CN115510978A - Industrial control system intrusion detection method and device and electronic equipment - Google Patents


Info

Publication number: CN115510978A
Authority: CN (China)
Prior art keywords: classification model, optimal, preset, control system, industrial control
Legal status: Pending (the legal status is an assumption, not a legal conclusion)
Application number: CN202211191929.8A
Other languages: Chinese (zh)
Inventors: 刘迪, 崔逸群, 毕玉冰, 白发琪, 燕前, 刘超飞, 肖力炀, 朱博迪, 刘骁, 刘鹏飞
Current assignee: Xian Thermal Power Research Institute Co Ltd; Huaneng Power International Inc (the listed assignees may be inaccurate)
Original assignee: Xian Thermal Power Research Institute Co Ltd; Huaneng Power International Inc
Application filed by Xian Thermal Power Research Institute Co Ltd and Huaneng Power International Inc; priority to CN202211191929.8A; published as CN115510978A; legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses an industrial control system intrusion detection method, an industrial control system intrusion detection device and electronic equipment, wherein the method comprises the following steps: acquiring behavior data and a standard data set of a target industrial control system; performing parameter optimization on a preset classification model through a standard data set to obtain an optimal target parameter; optimizing a preset classification model based on the optimal target parameter to obtain an optimal classification model; and inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result. According to the method, the optimal classification model is established through parameter optimization, and compared with the prior art, the classification speed and precision can be effectively improved, and the classification efficiency is improved; the intrusion risk can be detected in time, so that the safety of the industrial control system is better guaranteed.

Description

Industrial control system intrusion detection method and device and electronic equipment
Technical Field
The invention relates to the technical field of risk detection, in particular to an industrial control system intrusion detection method, an industrial control system intrusion detection device and electronic equipment.
Background
As industrial automation systems develop towards distributed and intelligent control, the networking of industrial control systems integrates technologies such as embedded systems, interconnection of multi-standard industrial control networks and wireless communication, which expands the scope of the industrial control field. In this process the concept of industrial information security covers all information security along the industrial ecological chain, involving industrial control systems, industrial networks, industrial big data, industrial clouds and other aspects. Although industrial information security is continuously upgraded, the industrial control system still faces the risk of intrusion; and because existing industrial control systems involve data of many kinds, with wide coverage and high complexity, intrusion detection is computationally difficult, slow and imprecise, which not only inconveniences the technicians responsible for security maintenance but also leaves potential safety hazards.
Disclosure of Invention
In view of this, the embodiment of the present invention provides an industrial control system intrusion detection method, so as to solve the problems of low computation speed and poor accuracy of the current industrial control system intrusion detection.
In order to achieve the purpose, the invention provides the following technical scheme:
the embodiment of the invention provides an industrial control system intrusion detection method, which comprises the following steps:
acquiring behavior data and a standard data set of a target industrial control system;
performing parameter optimization on a preset classification model through the standard data set to obtain an optimal target parameter;
optimizing the preset classification model based on the optimal target parameter to obtain an optimal classification model;
and inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result.
Optionally, the performing parameter optimization on a preset classification model through the standard data set to obtain an optimal target parameter includes:
carrying out normalization processing on the standard data set to obtain an initial sample set;
performing parameter optimization on the initial sample set based on a preset algorithm to obtain a first target parameter;
carrying out differential evolution calculation on the first target parameter to obtain a second target parameter;
and respectively calculating the fitness of the first target parameter and the second target parameter, comparing, and taking the target parameter with higher fitness as the optimal target parameter.
Optionally, the formula of the differential evolution calculation is:
$X_i(t+1) = X_{m_1}(t) + F \cdot [X_{m_2}(t) - X_{m_3}(t)]$
where $X_i$ denotes the first target parameter, $m_1, m_2, m_3$ index three further objects selected for the first target parameter, the four indices $i, m_1, m_2, m_3$ are mutually distinct integers, and $F$ is a scaling factor in the interval $[0, 2]$.
Optionally, the optimizing a preset classification model based on the optimal target parameter to obtain an optimal classification model includes:
inputting the optimal target parameters into a preset classification model for training;
judging whether the model training process reaches a preset termination condition, wherein the termination condition comprises: the training reaches a preset number of iterations, or the fitness of the optimal target parameter reaches a preset fitness threshold;
if the preset termination condition is not reached, returning to the step of performing optimization processing on the initial sample set based on a preset algorithm until the preset termination condition is reached;
and if the preset termination condition is reached, stopping training to obtain an optimal classification model.
Optionally, the inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result includes:
inputting the behavior data into the optimal classification model to obtain a data type;
comparing the data type with a preset intrusion risk type set, and judging whether an intrusion risk exists or not;
and if the intrusion risk exists, judging that the intrusion detection result is the risk.
Optionally, the method further includes:
respectively carrying out error analysis on the preset classification model and the optimal classification model based on the standard data set;
and verifying the precision of the optimal classification model based on an error analysis result.
Optionally, the performing error analysis on the preset classification model and the optimal classification model respectively based on the standard data set includes:
dividing the standard data set into a training set and a test set;
calculating a first error value of the preset classification model based on the training set, the first error value comprising: a first average relative error and a first average absolute error;
calculating a second error value for the optimal classification model based on the training set, the second error value comprising: a second average relative error and a second average absolute error;
calculating a third error value for the preset classification model based on the test set, the third error value comprising: a third average relative error and a third average absolute error;
calculating a fourth error value for the optimal classification model based on the test set, the fourth error value comprising: a fourth average relative error and a fourth average absolute error;
and comparing the first error value with the second error value, and comparing the third error value with the fourth error value to obtain an error analysis result.
The embodiment of the invention also provides an industrial control system intrusion detection device, which comprises:
the acquisition module is used for acquiring behavior data and a standard data set of the target industrial control system;
the optimizing module is used for optimizing parameters of a preset classification model through the standard data set to obtain optimal target parameters;
the optimization module is used for optimizing the preset classification model based on the optimal target parameter to obtain an optimal classification model;
and the analysis module is used for inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result.
An embodiment of the present invention further provides an electronic device, including:
a memory and a processor communicatively connected to each other, wherein the memory stores computer instructions and the processor executes the computer instructions so as to perform the industrial control system intrusion detection method provided by the embodiment of the invention.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer instructions, wherein the computer instructions are used for causing a computer to execute the industrial control system intrusion detection method provided by the embodiment of the invention.
The technical scheme of the invention has the following advantages:
the invention provides an industrial control system intrusion detection method, which comprises the steps of obtaining behavior data and a standard data set of a target industrial control system; performing parameter optimization on a preset classification model through a standard data set to obtain an optimal target parameter; optimizing a preset classification model based on the optimal target parameter to obtain an optimal classification model; and inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result. According to the method, the optimal classification model is established through parameter optimization, and compared with the prior art, the classification speed and precision can be effectively improved, and the classification efficiency is improved; the intrusion risk can be detected in time, and therefore the safety of the industrial control system is better guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of an industrial control system intrusion detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating parameter optimization for a predetermined classification model according to an embodiment of the present invention;
FIG. 3 is a flow chart of optimizing a predetermined classification model according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating intrusion detection results analyzed according to an embodiment of the present invention;
FIG. 5 is a flow chart of verifying the accuracy of an optimal classification model according to an embodiment of the present invention;
FIG. 6 is a flow chart of an error analysis performed in an embodiment in accordance with the invention;
fig. 7 is a schematic structural diagram of an industrial control system intrusion detection device in an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In accordance with an embodiment of the present invention, an industrial control system intrusion detection method embodiment is provided, it should be noted that the steps illustrated in the flowcharts of the figures may be executed in a computer system such as a set of computer executable instructions, and although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be executed in an order different from that described herein.
In this embodiment, an industrial control system intrusion detection method is provided, which may be used for safety protection of an industrial control system, and as shown in fig. 1, the industrial control system intrusion detection method includes the following steps:
Step S1: acquire behavior data and a standard data set of the target industrial control system. Specifically, the standard data set is a public data set of an industrial control system and can be obtained directly; the behavior data is the data information obtained by monitoring the target industrial control system in real time.
Step S2: and performing parameter optimization on the preset classification model through a standard data set to obtain an optimal target parameter. Specifically, through a parameter optimization process, a penalty factor affecting classification precision in the model and an optimal parameter of a kernel function can be obtained, and then the model precision is improved in the subsequent model optimization.
Step S3: optimize the preset classification model based on the optimal target parameters to obtain the optimal classification model. Specifically, by optimizing the penalty factor and the kernel function of the model, the search capability can be enhanced, the error reduced, and the classification precision of the model improved.
Step S4: input the behavior data into the optimal classification model for analysis to obtain an intrusion detection result. Specifically, behavior carrying an intrusion risk can be accurately identified through intrusion detection, which gives technical personnel substantial help in carrying out safety maintenance.
Through the steps S1 to S4, the industrial control system intrusion detection method provided by the embodiment of the invention establishes the optimal classification model through parameter optimization, and compared with the prior art, the method can effectively improve the classification speed and precision and improve the classification efficiency; the intrusion risk can be detected in time, so that the safety of the industrial control system is better guaranteed.
Specifically, in an embodiment, the step S2, as shown in fig. 2, specifically includes the following steps:
step S21: and carrying out normalization processing on the standard data set to obtain an initial sample set. Specifically, the standard data set obtained in the industrial control system includes discrete values and continuous values, and the value ranges of different characteristic values are different, and the normalization processing can remove unit dimensions, so that data of different magnitudes can be compared. In this embodiment, a maximum-minimum normalization method is adopted, so that the data of the data set can be mapped to a [0,1] interval, and the formula is as follows:
[min-max normalization formula: image not reproduced in this extraction]
where $x$ is one dimension (attribute) of the data in the data set, and $x_{\max}$ and $x_{\min}$ are the maximum and minimum values of that attribute.
Step S22: perform parameter optimization on the initial sample set based on a preset algorithm to obtain a first target parameter. Specifically, the preset algorithm may be the Harris hawks algorithm, whose optimization process is as follows:
1. Parameter setting and population initialization
Assume a Harris hawk population of size $N$, $\mathrm{Eagle} = (X_1, X_2, \ldots, X_N)^T$, with the initial population positions given by:
[population position matrix: image not reproduced in this extraction]
where $X_{i,j}$ is the value of the $j$-th dimension of the $i$-th Harris hawk. The value of the fitness function $f$ for each Harris hawk is stored as an objective matrix:
[fitness matrix: image not reproduced in this extraction]
2. Global search phase
In the hunting stage the Harris hawk population is widely dispersed, perched at different treetop positions to detect prey:
[global search position update: image not reproduced in this extraction]
where $q, r_1, r_2, r_3, r_4$ are random numbers in $(0, 1)$, $X(t+1)$ is the position vector of the Harris hawk at the next iteration, $X_{rand}(t)$ is the position vector of a randomly chosen hawk, $X_{rabbit}(t)$ is the position vector of the prey, $X_{ave}$ is the current average position of the hawk population, and $LB$ and $UB$ are the lower and upper bounds of the variables in the search space. When $q < 0.5$ the Harris hawk has found prey and its position is updated according to the positions of the other members of the population and the prey; when $q \geq 0.5$ no member of the population has found prey, and the Harris hawk randomly selects a perch and updates its own position vector.
After the prey is found the Harris hawks pursue it; the prey's escape energy passes through different states, and the escape energy $E$ of the prey in the current situation is expressed as:
$E = 2E_0(1 - t/T)$
where $t$ is the current iteration number, $T$ is the maximum number of iterations, and $E_0$ is a random number in $(-1, 1)$: $E_0 < 0$ indicates that the prey is continuously consuming energy while escaping, and $E_0 > 0$ indicates that the prey is in an energy-recovery stage. When $|E| > 1$ the prey is still strong, and the Harris hawks spread out over a wide range to search for its location, which corresponds to the global search stage. When $|E| < 1$ the prey's strength is exhausted and the Harris hawks enter the local besiege stage.
3. Local besiege stage
Let $r$ be the escape probability of the prey: $r < 0.5$ indicates a successful escape and $r \geq 0.5$ a failed escape. The local besiege stage has four different besiege modes, determined by $r$ and the escape energy $E$ of the prey.
The first mode: soft besiege. When $|E| \geq 0.5$ and $r \geq 0.5$, the prey has enough energy to escape. The Harris hawk does not immediately tighten the encirclement but circles the prey to exhaust its energy, and the position update formula of the Harris hawk is:
$X(t+1) = X_{rabbit}(t) - X(t) - E\,|J X_{rabbit}(t) - X(t)|$
where $J$ is the random jump distance of the prey, in $(0, 2)$.
The second mode: hard besiege. When $|E| < 0.5$ and $r \geq 0.5$, the escape energy of the prey is low and the Harris hawk rushes at the prey. The position update formula is:
$X(t+1) = X_{rabbit}(t) - E\,|X_{rabbit}(t) - X(t)|$
The third mode: soft besiege with progressive rapid dives. When $|E| \geq 0.5$ and $r < 0.5$, the prey has a chance to escape and sufficient escape energy; the Harris hawk first performs a soft besiege and then a rapid dive attack. In this process a Lévy flight is added to simulate the prey's zigzag escape path and the irregular rapid dives made by the hawk population after a failed attack. The hawk population corrects its direction and position according to the prey's deceptive, route-changing escape. The Harris hawk position update formula is then:
[position update choosing between Y and Z: image not reproduced in this extraction]
where $Y$ is the position corrected according to the prey's escape direction, used to evaluate the next action:
$Y = X_{rabbit}(t) - E\,|J X_{rabbit}(t) - X(t)|$
The fitness of $Y$ is compared with that of the current position; if the attack is not successful, the hawk population obtains $Z$ through an irregular rapid dive attack:
$Z = Y + S \times LF(D)$
where $S$ is a random vector of dimension $1 \times D$ and $LF$ is the Lévy flight function.
The fourth mode: hard besiege with progressive rapid dives. When $|E| < 0.5$ and $r < 0.5$, the prey has a chance to escape but insufficient escape energy; the Harris hawks first form a tight encirclement and then progressively reduce their average distance to the prey. The position update formula of the Harris hawk is then:
[position update choosing between Y and Z: image not reproduced in this extraction]
$Y = X_{rabbit}(t) - E\,|J X_{rabbit}(t) - X_{ave}(t)|$
$Z = Y + S \times LF(D)$
the Harris eagle algorithm has the characteristics of simple calculation, less control parameters and strong searching capability; the optimization is carried out through the Harris eagle algorithm, the optimization speed can be effectively improved, and the accuracy is high.
Step S23: perform differential evolution calculation on the first target parameter to obtain a second target parameter. Specifically, differential evolution has strong search capability, is not prone to falling into local optima and converges quickly, so the differential evolution process helps to find better target parameters.
Step S24: and respectively calculating the fitness of the first target parameter and the second target parameter, comparing, and taking the target parameter with higher fitness as the optimal target parameter. Specifically, the deviation between the predicted value and the true value is measured through the root mean square error, so that the fitness of the target parameter is represented. Through the parameter optimization process, a penalty factor influencing the classification precision in the model and the optimal parameter of the kernel function can be obtained, and then the model precision is improved in the subsequent model optimization.
Specifically, in an embodiment, the formula of the differential evolution calculation in step S23 is:
$X_i(t+1) = X_{m_1}(t) + F \cdot [X_{m_2}(t) - X_{m_3}(t)]$
where $X_i$ denotes the first target parameter, $m_1, m_2, m_3$ index three further objects selected for the first target parameter, the four indices $i, m_1, m_2, m_3$ are mutually distinct integers, and $F$ is a scaling factor in the interval $[0, 2]$.
Specifically, the differential evolution process comprises three parts: mutation, crossover and selection. In the differential evolution algorithm each object of the population randomly selects three other objects of the population to generate the corresponding target genes, new objects are then generated by crossing the target genes, and selection judges whether the fitness of the new object is better: if it is better, the new object replaces the old one, and if not, the evolution is discarded. This process helps to compute better target parameters and thereby improve model accuracy.
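One differential-evolution generation over a population of candidate parameter vectors, followed by the step S24 comparison of the first (HHO) and second (DE) target parameters; this is an added example, not the patent's code. The mutation follows the page's formula with distinct indices; binomial crossover with rate CR, the constructed candidates and the distance-based stand-in for the RMSE fitness (lower is better, so "higher fitness" in the text means lower RMSE here) are assumptions.

```python
import random


def de_generation(population, fitness, F=0.5, CR=0.9, rng=None):
    """One differential-evolution generation: mutation, crossover, selection (lower fitness is better)."""
    rng = rng or random.Random(0)
    n, dim = len(population), len(population[0])
    assert n >= 4, "rand/1 mutation needs i and three other distinct objects"
    offspring = []
    for i, x in enumerate(population):
        # mutation: V_i = X_m1 + F * (X_m2 - X_m3), with i, m1, m2, m3 mutually distinct
        m1, m2, m3 = rng.sample([k for k in range(n) if k != i], 3)
        v = [population[m1][j] + F * (population[m2][j] - population[m3][j]) for j in range(dim)]
        # binomial crossover (assumed; the page does not fix the scheme): each gene is taken from
        # the mutant with probability CR, and at least one gene always is
        j_rand = rng.randrange(dim)
        u = [v[j] if (j == j_rand or rng.random() < CR) else x[j] for j in range(dim)]
        # selection: the new object replaces the old one only if its fitness is not worse
        offspring.append(u if fitness(u) <= fitness(x) else x)
    return offspring


def select_optimal(first, second, fitness):
    """Step S24: compare the first (HHO) and second (DE) target parameters, keep the fitter one."""
    return first if fitness(first) <= fitness(second) else second


def rmse_stand_in(p):
    """Constructed fitness: distance from an assumed best (C, sigma^2) = (4.0, 0.5)."""
    return ((p[0] - 4.0) ** 2 + (p[1] - 0.5) ** 2) ** 0.5


def refine(first_population, fitness, generations=40, seed=0):
    """Run DE on the HHO population; return (best first, best second, optimal target parameter)."""
    rng = random.Random(seed)
    pop = first_population
    for _ in range(generations):
        pop = de_generation(pop, fitness, F=0.5, CR=0.9, rng=rng)
    best_first = min(first_population, key=fitness)
    best_second = min(pop, key=fitness)
    return best_first, best_second, select_optimal(best_first, best_second, fitness)


if __name__ == "__main__":
    # constructed "first target parameters": a population of (C, sigma^2) candidates
    candidates = [[1.0, 2.0], [8.0, 0.1], [3.0, 3.0], [6.0, 1.0], [0.5, 0.5], [9.0, 2.5]]
    print(refine(candidates, rmse_stand_in))
```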
Specifically, in an embodiment, the step S3, as shown in fig. 3, specifically includes the following steps:
step S31: and inputting the optimal target parameters into a preset classification model for training.
Step S32: judge whether the model training process has reached a preset termination condition, wherein the termination condition comprises: the training reaches the preset number of iterations, or the fitness of the optimal target parameter reaches the preset fitness threshold.
Step S33: if the preset termination condition is not reached, return to the step of performing optimization on the initial sample set based on the preset algorithm, until the preset termination condition is reached.
Step S34: and if the preset termination condition is reached, stopping training to obtain the optimal classification model.
Specifically, the preset classification model in this embodiment is built on a least squares support vector machine (LS-SVM). Assume a given training set of samples $(x_i, y_i)$, $i = 1, 2, 3, \ldots, n$, $x \in R^d$, $y \in R$, and a function
[decision function: image not reproduced in this extraction]
which is the decision function.
An optimization problem is established according to the structural risk minimization principle:
[optimization problem: image not reproduced in this extraction]
where $C$ is the penalty factor controlling the degree of penalty for sample misclassification, $\omega$ is the weight vector,
[kernel mapping symbol: image not reproduced in this extraction]
is the kernel function, and $\xi$ is the slack variable.
The Lagrangian function is then constructed from the above equation:
[Lagrangian function: image not reproduced in this extraction]
From the optimality conditions of the Lagrangian function the following is obtained:
[optimality conditions: image not reproduced in this extraction]
The optimization problem is thereby transformed into solving a system of linear equations:
[linear system: image not reproduced in this extraction]
where $y = [y_1, y_2, \ldots, y_n]^T$, $E = [1, 1, \ldots, 1]^T$,
[definition of $\Omega_{ij}$: image not reproduced in this extraction]
$\Omega = \{\Omega_{ij}\}$.
A radial basis function is defined as the kernel function, i.e.
[RBF kernel: image not reproduced in this extraction]
The final decision function is obtained as:
[final decision function: image not reproduced in this extraction]
The support vector machine (SVM) is a typical classification algorithm in machine learning; it can solve complex nonlinear problems and is not prone to overfitting in regression analysis. The SVM seeks the hyperplane with maximum margin to the learning samples, converting the problem into a convex quadratic programming problem. In the linearly separable case it searches the original space for the optimal classification hyperplane between two classes of samples; in the linearly inseparable case a kernel function maps the original data into a high-dimensional space, where the linear inseparability is resolved. The least squares support vector machine (LS-SVM) uses a least-squares linear structure to convert the inequality constraints of the SVM into equality constraints and the quadratic programming problem into a system of linear equations, which simplifies the computation and gives more stable results.
Specifically, in an embodiment, as shown in fig. 4, the step S4 specifically includes the following steps:
step S41: and inputting the behavior data into the optimal classification model to obtain the data type.
Step S42: and comparing the data type with a preset intrusion risk type set, and judging whether an intrusion risk exists or not.
Step S43: and if the intrusion risk exists, judging that the intrusion detection result is the risk.
Specifically, the behavior with the intrusion risk can be accurately analyzed through intrusion detection, the intrusion risk can be detected in time, powerful help is provided for technical personnel to perform safety maintenance, and therefore safety of the industrial control system is better guaranteed.
Specifically, in an embodiment, as shown in fig. 5, the industrial control system intrusion detection method further includes the following steps:
step S51: and respectively carrying out error analysis on the preset classification model and the optimal classification model based on the standard data set.
Step S52: and verifying the precision of the optimal classification model based on the error analysis result.
Specifically, by performing precision verification on the optimal classification model, the difference between the optimal classification model and a preset classification model can be visually compared, and the test precision of the optimal classification model can be known; when errors occur in the model building process, the errors can be found in time through precision verification, and then the model is adjusted, so that the accuracy of the model in the using process is ensured.
Specifically, in an embodiment, the step S51, as shown in fig. 6, specifically includes the following steps:
step S511: the standard data set is divided into a training set and a test set.
Step S512: calculating a first error value of the preset classification model based on the training set, wherein the first error value comprises: a first average relative error and a first average absolute error.
Step S513: calculating a second error value of the optimal classification model based on the training set, the second error value comprising: a second average relative error and a second average absolute error.
Step S514: calculating a third error value of the preset classification model based on the test set, wherein the third error value comprises: a third average relative error and a third average absolute error.
Step S515: calculating a fourth error value for the optimal classification model based on the test set, the fourth error value comprising: a fourth average relative error and a fourth average absolute error.
Step S516: and comparing the first error value with the second error value, and comparing the third error value with the fourth error value to obtain an error analysis result.
Specifically, in the verification process the error between the predicted values and the actual values is measured by the mean relative error (MRE) and the mean absolute error (MAE).
The model performance evaluation criteria are defined by the MRE and MAE formulas (given on the page only as images), in which the predicted value of the model is compared with the true value y_i over n samples.
The error analysis process is illustrated below with a specific example:
Model parameters are initialised: dim, the population size and the maximum number of iterations are set; experiments are then run on the training set and on the test set respectively.
First, intrusion detection for the industrial control system is predicted with the preset classification model, and the model's error on the training set and on the test set samples is obtained. Then, to verify that the optimal classification model has stronger global search capability and can improve test precision, the penalty factor c and the kernel-function parameter σ² of the preset classification model are optimised, the optimised parameters are fed into the preset classification model for training, and the resulting errors on the training set and the test set samples are obtained; the fit between predicted and true values is observed and compared with that of the preset classification model. The comparison shows the difference in error between the preset classification model and the optimal classification model, which verifies whether the optimal classification model is effective and whether classification precision has been improved.
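The experiment above, worked through end to end as an added example. This is not the patent's code and the page gives no implementation; everything below that the page does not state is an assumption: the preset classification model is taken to be a Parzen-window classifier with an RBF kernel whose two tunable parameters are the penalty factor c (applied here as a weight on the intrusion-class score) and the kernel width σ²; the "preset algorithm" that yields the first target parameter is random initialisation within assumed bounds; fitness is leave-one-out training accuracy; and, because the MRE and MAE formula images did not survive extraction, the standard definitions MRE = (1/n) Σ |ŷ_i − y_i| / |y_i| and MAE = (1/n) Σ |ŷ_i − y_i| are used. The second target parameter is produced by the mutation rule of claim 3 and kept only when its fitness is higher (claim 2); the four error values of steps S512 to S515 are then computed for the preset and optimal models on the training and test sets, and the step S41 to S43 decision maps the predicted data type to a risk result. The ICS behaviour data is constructed.

```python
"""Added example (not the patent's code): DE-style tuning of (c, sigma2) for an
assumed kernel classifier, the MRE/MAE error analysis of S511-S516, and S41-S43."""
import math
import random

NORMAL, INTRUSION = 1, 2            # data types; nonzero so MRE is defined
RISK_TYPES = {INTRUSION}            # preset intrusion risk type set (step S42)
BOUNDS = ((0.1, 10.0), (0.05, 5.0)) # assumed search ranges for (c, sigma2)
PRESET = (1.0, 1.0)                 # assumed parameters of the preset model

def rbf(a, b, sigma2):
    """Gaussian kernel with width parameter sigma2 (assumed kernel)."""
    return math.exp(-sum((x - y) ** 2 for x, y in zip(a, b)) / (2.0 * sigma2))

def predict(train, x, c, sigma2):
    """Parzen-window vote; c scales the intrusion score (assumed penalty role)."""
    score = {NORMAL: 0.0, INTRUSION: 0.0}
    for xi, yi in train:
        score[yi] += rbf(xi, x, sigma2)
    score[INTRUSION] *= c
    return max(score, key=score.get)

def fitness(params, train):
    """Leave-one-out training accuracy (assumed fitness function)."""
    c, sigma2 = params
    hits = sum(predict(train[:k] + train[k + 1:], x, c, sigma2) == y
               for k, (x, y) in enumerate(train))
    return hits / len(train)

def clip(v):
    """Keep a parameter vector inside BOUNDS (sigma2 must stay positive)."""
    return tuple(min(max(x, lo), hi) for x, (lo, hi) in zip(v, BOUNDS))

def de_mutate(pop, i, F, rng):
    """Claim 3: X_i(t+1) = X_m1(t) + F * (X_m2(t) - X_m3(t)), i, m1, m2, m3 distinct."""
    m1, m2, m3 = rng.sample([k for k in range(len(pop)) if k != i], 3)
    return tuple(pop[m1][j] + F * (pop[m2][j] - pop[m3][j])
                 for j in range(len(pop[i])))

def optimise(train, pop_size=8, iters=15, F=0.5, seed=1):
    """Claim 2: first target parameter vs DE-mutated second; keep the fitter one."""
    rng = random.Random(seed)
    pop = [tuple(rng.uniform(lo, hi) for lo, hi in BOUNDS) for _ in range(pop_size)]
    for _ in range(iters):                      # preset iteration count ends the search
        for i in range(pop_size):
            first = pop[i]
            second = clip(de_mutate(pop, i, F, rng))
            if fitness(second, train) > fitness(first, train):
                pop[i] = second
    return max(pop, key=lambda p: fitness(p, train))   # optimal target parameter

def mre(pred, true):
    """Mean relative error (assumed standard form); true values must be nonzero."""
    return sum(abs(p - t) / abs(t) for p, t in zip(pred, true)) / len(true)

def mae(pred, true):
    """Mean absolute error (assumed standard form)."""
    return sum(abs(p - t) for p, t in zip(pred, true)) / len(true)

def error_values(train, data, params):
    """(MRE, MAE) of the model fitted on `train` when applied to `data`."""
    pred = [predict(train, x, *params) for x, _ in data]
    true = [y for _, y in data]
    return mre(pred, true), mae(pred, true)

def detect(train, x, params):
    """Steps S41-S43: data type -> membership in the risk type set -> result."""
    return "risk" if predict(train, x, *params) in RISK_TYPES else "no risk"

def make_dataset(n_normal=20, n_intrusion=8, seed=0):
    """Constructed behaviour data: (packet rate, write-command ratio), overlapping."""
    rng = random.Random(seed)
    rows = [((rng.gauss(1.0, 0.6), rng.gauss(0.2, 0.15)), NORMAL) for _ in range(n_normal)]
    rows += [((rng.gauss(2.2, 0.6), rng.gauss(0.6, 0.15)), INTRUSION) for _ in range(n_intrusion)]
    rng.shuffle(rows)
    return rows[::2], rows[1::2]                # step S511: training / test split

def error_analysis(train, test, preset=PRESET):
    """Steps S512-S516: the four error values, preset vs optimal, train vs test."""
    optimal = optimise(train)
    return {
        "optimal_params": optimal,
        "first_preset_train": error_values(train, train, preset),
        "second_optimal_train": error_values(train, train, optimal),
        "third_preset_test": error_values(train, test, preset),
        "fourth_optimal_test": error_values(train, test, optimal),
    }

if __name__ == "__main__":
    tr, te = make_dataset()
    for k, v in error_analysis(tr, te).items():
        print(f"{k:22s} {v}")
    print(detect(tr, (2.5, 0.7), PRESET))
```

Two practical points the procedure depends on. MRE divides by the true value, so class codes used as y_i must be nonzero (hence types 1 and 2 here) or the metric is undefined for the zero class. And because steps S2 and S51 both draw on the same standard data set, the split in step S511 is what keeps the verification honest: the first and second error values are measured on the data the parameters were tuned on, so only the third and fourth (test-set) values say anything about how the optimal model will behave on unseen behaviour data.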
This embodiment further provides an industrial control system intrusion detection apparatus, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides an industrial control system intrusion detection apparatus, as shown in fig. 7, including:
the obtaining module 101 is configured to obtain behavior data and a standard data set of the target industrial control system, and for details, refer to the related description of step S1 in the foregoing method embodiment, which is not described herein again.
The optimizing module 102 is configured to perform parameter optimizing on the preset classification model through the standard data set to obtain an optimal target parameter, for details, refer to the relevant description of step S2 in the foregoing method embodiment, and details are not described here again.
The optimizing module 103 is configured to optimize the preset classification model based on the optimal target parameter to obtain an optimal classification model, and for details, reference is made to the relevant description of step S3 in the foregoing method embodiment, which is not described herein again.
The analysis module 104 is configured to input the behavior data into the optimal classification model to perform analysis to obtain an intrusion detection result, for details, refer to the related description of step S4 in the foregoing method embodiment, which is not described herein again.
The intrusion detection device of the industrial control system in this embodiment is presented in the form of functional units, where a unit refers to an ASIC circuit, a processor and memory executing one or more software or fixed programs, and/or other devices capable of providing the above functions.
Further functional descriptions of the modules are the same as those of the corresponding embodiments, and are not repeated herein.
There is also provided an electronic device according to an embodiment of the present invention, as shown in fig. 8, the electronic device may include a processor 901 and a memory 902, where the processor 901 and the memory 902 may be connected by a bus or in another manner, and fig. 8 takes the example of being connected by a bus.
Processor 901 may be a Central Processing Unit (CPU). Processor 901 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 902, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the methods in the method embodiments of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory 902, the processor 901 executes the various functional applications and data processing of the device, that is, it implements the methods in the above method embodiments.
The memory 902 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 901, and the like. Further, the memory 902 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 902 may optionally include memory located remotely from the processor 901, which may be connected to the processor 901 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 902, which when executed by the processor 901 perform the methods in the above-described method embodiments.
The specific details of the electronic device may be understood by referring to the corresponding related description and effects in the above method embodiments, which are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, and the program can be stored in a computer readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk Drive (Hard Disk Drive, abbreviated as HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An industrial control system intrusion detection method is characterized by comprising the following steps:
acquiring behavior data and a standard data set of a target industrial control system;
performing parameter optimization on a preset classification model through the standard data set to obtain an optimal target parameter;
optimizing the preset classification model based on the optimal target parameter to obtain an optimal classification model;
and inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result.
2. The industrial control system intrusion detection method according to claim 1, wherein the performing parameter optimization on a preset classification model through the standard data set to obtain an optimal target parameter comprises:
carrying out normalization processing on the standard data set to obtain an initial sample set;
performing parameter optimization on the initial sample set based on a preset algorithm to obtain a first target parameter;
carrying out differential evolution calculation on the first target parameter to obtain a second target parameter;
and respectively calculating the fitness of the first target parameter and the second target parameter, comparing the fitness, and taking the target parameter with higher fitness as the optimal target parameter.
3. The industrial control system intrusion detection method according to claim 2, wherein the formula of the differential evolution calculation is as follows:
X_i(t+1) = X_{m_1}(t) + F \cdot [X_{m_2}(t) - X_{m_3}(t)]
wherein X_i denotes the first target parameter, m_1, m_2 and m_3 index three further individuals selected for the first target parameter, i, m_1, m_2 and m_3 are four mutually distinct integers, and F is a scaling factor in the interval [0, 2].
4. The industrial control system intrusion detection method according to claim 2, wherein the optimizing a preset classification model based on the optimal target parameter to obtain an optimal classification model comprises:
inputting the optimal target parameters into a preset classification model for training;
judging whether the model training process has reached a preset termination condition, the termination condition comprising: the preset number of iterations is reached, or the fitness of the optimal target parameter reaches a preset fitness threshold;
if the preset termination condition is not reached, returning to the step of performing optimization processing on the initial sample set based on a preset algorithm until the preset termination condition is reached;
and if the preset termination condition is reached, stopping training to obtain an optimal classification model.
5. The industrial control system intrusion detection method according to claim 1, wherein the inputting the behavior data into the optimal classification model for analysis to obtain intrusion detection results comprises:
inputting the behavior data into the optimal classification model to obtain a data type;
comparing the data type with a preset intrusion risk type set, and judging whether an intrusion risk exists or not;
and if the intrusion risk exists, judging that the intrusion detection result is the risk.
6. The industrial control system intrusion detection method according to claim 1, wherein the method further comprises:
respectively carrying out error analysis on the preset classification model and the optimal classification model based on the standard data set;
and verifying the precision of the optimal classification model based on the error analysis result.
7. The industrial control system intrusion detection method according to claim 6, wherein the performing error analysis on the preset classification model and the optimal classification model based on the standard data set respectively comprises:
dividing the standard data set into a training set and a test set;
calculating a first error value of the preset classification model based on the training set, the first error value comprising: a first average relative error and a first average absolute error;
calculating a second error value for the optimal classification model based on the training set, the second error value comprising: a second average relative error and a second average absolute error;
calculating a third error value for the preset classification model based on the test set, the third error value comprising: a third average relative error and a third average absolute error;
calculating a fourth error value for the optimal classification model based on the test set, the fourth error value comprising: a fourth average relative error and a fourth average absolute error;
and comparing the first error value with the second error value, and comparing the third error value with the fourth error value to obtain an error analysis result.
8. An industrial control system intrusion detection device, comprising:
the acquisition module is used for acquiring behavior data and a standard data set of the target industrial control system;
the optimizing module is used for optimizing parameters of a preset classification model through the standard data set to obtain optimal target parameters;
the optimization module is used for optimizing the preset classification model based on the optimal target parameter to obtain an optimal classification model;
and the analysis module is used for inputting the behavior data into the optimal classification model for analysis to obtain an intrusion detection result.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the industrial control system intrusion detection method of any one of claims 1-7.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions for causing a computer to perform the industrial control system intrusion detection method according to any one of claims 1-7.
CN202211191929.8A 2022-09-28 2022-09-28 Industrial control system intrusion detection method and device and electronic equipment Pending CN115510978A (en)
Publications (1)

Publication Number Publication Date
CN115510978A true CN115510978A (en) 2022-12-23

Family

ID=84505529
Country Status (1)

Country Link
CN (1) CN115510978A (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116242383A (en) * 2023-03-15 2023-06-09 皖西学院 Unmanned vehicle path planning method based on reinforced Harris eagle algorithm
CN116242383B (en) * 2023-03-15 2023-09-15 皖西学院 Unmanned vehicle path planning method based on reinforced Harris eagle algorithm
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination