CN115186690A - KL divergence-based fault and attack detection method, system, medium, and program - Google Patents
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a fault and attack detection method, system, medium and program based on KL divergence. The method comprises the following steps: establishing a state space model for a local system: $x_{k+1} = A x_k + B u_k + w_k$, $y_k = C x_k + v_k$; receiving output data of the local system; estimating the state of the local system by using the received data and a Kalman estimator, wherein the Kalman estimator model is: wherein is the Kalman innovation; in the local system debugging operation phase, identifying the covariances of $w_k$ and $v_k$ while ensuring that the local system is free of faults and attacks, and calculating the covariance $\Sigma$ of the Kalman innovation $z_k$ at that time; after the local system is put into operation, identifying in real time the covariances and of $w_k$ and $v_k$, and calculating the covariance of the Kalman innovation at that time; and calculating the KL divergence by the formula or , and determining that the local system is in fault or under attack when the KL divergence value is larger than a threshold value.
Description
Technical Field
The present disclosure relates to the field of communications, and in particular, to KL divergence-based fault and attack detection methods, systems, media, and programs.
Background
In a system such as a permanent magnet synchronous motor test, system faults may be caused by wear of mechanical parts of the system, failure of system parts, or malfunction of the system, which may be reflected in measurement data of the system.
Data also faces the risk of interception and tampering while it is being transmitted. Interception and tampering of data during transmission is generally called a system attack.
Both system faults and attacks affect the decision process of the server.
Therefore, a method and a system for detecting whether the system is failed or attacked in time so that the server can take countermeasures in time are needed.
Disclosure of Invention
In view of the above technical problems, the present invention proposes a fault and attack detection method, system, medium, and program based on KL divergence.
According to one aspect of the present disclosure, a fault and attack detection method based on KL divergence is provided, including: establishing a state space model for a local system: $x_{k+1} = A x_k + B u_k + w_k$, $y_k = C x_k + v_k$, wherein $x_k \in \mathbb{R}^m$ is the local system state, $y_k \in \mathbb{R}^n$ is the local system output, $u_k \in \mathbb{R}^p$ is the control input, $w_k \in \mathbb{R}^m$ is the process noise, $v_k \in \mathbb{R}^n$ is the measurement output noise, $A \in \mathbb{R}^{m \times m}$ is the local system matrix, $B \in \mathbb{R}^{m \times p}$ is the input matrix, and $C \in \mathbb{R}^{n \times m}$ is the output matrix; receiving output data of the local system; estimating the state of the local system by using the received data and a Kalman estimator, wherein the Kalman estimator model is: wherein is a one-step predictor of the state of the local system, is the measurement update value of the state of the local system, $K_k$ is the Kalman gain, and is the Kalman innovation; in the local system debugging operation stage, identifying the covariances of $w_k$ and $v_k$ while ensuring that the local system is free of faults and attacks, and calculating the covariance $\Sigma$ of the Kalman innovation $z_k$ at that time; after the local system is put into operation, identifying in real time the covariances and of $w_k$ and $v_k$, and calculating the covariance of the Kalman innovation at that time; and calculating the KL divergence by the formula or , and determining that the local system is in fault or under attack when the KL divergence value is larger than a threshold value.
According to another aspect of the present disclosure, there is provided a KL divergence-based fault and attack detection system, comprising: one or more processors; and a memory coupled to the one or more processors, the memory storing computer-readable program instructions that, when executed by the one or more processors, perform a KL divergence-based fault and attack detection method according to the present invention.
According to yet another aspect of the present disclosure, a non-transitory computer-readable medium having instructions stored thereon for execution by a processor to perform a KL divergence-based fault and attack detection method according to the present invention is provided.
According to yet another aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of KL divergence based fault and attack detection according to the present invention.
Other features of the present invention and advantages thereof will become more apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
FIG. 1 illustrates a block diagram of an exemplary computer system/server 12 suitable for use in implementing embodiments of the present invention.
FIG. 2 illustrates a KL divergence based fault and attack detection method according to an exemplary embodiment of the present invention.
Fig. 3 shows a schematic diagram of a local system according to an exemplary embodiment of the present invention.
Detailed Description
The following description is presented to enable any person skilled in the art to make and use the described embodiments, and is provided in the context of a particular system and its requirements. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments and systems without departing from the spirit or scope of the described embodiments. Thus, the described embodiments are not limited to the embodiments shown, but are to be accorded the widest scope consistent with the principles and features disclosed herein.
FIG. 1 illustrates a block diagram of an exemplary computer system/server 12 suitable for use in implementing embodiments of the present invention. The computer system/server 12 shown in FIG. 1 is only an example and should not be taken to limit the scope of use or the functionality of embodiments of the present invention in any way.
As shown in FIG. 1, computer system/server 12 is in the form of a general purpose computing device. The components of computer system/server 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The computer system/server 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media. Although not shown in FIG. 1, a magnetic disk drive as well as an optical disk drive may also be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
The computer system/server 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, etc.) and a display 24, and may also communicate with one or more devices that enable a user to interact with the computer system/server 12, and/or with any devices (e.g., network card, modem, etc.) that enable the computer system/server 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the computer system/server 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet) via the network adapter 20. As shown, network adapter 20 communicates with the other modules of computer system/server 12 via bus 18. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the computer system/server 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
To distinguish from KL divergence based fault and attack detection systems as claimed by the present invention, the system that needs fault or attack detection is referred to herein as the local system.
The KL divergence-based fault and attack detection method provided by the invention requires state space modeling of the local system to obtain the parameters of the local system, and uses a Kalman estimator to predict the state of the local system to obtain the Kalman innovation and its covariance. The fault and attack detection method based on KL divergence is described in detail below with reference to FIG. 2.
FIG. 2 illustrates a KL divergence-based fault and attack detection method 200 according to an exemplary embodiment of the present invention. The method 200 may be performed, for example, by the computer system/server 12 described in FIG. 1.
As shown in fig. 2, a state space model is built for the local system at step 201.
According to an embodiment of the invention, the state space model is:
$x_{k+1} = A x_k + B u_k + w_k$,
$y_k = C x_k + v_k$,
wherein $x_k \in \mathbb{R}^m$ is the local system state, $y_k \in \mathbb{R}^n$ is the local system output, $u_k \in \mathbb{R}^p$ is the control input, $w_k \in \mathbb{R}^m$ is the process noise, $v_k \in \mathbb{R}^n$ is the measurement output noise, $A \in \mathbb{R}^{m \times m}$ is the local system matrix, $B \in \mathbb{R}^{m \times p}$ is the input matrix, and $C \in \mathbb{R}^{n \times m}$ is the output matrix.
According to an embodiment of the present invention, $\{w_k\}$ and $\{v_k\}$ are modeled as mutually independent zero-mean Gaussian processes with covariances $Q$ and $R$, respectively; $(A, C)$ is observable, is stable, and $(A, B)$ is controllable.
In step 202, output data of the local system is received. For example, the output data includes $A$, $B$, $C$ and $y_k$.
In step 203, the state of the local system is predicted using the received output data of the local system and the kalman estimator.
The Kalman estimator model is:
wherein is a one-step predictor of the state of the local system, is the measurement update value of the state of the local system, $K_k$ is the Kalman gain, is the one-step prediction error covariance, and is the measurement update error covariance.
By solving the algebraic Riccati equation the steady-state value of the one-step prediction error covariance can be obtained.
At step 204, during the local system debugging operation phase, the covariances of $w_k$ and $v_k$ are identified while ensuring that the local system is free of faults and attacks, and the covariance $\Sigma$ of the Kalman innovation $z_k$ at that time is calculated.
Here, the algorithm for identifying the covariances $Q$ and $R$ of $w_k$ and $v_k$ is described in detail in "A new autocovariance least-squares method for identifying noise covariances", published by Brian J. Odelson et al., 42, pp. 303-308, 2006, which is not repeated here and is incorporated herein by reference in its entirety; it can be obtained from www.sciencedirect.com.
In step 205, after the local system is put into operation, the covariances and of $w_k$ and $v_k$ are identified in real time, and the covariance of the Kalman innovation at that time is calculated.
Here, refer respectively to the covariances of $w_k$ and $v_k$ identified in real time, the corresponding Kalman innovation, and its covariance; the notation distinguishes them from the corresponding parameters of the debugging operation phase, in which the system is free of faults and attacks.
In step 206, the KL divergence is calculated, and it is determined that the local system is malfunctioning or under attack when the KL divergence value is greater than a threshold value.
According to the embodiment of the invention, when the system is determined to be in fault or under attack, alarm information is triggered as a reminder to deal with the fault or attack in time. The alarm can be given visually, for example as a pop-up prompt or a flashing alarm lamp, audibly, or both visually and audibly.
According to the embodiment of the invention, the threshold value can be set and modified as required. For example, when the threshold corresponding to is set to $\epsilon$ and the threshold corresponding to is set to $\delta$, it is determined that the local system is malfunctioning or under attack when or .
According to the KL divergence-based fault and attack detection method, faults or attacks occurring in a real-time dynamic system can be detected in time, so that repair measures can be taken in time, the operation efficiency of the system is improved, and the influence on the decision process of a server is reduced.
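An added example (not code from the patent) of steps 201 to 206 on a constructed scalar plant: a steady-state Kalman estimator produces innovations, a clean commissioning run fixes the reference covariance, and a sliding window raises an alarm when either direction of the KL divergence exceeds its threshold. Assumptions: the plant parameters, window length and threshold values are constructed; the KL divergence is the standard closed form for zero-mean Gaussians, because the patent's own formulas do not survive in this text; and the real-time innovation covariance is a windowed sample variance, swapped in for the autocovariance least-squares identification the description cites.

```python
import math
import random

# Constructed scalar plant (m = n = p = 1); every value here is illustrative.
A, B, C, Q, R = 0.9, 0.5, 1.0, 0.01, 0.04
WINDOW, EPS, DELTA = 200, 0.1, 0.1   # window length and the two KL thresholds


def steady_state_gain(a, c, q, r, iters=500):
    """Iterate the scalar Riccati recursion to its fixed point and return
    (Kalman gain, theoretical innovation variance c*P*c + r)."""
    p = q
    for _ in range(iters):
        k = p * c / (c * p * c + r)
        p = a * (p - k * c * p) * a + q
    s = c * p * c + r
    return p * c / s, s


def simulate(n, rng, tamper_std=0.0, tamper_from=None):
    """Generate (y_k, u_k) from the state space model. From index tamper_from
    on, the received y_k carries extra zero-mean noise, standing in for data
    altered in transit; the plant state itself is unaffected."""
    x, ys, us = 0.0, [], []
    for k in range(n):
        u = math.sin(0.05 * k)
        y = C * x + rng.gauss(0.0, math.sqrt(R))
        if tamper_from is not None and k >= tamper_from:
            y += rng.gauss(0.0, tamper_std)
        ys.append(y)
        us.append(u)
        x = A * x + B * u + rng.gauss(0.0, math.sqrt(Q))
    return ys, us


def innovations(ys, us, gain):
    """Run the steady-state Kalman estimator; return z_k = y_k - C * x_pred."""
    x_pred, zs = 0.0, []
    for y, u in zip(ys, us):
        z = y - C * x_pred
        zs.append(z)
        x_pred = A * (x_pred + gain * z) + B * u   # measurement update, then predict
    return zs


def kl_zero_mean(var_p, var_q):
    """KL( N(0, var_p) || N(0, var_q) ) for scalar Gaussians (assumed form)."""
    ratio = var_p / var_q
    return 0.5 * (ratio - 1.0 - math.log(ratio))


def first_alarm(zs, sigma_ref):
    """Index of the first sample at which either KL direction exceeds its
    threshold over the trailing window, or None if no window does."""
    for end in range(WINDOW, len(zs) + 1):
        window = zs[end - WINDOW:end]
        sigma_hat = sum(z * z for z in window) / WINDOW
        if (kl_zero_mean(sigma_hat, sigma_ref) > EPS
                or kl_zero_mean(sigma_ref, sigma_hat) > DELTA):
            return end - 1
    return None


def run_demo(seed=7):
    """Return (reference innovation variance, alarm index on clean data,
    alarm index on data tampered from sample 1500)."""
    rng = random.Random(seed)
    gain, _ = steady_state_gain(A, C, Q, R)
    # Commissioning phase: known-clean data fixes the reference covariance.
    ys, us = simulate(2000, rng)
    zs = innovations(ys, us, gain)
    sigma_ref = sum(z * z for z in zs) / len(zs)
    # Operation without interference: no window should cross a threshold.
    ys, us = simulate(3000, rng)
    clean_alarm = first_alarm(innovations(ys, us, gain), sigma_ref)
    # Operation with measurements altered from sample 1500 onward.
    ys, us = simulate(3000, rng, tamper_std=0.5, tamper_from=1500)
    attack_alarm = first_alarm(innovations(ys, us, gain), sigma_ref)
    return sigma_ref, clean_alarm, attack_alarm


if __name__ == "__main__":
    print(run_demo())
```

The window length trades detection delay against false alarms: a shorter window reacts sooner but makes the sample covariance noisier, so the thresholds have to rise with it.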
The present invention may be implemented as a system, method and/or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied therewith for causing a processor to implement various aspects of the present invention.
According to one embodiment of the present invention, a KL divergence-based fault and attack detection system is provided that includes one or more processors and a memory coupled to the one or more processors. The memory stores computer-readable program instructions that, when executed by the one or more processors, perform a KL divergence based fault and attack detection method in accordance with the present invention.
The KL divergence-based fault and attack detection system can be realized in a software mode, and also can be realized in a hardware mode or a hardware and software mode.
The KL divergence-based fault and attack detection system can be applied to various real-time dynamic systems. For example, it can be applied to a permanent magnet synchronous motor test system as shown in fig. 3.
According to another embodiment of the present invention, a non-transitory computer readable medium having instructions stored thereon for execution by a processor to perform a KL divergence based fault and attack detection method according to the present invention is provided.
According to another embodiment of the invention, a computer program product is provided, comprising a computer program which, when being executed by a processor, performs the steps of the KL divergence based fault and attack detection method according to the invention.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
Computer program instructions for carrying out operations of the present invention may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present invention are implemented by personalizing an electronic circuit, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), with state information of computer-readable program instructions, which can execute the computer-readable program instructions.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terms used herein were chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
Claims (10)
1. A fault and attack detection method based on KL divergence comprises the following steps:
establishing a state space model for a local system: $x_{k+1} = A x_k + B u_k + w_k$, $y_k = C x_k + v_k$, wherein $x_k \in \mathbb{R}^m$ is the local system state, $y_k \in \mathbb{R}^n$ is the local system output, $u_k \in \mathbb{R}^p$ is the control input, $w_k \in \mathbb{R}^m$ is the process noise, $v_k \in \mathbb{R}^n$ is the measurement output noise, $A \in \mathbb{R}^{m \times m}$ is the local system matrix, $B \in \mathbb{R}^{m \times p}$ is the input matrix, and $C \in \mathbb{R}^{n \times m}$ is the output matrix;
receiving output data of a local system;
predicting the state of the local system using the received data and a Kalman estimator, wherein the Kalman estimator model is: wherein is a one-step predictor of the state of the local system, is the measurement update value of the state of the local system, $K_k$ is the Kalman gain, and is the Kalman innovation;
in the local system debugging operation stage, identifying the covariances of $w_k$ and $v_k$ while ensuring that the local system is free of faults and attacks, and calculating the covariance $\Sigma$ of the Kalman innovation $z_k$ at that time;
after the local system is put into operation, identifying in real time the covariances and of $w_k$ and $v_k$, and calculating the covariance of the Kalman innovation at that time; and
2. The KL divergence-based fault and attack detection method according to claim 1, wherein $\{w_k\}$ and $\{v_k\}$ are each modeled as mutually independent zero-mean Gaussian processes.
7. The KL divergence-based fault and attack detection method according to claim 1, further comprising triggering alarm information when it is determined that the system is faulty or under attack.
8. A KL divergence-based fault and attack detection system, comprising:
one or more processors; and
a memory coupled with the one or more processors, the memory storing computer-readable program instructions that, when executed by the one or more processors, perform the method of any of claims 1-7.
9. A non-transitory computer readable medium having instructions stored thereon for execution by a processor to perform the method of any of claims 1-7.
10. A computer program product comprising a computer program which, when executed by a processor, performs the steps of the method according to any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110369945.0A CN115186690A (en) | 2021-04-07 | 2021-04-07 | KL divergence-based fault and attack detection method, system, medium, and program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110369945.0A CN115186690A (en) | 2021-04-07 | 2021-04-07 | KL divergence-based fault and attack detection method, system, medium, and program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115186690A | 2022-10-14 |
Family
ID=83512300
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110369945.0A Pending CN115186690A (en) | 2021-04-07 | 2021-04-07 | KL divergence-based fault and attack detection method, system, medium, and program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115186690A (en) |
-
2021
- 2021-04-07 CN CN202110369945.0A patent/CN115186690A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||