A variable correlation-based PLC information security analysis model construction method

By constructing a PLC information security analysis model based on variable association, cleaning and enhancing dependency edges, the problems of weak and redundant associations in the PLC information security analysis model are solved, and high accuracy and robustness analysis under noise and data drift conditions are achieved.

CN122151701APending Publication Date: 2026-06-05GUANGZHOU UNIVERSITY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUANGZHOU UNIVERSITY
Filing Date
2026-04-27
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing PLC information security analysis models contain weak or redundant correlations, which dilute the representation weight of core control logic, making it difficult to effectively detect advanced threats. Furthermore, data drift and noise interference affect the accuracy of the analysis.

Method used

By constructing a PLC information security analysis model based on variable association, parsing the PLC code to obtain variable dependencies, constructing a weighted PLC program dependency graph, and cleaning and strengthening dependency edges through adaptive threshold modulation and nonlinear enhancement mechanisms, the accuracy and robustness of the model are improved.

Benefits of technology

It effectively removes redundant dependency edges, maintains the stability of key dependencies, significantly improves the accuracy and robustness of PLC information security analysis models, and can maintain a high signal-to-noise ratio analysis effect under data drift and noise interference conditions.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122151701A_ABST
    Figure CN122151701A_ABST
Patent Text Reader

Abstract

The application provides a PLC information security analysis model construction method based on variable association, which comprises the following steps: analyzing PLC code to obtain PLC variables, combining variable pairs according to network blocks, splicing variable pairs in a global range to obtain global variable dependency relations, constructing a weighted PLC program dependency graph according to the global variable dependency relations and SCADA log features, cleaning the relationship edges of the weighted PLC program dependency graph, and enhancing the dependency strength of the dependency edges of the cleaned weighted PLC program dependency graph to generate a PLC information security analysis model. The method can simultaneously act on two levels of structure optimization and weight optimization, and realize stable reconstruction of PLC dependency relations. Not only can the method effectively remove redundant dependency edges, but also can maintain the stability of key dependency relations under the conditions of data drift and noise interference, and significantly improve the accuracy and robustness of the PLC information security analysis model.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security analysis technology, and in particular to a method for constructing a PLC information security analysis model based on variable correlation. Background Technology

[0002] Programmable Logic Controller (PLC) information security analysis models are widely used in the defense of modern Industrial Control Systems (ICS). They can effectively discover vulnerabilities in PLC systems and identify potential information leaks and tampering risks. PLCs are the core of industrial control systems and a focal point for attacks and defenses against critical infrastructure. Building PLC information security analysis models is crucial for the early detection of vulnerabilities, abnormal behavior, and potential tampering attack paths in industrial control systems.

[0003] Currently, PLC information security analysis model construction methods mainly rely on SCADA log feature analysis. This involves passively collecting communication messages between the PLC and the host computer / SCADA system on the network side, extracting physical variables and their measured values, and then using statistical analysis, timing anomaly detection, or deep learning models to construct the PLC information security analysis model. Another approach focuses on the static analysis of PLC program code, which involves offline collection of PLC source code or decompiling bytecode. By constructing control flow graphs, data flow graphs, or program dependency graphs, and combining formal verification, symbolic execution, model checking, and other techniques, the integrity, consistency, and security of the program logic are verified, thereby identifying code-level vulnerabilities such as unsafe state combinations, unauthorized operations, and abnormal branches.

[0004] However, existing PLC information security analysis models have many drawbacks: the presence of a large number of weak or redundant relational edges in the model can dilute the representation weight of the core control logic, making it difficult to effectively detect advanced threats; PLC variables may drift during long-term operation, causing the model to be subject to noise interference, making it difficult to effectively distinguish between the core control logic and redundant relationships, and difficult to distinguish between normal drift and malicious tampering, thus affecting the accuracy of the analysis.

[0005] Therefore, it is necessary to provide a method for constructing a PLC information security analysis model that suppresses data interference, so as to improve the accuracy and robustness of the model. Summary of the Invention

[0006] The purpose of this invention is to provide a method for constructing a PLC information security analysis model based on variable correlation, so as to improve the accuracy and robustness of the PLC information security analysis model.

[0007] The method for constructing a PLC information security analysis model based on variable association provided by this invention includes: parsing PLC code to obtain PLC variables; combining variable pairs according to network blocks; concatenating variable pairs globally to obtain global variable dependencies; constructing a weighted PLC program dependency graph based on global variable dependencies and SCADA log characteristics; cleaning the relation edges of the weighted PLC program dependency graph; and enhancing the dependency strength of the dependency edges of the cleaned weighted PLC program dependency graph to generate a PLC information security analysis model.

[0008] The beneficial effects of the variable-association-based PLC information security analysis model construction method provided by this invention are as follows: By constructing an adaptive threshold modulation mechanism that introduces the time stability characteristics of dependency strength and a nonlinear enhancement mechanism under screening constraints, and by constructing threshold screening and nonlinear enhancement as a collaborative processing mechanism, it works simultaneously at both the structural optimization and weight optimization levels to achieve stable reconstruction of PLC dependencies. This not only effectively removes redundant dependency edges but also maintains the stability of key dependencies under data drift and noise interference conditions, significantly improving the accuracy and robustness of the PLC information security analysis model.

[0009] In one possible embodiment, parsing the PLC code to obtain PLC variables, combining variable pairs according to network blocks, and concatenating variable pairs globally to obtain global variable dependencies include: parsing the PLC code to extract PLC variables; combining PLC variables participating in logical operations and PLC variables whose values ​​have changed in network blocks where logical instructions are executed into variable pairs; and concatenating variable pairs globally based on the same variables in the variable pairs to supplement the transit edges across network blocks to obtain global variable dependencies.

[0010] In another possible embodiment, a weighted PLC program dependency graph is constructed based on global variable dependencies and SCADA log characteristics, including: using PLC variables as nodes, constructing relational edges to form a directed graph based on global variable dependency keys; obtaining the temporal changes of variables through SCADA logs, calculating the correlation of PLC variables in the industrial control process as the dependency strength of directed edges between corresponding variable pairs in the directed graph to obtain the weighted PLC program dependency graph.

[0011] In other possible embodiments, the cleaning threshold is dynamically determined based on the dependency strength distribution; the relation edge cleaning of the weighted PLC program dependency graph includes: extracting nodes in the weighted PLC program dependency graph; performing a cleaning operation on each node, including: extracting the list of child nodes of the node, extracting the dependency strength of the dependency edge between the node and each child node, and deleting dependency edges with a dependency strength less than or equal to the cleaning threshold; after completing the cleaning operation on all nodes in the weighted PLC program dependency graph, the cleaned weighted PLC program dependency graph is obtained.

[0012] The calculation of the cleaning threshold, which is dynamically determined based on the dependency intensity distribution, satisfies the following formula: ,in, Indicates the cleaning threshold. This represents a threshold modulation mechanism that combines statistical distribution characteristics with temporal stability. This represents the average strength of all dependency edges in the weighted PLC program dependency graph. This represents the standard deviation of the strength of all dependency edges in the weighted PLC program dependency graph. This indicates the degree of fluctuation in the strength of the dependency edge over time.

[0013] The dependency strength of the dependent edges in the cleaned weighted PLC program dependency graph is enhanced, including: calculating the mean and standard deviation of the dependency strength of all dependent edges in the cleaned weighted PLC program dependency graph; normalizing the original dependency strength of each dependent edge using the mean and standard deviation of the dependency strength; and performing nonlinear power enhancement on the dependency strength of the normalized dependent edges.

[0014] The normalized calculation of the original dependency strength for each dependent edge satisfies the following formula: ,in, Indicates dependent edges Normalized dependency strength Indicates dependent edges The original dependency strength, This represents the average dependency strength of all dependency edges in the dependency graph of the cleaned PLC program. This represents the standard deviation of the dependency strength of all dependency edges in the PLC program dependency graph after cleaning; the nonlinear power enhancement calculation satisfies the following formula: ,in, Indicates dependent edges The strength of the enhanced dependency This represents a function that suppresses the influence of negative values ​​that occur during the normalization process. Represents the power exponent and . Attached Figure Description

[0015] Figure 1 A flowchart illustrating a method for constructing a PLC information security analysis model based on variable correlation, provided in an embodiment of the present invention;

[0016] Figure 2 This is a schematic diagram of redundancy edge cleaning in a weighted PLC program dependency graph provided in an embodiment of the present invention. Detailed Implementation

[0017] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions in the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without inventive effort are within the scope of protection of this invention. Unless otherwise defined, the technical or scientific terms used herein should have the ordinary meaning understood by those skilled in the art. The terms "comprising" and similar expressions used herein mean that the element or object preceding the word covers the element or object listed following the word and its equivalents, but do not exclude other elements or objects.

[0018] This embodiment provides a method for constructing a PLC information security analysis model based on variable correlation.

[0019] See the instruction manual appendix Figure 1 The method for constructing a PLC information security analysis model based on variable correlation includes:

[0020] S101: Parse the PLC code to obtain PLC variables, combine variable pairs according to network blocks, and concatenate variable pairs in the global scope to obtain global variable dependencies.

[0021] In one possible embodiment, the PLC code is parsed to extract PLC variables; PLC variables involved in logical operations and PLC variables whose values ​​have changed are combined into variable pairs in the network block where logical instructions are executed; and variable pairs are concatenated globally based on the common variables in the variable pairs to supplement the transit edges across network blocks and obtain global variable dependencies.

[0022] In one possible embodiment, acquiring PLC variables includes sensor variables. Executor variables and memory variables The set of PLC variables is (On a network block basis, variables are combined according to the dependencies between PLC variables.) , indicating output variable Depends on input variables ,variable and variables All of them belong to the set V. The dependencies between PLC variables include control dependencies and data dependencies.

[0023] In a specific embodiment, STL (Structured Text Language) is a form of PLC code that conforms to the IE6111-3 encoding standard. Instructions in STL typically consist of two parts: an opcode and operands. The opcode specifies the operation or type of operation to be performed, while the operands specify the objects of the operation, such as PLC variables, constants, or addresses. Therefore, when parsing STL language, it is necessary to distinguish between the opcode and operands in the instructions. The operands contain variables from the process image input table (I-area), process image input table (Q-area), and bit storage area (M-area), thereby completely extracting all physical inputs, outputs, and internal intermediate variables in the PLC program that are read, written, and involved in logical operations. Specifically, in STL semantics, the I-area stores sensor variables, the Q-area stores actuator variables, and the M-area stores memory variables.

[0024] In a PLC, the status word register stores the results of logical operations, such as logic instructions or comparison instructions. These results cause changes to the values ​​of PLC variables. Typically, a single STL network block may contain one or more logic instructions. The opcodes of these instructions generally include basic logic instructions like AND and OR; edge detection instructions like FP and FN; and set and reset instructions like RESET. Therefore, in a network block containing logic instructions, PLC variables involved in the logic operation and those whose values ​​have changed are grouped into variable pairs. For example, in the STL statement "AN I 1.1; AI 1.2; = M 3.0;", the input variables involved in the logic operation are I1.1 and I1.2, and the output variable whose value has changed is M3.0, which can be paired into variable pairs (I1.1, M3.0) and (I1.2, M3.0).

[0025] Because the PLC program uses a cyclic scanning method, the same variable may be repeatedly read and written across multiple network blocks. Therefore, it is necessary to concatenate the variable pairs extracted from all network blocks globally. Specifically, the intermediate variable transfer chain across network blocks is handled. For example, when (A,B) exists in Network1 and (B,C) exists in Network2, the transfer edge (A,B,C) across network blocks is automatically added.

[0026] S102: Construct a weighted PLC program dependency graph based on global variable dependencies and SCADA log characteristics.

[0027] In one possible implementation, a directed graph is formed by constructing relational edges based on global variable dependencies, using PLC variables as nodes; the temporal changes of variables are obtained through SCADA logs, and the correlation of PLC variables in the industrial control process is calculated as the dependency strength of the directed edges between corresponding variable pairs in the directed graph to obtain a weighted PLC program dependency graph.

[0028] In one specific embodiment, a directed graph covering the entire PLC program and containing all control and data dependencies is constructed based on global variable dependencies and SCADA log characteristics. ,in Let E be the set of directed edges that have dependent variable pairs. SCADA log information reflects the dynamic characteristics of PLC variables in the industrial control process. Analyzing the changes in these time-series data and calculating the correlations of PLC variables in the actual industrial control process, the calculated correlations are integrated into a directed graph as a representation of the strength of dependencies between variables. This achieves a unified representation of static code dependencies and runtime dynamic characteristics, generating a weighted PLC program dependency graph with weighted edges. The weighted PLC program dependency graph with dependency edge strength is represented as follows: ,in Indicates the strength of dependency between variable nodes, specifically... This indicates that the dependent edges are reflected. The strength of the defined dependency.

[0029] For example, the process of calculating the dependency strength between variable nodes is as follows: Dependency edges conditional entropy Indicates that the input variables are known. Under the condition of output variable The entropy of the conditional probability distribution The mathematical expectation is expressed by the formula: ,in, , This indicates that variables are entered into the SCADA log. The probability distribution at that time. Furthermore, mutual information is used to determine the probability distribution of dependent edges. Dependence strength Definition: Because variables in SCADA systems often have time delay effects, cross-mutual information is used to measure the dependency strength of variables under different time delay conditions to consider the timing effect. This quantifies the correlation between PLC variables in the SCADA log. The dependency strength calculation formula is expressed as follows: , Indicates the output variables in the SCADA log. The probability distribution, Represents variables in SCADA logs The probability distribution, The value representing the delay. Indicates the output variable after the delay. The distribution, This represents a variable. right The There are several reachable paths.

[0030] S103: Clean the relation edges of the weighted PLC program dependency graph.

[0031] In one possible embodiment, the cleaning threshold is dynamically determined based on the dependency strength distribution; the relation edge cleaning of the weighted PLC program dependency graph includes: extracting nodes in the weighted PLC program dependency graph; performing a cleaning operation on each node, including: extracting the list of child nodes of the node, extracting the dependency strength of the dependency edge between the node and each child node, and deleting dependency edges with a dependency strength less than or equal to the cleaning threshold; after completing the cleaning operation on all nodes in the weighted PLC program dependency graph, the cleaned weighted PLC program dependency graph is obtained.

[0032] In a specific embodiment, the calculation of the cleaning threshold dynamically determined based on the dependency intensity distribution satisfies the following formula: ,in, Indicates the cleaning threshold. This represents a threshold modulation mechanism that combines statistical distribution characteristics with temporal stability. This represents the average strength of all dependency edges in the weighted PLC program dependency graph. This represents the standard deviation of the strength of all dependency edges in the weighted PLC program dependency graph. This indicates the degree of fluctuation in the strength of the dependency edge over time.

[0033] In a specific embodiment, after obtaining the PLC program dependency graph, the graph contains numerous weak dependency edges—such as dead variables and test variables—that exist in the code but are rarely or never cyclically scanned and executed in actual industrial control processes. These low-dependency edges severely dilute the representation weight of the core control logic, causing abnormal disturbances from advanced attacks such as covert tampering, logic bombs, and fake data injection to be overwhelmed by a large number of noisy edges. The signal-to-noise ratio is so low that it cannot meet the requirements of information security analysis. Therefore, it is necessary to clean the PLC program dependency graph to increase the representation weight of the core control logic in the industrial control system.

[0034] For example, see the appendix to the specification. Figure 2A specific process for cleaning redundant edges in a weighted PLC program dependency graph is as follows: 1. Input the weighted PLC program dependency graph G(V,E,W) with weight information for the dependent edges, and proceed to step 2; 2. Dequeue the vertex nodes of G and assign them to cur_node, and proceed to step 3; 3. Determine if node cur_node is empty. If yes, proceed to step 10; otherwise, proceed to step 4; 4. Extract the child node list child_list of cur_node, and proceed to step 5; 5. Determine if child_list is empty. If yes, proceed to step 2; otherwise, proceed to step 6; 6. Dequeue child_list and assign it to child_node, and proceed to step 7; 7. Extract the dependency strength w of the dependency edge combination (cur_node, child_node), and proceed to step 8; 8. Determine if the dependency strength w is greater than the cleaning threshold. If yes, proceed to step 5; otherwise, proceed to step 9; 9. Delete the dependent edge (cur_node, child_node) in graph G, and proceed to step 5; 10. Return to graph G and proceed to step 11; 11. End, output the cleaned PLC program dependency graph. The cleaning threshold is... Determined based on an adaptive threshold mechanism.

[0035] Specifically, the adaptive threshold mechanism is defined as dynamically determining the cleaning threshold based on the dependency strength distribution, and the calculation of the cleaning threshold satisfies: ,in, This represents the average strength of all dependency edges in the weighted PLC program dependency graph. The standard deviation of the edge strength represents the overall dispersion of the edge strength. This represents the degree of fluctuation in the strength of a dependency edge over time, specifically the degree of fluctuation in the strength of the dependency edge within a defined time window, reflecting the temporal stability of the dependency relationship; (function) This refers to a threshold modulation mechanism that combines statistical distribution characteristics with time stability, used to dynamically adjust the dependency edge screening criteria in the presence of data drift and noise interference.

[0036] For example, function satisfy , and These are adjustment parameters used to control the weighting of statistical distribution characteristics and time stability on the threshold. When the dependence strength fluctuates significantly over time, i.e. As the threshold is increased, it decreases accordingly, thus preventing accidental deletion due to a decrease in the weight of key dependency edges caused by data drift; when the dependency relationship is relatively stable, i.e. The threshold is relatively small, and is mainly determined by the statistical distribution of dependency strength, thus effectively filtering out low-intensity pseudo-dependencies when the edges move significantly. As the threshold is increased, it decreases accordingly, thus preventing accidental deletion due to a decrease in the weight of key dependency edges caused by data drift; when the dependency relationship is relatively stable, i.e. The threshold is relatively small, and is mainly determined by the statistical distribution of dependency strength, thus effectively filtering out low-intensity pseudo-dependency edges.

[0037] In different implementations, the threshold function can also be represented in an equivalent functional form, as long as it can simultaneously reflect the statistical distribution characteristics and time stability characteristics of the dependence intensity.

[0038] S104: Enhance the dependency strength of the dependency edges in the cleaned weighted PLC program dependency graph to generate a PLC information security analysis model.

[0039] In one possible embodiment, the dependency strength of the dependent edges in the cleaned weighted PLC program dependency graph is enhanced, including: calculating the mean and standard deviation of the dependency strength of all dependent edges in the cleaned PLC program dependency graph; normalizing the original dependency strength of each dependent edge using the mean and standard deviation of the dependency strength; and performing nonlinear power enhancement on the dependency strength of the normalized dependent edges.

[0040] In a specific embodiment, the normalized calculation of the original dependency strength of each dependent edge satisfies the following formula: ,in, Indicates dependent edges Normalized dependency strength Indicates dependent edges The original dependency strength, This represents the average dependency strength of all dependency edges in the dependency graph of the cleaned PLC program. This represents the standard deviation of the dependency strength of all dependency edges in the PLC program dependency graph after cleaning; the nonlinear power enhancement calculation satisfies the following formula: ,in, Indicates dependent edges The strength of the enhanced dependency This represents a function that suppresses the influence of negative values ​​that occur during the normalization process. Represents the power exponent and .

[0041] In the operation of industrial control systems, sensors and actuators suffer from noise interference and data drift. These problems gradually distort the weight values ​​of dependency edges in the PLC program dependency graph, thus affecting the robustness of the PLC information security analysis model. After cleaning up redundant dependency edges, this embodiment designs a nonlinear power enhancement method to compensate for the weight distortion caused by sensor noise interference and actuator data drift. Enhancement operations are performed only on dependency edges that meet the threshold screening conditions, thereby forming a nonlinear enhancement mechanism under screening constraints to reduce the interference of noise on dependency strength and reconstruct the strength of the retained dependency edges.

[0042] Specifically, the PLC program dependency diagram after cleaning Each dependent edge Original dependency strength Normalization is performed, and the normalized dependency strength is denoted as . The normalization process is as follows ,in, The image shows the result after cleaning. The mean of the dependency strength of all dependent edges in the equation; Representation diagram The standard deviation of the dependency strength of all dependent edges is used. The dependency strength of the normalized dependent edges is then enhanced nonlinearly using an exponential method. ,in, Indicates the enhanced dependency strength, power exponent It is an adjustable hyperparameter, and , Represents a nonlinear enhancement function. This function is used to suppress the negative effects that may occur during the normalization process. This is a mapping mechanism that performs nonlinear reconstruction of dependency strength under screening constraints, used to suppress low-intensity disturbances while preserving core dependencies. This nonlinear function can enhance high-intensity dependencies with minimal weight changes, maintaining the stability of the core control logic; for low-intensity dependencies close to the threshold, their weights are further compressed, thereby reducing the impact of noisy dependencies on the overall structure; and for negative values ​​generated during normalization, a truncation operation is used to prevent them from being amplified abnormally during enhancement.

[0043] Through the nonlinear enhancement mechanism under the above screening constraints, a stable reconstruction of the dependency strength is achieved. Even in the presence of noise interference, it can still maintain an effective representation of the key control dependencies, effectively compensate for the weight distortion caused by sensor noise interference and actuator data drift, and finally form a PLC information security analysis model with high signal-to-noise ratio, high robustness, and high precision, thus completing the construction of the entire PLC information security analysis model.

[0044] The PLC information security analysis model construction method based on variable correlation provided by this invention constructs an adaptive threshold modulation mechanism that introduces the time stability characteristics of dependency strength, enabling the dependency edge selection to be dynamically adjusted according to changes in data distribution. Simultaneously, a nonlinear enhancement mechanism under selection constraints is constructed, enhancing only the selected dependency edges to avoid noise amplification. Furthermore, threshold selection and nonlinear enhancement are constructed as a collaborative processing mechanism, working simultaneously at both the structural optimization and weight optimization levels to achieve stable reconstruction of PLC dependencies. This not only effectively removes redundant dependency edges but also maintains the stability of key dependencies under data drift and noise interference conditions, significantly improving the accuracy and robustness of the PLC information security analysis model.

[0045] By constructing a weighted PLC program dependency graph and introducing an adaptive threshold mechanism based on the statistical distribution of dependency strength to filter low-intensity dependency edges, redundant dependency edges generated by test variables and dead variables can be effectively removed, thus solving the problem of easily deleting critical dependency edges under data drift conditions. The filtering criteria can be dynamically adjusted according to the dependency strength distribution, significantly improving the representation capability of core control logic.

[0046] By introducing the stability feature of dependency strength over time during threshold calculation, the threshold not only depends on statistical distribution characteristics but can also be dynamically modulated over time. This prevents the accidental deletion of critical dependency edges due to weight reduction in the presence of sensor drift or actuator offset, while also reducing interference from noisy dependency edges. It maintains the stability of dependency identification even when data distribution undergoes unstable changes.

[0047] Based on redundant edge cleaning, a nonlinear enhancement mechanism under screening constraints is designed. Nonlinear power enhancement is applied only to dependent edges that pass threshold screening, thereby stabilizing strong dependencies at the weight level and compressing low-intensity disturbances. This avoids the noise amplification problem caused by directly enhancing all dependent edges in traditional methods, improving the model's signal-to-noise ratio at both the structural and weight levels, thus constructing a highly robust and accurate PLC information security analysis model.

[0048] Through the above description of the embodiments, those skilled in the art will clearly understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. The specific working process of the system, device, and unit described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0049] In the embodiments of this application, the functional units can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0050] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application, essentially, or the parts that contribute to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as flash memory, portable hard disk, read-only memory, random access memory, magnetic disk, or optical disk.

[0051] The above description is merely a specific implementation of the embodiments of this application, but the protection scope of the embodiments of this application is not limited thereto. Any changes or substitutions within the technical scope disclosed in the embodiments of this application should be covered within the protection scope of the embodiments of this application. Therefore, the protection scope of the embodiments of this application should be determined by the protection scope of the claims.

Claims

1. A method for constructing a PLC information security analysis model based on variable correlation, characterized in that, include: Parse the PLC code to obtain PLC variables, combine variable pairs according to network blocks, and concatenate variable pairs in the global scope to obtain global variable dependencies; Construct a weighted PLC program dependency graph based on the global variable dependencies and SCADA log characteristics; Clean the relationship edges of the weighted PLC program dependency graph; The dependency strength of the dependency edges in the cleaned weighted PLC program dependency graph is enhanced to generate a PLC information security analysis model.

2. The method according to claim 1, characterized in that, Parse the PLC code to obtain PLC variables, combine variable pairs according to network blocks, and concatenate variable pairs globally to obtain global variable dependencies, including: Parse the PLC code and extract PLC variables; Combine PLC variables that participate in logical operations and PLC variables whose values ​​have changed in the network block where logical instructions are executed into variable pairs; Globally, variable pairs with identical variables are concatenated to supplement transitive edges across network blocks, thus obtaining global variable dependencies.

3. The method according to claim 1, characterized in that, Based on the global variable dependencies and SCADA log characteristics, a weighted PLC program dependency graph is constructed, including: Using the PLC variables as nodes, a directed graph is formed by constructing relational edges based on the global variable dependencies. By obtaining the temporal changes of variables through SCADA logs, the correlation of PLC variables in the industrial control process is calculated as the dependence strength of the directed edges between corresponding variable pairs in the directed graph, thus obtaining a weighted PLC program dependency graph.

4. The method according to claim 1, characterized in that, The cleaning threshold is dynamically determined based on the dependence intensity distribution; Clean the dependency graph of the weighted PLC program, including: Extract the nodes from the weighted PLC program dependency graph; Perform a cleaning operation on each node, including: extracting the list of child nodes of the node, extracting the dependency strength of the dependency edges between the node and each child node, and deleting dependency edges whose dependency strength is less than or equal to the cleaning threshold; After cleaning all nodes in the weighted PLC program dependency graph, the cleaned weighted PLC program dependency graph is obtained.

5. The method according to claim 4, characterized in that, The calculation of the cleaning threshold, which is dynamically determined based on the dependency intensity distribution, satisfies the following formula: ,in, Indicates the cleaning threshold. This represents a threshold modulation mechanism that combines statistical distribution characteristics with temporal stability. This represents the average strength of all dependency edges in the weighted PLC program dependency graph. This represents the standard deviation of the strength of all dependency edges in the weighted PLC program dependency graph. This indicates the degree of fluctuation in the strength of the dependency edge over time.

6. The method according to claim 1, characterized in that, Strengthen the dependency strength of the dependency edges in the cleaned weighted PLC program dependency graph, including: Calculate the mean and standard deviation of the dependency strength of all dependency edges in the weighted PLC program dependency graph after cleaning; The original dependency strength of each dependency edge is normalized using the mean and standard deviation of the dependency strength. The dependency strength of the normalized dependency edges is enhanced by nonlinear power.

7. The method according to claim 6, characterized in that, The normalized calculation of the original dependency strength for each dependent edge satisfies the following formula: ,in, Indicates dependent edges Normalized dependency strength Indicates dependent edges The original dependency strength, This represents the average dependency strength of all dependency edges in the dependency graph of the cleaned PLC program. This represents the standard deviation of the dependency strength of all dependency edges in the PLC program dependency graph after cleaning. Nonlinear power enhancement calculations satisfy the following formula: ,in, Indicates dependent edges The strength of the enhanced dependency This represents a function that suppresses the negative effects that occur during the normalization process. Represents the power exponent and .