CN116668068A - Industrial control abnormal flow detection method based on joint federal learning - Google Patents
Industrial control abnormal flow detection method based on joint federal learning Download PDFInfo
- Publication number
- CN116668068A CN116668068A CN202310423533.XA CN202310423533A CN116668068A CN 116668068 A CN116668068 A CN 116668068A CN 202310423533 A CN202310423533 A CN 202310423533A CN 116668068 A CN116668068 A CN 116668068A
- Authority
- CN
- China
- Prior art keywords
- model
- local
- industrial control
- training
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 58
- 238000001514 detection method Methods 0.000 title claims abstract description 50
- 238000012549 training Methods 0.000 claims abstract description 69
- 230000002776 aggregation Effects 0.000 claims abstract description 40
- 238000004220 aggregation Methods 0.000 claims abstract description 40
- 238000000034 method Methods 0.000 claims abstract description 38
- 230000005856 abnormality Effects 0.000 claims abstract description 3
- 238000004422 calculation algorithm Methods 0.000 claims description 15
- 239000013598 vector Substances 0.000 claims description 11
- 238000007781 pre-processing Methods 0.000 claims description 6
- 101100394003 Butyrivibrio fibrisolvens end1 gene Proteins 0.000 claims description 3
- 238000010801 machine learning Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 230000035945 sensitivity Effects 0.000 description 4
- 238000006467 substitution reaction Methods 0.000 description 4
- 230000004075 alteration Effects 0.000 description 3
- 238000005070 sampling Methods 0.000 description 3
- 238000012952 Resampling Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 239000012141 concentrate Substances 0.000 description 1
- 238000012937 correction Methods 0.000 description 1
- 238000013135 deep learning Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000007636 ensemble learning method Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G06N20/20—Ensemble learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Medical Informatics (AREA)
- Evolutionary Computation (AREA)
- Data Mining & Analysis (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Artificial Intelligence (AREA)
- Safety Devices In Control Systems (AREA)
- General Factory Administration (AREA)
Abstract
The application discloses an industrial control abnormal flow detection method based on joint federal learning, which comprises the following steps: generating a local training dataset; the client trains on the initial model by using the local data set to obtain local model parameters, and sends the local model parameters to the server S1 to complete parameter aggregation; s1, distributing global parameters to a client, and starting the next round of local training by the client; obtaining a global model M1; the client sends the local abnormal samples to a server S2, and the S2 integrates all the abnormal samples to perform model training to obtain a model M2; and combining the models M1 and M2, collecting the data of the sensor and the actuator of the industrial control equipment, and sending the data into the combined model for real-time abnormality detection. The method and the device avoid the problem that the model is over-fitted to a normal sample and the detection precision is not high due to the fact that the local client side adopts unbalanced data set training in an industrial control environment; has stronger generalization capability.
Description
Technical Field
The application belongs to the technical field of industrial control detection, and particularly relates to an industrial control abnormal flow detection method based on joint federal learning.
Background
Federal learning is an emerging machine learning technique that can interconnect multiple clients distributed in different regions, and perform distributed machine learning model training by indirectly sharing training data (sharing model weights instead of original training samples) among the clients. The method can fully utilize the local data set of each participant on the premise of protecting the user data privacy, has the advantages of high model training efficiency, strong algorithm robustness and the like, and is widely applied to the field of abnormal flow detection of the industrial control system.
The abnormal flow detection technology is used as a key part in the safety guarantee system of the industrial control system, and because the machine learning and the deep learning have higher detection precision than the traditional detection algorithm, a plurality of students participate in research in recent years. With the development of federal learning technology, the machine learning technology perfectly matched with the distributed characteristics of the sensors in the industrial control system rapidly becomes a hot spot of the abnormal flow detection technology of the industrial control system. However, most of the flow in the industrial control system is normal flow, the proportion of abnormal flow is very small, the model training effect of the conventional machine learning and federal learning algorithm under the extremely unbalanced data set is poor, and the model convergence is slow, the test precision is not high and the like.
In order to make the trained model perform better, emphasis is placed on providing a high quality equalization dataset for model training. Classical methods of handling unbalanced data sets mainly include data set resampling, data set expansion and algorithm compensation. The resampling method comprises an oversampling method and an undersampling method, the data set expansion method comprises an attribute value random sampling method and a Smote method, and the algorithm compensation method comprises a boosting method based on ensemble learning and reducing the weight of a plurality of types of samples by introducing a cost function. In classical methods, the use of oversampling methods tends to result in model overfitting, whereas the use of undersampling methods does not make full use of the data set. The attribute value random sampling method cannot guarantee the linear relation before the sampled data attribute is reserved, and data which does not exist in reality may be generated. The Smote method tends to marginalize the data distribution, blurring the boundaries of positive and negative samples, and determination of K values depends on experience.
Aiming at the problem of unbalance of a data set under a federal learning framework, the Chinese patent with publication number CN112329820A discloses a sampling method and device for unbalanced data under federal learning, a k-means cluster majority class sample is used, a Smote method is used for generating minority class samples, two groups of sample sets are combined and then a local model is generated by using an Adaboost method, and finally model parameter aggregation is carried out through a central server. The Chinese patent publication No. CN114548419A discloses a longitudinal federal learning sample imbalance processing method based on the OT protocol, which utilizes the OT protocol to protect partner data privacy and uses an improved Smote method to generate minority class samples. The chinese patent publication No. CN114529014a discloses an unbalanced data ensemble learning method based on federal learning, a few samples are generated by using an adaptive boundary Smote algorithm, the repeated data generated by the Smote method is eliminated by a tomeklines method, and finally an equalized sample is obtained. These three schemes use the improved Smote method as the basis for solving the unbalanced data set, but they still have the problems described above. And federal learning is that multiple clients participate in training, and the data characteristics obtained by each client may be inconsistent, which means that multiple K values are manually set, and the operation is complicated.
The Chinese patent publication No. CN114462509A discloses a method for detecting the abnormality of distributed Internet of things equipment, which uses an improved self-coding network to perform feature extraction, feature correction and abnormal feature discrimination on abnormal data of a training set, and obtains high-quality reconstruction abnormal data. The scheme uses the self-encoder to extract the sample characteristics to low dimensionality, which inevitably results in the loss of part of useful information and poor quality of reconstructed samples.
Disclosure of Invention
Aiming at the problems of slow convergence speed and poor performance of model training caused by extremely unbalanced quantity of abnormal samples and normal samples in actual flow in the abnormal flow detection application of an industrial control system by the existing federal learning technology, the application introduces a combined model on the basis of the prior art, can fully and effectively utilize the abnormal samples distributed among all clients, and improves the integral detection precision of the federal learning model.
The application discloses an industrial control abnormal flow detection method based on joint federal learning, which comprises the following steps:
in the industrial control flow acquisition and preprocessing stage, acquiring data of each sensor and actuator of local industrial control equipment to generate a local training data set X l ;
During the model M1 training phase, each client uses the local data set X l Training on the initial model to obtain local model parameters w l And sends to the parameter aggregation server S1 to complete parameter aggregation; the parameter aggregation server S1 aggregates the global parameter w g Distributing to each client, and starting the next round of local training by the client; the method comprises the steps of reciprocating until the precision of the global model reaches the requirement or the global iteration times reach E times, and obtaining a global model M1;
in the model M2 training stage, each client sends a local abnormal sample to a server S2, and the server S2 integrates and breaks up all the received abnormal samples to perform model training to obtain a model M2;
in the model combination and anomaly detection stage, the models M1 and M2 are combined, data of sensors and actuators of industrial control equipment are collected, and the data are sent into the combined model for real-time anomaly detection.
Further, in the industrial control data acquisition and preprocessing stage, each client acquires data of each sensor and actuator of the local industrial control equipment once per second through an industrial control protocol to generate a t moment characteristic vector x t ∈R n N is the sum of the number of all the sensors and the actuators of the local industrial control equipment;
determining a current characteristic vector x according to the running state of the industrial control system at the current moment t Tag y of (2) t Y is as normal t =0, otherwise y t =1;
Continuously collecting data until y t The total number of feature vectors of the number of the feature vectors of the number of the times of the; and finally, forming local training samples.
Further, in the model M1 training phase, the parameter aggregation server S1 first models the base model w 0 Distributing to each client;
each client receives the parameters w from the parameter aggregation server S1 s And uses the local data at w s Performing local model iteration on the basis of (a) until the maximum local round iteration number E is reached l The method comprises the steps of carrying out a first treatment on the surface of the Model parameters w to complete local iteration l The transmitted parameter aggregation server;
the parameter aggregation server S1 receives the local parameters { w } from the client l1 ,w l2 ...w lN -where N is the total number of all clients; the federal average parameter aggregation algorithm is used for completing the parameter aggregation of the global iteration, and the global model parameter w of the round is obtained g+1 Distributing to each client;
repeating the steps until the precision of the global model reaches the requirement or the global iteration number reaches the preset number, and obtaining the global aggregation parameter w end1 And (5) completing the training of the global model M1.
Further, the specific calculation steps of the federal average parameter aggregation algorithm are as follows:
wherein w is g And the global model parameters are reserved for the last moment of the aggregation server, t is the learning rate, and N is the total number of clients participating in the parameter aggregation.
Further, during the model M2 training phase, each client willLocal training data set X l All abnormal samples of (1) are separated to form an abnormal sample setThe abnormal sample refers to a local training data set X l Samples of data tag y=1; each client side sets local exception samples +.>Transmitting to the server S2;
the server S2 receives training sample sets from all clients to obtain sample setsThe sample sets are then shuffled to obtain a training data set X abn ;
The server S2 uses the training data set X abn And carrying out local iterative training on the model M2 until the maximum iterative times are reached or the required precision is reached, namely finishing the training of the model M2.
Further, in the model combination and anomaly detection stage, the models M1 and M2 perform industrial control detection at the same time, and data of each sensor and actuator of the local industrial control equipment are acquired every second through an industrial control protocol, so that a sample x to be detected is generated;
and inputting the sample to be detected into the trained models M1 and M2 to obtain the anomaly rates R1 and R2 of the current sample, and judging whether the current industrial control system is normal or not by calculating the comprehensive anomaly detection score.
Further, the integrated anomaly detection score R is defined as follows:
and alpha is the confidence coefficient of the models M1 and M2, and when the anomaly detection score R is larger than a preset threshold value, the current industrial control system is abnormal, otherwise, the current industrial control system is normal.
The beneficial effects of the application are as follows:
1) By utilizing the characteristic that the abnormal data contains less private information, the abnormal data set X from each client is intensively used abn The model M2 is trained, so that the problem that the model is fitted to a normal sample and the detection precision is low due to the fact that a local client adopts unbalanced data set training in an industrial control environment is solved greatly.
2) The combined model is used for carrying out anomaly detection on the industrial control sensor and the executor data, and M1 is trained through training data sets from all clients, so that the method has stronger generalization capability. Finally, by giving higher confidence to the model M2 with higher anomaly sensitivity and combining the model M2 with higher anomaly sensitivity and the model M2 with higher anomaly sensitivity, the comprehensive anomaly detection score R is calculated, so that a more accurate anomaly detection result can be obtained.
Drawings
FIG. 1 is a flow chart of an abnormal flow detection method of the present application.
Detailed Description
The application is further described below with reference to the accompanying drawings, without limiting the application in any way, and any alterations or substitutions based on the teachings of the application are intended to fall within the scope of the application.
The application mainly comprises four stages of industrial control data acquisition and pretreatment, model M1 training, model M2 training, model combination and anomaly detection. The model M1 has stronger generalization performance, the model M2 has better capturing capability on abnormal data, and the final abnormal detection score is calculated by using the comprehensive score R, so that the abnormal detection precision of the model is higher. FIG. 1 is a general flow chart of the present application, in the industrial control flow acquisition and preprocessing stage, each client acquires the data of each sensor and actuator of the local industrial control equipment every second through Modbus TCP, S7, IEC104 and other industrial control protocols to generate a local training data set X l . During the model M1 training phase, each client uses the local data set X l Training on the initial model to obtain local model parameters w l And transmits to the parameter aggregation server S1 to complete parameter aggregation. S1 to global parameter w g Distributed to the various clients, which begin the next round of local training. So doing, until globalThe model precision reaches the requirement or the global iteration times reach E times, and the global model M1 is obtained. In the model M2 training stage, each client sends local abnormal samples to the server S2, S2 integrates and breaks up all the received abnormal samples, and performs model training to obtain a model M2. In the model combination and anomaly detection stage, firstly, the models M1 and M2 are combined, data of the industrial control equipment sensor and the actuator are collected, and the data are sent into the combined model to carry out real-time anomaly detection.
Specifically, the steps of the respective stages are as follows.
0001. In the industrial control data acquisition and preprocessing stage, each client acquires data of each sensor and actuator of the local industrial control equipment once per second through an industrial control protocol to generate a t moment characteristic vector x t ∈R n Specifically, n is the sum of the number of all sensors and actuators of the local industrial control device. Industrial control protocols include, but are not limited to, modbus TCP, S7, IEC104, and the like.
0002. Determining a current characteristic vector x according to the running state of the industrial control system at the current moment t Tag y of (2) t Y is as normal t =0, otherwise y t =1。
0003. Continuously collecting data until y t The total number of feature vectors of=1 is larger than a preset value, and data acquisition is stopped. And finally, forming local training samples. Preferably, the preset value is 50 in this embodiment.
0004. In the model M1 training phase, the parameter aggregation server S1 first models the basic model w 0 To the respective clients.
0005. Each client receives the parameters w from the parameter aggregation server S1 s And uses the local data at w s Performing local model iteration on the basis of (a) until the maximum local round iteration number E is reached l . Model parameters w to complete local iteration l And the transmitted parameters are aggregated to a server. The parameter aggregation server S1 is a coordinator.
0006. The parameter aggregation server receives the local parameter { w } from the client l1 ,w l2 ...w lN Where N is the total number of all clients. The federal average parameter aggregation algorithm is used for completing the parameter aggregation of the global iteration, and the global model parameter w of the round is obtained g+1 To each client.
0007. Specifically, the specific calculation steps of the federal average parameter aggregation algorithm mentioned in step 0006 are as follows:
wherein w is g And the global model parameters are reserved for the last moment of the aggregation server, t is the learning rate, and N is the total number of clients participating in the parameter aggregation.
0008. Repeating the steps 0005-0007 until the global model precision reaches the requirement or the global iteration times reach E times to obtain the global aggregation parameter w end1 And (5) completing the training of the global model M1.
0009. During the model M2 training phase, each client will train the data set X locally l All abnormal samples of (1) are separated to form an abnormal sample setSpecifically, the abnormal sample refers to the local training data set X l In the data tag y=1. Each client side sets local exception samples +.>To the server S2.
0010. The server S2 receives training sample sets from all clients to obtain sample setsThe sample sets are then shuffled to obtain a training data set X abn 。
0011. The server S2 uses the training data set X abn And carrying out local iterative training on the model M2 until the maximum iterative times are reached or the required precision is reached. I.e. the training of the model M2 is completed.
0012. In the model combination and anomaly detection stage, the models M1 and M2 perform industrial control detection simultaneously. And acquiring data of each sensor and each actuator of the local industrial control equipment every second through industrial control protocols such as Modbus TCP, S7, IEC104 and the like, and generating a sample x to be detected.
0013. And inputting the sample to be detected into the trained models M1 and M2 to obtain the anomaly rates R1 and R2 of the current sample, and judging whether the current industrial control system is normal or not by calculating the comprehensive anomaly detection score. Specifically, the integrated anomaly detection score R is defined as follows:
where α is the confidence level of the models M1 and M2, and since the model M2 has a higher sensitivity to abnormal samples, α <0.5 is preferably taken, and α=0.3 is preferably taken in this embodiment.
0014. When the anomaly detection score R is greater than 0.5, the current industrial control system is abnormal, otherwise, the current industrial control system is normal.
For abnormal detection, most researchers use Smote or its variant algorithm to expand the original data set to achieve the purpose of balancing the data set under the condition of poor model abnormal detection effect caused by unbalanced training data set. The Smote algorithm tends to cause marginalization of the data distribution, blurring the boundaries of positive and negative samples. Importantly, no matter how advanced the data generation algorithm is, it is not possible to construct a data set that is exactly the same as the true data set distribution. In addition, the data set expansion method depends on original data, and can not provide enough abnormal data samples to represent the distribution of abnormal data in an independent industrial control environment, and naturally can lead to low quality of the data samples obtained by expansion. The application avoids using a constructed data set, fully utilizes abnormal data samples distributed in each client under the federal learning framework, and concentrates the abnormal data samples to the same server to complete the training of the model. Finally, a model M1 trained under the federal learning framework and a model M2 trained by using multiple client abnormal data samples are combined, wherein the model M1 has strong generalization performance, and the model M2 has good capturing capability on abnormal data. The final anomaly detection score is calculated by using the comprehensive score R, and the anomaly detection capability of the model is better.
The word "preferred" is used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as "preferred" is not necessarily to be construed as advantageous over other aspects or designs. Rather, use of the word "preferred" is intended to present concepts in a concrete fashion. The term "or" as used in this disclosure is intended to mean an inclusive "or" rather than an exclusive "or". That is, unless specified otherwise or clear from the context, "X uses a or B" is intended to naturally include any of the permutations. That is, if X uses A; x is B; or X uses both A and B, then "X uses A or B" is satisfied in any of the foregoing examples.
Moreover, although the disclosure has been shown and described with respect to one or more implementations, equivalent alterations and modifications will occur to others skilled in the art based upon a reading and understanding of this specification and the annexed drawings. The present disclosure includes all such modifications and alterations and is limited only by the scope of the following claims. In particular regard to the various functions performed by the above described components (e.g., elements, etc.), the terms used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., that is functionally equivalent), even though not structurally equivalent to the disclosed structure which performs the function in the herein illustrated exemplary implementations of the disclosure. Furthermore, while a particular feature of the disclosure may have been disclosed with respect to only one of several implementations, such feature may be combined with one or other features of the other implementations as may be desired and advantageous for a given or particular application. Moreover, to the extent that the terms "includes," has, "" contains, "or variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term" comprising.
The functional units in the embodiment of the application can be integrated in one processing module, or each unit can exist alone physically, or a plurality of or more than one unit can be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. The above-mentioned devices or systems may perform the storage methods in the corresponding method embodiments.
In summary, the foregoing embodiment is an implementation of the present application, but the implementation of the present application is not limited to the embodiment, and any other changes, modifications, substitutions, combinations, and simplifications made by the spirit and principles of the present application should be equivalent to the substitution manner, and all the changes, modifications, substitutions, combinations, and simplifications are included in the protection scope of the present application.
Claims (7)
1. The industrial control abnormal flow detection method based on the joint federal learning is characterized by comprising the following steps of:
in the industrial control flow acquisition and preprocessing stage, acquiring data of each sensor and actuator of local industrial control equipment to generate a local training data set X l ;
During the model M1 training phase, each client uses the local data set X l Training on the initial model to obtain local model parameters w l And sends to the parameter aggregation server S1 to complete parameter aggregation; the parameter aggregation server S1 aggregates the global parameter w g Distributing to each client, and starting the next round of local training by the client; the method comprises the steps of reciprocating until the precision of the global model reaches the requirement or the global iteration times reach E times, and obtaining a global model M1;
in the model M2 training stage, each client sends a local abnormal sample to a server S2, and the server S2 integrates and breaks up all the received abnormal samples to perform model training to obtain a model M2;
in the model combination and anomaly detection stage, the models M1 and M2 are combined, data of sensors and actuators of industrial control equipment are collected, and the data are sent into the combined model for real-time anomaly detection.
2. The method for detecting abnormal industrial control flow based on joint federal learning according to claim 1, wherein in the industrial control data acquisition and preprocessing stage, each client acquires data of each sensor and actuator of the local industrial control equipment once per second through an industrial control protocol to generate a t-moment feature vector x t ∈R n N is the sum of the number of all the sensors and the actuators of the local industrial control equipment;
determining a current characteristic vector x according to the running state of the industrial control system at the current moment t Tag y of (2) t Y is as normal t =0, otherwise y t =1;
Continuously collecting data until y t The total number of feature vectors of the number of the feature vectors of the number of the times of the; and finally, forming local training samples.
3. The method for detecting abnormal industrial control flow based on joint federal learning according to claim 1, wherein the parameter aggregation server S1 sets the basic model parameters w in the model M1 training phase 0 And model M1 is distributed to each client;
each client receives the parameters w from the parameter aggregation server S1 s And uses the local data at w s Performing local model iteration on the basis of (a) until the maximum local round iteration number E is reached l The method comprises the steps of carrying out a first treatment on the surface of the Model parameters w to complete local iteration l The transmitted parameter aggregation server;
the parameter aggregation server S1 receives the local parameters { w } from the client l1 ,w l2 ...w lN -where N is the total number of all clients; the federal average parameter aggregation algorithm is used for completing the parameter aggregation of the global iteration, and the global model parameter w of the round is obtained g+1 Distributing to each client;
repeating the steps until the precision of the global model reaches the requirement or the global iteration number reaches the preset number, and obtaining the global aggregation parameter w end1 And (5) completing the training of the global model M1.
4. The method for detecting industrial control abnormal flow based on joint federal learning according to claim 3, wherein the federal average parameter aggregation algorithm is specifically calculated as follows:
wherein w is g And the global model parameters are reserved for the last moment of the aggregation server, t is the learning rate, and N is the total number of clients participating in the parameter aggregation.
5. The method for detecting abnormal industrial control traffic based on joint federal learning according to claim 3, wherein each client uses the local training data set X in the model M2 training phase l All abnormal samples of (1) are separated to form an abnormal sample setThe abnormal sample refers to a local training data set X l Samples of data tag y=1; each client side sets local exception samples +.>Transmitting to the server S2;
the server S2 receives training sample sets from all clients to obtain sample setsThe sample sets are then shuffled to obtain a training data set X abn ;
The server S2 uses the training data set X abn And carrying out local iterative training on the model M2 until the maximum iterative times are reached or the required precision is reached, namely finishing the training of the model M2.
6. The industrial control abnormal flow detection method based on the joint federal learning according to claim 3, wherein in the model joint and abnormal detection stage, models M1 and M2 perform industrial control detection simultaneously, and data of each sensor and actuator of local industrial control equipment are acquired every second through an industrial control protocol, so as to generate a sample x to be detected;
and inputting the sample to be detected into the trained models M1 and M2 to obtain the anomaly rates R1 and R2 of the current sample, and judging whether the current industrial control system is normal or not by calculating the comprehensive anomaly detection score.
7. The method for detecting industrial control abnormal flow based on joint federal learning according to claim 6, wherein the integrated abnormality detection score R is defined as follows:
and alpha is the confidence coefficient of the models M1 and M2, and when the anomaly detection score R is larger than a preset threshold value, the current industrial control system is abnormal, otherwise, the current industrial control system is normal.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310423533.XA CN116668068A (en) | 2023-04-20 | 2023-04-20 | Industrial control abnormal flow detection method based on joint federal learning |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310423533.XA CN116668068A (en) | 2023-04-20 | 2023-04-20 | Industrial control abnormal flow detection method based on joint federal learning |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116668068A true CN116668068A (en) | 2023-08-29 |
Family
ID=87717877
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310423533.XA Pending CN116668068A (en) | 2023-04-20 | 2023-04-20 | Industrial control abnormal flow detection method based on joint federal learning |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116668068A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116915512A (en) * | 2023-09-14 | 2023-10-20 | 国网江苏省电力有限公司常州供电分公司 | Method and device for detecting communication flow in power grid |
-
2023
- 2023-04-20 CN CN202310423533.XA patent/CN116668068A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116915512A (en) * | 2023-09-14 | 2023-10-20 | 国网江苏省电力有限公司常州供电分公司 | Method and device for detecting communication flow in power grid |
| CN116915512B (en) * | 2023-09-14 | 2023-12-01 | 国网江苏省电力有限公司常州供电分公司 | Method and device for detecting communication flow in power grid |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110348330B (en) | Face pose virtual view generation method based on VAE-ACGAN | |
| CN109800710B (en) | Pedestrian re-identification system and method | |
| CN110490158B (en) | Robust face alignment method based on multistage model | |
| CN112420187B (en) | Medical disease analysis method based on migratory federal learning | |
| TWI714952B (en) | Method and device for determining pupil position | |
| CN114692741B (en) | Generalized face counterfeiting detection method based on domain invariant features | |
| CN106295501A (en) | The degree of depth based on lip movement study personal identification method | |
| CN114565594B (en) | Image anomaly detection method based on soft mask contrast loss | |
| CN111080513A (en) | Human face image super-resolution method based on attention mechanism | |
| CN107392865A (en) | A kind of restored method of facial image | |
| CN116668068A (en) | Industrial control abnormal flow detection method based on joint federal learning | |
| CN113988314A (en) | Cluster federal learning method and system for selecting client | |
| CN111507184B (en) | Human body posture detection method based on parallel cavity convolution and body structure constraint | |
| CN114004333A (en) | Oversampling method for generating countermeasure network based on multiple false classes | |
| CN109447153A (en) | Divergence-excitation self-encoding encoder and its classification method for lack of balance data classification | |
| CN111222583B (en) | Image steganalysis method based on countermeasure training and critical path extraction | |
| CN113949549A (en) | Real-time traffic anomaly detection method for intrusion and attack defense | |
| CN117168814A (en) | Bearing fault diagnosis method based on composite generation countermeasure network | |
| CN114511521A (en) | Tire defect detection method based on multiple representations and multiple sub-field self-adaption | |
| CN110288026A (en) | A kind of image partition method and device practised based on metric relation graphics | |
| CN113033345A (en) | V2V video face recognition method based on public feature subspace | |
| CN115438753B (en) | Method for measuring security of federal learning protocol data based on generation | |
| CN116738251A (en) | Radio frequency fingerprint identification training data generation method based on generation countermeasure network | |
| CN116416212A (en) | Training method of road surface damage detection neural network and road surface damage detection neural network | |
| CN115063630A (en) | Application of decoupling migration-based federated learning method in computer vision |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |