An industrial control abnormity detection and attack classification method based on deep learning

Abstract

The invention discloses an industrial control anomaly detection and attack classification method based on deep learning, and relates to an industrial control flow feature mapping method based on Mahalanobis distance. The method considers the actual situation of an industrial control system, and is characterized by using the Mahalanobis distance between features for the correlation measurement, andconverting the original one-dimensional stream data into a two-dimensional matrix used for inputting a convolutional neural network model; and detecting and classifying by using the convolutional neural network model by analyzing the defects of the existing anomaly detection method. Meanwhile, the invention provides a feature mapping method based on the Mahalanobis distance in consideration of the characteristics of various features of an industrial control system, and the one-dimensional stream data is converted into a two-dimensional matrix used as CNN input. The method has excellent performance in the aspects of a two-classification problem and a multi-classification problem, meets the expected requirements of SCADA abnormity detection and attack classification, and provides help for the maintenance of the safety of an industrial control system.

Description

technical field [0001] The invention relates to the technical field of industrial control networks, in particular to an industrial control anomaly detection and attack classification method based on deep learning. Background technique [0002] Industrial Control Systems (ICS) is an automatic control system composed of computer equipment and industrial process control components, which plays an important role in key infrastructure fields such as railways, petrochemicals and electric power. As the process of industrial informatization continues, the closure of industrial control systems is gradually broken, and more and more information and computer technologies are widely used in the field of industrial control. This greatly increases the risk of industrial control systems being damaged by malicious programs or cyber attacks, which may cause damage to national infrastructure and cause major economic losses. [0003] Due to limited resource conditions and a relatively closed ...

AI Technical Summary

Problems solved by technology

The knowledge-based anomaly detection method analyzes system status, behavior patterns or protocol specifications under normal operating conditions, and establishes detection rules so that it can detect attacks that do not conform to the specifications. Its shortcoming is that it cannot detect potential attacks that meet normal behavior specifications; Statistical anomaly detection methods usually use analytical and statistical correlation methods to analyze the parameters of the industrial control system and establish the normal behavior profile of the system, but this method cannot precisely utilize the internal relationship of the data, at the same time, the intruder can train the detection system to treat the intrusion as Normal behavior; anomaly detection methods based on machine learning algorithms can improve the accuracy of abnormal behavior detection in industrial control environments to a certain extent, and are of great significance for establishing intelligent and efficient intrusion detection models. However, with the advent of the era of industrial big data, As the scale of industrial control network data sets continues to increase, the detection performance of traditional machine learning methods is gradually decreasing, and computing costs are also rising

In addition to the inadequacies mentioned above, it is far from enough to simply regard abnormal behavior detection as a binary classification problem

Images