CN116389116A - Industrial control system network security situation sensing system based on artificial intelligence - Google Patents

Publication number
CN116389116A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310357359.3A
Other languages
Chinese (zh)
Inventor
陈小军
招嘉焕
赵伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Lubangtong IoT Co Ltd
Original Assignee
Guangzhou Lubangtong IoT Co Ltd
Application filed by Guangzhou Lubangtong IoT Co Ltd
Priority to CN202310357359.3A
Publication of CN116389116A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Evolutionary Computation (AREA)
  • Technology Law (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The invention discloses an artificial intelligence-based industrial control system network security situation awareness system comprising: an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module. The industrial control system security data acquisition module acquires network security data of the industrial control system and transmits it to the network security situation processing module. The network security situation processing module fuses the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits that result to both the network security situation assessment module and the network security situation prediction module. The assessment module evaluates the current network security situation, and the prediction module predicts future network security situations.

Description

Industrial control system network security situation sensing system based on artificial intelligence
Technical Field
The invention relates to the technical field of network security, in particular to an industrial control system network security situation awareness system based on artificial intelligence.
Background
The rapid development of the internet makes our lives more and more convenient, and the consequent network security problems gradually affect our lives. Although the prior art strengthens the protection measures to a certain extent, for example, a firewall and other modes are adopted for protection, a single protection mode cannot resist complex and changeable network attacks, and situation awareness can comprehensively and dynamically perceive the network environment, so that network threats can be effectively resolved.
Network security situation awareness is used as an active security protection technology and is widely applied to an industrial control network, but the existing network security situation awareness system still has the problem of low accuracy, so that how to improve the accuracy and the intelligent level of dynamic prediction of the security situation is a problem to be solved at present.
Disclosure of Invention
The invention provides an industrial control system network security situation awareness system based on artificial intelligence so as to solve the problems in the prior art.
The invention provides an artificial intelligence-based industrial control system network security situation awareness system, which comprises: an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module;
the industrial control system security data acquisition module acquires network security data of the industrial control system and transmits it to the network security situation processing module; the network security situation processing module fuses the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits that result to both the network security situation assessment module and the network security situation prediction module; the assessment module evaluates the current network security situation, and the prediction module predicts future network security situations.
Preferably, the network security situation processing module includes:
the data preprocessing module, used for performing heterogeneous division on the network security data and screening the network security data according to the heterogeneous division result;
the format conversion module, used for converting the screened network security data into a data format suitable for data fusion;
the attribute feature extraction module, used for extracting attribute features from the converted data and performing attribute reduction based on the attribute features;
and the fusion processing module, used for analyzing the relevance of the attribute-reduced network security data from multiple angles, including spatio-temporal and feature angles, and performing data fusion based on the relevance.
Preferably, the network security situation assessment module includes:
the network node dividing module, used for dividing the network into a plurality of network nodes based on a network node dividing algorithm;
the evaluation parameter determining module, used for establishing a parameter evaluation graph combining threat performance and defensive performance;
the construction module, used for constructing a pre-attack text and a post-attack text based on the parameter evaluation graph;
and the evaluation value calculation module, used for calculating the similarity between the pre-attack text and the post-attack text, determining an evaluation value based on the similarity, and determining a network security situation evaluation result based on the evaluation value.
Preferably, the parameters in the parameter evaluation relationship graph include: a network attack frequency parameter, a network attack threat degree parameter, a network node vulnerability quantity parameter, a network node vulnerability threat degree parameter and a network node vulnerability attack probability parameter.
Preferably, the evaluation value calculation module includes:
a data repetition rate calculation module, used for calculating the repetition rate of the data corresponding to the pre-attack text and the post-attack text;
the similarity calculation module, used for determining the similarity of the pre-attack text and the post-attack text based on the data repetition rate and a similarity formula;
the threshold setting module, used for setting a threshold for judging whether two pieces of data are similar;
and the calculation result module, used for determining, according to the set threshold, whether the two are similar and the quantized similarity value, and for determining the quantized evaluation value.
Preferably, the network node dividing module includes:
the block dividing unit is used for dividing the large-scale industrial control system network by using a Louvain algorithm for detecting the community structure in the complex network to obtain a plurality of blocks and weights corresponding to each block;
and the storage unit is used for collecting the security situation elements detected on the network node, and uploading the security situation elements to the distributed file system for storage.
Preferably, the construction module includes:
the preprocessing unit, used for preprocessing the network security situation elements to obtain attack types and attack times;
a scanning unit, used for scanning the vulnerabilities of the nodes inside the block and calculating the attack success probability of each attack type according to the vulnerability types that different network attacks rely on;
the measuring unit, used for constructing, for each node in the module, an attack text according to the attack type and the attack times, processing the text with an improved SimHash algorithm, and measuring the attack severity of different types of attacks;
and the computing unit, used for computing the security situation value of the node according to the attack threat value, the attack severity and the attack success probability.
Preferably, the network security situation prediction module includes:
a large sample acquisition unit, used for replacing the large sample required by a neural network with the poor-information (small-sample) modelling of the gray Verhulst model;
the fitting difference establishing unit, used for compensating the nonlinear fitting error of the gray Verhulst model with the nonlinear processing capability of the GRU network;
and the network prediction model building unit, used for building a Verhulst-GRU network prediction model.
Preferably, the network prediction model building unit includes:
converting intrusion detection information into a nonlinear time series of network security situation values based on a text SimHash algorithm; normalizing the historical and current network security situation sequences to obtain prediction data samples;
establishing an adaptive gray Verhulst prediction model from the processed network security situation value sequence;
improving the gray background value generating function to raise the preliminary prediction accuracy, and obtaining a preliminary situation prediction value;
and calculating the residual between the actual value and the predicted value.
Preferably, the network prediction model building unit further includes:
the determining unit, used for determining the number of training samples and prediction samples, and taking the predicted value as the input of the GRU neural network and the residual as its output;
the training unit, used for training the GRU network with the mean square error of the GRU network as the objective;
the residual prediction unit, used for predicting the residual sequence with the trained GRU network to obtain a residual prediction value;
and the precision checking unit, used for applying a secondary correction to the preliminary prediction result so as to check the precision.
Compared with the prior art, the invention has the following advantages:
The invention provides an artificial intelligence-based industrial control system network security situation awareness system comprising: an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module. The industrial control system security data acquisition module acquires network security data of the industrial control system and transmits it to the network security situation processing module. The network security situation processing module fuses the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits that result to both the network security situation assessment module and the network security situation prediction module. The assessment module evaluates the current network security situation, and the prediction module predicts future network security situations.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
FIG. 1 is a schematic diagram of an artificial intelligence-based network security situation awareness system of an industrial control system in an embodiment of the invention;
FIG. 2 is a schematic structural diagram of a network security situation processing module in an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a network security situation assessment module according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
The embodiment of the invention provides an industrial control system network security situation awareness system based on artificial intelligence. Referring to FIG. 1, the system comprises:
an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module;
the industrial control system security data acquisition module acquires network security data of the industrial control system and transmits it to the network security situation processing module; the network security situation processing module fuses the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits that result to both the network security situation assessment module and the network security situation prediction module; the assessment module evaluates the current network security situation, and the prediction module predicts future network security situations.
The working principle of the technical scheme is as follows: the scheme adopted by this embodiment comprises an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module. The industrial control system security data acquisition module acquires network security data of the industrial control system and transmits it to the network security situation processing module. The network security situation processing module fuses the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits that result to both the network security situation assessment module and the network security situation prediction module. The assessment module evaluates the current network security situation, and the prediction module predicts future network security situations.
The beneficial effects of the technical scheme are as follows: the scheme provided by this embodiment comprises an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module. The industrial control system security data acquisition module acquires network security data of the industrial control system and transmits it to the network security situation processing module. The network security situation processing module fuses the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits that result to both the network security situation assessment module and the network security situation prediction module. The assessment module evaluates the current network security situation, and the prediction module predicts future network security situations.
In another embodiment, referring to FIG. 2, the network security situation processing module includes:
the data preprocessing module, used for performing heterogeneous division on the network security data and screening the network security data according to the heterogeneous division result;
the format conversion module, used for converting the screened network security data into a data format suitable for data fusion;
the attribute feature extraction module, used for extracting attribute features from the converted data and performing attribute reduction based on the attribute features;
and the fusion processing module, used for analyzing the relevance of the attribute-reduced network security data from multiple angles, including spatio-temporal and feature angles, and performing data fusion based on the relevance.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the network security situation processing module comprises: the data preprocessing module, used for performing heterogeneous division on the network security data and screening the network security data according to the heterogeneous division result; the format conversion module, used for converting the screened network security data into a data format suitable for data fusion; the attribute feature extraction module, used for extracting attribute features from the converted data and performing attribute reduction based on the attribute features; and the fusion processing module, used for analyzing the relevance of the attribute-reduced network security data from multiple angles, including spatio-temporal and feature angles, and performing data fusion based on the relevance.
The beneficial effects of the technical scheme are as follows: in the scheme provided by this embodiment, the network security situation processing module comprises: the data preprocessing module, used for performing heterogeneous division on the network security data and screening the network security data according to the heterogeneous division result; the format conversion module, used for converting the screened network security data into a data format suitable for data fusion; the attribute feature extraction module, used for extracting attribute features from the converted data and performing attribute reduction based on the attribute features; and the fusion processing module, used for analyzing the relevance of the attribute-reduced network security data from multiple angles, including spatio-temporal and feature angles, and performing data fusion based on the relevance.
In another embodiment, referring to FIG. 3, the network security situation assessment module includes:
the network node dividing module, used for dividing the network into a plurality of network nodes based on a network node dividing algorithm;
the evaluation parameter determining module, used for establishing a parameter evaluation graph combining threat performance and defensive performance;
the construction module, used for constructing a pre-attack text and a post-attack text based on the parameter evaluation graph;
and the evaluation value calculation module, used for calculating the similarity between the pre-attack text and the post-attack text, determining an evaluation value based on the similarity, and determining a network security situation evaluation result based on the evaluation value.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the network security situation assessment module comprises: the network node dividing module, used for dividing the network into a plurality of network nodes based on a network node dividing algorithm; the evaluation parameter determining module, used for establishing a parameter evaluation graph combining threat performance and defensive performance; the construction module, used for constructing a pre-attack text and a post-attack text based on the parameter evaluation graph; and the evaluation value calculation module, used for calculating the similarity between the pre-attack text and the post-attack text, determining an evaluation value based on the similarity, and determining a network security situation evaluation result based on the evaluation value.
The beneficial effects of the technical scheme are as follows: in the scheme provided by this embodiment, the network security situation assessment module comprises: the network node dividing module, used for dividing the network into a plurality of network nodes based on a network node dividing algorithm; the evaluation parameter determining module, used for establishing a parameter evaluation graph combining threat performance and defensive performance; the construction module, used for constructing a pre-attack text and a post-attack text based on the parameter evaluation graph; and the evaluation value calculation module, used for calculating the similarity between the pre-attack text and the post-attack text, determining an evaluation value based on the similarity, and determining a network security situation evaluation result based on the evaluation value.
In another embodiment, the parameters in the parameter evaluation relationship graph include: a network attack frequency parameter, a network attack threat degree parameter, a network node vulnerability quantity parameter, a network node vulnerability threat degree parameter and a network node vulnerability attack probability parameter.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the parameters in the parameter evaluation relationship graph include: a network attack frequency parameter, a network attack threat degree parameter, a network node vulnerability quantity parameter, a network node vulnerability threat degree parameter and a network node vulnerability attack probability parameter.
The beneficial effects of the technical scheme are as follows: in the scheme provided by this embodiment, the parameters in the parameter evaluation relationship graph include: a network attack frequency parameter, a network attack threat degree parameter, a network node vulnerability quantity parameter, a network node vulnerability threat degree parameter and a network node vulnerability attack probability parameter.
In another embodiment, the evaluation value calculation module includes:
a data repetition rate calculation module, used for calculating the repetition rate of the data corresponding to the pre-attack text and the post-attack text;
the similarity calculation module, used for determining the similarity of the pre-attack text and the post-attack text based on the data repetition rate and a similarity formula;
the threshold setting module, used for setting a threshold for judging whether two pieces of data are similar;
and the calculation result module, used for determining, according to the set threshold, whether the two are similar and the quantized similarity value, and for determining the quantized evaluation value.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the evaluation value calculation module comprises: the data repetition rate calculation module, used for calculating the repetition rate of the data corresponding to the pre-attack text and the post-attack text; the similarity calculation module, used for determining the similarity of the pre-attack text and the post-attack text based on the data repetition rate and a similarity formula; the threshold setting module, used for setting a threshold for judging whether two pieces of data are similar; and the calculation result module, used for determining, according to the set threshold, whether the two are similar and the quantized similarity value, and for determining the quantized evaluation value.
The beneficial effects of the technical scheme are as follows: in the scheme provided by this embodiment, the evaluation value calculation module comprises: the data repetition rate calculation module, used for calculating the repetition rate of the data corresponding to the pre-attack text and the post-attack text; the similarity calculation module, used for determining the similarity of the pre-attack text and the post-attack text based on the data repetition rate and a similarity formula; the threshold setting module, used for setting a threshold for judging whether two pieces of data are similar; and the calculation result module, used for determining, according to the set threshold, whether the two are similar and the quantized similarity value, and for determining the quantized evaluation value.
In another embodiment, the network node partitioning module comprises:
the block dividing unit is used for dividing the large-scale industrial control system network by using a Louvain algorithm for detecting the community structure in the complex network to obtain a plurality of blocks and weights corresponding to each block;
and the storage unit is used for collecting the security situation elements detected on the network node, and uploading the security situation elements to the distributed file system for storage.
The working principle of the technical scheme is as follows: the scheme adopted by the embodiment is that the network node dividing module comprises: the block dividing unit is used for dividing the large-scale industrial control system network by using a Louvain algorithm for detecting the community structure in the complex network to obtain a plurality of blocks and weights corresponding to each block; and the storage unit is used for collecting the security situation elements detected on the network node, and uploading the security situation elements to the distributed file system for storage.
The beneficial effects of the technical scheme are as follows: the network node dividing module adopting the scheme provided by the embodiment comprises: the block dividing unit is used for dividing the large-scale industrial control system network by using a Louvain algorithm for detecting the community structure in the complex network to obtain a plurality of blocks and weights corresponding to each block; and the storage unit is used for collecting the security situation elements detected on the network node, and uploading the security situation elements to the distributed file system for storage.
In another embodiment, the construction module includes:
the preprocessing unit is used for preprocessing the network security situation elements to obtain the attack types and the number of attacks;
a scanning unit, configured to scan, inside the block, the vulnerabilities of the nodes and, according to the vulnerability types relied on by different network attacks, calculate the attack success probability of each attack type;
the measuring unit is used for constructing, for each node in the module, an attack text according to the attack type and the number of attacks, processing the text with an improved SimHash algorithm and measuring the attack severity of different types of attacks;
and the computing unit is used for computing the security situation value of the node according to the attack threat value, the attack severity and the attack success probability.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the construction module comprises: the preprocessing unit, used for preprocessing the network security situation elements to obtain the attack types and the number of attacks; a scanning unit, configured to scan, inside the block, the vulnerabilities of the nodes and, according to the vulnerability types relied on by different network attacks, calculate the attack success probability of each attack type; the measuring unit, used for constructing, for each node in the module, an attack text according to the attack type and the number of attacks, processing the text with an improved SimHash algorithm and measuring the attack severity of different types of attacks; and the computing unit, used for computing the security situation value of the node according to the attack threat value, the attack severity and the attack success probability.
The beneficial effects of the technical scheme are as follows: with the scheme provided by this embodiment, the construction module comprises: the preprocessing unit, used for preprocessing the network security situation elements to obtain the attack types and the number of attacks; a scanning unit, configured to scan, inside the block, the vulnerabilities of the nodes and, according to the vulnerability types relied on by different network attacks, calculate the attack success probability of each attack type; the measuring unit, used for constructing, for each node in the module, an attack text according to the attack type and the number of attacks, processing the text with an improved SimHash algorithm and measuring the attack severity of different types of attacks; and the computing unit, used for computing the security situation value of the node according to the attack threat value, the attack severity and the attack success probability.
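The measuring unit above, together with the threshold comparison of pre-attack and post-attack texts in claims 3 and 5, can be illustrated with the classic SimHash algorithm. This is an added example, not code from the patent: the patent's "improved" variant is not specified in this section, and the token weighting (attack count per attack type), the 0.9 threshold, the node names and the alert tuples are assumptions.

```python
import hashlib
from collections import Counter

BITS = 64

def token_hash(token):
    """Stable 64-bit token hash (first 8 bytes of SHA-256; not used for security)."""
    return int.from_bytes(hashlib.sha256(token.encode("utf-8")).digest()[:8], "big")

def attack_text(alerts, node):
    """Weighted attack text for one node: {attack type: number of attacks}."""
    return dict(Counter(kind for n, kind in alerts if n == node))

def simhash(weighted_tokens):
    """Classic SimHash: every token votes +/- its weight on each bit position."""
    votes = [0] * BITS
    for token, weight in weighted_tokens.items():
        h = token_hash(token)
        for i in range(BITS):
            votes[i] += weight if (h >> i) & 1 else -weight
    # A bit is set only when the weighted majority of tokens has it set.
    return sum(1 << i for i in range(BITS) if votes[i] > 0)

def similarity(fp_a, fp_b):
    """1.0 for identical fingerprints, 0.0 when all 64 bits differ."""
    return 1.0 - bin(fp_a ^ fp_b).count("1") / BITS

def is_similar(text_a, text_b, threshold=0.9):
    """Threshold decision on two attack texts (threshold value is an assumption)."""
    return similarity(simhash(text_a), simhash(text_b)) >= threshold

# Constructed sample alerts as (node, attack type); all names are illustrative.
BEFORE = [("plc-01", "port_scan"), ("hmi-02", "port_scan")]
AFTER = (BEFORE + [("plc-01", "modbus_write_flood")] * 3
         + [("plc-01", "login_bruteforce")] * 2)

if __name__ == "__main__":
    pre, post = attack_text(BEFORE, "plc-01"), attack_text(AFTER, "plc-01")
    print(pre, post, round(similarity(simhash(pre), simhash(post)), 3))
```

With a single attack type the classic fingerprint does not depend on the count, so in this sketch the number of attacks only matters when several attack types compete for the bit majority.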
In another embodiment, the network security posture prediction module includes:
a large sample acquisition unit, configured to use the poor-information modelling of the gray Verhulst model in place of the large sample required by the neural network;
the fitting difference establishing unit is used for compensating for the nonlinear fitting error of the gray Verhulst model with the nonlinear processing capability of the GRU network;
and the network prediction model building unit is used for building a Verhulst-GRU network prediction model.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the network security situation prediction module comprises: a large sample acquisition unit, configured to use the poor-information modelling of the gray Verhulst model in place of the large sample required by the neural network; the fitting difference establishing unit, used for compensating for the nonlinear fitting error of the gray Verhulst model with the nonlinear processing capability of the GRU network; and the network prediction model building unit, used for building a Verhulst-GRU network prediction model.
The beneficial effects of the technical scheme are as follows: with the scheme provided by this embodiment, the network security situation prediction module comprises: a large sample acquisition unit, configured to use the poor-information modelling of the gray Verhulst model in place of the large sample required by the neural network; the fitting difference establishing unit, used for compensating for the nonlinear fitting error of the gray Verhulst model with the nonlinear processing capability of the GRU network; and the network prediction model building unit, used for building a Verhulst-GRU network prediction model.
In another embodiment, the network prediction model building unit includes:
based on the text SimHash algorithm, converting intrusion detection information into a nonlinear time series of network security situation values; normalizing the historical and current network security situation sequences to obtain prediction data samples;
establishing a self-adaptive gray Verhulst prediction model according to the processed network security situation value sequence,
and improving the gray background value generating function to improve the preliminary prediction accuracy; acquiring a preliminary situation predicted value;
and calculating the residual between the actual value and the predicted value.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the network prediction model building unit comprises: based on the text SimHash algorithm, converting intrusion detection information into a nonlinear time series of network security situation values; normalizing the historical and current network security situation sequences to obtain prediction data samples; establishing a self-adaptive gray Verhulst prediction model according to the processed network security situation value sequence, and improving the gray background value generating function to improve the preliminary prediction accuracy; acquiring a preliminary situation predicted value; and calculating the residual between the actual value and the predicted value.
The beneficial effects of the technical scheme are as follows: with the scheme provided by this embodiment, the network prediction model building unit comprises: based on the text SimHash algorithm, converting intrusion detection information into a nonlinear time series of network security situation values; normalizing the historical and current network security situation sequences to obtain prediction data samples; establishing a self-adaptive gray Verhulst prediction model according to the processed network security situation value sequence, and improving the gray background value generating function to improve the preliminary prediction accuracy; acquiring a preliminary situation predicted value; and calculating the residual between the actual value and the predicted value.
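The first prediction stage described above (normalise, fit a gray Verhulst model, take preliminary predictions, compute residuals) is sketched below. This is an added example, not code from the patent. It assumes the standard mean background value rather than the patent's improved background value function, which this section does not specify. It also assumes scaling by the series maximum, treats the S-shaped series itself as the accumulated sequence, and uses a constructed sample series. The residuals it returns are the targets a second-stage residual model such as the GRU would be trained on.

```python
import math

def scale_by_max(series):
    """Normalise a positive situation-value series to (0, 1] (assumed scheme)."""
    peak = max(series)
    return [v / peak for v in series]

def fit_grey_verhulst(x1):
    """Least-squares estimate of (a, b) in x0(k) + a*z(k) = b*z(k)**2.

    x1 is the S-shaped series itself, x0 its first difference (inverse
    accumulation) and z the standard mean background value.
    """
    if len(x1) < 3:
        raise ValueError("need at least three points")
    x0 = [x1[k] - x1[k - 1] for k in range(1, len(x1))]
    z = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(x1))]
    # Normal equations for the two regressors (-z, z**2).
    s11 = sum(v * v for v in z)
    s12 = -sum(v ** 3 for v in z)
    s22 = sum(v ** 4 for v in z)
    t1 = -sum(v * y for v, y in zip(z, x0))
    t2 = sum(v * v * y for v, y in zip(z, x0))
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-12:
        raise ValueError("series too flat to fit")
    return (t1 * s22 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det

def predict(a, b, first, steps):
    """Time response: x(k) = a*x(0) / (b*x(0) + (a - b*x(0)) * exp(a*k))."""
    return [a * first / (b * first + (a - b * first) * math.exp(a * k))
            for k in range(steps)]

def preliminary_forecast(series, horizon=1):
    """Return (fitted values, residuals, forecast) on the normalised series."""
    x = scale_by_max(series)
    a, b = fit_grey_verhulst(x)
    pred = predict(a, b, x[0], len(x) + horizon)
    fitted, forecast = pred[:len(x)], pred[len(x):]
    residuals = [actual - p for actual, p in zip(x, fitted)]
    return fitted, residuals, forecast

# Constructed sample: ten periods of a saturating situation value.
SITUATION = [1.00, 1.55, 2.32, 3.32, 4.51, 5.75, 6.91, 7.86, 8.58, 9.09]

if __name__ == "__main__":
    fitted, residuals, forecast = preliminary_forecast(SITUATION, horizon=2)
    print([round(r, 4) for r in residuals], [round(f, 4) for f in forecast])
```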
In another embodiment, the network prediction model building unit further includes:
the determining unit is used for determining the number of training samples and prediction samples, and taking the predicted value as the input of the GRU neural network and the residual as its output;
the training unit is used for training the GRU network with the mean square error of the GRU network as the objective;
the residual prediction unit is used for predicting the residual sequence with the trained GRU network to obtain a residual prediction value;
and the precision checking unit is used for carrying out secondary correction on the preliminary prediction result so as to check the precision.
The working principle of the technical scheme is as follows: in the scheme adopted by this embodiment, the network prediction model building unit further comprises: the determining unit, used for determining the number of training samples and prediction samples, and taking the predicted value as the input of the GRU neural network and the residual as its output; the training unit, used for training the GRU network with the mean square error of the GRU network as the objective; the residual prediction unit, used for predicting the residual sequence with the trained GRU network to obtain a residual prediction value; and the precision checking unit, used for carrying out secondary correction on the preliminary prediction result so as to check the precision.
The beneficial effects of the technical scheme are as follows: with the scheme provided by this embodiment, the network prediction model building unit further comprises: the determining unit, used for determining the number of training samples and prediction samples, and taking the predicted value as the input of the GRU neural network and the residual as its output; the training unit, used for training the GRU network with the mean square error of the GRU network as the objective; the residual prediction unit, used for predicting the residual sequence with the trained GRU network to obtain a residual prediction value; and the precision checking unit, used for carrying out secondary correction on the preliminary prediction result so as to check the precision.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. An artificial intelligence-based industrial control system network security situation awareness system, characterized by comprising: an industrial control system security data acquisition module, a network security situation processing module, a network security situation assessment module and a network security situation prediction module;
the industrial control system security data acquisition module acquires network security data of the industrial control system and transmits the network security data to the network security situation processing module; the network security situation processing module carries out data fusion on the network security data based on an artificial intelligence algorithm to obtain a data fusion result, and transmits the data fusion result to the network security situation assessment module and the network security situation prediction module respectively; the current network security situation is assessed based on the network security situation assessment module, and the future network security situation is predicted based on the network security situation prediction module.
2. The artificial intelligence based industrial control system network security situation awareness system of claim 1, wherein the network security situation processing module comprises:
the data preprocessing module is used for carrying out heterogeneous division on the network security data and screening the network security data according to the heterogeneous division result;
the format conversion module is used for carrying out format conversion on the screened network security data and converting it into a data format suitable for data fusion;
the attribute feature extraction module is used for extracting attribute features from the converted data and carrying out attribute reduction processing based on the attribute features;
and the fusion processing module is used for analyzing, from multiple angles including space-time and features, the relevance of the network security data subjected to attribute reduction processing, and carrying out data fusion based on the relevance.
3. The artificial intelligence based industrial control system network security situation awareness system of claim 1, wherein the network security situation assessment module comprises:
the network node dividing module is used for dividing the network into a plurality of network nodes based on a network node dividing algorithm;
the evaluation parameter determining module is used for establishing a parameter evaluation graph combining threat performance and defensive performance;
the construction module is used for constructing a pre-attack text and a post-attack text based on the parameter evaluation graph;
and the evaluation value calculation module is used for carrying out similarity calculation on the pre-attack text and the post-attack text, determining an evaluation value based on the similarity calculation, and determining a network security situation evaluation result based on the evaluation value.
4. The artificial intelligence based industrial control system network security situation awareness system of claim 3, wherein the parameters in the parameter assessment relationship graph comprise: the network attack frequency parameter, the network attack threat degree parameter, the network node vulnerability quantity parameter, the network node vulnerability threat degree parameter and the network node vulnerability attack probability parameter.
5. The artificial intelligence based industrial control system network security situation awareness system of claim 3, wherein the evaluation value calculation module comprises:
a data repetition rate calculation module for calculating the repetition rate of the data corresponding to the pre-attack text and the post-attack text;
the similarity calculation module is used for determining the similarity of the pre-attack text and the post-attack text based on the repetition rate of the data and a similarity formula;
the threshold setting module is used for setting a threshold to judge whether two data are similar;
and the calculation result module is used for calculating, according to the set threshold, whether the two are similar and the quantized similarity value, and determining the quantized evaluation value.
6. The artificial intelligence based industrial control system network security situation awareness system of claim 1, wherein the network node partitioning module comprises:
the block dividing unit is used for dividing the large-scale industrial control system network by using a Louvain algorithm for detecting the community structure in the complex network to obtain a plurality of blocks and weights corresponding to each block;
and the storage unit is used for collecting the security situation elements detected on the network node, and uploading the security situation elements to the distributed file system for storage.
7. The artificial intelligence based industrial control system network security situation awareness system of claim 6, wherein the construction module comprises:
the preprocessing unit is used for preprocessing the network security situation elements to obtain the attack types and the number of attacks;
a scanning unit, configured to scan, inside the block, the vulnerabilities of the nodes and, according to the vulnerability types relied on by different network attacks, calculate the attack success probability of each attack type;
the measuring unit is used for constructing, for each node in the module, an attack text according to the attack type and the number of attacks, processing the text with an improved SimHash algorithm and measuring the attack severity of different types of attacks;
and the computing unit is used for computing the security situation value of the node according to the attack threat value, the attack severity and the attack success probability.
8. The artificial intelligence based industrial control system network security situation awareness system of claim 1, wherein the network security situation prediction module comprises:
a large sample acquisition unit, configured to use the poor-information modelling of the gray Verhulst model in place of the large sample required by the neural network;
the fitting difference establishing unit is used for compensating for the nonlinear fitting error of the gray Verhulst model with the nonlinear processing capability of the GRU network;
and the network prediction model building unit is used for building a Verhulst-GRU network prediction model.
9. The artificial intelligence based industrial control system network security situation awareness system of claim 8, wherein the network prediction model building unit comprises:
based on the text SimHash algorithm, converting intrusion detection information into a nonlinear time series of network security situation values; normalizing the historical and current network security situation sequences to obtain prediction data samples;
establishing a self-adaptive gray Verhulst prediction model according to the processed network security situation value sequence,
and improving the gray background value generating function to improve the preliminary prediction accuracy; acquiring a preliminary situation predicted value;
and calculating the residual between the actual value and the predicted value.
10. The artificial intelligence based industrial control system network security situation awareness system of claim 9, wherein the network prediction model building unit further comprises:
the determining unit is used for determining the number of training samples and prediction samples, and taking the predicted value as the input of the GRU neural network and the residual as its output;
the training unit is used for training the GRU network with the mean square error of the GRU network as the objective;
the residual prediction unit is used for predicting the residual sequence with the trained GRU network to obtain a residual prediction value;
and the precision checking unit is used for carrying out secondary correction on the preliminary prediction result so as to check the precision.
CN202310357359.3A 2023-04-04 2023-04-04 Industrial control system network security situation sensing system based on artificial intelligence Pending CN116389116A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310357359.3A CN116389116A (en) 2023-04-04 2023-04-04 Industrial control system network security situation sensing system based on artificial intelligence

Publications (1)

Publication Number Publication Date
CN116389116A true CN116389116A (en) 2023-07-04

Family

ID=86964144

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination