CN115484102A - Anomaly detection system and method for industrial control system - Google Patents

Anomaly detection system and method for industrial control system Download PDF

Info

Publication number
CN115484102A
CN115484102A CN202211131264.1A CN202211131264A CN115484102A CN 115484102 A CN115484102 A CN 115484102A CN 202211131264 A CN202211131264 A CN 202211131264A CN 115484102 A CN115484102 A CN 115484102A
Authority
CN
China
Prior art keywords
time series
data
anomaly detection
time
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211131264.1A
Other languages
Chinese (zh)
Inventor
夏武
还约辉
杨根科
褚健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Guoli Network Security Technology Co ltd
Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University
Original Assignee
Zhejiang Guoli Network Security Technology Co ltd
Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Guoli Network Security Technology Co ltd, Ningbo Institute Of Artificial Intelligence Shanghai Jiaotong University filed Critical Zhejiang Guoli Network Security Technology Co ltd
Priority to CN202211131264.1A priority Critical patent/CN115484102A/en
Publication of CN115484102A publication Critical patent/CN115484102A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention discloses an anomaly detection system and method for an industrial control system, which relate to the field of anomaly detection, and the system comprises: the device comprises a data acquisition module, a data preprocessing module, an anomaly detection model training module, a threshold setting module, an anomaly detection module and a result output module. The method comprises the following steps: step 1, collecting training data; step 2, data preprocessing is carried out; step 3, learning time dimension characteristics; step 4, learning time series correlation; step 5, reconstructing the multidimensional time sequence data; step 6, setting an abnormal threshold value; step 7, real-time online detection; and 8, outputting a detection result. The method can effectively model the time sequence, learn the periodic rule of the normal sequence and effectively perform robust modeling on the abnormally polluted time sequence data; and the reconstruction error in the training process is learned by adopting an extreme value theorem, and the threshold value is automatically set, so that the inconvenience of setting according to an empirical value is avoided.

Description

一种面向工业控制系统的异常检测系统和方法Anomaly detection system and method for industrial control system

技术领域technical field

本发明涉及异常检测领域,尤其涉及一种面向工业控制系统的异常检测系统和方法。The invention relates to the field of anomaly detection, in particular to an anomaly detection system and method for industrial control systems.

背景技术Background technique

工业控制系统广泛应用于工业部门和关键基础设施,如电气、水和废水、石油和天然气、化工、运输、制药、纸浆和造纸、食品和饮料,以及离散制造(如汽车、航空航天和耐用品)等行业。面向工业控制系统进行及时有效的异常检测可以确保工业生产的长期稳定运行。Industrial control systems are widely used in industrial sectors and critical infrastructure such as electrical, water and wastewater, oil and gas, chemical, transportation, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing such as automotive, aerospace and durable goods ) and other industries. Timely and effective anomaly detection for industrial control systems can ensure the long-term stable operation of industrial production.

在实际的生产过程中,具有标签的数据往往很难获得,因此异常检测大多基于无监督方法。工控系统结构复杂,单变量时间序列异常检测很难适用,而在工业生产过程中一般会由大量传感器实时监测当前状态,执行器对当前系统进行操作,因此,从传感器和执行器采集的多变量时间序列数据可作为异常检测领域重要的研究对象。In the actual production process, labeled data is often difficult to obtain, so anomaly detection is mostly based on unsupervised methods. The structure of the industrial control system is complex, and it is difficult to apply single-variable time series anomaly detection. In the industrial production process, a large number of sensors generally monitor the current state in real time, and the actuators operate the current system. Therefore, the multi-variable data collected from sensors and actuators Time series data can be used as an important research object in the field of anomaly detection.

传统的基于机器学习的异常检测方法尽管可解释性好,但该类方法需要依靠专家经验对时间序列数据建立复杂的特征工程。随着技术的发展和算力的提高,基于深度学习的异常检测方法开始受到广泛关注。循环神经网络能够捕获时间序列数据中的长期依赖关系,但并没有考虑到不同时间序列之间的相关性,所以在建模具有序列潜在相关性的多维时间序列数据时,效果并不理想,且在实际工业场景中,工作负载的变化及工作环境噪声不可避免,导致模型的鲁棒性较差,另外异常检测阈值的设定多依赖于经验,缺乏灵活性。Although traditional machine learning-based anomaly detection methods have good interpretability, they need to rely on expert experience to establish complex feature engineering for time series data. With the development of technology and the improvement of computing power, anomaly detection methods based on deep learning have begun to receive widespread attention. Recurrent neural networks can capture long-term dependencies in time series data, but do not take into account the correlation between different time series, so the effect is not ideal when modeling multidimensional time series data with serial potential correlation, and In actual industrial scenarios, changes in workload and noise in the working environment are unavoidable, resulting in poor robustness of the model. In addition, the setting of anomaly detection thresholds mostly depends on experience and lacks flexibility.

金耀辉等人在中国发明专利申请“一种多维时间序列异常检测方法及检测系统”(申请号为:202011060906.4)中提供了一种多维时间序列异常检测方法及检测系统,包括:通过循环神经网络自编码器将采样得到的低维变量重构为多维时间序列,采用基于时间序列马尔科夫平滑假设的正则化方法对模型进行优化,基于重构时间序列概率分布对时间序列异常值进行计算。但此方法只学习了时间序列在时间维度上的规律而忽略了时序之间潜在的相关性,时序之间潜在的相关性的缺失会导致模型准确度低,检测性能低,Jin Yaohui and others provided a multi-dimensional time series anomaly detection method and detection system in the Chinese invention patent application "a multi-dimensional time series anomaly detection method and detection system" (application number: 202011060906.4), including: The encoder reconstructs the sampled low-dimensional variables into a multidimensional time series, optimizes the model with a regularization method based on the time series Markov smoothing assumption, and calculates outliers of the time series based on the probability distribution of the reconstructed time series. However, this method only learns the law of time series in the time dimension and ignores the potential correlation between time series. The lack of potential correlation between time series will lead to low model accuracy and low detection performance.

赵培海等人在中国发明专利申请“使用无监督深度神经网络的多维时序数据实时异常检测方法”(申请号为:202110848400.8)中提供了一种多维时间序列异常检测方法及检测系统,包括:对采集的数据计算相关性特征矩阵SFM,将特征矩阵序列输入到由四层卷积神经网络作为特征提取器的提取特征重建数据模块,每一层卷积神经网络增加一层LSTM网络结构,对每一层LSTM网络结构输出的特征提取矩阵进行重构获得重构矩阵,所有重构矩阵构成了重构矩阵序列,将重构矩阵序列作为一线性回归的输入,线性回归的输出表现形式为n阶方阵PSFM的预测采集数据,计算PSFM与SFM的差异得到异常得分sc,根据给定的阈值δ判断异常得分sc是否达到了异常的范围。此方法虽然考虑到了时序之间的相关性,但其相关性计算局限于线性关系,对于具有复杂关系的系统而言,难以达到好的效果。Zhao Peihai and others provided a multi-dimensional time series anomaly detection method and detection system in the Chinese invention patent application "Real-time anomaly detection method for multi-dimensional time series data using unsupervised deep neural network" (application number: 202110848400.8), including: The correlation feature matrix SFM is calculated from the data, and the feature matrix sequence is input to the extraction feature reconstruction data module that uses a four-layer convolutional neural network as a feature extractor. Each layer of convolutional neural network adds a layer of LSTM network structure, and each The feature extraction matrix output by the layer LSTM network structure is reconstructed to obtain the reconstruction matrix. All the reconstruction matrices constitute the reconstruction matrix sequence, and the reconstruction matrix sequence is used as the input of a linear regression. The output form of the linear regression is nth order square Collect data for the prediction of PSFM, calculate the difference between PSFM and SFM to get the abnormal score sc, and judge whether the abnormal score sc has reached the abnormal range according to the given threshold δ. Although this method takes into account the correlation between time series, its correlation calculation is limited to linear relationships, and it is difficult to achieve good results for systems with complex relationships.

皮德常等人在中国发明专利申请”一种多维时序数据异常检测方法和系统”(申请号为:202111371649.0)中提供了一种多维时序数据异常检测方法和系统,包括如下步骤:首先,对卫星遥测数据进行预处理,得到编码附加数据和时间尺度融合特征;接着,融合编码附加数据和融合特征得到融合输入信息;随后,将融合输入信息输入至Transformer变分自编码器中进行编码和解码再到重构结果,计算得出重构误差;然后,采用加权移动平均法对所述重构误差进行平滑处理,当平滑误差超过阈值范围时,判定为所述待检测卫星遥测数据存在异常,并记录异常时间点。该方法能有效捕获时间序列之间的相关性,但在异常检测的阈值设定依旧使用经验值,缺少灵活性和适应性。Pi Dechang and others provided a multi-dimensional time-series data anomaly detection method and system in the Chinese invention patent application "A method and system for detecting anomalies in multi-dimensional time-series data" (application number: 202111371649.0), including the following steps: First, the Satellite telemetry data is preprocessed to obtain coded additional data and time-scale fusion features; then, the fusion coded additional data and fusion features are fused to obtain fused input information; then, the fused input information is input into the Transformer variational autoencoder for encoding and decoding Then to the reconstruction result, the reconstruction error is calculated; then, the weighted moving average method is used to smooth the reconstruction error, and when the smoothing error exceeds the threshold range, it is determined that there is an abnormality in the telemetry data of the satellite to be detected, And record the abnormal time point. This method can effectively capture the correlation between time series, but the threshold setting of anomaly detection still uses empirical values, which lacks flexibility and adaptability.

因此,本领域的技术人员致力于开发一种新的面向工业控制系统的异常检测系统和方法,克服现有技术中存在的上述缺陷。Therefore, those skilled in the art are devoting themselves to developing a new anomaly detection system and method for industrial control systems to overcome the above-mentioned defects in the prior art.

发明内容Contents of the invention

有鉴于现有技术的上述缺陷,本发明所要解决的技术问题是如何克服现有技术中存在的缺少对时间序列之间潜在关系的学习而导致模型性能低、训练数据集中存在噪声的情况下异常检测深度学习模型的过拟合、异常阈值的设定依靠经验的缺陷。In view of the above-mentioned defects of the prior art, the technical problem to be solved by the present invention is how to overcome the lack of learning of the potential relationship between time series in the prior art, resulting in low model performance and abnormalities in the case of noise in the training data set Detecting the overfitting of the deep learning model and the setting of the abnormal threshold rely on the defects of experience.

为实现上述目的,本发明提供了一种面向工业控制系统的多维时间序列异常检测系统与方法,采用深度学习的方法学习工业多维时间序列的正常周期规律,基于重构时间序列概率分布对时间序列异常进行检测,有利于提高异常检测的准确度和稳定性,增强检测模型的可靠性。In order to achieve the above purpose, the present invention provides a multi-dimensional time series anomaly detection system and method for industrial control systems, using deep learning methods to learn the normal periodicity of industrial multi-dimensional time series, based on the reconstructed time series probability distribution to analyze the time series Anomaly detection is conducive to improving the accuracy and stability of anomaly detection and enhancing the reliability of the detection model.

本发明提供的一种面向工业控制系统的多维时间序列异常检测系统,包括:A multi-dimensional time series anomaly detection system oriented to an industrial control system provided by the present invention includes:

数据采集模块,所述数据采集模块记录工业控制系统的多维时间序列数据;A data acquisition module, the data acquisition module records the multidimensional time series data of the industrial control system;

数据预处理模块,所述数据预处理模块连接所述数据采集模块,对采集到的所述多维时间序列数据进行预处理,得到若干批次的多维时间序列子序列;A data preprocessing module, the data preprocessing module is connected to the data acquisition module, and preprocesses the collected multidimensional time series data to obtain several batches of multidimensional time series subsequences;

异常检测模型训练模块,所述异常检测模型训练模块连接所述数据预处理模块,接收所述若干批次的多维时间序列子序列,构建和训练用于异常检测的神经网络模型,称为异常检测模型,所述异常检测模型训练模块的输出为输入的所述多维时间序列数据的重构数据;An anomaly detection model training module, the anomaly detection model training module is connected to the data preprocessing module, receives the multi-dimensional time series subsequences of the plurality of batches, and constructs and trains a neural network model for anomaly detection, which is called anomaly detection model, the output of the anomaly detection model training module is the reconstructed data of the input multidimensional time series data;

阈值设定模块,所述阈值设定模块连接所述异常检测模型训练模块,计算所述重构数据与输入的所述多维时间序列数据之间的误差,称为重构误差,以所述重构误差作为样本数据,采用极值定理进行学习,自动设定异常阈值;Threshold value setting module, the threshold value setting module is connected to the abnormality detection model training module, and calculates the error between the reconstructed data and the input multidimensional time series data, which is called reconstruction error. Structural errors are used as sample data, the extreme value theorem is used for learning, and the abnormal threshold is automatically set;

异常检测模块,将实时采集的时间序列数据经过所述数据预处理模块后,输入到训练好的所述异常检测模型中计算所述重构误差,将所述重构误差作为异常分数,比较所述异常分数与所述异常阈值;当所述异常分数小于所述异常阈值时,则认为所述实时采集的时间序列数据存在异常;The anomaly detection module inputs the time series data collected in real time into the trained anomaly detection model to calculate the reconstruction error after passing through the data preprocessing module, and uses the reconstruction error as an abnormal score to compare the The abnormal score and the abnormal threshold; when the abnormal score is less than the abnormal threshold, it is considered that there is an abnormality in the time series data collected in real time;

结果输出模块,所述结果输出模块连接所述异常检测模块,对于检测到的异常的所述实时采集的时间序列数据,输出异常检测结果。A result output module, the result output module is connected to the anomaly detection module, and outputs an anomaly detection result for the time series data collected in real time of detected anomalies.

进一步地,所述实时采集的时间序列数据也由所述数据采集模块进行采集。Further, the time series data collected in real time is also collected by the data collection module.

进一步地,在所述数据预处理模块中,数据预处理先采用滑动窗口技术进行分割,再将分割后的子序列进行分批次和归一化的处理。Further, in the data preprocessing module, the data preprocessing first adopts sliding window technology to segment, and then divides the subsequences into batches and normalizes them.

进一步地,在所述异常检测模型训练模块中,所述异常检测模型采用一维卷积神经网络学习时间序列的时序特征,采用随机循环神经网络学习时序之间的相关性,通过变分自编码器的思想对输入的所述多维时间序列数据进行重构;通过所述重构误差、隐空间向量的后验分布和假设先验分布的KL散度来构造损失函数;通过优化所述损失函数进行模型训练,当所述损失函数达到最小时,保存所述异常检测模型的参数。Further, in the anomaly detection model training module, the anomaly detection model uses a one-dimensional convolutional neural network to learn the timing characteristics of time series, uses a random recurrent neural network to learn the correlation between time series, and uses variational self-encoding The idea of the device reconstructs the input multidimensional time series data; the loss function is constructed by the reconstruction error, the posterior distribution of the latent space vector and the KL divergence of the hypothetical prior distribution; by optimizing the loss function Perform model training, and save the parameters of the abnormality detection model when the loss function reaches the minimum.

进一步地,在所述结果输出模块中,所述异常检测结果包括异常发生位置、发生时间、持续时间长度。Further, in the result output module, the abnormality detection result includes abnormality occurrence location, occurrence time, and duration.

本发明还提供一种面向工业控制系统的多维时间序列异常检测方法,所述方法包括以下步骤:The present invention also provides a multidimensional time series anomaly detection method oriented to an industrial control system, the method comprising the following steps:

步骤1、对工业控制系统的a个传感器和b个执行器按照预先设定的频率f连续采样,采样时间长度为T,得到多维时间序列数据的样本X,大小为X∈RN×M,其中,N为采样数据长度,由所述频率f和所述采样时间长度T计算得出;M为采样数据维度,M=a+b;Step 1. Continuously sample the a sensors and b actuators of the industrial control system according to the preset frequency f, and the sampling time length is T, and obtain the sample X of the multidimensional time series data, whose size is X∈R N×M , Wherein, N is the sampling data length, calculated by the frequency f and the sampling time length T; M is the sampling data dimension, M=a+b;

步骤2、进行数据预处理,设置滑动时间窗口,包括起始时间st和终止时间et;所述滑动时间窗口的长度为w=et-st,宽度为所述多维时间序列数据的所述采样数据维度M;将所述滑动时间窗口在所述多维时间序列数据上滑动,直至序列数据结束;设定每次滑动的步长大小为s,将所述多维时间序列数据分割成若干个采样时间长度为w、采样数据维度为M的子序列片段x,x∈Rw×M;当采样时间长度小于所述滑动时间窗口的长度时,则直接将该片段作为子序列;选定批次大小为bs,分割后的子序列片段分为多个大小为bs的批次,每一批次的子序列大小为(bs,w,M);Step 2, perform data preprocessing, set a sliding time window, including start time st and end time e t ; the length of the sliding time window is w=e t - st , and the width is the multidimensional time series data The sampling data dimension M; slide the sliding time window on the multidimensional time series data until the end of the sequence data; set the step size of each sliding as s, and divide the multidimensional time series data into several A subsequence fragment x with a sampling time length of w and a sampling data dimension of M, x∈R w×M ; when the sampling time length is less than the length of the sliding time window, the fragment is directly used as a subsequence; selected The batch size is b s , the divided subsequence fragments are divided into multiple batches of size b s , and the subsequence size of each batch is (b s ,w,M);

步骤3、学习时间维特征,首先,使用若干个一维卷积神经网络对输入的所述多维时间序列数据沿其时间维度进行一维卷积,学习得到时序特征的低维表示z1,然后,对所述时序特征的低维表示z1进行反卷积,输出为d;Step 3. Learning time-dimensional features. First, use several one-dimensional convolutional neural networks to perform one-dimensional convolution on the input multi-dimensional time series data along its time dimension to learn a low-dimensional representation z 1 of time series features, and then , performing deconvolution on the low-dimensional representation z 1 of the time series features, and the output is d;

步骤4、学习时间序列相关性,首先,将d输入随机循环神经网络的变分编码网络,学习时间序列之间的相关性,得到低维表示z2,然后,将z2经过realNVP flow得到增强的低维表示;所述步骤3和所述步骤4构成变分自编码器的结构中的近似推理网络:Step 4. Learning time series correlation. First, input d into the variational coding network of the random recurrent neural network to learn the correlation between time series and obtain a low-dimensional representation z 2 . Then, z 2 is enhanced through realNVP flow The low-dimensional representation of; said step 3 and said step 4 constitute an approximate inference network in the structure of the variational autoencoder:

Figure BDA0003850509900000041
Figure BDA0003850509900000041

具体为:Specifically:

Figure BDA0003850509900000042
Figure BDA0003850509900000042

其中:in:

f(·)和f-1(·)代表一维卷积操作及反卷积操作,

Figure BDA0003850509900000043
表示门控循环单元GRU;f( ) and f -1 ( ) represent one-dimensional convolution operation and deconvolution operation,
Figure BDA0003850509900000043
Represents the gated recurrent unit GRU;

步骤5、重构所述多维时间序列数据;Step 5, reconstructing the multidimensional time series data;

步骤6、设置异常阈值;Step 6, setting the abnormal threshold;

步骤7、实时在线检测;Step 7, real-time online detection;

步骤8、输出检测结果。Step 8, outputting the detection result.

进一步地,在所述步骤5中,对所述时序特征的所述低维表示z1进行反卷积得到解码网络的输入e,将e包含的时序信息作为外部输入,输入到所述随机循环神经网络中,构建和训练用于异常检测的神经网络模型,称为异常检测模型,同时,结合时间序列之间的所述低维表示z2来实现对原始输入的所述多维时间序列数据的重构,得到重构数据,可表示为:Further, in the step 5, deconvolve the low-dimensional representation z1 of the timing feature to obtain the input e of the decoding network, and use the timing information contained in e as an external input to the random loop In the neural network, the neural network model used for anomaly detection is constructed and trained, which is called an anomaly detection model. At the same time, the multidimensional time series data of the original input is realized by combining the low-dimensional representation z 2 between time series. Refactoring to get reconstructed data, which can be expressed as:

pθ(x,z1,z2)=pθ(x|z1z,2)pθ(z2|z1)p θ (x,z 1 ,z 2 )=p θ (x|z 1 z,2)p θ (z 2 |z 1 )

具体为:Specifically:

Figure BDA0003850509900000047
Figure BDA0003850509900000047

其中:g(·)表示对z1进行反卷积操作,构造损失函数来对近似模型与生成模型联合优化;Among them: g( ) means to perform deconvolution operation on z 1 , and construct a loss function to jointly optimize the approximate model and the generative model;

根据所述变分自编码器的优化函数:According to the optimization function of the variational autoencoder:

Figure BDA0003850509900000044
的形式,
Figure BDA0003850509900000044
form,

构造优化函数为:The construction optimization function is:

Figure BDA0003850509900000045
Figure BDA0003850509900000045

优化方式包括采用蒙特卡洛采样、SGVB估计器和重参数技巧。Optimization methods include the use of Monte Carlo sampling, SGVB estimators and heavy parameter techniques.

进一步地,在所述步骤6中,计算所述重构数据与原始输入的所述多维时间序列数据之间的误差,得到一系列的重构误差error={er1,er2…};Further, in the step 6, the error between the reconstructed data and the original input multidimensional time series data is calculated to obtain a series of reconstruction errors error={er 1 , er 2 ...};

以所述重构误差为样本,采用极值定理自动化设定阈值为threshold,由极值定理:Taking the reconstruction error as a sample, the extreme value theorem is used to automatically set the threshold as threshold, and the extreme value theorem:

Figure BDA0003850509900000046
Figure BDA0003850509900000046

异常阈值的计算公式为:The formula for calculating the abnormal threshold is:

Figure BDA0003850509900000051
Figure BDA0003850509900000051

其中,th为初始设定阈值,

Figure BDA0003850509900000052
为需要学习的参数,q为设定的概率大小,N为输入样本数,Nt为样本中大于初始阈值的数目,同时添加实时计算的异常分数对检测阈值进行迭代更新。Among them, th is the initial setting threshold,
Figure BDA0003850509900000052
is the parameter to be learned, q is the set probability, N is the number of input samples, N t is the number of samples greater than the initial threshold, and the abnormal score calculated in real time is added to iteratively update the detection threshold.

进一步地,在所述步骤7中,对于t时刻实时采集的时间序列数据,输入到所述异常检测模型中,得出异常分数score,score即所述异常检测模型对输入数据的重构概率;当score<threshold时,认为产生异常,否则,认为是正常。Further, in the step 7, the time series data collected in real time at time t is input into the abnormality detection model to obtain an abnormality score score, which is the reconstruction probability of the input data by the abnormality detection model; When score<threshold, it is considered abnormal, otherwise, it is considered normal.

进一步地,在所述步骤8中,对检测到的异常时间序列片段,计算该时刻输入数据所有维度的异常可能性,并按照从高到低排序,选择前k个维度作为异常,输出异常维度对应的传感器或执行器的名称、异常发生的时间和持续时间长度。Further, in the step 8, for the detected abnormal time series fragments, calculate the abnormal possibility of all dimensions of the input data at that moment, sort them from high to low, select the first k dimensions as abnormal, and output the abnormal dimension The name of the corresponding sensor or actuator, the time and duration of the abnormality.

本发明提供的一种面向工业控制系统的多维时间序列异常检测系统与方法至少具有以下技术效果:A multi-dimensional time series anomaly detection system and method for industrial control systems provided by the present invention has at least the following technical effects:

1、本发明所提供的技术方案是基于层次变分自编码器的策略,既学习了多维时间序列在时间上的时序关系,同时也捕获了不同时间序列之间存在的潜在相关性,能够有效的对时间序列进行建模,学习正常序列的周期规律;1. The technical solution provided by the present invention is based on the strategy of hierarchical variational autoencoder, which not only learns the temporal relationship of multidimensional time series in time, but also captures the potential correlation between different time series, which can effectively Model the time series and learn the periodic law of the normal sequence;

2、本发明所提供的技术方案通过一维卷积网络和反向一维卷积操作,重构输入以过滤原始数据中存在的异常,能够有效地对异常污染的时间序列数据进行鲁棒性建模;2. The technical solution provided by the present invention uses one-dimensional convolutional network and reverse one-dimensional convolution operation to reconstruct the input to filter the anomalies existing in the original data, and can effectively perform robustness on abnormally polluted time series data. modeling;

3、本发明所提供的技术方案是采用极值定理对训练过程中的重构误差进行学习,自动化设定阈值,避免了按照经验值设定的不便。3. The technical solution provided by the present invention is to use the extreme value theorem to learn the reconstruction error in the training process, automatically set the threshold, and avoid the inconvenience of setting according to the empirical value.

以下将结合附图对本发明的构思、具体结构及产生的技术效果作进一步说明,以充分地了解本发明的目的、特征和效果。The idea, specific structure and technical effects of the present invention will be further described below in conjunction with the accompanying drawings, so as to fully understand the purpose, features and effects of the present invention.

附图说明Description of drawings

图1为本发明的一个较佳实施例的整体框架图;Fig. 1 is the overall frame diagram of a preferred embodiment of the present invention;

图2为图1实施例的多维时间序列及滑动窗口示意图;Fig. 2 is the schematic diagram of multidimensional time series and sliding window of Fig. 1 embodiment;

图3为图1实施例的随机循环神经网络;Fig. 3 is the random recurrent neural network of Fig. 1 embodiment;

图4为图1实施例的异常检测模型整体架构图。FIG. 4 is an overall architecture diagram of the anomaly detection model of the embodiment in FIG. 1 .

具体实施方式detailed description

以下参考说明书附图介绍本发明的多个优选实施例,使其技术内容更加清楚和便于理解。本发明可以通过许多不同形式的实施例来得以体现,本发明的保护范围并非仅限于文中提到的实施例。The following describes several preferred embodiments of the present invention with reference to the accompanying drawings, so as to make the technical content clearer and easier to understand. The present invention can be embodied in many different forms of embodiments, and the protection scope of the present invention is not limited to the embodiments mentioned herein.

本发明所要解决的技术问题是如何克服现有技术中存在的缺少对时间序列之间潜在关系的学习而导致模型性能低、训练数据集中存在噪声的情况下异常检测深度学习模型的过拟合、异常阈值的设定依靠经验的缺陷。为了解决上述技术问题,本发明采用一维卷积学习多维时间序列在时间上的时序关系,同时通过随机变分自编码器捕获不同时间序列之间存在的潜在相关性,以时序关系和相关性信息进行数据重构,基于变分自编码器的策略进行模型训练,能够有效地对时间序列进行建模,学习正常序列的周期规律。另外,采用极值定理,对训练过程中产生的重构误差进行学习,自动设定异常检测阈值,避免了按照经验值设定的不便。The technical problem to be solved by the present invention is how to overcome the lack of learning of the potential relationship between time series in the prior art, resulting in low model performance and overfitting of the abnormality detection deep learning model under the condition of noise in the training data set, The setting of abnormal threshold depends on the flaw of experience. In order to solve the above technical problems, the present invention uses one-dimensional convolution to learn the temporal relationship of multi-dimensional time series in time, and at the same time captures the potential correlation between different time series through random variational autoencoders, and uses the temporal relationship and correlation Data reconstruction based on information, and model training based on the strategy of variational autoencoder can effectively model time series and learn the periodicity of normal sequences. In addition, the extreme value theorem is used to learn the reconstruction error generated during the training process, and the abnormal detection threshold is automatically set, which avoids the inconvenience of setting according to the empirical value.

本发明提供的一种面向工业控制系统的多维时间序列异常检测系统与方法,采用深度学习的方法学习工业多维时间序列的正常周期规律,基于重构时间序列概率分布对时间序列异常进行检测,有利于提高异常检测的准确度和稳定性,增强检测模型的可靠性。The present invention provides a multi-dimensional time series anomaly detection system and method for industrial control systems, using deep learning methods to learn the normal periodicity of industrial multi-dimensional time series, and detecting time series anomalies based on the reconstructed time series probability distribution. It is beneficial to improve the accuracy and stability of anomaly detection and enhance the reliability of the detection model.

如图1所示,为本发明提供的一种面向工业控制系统的多维时间序列异常检测系统,包括:As shown in Figure 1, a kind of industrial control system-oriented multi-dimensional time series anomaly detection system provided by the present invention includes:

数据采集模块,数据采集模块记录工业控制系统的多维时间序列数据;数据采集模块记录工业控制系统正常运行时按固定频率连续采样得到的传感器和执行器的当前状态信息,生成多维时间序列数据,在异常检测系统的模型训练阶段,数据采集模块构建用于神经网络建模所需的数据集;在异常检测系统的模型运行阶段,数据采集模块实时采集系统状态数据用于异常检测;Data acquisition module, the data acquisition module records the multidimensional time series data of the industrial control system; the data acquisition module records the current status information of the sensors and actuators obtained by continuous sampling at a fixed frequency during the normal operation of the industrial control system, and generates multidimensional time series data. In the model training phase of the anomaly detection system, the data acquisition module constructs the data set required for neural network modeling; in the model operation phase of the anomaly detection system, the data acquisition module collects system status data in real time for anomaly detection;

数据预处理模块,数据预处理模块连接数据采集模块,对采集到的多维时间序列数据进行预处理,得到若干批次的多维时间序列子序列;具体来说,数据预处理模块对于所采集到的多维时间序列数据进行预处理,采用滑动窗口技术对多维时间序列进行分割,然后对分割后的子序列进行分批次并进行归一化,得到若干批次的多维时间序列子序列。The data preprocessing module, the data preprocessing module is connected to the data acquisition module, preprocesses the collected multidimensional time series data, and obtains several batches of multidimensional time series subsequences; specifically, the data preprocessing module for the collected The multidimensional time series data is preprocessed, and the multidimensional time series is segmented by sliding window technology, and then the divided subsequences are divided into batches and normalized to obtain several batches of multidimensional time series subsequences.

异常检测模型训练模块,异常检测模型训练模块连接数据预处理模块,接收若干批次的多维时间序列子序列,构建和训练用于异常检测的神经网络模型,称为异常检测模型,异常检测模型训练模块的输出为输入的多维时间序列数据的重构数据。具体来说,异常检测模型采用一维卷积神经网络学习时间序列的时序特征,采用随机循环神经网络学习时序之间的相关性,通过变分自编码器的思想对输入的多维时间序列数据进行重构;通过重构误差、隐空间向量的后验分布和假设先验分布的KL散度来构造损失函数;通过优化损失函数进行模型训练,当损失函数达到最小时,保存异常检测模型的参数。Anomaly detection model training module, the anomaly detection model training module is connected to the data preprocessing module, receives several batches of multi-dimensional time series subsequences, constructs and trains a neural network model for anomaly detection, called an anomaly detection model, anomaly detection model training The output of the module is the reconstructed data of the input multidimensional time series data. Specifically, the anomaly detection model uses a one-dimensional convolutional neural network to learn the time series characteristics of time series, uses a random recurrent neural network to learn the correlation between time series, and uses the idea of variational autoencoder to process the input multidimensional time series data. Reconstruction; construct a loss function by reconstructing the error, the posterior distribution of the latent space vector, and the KL divergence of the hypothetical prior distribution; perform model training by optimizing the loss function, and save the parameters of the anomaly detection model when the loss function reaches the minimum .

阈值设定模块,阈值设定模块连接异常检测模型训练模块,计算重构数据与输入的多维时间序列数据之间的误差,称为重构误差,以重构误差作为样本数据,采用极值定理进行学习,自动设定异常阈值;Threshold setting module, the threshold setting module is connected to the anomaly detection model training module to calculate the error between the reconstructed data and the input multidimensional time series data, which is called the reconstruction error. The reconstruction error is used as the sample data, and the extreme value theorem is adopted Carry out learning and automatically set the abnormal threshold;

异常检测模块,将实时采集的时间序列数据经过数据预处理模块后,输入到训练好的异常检测模型中计算重构误差,将重构误差作为异常分数,比较异常分数与异常阈值;当异常分数小于异常阈值时,则认为实时采集的时间序列数据存在异常。The anomaly detection module inputs the time series data collected in real time into the trained anomaly detection model to calculate the reconstruction error after passing through the data preprocessing module, takes the reconstruction error as the abnormal score, and compares the abnormal score with the abnormal threshold; when the abnormal score When it is less than the abnormal threshold, it is considered that there is an abnormality in the time series data collected in real time.

其中,实时采集的时间序列数据也由数据采集模块进行采集。Among them, the time series data collected in real time is also collected by the data collection module.

结果输出模块,结果输出模块连接异常检测模块,对于检测到的异常的实时采集的时间序列数据,输出异常检测结果。其中,异常检测结果包括异常发生位置、发生时间、持续时间长度。The result output module, the result output module is connected to the abnormality detection module, and outputs the abnormality detection result for the detected abnormal real-time collected time series data. Wherein, the abnormality detection result includes abnormality occurrence location, occurrence time, duration length.

本发明还提供一种面向工业控制系统的多维时间序列异常检测方法,先对工业生产过程中的传感器和执行器信号进行测量和采集生成多维时间序列,对采集的多维时间序列按滑动窗口进行分割形成时序片段,对时间序列的低维特征进行分层学习,沿时间序列的时间维采用一维卷积神经网络学习其时序特征,沿时间序列的特征维采用随机循环神经网络学习其时间序列之间潜在的相关性,用学习到的时序特征和相关性信息对输入的时间序列进行重构,采用变分自编码器的策略构造损失函数对模型进行训练优化,计算重构数据与原始输入之间的误差作为重构误差,对重构误差进行学习,设定异常检测阈值,将实时采集的数据输入异常检测模型,计算得出异常分数,进行阈值判定,若判定为异常,则输出异常告警并对异常进行定位。The present invention also provides a multi-dimensional time series anomaly detection method for industrial control systems. First, the signals of sensors and actuators in the industrial production process are measured and collected to generate a multi-dimensional time series, and the collected multi-dimensional time series is divided by a sliding window. Form time series fragments, learn the low-dimensional features of time series hierarchically, use one-dimensional convolutional neural network to learn its time series features along the time dimension of time series, and use random cyclic neural network to learn the time series features along the feature dimension of time series The potential correlation between them, reconstruct the input time series with the learned time series features and correlation information, use the strategy of variational autoencoder to construct the loss function to train and optimize the model, and calculate the relationship between the reconstructed data and the original input The error between them is used as the reconstruction error, the reconstruction error is learned, the abnormal detection threshold is set, the real-time collected data is input into the abnormal detection model, the abnormal score is calculated, and the threshold is judged. If it is judged to be abnormal, an abnormal alarm will be output and locate the exception.

具体来说,该方法包括以下步骤:Specifically, the method includes the following steps:

步骤1、对工业控制系统的a个传感器和b个执行器按照预先设定的频率f连续采样,采样时间长度为T,得到多维时间序列数据的样本X,大小为X∈RN×M,其中,N为采样数据长度,由频率f和采样时间长度T计算得出;M为采样数据维度,M=a+b;Step 1. Continuously sample the a sensors and b actuators of the industrial control system according to the preset frequency f, and the sampling time length is T, and obtain the sample X of the multidimensional time series data, whose size is X∈R N×M , Among them, N is the sampling data length, calculated from the frequency f and the sampling time length T; M is the sampling data dimension, M=a+b;

步骤2、进行数据预处理,如图2所示,设置滑动时间窗口,包括起始时间st和终止时间et;滑动时间窗口的长度为w=et-st,宽度为多维时间序列数据的采样数据维度M;将滑动时间窗口在多维时间序列数据上滑动,直至序列数据结束;设定每次滑动的步长大小为s,将多维时间序列数据分割成若干个采样时间长度为w、采样数据维度为M的子序列片段x,x∈Rw×M;当采样时间长度小于滑动时间窗口的长度时,则直接将该片段作为子序列;选定批次大小为bs,分割后的子序列片段分为多个大小为bs的批次,每一批次的子序列大小为(bs,w,M),随后依次输入异常检测模型进行训练;Step 2, perform data preprocessing, as shown in Figure 2, set the sliding time window, including the start time st and end time e t ; the length of the sliding time window is w=e t -s t , and the width is a multidimensional time series The sampling data dimension of the data is M; slide the sliding time window on the multidimensional time series data until the end of the sequence data; set the step size of each sliding as s, and divide the multidimensional time series data into several sampling time lengths w , Sampling the subsequence fragment x with dimension M, x∈R w×M ; when the sampling time length is less than the length of the sliding time window, the fragment is directly used as a subsequence; the selected batch size is b s , and the division The final subsequence fragments are divided into multiple batches of size b s , and the subsequence size of each batch is (b s , w, M), and then input into the anomaly detection model for training in turn;

步骤3、学习时间维特征,首先,使用若干个一维卷积神经网络对输入的多维时间序列数据沿其时间维度进行一维卷积,学习得到时序特征的低维表示z1,然后,对时序特征的低维表示z1进行反卷积,输出为d;反卷积操作的目的在于滤去训练数据中存在的异常数据噪声,保证模型的准确性和后续时间序列相关性学习的一致性;Step 3. Learning time-dimensional features. First, use several one-dimensional convolutional neural networks to perform one-dimensional convolution on the input multi-dimensional time series data along its time dimension, and learn the low-dimensional representation z 1 of time series features. Then, The low-dimensional representation z 1 of time series features is deconvolved, and the output is d; the purpose of the deconvolution operation is to filter out the abnormal data noise existing in the training data, to ensure the accuracy of the model and the consistency of subsequent time series correlation learning ;

步骤4、学习时间序列相关性,如图3所示,首先,将d输入随机循环神经网络的变分编码网络,学习时间序列之间的相关性,得到低维表示z2,然后,将z2经过realNVP flow得到增强的低维表示;步骤3和步骤4构成变分自编码器的结构中的近似推理网络:Step 4, learning time series correlation, as shown in Figure 3, first, input d into the variational coding network of the random recurrent neural network, learn the correlation between time series, and obtain a low-dimensional representation z 2 , then, z 2 Enhanced low-dimensional representation through realNVP flow; Step 3 and Step 4 constitute the approximate inference network in the structure of the variational autoencoder:

Figure BDA0003850509900000081
Figure BDA0003850509900000081

具体为:Specifically:

Figure BDA0003850509900000082
Figure BDA0003850509900000082

其中:in:

f(·)和f-1(·)代表一维卷积操作及反卷积操作,

Figure BDA0003850509900000083
表示门控循环单元GRU;f( ) and f -1 ( ) represent one-dimensional convolution operation and deconvolution operation,
Figure BDA0003850509900000083
Represents the gated recurrent unit GRU;

步骤5、重构多维时间序列数据,对时序特征的低维表示z1进行反卷积得到解码网络的输入e,将e包含的时序信息作为外部输入,输入到随机循环神经网络中,构建和训练用于异常检测的神经网络模型,称为异常检测模型,同时,结合时间序列之间的低维表示z2来实现对原始输入的多维时间序列数据的重构,得到重构数据,可表示为:Step 5. Reconstruct the multi-dimensional time series data, deconvolute the low-dimensional representation z 1 of the time series features to obtain the input e of the decoding network, and use the time series information contained in e as an external input into the random cyclic neural network to construct and The neural network model trained for anomaly detection is called an anomaly detection model. At the same time, combined with the low-dimensional representation z 2 between time series to realize the reconstruction of the original input multi-dimensional time series data, the reconstructed data can be expressed for:

pθ(x,z1,z2)=pθ(x|z1,z2)pθ(z2|z1)p θ (x,z 1 ,z 2 )=p θ (x|z 1 ,z 2 )p θ (z 2 |z 1 )

具体为:Specifically:

Figure BDA0003850509900000089
Figure BDA0003850509900000089

其中:g(·)表示对z1进行反卷积操作,构造损失函数来对近似模型与生成模型联合优化;Among them: g( ) means to perform deconvolution operation on z 1 , and construct a loss function to jointly optimize the approximate model and the generative model;

根据变分自编码器的优化函数:According to the optimization function of the variational autoencoder:

Figure BDA0003850509900000084
的形式,
Figure BDA0003850509900000084
form,

构造优化函数为:The construction optimization function is:

Figure BDA0003850509900000085
Figure BDA0003850509900000085

优化方式包括采用蒙特卡洛采样、SGVB估计器和重参数技巧;Optimization methods include using Monte Carlo sampling, SGVB estimators and heavy parameter techniques;

步骤6、设置异常阈值,如图4所示,计算重构数据与原始输入的多维时间序列数据之间的误差,得到一系列的重构误差error={er1,er2…};Step 6. Set the abnormal threshold, as shown in Figure 4, calculate the error between the reconstructed data and the original input multidimensional time series data, and obtain a series of reconstruction errors error={er 1 , er 2 ...};

以重构误差为样本,采用极值定理自动化设定阈值为threshold,由极值定理:Taking the reconstruction error as a sample, the extreme value theorem is used to automatically set the threshold as the threshold. According to the extreme value theorem:

Figure BDA0003850509900000086
Figure BDA0003850509900000086

异常阈值的计算公式为:The formula for calculating the abnormal threshold is:

Figure BDA0003850509900000087
Figure BDA0003850509900000087

其中,th为初始设定阈值,

Figure BDA0003850509900000088
为需要学习的参数,q为设定的概率大小,N为输入样本数,Nt为样本中大于初始阈值的数目,同时添加实时计算的异常分数对检测阈值进行迭代更新;Among them, th is the initial setting threshold,
Figure BDA0003850509900000088
is the parameter that needs to be learned, q is the set probability, N is the number of input samples, N t is the number of samples greater than the initial threshold, and the abnormal score calculated in real time is added to iteratively update the detection threshold;

步骤7、实时在线检测,对于t时刻实时采集的时间序列数据,输入到异常检测模型中,得出异常分数score,score即异常检测模型对输入数据的重构概率;当score<threshold时,认为产生异常,否则,认为是正常;Step 7. Real-time online detection. For the time series data collected in real time at time t, input it into the anomaly detection model to obtain the abnormal score score, which is the reconstruction probability of the input data by the anomaly detection model; when score<threshold, consider An exception is generated, otherwise, it is considered normal;

步骤8、输出检测结果,对检测到的异常时间序列片段,计算该时刻输入数据所有维度的异常可能性,并按照从高到低排序,选择前k个维度作为异常,输出异常维度对应的传感器或执行器的名称、异常发生的时间和持续时间长度。Step 8. Output the detection results. For the detected abnormal time series fragments, calculate the abnormal possibility of all dimensions of the input data at that moment, sort them from high to low, select the first k dimensions as abnormal, and output the sensor corresponding to the abnormal dimension or the name of the executor, when and for how long the exception occurred.

以上详细描述了本发明的较佳具体实施例。应当理解,本领域的普通技术无需创造性劳动就可以根据本发明的构思作出诸多修改和变化。因此,凡本技术领域中技术人员依本发明的构思在现有技术的基础上通过逻辑分析、推理或者有限的实验可以得到的技术方案,皆应在由权利要求书所确定的保护范围内。The preferred specific embodiments of the present invention have been described in detail above. It should be understood that those skilled in the art can make many modifications and changes according to the concept of the present invention without creative efforts. Therefore, all technical solutions that can be obtained by those skilled in the art based on the concept of the present invention through logical analysis, reasoning or limited experiments on the basis of the prior art shall be within the scope of protection defined by the claims.

Claims (10)

1.一种面向工业控制系统的多维时间序列异常检测系统,其特征在于,包括:1. A multidimensional time series anomaly detection system for industrial control systems, characterized in that it comprises: 数据采集模块,所述数据采集模块记录工业控制系统的多维时间序列数据;A data acquisition module, the data acquisition module records the multidimensional time series data of the industrial control system; 数据预处理模块,所述数据预处理模块连接所述数据采集模块,对采集到的所述多维时间序列数据进行预处理,得到若干批次的多维时间序列子序列;A data preprocessing module, the data preprocessing module is connected to the data acquisition module, and preprocesses the collected multidimensional time series data to obtain several batches of multidimensional time series subsequences; 异常检测模型训练模块,所述异常检测模型训练模块连接所述数据预处理模块,接收所述若干批次的多维时间序列子序列,构建和训练用于异常检测的神经网络模型,称为异常检测模型,所述异常检测模型训练模块的输出为输入的所述多维时间序列数据的重构数据;An anomaly detection model training module, the anomaly detection model training module is connected to the data preprocessing module, receives the multi-dimensional time series subsequences of the plurality of batches, and constructs and trains a neural network model for anomaly detection, which is called anomaly detection model, the output of the anomaly detection model training module is the reconstructed data of the input multidimensional time series data; 阈值设定模块,所述阈值设定模块连接所述异常检测模型训练模块,计算所述重构数据与输入的所述多维时间序列数据之间的误差,称为重构误差,以所述重构误差作为样本数据,采用极值定理进行学习,自动设定异常阈值;Threshold value setting module, the threshold value setting module is connected to the abnormality detection model training module, and calculates the error between the reconstructed data and the input multidimensional time series data, which is called reconstruction error. Structural errors are used as sample data, the extreme value theorem is used for learning, and the abnormal threshold is automatically set; 异常检测模块,将实时采集的时间序列数据经过所述数据预处理模块后,输入到训练好的所述异常检测模型中计算所述重构误差,将所述重构误差作为异常分数,比较所述异常分数与所述异常阈值;当所述异常分数小于所述异常阈值时,则认为所述实时采集的时间序列数据存在异常;The anomaly detection module inputs the time series data collected in real time into the trained anomaly detection model to calculate the reconstruction error after passing through the data preprocessing module, and uses the reconstruction error as an abnormal score to compare the The abnormal score and the abnormal threshold; when the abnormal score is less than the abnormal threshold, it is considered that there is an abnormality in the time series data collected in real time; 结果输出模块,所述结果输出模块连接所述异常检测模块,对于检测到的异常的所述实时采集的时间序列数据,输出异常检测结果。A result output module, the result output module is connected to the anomaly detection module, and outputs an anomaly detection result for the time series data collected in real time of detected anomalies. 2.如权利要求1所述的面向工业控制系统的多维时间序列异常检测系统,其特征在于,所述实时采集的时间序列数据也由所述数据采集模块进行采集。2. The multi-dimensional time-series anomaly detection system oriented to an industrial control system according to claim 1, wherein the time-series data collected in real time is also collected by the data collection module. 3.如权利要求1所述的面向工业控制系统的多维时间序列异常检测系统,其特征在于,在所述数据预处理模块中,数据预处理先采用滑动窗口技术进行分割,再将分割后的子序列进行分批次和归一化的处理。3. the multi-dimensional time series anomaly detection system facing industrial control system as claimed in claim 1, is characterized in that, in described data preprocessing module, data preprocessing adopts sliding window technique to segment earlier, and then the segmented Subsequences are batched and normalized. 4.如权利要求1所述的面向工业控制系统的多维时间序列异常检测系统,其特征在于,在所述异常检测模型训练模块中,所述异常检测模型采用一维卷积神经网络学习时间序列的时序特征,采用随机循环神经网络学习时序之间的相关性,通过变分自编码器的思想对输入的所述多维时间序列数据进行重构;通过所述重构误差、隐空间向量的后验分布和假设先验分布的KL散度来构造损失函数;通过优化所述损失函数进行模型训练,当所述损失函数达到最小时,保存所述异常检测模型的参数。4. the multidimensional time series anomaly detection system facing industrial control system as claimed in claim 1, is characterized in that, in described anomaly detection model training module, described anomaly detection model adopts one-dimensional convolutional neural network learning time series The timing characteristics of the time series, using the random cycle neural network to learn the correlation between the time series, through the idea of variational autoencoder to reconstruct the input multi-dimensional time series data; through the reconstruction error, the hidden space vector after The prior distribution and the KL divergence of the hypothetical prior distribution are used to construct a loss function; the model training is performed by optimizing the loss function, and when the loss function reaches a minimum, the parameters of the anomaly detection model are saved. 5.如权利要求1所述的面向工业控制系统的多维时间序列异常检测系统,其特征在于,在所述结果输出模块中,所述异常检测结果包括异常发生位置、发生时间、持续时间长度。5. The multi-dimensional time series anomaly detection system oriented to industrial control systems according to claim 1, characterized in that, in the result output module, the anomaly detection results include abnormal occurrence location, occurrence time, and duration length. 6.如权利要求1所述的面向工业控制系统的多维时间序列异常检测方法,其特征在于,所述方法包括以下步骤:6. the multidimensional time series anomaly detection method facing industrial control system as claimed in claim 1, is characterized in that, described method comprises the following steps: 步骤1、对工业控制系统的a个传感器和b个执行器按照预先设定的频率f连续采样,采样时间长度为T,得到多维时间序列数据的样本X,大小为X∈RN×M,其中,N为采样数据长度,由所述频率f和所述采样时间长度T计算得出;M为采样数据维度,M=a+b;Step 1. Continuously sample the a sensors and b actuators of the industrial control system according to the preset frequency f, and the sampling time length is T, and obtain the sample X of the multidimensional time series data, whose size is X∈R N×M , Wherein, N is the sampling data length, calculated by the frequency f and the sampling time length T; M is the sampling data dimension, M=a+b; 步骤2、进行数据预处理,设置滑动时间窗口,包括起始时间st和终止时间et;所述滑动时间窗口的长度为w=et-st,宽度为所述多维时间序列数据的所述采样数据维度M;将所述滑动时间窗口在所述多维时间序列数据上滑动,直至序列数据结束;设定每次滑动的步长大小为s,将所述多维时间序列数据分割成若干个采样时间长度为w、采样数据维度为M的子序列片段x,x∈Rw×M;当采样时间长度小于所述滑动时间窗口的长度时,则直接将该片段作为子序列;选定批次大小为bs,分割后的子序列片段分为多个大小为bs的批次,每一批次的子序列大小为(bs,w,M);Step 2, perform data preprocessing, set a sliding time window, including start time st and end time e t ; the length of the sliding time window is w=e t - st , and the width is the multidimensional time series data The sampling data dimension M; slide the sliding time window on the multidimensional time series data until the end of the sequence data; set the step size of each sliding as s, and divide the multidimensional time series data into several A subsequence segment x with a sampling time length of w and a sampling data dimension of M, x∈R w×M ; when the sampling time length is less than the length of the sliding time window, the segment is directly used as a subsequence; selected The batch size is b s , the divided subsequence fragments are divided into multiple batches of size b s , and the subsequence size of each batch is (b s ,w,M); 步骤3、学习时间维特征,首先,使用若干个一维卷积神经网络对输入的所述多维时间序列数据沿其时间维度进行一维卷积,学习得到时序特征的低维表示z1,然后,对所述时序特征的低维表示z1进行反卷积,输出为d;Step 3. Learning time-dimensional features. First, use several one-dimensional convolutional neural networks to perform one-dimensional convolution on the input multi-dimensional time series data along its time dimension to learn a low-dimensional representation z 1 of time series features, and then , performing deconvolution on the low-dimensional representation z 1 of the time series feature, and the output is d; 步骤4、学习时间序列相关性,首先,将d输入随机循环神经网络的变分编码网络,学习时间序列之间的相关性,得到低维表示z2,然后,将z2经过realNVP flow得到增强的低维表示;所述步骤3和所述步骤4构成变分自编码器的结构中的近似推理网络:Step 4. Learning time series correlation. First, input d into the variational coding network of the random recurrent neural network to learn the correlation between time series and obtain a low-dimensional representation z 2 . Then, z 2 is enhanced through realNVP flow The low-dimensional representation of; said step 3 and said step 4 constitute an approximate inference network in the structure of the variational autoencoder:
Figure FDA0003850509890000021
Figure FDA0003850509890000021
 具体为:Specifically:
Figure FDA0003850509890000022
Figure FDA0003850509890000022
 其中:in: f(·)和f-1(·)代表一维卷积操作及反卷积操作,
Figure FDA0003850509890000023
表示门控循环单元GRU;f( ) and f -1 ( ) represent one-dimensional convolution operation and deconvolution operation,
Figure FDA0003850509890000023
Represents the gated recurrent unit GRU; 步骤5、重构所述多维时间序列数据;Step 5, reconstructing the multidimensional time series data; 步骤6、设置异常阈值;Step 6, setting the abnormal threshold; 步骤7、实时在线检测;Step 7, real-time online detection; 步骤8、输出检测结果。Step 8, outputting the detection result. 7.如权利要求6所述的面向工业控制系统的多维时间序列异常检测方法,其特征在于,在所述步骤5中,对所述时序特征的所述低维表示z1进行反卷积得到解码网络的输入e,将e包含的时序信息作为外部输入,输入到所述随机循环神经网络中,构建和训练用于异常检测的神经网络模型,称为异常检测模型,同时,结合时间序列之间的所述低维表示z2来实现对原始输入的所述多维时间序列数据的重构,得到重构数据,可表示为:7. the multidimensional time series anomaly detection method facing industrial control system as claimed in claim 6, is characterized in that, in described step 5, deconvolution is carried out to the described low-dimensional representation z1 of described time series feature to obtain Decoding the input e of the network, using the timing information contained in e as an external input, inputting it into the random cyclic neural network, constructing and training a neural network model for anomaly detection, called an anomaly detection model, and at the same time, combining the time series The low - dimensional representation z2 between realizes the reconstruction of the multi-dimensional time series data of the original input, and obtains the reconstructed data, which can be expressed as: pθ(x,z1,z2)=pθ(x|z1,z2)pθ(z2|z1)p θ (x,z 1 ,z 2 )=p θ (x|z 1 ,z 2 )p θ (z 2 |z 1 ) 具体为:Specifically:
Figure FDA0003850509890000031
Figure FDA0003850509890000031
 其中:g(·)表示对z1进行反卷积操作,构造损失函数来对近似模型与生成模型联合优化;Among them: g( ) means to perform deconvolution operation on z 1 , and construct a loss function to jointly optimize the approximate model and the generative model; 根据所述变分自编码器的优化函数:According to the optimization function of the variational autoencoder:
Figure FDA0003850509890000032
的形式,
Figure FDA0003850509890000032
form, 构造优化函数为:The construction optimization function is:
Figure FDA0003850509890000033
Figure FDA0003850509890000033
 优化方式包括采用蒙特卡洛采样、SGVB估计器和重参数技巧。Optimization methods include the use of Monte Carlo sampling, SGVB estimators and heavy parameter techniques. 8.如权利要求7所述的面向工业控制系统的多维时间序列异常检测方法,其特征在于,在所述步骤6中,计算所述重构数据与原始输入的所述多维时间序列数据之间的误差,得到一系列的重构误差error={er1,er2…};8. The multidimensional time series anomaly detection method for industrial control systems as claimed in claim 7, characterized in that, in said step 6, calculating the difference between the reconstructed data and the multidimensional time series data of the original input Error, get a series of reconstruction errors error={er 1 ,er 2 ...}; 以所述重构误差为样本,采用极值定理自动化设定阈值为threshold,由极值定理:Taking the reconstruction error as a sample, the extreme value theorem is used to automatically set the threshold as threshold, and the extreme value theorem:
Figure FDA0003850509890000034
Figure FDA0003850509890000034
 异常阈值的计算公式为:The formula for calculating the abnormal threshold is:
Figure FDA0003850509890000035
Figure FDA0003850509890000035
 其中,th为初始设定阈值,
Figure FDA0003850509890000036
为需要学习的参数,q为设定的概率大小,N为输入样本数,Nt为样本中大于初始阈值的数目,同时添加实时计算的异常分数对检测阈值进行迭代更新。Among them, th is the initial setting threshold,
Figure FDA0003850509890000036
is the parameter to be learned, q is the set probability, N is the number of input samples, N t is the number of samples greater than the initial threshold, and the abnormal score calculated in real time is added to iteratively update the detection threshold. 9.如权利要求8所述的面向工业控制系统的多维时间序列异常检测方法,其特征在于,在所述步骤7中,对于t时刻实时采集的时间序列数据,输入到所述异常检测模型中,得出异常分数score,score即所述异常检测模型对输入数据的重构概率;当score<threshold时,认为产生异常,否则,认为是正常。9. The multi-dimensional time series anomaly detection method oriented to industrial control systems as claimed in claim 8, characterized in that, in said step 7, the time series data collected in real time at time t are input into the anomaly detection model , to obtain the abnormal score score, which is the reconstruction probability of the input data by the abnormal detection model; when score<threshold, it is considered abnormal, otherwise, it is considered normal. 10.如权利要求9所述的面向工业控制系统的多维时间序列异常检测方法,其特征在于,在所述步骤8中,对检测到的异常时间序列片段,计算该时刻输入数据所有维度的异常可能性,并按照从高到低排序,选择前k个维度作为异常,输出异常维度对应的传感器或执行器的名称、异常发生的时间和持续时间长度。10. The multi-dimensional time series anomaly detection method oriented to industrial control systems according to claim 9, characterized in that in step 8, for the detected abnormal time series fragments, the abnormalities of all dimensions of the input data at that moment are calculated Possibility, and sorted from high to low, select the first k dimensions as anomalies, and output the name of the sensor or actuator corresponding to the anomalous dimension, the time when the anomaly occurred, and the duration.
CN202211131264.1A 2022-09-16 2022-09-16 Anomaly detection system and method for industrial control system Pending CN115484102A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211131264.1A CN115484102A (en) 2022-09-16 2022-09-16 Anomaly detection system and method for industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211131264.1A CN115484102A (en) 2022-09-16 2022-09-16 Anomaly detection system and method for industrial control system

Publications (1)

Publication Number Publication Date
CN115484102A true CN115484102A (en) 2022-12-16

Family

ID=84392798

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211131264.1A Pending CN115484102A (en) 2022-09-16 2022-09-16 Anomaly detection system and method for industrial control system

Country Status (1)

Country Link
CN (1) CN115484102A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115795350A (en) * 2023-01-29 2023-03-14 北京众驰伟业科技发展有限公司 Abnormal data information processing method in production process of blood rheology test cup
CN115964636A (en) * 2022-12-23 2023-04-14 浙江苍南仪表集团股份有限公司 Gas flow abnormity detection method and system based on machine learning and dynamic threshold
CN116032775A (en) * 2023-01-09 2023-04-28 山东省计算中心(国家超级计算济南中心) Industrial control network anomaly detection method oriented to concept drift
CN116361673A (en) * 2023-06-01 2023-06-30 西南石油大学 Quasi-periodic time sequence unsupervised anomaly detection method, system and terminal
CN116662811A (en) * 2023-06-13 2023-08-29 无锡物联网创新中心有限公司 Time sequence state data reconstruction method and related device of industrial equipment
CN116738170A (en) * 2023-06-13 2023-09-12 无锡物联网创新中心有限公司 Abnormality analysis method and related device for industrial equipment
CN117095254A (en) * 2023-07-25 2023-11-21 南京航空航天大学 Open set radio frequency fingerprint identification method based on layered self-encoder
CN117150407A (en) * 2023-09-04 2023-12-01 国网上海市电力公司 Abnormality detection method for industrial carbon emission data
CN118378092A (en) * 2024-06-20 2024-07-23 阿里云飞天(杭州)云计算技术有限公司 Model training method, abnormality detection system, electronic device, and storage medium
CN118797346A (en) * 2024-07-04 2024-10-18 上海米喜网络科技有限公司 A method, system, device and medium for automatic data intelligent processing
CN119067225A (en) * 2024-11-06 2024-12-03 齐鲁工业大学(山东省科学院) Industrial control anomaly explanation method and system based on generative counterfactual sample differences
CN119126765A (en) * 2024-11-13 2024-12-13 青岛智腾微电子有限公司 Avionic system fault self-diagnosis method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112416662A (en) * 2020-11-26 2021-02-26 清华大学 Multi-time series data anomaly detection method and device
CN113051822A (en) * 2021-03-25 2021-06-29 浙江工业大学 Industrial system anomaly detection method based on graph attention network and LSTM automatic coding model
CN114065862A (en) * 2021-11-18 2022-02-18 南京航空航天大学 Anomaly detection method and system for multidimensional time series data
CN114492826A (en) * 2021-11-22 2022-05-13 杭州电子科技大学 Unsupervised anomaly detection analysis solution method based on multivariate time sequence flow data

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112416662A (en) * 2020-11-26 2021-02-26 清华大学 Multi-time series data anomaly detection method and device
CN113051822A (en) * 2021-03-25 2021-06-29 浙江工业大学 Industrial system anomaly detection method based on graph attention network and LSTM automatic coding model
CN114065862A (en) * 2021-11-18 2022-02-18 南京航空航天大学 Anomaly detection method and system for multidimensional time series data
CN114492826A (en) * 2021-11-22 2022-05-13 杭州电子科技大学 Unsupervised anomaly detection analysis solution method based on multivariate time sequence flow data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
任建强;陈仲新;唐华俊;: "基于MODIS-NDVI的区域冬小麦遥感估产――以山东省济宁市为例", 应用生态学报, no. 12, 28 December 2006 (2006-12-28) *
李祎颖: "基于主题模型与变分自编码的文本摘要生成", 《中国优秀硕士学位论文全文数据库(电子期刊) 信息科技辑》, 15 March 2022 (2022-03-15) *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115964636A (en) * 2022-12-23 2023-04-14 浙江苍南仪表集团股份有限公司 Gas flow abnormity detection method and system based on machine learning and dynamic threshold
CN115964636B (en) * 2022-12-23 2023-11-07 浙江苍南仪表集团股份有限公司 Gas flow abnormality detection method and system based on machine learning and dynamic threshold
CN116032775A (en) * 2023-01-09 2023-04-28 山东省计算中心(国家超级计算济南中心) Industrial control network anomaly detection method oriented to concept drift
CN115795350A (en) * 2023-01-29 2023-03-14 北京众驰伟业科技发展有限公司 Abnormal data information processing method in production process of blood rheology test cup
CN116361673A (en) * 2023-06-01 2023-06-30 西南石油大学 Quasi-periodic time sequence unsupervised anomaly detection method, system and terminal
CN116361673B (en) * 2023-06-01 2023-08-11 西南石油大学 Quasi-periodic time sequence unsupervised anomaly detection method, system and terminal
CN116662811B (en) * 2023-06-13 2024-02-06 无锡物联网创新中心有限公司 Time sequence state data reconstruction method and related device of industrial equipment
CN116662811A (en) * 2023-06-13 2023-08-29 无锡物联网创新中心有限公司 Time sequence state data reconstruction method and related device of industrial equipment
CN116738170A (en) * 2023-06-13 2023-09-12 无锡物联网创新中心有限公司 Abnormality analysis method and related device for industrial equipment
CN116738170B (en) * 2023-06-13 2024-06-18 无锡物联网创新中心有限公司 Abnormality analysis method and related device for industrial equipment
CN117095254A (en) * 2023-07-25 2023-11-21 南京航空航天大学 Open set radio frequency fingerprint identification method based on layered self-encoder
CN117150407A (en) * 2023-09-04 2023-12-01 国网上海市电力公司 Abnormality detection method for industrial carbon emission data
CN117150407B (en) * 2023-09-04 2024-10-01 国网上海市电力公司 Anomaly detection method for industrial carbon emission data
CN118378092A (en) * 2024-06-20 2024-07-23 阿里云飞天(杭州)云计算技术有限公司 Model training method, abnormality detection system, electronic device, and storage medium
CN118378092B (en) * 2024-06-20 2024-10-25 阿里云飞天(杭州)云计算技术有限公司 Model training method, abnormality detection system, electronic device, and storage medium
CN118797346A (en) * 2024-07-04 2024-10-18 上海米喜网络科技有限公司 A method, system, device and medium for automatic data intelligent processing
CN119067225A (en) * 2024-11-06 2024-12-03 齐鲁工业大学(山东省科学院) Industrial control anomaly explanation method and system based on generative counterfactual sample differences
CN119126765A (en) * 2024-11-13 2024-12-13 青岛智腾微电子有限公司 Avionic system fault self-diagnosis method and system

Similar Documents

Publication Publication Date Title
CN115484102A (en) Anomaly detection system and method for industrial control system
CN111947928A (en) A bearing fault prediction system and method based on multi-source information fusion
CN115688035A (en) Time sequence power data anomaly detection method based on self-supervision learning
Zhang et al. Gated recurrent unit-enhanced deep convolutional neural network for real-time industrial process fault diagnosis
CN111241744A (en) Low-pressure casting machine time sequence data abnormity detection method based on bidirectional LSTM
WO2023197617A1 (en) Method for detecting and diagnosing production abnormality of industrial system on basis of multi-dimensional sensing data
CN115903741B (en) A method for detecting data anomalies in industrial control systems
CN117494071B (en) Life prediction method based on motor rotation speed monitoring and related device
Wong et al. Recurrent auto-encoder model for large-scale industrial sensor signal analysis
CN116821619A (en) A time series anomaly detection method based on multivariate temporal relationship learning
CN117669373A (en) Energy consumption prediction method and system for hydraulic system of forging forming equipment
CN110779988A (en) A deep learning-based bolt life prediction method
CN117034055A (en) L-converter-based short-term photovoltaic power generation power prediction method
Zhou et al. FM-AE: Frequency-masked Multimodal Autoencoder for Zinc Electrolysis Plate Contact Abnormality Detection
Febrinanto et al. Entropy causal graphs for multivariate time series anomaly detection
Li et al. Hybrid variable dictionary learning for monitoring continuous and discrete variables in manufacturing processes
Abudurexiti et al. An explainable unsupervised anomaly detection framework for Industrial Internet of Things
CN118411589A (en) A method and device for detecting anomalies in semiconductor wafer manufacturing based on spatiotemporal graph neural network
John Temporal Analysis of Human Serum Albumin Using Recurrent Neural Networks for Changepoint Detection and Forecasting
CN113988259B (en) Real-time abnormality detection method for thermal power generating unit operation parameters based on VAE-GRU
CN116933643A (en) Intelligent data monitoring method based on partial robust M regression and multiple interpolation
Aksan et al. Review of the application of deep learning for fault detection in wind turbine
Wang et al. DeepFilter: An Instrumental Baseline for Accurate and Efficient Process Monitoring
Kalyani et al. A TimeImageNet sequence learning for remaining useful life estimation of turbofan engine in aircraft systems
Macas et al. An Attention-Based Deep Generative Model for Anomaly Detection in Industrial Control Systems

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination