An edge-computing-based data security protection method for industrial personal computer
By collecting and calculating data packets, voltage, and temperature information at the edge computing node of the industrial control computer, dynamic judgment thresholds are generated, solving the problems of latency and environmental interference in the network security protection of industrial control computers, and achieving efficient identification and protection against malicious attacks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHANGHAI KUAN YU IND NETWORK EQUIP CO LTD
- Filing Date
- 2026-05-08
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies for network data security protection of industrial control computers suffer from problems such as increased communication latency, security judgment failure due to environmental drift, hardware quantization noise interference, and misjudgment of legitimate loads, making it difficult to effectively identify hidden data injection and illegal process hijacking.
By collecting data packet arrival time, data packet size, processor operating voltage, and absolute temperature from the edge nodes of the industrial control computer, a basic data sequence is formed. The adaptive temperature change rate and intrinsic thermal power deviation are calculated, and combined with dynamic judgment thresholds, abnormal communication behavior is identified.
Without affecting the real-time performance of industrial control, the system improved the accuracy of malicious attack interception, reduced the occupation of normal business communication links, and enhanced the system's robustness and identification capabilities.
Smart Images

Figure CN122179237A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data security technology, specifically to a data security protection method for industrial control computers based on edge computing. Background Technology
[0002] In the fields of Industrial Internet of Things (IIoT) and smart manufacturing, industrial control computer (ICS) edge computing nodes are responsible for handling massive data throughput and executing real-time control commands. Currently, network data security protection for ICS nodes mainly relies on deep packet inspection (DPI) technology. This technology typically intercepts malicious commands by decrypting communication protocol messages and performing feature matching. However, high-intensity decryption of ICS protocol data at edge nodes leads to a sharp increase in communication latency. Furthermore, relying solely on analyzing network ciphertext is insufficient to effectively detect hidden data injection or illegal process hijacking anomalies that conform to protocol syntax rules. To circumvent the limitations of DPI, some existing technologies attempt to utilize physical side-channel characteristics such as processor power consumption and temperature for security monitoring. However, in practical industrial applications, this approach faces numerous insurmountable bottlenecks. First, when ICS executes normal, complex, and legitimate control tasks, it inevitably causes voltage drops and power consumption fluctuations in the underlying operating system. Existing technologies struggle to effectively decouple legitimate physical task fluctuations from malicious communication security footprints, easily misjudging normal production tasks as security threats. Second, industrial environments generally experience slow changes in ambient temperature between day and night. This global environmental thermal drift directly alters the processor's absolute temperature reference, causing a severe failure of the absolute temperature-based safety decision-making mechanism. Finally, when extracting local transient thermal power deviations, the discrete resolution and polling fluctuations of the underlying temperature sensor result in significant quantization noise between adjacent temperature sampling points. Using conventional low-pass filtering to process this noise introduces unacceptable phase determination delays, preventing the system from capturing microsecond-level hidden anomalies.
[0003] In summary, there is an urgent need for a data security protection method for industrial control computers based on edge computing to overcome the shortcomings of existing technologies in terms of latency, environmental drift, hardware quantization noise, and legitimate load interference. Summary of the Invention
[0004] This invention provides a data security protection method for industrial control computers based on edge computing, which helps to solve the problems mentioned in the background art.
[0005] This invention provides the following technical solution: a method for protecting the data security of industrial control computers based on edge computing, comprising:
[0006] Collect the arrival time, data packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer's edge node to form a basic data sequence;
[0007] Calculate the ratio of the current operating voltage to the historical cumulative average voltage, and multiply this ratio as the modulation coefficient into the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate.
[0008] The intrinsic thermal power deviation is calculated by subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining the proportion of the current absolute temperature to the total average temperature and the sampling time interval.
[0009] Obtain the maximum operating voltage within the observation window, calculate the square of the difference between the maximum operating voltage and the current operating voltage, and divide it by the square of the maximum operating voltage to map the expected calculated load.
[0010] The instantaneous data throughput is calculated based on the size of the currently arriving data packet in bytes and the time interval between adjacent sampling points. This throughput is then divided by the historical average throughput to extract the communication energy footprint.
[0011] The intrinsic thermal power deviation is normalized by dividing it by the historical average absolute deviation. The absolute difference between the normalized thermal power and the expected calculated load is then calculated. This difference is multiplied by the communication energy footprint to obtain the cross-domain security anomaly deviation.
[0012] Calculate the expected value and standard deviation of the cross-domain safety anomaly deviation sequence, and generate a dynamic judgment threshold based on the fourth moment distribution characteristics of the deviation sequence from the mean. Compare the real-time cross-domain safety anomaly deviation with the dynamic judgment threshold to determine whether an anomaly has occurred.
[0013] Optionally, the arrival time, packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer edge node are collected to form a basic data sequence, including:
[0014] Configure a message listener at the edge computing gateway of the industrial control computer;
[0015] Configure voltage and temperature sensors for the motherboard's central processing unit;
[0016] Set a data observation time window that includes multiple sampling points;
[0017] Within the data observation time window, the arrival timestamp, packet size, CPU core operating voltage, and CPU core absolute temperature of each data packet arriving at the edge node are recorded synchronously, forming a basic data sequence composed of data from each sampling point.
[0018] Optionally, the step of calculating the ratio of the current operating voltage to the historical cumulative average voltage, and multiplying this ratio as a modulation coefficient in the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate, includes:
[0019] Calculate the average value of the operating voltage measured from the start time to the current sampling time;
[0020] Divide the current operating voltage by the average value of the operating voltage to obtain the real-time voltage modulation coefficient;
[0021] Calculate the difference in absolute temperature between the current moment and the previous moment;
[0022] Calculate the difference between the current time and the previous time;
[0023] Divide the difference in absolute temperature by the difference in timestamps to obtain the initial rate of temperature change;
[0024] Multiply the initial temperature change rate by the real-time voltage modulation coefficient to obtain the adaptive temperature change rate at the current moment;
[0025] The adaptive temperature change rate at the start time is set to zero.
[0026] Optionally, the step of subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining this with the proportion of the current absolute temperature to the total average temperature and the sampling time interval to calculate the intrinsic thermal power deviation includes:
[0027] Obtain the absolute temperature difference between the end and start times of the data observation time window;
[0028] Obtain the difference between the timestamp of the last moment and the start moment of the data observation time window;
[0029] Dividing the difference in absolute temperatures by the difference in timestamps yields the linear drift rate;
[0030] Subtract the linear drift rate from the current adaptive temperature change rate to obtain the net temperature change rate;
[0031] Calculate the average absolute temperature of all sampling points within the data observation time window as the total average temperature;
[0032] Divide the current absolute temperature by the total average temperature to obtain the temperature percentage.
[0033] The intrinsic thermal power deviation at the current moment is obtained by multiplying the net temperature change rate, the difference between the timestamps of the current moment and the previous moment, and the temperature proportion.
[0034] Optionally, the step of obtaining the maximum operating voltage within the observation window, calculating the square of the difference between the maximum operating voltage and the current operating voltage, and dividing it by the square of the maximum operating voltage to map the expected computational load includes:
[0035] Extract the maximum value among all the operating voltages collected within the data observation time window, and use it as the maximum operating voltage;
[0036] Calculate the difference between the maximum operating voltage and the current operating voltage, and square the difference to obtain the first squared value;
[0037] The second squared value is obtained by squaring the maximum operating voltage.
[0038] Divide the first squared value by the second squared value to obtain the expected computational load at the current moment.
[0039] Optionally, the step of calculating the instantaneous data throughput based on the byte size of the currently arriving data packet and the time interval between adjacent sampling points, and dividing this throughput by the historical average throughput to extract the communication energy footprint includes:
[0040] Divide the size of the data packet arriving at the current time in bytes by the difference between the timestamp of the current time and the timestamp of the previous time to obtain the instantaneous data throughput at the current time.
[0041] Set the instantaneous data throughput at the start time to zero;
[0042] Calculate the average instantaneous data throughput of all sampling points except the initial time, and use it as the historical average throughput.
[0043] Divide the instantaneous data throughput at the current moment by the historical average throughput to obtain the communication energy footprint at the current moment.
[0044] Optionally, the step of normalizing the intrinsic thermal power deviation by dividing it by the historical average absolute deviation, calculating the absolute difference between the normalized thermal power and the expected calculated load, and multiplying this difference by the communication energy footprint to obtain the cross-domain security anomaly deviation includes:
[0045] Calculate the average of the absolute values of the intrinsic thermal power deviations at all sampling points except the initial time, and use this as the historical average absolute deviation.
[0046] Divide the current intrinsic thermal power deviation by the historical average absolute deviation to obtain the current normalized thermal power.
[0047] Calculate the difference between the normalized thermal power at the current moment and the expected calculated load, and take the absolute value of the difference;
[0048] Multiplying the absolute value by the current communication energy footprint yields the cross-domain security anomaly deviation index for the current moment.
[0049] Optionally, the step of calculating the expected value and standard deviation of the cross-domain safety anomaly deviation sequence, generating a dynamic judgment threshold based on the fourth-order moment distribution characteristics of the deviation sequence's deviation from the mean, and comparing the real-time cross-domain safety anomaly deviation with the dynamic judgment threshold to determine whether an anomaly has occurred includes:
[0050] Extract the cross-domain safety anomaly deviation index from all sampling points except the initial time, and form a deviation sequence;
[0051] Calculate the expected value and standard deviation of the bias sequence;
[0052] Calculate the fourth power and the square of the difference between each index in the deviation sequence and the expected value;
[0053] Summing all the fourth powers gives the fourth-order sum of differences, and summing all the squares gives the second-order sum of differences.
[0054] The square of the second-order difference sum is obtained by squaring the sum of the second-order differences.
[0055] Multiply the total number of indicators in the deviation sequence by the sum of the fourth-order differences, and then divide by the square of the sum of the second-order differences to obtain the kurtosis coefficient.
[0056] Multiply the kurtosis coefficient by the standard deviation and add the expected value to obtain the dynamic judgment threshold;
[0057] The current cross-domain security anomaly deviation index is compared with the dynamic judgment threshold.
[0058] If the cross-domain security anomaly deviation index is greater than the dynamic judgment threshold, an abnormal alarm is sent to the control center and the node is switched to hardware isolation mode.
[0059] If the cross-domain security anomaly deviation index is less than or equal to the dynamic judgment threshold, then data collection and calculation will continue in the next time window.
[0060] The present invention has the following beneficial effects:
[0061] 1. By synchronously collecting the underlying voltage, temperature, timing, and data size of network data packets processed by the industrial control computer, and cross-calculating the safety anomaly deviation, physical interference in the field is eliminated. The solution extracts the machine's true intrinsic heat generation by eliminating the linear drift of natural ambient temperature rise and maps legitimate voltage drops to the expected computational load. The beneficial effects of this method are: without disassembling and analyzing network data content, it can identify hidden data injection or illegal process hijacking simply by the cross-domain matching degree between the amount of data input from the network and the actual physical energy consumption of the machine, combined with a dynamically adaptive judgment threshold. This improves the accuracy of malicious attack interception in complex physical environments without affecting the real-time performance of industrial control.
[0062] 2. By configuring a message listener at the edge computing gateway of the industrial control computer and combining it with the voltage and temperature sensors at the bottom layer of the motherboard's central processing unit, a synchronous acquisition mechanism for multi-dimensional heterogeneous data is executed within a set data observation time window to construct a consistent underlying basic data sequence in the time dimension. This hardware-based bypass listening and acquisition mode differs from the traditional online security gateway's serial interception architecture design, reducing the occupation of the original normal business communication links and bandwidth resources of the industrial control computer, and ensuring the real-time issuance of high-frequency control commands in the industrial field. At the same time, relying on timestamp alignment operations, the system spatiotemporally binds the data communication payload, which is regarded as a different dimension of the network protocol stack layer, with the energy consumption fluctuation state of the processor's micro-transistor physical layer. This breaks the information isolation between the network security domain and the physical device domain, enabling the triggering of external network requests to find a physical mapping in the underlying hardware response. This lays the foundation for state tracing for subsequent cross-domain feature cross-comparison, abnormal computing power delimitation, and malicious process analysis.
[0063] 3. By extracting the relative ratio between the current operating voltage and the historical cumulative average voltage, and multiplying it as an adaptive modulation coefficient into the temperature differential rate calculation model of adjacent sampling points, this method leverages the electronic property of the processor's internal power supply network exhibiting smooth fluctuations in operating voltage at the physical level when responding to computing tasks. This corrects the quantization step error caused by the discrete resolution limitations of the underlying temperature sensor and the truncation of ADC sampling. This processing method introduces continuous dynamic characteristics reflecting the instantaneous work fluctuations of the processor into the stepped discrete temperature sequence, avoiding the mathematical phase delay and time window lag introduced by conventional filtering algorithms. This enables edge computing nodes deployed in industrial sites to capture weak transient thermal response changes caused by malicious code execution under low-latency monitoring conditions, thus broadening the perception boundary of side-channel security protection.
[0064] 4. By extracting the slope of the absolute temperature change at the beginning and end of the observation time window, the global linear drift rate is calculated and separated from the instantaneous adaptive temperature change rate. This eliminates background interference caused by external environmental factors such as day-night temperature differences, start-up and shutdown disturbances of computer room air conditioning, or close-range radiant heating of heavy machinery on the underlying hardware of the industrial control computer in real industrial manufacturing sites. Furthermore, by combining the relative weight of the current absolute temperature within the overall operating cycle and the adjacent sampling time intervals for nonlinear compensation, an intrinsic thermal power deviation independent of external environmental reference temperature fluctuations is reconstructed. This mechanism enables the safety protection system to filter out low-frequency environmental thermal noise and focus the monitoring field on abnormal heat generation induced by abnormal communication processing or illegal encryption calculation tasks performed by the processor core in a short timescale. This overcomes the technical bottleneck of traditional alarm systems based on fixed temperature thresholds failing under complex weather conditions and improves the robustness and alarm accuracy of underlying physical state detection in industrial scenarios.
[0065] 5. By capturing the peak voltage of the processor core during a set observation window and calculating the square ratio of the difference between this extreme value and the current transient operating voltage, the voltage drop depth of the underlying power supply network is mapped to the benchmark of the computational load borne by the industrial control computer at the current moment. This processing mechanism conforms to the electronic law that the dynamic transient power consumption of semiconductor CMOS transistors during high-frequency state switching is positively correlated with the square of the power supply voltage drop amplitude. This provides a dynamic standard for the safety protection system to measure the physical energy consumption fluctuations caused by control tasks. It decouples the voltage drop phenomenon caused by the execution of normal production instructions such as multi-axis linkage acceleration and complex PID calculations in the underlying physical signal. From the algorithm level, it avoids the system misjudging legitimate transient high-intensity physical production tasks as computing power hijacking or network resource exhaustion attacks, ensuring the continuity and reliability of the intelligent manufacturing production line under full-load operation.
[0066] 6. By synchronously monitoring the payload size of data packets arriving at the network ingress and the time interval between adjacent data packets, the instantaneous data throughput is calculated. This instantaneous throughput is then compared with the average throughput accumulated over historical stable observation periods to reduce dimensionality, thereby extracting the communication energy footprint in the network communication dimension. This characteristic indicator isolates the individual differences in network communication volume among different industrial control computer devices under different operating conditions, reflecting the relative changes and abnormal clustering of transient network communication activities. This allows the underlying security system to characterize the expected hardware energy consumption of external network command inputs without decrypting application-layer business data, based on bypass monitoring of network physical metadata. This provides a network benchmark for subsequent cross-domain orthogonal comparison with equipment physical energy consumption characteristics, changing the traditional method of relying on packet unpacking for security checks.
[0067] 7. By normalizing the extracted intrinsic thermal power deviation with the historical average absolute deviation through division, the dimensional differences in physical quantities between the parameters read by different underlying detection components such as temperature and voltage sensors are eliminated. This allows for the calculation of the absolute difference between the dimensionless normalized thermal power and the expected computational load. This difference, reflecting the deviation of physical work done, is then multiplied by the communication energy footprint, integrating the actual work deviation at the physical hardware level with the excitation intensity at the network communication level. This cross-domain comparison mechanism can detect abnormal deviations between the seemingly legitimate amount of network input data and the actual heat generation at the device's underlying level. It amplifies abnormal fluctuations such as covert decryption, Trojan data injection, or illegal background computing power usage, enhancing the system's ability to identify unknown attacks or APT threats.
[0068] 8. By extracting discrete statistical features such as the expected value and standard deviation within the cross-domain security anomaly deviation sequence, and introducing the fourth-order central moment kurtosis feature to characterize the distribution pattern and probability of abnormal mutations in the data sequence, a dynamic judgment boundary driven by the real-time operating status data of the current equipment is generated. This generation mechanism overcomes the shortcomings of traditional security defense systems that rely on manually set static alarm thresholds, resulting in poor cross-environment adaptability and susceptibility to false alarms and missed alarms. It enables the security protection system to perceive and follow the historical trends of the actual operating status of the industrial control computer, dynamically adjusting the security alarm threshold. When the instantaneous deviation exceeds the dynamic adaptive threshold, the underlying hardware isolation action is triggered, truncating the injected threat within a microsecond-level time slice, thus constructing a defense mechanism with environmental robustness and adaptability. Attached Figure Description
[0069] Figure 1 This is a schematic diagram of the basic process of the present invention.
[0070] Figure 2 This is a diagram of the overall architecture for parallel extraction and fusion of cross-domain multi-dimensional features in this invention.
[0071] Figure 3 This is a flowchart of the intrinsic thermal power deviation extraction algorithm of the present invention.
[0072] Figure 4 This is a flowchart of the dynamic threshold generation and determination process of the present invention. Detailed Implementation
[0073] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0074] Example 1, refer to Figure 1 A data security protection method for industrial control computers based on edge computing includes:
[0075] Collect the arrival time, data packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer's edge node to form a basic data sequence;
[0076] Calculate the ratio of the current operating voltage to the historical cumulative average voltage, and multiply this ratio as the modulation coefficient into the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate.
[0077] The intrinsic thermal power deviation is calculated by subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining the proportion of the current absolute temperature to the total average temperature and the sampling time interval.
[0078] Obtain the maximum operating voltage within the observation window, calculate the square of the difference between the maximum operating voltage and the current operating voltage, and divide it by the square of the maximum operating voltage to map the expected calculated load.
[0079] The instantaneous data throughput is calculated based on the size of the currently arriving data packet in bytes and the time interval between adjacent sampling points. This throughput is then divided by the historical average throughput to extract the communication energy footprint.
[0080] The intrinsic thermal power deviation is normalized by dividing it by the historical average absolute deviation. The absolute difference between the normalized thermal power and the expected calculated load is then calculated. This difference is multiplied by the communication energy footprint to obtain the cross-domain security anomaly deviation.
[0081] Calculate the expected value and standard deviation of the cross-domain safety anomaly deviation sequence, and generate a dynamic judgment threshold based on the fourth moment distribution characteristics of the deviation sequence from the mean. Compare the real-time cross-domain safety anomaly deviation with the dynamic judgment threshold to determine whether an anomaly has occurred.
[0082] The data acquisition process collects the arrival time, packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer's edge node, forming a basic data sequence, including:
[0083] Configure a message listener at the edge computing gateway of the industrial control computer;
[0084] Configure voltage and temperature sensors for the motherboard's central processing unit;
[0085] Set a data observation time window that includes multiple sampling points;
[0086] Within the data observation time window, the arrival timestamp, packet size, CPU core operating voltage, and CPU core absolute temperature of each data packet arriving at the edge node are recorded synchronously, forming a basic data sequence composed of data from each sampling point.
[0087] The calculation of the ratio of the current operating voltage to the historical cumulative average voltage, and the multiplication of this ratio as a modulation coefficient into the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate, includes:
[0088] Calculate the average value of the operating voltage measured from the start time to the current sampling time;
[0089] Divide the current operating voltage by the average value of the operating voltage to obtain the real-time voltage modulation coefficient;
[0090] Calculate the difference in absolute temperature between the current moment and the previous moment;
[0091] Calculate the difference between the current time and the previous time;
[0092] Divide the difference in absolute temperature by the difference in timestamps to obtain the initial rate of temperature change;
[0093] Multiply the initial temperature change rate by the real-time voltage modulation coefficient to obtain the adaptive temperature change rate at the current moment;
[0094] The adaptive temperature change rate at the start time is set to zero.
[0095] The intrinsic thermal power deviation is calculated by subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining this with the proportion of the current absolute temperature to the total average temperature and the sampling time interval. This includes:
[0096] Obtain the absolute temperature difference between the end and start times of the data observation time window;
[0097] Obtain the difference between the timestamp of the last moment and the start moment of the data observation time window;
[0098] Dividing the difference in absolute temperatures by the difference in timestamps yields the linear drift rate;
[0099] Subtract the linear drift rate from the current adaptive temperature change rate to obtain the net temperature change rate;
[0100] Calculate the average absolute temperature of all sampling points within the data observation time window as the total average temperature;
[0101] Divide the current absolute temperature by the total average temperature to obtain the temperature percentage.
[0102] The intrinsic thermal power deviation at the current moment is obtained by multiplying the net temperature change rate, the difference between the timestamps of the current moment and the previous moment, and the temperature proportion.
[0103] The process of obtaining the maximum operating voltage within the observation window, calculating the square of the difference between the maximum operating voltage and the current operating voltage, and dividing it by the square of the maximum operating voltage to map the expected computational load includes:
[0104] Extract the maximum value among all the operating voltages collected within the data observation time window, and use it as the maximum operating voltage;
[0105] Calculate the difference between the maximum operating voltage and the current operating voltage, and square the difference to obtain the first squared value;
[0106] The second squared value is obtained by squaring the maximum operating voltage.
[0107] Divide the first squared value by the second squared value to obtain the expected computational load at the current moment.
[0108] The instantaneous data throughput is calculated based on the byte size of the currently arriving data packet and the time interval between adjacent sampling points. This throughput is then divided by the historical average throughput to extract the communication energy footprint, including:
[0109] Divide the size of the data packet arriving at the current time in bytes by the difference between the timestamp of the current time and the timestamp of the previous time to obtain the instantaneous data throughput at the current time.
[0110] Set the instantaneous data throughput at the start time to zero;
[0111] Calculate the average instantaneous data throughput of all sampling points except the initial time, and use it as the historical average throughput.
[0112] Divide the instantaneous data throughput at the current moment by the historical average throughput to obtain the communication energy footprint at the current moment.
[0113] The step of normalizing the intrinsic thermal power deviation by dividing it by the historical average absolute deviation, calculating the absolute difference between the normalized thermal power and the expected calculated load, and multiplying this difference by the communication energy footprint to obtain the cross-domain security anomaly deviation includes:
[0114] Calculate the average of the absolute values of the intrinsic thermal power deviations at all sampling points except the initial time, and use this as the historical average absolute deviation.
[0115] Divide the current intrinsic thermal power deviation by the historical average absolute deviation to obtain the current normalized thermal power.
[0116] Calculate the difference between the normalized thermal power at the current moment and the expected calculated load, and take the absolute value of the difference;
[0117] Multiplying the absolute value by the current communication energy footprint yields the cross-domain security anomaly deviation index for the current moment.
[0118] The process involves calculating the expected value and standard deviation of the cross-domain safety anomaly deviation sequence, generating a dynamic judgment threshold based on the fourth-order moment distribution characteristics of the deviation sequence's deviation from the mean, and comparing the real-time cross-domain safety anomaly deviation with the dynamic judgment threshold to determine whether an anomaly has occurred, including:
[0119] Extract the cross-domain safety anomaly deviation index from all sampling points except the initial time, and form a deviation sequence;
[0120] Calculate the expected value and standard deviation of the bias sequence;
[0121] Calculate the fourth power and the square of the difference between each index in the deviation sequence and the expected value;
[0122] Summing all the fourth powers gives the fourth-order sum of differences, and summing all the squares gives the second-order sum of differences.
[0123] The square of the second-order difference sum is obtained by squaring the sum of the second-order differences.
[0124] Multiply the total number of indicators in the deviation sequence by the sum of the fourth-order differences, and then divide by the square of the sum of the second-order differences to obtain the kurtosis coefficient.
[0125] Multiply the kurtosis coefficient by the standard deviation and add the expected value to obtain the dynamic judgment threshold;
[0126] The current cross-domain security anomaly deviation index is compared with the dynamic judgment threshold.
[0127] If the cross-domain security anomaly deviation index is greater than the dynamic judgment threshold, an abnormal alarm is sent to the control center and the node is switched to hardware isolation mode.
[0128] If the cross-domain security anomaly deviation index is less than or equal to the dynamic judgment threshold, then data collection and calculation will continue in the next time window.
[0129] Example 2, refer to Figure 2 A data security protection method for industrial control computers based on edge computing includes:
[0130] The data acquisition process collects the arrival time, packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer's edge node, forming a basic data sequence, including:
[0131] Configure a message listener at the edge computing gateway of the industrial control computer;
[0132] Configure voltage and temperature sensors for the motherboard CPU;
[0133] Set a containing The data observation time window for each sampling point;
[0134] from to Synchronously record the arrival timestamp of each data packet arriving at the edge node. Data packet size in bytes CPU core operating voltage at the time of data acquisition and CPU core absolute temperature ; Forming a length of The basic data sequence.
[0135] In specific industrial manufacturing scenarios, the industrial control computer edge node is an industrial computing gateway based on ARM or x86 architecture, deployed next to CNC machine tools or PLC controllers. The packet listener, implemented using eBPF or DPDK technology, can bypass network card data copying, avoiding frequent copying between kernel and user modes. Before recording the timestamp, the edge node performs clock synchronization calibration with the industrial main switch using the IEEE 1588 precise time protocol to ensure... The recording accuracy reaches the sub-microsecond level. Simultaneously, the motherboard operating voltage data... Absolute temperature obtained by reading the power management integrated circuit. Data is acquired by reading the digital thermistor integrated within the processor. Due to the harsh electromagnetic environment in industrial settings, if data is missing at a certain moment due to busy I2C bus, the system uses valid data from the previous and next adjacent moments and employs linear interpolation to fill in the missing points. Subsequently, the operating voltage sequence is averaged and filtered through a small sliding window containing three sampling points to remove spurious voltage spikes caused by inherent high-frequency switching ripples in the power supply. The number of sampling points in the data observation time window is set. The time interval depends on the communication protocol used in the industrial environment. For example, for the Profinet protocol with a time interval of 1 millisecond, The optimal setting is 1000, with an adjacent sampling interval of 10 to 50 milliseconds. This parameter setting ensures coverage of the entire industrial control instruction execution cycle while avoiding the smoothing dilution of microsecond-level transient characteristics due to an excessively large window.
[0136] By configuring a message listener at the edge computing gateway of the industrial control computer and combining it with the voltage and temperature sensors at the bottom layer of the motherboard's central processing unit, a synchronous acquisition mechanism for multi-dimensional heterogeneous data is executed within a set data observation time window to construct a consistent underlying basic data sequence in the time dimension. This hardware-based bypass listening and acquisition mode differs from the traditional online security gateway's serial interception architecture design, reducing the occupation of the original normal business communication links and bandwidth resources of the industrial control computer, and ensuring the real-time issuance of high-frequency control commands in the industrial field. At the same time, relying on timestamp alignment operations, the system spatiotemporally binds the data communication payload, which is regarded as a different dimension of the network protocol stack layer, with the energy consumption fluctuation state at the physical layer of the processor's micro-transistors. This breaks the information isolation between the network security domain and the physical device domain, enabling the triggering of external network requests to find a physical mapping in the underlying hardware response. This lays the foundation for state tracing for subsequent cross-domain feature cross-comparison, abnormal computing power delimitation, and malicious process analysis.
[0137] After forming the basic data sequence and before calculating the adaptive temperature change rate, a denoising and cleaning step is also included in the basic data sequence: a median filtering algorithm is used to denoise and clean the data sequence. The processor at each sampling point performs sliding window detection using voltage and absolute temperature sequences to eliminate isolated noise points that deviate from the neighborhood mean by more than a set threshold, and then uses adjacent normal sampling points for linear interpolation replacement. This optimization eliminates the physical interference caused by transient electromagnetic pulses from the start-up and shutdown of large motors in industrial settings on the readings of the underlying hardware sensors, further improving the accuracy of safety anomaly deviation calculation.
[0138] Reference Figure 3 The step of calculating the ratio of the current operating voltage to the historical cumulative average voltage, and multiplying this ratio as a modulation coefficient in the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate, includes:
[0139] The real-time voltage modulation coefficient is calculated using the following formula:
[0140]
[0141] In the formula, It is the first Real-time voltage modulation coefficient at any given time; It is the first CPU core operating voltage at all times; From moment 1 to moment 2 The voltage measured cumulatively over time;
[0142] The adaptive temperature change rate is calculated using the following formula:
[0143]
[0144] In the formula, It is the first The adaptive rate of temperature change at any given time; It is the first The absolute temperature of the CPU core at any given time; It is the first The absolute temperature of the CPU core at any given time; and These are the timestamps of the current moment and the previous moment, respectively; It is the voltage modulation coefficient. When When, define .
[0145] By extracting the relative ratio between the current operating voltage and the historical cumulative average voltage, and multiplying it as an adaptive modulation coefficient into the temperature differential rate calculation model of adjacent sampling points, this approach leverages the electronic property of the processor's internal power supply network exhibiting smooth fluctuations in operating voltage at the physical level when responding to computational tasks. This corrects the quantization step error caused by the discrete resolution limitations of the underlying temperature sensor and the truncation of ADC sampling. This processing method introduces continuous dynamic characteristics reflecting the instantaneous work fluctuations of the processor into the stepped discrete temperature sequence, avoiding the mathematical phase delay and time window lag introduced by conventional filtering algorithms. This enables edge computing nodes deployed in industrial sites to capture subtle transient thermal response changes caused by malicious code execution under low-latency monitoring conditions, thus broadening the perception boundary of side-channel security protection.
[0146] The intrinsic thermal power deviation is calculated by subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining this with the proportion of the current absolute temperature to the total average temperature and the sampling time interval. This includes:
[0147] The net temperature change rate is calculated using the following formula:
[0148]
[0149] In the formula, It is the first Net temperature change rate at time t; It is an adaptive temperature change rate; and These are the absolute CPU core temperatures at the end and beginning of the window, respectively. and It is the corresponding timestamp;
[0150] The intrinsic thermal power deviation is calculated using the following formula:
[0151]
[0152] In the formula, It is the first The intrinsic thermal power deviation at any given time; It is the net temperature change rate; and It is the corresponding timestamp; It is the first The absolute temperature of the CPU core at any given time; It is the first The absolute temperature of the CPU core at any given time; This is the total number of sampling points.
[0153] By extracting the slope of the absolute temperature change at both ends of the observation time window to calculate the global linear drift rate, and separating it from the instantaneous adaptive temperature change rate, the background interference caused by external environmental factors such as day-night temperature differences, start-up and shutdown disturbances of computer room air conditioning, or close-range radiant heating of heavy machinery on the underlying hardware of industrial control computers in real industrial manufacturing sites is eliminated. Furthermore, by combining the relative weight of the current absolute temperature within the overall operating cycle and the adjacent sampling time intervals for nonlinear compensation, an intrinsic thermal power deviation independent of external environmental reference temperature fluctuations is reconstructed. This mechanism enables the safety protection system to filter out low-frequency environmental thermal noise and focus the monitoring field on abnormal heat generation induced by abnormal communication processing or illegal encryption calculation tasks performed by the processor core in a short timescale. This overcomes the technical bottleneck of traditional alarm systems based on fixed temperature thresholds failing under complex weather conditions, and improves the robustness and alarm accuracy of underlying physical state detection in industrial scenarios.
[0154] The process of obtaining the maximum operating voltage within the observation window, calculating the square of the difference between the maximum operating voltage and the current operating voltage, and dividing it by the square of the maximum operating voltage to map the expected computational load includes:
[0155] The expected computational load is calculated using the following formula:
[0156]
[0157] In the formula, It is the first Expected computational load at any given time; It is the first CPU core operating voltage at any given time; It is the operating voltage of all CPU cores during the entire data collection window. The maximum value in.
[0158] By capturing the peak voltage of the processor core during a set observation window and calculating the square ratio of the difference between this extreme value and the current transient operating voltage, the voltage drop depth of the underlying power supply network is mapped to the computational load benchmark currently borne by the industrial control computer. This processing mechanism conforms to the electronic law that the dynamic transient power consumption of semiconductor CMOS transistors during high-frequency state switching is positively correlated with the square of the supply voltage drop amplitude. This provides a dynamic standard for measuring the physical energy consumption fluctuations caused by control tasks in the safety protection system. It decouples the voltage drop phenomenon caused by the execution of normal production instructions such as multi-axis linkage acceleration and complex PID calculations in the underlying physical signal. From the algorithm level, it avoids the system misjudging legitimate transient high-intensity physical production tasks as computing power hijacking or network resource exhaustion attacks, ensuring the continuity and reliability of the intelligent manufacturing production line under full-load operation.
[0159] The instantaneous data throughput is calculated based on the byte size of the currently arriving data packet and the time interval between adjacent sampling points. This throughput is then divided by the historical average throughput to extract the communication energy footprint, including:
[0160] Instantaneous data throughput is calculated using the following formula:
[0161]
[0162] In the formula, It is the first Instantaneous data throughput at any given moment; It is the first The size of the data packet arriving at any given time in bytes; and It is the corresponding timestamp; when When, define .
[0163] The communication energy footprint is extracted using the following formula:
[0164]
[0165] In the formula, It is the first The energy footprint of communication at any moment; It is the first Instantaneous data throughput at any given moment; It is the first Instantaneous data throughput at any given moment; This is the total number of sampling points.
[0166] Instantaneous data throughput is calculated by synchronously monitoring the payload size of data packets arriving at the network ingress and the time interval between adjacent data packets. This instantaneous throughput is then compared with the average throughput accumulated over a historical stable observation period to reduce dimensionality, thereby extracting the communication energy footprint in the network communication dimension. This characteristic indicator isolates the individual differences in network communication volume of different industrial control computers under different operating conditions, reflecting the relative changes and abnormal clustering of transient network communication activities. This allows the underlying security system to characterize the expected hardware energy consumption of external network command inputs without decrypting application layer business data, based on bypass monitoring of network physical metadata. This provides a network benchmark for subsequent cross-domain orthogonal comparison with the physical energy consumption characteristics of equipment, changing the traditional method of relying on packet unpacking security inspection.
[0167] The step of normalizing the intrinsic thermal power deviation by dividing it by the historical average absolute deviation, calculating the absolute difference between the normalized thermal power and the expected calculated load, and multiplying this difference by the communication energy footprint to obtain the cross-domain security anomaly deviation includes:
[0168] The normalized heat power is calculated using the following formula:
[0169]
[0170] In the formula, It is the first Normalized thermal power at any given time; It is the first The intrinsic thermal power deviation at any given time; It is the first The intrinsic thermal power deviation at any given time; This is the total number of sampling points;
[0171] The safety deviation index is calculated using the following formula:
[0172]
[0173] In the formula, It is the first Safety deviation indicators at any given time; For the first Normalized thermal power at any given time; For the first Expected computational load at any given time; For the first The energy footprint of communication at any moment.
[0174] By normalizing the extracted intrinsic thermal power deviation with the historical average absolute deviation through division, the dimensional differences in physical quantities between the reading parameters of different underlying detection components such as temperature and voltage sensors are eliminated. This allows for the calculation of the absolute difference between the dimensionless normalized thermal power and the expected computational load. This difference, reflecting the deviation of physical work done, is then multiplied by the communication energy footprint, integrating the actual work deviation at the physical hardware level with the excitation intensity at the network communication level. This cross-domain comparison mechanism can detect abnormal deviations between the seemingly legitimate amount of network input data and the actual heat generation at the device's underlying level. It amplifies abnormal fluctuations such as covert decryption, Trojan data injection, or illegal background computing power usage, enhancing the system's ability to identify unknown attacks or APT threats.
[0175] Reference Figure 4 The calculation of the expected value and standard deviation of the cross-domain safety anomaly deviation sequence, and the generation of a dynamic judgment threshold based on the fourth moment distribution characteristics of the deviation sequence's deviation from the mean; comparing the real-time cross-domain safety anomaly deviation with the dynamic judgment threshold to determine whether an anomaly has occurred, including:
[0176] The expected value of the safety anomaly deviation index series is calculated using the following formula:
[0177]
[0178] In the formula, It is the mathematical expectation of the safety anomaly deviation index sequence; It is the first Safety deviation indicators at any given time; This is the total number of sampling points;
[0179] The standard deviation of the safety anomaly deviation index series is calculated using the following formula:
[0180]
[0181] In the formula, It is the standard deviation of the safety anomaly deviation index sequence; It is the first Safety deviation indicators at any given time; This is the total number of sampling points; It is the mathematical expectation of the safety anomaly deviation index sequence;
[0182] The dynamic judgment threshold is calculated using the following formula:
[0183]
[0184] In the formula, It is a dynamic threshold; It is the standard deviation of the safety anomaly deviation index sequence; It is the mathematical expectation of the safety anomaly deviation index sequence; This is the total number of sampling points; It is the first Safety deviation indicators at any given time;
[0185] Comparing them one by one Safety deviation index at any time With dynamic judgment threshold ;
[0186] like If the current data flow does not match the physical control state, an anomaly is detected. This indicates that within this microsecond timeframe, the actual hardware thermal energy consumption of the edge node abnormally exceeds the expected physical control load, and this anomaly is amplified by network communication timing, confirming it as a covert data injection attack or illegal process hijacking targeting the industrial control computer. At this point, the system sends an alarm to the industrial control computer control center and switches the node to hardware isolation mode.
[0187] like If the current data stream matches the physical control state and no anomaly has occurred, then the data acquisition and calculation for the next time window will continue.
[0188] By extracting discrete statistical features such as the expected value and standard deviation within the cross-domain security anomaly deviation sequence, and introducing the fourth-order central moment kurtosis feature to characterize the distribution pattern and probability of anomalous mutations in the data sequence, a dynamic judgment threshold driven by the real-time operating status data of the current equipment is generated. This generation mechanism overcomes the shortcomings of traditional security defense systems that rely on manually set static alarm thresholds, resulting in poor cross-environment adaptability and susceptibility to false alarms and missed alarms. It enables the security protection system to perceive and follow the historical trend of the actual operating status of the industrial control computer and dynamically adjust the security alarm threshold. When the real-time instantaneous deviation exceeds the dynamic adaptive threshold, the underlying hardware isolation action is triggered, truncating the data injection threat within a microsecond-level time slice, thus constructing a defense mechanism with environmental robustness and adaptability.
[0189] By synchronously collecting the underlying voltage, temperature, timing, and data size of the industrial control computer when processing network data packets, and cross-calculating the safety anomaly deviation, physical interference in the field is eliminated. The solution extracts the machine's true intrinsic heat generation by removing the linear drift of natural ambient temperature rise and maps legitimate voltage drops to the expected computational load. The beneficial effects of this method are: without disassembling and analyzing network data content, it can identify hidden data injection or illegal process hijacking simply by the cross-domain matching degree between the amount of data input from the network and the actual physical energy consumption of the machine, combined with a dynamically adaptive judgment threshold. This improves the accuracy of malicious attack interception in complex physical environments without affecting the real-time performance of industrial control.
[0190] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0191] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A method for protecting the data security of industrial control computers based on edge computing, characterized in that, include: Collect the arrival time, data packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer's edge node to form a basic data sequence; Calculate the ratio of the current operating voltage to the historical cumulative average voltage, and multiply this ratio as the modulation coefficient into the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate. The intrinsic thermal power deviation is calculated by subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining the proportion of the current absolute temperature to the total average temperature and the sampling time interval. Obtain the maximum operating voltage within the observation window, calculate the square of the difference between the maximum operating voltage and the current operating voltage, and divide it by the square of the maximum operating voltage to map the expected calculated load. The instantaneous data throughput is calculated based on the size of the currently arriving data packet in bytes and the time interval between adjacent sampling points. This throughput is then divided by the historical average throughput to extract the communication energy footprint. The intrinsic thermal power deviation is normalized by dividing it by the historical average absolute deviation. The absolute difference between the normalized thermal power and the expected calculated load is then calculated. This difference is multiplied by the communication energy footprint to obtain the cross-domain security anomaly deviation. Calculate the expected value and standard deviation of the cross-domain safety anomaly deviation sequence, and generate a dynamic judgment threshold based on the fourth moment distribution characteristics of the deviation sequence from the mean. Compare the real-time cross-domain safety anomaly deviation with the dynamic judgment threshold to determine whether an anomaly has occurred.
2. The method for protecting industrial control computer data based on edge computing according to claim 1, characterized in that, The data acquisition process collects the arrival time, packet size, processor operating voltage, and absolute temperature of each data packet received by the industrial control computer's edge node, forming a basic data sequence, including: Configure a message listener at the edge computing gateway of the industrial control computer; Configure voltage and temperature sensors for the motherboard's central processing unit; Set a data observation time window that includes multiple sampling points; Within the data observation time window, the arrival timestamp, packet size, CPU core operating voltage, and CPU core absolute temperature of each data packet arriving at the edge node are recorded synchronously, forming a basic data sequence composed of data from each sampling point.
3. The method for protecting industrial control computer data based on edge computing according to claim 2, characterized in that, The calculation of the ratio of the current operating voltage to the historical cumulative average voltage, and the multiplication of this ratio as a modulation coefficient into the calculation of the temperature change rate of adjacent sampling points to obtain the adaptive temperature change rate, includes: Calculate the average value of the operating voltage measured from the start time to the current sampling time; Divide the current operating voltage by the average value of the operating voltage to obtain the real-time voltage modulation coefficient; Calculate the difference in absolute temperature between the current moment and the previous moment; Calculate the difference between the current time and the previous time; Divide the difference in absolute temperature by the difference in timestamps to obtain the initial rate of temperature change; Multiply the initial temperature change rate by the real-time voltage modulation coefficient to obtain the adaptive temperature change rate at the current moment; The adaptive temperature change rate at the start time is set to zero.
4. The method for protecting industrial control computer data based on edge computing according to claim 3, characterized in that, The intrinsic thermal power deviation is calculated by subtracting the linear drift rate obtained from the first and last temperatures of the observation window from the adaptive temperature change rate, and then combining this with the proportion of the current absolute temperature to the total average temperature and the sampling time interval. This includes: Obtain the absolute temperature difference between the end and start times of the data observation time window; Obtain the difference between the timestamp of the last moment and the start moment of the data observation time window; Dividing the difference in absolute temperatures by the difference in timestamps yields the linear drift rate; Subtract the linear drift rate from the current adaptive temperature change rate to obtain the net temperature change rate; Calculate the average absolute temperature of all sampling points within the data observation time window as the total average temperature; Divide the current absolute temperature by the total average temperature to obtain the temperature percentage. The intrinsic thermal power deviation at the current moment is obtained by multiplying the net temperature change rate, the difference between the timestamps of the current moment and the previous moment, and the temperature proportion.
5. A method for protecting industrial control computer data security based on edge computing according to claim 4, characterized in that, The process of obtaining the maximum operating voltage within the observation window, calculating the square of the difference between the maximum operating voltage and the current operating voltage, and dividing it by the square of the maximum operating voltage to map the expected computational load includes: Extract the maximum value among all the operating voltages collected within the data observation time window, and use it as the maximum operating voltage; Calculate the difference between the maximum operating voltage and the current operating voltage, and square the difference to obtain the first squared value; The second squared value is obtained by squaring the maximum operating voltage. Divide the first squared value by the second squared value to obtain the expected computational load at the current moment.
6. The method for protecting industrial control computer data based on edge computing according to claim 5, characterized in that, The instantaneous data throughput is calculated based on the byte size of the currently arriving data packet and the time interval between adjacent sampling points. This throughput is then divided by the historical average throughput to extract the communication energy footprint, including: Divide the size of the data packet arriving at the current time in bytes by the difference between the timestamp of the current time and the timestamp of the previous time to obtain the instantaneous data throughput at the current time. Set the instantaneous data throughput at the start time to zero; Calculate the average instantaneous data throughput of all sampling points except the initial time, and use it as the historical average throughput. Divide the instantaneous data throughput at the current moment by the historical average throughput to obtain the communication energy footprint at the current moment.
7. A method for protecting industrial control computer data security based on edge computing according to claim 6, characterized in that, The step of normalizing the intrinsic thermal power deviation by dividing it by the historical average absolute deviation, calculating the absolute difference between the normalized thermal power and the expected calculated load, and multiplying this difference by the communication energy footprint to obtain the cross-domain security anomaly deviation includes: Calculate the average of the absolute values of the intrinsic thermal power deviations at all sampling points except the initial time, and use this as the historical average absolute deviation. Divide the current intrinsic thermal power deviation by the historical average absolute deviation to obtain the current normalized thermal power. Calculate the difference between the normalized thermal power at the current moment and the expected calculated load, and take the absolute value of the difference; Multiplying the absolute value by the current communication energy footprint yields the cross-domain security anomaly deviation index for the current moment.
8. A method for protecting industrial control computer data security based on edge computing according to claim 7, characterized in that, The mathematical expectation and standard deviation of the cross-domain safety anomaly deviation sequence are calculated, and a dynamic judgment threshold is generated based on the fourth moment distribution characteristics of the deviation sequence's deviation from the mean. The real-time cross-domain security anomaly deviation is compared with the dynamic judgment threshold to determine whether an anomaly has occurred, including: Extract the cross-domain safety anomaly deviation index from all sampling points except the initial time, and form a deviation sequence; Calculate the expected value and standard deviation of the bias sequence; Calculate the fourth power and the square of the difference between each index in the deviation sequence and the expected value; Summing all the fourth powers gives the fourth-order sum of differences, and summing all the squares gives the second-order sum of differences. The square of the second-order difference sum is obtained by squaring the sum of the second-order differences. Multiply the total number of indicators in the deviation sequence by the sum of the fourth-order differences, and then divide by the square of the sum of the second-order differences to obtain the kurtosis coefficient. Multiply the kurtosis coefficient by the standard deviation and add the expected value to obtain the dynamic judgment threshold; The current cross-domain security anomaly deviation index is compared with the dynamic judgment threshold. If the cross-domain security anomaly deviation index is greater than the dynamic judgment threshold, an abnormal alarm is sent to the control center and the node is switched to hardware isolation mode. If the cross-domain security anomaly deviation index is less than or equal to the dynamic judgment threshold, then data collection and calculation will continue in the next time window.