CN115021954A - Industrial control service data false injection attack detection method based on depth self-encoder

Info

Publication number: CN115021954A
Application number: CN202210410562.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 杨瑞瑞, 徐砚, 李立
Current Assignee: China Electronic Technology Cyber Security Co Ltd
Original Assignee: China Electronic Technology Cyber Security Co Ltd
Prior art keywords: data, industrial control, injection attack, service data, false

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention discloses a method for detecting false data injection attacks on industrial control service data based on a deep autoencoder (rendered "depth self-encoder" in the title), comprising the following steps: S1, preprocessing historical data of the industrial control equipment and training a model to obtain a false injection attack detection model; S2, preprocessing random injection attack data and feeding it into the trained false injection attack detection model to set a model threshold; S3, collecting industrial control service data from the OPC server in real time, preprocessing it, predicting the result with the trained false injection attack detection model, and judging whether the predicted value is false injection data. The method uses a deep learning model to detect, in real time, abnormal data caused by false data injection attacks on the service data of industrial control equipment, and can raise alarms that associate the abnormal data with the related equipment, so that abnormal equipment operation is noticed at the first moment, judged quickly and accurately, and the safe operation of the system is effectively maintained.

Description

Industrial control service data false injection attack detection method based on depth self-encoder
Technical Field
The invention belongs to the technical field of industrial control, and in particular relates to a method for detecting false injection attacks on industrial control service data based on a deep autoencoder.
Background
Industrial control systems are tightly integrated with production, their physical devices have complex interrelationships, and system availability has the highest priority among their security indicators; together these expose them to a variety of security threats. Adopting encryption and authentication greatly increases data transmission delay in an industrial control system, and the system's strict real-time requirements therefore increase the likelihood that data is maliciously stolen or even tampered with.
False data injection attacks can tamper with measurement signals collected by an Industrial Control System (ICS), affecting important decisions of the control system. False data injected into a measurement signal is hard to notice and can still achieve the goal of damaging the system. Depending on how much information the attacker has, the attacker may inject random malicious values or inject deviation values carefully calculated from prior information. Both random and precisely targeted false data injection attacks seriously damage the system, so detecting false data injection efficiently and in real time is important for ensuring the safe operation of an industrial control system.
Disclosure of Invention
To address the above deficiencies in the prior art, the invention provides a deep-autoencoder-based method for detecting false injection attacks on industrial control service data, which solves the problem of how to detect false data injection efficiently and in real time and thereby ensure the safe operation of an industrial control system.
To achieve this purpose, the invention adopts the following technical scheme: a method for detecting false injection attacks on industrial control service data based on a deep autoencoder, comprising the following steps:
S1, preprocessing historical data of the industrial control equipment and training a model to obtain a false injection attack detection model;
S2, preprocessing the random injection attack data, feeding it into the trained false injection attack detection model and setting a model threshold;
S3, collecting industrial control service data from the OPC server in real time, preprocessing it, predicting the result with the trained false injection attack detection model, and judging whether the predicted value is false injection data.
Further: the historical data of the industrial control equipment is historical service data of the industrial control equipment, measured by sensors and collected by an OPC server.
Further: the data preprocessing in step S1 is specifically: screening the normally operating service data out of the historical service data of the industrial control equipment according to the point table and the equipment operation and maintenance information, and standardizing the data.
Further: the model training is specifically: the autoencoder network structure is built with the Keras deep learning framework, using relu as the activation function, mean square error as the loss function and Adam as the optimizer; the model is optimized by tuning the epochs, batch_size and lr parameters so that the loss function is minimized, i.e. the decoder reconstructs the input data from the encoder's output data.
Further: the model obtained by the model training is saved and uploaded to a server.
Further: the threshold setting method in step S2 is: abnormal service data is input into the trained false injection attack detection model, and the model threshold is set according to the principle of a high detection rate and a low false alarm rate and according to the requirements of the application scenario.
Further: the calculation formulas of the detection rate and the false alarm rate are as follows:
[Formula image not reproduced: Figure BDA0003603996460000031]
[Formula image not reproduced: Figure BDA0003603996460000032]
Further: the abnormal service data comes from the following sources: sampling the training set data and constructing abnormal data by random, deviation and surge false injection attack modes, or screening abnormal service data according to the industrial control system point table and the equipment operation and maintenance information.
Further: step S3 is specifically: the trained false injection attack detection model and the decision threshold are saved and uploaded to a server; industrial control service data is collected from the OPC server in real time and preprocessed; the pre-trained false injection attack detection model is then loaded to predict the result; if the deviation between the predicted value and the true value exceeds the threshold, the data is considered false injection data, and if the deviation is less than the threshold, the data is considered normal data.
Further: alarm information is obtained from the false injection data according to the user's filter conditions and visualized; the alarm information comprises the equipment type, equipment name, equipment number, equipment service data and the operating unit to which the equipment belongs; the filter conditions for visualization can be a specified time period and equipment type; the back end queries the database according to the filter conditions and returns the data to the front end, and the front end displays the alarm information visually.
The beneficial effects of the invention are as follows: the invention uses a deep learning model to detect, in real time, abnormal data caused by false data injection attacks on the service data of industrial control equipment, and can raise alarms that associate the abnormal data with the related equipment, so that abnormal equipment operation is noticed at the first moment, judged quickly and accurately, and the safe operation of the system is effectively maintained.
Drawings
Fig. 1 is a working principle diagram of the present invention.
Detailed Description
The following description of embodiments of the invention is provided to help those skilled in the art understand the invention. It should be understood, however, that the invention is not limited to the scope of these embodiments; to those skilled in the art, various changes are apparent as long as they fall within the spirit and scope of the invention as defined in the appended claims, and everything produced using the inventive concept is protected.
As shown in Fig. 1, a method for detecting false injection attacks on industrial control service data based on a deep autoencoder includes:
S1, preprocessing historical data of the industrial control equipment and training a model to obtain a false injection attack detection model;
(1) Data source
Historical service data of the industrial control equipment, measured by sensors and collected by an OPC server in the industrial control system.
(2) Data processing
The normally operating service data is screened out of the historical service data of the industrial control equipment according to the point table and the equipment operation and maintenance information, and the data is standardized.
(3) Model training
The autoencoder network structure is built with the Keras deep learning framework, using relu as the activation function, mean square error as the loss function and Adam as the optimizer. The model is optimized by tuning parameters such as epochs, batch_size and lr so that the loss function is minimized, i.e. the decoder can reconstruct the input data well from the encoder's output data.
(4) Model saving
The model trained in step (3) is saved and uploaded to a server.
S2, preprocessing the random injection attack data, feeding it into the trained false injection attack detection model and setting a model threshold;
(1) Sources of abnormal data
a) The training set data is sampled and abnormal data is constructed by false injection attack modes such as random, deviation and surge; this is implemented with a Python script.
b) Abnormal service data is screened according to the point table of the industrial control system and the equipment operation and maintenance information; this is implemented with a Python script plus manual assistance.
(2) Threshold determination
The abnormal service data obtained by the two methods above is input into the trained encoder model, and the model threshold is set according to the principle of a high detection rate and a low false alarm rate and according to the requirements of the application scenario.
[Formula image not reproduced: Figure BDA0003603996460000051]
[Formula image not reproduced: Figure BDA0003603996460000052]
The higher the detection rate and the lower the false alarm rate, the better the model performs.
S3, collecting industrial control service data from the OPC server in real time, preprocessing it, predicting the result with the trained false injection attack detection model, and judging whether the predicted value is false injection data.
The trained false injection attack detection model and the decision threshold are saved and uploaded to a server. A service data acquisition module collects industrial control service data from the OPC server in real time and preprocesses it, then loads the pre-trained anomaly detection model to predict the result. If the deviation between the predicted value and the true value exceeds the threshold, the data is considered false injection data; if the deviation is less than the threshold, the data is considered normal data.
Alarm information is obtained from the database according to the user's filter conditions and visualized.
a) The alarm information comprises the equipment type, equipment name, equipment number, equipment service data, the operating unit to which the equipment belongs, and so on. A user who wants to see the trend graph of the equipment service data can query the database to obtain it.
b) The filter conditions for visualization can be a specified time period, equipment type and so on. The back end queries the database according to the filter conditions and returns the data to the front end, and the front end displays the alarm information visually.
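Steps S1 to S3 as an added Python sketch (not code from the patent): it standardizes normal history, constructs random, deviation and surge injections from sampled training rows, picks the threshold with the best detection rate under a false alarm budget, and applies it to live samples. Assumptions: the tank level and pressure data is constructed, a closed-form linear 2-1-2 autoencoder stands in for the Keras network so the example runs without TensorFlow, the injection magnitudes and the 1% false alarm budget are illustrative, and the two rates use the usual definitions because the page's formula images are missing.

```python
"""Added illustration of steps S1-S3; not code from the patent."""
import math
import random

def fit_scaler(rows):
    """S1 preprocessing: per-tag mean and standard deviation of normal data."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

def recon_error(row, scaler):
    """Reconstruction MSE of one standardized (level, pressure) sample.

    Stand-in model (assumption): a linear 2-1-2 autoencoder. For two
    standardized, positively correlated tags its MSE optimum projects onto
    (1, 1)/sqrt(2), i.e. both tags are reconstructed as their mean.
    """
    means, stds = scaler
    z = [(v - m) / s for v, m, s in zip(row, means, stds)]
    code = sum(z) / len(z)                       # 1-unit bottleneck
    return sum((v - code) ** 2 for v in z) / len(z)

def inject(row, mode, rng, lo, hi):
    """S2(1)a: tamper with the pressure tag (magnitudes are assumptions)."""
    level, pressure = row
    if mode == "random":         # arbitrary value inside the normal range
        pressure = rng.uniform(lo, hi)
    elif mode == "deviation":    # constant offset on the true reading
        pressure += 0.1 * (hi - lo)
    elif mode == "surge":        # sudden multiplicative jump
        pressure *= 1.5
    else:
        raise ValueError(mode)
    return (level, pressure)

def rates(normal_err, attack_err, thr):
    """Assumed definitions: flagged attacks / attacks, flagged normal / normal."""
    dr = sum(e > thr for e in attack_err) / len(attack_err)
    far = sum(e > thr for e in normal_err) / len(normal_err)
    return dr, far

def pick_threshold(normal_err, attack_err, max_far):
    """S2(2): best detection rate among thresholds within the false alarm budget."""
    best = None
    for thr in sorted(set(normal_err)):
        dr, far = rates(normal_err, attack_err, thr)
        if far <= max_far and (best is None or dr > best[1]):
            best = (thr, dr, far)
    return best

def is_false_injection(row, scaler, thr):
    """S3: flag a live sample whose reconstruction deviation exceeds the threshold."""
    return recon_error(row, scaler) > thr

def make_normal(n, rng, start=0):
    """Constructed data: tank level (m) and a pressure tag (kPa) that tracks it."""
    rows = []
    for i in range(start, start + n):
        level = 5.0 + 3.0 * math.sin(i / 10.0)
        rows.append((level, 8.0 * level + rng.uniform(-0.2, 0.2)))
    return rows

def demo():
    rng = random.Random(2022)
    train = make_normal(400, rng)                # screened normal history
    scaler = fit_scaler(train)
    holdout = make_normal(200, rng, start=400)   # normal data for false alarms
    lo, hi = min(p for _, p in train), max(p for _, p in train)
    attacks = [inject(rng.choice(train), mode, rng, lo, hi)
               for mode in ("random", "deviation", "surge") for _ in range(100)]
    normal_err = [recon_error(r, scaler) for r in holdout]
    attack_err = [recon_error(r, scaler) for r in attacks]
    thr, dr, far = pick_threshold(normal_err, attack_err, max_far=0.01)
    live = [(6.0, 48.05), (6.0, 60.0)]           # second reading is tampered
    flags = [is_false_injection(r, scaler, thr) for r in live]
    return thr, dr, far, flags

if __name__ == "__main__":
    print(demo())
```

Random injections that happen to land near the true reading stay below the threshold, which is why the detection rate is measured rather than assumed to be 100%.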
In one embodiment of the invention, the experimental data is equipment service data collected by the OPC server of an oil depot, used as the training data set after data screening and standardization.
1) Comparison of the deep autoencoder and the One-Class SVM algorithm model
[Table image not reproduced: Figure BDA0003603996460000061]
2) Comparison of the deep autoencoder and the Gaussian mixture model (GMM) algorithm model
[Table image not reproduced: Figure BDA0003603996460000062]
Compared with the two other algorithms, the deep autoencoder achieves a higher detection rate and a lower false alarm rate in identifying false data injection attacks, and can therefore be used as a method for detecting false data injection in industrial control service data.

Claims (10)

1. A method for detecting false injection attacks on industrial control service data based on a deep autoencoder, characterized by comprising the following steps:
S1, preprocessing historical data of the industrial control equipment and training a model to obtain a false injection attack detection model;
S2, preprocessing random injection attack data and feeding it into the trained false injection attack detection model to set a model threshold;
S3, collecting industrial control service data from the OPC server in real time, preprocessing it, predicting the result with the trained false injection attack detection model, and judging whether the predicted value is false injection data.
2. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 1, wherein the historical data of the industrial control equipment is historical service data of the industrial control equipment, measured by sensors and collected by an OPC server.
3. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 1, wherein the data preprocessing in step S1 is specifically: screening the normally operating service data out of the historical service data of the industrial control equipment according to the point table and the equipment operation and maintenance information, and standardizing the data.
4. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 1, wherein the model training is specifically: the autoencoder network structure is built with the Keras deep learning framework, using relu as the activation function, mean square error as the loss function and Adam as the optimizer; the model is optimized by tuning the epochs, batch_size and lr parameters so that the loss function is minimized, i.e. the decoder reconstructs the input data from the encoder's output data.
5. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 1, wherein the model obtained by the model training is saved and uploaded to a server.
6. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 1, wherein the threshold setting method in step S2 is: abnormal service data is input into the trained false injection attack detection model, and the model threshold is set according to the principle of a high detection rate and a low false alarm rate and according to the requirements of the application scenario.
7. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 6, wherein the calculation formulas of the detection rate and the false alarm rate are as follows:
[Formula image not reproduced: Figure FDA0003603996450000021]
[Formula image not reproduced: Figure FDA0003603996450000022]
8. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 6, wherein the abnormal service data comes from the following sources: sampling the training set data and constructing abnormal data by random, deviation and surge false injection attack modes, or screening abnormal service data according to the industrial control system point table and the equipment operation and maintenance information.
9. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 1, wherein step S3 is specifically: the trained false injection attack detection model and the decision threshold are saved and uploaded to a server; industrial control service data is collected from the OPC server in real time and preprocessed; the pre-trained false injection attack detection model is then loaded to predict the result; if the deviation between the predicted value and the true value exceeds the threshold, the data is considered false injection data, and if the deviation is less than the threshold, the data is considered normal data.
10. The industrial control service data false injection attack detection method based on the deep autoencoder as claimed in claim 8, characterized in that alarm information is obtained from the false injection data according to the user's filter conditions and visualized; the alarm information comprises the equipment type, equipment name, equipment number, equipment service data and the operating unit to which the equipment belongs; the filter conditions for visualization can be a specified time period and equipment type; the back end queries the database according to the filter conditions and returns the data to the front end, and the front end displays the alarm information visually.

Application and publication data

Application number: CN202210410562.8A
Priority date: 2022-04-19
Filing date: 2022-04-19
Publication number: CN115021954A
Publication date: 2022-09-06
Family ID: 83066559
Country status: CN

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination