CN115277071A - Method and device for detecting abnormal communication behavior of equipment - Google Patents


Info

Publication number
CN115277071A
Authority
CN
China
Prior art keywords
data packet
load
behavior
equipment
space
Prior art date
Legal status
Granted
Application number
CN202210693216.5A
Other languages
Chinese (zh)
Other versions
CN115277071B (en)
Inventor
李楠
金忠峰
刘超
李梅梅
黄伟庆
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention provides a method and a device for detecting abnormal communication behaviors of equipment, wherein the method comprises the following steps: acquiring a data packet group, wherein the data packet group comprises a plurality of data packets of target equipment in a polling period; constructing a load gray level image according to the effective load of each data packet in the data packet group; acquiring a space-time characteristic vector of the load gray level image; and constructing a corresponding equipment behavior fingerprint by using the space-time characteristic vector of the load gray level image, and detecting the communication behavior of the target equipment or the data packet to be detected in the data packet group according to the constructed equipment behavior fingerprint and the space-time characteristic behavior fingerprint of the target equipment. The method and the device for detecting the abnormal communication behavior of the equipment can improve the accuracy of detection; in addition, the detection process of the method has small calculation amount, can be applied to online real-time detection, and is more convenient and faster.

Description

Method and device for detecting abnormal communication behavior of equipment
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting abnormal communication behaviors of equipment.
Background
At present, industrial intrusion detection technology is one of the main means of industrial control network security protection. Under normal conditions, the working mode of industrial control equipment is fixed, its network behavior is stable, and its network traffic characteristics are distinctive to a certain degree. Intrusion detection technology monitors the traffic of the industrial control network in real time, so that when the network is attacked, whether the equipment is in a normal working state or under attack can be judged from its traffic characteristics.
In order to implement real-time monitoring of the network behavior of the device, it is necessary to extract key features from the communication data packets of the device, and further to identify, judge and evaluate the state of the device by using the features. In the prior art, the intrusion detection technology usually identifies whether the device communication behavior is abnormal by using identifiers such as an Internet Protocol (IP) address, a Media Access Control (MAC) address, a port number, and the like, or characteristics such as a direction of a data packet, a load length of the data packet, a response time of the device, and the like, but the identifier or the characteristic can be forged by a mature network attack at present, so that the accuracy of detecting the abnormal communication behavior of the device by using the identifier or the characteristic is low, and the security protection effect is poor.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a method and a device for detecting abnormal communication behaviors of equipment.
In a first aspect, the present invention provides a method for detecting an abnormal communication behavior of a device, including:
acquiring a data packet group, wherein the data packet group comprises a plurality of data packets of target equipment in a polling period;
constructing a load gray level image according to the effective load of each data packet in the data packet group; wherein the effective load of one data packet corresponds to one line of the load gray scale image;
acquiring a space-time characteristic vector of the load gray level image, wherein the space-time characteristic vector is used for representing a spatial relationship between each pixel point in the load gray level image and a time sequence relationship between each row;
and constructing corresponding equipment behavior fingerprints by utilizing the space-time characteristic vectors of the load gray level images, and detecting the communication behavior of the target equipment or the to-be-detected data packet in the data packet group according to the constructed equipment behavior fingerprints and the space-time characteristic behavior fingerprints of the target equipment.
Optionally, the obtaining the space-time feature vector of the load gray scale image includes:
respectively extracting a space characteristic vector and a time sequence characteristic vector of the load gray level image;
cascading the space characteristic vector and the time sequence characteristic vector to obtain a space-time characteristic vector of the load gray level image;
the spatial feature vector is used for representing a spatial relationship between each pixel point in the load gray-scale image, and the timing feature vector is used for representing a timing relationship between each row in the load gray-scale image.
Optionally, extracting a spatial feature vector of the load gray image includes:
extracting a space characteristic vector of the load gray level image based on a CNN model;
the CNN model is obtained by training based on a load gray level image sample with an equipment communication behavior classification label.
Optionally, extracting a time-domain feature vector of the load grayscale image includes:
extracting a time sequence feature vector of the load gray level image based on an LSTM model;
the LSTM model is obtained by training based on a load gray level image sample with a device communication behavior classification label.
Optionally, the detecting, according to the constructed device behavior fingerprint and the spatio-temporal feature behavior fingerprint of the target device, the communication behavior of the target device or the to-be-detected data packet in the data packet group includes:
calculating a distance between the constructed device behavior fingerprint and the spatio-temporal feature behavior fingerprint of the target device;
and determining a result of detecting the communication behavior of the target equipment or the to-be-detected data packet in the data packet group according to a comparison result between the distance and the distance threshold corresponding to the target equipment.
Optionally, the determining, according to a comparison result between the distance and a distance threshold corresponding to the target device, a result of detecting the communication behavior of the target device or the to-be-detected data packet in the data packet group includes:
if the distance is larger than the distance threshold, determining that the communication behavior of the target equipment is abnormal or the detection of the data packet to be detected is abnormal;
and if the distance is smaller than or equal to the distance threshold, determining that the communication behavior of the target equipment is normal, or the detection of the data packet to be detected is normal.
Optionally, the obtaining the data packet group includes:
acquiring a first data packet group, wherein the first data packet group comprises all data packets of the target equipment in a polling period to be detected; or, alternatively,
determining a data packet to be detected, and determining target equipment according to an equipment identifier in the data packet to be detected;
and taking a polling cycle of the target equipment as a sliding window for extracting a data packet group to obtain a second data packet group, wherein the second data packet group comprises the data packet to be detected and a plurality of data packets before the data packet to be detected by the target equipment.
Optionally, the number of rows of the load grayscale image is determined according to a maximum polling period in the numerical control network in which the target device is located.
In a second aspect, the present invention further provides an apparatus for detecting abnormal communication behavior of a device, including:
a data packet acquisition module, configured to acquire a data packet group, wherein the data packet group comprises a plurality of data packets of the target equipment in a polling cycle;
the image construction module is used for constructing a load gray level image according to the effective load of each data packet in the data packet group; wherein the effective load of one data packet corresponds to one line of the load gray scale image;
the vector acquisition module is used for acquiring a space-time characteristic vector of the load gray level image, and the space-time characteristic vector is used for representing the spatial relationship between each pixel point and the time sequence relationship between each row in the load gray level image;
and the detection module is used for constructing a corresponding equipment behavior fingerprint by using the space-time characteristic vector of the load gray level image, and detecting the communication behavior of the target equipment or the data packet to be detected in the data packet group according to the constructed equipment behavior fingerprint and the space-time characteristic behavior fingerprint of the target equipment.
In a third aspect, the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the method for detecting abnormal communication behavior of a device according to the first aspect.
In a fourth aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the device abnormal communication behavior detection method according to the first aspect described above.
In a fifth aspect, the present invention also provides a computer program product comprising a computer program, which when executed by a processor, implements the method for detecting abnormal communication behavior of a device according to any one of the above.
According to the method and the device for detecting the abnormal communication behavior of the equipment, the load gray level image is constructed by utilizing the load of the data packet, and the space-time characteristic of the load gray level image is extracted as the behavior fingerprint of the equipment, so that the fingerprint not only contains the complicated and changeable load content characteristics, but also ensures that an attacker is difficult to accurately forge the data packet which can bypass the detection under the condition that the fingerprint extraction framework is not solved, and the accuracy rate of the detection can be improved; in addition, the method has small calculation amount in the detection process, can be applied to online real-time detection, and is more convenient and faster.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of the method for detecting abnormal communication behavior of a device provided by the present invention;
Fig. 2 is a schematic diagram of the construction process of the spatio-temporal characteristic behavior fingerprint provided by the present invention;
Fig. 3 is a schematic flow chart of the neural network model for extracting spatio-temporal characteristic behavior fingerprints provided by the present invention;
Fig. 4 is a flow chart of identifying device communication behavior using the spatio-temporal characteristic fingerprint provided by the present invention;
Fig. 5 is a flow chart of online intrusion detection of a data packet using spatio-temporal characteristic behavior fingerprints provided by the present invention;
Fig. 6 is a statistical graph of the packet payload length distribution provided by the present invention;
Fig. 7 is a schematic flow chart of determining the number of columns of the load gray-scale image and extracting the spatio-temporal characteristic behavior fingerprint provided by the present invention;
Fig. 8 is a graph of classification experiment results for different numbers of columns of the load gray-scale image provided by the present invention;
Fig. 9 is a schematic diagram of the confusion matrix of classification experiments on four machine tools of the same brand and model under different load gray-scale image sizes;
Fig. 10 is a schematic structural diagram of the device abnormal communication behavior detection apparatus provided by the present invention;
Fig. 11 is a schematic structural diagram of the electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Aiming at the problems of low accuracy and poor safety protection effect of the existing industrial control network intrusion detection technology, the invention provides a solution, which can construct a load gray level image by using a data packet load according to a communication mode of a numerical control machine, extract the space-time characteristics of the load gray level image by using a neural network, and solve the problem that a fixed field as an identifier can be forged and falsified by using a space-time characteristic vector as an equipment behavior fingerprint. The load gray level image is constructed by extracting the data packet loads in a polling cycle, and the sequence relation of the original data packets, namely the time sequence relation among the data packet loads, is reserved; the content of the data packet reflects the values of the pixel points in the load gray level image and the position relationship between the pixel points, namely the spatial relationship between the pixel points of the load gray level image. In the detection process, the polling cycle of the machine tool can be taken as a unit, the load of the data packet is extracted to construct a load gray image, the space-time characteristic vector is extracted to be compared with the constructed equipment behavior fingerprint, and whether the network behavior of the equipment is abnormal or not is judged.
Fig. 1 is a schematic flow chart of a method for detecting abnormal communication behavior of a device according to the present invention, as shown in fig. 1, the method includes the following steps:
step 100, a data packet group is obtained, wherein the data packet group comprises a plurality of data packets of the target device in a polling period.
Specifically, the device in the embodiments of the present invention may refer to a numerical control machine or other industrial control equipment. When detecting abnormal communication behavior of a device, a data packet group to be detected needs to be acquired first.
Optionally, obtaining the packet group may include:
acquiring a first data packet group, wherein the first data packet group comprises all data packets of the target equipment in a polling period to be detected; or, alternatively,
determining a data packet to be detected, and determining target equipment according to an equipment identifier in the data packet to be detected;
and taking a polling cycle of the target equipment as a sliding window for extracting the data packet group to obtain a second data packet group, wherein the second data packet group comprises a data packet to be detected and a plurality of data packets before the data packet to be detected by the target equipment.
Specifically, if the communication behavior of a certain target device needs to be detected, for example, whether the communication behavior of the device is abnormal or not is detected, all data packets of the device in a polling cycle to be detected may be obtained to form a data packet group.
If a particular data packet needs to be detected, for example for real-time online intrusion detection that checks whether each data packet was really sent to or from the device named by its device identifier, then after a data packet is captured, the target device against which the packet is compared is determined from the device identifier (for example, the IP address) in the packet, and a sliding window whose length is one polling period of the target device is maintained to extract the data packet group, which comprises the data packet to be detected and a plurality of preceding data packets of the target device.
Step 101, constructing a load gray-scale image according to the payload of each data packet in the data packet group, wherein the payload of one data packet corresponds to one row of the load gray-scale image.
Specifically, after the data packet group is obtained, a load grayscale image corresponding to the data packet group may be constructed according to the effective load of each data packet in the data packet group.
The construction of the load gray-scale image P will be exemplified below.
(1) Let n be the number of columns of the load gray-scale image P. Taking a TCP packet as an example, when TCP payloads are stored in hexadecimal format each payload is regarded as one instance [equation image BDA0003701169260000071], where x_i is the ith hexadecimal number of the instance [equation image BDA0003701169260000072]. The length of an instance [equation image BDA0003701169260000073] varies with the length of the payload, so a padding and truncation mechanism is employed. Let k be the payload length. When k is greater than or equal to n, a truncation mechanism is adopted: a payload of length n is intercepted and the remaining payload is discarded, and the instance [equation image BDA0003701169260000074] is defined as:
[equation image BDA0003701169260000075]
When k < n, the instance [equation image BDA0003701169260000076] is padded with 00, as defined below:
[equation image BDA0003701169260000081]
where x_{k+1} = x_{k+2} = … = x_n = 00.
(2) Let m be the number of rows of the load gray-scale image P. Optionally, the number of rows of the load gray-scale image may be determined according to the maximum polling period in the numerical control network in which the target device is located. For example, since the number of rows varies with the polling period of the device, a padding mechanism may be used to ensure that each image describes one complete polling period. Let T be the polling period of the target device and m the largest polling period in the numerical control network. When T = m, P is defined as:
[equation image BDA0003701169260000082]
When T < m, the load gray-scale image matrix is padded with zero vectors, and P is defined as follows:
[equation image BDA0003701169260000083]
where [equation image BDA0003701169260000084] is a zero vector of length n, defined as follows:
[equation image BDA0003701169260000085]
where x_1 = x_2 = … = x_n = 00.
Optionally, to improve the visualization of the load gray-scale image, a blank line may be added at the end of each load gray-scale image. Table 1 below is an example of a polling period list provided by the present invention, in which the maximum polling period is 42; to improve visualization a blank line is added at the end of each image, so the number of rows of the load gray-scale image is 43. The extra line at the end of the image has no features to be extracted, so the detection result is not affected.
Table 1 Polling period list example [table given as image BDA0003701169260000086 in the original]
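The sliding-window packet group of step 100 and the truncate/pad image construction of step 101, as an added example that is not the patent's own code. It assumes captured packets are (device identifier, payload bytes) pairs in capture order, and that both the zero-vector padding rows and the optional blank visualization row are 0x00.

```python
"""Added example (not the patent's code): packet-group extraction and
load gray-scale image construction, following steps 100 and 101.
Assumptions: packets are (device_id, payload_bytes) pairs in capture order;
the blank visualization row and zero-vector padding rows are 0x00."""

ZERO = 0x00


def payload_row(payload: bytes, n: int) -> list[int]:
    """One payload -> one image row of exactly n pixels (0..255).
    k >= n: keep the first n bytes, discard the rest; k < n: pad with 0x00."""
    row = list(payload[:n])               # truncation when len(payload) >= n
    row.extend([ZERO] * (n - len(row)))   # padding when len(payload) < n
    return row


def load_gray_image(payloads: list[bytes], n: int, m: int,
                    blank_line: bool = False) -> list[list[int]]:
    """Build P (m rows x n columns) from the payloads of one polling period T.
    T < m is padded with zero vectors so every image has the same shape;
    T > m cannot be represented in one image and is rejected."""
    if len(payloads) > m:
        raise ValueError(f"polling period {len(payloads)} exceeds m={m}")
    rows = [payload_row(p, n) for p in payloads]
    rows.extend([[ZERO] * n for _ in range(m - len(rows))])
    if blank_line:                        # optional extra row, carries no feature
        rows.append([ZERO] * n)
    return rows


def sliding_window_group(packets, index: int, period: int):
    """Second packet group: the packet at `index` is the one to detect, the
    target device is read from its identifier, and the window holds that
    packet plus up to period-1 earlier packets of the same device."""
    device, _ = packets[index]
    history = [p for d, p in packets[:index + 1] if d == device]
    return device, history[-period:]


def to_pgm(image: list[list[int]]) -> bytes:
    """Serialize P as a binary PGM so it can be opened as a gray-scale image."""
    m, n = len(image), len(image[0])
    header = f"P5\n{n} {m}\n255\n".encode()
    return header + bytes(v for row in image for v in row)


# Constructed sample capture: two devices, payloads of unequal length.
SAMPLE_PACKETS = [
    ("10.0.0.11", bytes.fromhex("0103000a0002")),
    ("10.0.0.12", bytes.fromhex("ff00")),
    ("10.0.0.11", bytes.fromhex("01030400120034")),
    ("10.0.0.11", bytes.fromhex("0103000c0001")),
    ("10.0.0.12", bytes.fromhex("ff01")),
    ("10.0.0.11", bytes.fromhex("0103020011")),
]


if __name__ == "__main__":
    # Detect the last packet: its device is 10.0.0.11, polling period 3.
    dev, group = sliding_window_group(SAMPLE_PACKETS, index=5, period=3)
    image = load_gray_image(group, n=6, m=4, blank_line=True)
    print(dev)
    for row in image:
        print(" ".join(f"{v:02x}" for v in row))
```

Writing `to_pgm(image)` to a `.pgm` file gives the visualization the text describes, with one payload per row and padding rows rendered black.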
Step 102, obtaining a space-time characteristic vector of the load gray level image, wherein the space-time characteristic vector is used for representing a space relation between each pixel point in the load gray level image and a time sequence relation between each row.
Specifically, after the load gray image is constructed, the space-time feature vector of the load gray image can be further obtained, for example, the space-time feature vector of the load gray image can be extracted through a neural network.
Optionally, obtaining the space-time feature vector of the load gray scale image may include:
respectively extracting a space characteristic vector and a time sequence characteristic vector of the load gray level image;
cascading the space characteristic vector and the time sequence characteristic vector to obtain a space-time characteristic vector of the load gray level image;
the space characteristic vector is used for representing the space relation among all pixel points in the load gray level image, and the time sequence characteristic vector is used for representing the time sequence relation among all rows in the load gray level image.
Specifically, fig. 2 is a schematic diagram of a time-space characteristic behavior fingerprint construction process provided by the present invention, and as shown in fig. 2, after a load gray image is constructed, time sequence characteristics and spatial characteristics of the load gray image can be respectively extracted, and then a time-space characteristic vector is obtained through characteristic concatenation, and a device behavior fingerprint based on the time-space characteristics is constructed.
The following illustrates the process of obtaining behavior fingerprints of spatiotemporal features.
(1) Extracting the spatial features of the load gray-scale image.
Optionally, extracting the spatial feature vector of the load gray scale image may include: extracting a space feature vector of a load gray level image based on a Convolutional Neural Network (CNN) model; the CNN model is obtained by training based on a load gray level image sample with an equipment communication behavior classification label.
Specifically, in the embodiment of the present invention, spatial feature extraction may be implemented by a CNN. In this process a convolution layer and a pooling layer are used: the load gray-scale image P is the input of the convolution layer, the features of each sub-region are filtered and extracted, a bias is added to improve the generalization capability of the features, the result is then activated by a nonlinear activation function, and the input feature map of the next layer is generated. The convolution calculation of each layer is as follows:
[equation image BDA0003701169260000101]
where c_{k,l} is the convolution output of x_{i,j}; x_{i,j} denotes the element in the ith row and jth column of the load gray-scale image matrix; c_{k,l} denotes the element in the kth row and lth column of the feature map matrix; w_{p,q} is the p × q convolution kernel weight matrix; x_{i+p,j+q} is the sub-region of the load gray-scale image to be filtered; and b_1 is a bias vector. A Rectified Linear Unit (ReLU) is employed as the nonlinear activation function, defined as follows:
f(x) = max(0, x)
after each convolutional layer, the pooling layer needs to be downsampled to reduce the feature size, and the largest pooling layer can be used. The step of extracting the spatial features mainly comprises the following stages:
a training stage: continuously adjusting weight parameter w of convolutional neural network by using error back propagationp,qAnd an offset vector b1And the trained model is saved. The training sample set is a load gray level image sample with a label, and the label is a result that the known equipment corresponding to each load gray level image is classified and the communication behavior of the known equipment corresponding to each load gray level image is normal or abnormal.
Testing stage: the load gray-scale image P is used as the input of the trained model, which outputs the spatial feature vector [equation image BDA0003701169260000102]:
[equation image BDA0003701169260000103]
where the spatial feature vector [equation image BDA0003701169260000104] is the one-dimensional feature vector obtained by converting the feature map output by the last CNN layer. For example, if the last-layer feature map matrix is [equation image BDA0003701169260000105], then [equation image BDA0003701169260000106].
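The per-layer convolution c_{k,l} = f(Σ_{p,q} w_{p,q} x_{k+p,l+q} + b_1) with ReLU, max pooling and flattening into the spatial feature vector, as an added example in plain Python that is not the patent's code. A single hand-written 2x2 kernel and a constructed 6x6 image stand in for trained weights and a real load gray-scale image.

```python
"""Added example (not the patent's code): the convolution formula quoted in
the text, followed by max pooling and flattening into the spatial feature
vector. Assumption: one hand-written 2x2 kernel stands in for trained
weights, and a single layer is shown."""


def relu(x):
    """f(x) = max(0, x), the nonlinear activation used in the text."""
    return x if x > 0 else 0


def conv2d(image, kernel, bias):
    """'Valid' convolution: every p x q sub-region of the load gray-scale
    image is filtered by the kernel, the bias is added and ReLU applied."""
    P, Q = len(kernel), len(kernel[0])
    rows, cols = len(image), len(image[0])
    fmap = []
    for k in range(rows - P + 1):
        out_row = []
        for l in range(cols - Q + 1):
            s = bias
            for p in range(P):
                for q in range(Q):
                    s += kernel[p][q] * image[k + p][l + q]
            out_row.append(relu(s))
        fmap.append(out_row)
    return fmap


def max_pool(fmap, size=2):
    """Non-overlapping max pooling; partial windows at the edge are dropped."""
    pooled = []
    for k in range(0, len(fmap) - size + 1, size):
        pooled.append([
            max(fmap[k + p][l + q] for p in range(size) for q in range(size))
            for l in range(0, len(fmap[0]) - size + 1, size)
        ])
    return pooled


def flatten(fmap):
    """Convert the last-layer feature map matrix into a 1-D feature vector."""
    return [v for row in fmap for v in row]


def spatial_feature_vector(image, kernel, bias, pool=2):
    """Convolution layer -> pooling layer -> one-dimensional spatial vector."""
    return flatten(max_pool(conv2d(image, kernel, bias), pool))


# Constructed 6x6 load gray-scale image: two non-empty payload rows on top of
# zero-vector padding rows, as produced for a polling period T < m.
SAMPLE_IMAGE = [
    [0x01, 0x03, 0x00, 0x0a, 0x00, 0x02],
    [0x01, 0x03, 0x00, 0x0c, 0x00, 0x01],
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0],
]
# Kernel that responds to a horizontal edge (payload row above padding row).
EDGE_KERNEL = [[1, 1], [-1, -1]]

if __name__ == "__main__":
    for row in conv2d(SAMPLE_IMAGE, EDGE_KERNEL, 0):
        print(row)
    print(spatial_feature_vector(SAMPLE_IMAGE, EDGE_KERNEL, 0))
```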
(2) Extracting the time-series features of the load gray-scale image.
Optionally, extracting the time-series feature vector of the load gray scale image may include: extracting a time sequence feature vector of a load gray level image based on a Long Short-Term Memory network (LSTM) model; the LSTM model is obtained by training based on a load gray level image sample with a device communication behavior classification label.
Specifically, in the embodiment of the present invention, temporal feature extraction is implemented by an LSTM. This step adopts a multivariate multi-step structure, which takes a plurality of sequences as input and output, where each sequence contains a plurality of time steps. Thus the same image matrix P processed by the CNN can be split into m instances [equation image BDA0003701169260000111], and the m instances are taken as a set of input sequences for the LSTM unit; the calculation formula is as follows:
[equation image BDA0003701169260000112]
where h_t is the hidden state of the tth cell, w_{i,h} and w_{h,h} are the weight matrices between the input layer and the hidden layer and between the hidden layer and the hidden layer respectively, b_2 is the bias vector corresponding to the weight matrices, and σ is a nonlinear activation function, for which the same ReLU as in the CNN can be used.
The step of extracting the time characteristics mainly comprises the following stages:
a training stage: continuously adjusting the weight matrix w by using error back propagationi,h、wh,hAnd an offset vector b2And saves the trained model. The training sample set is a load gray level image sample with a label, and the label is a result that the known equipment corresponding to each load gray level image is classified and the communication behavior of the known equipment corresponding to each load gray level image is normal or abnormal.
And (3) a testing stage: the load gray level image is divided into a sequence form and is sequentially input into the trained LSTM network, and the time sequence characteristic vector is calculated and output
Figure BDA0003701169260000113
Figure BDA0003701169260000114
where, in the same way as the spatial feature vector
Figure BDA0003701169260000115
the time-series feature vector
Figure BDA0003701169260000116
is a one-dimensional feature vector converted from the output of the LSTM.
(3) Constructing the spatio-temporal feature behavior fingerprint.
To ensure that the behavior fingerprint contains both time-series and spatial features, the spatio-temporal feature vector is constructed by concatenation (cascading)
Figure BDA0003701169260000117
Figure BDA0003701169260000118
As in a general deep learning model, a fully connected layer can be chosen as the output layer, and the association between the spatio-temporal features is extracted through a nonlinear transformation. These features are then mapped into the space
Figure BDA0003701169260000119
The fully connected layer is computed as follows:
Figure BDA0003701169260000121
where W and $b_3$ are the weight matrix and the bias vector of the fully connected layer respectively, and ReLU is again used as the nonlinear activation function f. As with the spatio-temporal feature extraction, the fully connected layer also has two stages:
a training stage: based on actual output vector
Figure BDA0003701169260000122
And an ideal output vector
Figure BDA0003701169260000123
The deviation adjusting weight matrix W and the offset vector b3And obtaining an optimal solution, and finally storing the trained model and optimal parameters. The training sample set is a load gray level image sample with a label, and the label is a result that the known equipment corresponding to each load gray level image is classified and the communication behavior of the known equipment corresponding to each load gray level image is normal or abnormal.
And (3) a testing stage: space-time feature vector extracted from load gray level image
Figure BDA0003701169260000124
And realizing classification through a full connection layer and finishing the identification of the communication behavior of the equipment.
Fig. 3 is a schematic flow chart of the neural network model for extracting spatio-temporal feature behavior fingerprints provided by the present invention. It comprises six steps: data packet capture, data packet analysis, load grayscale image construction, spatio-temporal feature extraction, feature concatenation and classification. The data packet capture and analysis steps capture the data packets in order and extract a load vector from each packet in preparation for load grayscale image construction. In the load grayscale image construction stage, the extracted load vectors are combined row by row into a load grayscale image, one polling period per image; so that the load grayscale images of different devices have the same size, the number of rows and columns of the image is fixed in advance. For example, the number of rows is unified to 43, and the number of columns can be determined from the result of experimental optimization. The spatio-temporal feature extraction uses a parallel neural network architecture: one path extracts the spatial features of the load grayscale image with a CNN, while the other path takes the same load grayscale image as input and extracts the time-sequence features between image rows (that is, between the data packet load vectors within one period) with an LSTM. Finally, the two features are concatenated as the spatio-temporal feature behavior fingerprint of the load grayscale image (or of the device) and the behavior fingerprint is classified.
When training is carried out, the training sample set of the neural network model is a load gray level image sample with a label, and the label is a result that the known equipment corresponding to each load gray level image is classified and the communication behavior of the known equipment corresponding to each load gray level image is normal or abnormal.
Step 103: constructing a corresponding device behavior fingerprint from the spatio-temporal feature vector of the load grayscale image, and detecting the communication behavior of the target device, or the data packet to be detected in the data packet group, according to the constructed device behavior fingerprint and the spatio-temporal feature behavior fingerprint of the target device.
Specifically, the spatio-temporal feature behavior fingerprint of the target device can be understood as the device behavior fingerprint constructed from the spatio-temporal feature vector of a load grayscale image that was built from a data packet group captured under the normal communication behavior of the target device. Using the neural network model shown in fig. 3 and the optimal load grayscale image size, a spatio-temporal feature behavior fingerprint uniquely corresponding to each device can be determined. When abnormal device communication behavior is to be detected, the spatio-temporal feature vector of the load grayscale image under test is obtained, the corresponding device behavior fingerprint is constructed from it, and the communication behavior of the target device, or the data packet to be detected in the data packet group, is detected by comparing the constructed device behavior fingerprint with the spatio-temporal feature behavior fingerprint of the target device.
It should be noted that the spatio-temporal feature vector is an attribute of the load gray scale image. The behavior fingerprint based on the space-time characteristics is an attribute of the equipment, and the space-time characteristic behavior fingerprint is composed of corresponding space-time characteristic vectors.
Optionally, detecting a communication behavior of the target device or a to-be-detected data packet in the data packet group according to the constructed device behavior fingerprint and the spatio-temporal characteristic behavior fingerprint of the target device includes:
calculating the distance between the constructed equipment behavior fingerprint and the space-time characteristic behavior fingerprint of the target equipment;
and determining the communication behavior of the target equipment or the result of detecting the data packet to be detected in the data packet group according to the comparison result between the distance and the distance threshold corresponding to the target equipment.
Specifically, the distance may be the Euclidean distance or another type of distance between the two fingerprints, and is not particularly limited herein.
Optionally, the distance threshold corresponding to the target device may be determined according to a maximum distance between a plurality of different spatio-temporal characteristic behavior fingerprints corresponding to the target device under a normal communication behavior acquired in the neural network model training process, so that a result of detecting the communication behavior of the target device or the to-be-detected data packet in the data packet group may be determined according to a comparison result between the distance between the spatio-temporal characteristic behavior fingerprint corresponding to the to-be-detected load grayscale image and the spatio-temporal characteristic behavior fingerprint of the target device and the distance threshold corresponding to the target device.
Optionally, determining, according to a comparison result between the distance and a distance threshold corresponding to the target device, a result of detecting a communication behavior of the target device or a to-be-detected data packet in the data packet group, may include:
if the distance is larger than the distance threshold, determining that the communication behavior of the target equipment is abnormal or the detection of the data packet to be detected is abnormal;
and if the distance is smaller than or equal to the distance threshold, determining that the communication behavior of the target equipment is normal or the detection of the data packet to be detected is normal.
Specifically, the following takes the identification of whether the device communication behavior is abnormal and the real-time online detection of the data packet as examples.
Fig. 4 is a schematic flow chart of identifying device communication behavior using the spatio-temporal feature behavior fingerprint according to the present invention; as shown in fig. 4, it mainly includes the following steps:
(1) Reading the $n_0$, $m_0$, $\mathrm{STFF}_0$, $D_0$ record file: read the optimal load grayscale image size corresponding to the device to be identified ($n_0$ is the optimal number of columns and $m_0$ the optimal number of rows of the load grayscale image), the optimal spatio-temporal feature behavior fingerprint $\mathrm{STFF}_0$ (that is, the spatio-temporal feature behavior fingerprint of the corresponding device at the optimal load grayscale image size), and the maximum Euclidean distance $D_0$ (that is, the maximum Euclidean distance between all spatio-temporal feature behavior fingerprints of the device to be identified obtained in the training stage, which serves as the anomaly detection distance threshold). These are used to construct the load grayscale image to be detected, extract the fingerprint and calculate the Euclidean distance.
(2) Constructing the load grayscale image: capture the data packets at the core switch and construct a load grayscale image with $n_0$ columns and $m_0$ rows.
(3) Extracting the spatio-temporal feature vector of the load grayscale image and constructing the corresponding device behavior fingerprint STFF: according to the method of the above embodiments of the invention, the spatio-temporal feature behavior fingerprint STFF of the load grayscale image is extracted; this fingerprint is then compared with $\mathrm{STFF}_0$ by Euclidean distance calculation.
(4) Calculating the Euclidean distance d: calculate the Euclidean distance d between the fingerprints STFF and $\mathrm{STFF}_0$, which is compared with the maximum Euclidean distance $D_0$.
(5) Judging the device to be identified: if $D_0 \ge d$, the network communication behavior of the device conforms to the normal behavior pattern and the device's network behavior is legitimate. If $D_0 < d$, the network communication behavior of the device does not conform to the normal behavior pattern and the device's network behavior is illegitimate.
Fig. 5 is a schematic flow chart of online intrusion detection on a data packet using the spatio-temporal feature behavior fingerprint according to the present invention; as shown in fig. 5, it mainly includes the following steps:
(1) Reading the $n_0$, $m_0$, $\mathrm{STFF}_0$, $D_0$ record file: read the optimal load grayscale image size corresponding to the current device ($n_0$ is the optimal number of columns and $m_0$ the optimal number of rows of the load grayscale image), the optimal spatio-temporal feature behavior fingerprint $\mathrm{STFF}_0$ (that is, the spatio-temporal feature behavior fingerprint of the corresponding device at the optimal load grayscale image size), and the maximum Euclidean distance $D_0$ (that is, the maximum Euclidean distance between all spatio-temporal feature behavior fingerprints of the current device obtained in the training stage, which serves as the anomaly detection distance threshold). These are used to construct the load grayscale image to be detected, extract the fingerprint, calculate the Euclidean distance and judge whether the data packet is abnormal.
(2) Picking up a data packet A and constructing the load grayscale image: online packet detection must run in real time, so a sliding window whose length is the polling period of the current device is maintained for extracting data packets; for example, the data packets preceding packet A that carry the same IP address as packet A can be extracted, and together with packet A they form the load grayscale image. After the packets are extracted, a padding and truncation mechanism can be applied so that the load grayscale image has $n_0$ columns and $m_0$ rows.
(3) Extracting the spatio-temporal feature vector of the load grayscale image and constructing the corresponding device behavior fingerprint STFF: according to the method of the above embodiments of the invention, the spatio-temporal feature behavior fingerprint STFF of the load grayscale image is extracted; this fingerprint is then compared with $\mathrm{STFF}_0$ by Euclidean distance calculation.
(4) Calculating the Euclidean distance d: calculate the Euclidean distance d between the fingerprints STFF and $\mathrm{STFF}_0$, which is compared with the maximum Euclidean distance $D_0$.
(5) Detecting the data packet: if $D_0 \ge d$, the detected data packet A is judged normal; if $D_0 < d$, the detected data packet A is judged abnormal. Because each $\mathrm{STFF}_0$ uniquely represents one device and each data packet carries an IP address, this method can detect whether the packet was really sent to or from the device corresponding to that IP.
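The Fig. 4 and Fig. 5 procedures above (per-IP sliding window of one polling period, load grayscale image with $n_0$ columns and $m_0$ rows, Euclidean distance to $\mathrm{STFF}_0$, threshold $D_0$ taken as the maximum pairwise distance between the device's normal fingerprints) as an added example in Python; this is not the patent's code. The CNN+LSTM extractor is replaced by a simple hand-written stand-in, $\mathrm{STFF}_0$ is taken as the element-wise mean of the training fingerprints, and the Modbus-style poll payloads, the IP address and $n_0 = 32$, $m_0 = 43$ are constructed sample values.

```python
import math
from collections import deque
from typing import Deque, Dict, List, Optional, Sequence, Tuple

N0 = 32  # assumed optimal column count (value found in the patent's CNC experiment)
M0 = 43  # assumed row count (rows are unified to 43 in the patent)


def build_load_image(payloads: Sequence[bytes], n_cols: int = N0, n_rows: int = M0) -> List[List[int]]:
    """One payload per row: each row is truncated / zero-padded to n_cols bytes and the
    image keeps the newest n_rows packets, zero-padding missing rows (the patent's
    padding and truncation mechanism)."""
    image = []
    for payload in list(payloads)[-n_rows:]:
        row = list(payload[:n_cols])
        row += [0] * (n_cols - len(row))
        image.append(row)
    while len(image) < n_rows:
        image.append([0] * n_cols)
    return image


def fingerprint(image: List[List[int]]) -> List[float]:
    """Stand-in for the patent's CNN+LSTM extractor (assumption, not the real network):
    spatial part = per-column mean intensity, temporal part = per-column mean absolute
    change between consecutive rows; the two parts are concatenated (the 'cascade')."""
    n_rows, n_cols = len(image), len(image[0])
    spatial = [sum(row[c] for row in image) / n_rows for c in range(n_cols)]
    temporal = [sum(abs(image[r][c] - image[r - 1][c]) for r in range(1, n_rows)) / (n_rows - 1)
                for c in range(n_cols)]
    return spatial + temporal


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def max_pairwise_distance(vectors: List[List[float]]) -> float:
    """D0: the largest Euclidean distance between any two normal-behaviour fingerprints."""
    return max((euclidean(u, v) for i, u in enumerate(vectors) for v in vectors[i + 1:]), default=0.0)


class DeviceProfile:
    """STFF0 and D0 for one device, learned from windows captured under normal behaviour."""

    def __init__(self, training_windows: List[List[bytes]]):
        fps = [fingerprint(build_load_image(w)) for w in training_windows]
        # Assumption: the reference fingerprint is the element-wise mean of the training fingerprints.
        self.stff0 = [sum(col) / len(fps) for col in zip(*fps)]
        self.d0 = max_pairwise_distance(fps)


def judge(d: float, d0: float) -> str:
    """Patent rule: abnormal only when the distance exceeds the device's threshold."""
    return "normal" if d <= d0 else "abnormal"


class OnlineDetector:
    """Per-IP sliding window of one polling period (M0 packets), as in the Fig. 5 flow."""

    def __init__(self, profiles: Dict[str, DeviceProfile]):
        self.profiles = profiles
        self.windows: Dict[str, Deque[bytes]] = {}

    def check(self, ip: str, payload: bytes) -> Tuple[Optional[float], str]:
        window = self.windows.setdefault(ip, deque(maxlen=M0))
        window.append(payload)
        if len(window) < M0:          # not a full polling period yet: no verdict
            return None, "warming-up"
        profile = self.profiles[ip]
        d = euclidean(fingerprint(build_load_image(window)), profile.stff0)
        return d, judge(d, profile.d0)


def poll_payload(tid: int, value: int) -> bytes:
    """Constructed Modbus-style poll: transaction id, length, unit, function, address, value."""
    return bytes([0, tid & 0xFF, 0, 0, 0, 6, 1, 3, 0, 0, 0, value])


# Constructed sample traffic: three normal polling periods whose only variation is a
# slowly changing register value, plus one oversized all-0xFF payload as the anomaly.
DEVICE_IP = "10.0.0.7"
TRAINING_WINDOWS = [[poll_payload(i, 100 + (i + k) % 4) for i in range(M0)] for k in range(3)]
ANOMALOUS_PAYLOAD = bytes([0xFF] * 40)


def demo() -> Tuple[str, str]:
    """Replays a normal period, then the anomalous packet; returns the two verdicts."""
    detector = OnlineDetector({DEVICE_IP: DeviceProfile(TRAINING_WINDOWS)})
    verdicts = [detector.check(DEVICE_IP, p)[1] for p in TRAINING_WINDOWS[2]]
    _, anomalous_verdict = detector.check(DEVICE_IP, ANOMALOUS_PAYLOAD)
    return verdicts[-1], anomalous_verdict


if __name__ == "__main__":
    print(demo())
```

Because $D_0$ is the spread of the training fingerprints, fields that drift across periods (counters, timestamps) widen the threshold and mask anomalies; the constructed traffic keeps the transaction id aligned across periods for that reason.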
In the method for detecting abnormal device communication behavior according to the invention, the load grayscale image is constructed from the data packet payloads and its spatio-temporal features are extracted as the device behavior fingerprint. The fingerprint therefore captures the complex and variable payload content features, which makes it difficult for an attacker who does not know the fingerprint extraction framework to accurately forge a data packet that bypasses detection, so the detection accuracy is improved; in addition, the detection process has a small computational cost, can be applied to online real-time detection, and is more convenient and faster.
The optimal size of the load grayscale image and the spatio-temporal feature behavior fingerprint of the target device are prerequisites for device communication behavior identification and data packet detection using the spatio-temporal feature behavior fingerprint. The determination of the optimal number of columns $n_0$ of the load grayscale image and of the device's spatio-temporal feature behavior fingerprint $\mathrm{STFF}_0$ is illustrated below.
Fig. 6 is a statistical chart of the data packet load length distribution provided by the present invention. As shown in fig. 6, to select a suitable value for the number of columns n of the load grayscale image, a statistical analysis of the data packet length can be performed first, for example on the load lengths of the 418455 data packets included in fig. 6. It can be seen that longer data packets are few, so when selecting n the features of the majority of packets should be considered as far as possible: a suitably small n is chosen and the tail features of the longer packets are ignored. The larger the number of columns n, the more information the image matrix contains, but also the more complex the neural network and the larger the number of parameters required. To balance running time and detection accuracy, referring to the statistics in fig. 6, the neural network can be trained and tested in an experiment on load grayscale images of several different sizes (for example, n may be 640, 400, 200, 100, 50, 35, 30, etc.), and finally the optimal number of columns $n_0$ of the load grayscale image is determined.
Specifically, fig. 7 is a schematic flow chart of extracting the load grayscale image column number and the spatio-temporal feature behavior fingerprint provided by the present invention. As shown in fig. 7, 640 can first be used as the number of columns of the load grayscale image and 43 as the number of rows $m_0$; the corresponding load grayscale images are extracted, the spatio-temporal feature behavior fingerprints are extracted with the neural network, and the classification accuracy is calculated. The number of columns is then reduced in turn (value range [1, 640]) and the above process repeated; the number of columns giving the highest classification accuracy is the optimal value $n_0$, and the spatio-temporal feature behavior fingerprint at that point is the device's spatio-temporal feature behavior fingerprint $\mathrm{STFF}_0$. In fig. 7, R denotes the accuracy of the fingerprint classification experiment, with the IP as label, for the spatio-temporal feature behavior fingerprint extracted at the current number of columns, and $R_{max}$ denotes the accuracy of the fingerprint classification experiment, with the IP as label, for the spatio-temporal feature behavior fingerprint of the corresponding device at the optimal number of columns.
In one embodiment, the fingerprint extraction method provided by the invention was used to extract fingerprints of 15 machine tools of 6 brands, gradually reducing the number of columns of the load grayscale image while extracting the spatio-temporal feature behavior fingerprints, and fingerprint classification verification was then performed, with the following results.
Fig. 8 is a graph of the classification experiment results at different numbers of load grayscale image columns provided by the present invention; in the graph, the abscissa of each curve is the iteration round (epoch) and the ordinate is the accuracy or the loss function (loss). As shown in fig. 8, when n is greater than 35 the classification accuracy reaches more than 99.09%. When n < 35 the classification accuracy drops sharply, as shown in part (e) of fig. 8, and it can be confirmed from the raw data that the four machines numbered 9, 10, 11 and 12 have the same brand and model, as shown in part (f) of fig. 8.
For further load gray scale image size optimization of four machine tools with the numbers of 9, 10, 11 and 12, fig. 9 is a schematic diagram of a confusion matrix of classification experiments of the four machine tools with the same brand and model under different load gray scale image sizes, as shown in fig. 9, when n is greater than or equal to 32, the classification accuracy of fingerprints can reach more than 99%, and when n is less than 32, the classification accuracy is greatly reduced, so that the optimal number of load gray scale image columns can be determined to be 32 under the numerical control network environment. From the whole experimental result, the larger the load gray level image is, the higher the accuracy of fingerprint classification is, which theoretically can reach 100%, but the larger the image is, the more the parameters of the fingerprint extraction framework are, the fingerprint extraction speed is reduced, so that under the condition that the accuracy reaches the application requirement, the smaller load gray level image size should be selected as much as possible.
The invention converts the data packet load into the load gray image by combining the data acquisition cycle, and further extracts the space-time characteristic behavior fingerprint from the image by using the proposed parallel neural network architecture, each machine tool (taking the machine tool as an example) in an industrial control network can be uniquely represented by using one space-time characteristic behavior fingerprint, thereby realizing the identification of the machine tool network behavior and the detection of the data packet, and having the following advantages:
(1) Not easy to forge: existing intrusion detection techniques are built on whole-packet features or on traceable public field features, and mature network attacks can forge these features to produce a seemingly legitimate data packet that bypasses intrusion detection. The spatio-temporal feature behavior fingerprint is extracted from the data packet payload with a neural network: on the one hand the fingerprint captures the complex and variable payload content features, and on the other hand it is extracted by a neural network whose theoretical interpretability is unclear (the neural network has clear mathematical reasoning, but its theoretical interpretability when applied in different specialised fields is insufficient and unclear, even though its interpretability and derivability in the mathematical field are clear). This raises the difficulty of forging the fingerprint, and an attacker who has not worked out the fingerprint extraction framework can hardly forge a data packet that accurately bypasses detection.
(2) Real-time detection can be realized: since an intrusion detection system has high real-time requirements, the detection method provided by the invention trains the neural network on the normal network in a preparation stage and stores the fingerprint of each machine tool. During online real-time detection, the detection is completed simply by calculating and comparing the distance between the fingerprint extracted in real time and the stored machine tool fingerprint. The detection process therefore has a small computational cost and can realize real-time online detection.
In the following, the device abnormal communication behavior detection apparatus provided by the present invention is described, and the device abnormal communication behavior detection apparatus described below and the device abnormal communication behavior detection method described above may be referred to in correspondence with each other.
Fig. 10 is a schematic structural diagram of an apparatus abnormal communication behavior detection device provided in the present invention, and as shown in fig. 10, the device includes:
a data packet obtaining module 1000, configured to obtain a data packet group, where the data packet group includes multiple data packets of a target device in a polling cycle;
an image construction module 1010, configured to construct a load grayscale image according to an effective load of each data packet in the data packet group; wherein the effective load of one data packet corresponds to one line of the load gray level image;
the vector acquisition module 1020 is configured to acquire a space-time feature vector of the load grayscale image, where the space-time feature vector is used to represent a spatial relationship between pixels in the load grayscale image and a timing relationship between rows;
the detecting module 1030 is configured to construct a corresponding device behavior fingerprint by using the space-time feature vector of the load grayscale image, and detect a communication behavior of the target device or a to-be-detected data packet in the data packet group according to the constructed device behavior fingerprint and the space-time feature behavior fingerprint of the target device.
Optionally, obtaining a space-time feature vector of the load gray level image includes:
respectively extracting a space characteristic vector and a time sequence characteristic vector of the load gray level image;
cascading the space characteristic vector and the time sequence characteristic vector to obtain a space-time characteristic vector of the load gray level image;
the space characteristic vector is used for representing the space relation among all pixel points in the load gray level image, and the time sequence characteristic vector is used for representing the time sequence relation among all rows in the load gray level image.
Optionally, extracting the spatial feature vector of the load gray image includes:
extracting a space characteristic vector of the load gray level image based on the CNN model;
the CNN model is obtained by training based on a load gray level image sample with an equipment communication behavior classification label.
Optionally, extracting the time-series feature vector of the load gray scale image includes:
extracting a time sequence feature vector of the load gray level image based on the LSTM model;
the LSTM model is obtained by training based on a load gray level image sample with a device communication behavior classification label.
Optionally, detecting a communication behavior of the target device or a to-be-detected data packet in the data packet group according to the constructed device behavior fingerprint and the time-space characteristic behavior fingerprint of the target device, includes:
calculating the distance between the constructed equipment behavior fingerprint and the space-time characteristic behavior fingerprint of the target equipment;
and determining the communication behavior of the target equipment or the result of detecting the data packet to be detected in the data packet group according to the comparison result between the distance and the distance threshold corresponding to the target equipment.
Optionally, determining, according to a comparison result between the distance and a distance threshold corresponding to the target device, a result of detecting a communication behavior of the target device or a to-be-detected data packet in the data packet group, includes:
if the distance is larger than the distance threshold, determining that the communication behavior of the target equipment is abnormal or the detection of the data packet to be detected is abnormal;
and if the distance is smaller than or equal to the distance threshold, determining that the communication behavior of the target equipment is normal or the detection of the data packet to be detected is normal.
Optionally, the obtaining the data packet group includes:
acquiring a first data packet group, wherein the first data packet group comprises all data packets of the target device in the polling cycle to be detected; or,
determining a data packet to be detected, and determining target equipment according to an equipment identifier in the data packet to be detected;
and taking a polling cycle of the target equipment as a sliding window for extracting the data packet group to obtain a second data packet group, wherein the second data packet group comprises the data packet to be detected and a plurality of data packets before the data packet to be detected by the target equipment.
Optionally, the number of rows of the load gray-scale image is determined according to a maximum polling period in the numerical control network in which the target device is located.
It should be noted that, the apparatus provided in the present invention can implement all the method steps implemented by the method embodiments and achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as the method embodiments in this embodiment are omitted here.
Fig. 11 is a schematic structural diagram of an electronic device provided in the present invention, and as shown in fig. 11, the electronic device may include: a processor (processor) 1110, a communication Interface (Communications Interface) 1120, a memory (memory) 1130, and a communication bus 1140, wherein the processor 1110, the communication Interface 1120, and the memory 1130 communicate with each other via the communication bus 1140. The processor 1110 may invoke logic instructions in the memory 1130 to perform any of the device abnormal communication behavior detection methods provided by the various embodiments described above.
In addition, the logic instructions in the memory 1130 may be implemented in software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
It should be noted that, the electronic device provided by the present invention can implement all the method steps implemented by the method embodiments described above, and can achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as the method embodiments in this embodiment are not repeated herein.
In another aspect, the present invention further provides a computer program product, where the computer program product includes a computer program, the computer program may be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, a computer can execute any one of the device abnormal communication behavior detection methods provided in the above embodiments.
It should be noted that, the computer program product provided by the present invention can implement all the method steps implemented by the above method embodiments, and can achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as the method embodiments in this embodiment are not repeated herein.
In still another aspect, the present invention further provides a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program is implemented to perform any one of the above-mentioned abnormal communication behavior detection methods provided by the above-mentioned embodiments when executed by a processor.
It should be noted that the non-transitory computer readable storage medium provided by the present invention can implement all the method steps implemented by the method embodiments and can achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as the method embodiments in this embodiment are not repeated herein.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. A method for detecting abnormal communication behavior of equipment is characterized by comprising the following steps:
acquiring a data packet group, wherein the data packet group comprises a plurality of data packets of target equipment in a polling period;
constructing a load gray level image according to the effective load of each data packet in the data packet group; wherein the effective load of one data packet corresponds to one line of the load gray scale image;
acquiring a space-time characteristic vector of the load gray level image, wherein the space-time characteristic vector is used for representing a spatial relationship between each pixel point in the load gray level image and a time sequence relationship between each row;
and constructing a corresponding equipment behavior fingerprint by using the space-time characteristic vector of the load gray level image, and detecting the communication behavior of the target equipment, or the data packet to be detected in the data packet group, according to the constructed equipment behavior fingerprint and the space-time characteristic behavior fingerprint of the target equipment.
2. The method for detecting abnormal communication behavior of equipment according to claim 1, wherein the obtaining the space-time feature vector of the load gray scale image comprises:
respectively extracting a space characteristic vector and a time sequence characteristic vector of the load gray level image;
cascading the space characteristic vector and the time sequence characteristic vector to obtain a space-time characteristic vector of the load gray level image;
the spatial feature vector is used for representing a spatial relationship between each pixel point in the load gray-scale image, and the timing feature vector is used for representing a timing relationship between each row in the load gray-scale image.
3. The device abnormal communication behavior detection method according to claim 2, wherein extracting the spatial feature vector of the load gray scale image comprises:
extracting a space characteristic vector of the load gray level image based on a CNN model;
the CNN model is obtained by training based on a load gray level image sample with an equipment communication behavior classification label.
4. The device abnormal communication behavior detection method according to claim 2 or 3, wherein extracting the time-series feature vector of the load gray scale image comprises:
extracting a time sequence feature vector of the load gray level image based on an LSTM model;
the LSTM model is obtained by training based on a load gray level image sample with a device communication behavior classification label.
5. The method for detecting the abnormal communication behavior of the device according to claim 1, wherein the detecting the communication behavior of the target device or the data packet to be detected in the data packet group according to the constructed device behavior fingerprint and the spatio-temporal characteristic behavior fingerprint of the target device comprises:
calculating a distance between the constructed device behavior fingerprint and the spatio-temporal feature behavior fingerprint of the target device;
and determining a communication behavior of the target equipment or a result of detecting the data packet to be detected in the data packet group according to a comparison result between the distance and the distance threshold corresponding to the target equipment.
6. The method according to claim 5, wherein the determining, according to the comparison result between the distance and the distance threshold corresponding to the target device, the result of detecting the communication behavior of the target device or the to-be-detected packet in the packet group includes:
if the distance is larger than the distance threshold, determining that the communication behavior of the target equipment is abnormal or the detection of the data packet to be detected is abnormal;
and if the distance is smaller than or equal to the distance threshold, determining that the communication behavior of the target equipment is normal, or the detection of the data packet to be detected is normal.
7. The method according to claim 1, wherein the acquiring the packet group comprises:
acquiring a first data packet group, wherein the first data packet group comprises all data packets of the target equipment in a polling period to be detected; or, alternatively,
determining a data packet to be detected, and determining the target equipment according to an equipment identifier in the data packet to be detected;
and taking one polling cycle of the target equipment as a sliding window for extracting a data packet group, so as to obtain a second data packet group, wherein the second data packet group comprises the data packet to be detected and a plurality of data packets of the target equipment preceding the data packet to be detected.
8. The method for detecting the abnormal communication behavior of the equipment according to claim 1, wherein the number of rows of the load gray-scale image is determined according to a maximum polling period in a numerical control network in which the target equipment is located.
9. An apparatus for detecting an abnormal communication behavior of a device, comprising:
the system comprises a data packet acquisition module, a data packet transmission module and a data packet transmission module, wherein the data packet acquisition module is used for acquiring a data packet group, and the data packet group comprises a plurality of data packets of target equipment in a polling period;
the image construction module is used for constructing a load gray image according to the effective load of each data packet in the data packet group; wherein the effective load of one data packet corresponds to one line of the load gray scale image;
the vector acquisition module is used for acquiring a space-time characteristic vector of the load gray level image, and the space-time characteristic vector is used for representing the spatial relationship among all pixel points and the time sequence relationship among all rows in the load gray level image;
and the detection module is used for constructing a corresponding equipment behavior fingerprint by using the space-time characteristic vector of the load gray level image, and detecting the communication behavior of the target equipment or the data packet to be detected in the data packet group according to the constructed equipment behavior fingerprint and the space-time characteristic behavior fingerprint of the target equipment.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for detecting abnormal communication behavior of the device according to any one of claims 1 to 8 when executing the program.
11. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method for detecting abnormal communication behavior of a device according to any one of claims 1 to 8.
12. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements a method for detecting abnormal communication behavior of a device according to any one of claims 1 to 8.
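The pipeline of claims 1 and 5 to 8 in plain Python, as an added example that is not part of the patent: payloads become the rows of a grayscale image, a fingerprint vector is derived from the image, and its distance to the device's reference fingerprint is compared with a threshold. The CNN and LSTM extractors of claims 3 and 4 are replaced by a column-mean/row-mean stand-in so the data flow runs offline; the row width, the sample traffic and the threshold are constructed assumptions.

```python
import math
from typing import Dict, List, Sequence

ROW_WIDTH = 8  # assumed image width in pixels (payload bytes per row)

def build_load_image(payloads: Sequence[bytes], n_rows: int, width: int = ROW_WIDTH) -> List[List[int]]:
    """Claim 1: one payload -> one row, each byte a grey level 0..255.
    Rows are truncated or zero-padded to `width`; the image is padded to
    `n_rows` rows (claim 8: rows = maximum polling period of the network)."""
    image = [list(p[:width]) + [0] * max(0, width - len(p)) for p in list(payloads)[:n_rows]]
    image += [[0] * width for _ in range(n_rows - len(image))]
    return image

def window_group(packets: Sequence[Dict], index: int, period: int) -> List[bytes]:
    """Claim 7 (second branch): read the device id of the packet to detect and
    slide a window of one polling period back over that device's own packets."""
    target = packets[index]["dev"]
    own = [p["payload"] for p in packets[: index + 1] if p["dev"] == target]
    return own[-period:]

def spatio_temporal_vector(image: List[List[int]]) -> List[float]:
    """Stand-in for claims 2-4: column means play the role of the spatial (CNN)
    features, row means the role of the temporal (LSTM) features; the two are
    concatenated as in claim 2."""
    n_rows, width = len(image), len(image[0])
    spatial = [sum(r[c] for r in image) / n_rows for c in range(width)]
    temporal = [sum(r) / width for r in image]
    return spatial + temporal

def fingerprint_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Claim 5: Euclidean distance between two behaviour fingerprints."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def detect(group: Sequence[bytes], reference: Sequence[float], period: int, threshold: float) -> str:
    """Claim 6: a distance above the device's threshold means abnormal behaviour."""
    fp = spatio_temporal_vector(build_load_image(group, period))
    return "abnormal" if fingerprint_distance(fp, reference) > threshold else "normal"

# Constructed sample: device "A" polls four registers per cycle; the reference
# fingerprint is taken from one normal cycle; the threshold is a constructed value.
PERIOD, THRESHOLD = 4, 5.0
NORMAL_CYCLE = [bytes([1, 3, 0, reg, 0, 0]) for reg in (10, 11, 12, 13)]
REFERENCE = spatio_temporal_vector(build_load_image(NORMAL_CYCLE, PERIOD))
PACKETS = ([{"dev": "A", "payload": p} for p in NORMAL_CYCLE]
           + [{"dev": "B", "payload": b"\xff\xff"}]  # another device; skipped by the window
           + [{"dev": "A", "payload": p} for p in NORMAL_CYCLE[:3]]
           + [{"dev": "A", "payload": bytes([1, 16, 0, 12, 255, 255])}])  # unexpected function code and values

if __name__ == "__main__":
    for idx in (3, 8):
        print(idx, detect(window_group(PACKETS, idx, PERIOD), REFERENCE, PERIOD, THRESHOLD))  # 3 normal / 8 abnormal
```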

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210693216.5A CN115277071B (en) 2022-06-17 2022-06-17 Method and device for detecting abnormal communication behavior of equipment

Publications (2)

Publication Number Publication Date
CN115277071A true CN115277071A (en) 2022-11-01
CN115277071B CN115277071B (en) 2024-04-02

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113226A (en) * 2019-04-16 2019-08-09 新华三信息安全技术有限公司 A kind of method and device of detection device exception
CN111783442A (en) * 2019-12-19 2020-10-16 国网江西省电力有限公司电力科学研究院 Intrusion detection method, device, server and storage medium
CN113313156A (en) * 2021-05-21 2021-08-27 北京工业大学 Internet of things equipment identification method and system based on time sequence load flow fingerprints
CN113452656A (en) * 2020-03-26 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for identifying abnormal behaviors
CN113538288A (en) * 2021-07-29 2021-10-22 中移(杭州)信息技术有限公司 Network anomaly detection method and device and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄璇丽; 李成明; 姜青山: "Automatic extraction method for spatio-temporal features of network flows based on deep learning", 集成技术 (Journal of Integration Technology), no. 02, 15 March 2020 (2020-03-15) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant