CN116736781A - Safety state monitoring method and device for industrial automation control equipment - Google Patents

Abstract

The application discloses a safety state monitoring method and device of industrial automation control equipment, comprising the steps of determining a target data distribution model matched with the normal safety state of industrial control equipment before entering a safety state monitoring mode, and determining an abnormal state perception threshold corresponding to the target data distribution model; after entering a safety state monitoring mode, collecting real-time network flow data characteristic values of industrial control equipment, rapidly sequencing, and calculating a corresponding real-time experience cumulative distribution function; calculating the coincidence degree of the corresponding probability distribution function and the real-time experience cumulative distribution function under the normal safety state of the industrial control equipment to obtain a check deviation value; and when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state. The method and the device for monitoring the safety state of the industrial automation control equipment provided by the application have low operation complexity, and are suitable for being deployed on the industrial environment site with limited computing resources to effectively monitor the safety state of the industrial automation control equipment.

Description

Safety state monitoring method and device for industrial automation control equipment

Technical Field

The application relates to the technical field of data processing, in particular to a method and a device for monitoring the safety state of industrial automation control equipment.

Background

Industrial automation control devices are an important component in industrial control systems for monitoring and controlling various industrial processes. They are commonly used to control critical infrastructure of plant equipment, energy systems, traffic systems, and the like. The safety threat faced by industrial automation control equipment terminals can lead to production interruption, equipment damage and even casualties, so the safety state monitoring of the industrial automation control terminals is of great importance.

The safety state monitoring of the industrial automation control equipment means that the industrial control terminal is monitored and analyzed in real time to acquire the safety state information of the industrial control terminal. The method comprises the steps of monitoring hardware, an operating system, industrial control software, network connection and the like of the industrial control terminal so as to detect potential security holes, malicious attacks and abnormal behaviors, discover and deal with security threats in time, and ensure reliable operation and production security of the industrial control system.

Therefore, how to ensure the safety state monitoring of the industrial automation control equipment is a technical problem to be solved urgently by those skilled in the art.

Disclosure of Invention

The application provides a method and a device for monitoring the safety state of industrial automation control equipment, which have low operation complexity and are suitable for being deployed on an industrial environment site with limited computing resources to effectively monitor the safety state of industrial control equipment.

In order to solve the above technical problems, an embodiment of the present application provides a method for monitoring a safety state of an industrial automation control device, including:

before entering a safety state monitoring mode, collecting a network flow data characteristic value of industrial control equipment in a normal safety state, and dividing the network flow data characteristic value into a fitting sample and a checking sample;

selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples one by adopting a maximum likelihood estimation method to obtain corresponding fitting probability distribution functions;

rapidly sequencing the check samples by adopting a bucket-tree two-dimensional indexing method to obtain sequenced first data, and calculating an experience cumulative distribution function corresponding to the first data;

calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to K-S test;

determining a target data distribution model matched with the normal safety state of industrial control equipment, and determining an abnormal state perception threshold corresponding to the target data distribution model;

after entering a safety state monitoring mode, acquiring a real-time network flow data characteristic value of the industrial control equipment;

inserting the real-time network flow data characteristic values into a barrel-tree two-dimensional index for quick sequencing to obtain sequenced second data, and calculating a real-time experience cumulative distribution function corresponding to the second data;

adopting K-S test to calculate the coincidence degree of the probability distribution function and the real-time experience cumulative distribution function corresponding to the normal safety state of the industrial control equipment, and obtaining a check deviation value;

and when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state.

As one preferable mode, the data distribution model at least comprises a gaussian distribution model, a lognormal distribution model, a poisson distribution model, a weibull distribution model, a gamma distribution model and an exponential distribution model.

As one preferable scheme, the selecting a plurality of data distribution models, and performing fitting analysis on the fitting samples by adopting a maximum likelihood estimation method one by one to obtain corresponding fitting probability distribution functions, specifically including:

selecting a data distribution model from a plurality of data distribution models;

calculating likelihood functions corresponding to the data distribution model, wherein the likelihood functions are as follows:

wherein L (theta) is a likelihood function, X is a network flow data characteristic value set in acquisition time, and theta is a model parameter of a selected data distribution model;

taking the logarithm of the likelihood function to obtain a log likelihood function as follows:

deriving the log-likelihood function to obtain a corresponding maximum likelihood estimation parameter value;

and carrying the maximum likelihood estimation parameter value into an accumulated distribution function corresponding to the selected characteristic distribution model for calculation, wherein the calculation formula is as follows:

wherein ,for accumulating distribution functions +.>Estimating parameter values for the maximum likelihood;

repeating the steps until the maximum likelihood estimation parameter values and the accumulated distribution function corresponding to all the data distribution models are obtained.

As one preferable solution, the quick sorting of the check samples by adopting a bucket-tree two-dimensional indexing method specifically includes:

distinguishing the data in the check sample according to a barrel dividing mode, and storing the data in a corresponding barrel array;

and arranging the data in each bucket array according to a tree array structure.

As one preferable scheme, the calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to the K-S test specifically includes:

according to K-S test, respectively calculating a first parameter, a second parameter and a third parameter of a network flow data distribution characteristic value corresponding to the data stored in each barrel group, wherein the calculation formula is as follows:

wherein ,to reflect the first parameter of maximum forward K-S distance,/>To reflect the second parameter of the maximum inverse K-S distance,/a second parameter of the maximum inverse K-S distance is chosen>To reflect the third parameter of the feature quantity stored in the j-th bucket array, +.>Is->Barrel array corresponding to each interval, < > and the like>For probability distribution function +.>For the empirical cumulative distribution function, the calculation formula is as follows:

wherein ,indicate->Then 1;

and obtaining the K-S check fitting distance reflecting the fitting degree based on the maximum first parameter and the maximum second parameter.

Another embodiment of the present application provides an industrial automation control device safety state monitoring apparatus, comprising a processor configured to:

before entering a safety state monitoring mode, collecting a network flow data characteristic value of industrial control equipment in a normal safety state, and dividing the network flow data characteristic value into a fitting sample and a checking sample;

selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples one by adopting a maximum likelihood estimation method to obtain corresponding fitting probability distribution functions;

rapidly sequencing the check samples by adopting a bucket-tree two-dimensional indexing method to obtain sequenced first data, and calculating an experience cumulative distribution function corresponding to the first data;

calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to K-S test;

determining a target data distribution model matched with the normal safety state of industrial control equipment, and determining an abnormal state perception threshold corresponding to the target data distribution model;

after entering a safety state monitoring mode, acquiring a real-time network flow data characteristic value of the industrial control equipment;

inserting the real-time network flow data characteristic values into a barrel-tree two-dimensional index for quick sequencing to obtain sequenced second data, and calculating a real-time experience cumulative distribution function corresponding to the second data;

adopting K-S test to calculate the coincidence degree of the probability distribution function and the real-time experience cumulative distribution function corresponding to the normal safety state of the industrial control equipment, and obtaining a check deviation value;

and when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state.

As one preferable mode, the data distribution model at least comprises a gaussian distribution model, a lognormal distribution model, a poisson distribution model, a weibull distribution model, a gamma distribution model and an exponential distribution model.

As one preferable scheme, the selecting a plurality of data distribution models, and performing fitting analysis on the fitting samples by adopting a maximum likelihood estimation method one by one to obtain corresponding fitting probability distribution functions, specifically including:

selecting a data distribution model from a plurality of data distribution models;

calculating likelihood functions corresponding to the data distribution model, wherein the likelihood functions are as follows:

wherein L (theta) is a likelihood function, X is a network flow data characteristic value set in acquisition time, and theta is a model parameter of a selected data distribution model;

taking the logarithm of the likelihood function to obtain a log likelihood function as follows:

deriving the log-likelihood function to obtain a corresponding maximum likelihood estimation parameter value;

and carrying the maximum likelihood estimation parameter value into an accumulated distribution function corresponding to the selected characteristic distribution model for calculation, wherein the calculation formula is as follows:

wherein ,for accumulating distribution functions +.>Estimating parameter values for the maximum likelihood;

repeating the steps until the maximum likelihood estimation parameter values and the accumulated distribution function corresponding to all the data distribution models are obtained.

As one preferable solution, the quick sorting of the check samples by adopting a bucket-tree two-dimensional indexing method specifically includes:

distinguishing the data in the check sample according to a barrel dividing mode, and storing the data in a corresponding barrel array;

and arranging the data in each bucket array according to a tree array structure.

As one preferable scheme, the calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to the K-S test specifically includes:

according to K-S test, respectively calculating a first parameter, a second parameter and a third parameter of a network flow data distribution characteristic value corresponding to the data stored in each barrel group, wherein the calculation formula is as follows:

wherein ,to reflect the first parameter of maximum forward K-S distance,/>To reflect the second parameter of the maximum inverse K-S distance,/a second parameter of the maximum inverse K-S distance is chosen>To reflect the third parameter of the feature quantity stored in the j-th bucket array, +.>Is->Barrel array corresponding to each interval, < > and the like>For probability distribution function +.>For the empirical cumulative distribution function, the calculation formula is as follows:

wherein ,indicate->Then 1;

and obtaining the K-S check fitting distance reflecting the fitting degree based on the maximum first parameter and the maximum second parameter.

Compared with the prior art, the embodiment of the application has the beneficial effects that at least one of the following points is adopted:

before entering a safety state monitoring mode, fully considering the matching degree of each model in the normal safety state of the industrial control equipment, screening and determining a target data distribution model matched with the normal safety state of the industrial control equipment, determining an abnormal state sensing threshold corresponding to the target data distribution model, then entering a real-time monitoring mode, monitoring the safety state of the industrial automation control equipment, continuously calculating the network flow data characteristic distribution in the running process of the equipment, adopting K-S test to judge the coincidence degree of the network flow data characteristic distribution and the reference characteristic distribution, and if the deviation is larger than the abnormal state sensing threshold, judging that the running state is abnormal. The whole monitoring method does not need to invade the equipment to internally install a specific program to acquire the running state of the system for safety state sensing, has low operation complexity in the whole process, and is suitable for being deployed in the industrial environment site with limited computing resources for effective safety state monitoring of industrial control equipment.

Drawings

FIG. 1 is a flow chart of a method for monitoring a safety state of an industrial automation control device in one embodiment of the present application;

FIG. 2 is a flow chart of a method for monitoring safety status of an industrial automation control device in one embodiment of the application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the application, and the purpose of these embodiments is to provide a more thorough and complete disclosure of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

In the description of the present application, the terms "first," "second," "third," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first", "a second", "a third", etc. may explicitly or implicitly include one or more such feature. In the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.

In the description of the present application, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The terms "vertical," "horizontal," "left," "right," "upper," "lower," and the like are used herein for descriptive purposes only and not to indicate or imply that the apparatus or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and therefore should not be construed as limiting the application. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.

In the description of the present application, it should be noted that all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs unless defined otherwise. The terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application, as the particular meaning of the terms described above in the present application will be understood to those of ordinary skill in the art in the detailed description of the application.

The embodiment of the application provides a method for monitoring the safety state of industrial automation control equipment, which needs to be described in advance, wherein the conventional method (or sensing method) for monitoring the safety of an industrial control terminal comprises the following steps: 1) The system operation monitoring system is used for identifying possible security threats by collecting various volumes in the operation process of the industrial control terminal and analyzing the behavior mode, and triggering an alarm or taking corresponding defensive measures; 2) Access control: access to the key system is limited by performing access control on the industrial control terminal, potential security threat is reduced, and external attack threat is prevented by strengthening password policy, limiting privileged access, implementing firewall and access control list and the like; 3) Security audit and log analysis: through the security audit and log analysis of the industrial control terminal, the security events and abnormal behaviors in the system can be tracked and analyzed. This helps to discover potential attack activities and security threats in time and take appropriate action to respond and defend.

However, the above methods belong to the invasive sensing methods, and require the acquisition and analysis of the state by installing a program in the industrial control equipment, which causes a certain interference to the normal operation of the industrial control equipment, and cannot effectively meet the requirements of the industrial control operation site on the system operation continuity, the system stability and the system response instantaneity. In contrast to invasive methods, non-invasive awareness does not require any intervention on the target system, but rather information is obtained by passively listening and observing the behavior, interactions and communications of the target system. The non-invasive sensing method has the advantages that normal operation of the target system is not affected, and safety monitoring can be performed under the condition of high real-time requirements. However, there are some limitations in the non-invasive sensing method, and the existing method relies on passively monitoring and observing the behavior of the target system, which generally requires a large amount of data collection and analysis, and has relatively large consumption of computing resources, relatively low real-time sensing performance, and no timely effective discovery of the abnormality of the system security state.

According to the embodiment of the application, the sensing problem of the safety state is converted into the characteristic matching problem, the network flow data distribution characteristic of the industrial control equipment in the safety operation state is firstly used as the reference distribution characteristic, the deviation between the data distribution characteristic and the reference distribution characteristic of the system in the actual operation process is judged by adopting a statistical test mode to rapidly judge the safety state of the system, and the technical problems that a large amount of observation data needs to be collected, a large amount of calculation resources are needed and the response time is not timely in the traditional non-invasive safety state sensing method can be solved.

Referring to fig. 1 to fig. 2, fig. 1 is a schematic flow chart of a method for monitoring a safety state of an industrial automation control device according to one embodiment of the present application, and fig. 2 is a block flow chart of a method for monitoring a safety state of an industrial automation control device according to one embodiment of the present application, where the monitoring method specifically includes:

s1, before entering a safety state monitoring mode, collecting a network flow data characteristic value of industrial control equipment in a normal safety state, and dividing the network flow data characteristic value into a fitting sample and a verification sample;

s2, selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples by adopting a maximum likelihood estimation method one by one to obtain corresponding fitting probability distribution functions;

s3, rapidly sequencing the check samples by adopting a bucket-tree two-dimensional indexing method to obtain sequenced first data, and calculating an experience cumulative distribution function corresponding to the first data;

s4, calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to K-S test;

s5, determining a target data distribution model matched with the normal safety state of the industrial control equipment, and determining an abnormal state perception threshold corresponding to the target data distribution model;

s6, after entering a safety state monitoring mode, acquiring a real-time network flow data characteristic value of the industrial control equipment;

s7, inserting the real-time network flow data characteristic values into a barrel-tree two-dimensional index for quick sorting to obtain sorted second data, and calculating a real-time experience cumulative distribution function corresponding to the second data;

s8, adopting K-S test, and calculating the coincidence degree of the probability distribution function and the real-time experience cumulative distribution function corresponding to the normal safety state of the industrial control equipment to obtain a check deviation value;

and S9, when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state.

In order to monitor the safety state of industrial automation control equipment, the general TCP/IP protocol network data flow of the industrial control equipment is selected as the collected data. The whole implementation process comprises a network flow data distribution characteristic extraction stage of the normal safety state of the industrial control equipment and an abnormal safety state sensing stage of the industrial control equipment. Specifically, the above embodiment includes two steps, namely, a first step (corresponding to the steps S1 to S5) before entering the safety state monitoring mode, and a second step (corresponding to the steps S6 to S9) after entering the safety state monitoring mode.

1. In the network flow data distribution characteristic extraction stage of the normal safety state of the industrial control equipment, the specific steps are as follows:

and step 1, collecting characteristic values of network flow data of industrial control equipment in a normal safety state, and dividing the characteristic values into a fitting sample and a checking sample.

In step 1, the TCP/IP network data of the industrial control device is collected, and various information of the data packet including the source IP address, the destination IP address, the protocol type, the data packet length, etc. are obtained, and the content of the data packet may be further analyzed, and deeper information, such as an application layer protocol, user behavior, etc., may be extracted, where these information constitute the characteristic value of the network traffic data. Preferably, the fitting sample and the verification sample use 1:1, and the acquisition time is preferably 30 minutes.

Step 2, selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples by adopting maximum likelihood estimation one by one to obtain a fitting probability distribution function;

in the step 2, in the first step, a data distribution model is selected from a plurality of data distribution models to be selected, where the data distribution models selectable in the implementation include gaussian distribution, lognormal distribution, poisson distribution, weibull distribution, gamma distribution, exponential distribution, and the like, and the probability density function, cumulative distribution function, and related parameters corresponding to the data distribution models are described in the following table:

in the step 2, a second step of calculating likelihood functions of the data distribution model; the likelihood function is defined as follows:

wherein Representing likelihood functions +.>For collecting characteristic value set of network flow data in time, < +.>Parameters for the feature distribution model are shown in the table above. The likelihood function is given parameter->Down->Is a probability of occurrence of (a).

Data distributed independently and simultaneously->Composition, thus likelihood function->Can be decomposed into->At a given parameter->The probability product is expressed as follows:

in the step 2, in the third step, the log likelihood function takes the log to obtain a log likelihood function, which is expressed as follows:

in the fourth step of the above step 2, the log likelihood function is used for the followingDeriving and zeroing to obtainThe parameter corresponding to the maximum value is called maximum likelihood estimation parameter value +.>。

In the above step 2, the fifth stepEstimating the maximum likelihood parameter valueThe integrated distribution function CDF is carried into the integrated distribution function CDF corresponding to the characteristic distribution model for calculation, and the integrated distribution function CDF of each characteristic distribution model is shown in the table.

The function is used for representing when the characteristic distribution model parameters areTime sample variable +.>Less than value->Probability of time.

In the sixth step in the above step 2, the steps 2.1 to 2.5 are repeatedly performed until all feature distribution models are calculated and />。

Step 3, rapidly sorting the check samples by adopting a barrel-tree two-dimensional index, and calculating an experience cumulative distribution function ECDF for the sorted data;

in the step 3, in the first step, the data are distinguished according to the barrel division mode and stored in the barrel array. The process is that the value range of the collected network flow data value is uniformly divided into m intervals, each interval corresponds to one barrel, and then the data value is determined and stored in a specific barrel;

for example, assuming the current 10 data, the data values are 0.5, 1.5, 2.5, 3.5, 4.5, 5.5, 6.5, 7.5, 8.5.9.5 in order. The array value range is 0-10, the setting is divided into m=5 intervals, and each interval is mapped into a barrel. Each of which isThe ranges of the buckets are [0, 2), [2, 4), [4, 6), [6, 8) and [8,10 ], respectively. Each data will then be allocated into a corresponding bucket according to its size. For example, data 0.5 and 1.5 would be placed in the first bucket, 2.5 and 3.5 would be placed in the second bucket, and so on. If there is a new data, e.g. 3, it will be put directly into the second bucket. The main advantage of this is that the efficiency of data querying and ordering can be greatly improved by directly accessing the corresponding buckets, rather than traversing all the data. This approach would be able to address one of the needs that would otherwise be requiredThe ordering problem of the temporal complexity is reduced to +.>Is a complex time of the system.

In the step 3, in the second step, the data in the bucket is arranged according to a tree array structure, wherein the tree array size is n+1, and n is the maximum number of the data which can be stored.

The internal structure of a tree array can be seen as a special binary tree, where each node contains a range of prefix sums of elements. This binary tree can be generated by a smart encoding scheme.

In the specific implementation process, the generation mode of the binary tree inside the tree array adopts a low-order generation method: 1) First, given a tree-like array of length n, the index of the array is encoded from 1 to n. Index 0 is not used. 2) For each node in the tree array, its corresponding index value is denoted index, and the range of nodes is from [ index-lowbit (index) +1, index ]. lowbit (index) refers to the value represented by the 1 of the lowest bit of index. lowbit (index) =index & -index. 3) Starting from the root node (index 1), the left and right child nodes of each node are generated in turn. For node index, the index of the left child node is index+lowbit (index), and the index of the right child node is index+1. 4) Repeating the steps until all nodes are generated.

By the generation mode, a binary tree structure with a correct node range can be constructed. Each node stores a prefix sum of elements within a corresponding range.

Step 4, calculating the fitting degree of the fitting probability distribution function and the experience cumulative distribution function by adopting K-S test;

in the step 4, in the first step, the collected network traffic data distribution characteristic value is calculated for the data stored in each barrelThree parameters, the calculation formula of which is defined as follows:

wherein Is->Barrel corresponding to each interval, probability distribution function->Indicating when the distribution model parameter value is +.>The time characteristic value is less than or equal to%>Probability of->Is an abbreviation for empirical cumulative distribution function (Empirical Cumulative Distribution Function) for describing the cumulative distribution of random variablesA non-parametric tool. Which is calculated from the sample data. />Representing that the characteristic value is less than or equal to +.>The calculation formula is as follows:

wherein Indicate->Then it is 1.

Namely, the maximum forward K-S distance and the maximum reverse K-S distance obtained by K-S check calculation are +.>For storage at->And (3) rapidly counting the feature quantity in each barrel by using the tree-shaped array in the barrel in the step (3).

In the step 4, in the second step, all buckets in the bucket array are traversed and calculatedMaximum +.>The absolute value of (2) is taken as the K-S check fitting distance of the characteristic distribution model and is recorded as +.>The calculation formula is as follows:

step 5, calculating all characteristic distribution modelsValue, will->The characteristic distribution model with the minimum value is the data distribution model with the highest fitting degree of the normal safety state of the industrial control equipment, and is used as the reference distribution characteristic of the normal safety state of the industrial control equipment. At the same time +.>The value serves as an abnormal state perception threshold.

2. The industrial control equipment abnormal safety state sensing and monitoring stage comprises the following specific steps:

step 1, acquiring a network flow data characteristic value, namely a real-time network flow data characteristic value, in the running process of industrial control equipment;

step 2, inserting the newly acquired numerical values into the barrel-tree two-dimensional indexes to carry out quick sorting, simultaneously counting the number of the inserted numerical values in each barrel, and calculating an experience cumulative distribution function for the sorted data, wherein the specific calculation process is as described above;

step 3, adopting K-S test to calculate the coincidence degree of the probability distribution function corresponding to the standard distribution characteristic of the normal safety state of the industrial control equipment and the experience cumulative distribution function to obtain a check deviation value;

and step 4, judging that the industrial control equipment is in an abnormal safety state when the check deviation value is larger than the abnormal state sensing threshold value.

Another embodiment of the present application provides an industrial automation control device safety state monitoring apparatus, comprising a processor configured to:

before entering a safety state monitoring mode, collecting a network flow data characteristic value of industrial control equipment in a normal safety state, and dividing the network flow data characteristic value into a fitting sample and a checking sample;

selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples one by adopting a maximum likelihood estimation method to obtain corresponding fitting probability distribution functions;

rapidly sequencing the check samples by adopting a bucket-tree two-dimensional indexing method to obtain sequenced first data, and calculating an experience cumulative distribution function corresponding to the first data;

calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to K-S test;

determining a target data distribution model matched with the normal safety state of industrial control equipment, and determining an abnormal state perception threshold corresponding to the target data distribution model;

after entering a safety state monitoring mode, acquiring a real-time network flow data characteristic value of the industrial control equipment;

inserting the real-time network flow data characteristic values into a barrel-tree two-dimensional index for quick sequencing to obtain sequenced second data, and calculating a real-time experience cumulative distribution function corresponding to the second data;

adopting K-S test to calculate the coincidence degree of the probability distribution function and the real-time experience cumulative distribution function corresponding to the normal safety state of the industrial control equipment, and obtaining a check deviation value;

and when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state.

Further, in the above embodiment, the data distribution model includes at least a gaussian distribution model, a lognormal distribution model, a poisson distribution model, a weibull distribution model, a gamma distribution model, and an exponential distribution model.

Further, in the above embodiment, the selecting a plurality of data distribution models, and performing fitting analysis on the fitting samples by using a maximum likelihood estimation method one by one to obtain a corresponding fitting probability distribution function, specifically includes:

selecting a data distribution model from a plurality of data distribution models;

calculating likelihood functions corresponding to the data distribution model, wherein the likelihood functions are as follows:

wherein L (theta) is a likelihood function, X is a network flow data characteristic value set in acquisition time, and theta is a model parameter of a selected data distribution model;

taking the logarithm of the likelihood function to obtain a log likelihood function as follows:

deriving the log-likelihood function to obtain a corresponding maximum likelihood estimation parameter value;

and carrying the maximum likelihood estimation parameter value into an accumulated distribution function corresponding to the selected characteristic distribution model for calculation, wherein the calculation formula is as follows:

wherein ,for accumulating distribution functions +.>Estimating parameter values for the maximum likelihood;

repeating the steps until the maximum likelihood estimation parameter values and the accumulated distribution function corresponding to all the data distribution models are obtained.

Further, in the foregoing embodiment, the fast sorting of the check samples by using a bucket-tree two-dimensional indexing method specifically includes:

distinguishing the data in the check sample according to a barrel dividing mode, and storing the data in a corresponding barrel array;

and arranging the data in each bucket array according to a tree array structure.

Further, in the above embodiment, the calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to the K-S test specifically includes:

according to K-S test, respectively calculating a first parameter, a second parameter and a third parameter of a network flow data distribution characteristic value corresponding to the data stored in each barrel group, wherein the calculation formula is as follows:

wherein ,to reflect the first parameter of maximum forward K-S distance,/>To reflect the second parameter of the maximum inverse K-S distance,/a second parameter of the maximum inverse K-S distance is chosen>To reflect the third parameter of the feature quantity stored in the j-th bucket array, +.>Is->Barrel array corresponding to each interval, < > and the like>For probability distribution function +.>For the empirical cumulative distribution function, the calculation formula is as follows:

wherein ,indicate->Then 1;

and obtaining the K-S check fitting distance reflecting the fitting degree based on the maximum first parameter and the maximum second parameter.

The method and the device for monitoring the safety state of the industrial automation control equipment have the beneficial effects that at least one point of the following is:

before entering a safety state monitoring mode, fully considering the matching degree of each model in the normal safety state of the industrial control equipment, screening and determining a target data distribution model matched with the normal safety state of the industrial control equipment, determining an abnormal state sensing threshold corresponding to the target data distribution model, then entering a real-time monitoring mode, monitoring the safety state of the industrial automation control equipment, continuously calculating the network flow data characteristic distribution in the running process of the equipment, adopting K-S test to judge the coincidence degree of the network flow data characteristic distribution and the reference characteristic distribution, and if the deviation is larger than the abnormal state sensing threshold, judging that the running state is abnormal. The whole monitoring method does not need to invade the equipment to internally install a specific program to acquire the running state of the system for safety state sensing, has low operation complexity in the whole process, and is suitable for being deployed in the industrial environment site with limited computing resources for effective safety state monitoring of industrial control equipment.

The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (10)

1. A method for monitoring the safety state of industrial automation control equipment, comprising the steps of:

before entering a safety state monitoring mode, collecting a network flow data characteristic value of industrial control equipment in a normal safety state, and dividing the network flow data characteristic value into a fitting sample and a checking sample;

selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples one by adopting a maximum likelihood estimation method to obtain corresponding fitting probability distribution functions;

rapidly sequencing the check samples by adopting a bucket-tree two-dimensional indexing method to obtain sequenced first data, and calculating an experience cumulative distribution function corresponding to the first data;

calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to K-S test;

determining a target data distribution model matched with the normal safety state of industrial control equipment, and determining an abnormal state perception threshold corresponding to the target data distribution model;

after entering a safety state monitoring mode, acquiring a real-time network flow data characteristic value of the industrial control equipment;

inserting the real-time network flow data characteristic values into a barrel-tree two-dimensional index for quick sequencing to obtain sequenced second data, and calculating a real-time experience cumulative distribution function corresponding to the second data;

adopting K-S test to calculate the coincidence degree of the probability distribution function and the real-time experience cumulative distribution function corresponding to the normal safety state of the industrial control equipment, and obtaining a check deviation value;

and when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state.

2. The method of claim 1, wherein the data distribution model includes at least a gaussian distribution model, a lognormal distribution model, a poisson distribution model, a weibull distribution model, a gamma distribution model, and an exponential distribution model.

3. The method for monitoring the safety state of industrial automation control equipment according to claim 2, wherein the selecting a plurality of data distribution models, and performing fitting analysis on the fitting samples by adopting a maximum likelihood estimation method one by one to obtain corresponding fitting probability distribution functions, specifically comprises:

selecting a data distribution model from a plurality of data distribution models;

calculating likelihood functions corresponding to the data distribution model, wherein the likelihood functions are as follows:

wherein L (theta) is a likelihood function, X is a network flow data characteristic value set in acquisition time, and theta is a model parameter of a selected data distribution model;

taking the logarithm of the likelihood function to obtain a log likelihood function as follows:

deriving the log-likelihood function to obtain a corresponding maximum likelihood estimation parameter value;

and carrying the maximum likelihood estimation parameter value into an accumulated distribution function corresponding to the selected characteristic distribution model for calculation, wherein the calculation formula is as follows:

wherein ,for accumulating distribution functions +.>Estimating parameter values for the maximum likelihood;

repeating the steps until the maximum likelihood estimation parameter values and the accumulated distribution function corresponding to all the data distribution models are obtained.

4. The method for monitoring the safety state of industrial automation control equipment according to claim 3, wherein the fast sorting of the check samples by adopting a bucket-tree two-dimensional indexing method specifically comprises:

distinguishing the data in the check sample according to a barrel dividing mode, and storing the data in a corresponding barrel array;

and arranging the data in each bucket array according to a tree array structure.

5. The method for monitoring the safety state of an industrial automation control device according to claim 4, wherein the calculating the fitting degree of each fitting probability distribution function and the corresponding empirical cumulative distribution function according to the K-S test specifically comprises:

according to K-S test, respectively calculating a first parameter, a second parameter and a third parameter of a network flow data distribution characteristic value corresponding to the data stored in each barrel group, wherein the calculation formula is as follows:

wherein ,to reflect the first parameter of maximum forward K-S distance,/>To reflect the second parameter of the maximum inverse K-S distance,/a second parameter of the maximum inverse K-S distance is chosen>To reflect the third parameter of the feature quantity stored in the j-th bucket array, +.>Is->Barrel array corresponding to each interval, < > and the like>For probability distribution function +.>For the empirical cumulative distribution function, the calculation formula is as follows:

wherein ,indicate->Then 1;

and obtaining the K-S check fitting distance reflecting the fitting degree based on the maximum first parameter and the maximum second parameter.

6. An industrial automation control device safety state monitoring apparatus comprising a processor configured to:

before entering a safety state monitoring mode, collecting a network flow data characteristic value of industrial control equipment in a normal safety state, and dividing the network flow data characteristic value into a fitting sample and a checking sample;

selecting a plurality of data distribution models, and carrying out fitting analysis on the fitting samples one by adopting a maximum likelihood estimation method to obtain corresponding fitting probability distribution functions;

rapidly sequencing the check samples by adopting a bucket-tree two-dimensional indexing method to obtain sequenced first data, and calculating an experience cumulative distribution function corresponding to the first data;

calculating the fitting degree of each fitting probability distribution function and the corresponding experience cumulative distribution function according to K-S test;

determining a target data distribution model matched with the normal safety state of industrial control equipment, and determining an abnormal state perception threshold corresponding to the target data distribution model;

after entering a safety state monitoring mode, acquiring a real-time network flow data characteristic value of the industrial control equipment;

inserting the real-time network flow data characteristic values into a barrel-tree two-dimensional index for quick sequencing to obtain sequenced second data, and calculating a real-time experience cumulative distribution function corresponding to the second data;

adopting K-S test to calculate the coincidence degree of the probability distribution function and the real-time experience cumulative distribution function corresponding to the normal safety state of the industrial control equipment, and obtaining a check deviation value;

and when the check deviation value is larger than the abnormal state sensing threshold value, judging that the industrial control equipment is in an abnormal safety state.

7. The industrial automation control device safety state monitoring device of claim 6, wherein the data distribution model includes at least a gaussian distribution model, a lognormal distribution model, a poisson distribution model, a weibull distribution model, a gamma distribution model, and an exponential distribution model.

8. The apparatus for monitoring the safety state of an industrial automation control device according to claim 7, wherein the selecting the plurality of data distribution models, performing fitting analysis on the fitting samples by using a maximum likelihood estimation method one by one, and obtaining a corresponding fitting probability distribution function, specifically includes:

selecting a data distribution model from a plurality of data distribution models;

calculating likelihood functions corresponding to the data distribution model, wherein the likelihood functions are as follows:

wherein L (theta) is a likelihood function, X is a network flow data characteristic value set in acquisition time, and theta is a model parameter of a selected data distribution model;

taking the logarithm of the likelihood function to obtain a log likelihood function as follows:

deriving the log-likelihood function to obtain a corresponding maximum likelihood estimation parameter value;

and carrying the maximum likelihood estimation parameter value into an accumulated distribution function corresponding to the selected characteristic distribution model for calculation, wherein the calculation formula is as follows:

wherein ,for accumulating distribution functions +.>Estimating parameter values for the maximum likelihood;

repeating the steps until the maximum likelihood estimation parameter values and the accumulated distribution function corresponding to all the data distribution models are obtained.

9. The industrial automation control device safety state monitoring apparatus of claim 8, wherein the fast sorting of the check samples by bucket-tree two-dimensional indexing method comprises:

distinguishing the data in the check sample according to a barrel dividing mode, and storing the data in a corresponding barrel array;

and arranging the data in each bucket array according to a tree array structure.

10. The industrial automation control device safety state monitoring apparatus of claim 9, wherein the calculating the fitting degree of each of the fitting probability distribution functions and the corresponding empirical cumulative distribution function according to the K-S test specifically includes:

according to K-S test, respectively calculating a first parameter, a second parameter and a third parameter of a network flow data distribution characteristic value corresponding to the data stored in each barrel group, wherein the calculation formula is as follows:

wherein ,to reflect the first parameter of maximum forward K-S distance,/>To reflect the second parameter of the maximum inverse K-S distance,/a second parameter of the maximum inverse K-S distance is chosen>To reflect the third parameter of the feature quantity stored in the j-th bucket array, +.>Is->Barrel array corresponding to each interval, < > and the like>For probability distribution function +.>For the empirical cumulative distribution function, the calculation formula is as follows:

wherein ,indicate->Then 1;

and obtaining the K-S check fitting distance reflecting the fitting degree based on the maximum first parameter and the maximum second parameter.