oneAbnormal data and recursively establishes S i Or A i Obtaining a frequent item set by a corresponding condition mode set;
and 3.4, according to the potential association relation between the frequent item set analysis events, calculating confidence degrees between different abnormal expression forms and network attack scenes through an FP-Growth algorithm, finding out the frequent item sets with large association degree according to the confidence degrees, grouping, carrying out fusion processing on all the grouped frequent item sets, and establishing an intelligent park industrial control system network attack association rule base.
The invention is further improved in that: comparing the series alpha in step 4 i (k) And the reference number series β (k) is as follows:
α i =α i (k)|k=1,2...n,i=1,2...9β=β(k)|k=1,2...n
where k denotes different time, and i denotes different attributes in the attribute set.
The beneficial effects of the invention are: (1) the method combines a multi-Agent distributed parallel computing framework with the FP-growth frequent item set mining algorithm, greatly reducing the offline training time of the association rules; it suits the mass-data environment of the intelligent park system, mines the association relations between network attack abnormal events in the intelligent park rapidly, and improves the timeliness of offline training of the association rules.
(2) The grey correlation analysis algorithm is used to match the network attack abnormal events of the intelligent park system with the correlation rules online, so that the network attack scene of the intelligent park industrial control system is identified accurately in real time, the identification precision of the network attack scene is further improved, and guidance is provided for eliminating the influence of the network attack.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
FIG. 2 is a schematic diagram of the multi-Agent distributed parallel association analysis model;
FIG. 3 is a schematic diagram of the first scan of the network attack abnormal event data set;
FIG. 4 is a schematic diagram of the second scan of the network attack abnormal event data set;
FIG. 5 is a diagram of FP-tree establishment and conditional pattern base acquisition;
FIG. 6 is a flow chart of the FP-growth-based network attack association rule base.
Detailed Description
The method of the present invention is further described in detail below with reference to the figures and examples.
As shown in FIGS. 1-2, the invention relates to a network attack scene recognition method for an intelligent park industrial control system based on multi-Agent distributed correlation analysis, comprising the following steps:
Step 1, establish the network attack abnormal event key factor set from the log data of the terminal equipment on the power side and the communication side of the intelligent park. Because security logs lack a standard format, the network attack abnormal events generated by different security terminals and security devices are not uniform in format. To analyze the network attack abnormal events, effective and representative feature data that constitute the item sets must be obtained. According to the multi-dimensional attack abnormal manifestations, the attack scene classification and the attack object analysis in existing research, two quantities, the attack abnormal manifestation and the attack scene that causes the abnormal event, are the essential elements for analyzing network attack abnormal events and extracting association rules. The network attack abnormal event key factor set can therefore be constructed as in (1):
$X=\{S_i, A_i, O_i\}$ (1)
where $S_i$ is the attack scene, $A_i$ the abnormal manifestation of the network attack and $O_i$ the data source object. The attack scenes $S_i$ include: modifying configuration parameters, session hijacking, equipment restarting, tampering with measurement data, forging control instructions, illegally monitoring messages, maliciously controlling communication, denial of service attack and equipment lock control;
the abnormal attack manifestations $A_i$ include: voltage abnormality, current abnormality, load shedding quantity abnormality, equipment malfunction/misoperation, time-varying electricity price abnormality, network flow abnormality, terminal illegal external connection, service application denial and user data leakage;
the data source objects $O_i$ include: the terminal layer, the communication layer and the master station layer.
After reading the corresponding log file, the abnormal data in the log are numbered. In this embodiment, attack abnormal manifestations such as voltage abnormality, current abnormality and load shedding abnormality are numbered with Arabic numerals, and attack scenes such as modifying configuration parameters, session hijacking and restarting devices are numbered with capital letters; a record is then built from these numbers, e.g. $E_1=\{A, 1, C, D, 3, 6\}$, and the processed data are written into the network attack abnormal event data set.
Step 2, group the preprocessed network attack abnormal event associated factor sets with a multi-Agent distributed processor, dividing the terminal equipment connected to the same edge Internet of Things gateway into a subset; then place the set data of each subset into a different Agent, input it into an FP-growth algorithm model, and set the minimum support threshold and the minimum confidence threshold.
Step 3, establish the intelligent park industrial control system network attack association rule base according to the minimum support threshold and the minimum confidence threshold set in step 2;
the specific steps are as follows:
step 3.1, scan the abnormal event data set once, set the minimum support threshold to 1, count the frequent 1-item sets of $S_i$ or $A_i$ in each record, remove the $S_i$ or $A_i$ below the support threshold, and establish the abnormal event item header. As shown in FIG. 3, the original abnormal data set of ten records on the left is processed to establish the abnormal event item header on the right; the minimum support in the established item header is 2, which satisfies the preset minimum support threshold;
step 3.2, scan the abnormal data set a second time and eliminate from each record the $S_i$ or $A_i$ not in the item header: the items I, H, 7, 8 and so on in the original data set of FIG. 3 do not satisfy the preset minimum support threshold of 1 and are removed, the other data meeting the minimum threshold are retained, and the abnormal data set is re-established in descending order of support, as shown in FIG. 4. In the newly established abnormal data set the minimum support is 2, which meets the preset minimum threshold;
step 3.3, read the newly built abnormal data set and build the FP-tree, in which each node represents an $S_i$ or $A_i$ and the number of times it appears in the abnormal data set, and each path from the root node to a leaf node represents one abnormal record; recursively establish the conditional pattern base corresponding to each $S_i$ or $A_i$ to obtain the frequent item sets;
step 3.4, analyze the potential association relations among events from the frequent item sets, calculate the confidence between the different abnormal manifestations and network attack scenes with the FP-Growth algorithm, find the frequent item sets with high association degree according to the confidence, group them, fuse the frequent item sets of all groups, and establish the intelligent park industrial control system network attack association rule base.
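Steps 3.1 to 3.4 carried out on coded records, as an added example written for this page; it is not the patent's code. The ten records follow the patent's letter/numeral coding but are constructed, as are the thresholds, and the per-gateway fusion (summing the supports each Agent reports) is an assumption, since the patent does not say how the grouped frequent item sets are merged.

```python
"""FP-growth over coded attack-event records (steps 3.1-3.4). Added example, not the patent's code.
Each record mixes scene codes (capital letters, S_i) and manifestation codes (digits, A_i),
in the style of the patent's E_1 = {A, 1, C, D, 3, 6}."""
from collections import Counter

# Constructed sample data set: one set of codes per abnormal event (letters = scenes, digits = manifestations).
EVENTS = [
    {"A", "1", "2"}, {"A", "1", "2", "6"}, {"B", "1", "6"}, {"A", "1", "2", "7"},
    {"B", "6", "7"}, {"C", "3", "4"}, {"C", "3"}, {"A", "1", "2"},
    {"C", "3", "4", "9"}, {"B", "6"},
]


class Node:
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def build_tree(records, min_support):
    """Steps 3.1-3.3. records: list of (itemset, count). Count 1-item sets, keep those at or
    above min_support as the item header, order each record by descending support and
    insert it into the FP-tree. Returns (header table, item counts)."""
    counts = Counter()
    for items, c in records:
        for item in items:
            counts[item] += c
    header = {i: [] for i, c in counts.items() if c >= min_support}
    root = Node(None, None)
    for items, c in records:
        # Descending support; the item code breaks ties so the order is deterministic.
        ordered = sorted((i for i in items if i in header), key=lambda i: (-counts[i], i))
        node = root
        for item in ordered:
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = Node(item, node)
                header[item].append(child)  # header table links every node of an item
            child.count += c
            node = child
    return header, counts


def conditional_pattern_base(nodes):
    """Prefix paths (root excluded) of all nodes of one item, each weighted by that node's count."""
    base = []
    for n in nodes:
        path, p = [], n.parent
        while p.item is not None:
            path.append(p.item)
            p = p.parent
        if path:
            base.append((frozenset(path), n.count))
    return base


def fp_growth(records, min_support, suffix=frozenset(), found=None):
    """Recursively mine every frequent itemset; returns {frozenset: support}."""
    found = {} if found is None else found
    header, counts = build_tree(records, min_support)
    for item in sorted(header, key=lambda i: (counts[i], i)):  # least frequent first
        itemset = suffix | {item}
        found[itemset] = counts[item]
        base = conditional_pattern_base(header[item])
        if base:
            fp_growth(base, min_support, itemset, found)
    return found


def scene_rules(frequent, min_conf):
    """Step 3.4: rules {manifestations} -> scene with confidence sup(X u {S}) / sup(X)."""
    rules = []
    for itemset, sup in frequent.items():
        scenes = [i for i in itemset if i.isalpha()]
        if len(scenes) != 1 or len(itemset) == 1:
            continue
        antecedent = itemset - {scenes[0]}
        conf = sup / frequent[antecedent]
        if conf >= min_conf:
            rules.append((antecedent, scenes[0], conf))
    return rules


def mine_rule_base(groups, min_support, min_conf):
    """One group per edge gateway (step 2), mined by its own Agent, then fused by summing
    the per-group supports. The fusion method is an assumption: the patent leaves it open."""
    fused = Counter()
    for group in groups:
        fused.update(fp_growth([(frozenset(e), 1) for e in group], min_support))
    return scene_rules(fused, min_conf)


if __name__ == "__main__":
    frequent = fp_growth([(frozenset(e), 1) for e in EVENTS], min_support=2)
    for antecedent, scene, conf in sorted(scene_rules(frequent, 0.7), key=lambda r: -r[2]):
        print(sorted(antecedent), "->", scene, f"conf={conf:.2f}")
```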
Step 4, first, for the real-time abnormal events monitored by the terminal equipment on the power side and the communication side of the intelligent park, select the network attack abnormal manifestations to form the abnormal event attribute set shown in formula (2):
$\alpha=\{\alpha_1,\alpha_2,\alpha_3,\ldots,\alpha_n\}$ (2)
The optimal value (or the worst value) of each index is set to form the reference attribute set shown in formula (3):
$\beta=\{\beta_1,\beta_2,\beta_3,\ldots,\beta_n\}$ (3)
Meanwhile, to calculate the association degree between each attribute in the attribute set and the reference attribute, a real-time comparison series $\alpha_i(k)$ and a reference series $\beta(k)$ are established as in formula (4):
$\alpha_i=\{\alpha_i(k)\mid k=1,2,\ldots,n\},\ i=1,2,\ldots,9;\quad \beta=\{\beta(k)\mid k=1,2,\ldots,n\}$ (4)
where $k$ denotes the different sampling instants and $i$ the different attributes in the attribute set.
Because the data in each factor column have different dimensions, the data must be non-dimensionalized before the relevance between each attribute of the real-time abnormal event and the reference attribute is evaluated. Two methods are mainly used, initialization and averaging, given by formulas (5) and (6) respectively:
[formula (5), initialization: image not reproduced in the extracted text]
[formula (6), averaging: image not reproduced in the extracted text]
where [symbol not reproduced in the extracted text] is the mean of the data in the comparison series. With the non-dimensionalized data, the correlation coefficient $\xi_i(k)$ at each instant is calculated as in formula (7):
[formula (7): image not reproduced in the extracted text]
Let $\Delta_i(k)=|\beta(k)-\alpha_i(k)|$; then:
[formula (8): image not reproduced in the extracted text]
where $\rho$ is called the resolution coefficient; the smaller $\rho$, the greater the resolving power, and $\rho$ is usually taken as 0.5.
Finally, the mean of the correlation coefficients between the comparison series and the reference series over all instants is calculated; it is the correlation degree between each attribute of the real-time abnormal event and the reference attribute, as in formula (9):
[formula (9): image not reproduced in the extracted text]
where $r_i$ is the correlation degree of attribute $i$ and $\xi_i(k)$ the correlation coefficient. A separate threshold is set for each attribute and compared with the correlation degree $r_i$ of that attribute to judge whether the corresponding abnormal manifestation has occurred. For example, the decision for the current abnormality may be set as:
[threshold rule: image not reproduced in the extracted text]
where $b$ is the threshold. In this way the element set mapping the real-time abnormal event to network attack abnormal manifestations is obtained.
Step 5, combine the element set mapping the real-time abnormal event to network attack abnormal manifestations with the association rules in the network attack rule base to identify the attack scene rapidly.
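Step 4 and step 5 carried through in code, as an added example written for this page and not the patent's implementation. It assumes Deng's grey relational coefficient for formula (8), initialization for formula (5), that β(k) holds the optimal (normal) values so an attribute is abnormal when its r_i falls below the threshold b, and that a rule matches when its antecedent is contained in the observed element set; the series, thresholds, rule base and the numeral/letter codes (taken in the order of the patent's lists) are constructed.

```python
"""Grey relational analysis (step 4) and rule matching (step 5) for real-time
abnormal-event attributes. Added example, not the patent's code."""
from statistics import fmean

RHO = 0.5  # resolution coefficient rho; the patent takes 0.5

# Constructed real-time series over n = 4 sampling instants k. Attribute codes follow the order
# of the patent's manifestation list (assumption): 1 = voltage, 2 = current, 6 = network flow.
ALPHA = {"1": [230, 230, 230, 230], "2": [10, 20, 30, 40], "6": [50, 100, 100, 100]}
BETA = [100, 100, 100, 100]  # reference series beta(k): the optimal (steady) value
THRESHOLDS = {"1": 0.8, "2": 0.8, "6": 0.8}  # per-attribute threshold b (constructed)
# Constructed rule base in the shape step 3 yields: {manifestations} -> (scene, confidence).
# Scene letters follow the order of the patent's scene list (assumption):
# D = tampering with measurement data, G = maliciously controlling communication, H = denial of service.
RULE_BASE = {
    frozenset({"2", "6"}): ("H", 0.9),
    frozenset({"2"}): ("D", 0.8),
    frozenset({"6"}): ("G", 0.75),
}


def initialize(series):
    """Formula (5), initialization: divide every value by the first one (first value must be non-zero)."""
    return [v / series[0] for v in series]


def average(series):
    """Formula (6), averaging: divide every value by the series mean."""
    m = fmean(series)
    return [v / m for v in series]


def grey_relational_degree(alpha, beta, normalize=initialize, rho=RHO):
    """Return {attribute i: r_i}. alpha maps attribute code -> comparison series alpha_i(k);
    beta is the reference series beta(k); both run over the same instants k = 1..n.
    Uses Deng's relational coefficient (assumption for the patent's formula (8))."""
    b = normalize(beta)
    # Delta_i(k) = |beta(k) - alpha_i(k)| on the non-dimensionalized data
    deltas = {i: [abs(bk - ak) for bk, ak in zip(b, normalize(a))] for i, a in alpha.items()}
    flat = [d for ds in deltas.values() for d in ds]
    d_min, d_max = min(flat), max(flat)  # two-level minimum and maximum over all i and k
    if d_max == 0:  # every comparison series coincides with the reference: full relation
        return {i: 1.0 for i in alpha}
    r = {}
    for i, ds in deltas.items():
        xi = [(d_min + rho * d_max) / (d + rho * d_max) for d in ds]  # xi_i(k), formula (8)
        r[i] = fmean(xi)  # r_i = mean over k of xi_i(k), formula (9)
    return r


def abnormal_elements(r, thresholds):
    """Element set of the real-time event: attribute i is abnormal when r_i < b_i
    (assumption: the reference holds normal values, so a low relation means deviation)."""
    return frozenset(i for i, ri in r.items() if ri < thresholds[i])


def identify_scene(elements, rule_base):
    """Step 5 (matching policy is an assumption): keep the rules whose antecedent is contained
    in the observed element set, rank them by antecedent size then confidence, and return
    the top scene together with the ranked candidates."""
    hits = [(ante, scene, conf) for ante, (scene, conf) in rule_base.items() if ante <= elements]
    hits.sort(key=lambda h: (len(h[0]), h[2]), reverse=True)
    return (hits[0][1] if hits else None), hits


if __name__ == "__main__":
    degrees = grey_relational_degree(ALPHA, BETA)
    elements = abnormal_elements(degrees, THRESHOLDS)
    scene, candidates = identify_scene(elements, RULE_BASE)
    print({i: round(v, 3) for i, v in degrees.items()}, sorted(elements), scene)
```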
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments or portions thereof without departing from the spirit and scope of the invention.

Claims (6)

1. The method for identifying the network attack scene of the intelligent park industrial control system based on the distributed correlation analysis of multiple agents is characterized by comprising the following steps of:
step 1, reading security log files of terminal equipment at a power side and a communication side of an intelligent park, preprocessing network attack abnormal event data, and constructing a network attack abnormal event correlation factor set;
step 2, grouping the preprocessed network attack abnormal event associated factor sets by using a multi-Agent distributed processor, dividing terminal equipment accessed to the same edge Internet of things gateway into subsets, placing set data in the subsets into different agents, inputting the set data into an FP-growth algorithm model respectively, and setting a minimum support threshold and a minimum confidence threshold;
step 3, establishing an FP-tree in each Agent to store a data set of network attack abnormal events of the industrial control system of the intelligent park, excavating a frequent item set of the network attack abnormal events, analyzing a potential association relation among the events, performing fusion processing on all the grouped frequent item sets, and establishing an industrial control system network attack association rule base of the intelligent park;
step 4, selecting network attack abnormal manifestations to form an abnormal event attribute set $\alpha=\{\alpha_1,\alpha_2,\alpha_3,\ldots,\alpha_n\}$; setting the optimal value of each index to form a reference attribute set $\beta=\{\beta_1,\beta_2,\beta_3,\ldots,\beta_n\}$; creating a real-time comparison series $\alpha_i(k)$ and a reference series $\beta(k)$, calculating the attribute association degree of the network attack abnormal manifestations with a grey association analysis algorithm, and constructing the intelligent park system network attack real-time abnormal event attribute set;
step 5, combining the element set mapping the real-time abnormal event to network attack abnormal manifestations with the association rules in the network attack rule base to realize rapid identification of the attack scene.
2. The intelligent park industrial control system network attack scene identification method based on multi-Agent distributed correlation analysis according to claim 1, characterized in that: the specific operation of the step 1 for preprocessing the network attack abnormal event data is as follows: extracting network attack event related factors including attack abnormal expression forms of a power side and a communication side and a network attack scene, coding the two, and combining the codes of the two to construct a network attack abnormal event related factor set, wherein the constructed network attack abnormal event related factor set is as follows:
$X=\{S_i, A_i, O_i\}$
where $S_i$ is the attack scene, $A_i$ the abnormal manifestation of the network attack and $O_i$ the data source object.
3. The intelligent park industrial control system network attack scene identification method based on multi-Agent distributed correlation analysis according to claim 1, characterized in that: the specific operation of step 3 is:
step 3.1, scanning the abnormal event data set once, setting the minimum support threshold to 1, counting the number of frequent 1-itemsets for each $S_i$ or $A_i$ in the data, removing the $S_i$ or $A_i$ whose support is below the threshold, and establishing an abnormal event item header;
step 3.2, scanning the abnormal data set a second time, eliminating from each piece of data the $S_i$ or $A_i$ that are not in the item header, keeping the remaining data that meet the minimum threshold, sorting them in descending order of support, and re-establishing the abnormal data set;
step 3.3, reading the newly built abnormal data set and building an FP tree, where each node in the tree represents an $S_i$ or $A_i$ together with its number of occurrences in the abnormal data set, each path from the root node to a leaf node represents one abnormal data record, and the conditional pattern base corresponding to each $S_i$ or $A_i$ is built recursively to obtain the frequent item sets;
step 3.4, analyzing the potential association relations among events according to the frequent item sets, calculating the confidence between different abnormal expression forms and network attack scenes with the FP-Growth algorithm, determining the association degrees from the confidence and grouping accordingly, fusing all grouped frequent item sets, and establishing the network attack association rule base of the intelligent park industrial control system.
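As an added example (not the patent's own code), the following Python runs steps 3.1 to 3.4 and the matching of step 5 on a constructed abnormal-event data set: the item header, the FP tree and its conditional pattern bases, the frequent item sets, confidence-based rules from abnormal expression forms $A_i$ to attack scenes $S_i$, and the lookup of a real-time expression set against that rule base. The record contents, the minimum support of 2 and the confidence threshold of 0.6 are assumptions, and the data source object $O_i$ is left out.

```python
from collections import Counter
from types import SimpleNamespace as Node

# Constructed sample abnormal-event records (not from the patent): each holds one
# attack-scene item S_i plus the abnormal expression forms A_i seen during it.
RECORDS = [{"S1", "A1", "A2"}, {"S1", "A1", "A2", "A3"}, {"S1", "A1"},
           {"S2", "A3", "A4"}, {"S2", "A4"}, {"S2", "A3", "A4", "A1"}]

def build_tree(records, min_sup):
    # Step 3.1: the first scan counts 1-itemsets; items below min_sup leave the header.
    support = Counter(i for rec in records for i in rec)
    header = {it: [] for it, c in support.items() if c >= min_sup}  # item -> its nodes
    root = Node(path=(), count=0, children={})  # node.path = items from root to node
    for rec in records:  # steps 3.2/3.3: prune, sort by support, insert as a tree path
        node = root
        for item in sorted((i for i in rec if i in header), key=lambda i: (-support[i], i)):
            if item not in node.children:
                node.children[item] = Node(path=node.path + (item,), count=0, children={})
                header[item].append(node.children[item])
            node = node.children[item]
            node.count += 1
    return header, support

def mine(records, min_sup, suffix=()):
    # FP-Growth: recursively mine each item's conditional pattern base (the prefix
    # paths of its nodes), yielding every frequent itemset with its support.
    header, support = build_tree(records, min_sup)
    freq = {}
    for item in header:
        freq[frozenset(suffix + (item,))] = support[item]
        cond = [set(n.path[:-1]) for n in header[item] for _ in range(n.count)]
        freq.update(mine(cond, min_sup, suffix + (item,)))
    return freq

def rule_base(freq, min_conf=0.6):
    # Step 3.4: rules {A_i, ...} -> S_i with confidence sup(A and S) / sup(A).
    rules = []
    for itemset, sup in freq.items():
        scenes = [i for i in itemset if i.startswith("S")]
        ant = itemset - set(scenes)
        if len(scenes) == 1 and ant and sup / freq[ant] >= min_conf:
            rules.append((ant, scenes[0], round(sup / freq[ant], 3)))
    return rules

def identify(rules, observed):
    # Step 5: the most confident matching rule wins; longer antecedents break ties.
    hits = [(conf, len(ant), scene) for ant, scene, conf in rules if ant <= observed]
    return max(hits)[2] if hits else None
```

With the constructed records, `identify(rule_base(mine(RECORDS, 2)), {"A1", "A3", "A4"})` returns `"S2"` because the two-item rule {A3, A4} -> S2 matches with full confidence.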
4. The intelligent park industrial control system network attack scene identification method based on multi-Agent distributed correlation analysis according to claim 1, characterized in that: the comparison sequence $\alpha_i(k)$ and the reference sequence $\beta(k)$ in step 4 are expressed as follows:
$\alpha_i = \{\alpha_i(k) \mid k = 1, 2, \ldots, n\},\ i = 1, 2, \ldots, 9; \qquad \beta = \{\beta(k) \mid k = 1, 2, \ldots, n\}$
where $k$ denotes different times and $i$ denotes different attributes in the attribute set.
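As an added example (not from the patent), this Python computes the attribute association degree of step 4 with Deng's grey relational analysis, which is assumed here to be the "grey association analysis algorithm" the claims name without defining; the four comparison sequences (claim 4 uses nine), the reference sequence, the distinguishing coefficient of 0.5 and the threshold used to keep attributes are all constructed assumptions, and the sequences are assumed to be already scaled so that 1.0 is the optimal value of each index.

```python
# Constructed sample data (not from the patent). Each comparison sequence
# alpha_i(k), k = 1..n, is one abnormal-expression index sampled at n times,
# assumed already scaled so that 1.0 is its optimal value; beta(k) is the
# reference sequence built from those optimal values.
BETA = [1.0, 1.0, 1.0, 1.0]
ALPHA = {
    "A1": [1.0, 0.9, 1.0, 0.9],  # tracks the reference closely
    "A2": [0.5, 0.5, 0.5, 0.5],  # constant offset from the reference
    "A3": [0.0, 0.2, 0.0, 0.0],  # far from the reference at every time
    "A4": [1.0, 0.0, 1.0, 0.0],  # intermittent deviation
}

def grey_relational_grades(alpha, beta, rho=0.5):
    """Deng's grey relational analysis, assumed here to be the 'grey association
    analysis algorithm' of claim 1. With d_i(k) = |beta(k) - alpha_i(k)|, the
    coefficient is xi_i(k) = (d_min + rho*d_max) / (d_i(k) + rho*d_max) and the
    association degree r_i is the mean of xi_i(k) over k; rho in (0, 1] is the
    distinguishing coefficient, 0.5 being the customary choice."""
    if any(len(seq) != len(beta) for seq in alpha.values()):
        raise ValueError("every comparison sequence needs len(beta) samples")
    deltas = {i: [abs(b - a) for a, b in zip(seq, beta)] for i, seq in alpha.items()}
    d_min = min(min(d) for d in deltas.values())
    d_max = max(max(d) for d in deltas.values())
    if d_max == 0:  # every sequence equals the reference: all grades are 1
        return {i: 1.0 for i in alpha}
    grades = {}
    for i, d in deltas.items():
        xi = [(d_min + rho * d_max) / (dk + rho * d_max) for dk in d]
        grades[i] = sum(xi) / len(xi)
    return grades

def realtime_attribute_set(alpha, beta, threshold=0.6, rho=0.5):
    """Step 4 output (selection rule assumed, the claims do not state one):
    attributes whose association degree reaches the threshold form the
    real-time abnormal event attribute set that step 5 matches against."""
    grades = grey_relational_grades(alpha, beta, rho)
    return {i for i, r in grades.items() if r >= threshold}
```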
5. A network attack scene identification system of an intelligent park industrial control system based on multi-Agent distributed correlation analysis, characterized in that the system comprises a network interface, a memory and a processor, wherein:
the network interface is used for receiving and sending signals while exchanging information with other external network elements;
the memory is used for storing a computer program that can run on the processor;
the processor is used for executing, when running the computer program, the steps of the intelligent park industrial control system network attack scene identification method based on multi-Agent distributed correlation analysis according to any one of claims 1 to 4.
6. A computer storage medium, wherein the computer storage medium stores a program for identifying a network attack scenario of a smart park industrial control system based on multi-Agent distributed correlation analysis, and the program for identifying a network attack scenario of a smart park industrial control system based on multi-Agent distributed correlation analysis is executed by at least one processor to implement the steps of the method for identifying a network attack scenario of a smart park industrial control system based on multi-Agent distributed correlation analysis according to any one of claims 1 to 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210547651.7A CN114915478B (en) 2022-05-19 2022-05-19 Network attack scene identification method, system and storage medium of intelligent park industrial control system based on multi-agent distributed correlation analysis

Publications (2)

Publication Number Publication Date
CN114915478A true CN114915478A (en) 2022-08-16
CN114915478B CN114915478B (en) 2023-03-10

Family

ID=82767792

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210547651.7A Active CN114915478B (en) 2022-05-19 2022-05-19 Network attack scene identification method, system and storage medium of intelligent park industrial control system based on multi-agent distributed correlation analysis

Country Status (1)

Country Link
CN (1) CN114915478B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115603989A (en) * 2022-10-08 2023-01-13 Liyang Research Institute of Southeast University (Cn) Network attack correlation analysis method of source network load storage cooperative control system
CN116074127A (en) * 2023-04-03 2023-05-05 Chengdu Industrial Vocational and Technical College Self-adaptive network security situation assessment model based on big data
CN116796043A (en) * 2023-08-29 2023-09-22 Shandong Tongwei Information Engineering Co., Ltd. Intelligent park data visualization method and system
CN117574135A (en) * 2024-01-16 2024-02-20 Lishui Power Supply Company of State Grid Zhejiang Electric Power Co., Ltd. Power grid attack event detection method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120254242A1 (en) * 2011-03-31 2012-10-04 Infosys Technologies Limited Methods and systems for mining association rules
US20180107695A1 (en) * 2016-10-19 2018-04-19 Futurewei Technologies, Inc. Distributed fp-growth with node table for large-scale association rule mining
CN110149350A (en) * 2019-06-24 2019-08-20 Information and Communication Branch of State Grid Anhui Electric Power Co., Ltd. Alarm log correlation attack analysis method and device
CN114124484A (en) * 2021-11-09 2022-03-01 China Merchants Bank Co., Ltd. Network attack identification method, system, device, terminal equipment and storage medium
CN114143020A (en) * 2021-09-06 2022-03-04 Beijing XJ Electric Co., Ltd. Rule-based network security event correlation analysis method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高泽芳, 王岱辉, 王昀, 文成江: "Research on real-time early warning of network attack behaviour based on alarm event features", 《电信工程技术与标准化》 (Telecommunications Engineering Technology and Standardization) *

Also Published As

Publication number Publication date
CN114915478B (en) 2023-03-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant