CN117879838A - Abnormality detection method and device for network data of industrial side equipment and electronic equipment - Google Patents


Info

Publication number
CN117879838A
Authority
CN
China
Prior art keywords
network
normal
data
network data
period
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210987166.1A
Other languages
Chinese (zh)
Inventor
黄麟
宋志刚
高莎
艾思岐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guoqi Zhimou Chongqing Technology Co ltd
Original Assignee
Guoqi Zhimou Chongqing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guoqi Zhimou Chongqing Technology Co ltd
Priority to CN202210987166.1A
Publication of CN117879838A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method, a device, electronic equipment and a storage medium for detecting anomalies in the network data of industrial edge devices. The method acquires the number of network data interactions in a period time period, determines the normal probability of that number using a network-security-normal data distribution model obtained from a Poisson distribution, and determines whether the network data is normal based on the normal probability and a threshold probability.

Description

Abnormality detection method and device for network data of industrial side equipment and electronic equipment
Technical Field
The present disclosure relates to the field of anomaly detection technologies, and in particular, to a method and an apparatus for detecting anomalies in network data of an industrial edge device, an electronic device, and a storage medium.
Background
Against the broad background of China's strong push for the digital and intelligent transformation of manufacturing, demand for factory digitalization and intelligent transformation is growing in every manufacturing sub-sector. As manufacturing plants are upgraded, network security problems become increasingly serious because of the huge number of edge devices and their need to interact over the network with cloud services. Cloud service resources are relatively mature, network security products for them are abundant, and cloud server rooms are relatively closed and hard to breach by physical means, so cloud network security is more mature and stable than edge network security. Industrial edge networks are built at a relatively small scale, edge servers and similar equipment sit in a harsh factory environment, and the network environment is frequently exposed to various physical means, so securing the industrial edge network is harder than securing the cloud. To address these problems, we should consider not only the use of the corresponding network security devices but also deeper inspection of network data packets at the software source of network data transmission.
At present, the data that must be checked for network attacks falls into two categories. First, data sent from the sensing devices to the edge computing end is mainly attacked in two ways, forged detection data and DDoS attacks, which fundamentally affect detection efficiency and reduce or even halt the output of the production line. Second, data uploaded from the edge computing end to the cloud can be hit by DDoS attacks and can also carry Trojans, viruses and the like, which can directly cause cloud service downtime, data loss and so on. Data in both categories is therefore a priority for monitoring; if network attacks can be identified effectively, production efficiency can be greatly improved and the direct impact of network attacks reduced.
The prior art methods mainly comprise the following two methods:
1) Clustering-based method
Cluster-based anomaly detection methods typically rely on the following assumptions: a) normal data instances belong to a cluster in the data, while abnormal data instances do not belong to any cluster; b) normal data instances are close to their nearest cluster centroid, while abnormal data instances are far from their nearest cluster centroid; c) normal data instances belong to large and dense clusters, while abnormal data instances belong to small or sparse clusters. After the data is grouped into clusters, the outliers are the data that belong to a small cluster, belong to no cluster, or lie far from the cluster center. The disadvantage of the clustering-based method is that DDoS attack data, which is high in volume and uniform in its features, can form a new cluster of its own in which all data lie very close to the centroid, even closer than the data in the normal cluster. Such data cannot be distinguished from the normal cluster by the small-cluster or sparse-cluster criteria, so it is very easily missed. In addition, for a forged-packet attack, if the features of the forged packets are very close to normal data, it is difficult to screen them out as outliers by analysing the distribution of the data in normal clusters.
2) Classification-based method
The representative method is the One-Class SVM. Its principle is to find a hyperplane that encloses the positive examples in the samples; prediction uses this hyperplane to make the decision, and samples inside the enclosed region are regarded as positive samples. Since kernel function computation is time-consuming, it is not very useful in scenarios with massive data. The drawback of the classification-based method is that massive data needs to be marked, which is time-consuming and error-prone, and the overall detection accuracy suffers if there is too much erroneous data. In addition, because kernel function calculation is time-consuming, detection efficiency is very low under massive data and it is difficult to keep up with the detection beat of the massive network data packets in a time period, so network attacks are discovered late, the best time to solve the problem is missed, and losses result.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the invention and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
The application provides an abnormality detection method and device for network data of industrial side equipment, electronic equipment and a storage medium, and aims to solve the problem that network data abnormality of the side equipment cannot be accurately detected in the related technology.
In a first aspect, the present application provides a method for detecting an abnormality of network data of an industrial side device, where the method for detecting an abnormality of network data of an industrial side device includes: acquiring network data interaction times of the side equipment in a period time period, and determining a network security normal data distribution model corresponding to the period time period, wherein the network security normal data distribution model is obtained based on poisson distribution; calculating the normal probability of the network data interaction times according to the data distribution model with normal network security; and comparing the normal probability with a threshold probability to obtain a comparison result, wherein the comparison result is used for determining whether the network data arranged at the side end is normal or not.
In some examples, before determining the data distribution model for which the network security is normal for the period of time, the method further comprises: acquiring historical network interaction frequency data in a normal state, wherein the historical network interaction frequency data comprises historical network data interaction frequencies corresponding to a plurality of period time periods; dividing each period time period into a plurality of historical time periods by taking preset duration as an interval, and calculating poisson distribution of the historical time periods in each period time period to obtain a data distribution model corresponding to each period time period, wherein the data distribution model is safe and normal in the network.
In some examples, calculating the normal probability of the network data interaction times according to the data distribution model with normal network security includes: dividing the period time period into a plurality of time periods by taking the preset duration as an interval, and acquiring the network data interaction times in each time period; calculating the average value of the network data interaction times in each period of the periodic time periods; and taking the mean value into the data distribution model with normal network security, and obtaining the normal probability.
In some examples, comparing the normal probability with a threshold probability to obtain a comparison result, where the comparison result is used to determine whether the network data set at the edge is normal, including: and when the comparison result is that the normal probability is lower than the threshold probability, judging that the network data is abnormal in a period time.
In some examples, the normal probability is compared to a threshold probability, and after the comparison, the method further comprises: and outputting abnormal alarm information when the comparison result is that the network data of the side equipment is abnormal.
In a second aspect, the present application provides an abnormality detection apparatus for industrial side equipment network data, the abnormality detection apparatus for industrial side equipment network data including: the acquisition module is used for acquiring the network data interaction times of the side equipment in the period time, and determining a network security normal data distribution model corresponding to the period time, wherein the network security normal data distribution model is obtained based on poisson distribution; the calculation module is used for calculating the normal probability of the network data interaction times according to the data distribution model with normal network security; and the comparison module is used for comparing the normal probability with a threshold probability to obtain a comparison result, and the comparison result is used for determining whether the network data arranged at the side end are normal or not.
In some examples, the abnormality detection apparatus of industrial side device network data further includes: a model building module; the model building module is used for obtaining historical network interaction frequency data in a normal state, wherein the historical network interaction frequency data comprises historical network data interaction frequencies corresponding to a plurality of historical period time periods; dividing each historical period time period into a plurality of historical time periods by taking preset duration as an interval, and calculating poisson distribution of the historical time periods in each historical period time period to obtain a data distribution model corresponding to each historical period time period and having normal network security.
In some examples, the computing module is further to: dividing the period time period into a plurality of time periods by taking the preset duration as an interval, and acquiring the network data interaction times in each time period; calculating the average value of the network data interaction times in each period of the periodic time periods; and taking the mean value into the data distribution model with normal network security, and obtaining the normal probability.
In a third aspect, an electronic device is provided, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
and the processor is used for realizing the step of the abnormality detection method of the industrial side equipment network data according to any one of the embodiments of the first aspect when executing the program stored in the memory.
In a fourth aspect, a computer readable storage medium is provided, on which a computer program is stored, which when being executed by a processor, implements the steps of the method for detecting anomalies in industrial premises equipment network data according to any of the embodiments of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
the method for detecting the abnormality of the network data of the industrial side equipment provided by the embodiment of the application comprises the following steps: acquiring network data interaction times of the side equipment in a period time period, and determining a network security normal data distribution model corresponding to the period time period, wherein the network security normal data distribution model is obtained based on poisson distribution; calculating the normal probability of the network data interaction times according to the data distribution model with normal network security; comparing the normal probability with a threshold probability to obtain a comparison result, wherein the comparison result is used for determining whether the network data set at the side end is normal or not, and the embodiment determines the normal probability of the network data interaction times based on the poisson distribution obtained network safety normal data distribution model, and determines whether the network data is normal or not based on the normal probability and the threshold probability.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a basic flow diagram of an alternative method for detecting abnormality of network data of an industrial side device according to an embodiment of the present application;
fig. 2 is a schematic basic structure diagram of an alternative abnormality detection apparatus for network data of an industrial side device according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
In order to solve the problem that in the related art, network data anomalies of an edge device cannot be accurately detected, please refer to fig. 1, fig. 1 is a method for detecting anomalies of network data of an industrial edge device, where the method for detecting anomalies of network data of an industrial edge device includes:
S101, acquiring network data interaction times of a side device in a period time, and determining a network security normal data distribution model corresponding to the period time, wherein the network security normal data distribution model is obtained based on Poisson distribution;
S102, calculating the normal probability of the network data interaction times according to the data distribution model with normal network security;
S103, comparing the normal probability with a threshold probability to obtain a comparison result, wherein the comparison result is used for determining whether the network data set at the side end are normal or not.
The method for detecting the abnormality of the network data of the industrial side device provided in the embodiment is applied to the terminal and/or the server, that is, the method for detecting the abnormality of the network data of the industrial side device may be executed by the terminal or the server alone or by the terminal and the server together, where the terminal is implemented in various forms. For example, the terminals described in the present invention may include mobile terminals such as cell phones, tablet computers, notebook computers, palm computers, personal digital assistants (Personal Digital Assistant, PDA), portable media players (Portable Media Player, PMP), navigation devices, wearable devices, smart bracelets, pedometers, and fixed terminals such as digital TVs, desktop computers, and the like.
In some examples of this embodiment, before determining the network-security-normal data distribution model corresponding to the period time period, the method further includes: acquiring historical network interaction count data in a normal state, where the historical network interaction count data includes the historical network data interaction counts corresponding to a plurality of period time periods; dividing each period time period into a plurality of historical time periods at intervals of a preset duration, and calculating the Poisson distribution of the historical time periods within each period time period, thereby obtaining the network-security-normal data distribution model corresponding to each period time period.
In some examples of this embodiment, calculating the normal probability of the number of network data interactions according to the network-security-normal data distribution model includes: dividing the period time period into a plurality of time periods at intervals of the preset duration, and acquiring the number of network data interactions in each time period; calculating the mean of the number of network data interactions over the time periods of the period time period; and substituting the mean into the network-security-normal data distribution model to obtain the normal probability. For example, one hour can be used as the period time period and the preset duration set to ten minutes.
In some examples of this embodiment, comparing the normal probability with a threshold probability to obtain a comparison result, where the comparison result is used to determine whether the network data of the edge device is normal, includes: when the comparison result is that the normal probability is lower than the threshold probability, judging that the network data in the period time period is abnormal. Conversely, when the comparison result is that the normal probability is higher than the threshold probability, judging that the network data in the period time period is normal.
In some examples of this embodiment, the normal probability is compared with a threshold probability, and after the comparison result is obtained, the method further includes: and when the comparison result is that the network data of the side equipment is abnormal, outputting abnormal alarm information so as to remind related personnel that the network data is abnormal and processing the network data.
It can be understood that the volume of network data transmitted from the various sensing devices to the edge device, and from the edge device to the cloud service, is very large in the different time periods of each day. To improve detection efficiency and to learn the discrete data characteristics within a time period effectively, this method for detecting anomalies in the network data of industrial edge devices is provided. Taking one day as the cycle and each hour as an independent period, the method collects, for each edge device, the average number of network data interactions per 10 minutes and calculates the Poisson distribution for each hour of the day.
In the actual real-time detection process, the number of network data interactions is randomly sampled within each one-hour period of the day, and the normal probability of the sampled number is calculated. Because the detection beat of the edge device is fixed, the data interaction frequency is relatively fixed, so a higher threshold probability is set to ensure that network attacks are detected accurately; preferably, the threshold probability is set to 0.9.
It is then judged whether the normal probability of the number of network data interactions in each period exceeds the threshold. If so, the number of network data interactions is judged to be normal; if not, the data is judged to be network attack data.
The early warning service then sends the network attack warning to the industrial edge network operation and maintenance personnel for investigation and threat handling.
24 hours of historical network interaction count data are acquired in the normal state, and the distribution of the historical interaction counts for each hour is used as the data distribution model for judging whether network security is normal at that time. The λ value of the Poisson distribution is then calculated for each hour's historical interaction count data at 10-minute intervals. Assuming the historical network interaction count in each 10-minute interval of an hour is X_i (i = 0, 1, 2, …, n), the Poisson distribution likelihood function of the historical network interaction count data is as follows:
That is, λ is the mean of the number of network interactions per 10 minutes in an hour. Substituting λ into the Poisson distribution probability density function gives the following:
The method can determine, for every 10 minutes in an hour, whether the network interaction data is under network attack. For example, under normal conditions the average number of network interactions between the sensing device and the edge computing device is 3 per 10 minutes in a certain hour, i.e. λ = 3. If in some 10-minute interval the network is under a DDoS attack and the number of network interactions reaches X = 8, the formula gives f(X) = 0.008, which is a very low probability; since the probability threshold is set to 0.9, this is judged to be a network attack.
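Added example, not part of the patent text: a Python implementation of the per-hour model described above (λ as the mean of the 10-minute counts, then the Poisson probability of an observed count), reproducing the λ = 3, X = 8 case. It also shows that the Poisson probability of a single count cannot reach 0.9 when λ = 3, so every interval falls below that threshold, and it therefore scores an upper-tail probability alongside it; the tail rule, its `tail_alpha` cut-off, the function names and the sample counts are assumptions of this example.

```python
import math
from statistics import mean

# Constructed sample: 10-minute interaction counts observed in the normal
# state, keyed by hour of day (several days of history may be concatenated).
HISTORY = {
    9: [3, 2, 4, 3, 3, 3],
    10: [12, 9, 11, 10, 8, 10],
}


def fit_hourly_lambdas(history):
    """Per-hour Poisson rate: the maximum-likelihood lambda is the sample mean."""
    return {hour: float(mean(counts)) for hour, counts in history.items() if counts}


def poisson_pmf(x, lam):
    """P(X = x) for X ~ Poisson(lam), in log space so large counts do not overflow."""
    if x < 0:
        return 0.0
    if lam <= 0:
        return 1.0 if x == 0 else 0.0
    return math.exp(x * math.log(lam) - lam - math.lgamma(x + 1))


def max_pmf(lam):
    """Largest value the PMF can take for this lambda (attained at floor(lam))."""
    return poisson_pmf(math.floor(lam), lam)


def poisson_upper_tail(x, lam):
    """P(X >= x): chance of a count at least this large under the normal model."""
    return max(0.0, 1.0 - sum(poisson_pmf(k, lam) for k in range(x)))


def score_interval(count, lam, pmf_threshold=0.9, tail_alpha=0.02):
    """Score one 10-minute count against the hour's model.

    flag_by_pmf_rule follows the text literally (probability below 0.9).
    flag_by_tail_rule is this example's assumption: flag only counts whose
    upper-tail probability is below tail_alpha (a constructed cut-off).
    """
    pmf = poisson_pmf(count, lam)
    tail = poisson_upper_tail(count, lam)
    return {
        "pmf": pmf,
        "upper_tail": tail,
        "flag_by_pmf_rule": pmf < pmf_threshold,
        "flag_by_tail_rule": tail < tail_alpha,
    }


if __name__ == "__main__":
    lambdas = fit_hourly_lambdas(HISTORY)
    lam = lambdas[9]
    print(f"hour 9: lambda={lam}, max PMF={max_pmf(lam):.3f}")
    for count in (3, 8):  # a typical interval and the burst from the text
        r = score_interval(count, lam)
        print(count, f"pmf={r['pmf']:.4f}", f"tail={r['upper_tail']:.4f}",
              r["flag_by_pmf_rule"], r["flag_by_tail_rule"])
```

The tail rule here only looks for bursts; a drop in traffic would need the lower tail scored in the same way.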
The method for detecting the abnormality of the network data of the industrial side equipment provided by the embodiment of the application comprises the following steps: acquiring network data interaction times of the side equipment in a period time period, and determining a network security normal data distribution model corresponding to the period time period, wherein the network security normal data distribution model is obtained based on poisson distribution; calculating the normal probability of the network data interaction times according to the data distribution model with normal network security; comparing the normal probability with a threshold probability to obtain a comparison result, wherein the comparison result is used for determining whether the network data set at the side end is normal or not, and the embodiment determines the normal probability of the network data interaction times based on the poisson distribution obtained network safety normal data distribution model, and determines whether the network data is normal or not based on the normal probability and the threshold probability.
Based on the same concept, the present embodiment provides an abnormality detection apparatus for industrial side equipment network data, as shown in fig. 2, including:
the acquisition module 1 is used for acquiring the network data interaction times of the side equipment in the period time, and determining a network security normal data distribution model corresponding to the period time, wherein the network security normal data distribution model is obtained based on poisson distribution;
the calculation module 2 is used for calculating the normal probability of the network data interaction times according to the data distribution model with normal network security;
and the comparison module 3 is used for comparing the normal probability with a threshold probability to obtain a comparison result, wherein the comparison result is used for determining whether the network data arranged at the side end are normal or not.
In some examples of embodiments, the abnormality detection apparatus for industrial side device network data further includes: a model building module; the model building module is used for obtaining historical network interaction frequency data in a normal state, wherein the historical network interaction frequency data comprises historical network data interaction frequencies corresponding to a plurality of historical period time periods; dividing each historical period time period into a plurality of historical time periods by taking preset duration as an interval, and calculating poisson distribution of the historical time periods in each historical period time period to obtain a data distribution model corresponding to each historical period time period and having normal network security.
In some examples of this embodiment, the computing module 2 is further configured to: dividing the period time period into a plurality of time periods by taking the preset duration as an interval, and acquiring the network data interaction times in each time period; calculating the average value of the network data interaction times in each period of the periodic time periods; and taking the mean value into the data distribution model with normal network security, and obtaining the normal probability.
It should be understood that each module in the abnormality detection apparatus for industrial side equipment network data provided in this embodiment may combine and implement each step of the abnormality detection method for industrial side equipment network data, so as to achieve the same technical effects as each step of the abnormality detection method for industrial side equipment network data, which are not described herein.
As shown in fig. 3, the embodiment of the present application provides an electronic device, which includes a processor 111, a communication interface 112, a memory 113, and a communication bus 114, where the processor 111, the communication interface 112, and the memory 113 perform communication with each other through the communication bus 114,
a memory 113 for storing a computer program;
in one embodiment of the present application, the processor 111 is configured to implement the steps of the method for detecting an abnormality of network data of an industrial edge device provided in any one of the foregoing method embodiments when executing a program stored in the memory 113.
The embodiment of the application also provides a computer readable storage medium, on which a computer program is stored, the computer program implementing the steps of the method for detecting the abnormality of the network data of the industrial side device provided by any one of the method embodiments.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An anomaly detection method for industrial side equipment network data is characterized by comprising the following steps:
acquiring network data interaction times of the side equipment in a period time period, and determining a network security normal data distribution model corresponding to the period time period, wherein the network security normal data distribution model is obtained based on a Poisson distribution;
calculating the normal probability of the network data interaction times according to the network security normal data distribution model;
and comparing the normal probability with a threshold probability to obtain a comparison result, wherein the comparison result is used for determining whether the network data of the side equipment is normal.
2. The abnormality detection method for industrial side equipment network data according to claim 1, wherein before determining the network security normal data distribution model corresponding to the period time period, the method further comprises:
acquiring historical network interaction frequency data in a normal state, wherein the historical network interaction frequency data comprises historical network data interaction frequencies corresponding to a plurality of period time periods;
dividing each period time period into a plurality of historical time periods by taking a preset duration as an interval, and calculating the Poisson distribution of the historical time periods in each period time period to obtain the network security normal data distribution model corresponding to each period time period.
3. The abnormality detection method for industrial side equipment network data according to claim 2, wherein calculating the normal probability of the network data interaction times according to the network security normal data distribution model comprises:
dividing the period time period into a plurality of time periods by taking the preset duration as an interval, and acquiring the network data interaction times in each time period;
calculating the mean value of the network data interaction times in each time period of the period time period;
and substituting the mean value into the network security normal data distribution model to obtain the normal probability.
4. The abnormality detection method for industrial side equipment network data according to claim 3, wherein comparing the normal probability with a threshold probability to obtain a comparison result, the comparison result being used to determine whether the network data of the side equipment is normal, comprises:
when the comparison result is that the normal probability is lower than the threshold probability, determining that the network data is abnormal in the period time period.
5. The abnormality detection method for industrial side equipment network data according to claim 4, wherein after comparing the normal probability with the threshold probability to obtain the comparison result, the method further comprises:
outputting abnormality alarm information when the comparison result is that the network data of the side equipment is abnormal.
6. An abnormality detection apparatus for industrial side equipment network data, characterized in that the abnormality detection apparatus for industrial side equipment network data comprises:
the acquisition module is used for acquiring the network data interaction times of the side equipment in a period time period, and determining a network security normal data distribution model corresponding to the period time period, wherein the network security normal data distribution model is obtained based on a Poisson distribution;
the calculation module is used for calculating the normal probability of the network data interaction times according to the network security normal data distribution model;
and the comparison module is used for comparing the normal probability with a threshold probability to obtain a comparison result, and the comparison result is used for determining whether the network data of the side equipment is normal.
7. The abnormality detection apparatus for industrial side equipment network data according to claim 6, characterized by further comprising: a model building module;
the model building module is used for obtaining historical network interaction frequency data in a normal state, wherein the historical network interaction frequency data comprises historical network data interaction frequencies corresponding to a plurality of historical period time periods; dividing each historical period time period into a plurality of historical time periods by taking a preset duration as an interval, and calculating the Poisson distribution of the historical time periods in each historical period time period to obtain the network security normal data distribution model corresponding to each historical period time period.
8. The abnormality detection apparatus for industrial side equipment network data according to claim 7, wherein the calculation module is further configured to: divide the period time period into a plurality of time periods by taking the preset duration as an interval, and acquire the network data interaction times in each time period; calculate the mean value of the network data interaction times in each time period of the period time period; and substitute the mean value into the network security normal data distribution model to obtain the normal probability.
9. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method for detecting an abnormality of network data of an industrial side device according to any one of claims 1 to 5 when executing a program stored in a memory.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the anomaly detection method for industrial edge device network data according to any one of claims 1 to 5.
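The detection flow of claims 1 to 5, shown as an added Python example that is not part of the patent text or the applicant's implementation. Assumptions: the period labels, the sample counts and the 0.01 threshold are constructed, and "normal probability" is read as the Poisson probability mass at the rounded mean of the per-interval interaction counts.

```python
import math

def fit_models(history):
    """Claim 2: one Poisson rate per period time period, from normal-state history.
    history maps period -> list of cycles, each a list of per-interval counts."""
    models = {}
    for period, cycles in history.items():
        counts = [c for cycle in cycles for c in cycle]
        if not counts:
            raise ValueError(f"no normal-state history for period {period!r}")
        models[period] = sum(counts) / len(counts)  # MLE of lambda
    return models

def poisson_pmf(k, lam):
    """P(X = k) for X ~ Poisson(lam), computed in log space to avoid overflow."""
    if lam == 0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))

def normal_probability(counts, lam):
    """Claim 3: mean of the per-interval counts, substituted into the model.
    Assumption: the mean is rounded to an integer and scored with the PMF."""
    if not counts:
        raise ValueError("no interval counts observed")
    return poisson_pmf(round(sum(counts) / len(counts)), lam)

def check_period(period, counts, models, threshold):
    """Claims 1, 4, 5: compare with the threshold; abnormal if below it."""
    p = normal_probability(counts, models[period])
    return {"period": period, "probability": p, "abnormal": p < threshold}

# Constructed sample data: two normal-state cycles per period, six intervals each.
HISTORY = {
    "08:00-09:00": [[18, 22, 20, 19, 21, 20], [21, 19, 20, 22, 18, 20]],
    "02:00-03:00": [[2, 1, 3, 2, 2, 2], [1, 3, 2, 2, 3, 1]],
}
MODELS = fit_models(HISTORY)
THRESHOLD = 0.01  # assumed threshold probability

if __name__ == "__main__":
    observed = [
        ("08:00-09:00", [19, 21, 20, 22, 18, 20]),  # typical busy period
        ("02:00-03:00", [14, 17, 15, 16, 13, 15]),  # burst in a quiet period
        ("08:00-09:00", [0, 0, 0, 0, 0, 0]),        # device went silent
    ]
    for period, counts in observed:
        result = check_period(period, counts, MODELS, THRESHOLD)
        if result["abnormal"]:
            print(f"ALARM {period}: normal probability {result['probability']:.2e}")
```

Because the peak of a Poisson PMF falls as λ grows (roughly 1/√(2πλ)), a single fixed threshold behaves differently for busy and quiet periods and should be tuned per period.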
CN202210987166.1A 2022-08-17 2022-08-17 Abnormality detection method and device for network data of industrial side equipment and electronic equipment Pending CN117879838A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210987166.1A CN117879838A (en) 2022-08-17 2022-08-17 Abnormality detection method and device for network data of industrial side equipment and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210987166.1A CN117879838A (en) 2022-08-17 2022-08-17 Abnormality detection method and device for network data of industrial side equipment and electronic equipment

Publications (1)

Publication Number Publication Date
CN117879838A (en) 2024-04-12

Family

ID=90595386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210987166.1A Pending CN117879838A (en) 2022-08-17 2022-08-17 Abnormality detection method and device for network data of industrial side equipment and electronic equipment

Country Status (1)

Country Link
CN (1) CN117879838A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180191552A1 (en) * 2016-12-29 2018-07-05 Alcatel-Lucent Usa Inc. Network monitor and method for event based prediction of radio network outages and their root cause
CN112152833A (en) * 2019-06-29 2020-12-29 北京金山云网络技术有限公司 Network abnormity alarm method and device and electronic equipment
CN112788022A (en) * 2020-12-31 2021-05-11 山石网科通信技术股份有限公司 Flow abnormity detection method and device, storage medium and processor
CN113691507A (en) * 2021-08-05 2021-11-23 武汉卓尔信息科技有限公司 Industrial control network security detection method and system
CN117834476A (en) * 2022-08-17 2024-04-05 国器智眸(重庆)科技有限公司 Industrial side equipment abnormality detection method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN111262722B (en) Safety monitoring method for industrial control system network
US20190190938A1 (en) Anomaly detection method, learning method, anomaly detection device, and learning device
Giatrakos et al. Prediction-based geometric monitoring over distributed data streams
Fawzy et al. Outliers detection and classification in wireless sensor networks
Čisar et al. Skewness and kurtosis in function of selection of network traffic distribution
US11194902B2 (en) Side-channel attack detection using hardware performance counters
CN103561419A (en) Distributed event detection method based on correlation
CN105959316A (en) Network security authentication system
CN117439827B (en) Network flow big data analysis method
Apruzzese et al. Identifying malicious hosts involved in periodic communications
CN110825545A (en) Cloud service platform anomaly detection method and system
US20230156034A1 (en) Real-time threat detection for encrypted communications
Bebeshko et al. Use of Neural Networks for Predicting Cyberattacks.
CN115632874A (en) Method, device, equipment and storage medium for detecting threat of entity object
CN113794742B (en) High-precision detection method for FDIA of power system
Yang et al. Novel correlation analysis of alarms based on block matching similarities
CN113672912A (en) Network security monitoring system based on computer hardware indication and behavior analysis
CN117879838A (en) Abnormality detection method and device for network data of industrial side equipment and electronic equipment
de Souza et al. Performance and accuracy trade-off analysis of techniques for anomaly detection in IoT sensors
CN112256732A (en) Abnormity detection method and device, electronic equipment and storage medium
CN110287256B (en) Cloud computing-based power grid data parallel processing system and processing method thereof
Bhargava et al. Anomaly detection in wireless sensor networks using S-Transform in combination with SVM
CN117834476A (en) Industrial side equipment abnormality detection method and device, electronic equipment and storage medium
KR102343139B1 (en) Method and appartus for anomaly detectioin
Xu et al. Multi-Featured Anomaly Detection for Mobile Edge Computing Based UAV Delivery Systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination