An industrial internet of things intrusion detection method and system based on online incremental learning

By employing an online incremental learning method and utilizing positive sample unlabeled learning and anchor point constraint mechanisms, the problems of protocol heterogeneity and attack sample scarcity in the Industrial Internet of Things (IIoT) are solved. This achieves efficient intrusion detection and adaptability to new attack patterns, reduces false alarm rates, and maintains memory of historical patterns.

CN122247670APending Publication Date: 2026-06-19WUHAN UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WUHAN UNIV
Filing Date
2026-03-13
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing industrial IoT intrusion detection systems struggle to achieve effective intrusion detection when faced with challenges such as highly heterogeneous industrial protocol traffic, scarce attack samples, and dynamic shifts in attack patterns. In particular, they suffer from high false alarm rates and are unable to adapt to new attack patterns in scenarios with scarce tags.

Method used

We employ an online incremental learning approach, constructing robust normal traffic anchors, utilizing a positive sample unlabeled learning paradigm, and combining heterogeneous perceptual representation learning with an incremental update mechanism based on anchor constraints to identify zero-day threats and adapt to new attack patterns.

Benefits of technology

It significantly reduces the false alarm rate, effectively identifies unknown attacks in industrial IoT scenarios, achieves long-term stable operation, and adapts to new attack patterns without forgetting historical normal business patterns.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247670A_ABST
    Figure CN122247670A_ABST
Patent Text Reader

Abstract

This invention discloses an industrial IoT intrusion detection method and system based on online incremental learning. The method includes: acquiring IoT traffic and dividing it into offline historical data and online real-time data streams; training a feature encoder using heterogeneous perceptual representation learning to address protocol heterogeneity issues; training an initial classifier using a positive sample unlabeled learning paradigm to address label scarcity issues; during the online detection phase, calculating distribution dissimilarity to detect concept drift by maintaining an anchor buffer containing static positive samples and dynamic negative samples; and triggering incremental updates with consistency regularization constraints when drift is detected. This invention effectively adapts to the challenges of protocol heterogeneity, label scarcity, and attack pattern drift in the industrial IoT environment, achieving high-performance adaptive intrusion detection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and specifically to an industrial Internet of Things (IoT) intrusion detection method and system based on online incremental learning. Background Technology

[0002] The Industrial Internet of Things (IIoT) has significantly improved production efficiency by breaking down the barriers between traditional operational technology (OT) and information technology (IT). However, this ubiquitous connectivity also disrupts the previously closed, physically isolated environment of industrial control systems, directly exposing them to complex cyberattack threats. Since industrial equipment often carries critical infrastructure or high-value production lines, malicious intrusions such as ransomware and advanced persistent threats can not only lead to the leakage of sensitive production data but also potentially cause equipment damage, production stoppages, and even physical safety incidents. Therefore, building a highly reliable security defense system for the IIoT has become a pressing common industry issue that needs to be addressed.

[0003] Intrusion detection systems (IDS) are a core component of industrial network security defense systems. They identify and respond to malicious behaviors and operations that violate security policies by monitoring and deeply analyzing industrial network traffic in real time. In the Industrial Internet of Things (IIoT) environment, IDS aims to accurately distinguish between normal process control traffic and potential attack traffic from massive amounts of production communication data, serving as a crucial line of defense for ensuring the continuity and security of industrial production.

[0004] However, in practical industrial IoT applications, intrusion detection faces the following serious data challenges: (1) High heterogeneity of industrial protocols and traffic characteristics. The industrial field network environment is extremely complex, with IT protocols (such as HTTP, FTP, etc.) and OT-specific protocols (such as Modbus TCP, OPC UA, PROFINET, EtherCAT, etc.) deeply intertwined. The payload structure, communication frequency, and interaction mode of different industrial protocols vary greatly. This results in normal industrial production traffic not exhibiting a single compact distribution in the feature space, but rather a multimodal, high-dimensional discrete distribution, which is difficult to cover with a single rule or statistical model.

[0005] (2) The widespread scarcity of anomalous attack samples. In real industrial networks, the vast majority of traffic data consists of normal production control commands. Although normal samples are extremely abundant, the high stability requirements of industrial systems make it difficult to conduct destructive penetration tests in production environments, resulting in extremely high costs and rarity in obtaining high-quality, definitive attack labels. This extreme asymmetry between positive and negative samples makes it difficult for traditional supervised learning models to obtain sufficient attack samples for training, making them highly susceptible to overfitting.

[0006] (3) Dynamic drift of attack methods and environment. Cyberattack methods targeting industrial facilities are constantly evolving, with zero-day exploits and variant attacks targeting specific industrial controllers emerging one after another. Over time, the statistical distribution of malicious traffic will change non-stationarily, resulting in inconsistencies between the distribution of training data and test data.

[0007] To address the aforementioned challenges, existing intrusion detection solutions still have significant shortcomings: First, traditional supervised learning methods heavily rely on complete attack labels, performing poorly in scenarios where labels are scarce. While some semi-supervised intrusion detection solutions attempt to utilize unlabeled data, existing methods typically assume that normal samples follow a single distribution, attempting to force heterogeneous normal traffic onto a unified semantic center. This approach disrupts the inherent structure of multi-protocol traffic in the Industrial Internet of Things (IIoT), resulting in overly loose decision boundaries for normal traffic, making it difficult to effectively eliminate highly disguised attacks. Second, static models cannot adapt to new attack patterns after training, and their performance degrades rapidly over time after deployment. Existing incremental learning or online update solutions, while possessing some adaptability, often lack effective constraint mechanisms. When models blindly adapt to new, unknown attack data, catastrophic forgetting can easily occur—that is, while learning new attack features, they forget previously learned normal business patterns, leading to a surge in false positives for old normal traffic. Furthermore, many adaptive methods rely on continuous manual intervention for label feedback, which is impractical in the massive data scenarios of the IIoT. Summary of the Invention

[0008] In view of this, the present invention proposes an industrial IoT intrusion detection method based on online incremental learning. This method aims to identify zero-day threats by constructing robust normal traffic anchors, utilizing a positive sample unlabeled learning paradigm, and achieving continuous adaptation of the model through an incremental update mechanism of anchor constraints.

[0009] According to one aspect of the present invention, an industrial Internet of Things (IoT) intrusion detection method based on online incremental learning is provided, comprising: S1: Acquire network traffic data in an industrial IoT environment; S2: Divide the network traffic data into offline historical data and online real-time data stream; S3: Based on the data representation generated by the feature encoder, perform heterogeneous perceptual representation learning on the offline historical data to train the feature encoder; S4: Based on the data representation generated by the trained feature encoder, perform positive sample unlabeled learning on offline historical data to train a classifier to the initial state; S5: Connect the trained feature encoder and the initial state classifier in series to form the initial detection model; S6: During the online detection phase, the initial detection model is used to perform attack detection on real-time data for each time period, and a concept drift adaptive mechanism is activated to determine whether attack mode drift has occurred. S7: When drift is detected, an incremental update process is triggered to adapt the model to the new attack mode before returning to S6.

[0010] As a further technical solution, the offline historical data in S2 includes normal offline historical data labeled with normal traffic tags and unlabeled offline historical data, and the online real-time data stream consists of several real-time data of the same data volume for different time periods.

[0011] The feature encoder is a two-layer fully connected neural network, consisting of a cascaded input layer, a hidden layer, and an output layer. Furthermore, the hidden layer includes a linear transformation layer and an activation layer, and the output layer is a linear transformation layer.

[0012] As a further technical solution, S3 performs heterogeneous perceptual representation learning on offline historical data, including: A positive sample set based on heterogeneous perception multi-view is constructed, in which a temporary auxiliary classifier is used; Minimize the representation loss to optimize the feature encoder and the auxiliary classifier in parallel; The representation loss consists of contrast loss and auxiliary classification loss; the positive sample set based on heterogeneous perception multi-view consists of the intersection of general structural view and semantic consistency view.

[0013] Furthermore, the general structural view is formed by processing sample representations using the K-means clustering algorithm to create clusters, with each positive sample assigned to its corresponding cluster. The semantic consistency view consists of positive samples with the same predicted label, requiring a temporary auxiliary classifier to obtain the predicted label of the sample. The auxiliary classifier is a linear transformation layer. Therefore, to construct a set of positive samples for any positive sample, samples in the same cluster and whose predicted labels from the auxiliary classifier are also positive are selected to represent normal traffic samples with the same protocol structure as the traffic sample.

[0014] As a further technical solution, the general structural view is a cluster formed by processing sample representations through the K-means clustering algorithm; the semantic consistency view is positive samples with the same predicted label; and the auxiliary classifier is a linear transformation layer used to obtain the predicted label of the sample.

[0015] As a further technical solution, S4 performs positive sample unlabeled learning on offline historical data, including: The first few epochs are used as the initial training phase, and a soft-label warm-up strategy is used to initialize the data sample representation. Subsequent epochs serve as an adaptive training phase, introducing an exponential moving average strategy to smooth pseudo-label updates and calculating dynamic weights based on prediction confidence. High-confidence samples are assigned higher weights through a Gaussian distribution function, gradually sharpening the decision boundary.

[0016] The classifier is a multilayer perceptron, consisting of a cascaded normalization module and an output layer. Furthermore, each normalization module includes a linear transformation layer, a normalization layer, an activation layer, and a dropout layer, while the output layer maps the input of the normalization module to a confidence interval.

[0017] As a further technical solution, the concept drift adaptive mechanism initiated in S6 includes: Maintain a reference buffer containing static positive sample anchors and dynamic negative sample anchors; the static positive sample anchors are derived from the centers of normal sample clusters in offline historical data, and the dynamic negative sample anchors are derived from the prototype attack samples detected in offline historical data. Define an attack buffer and store suspected attack samples detected in real time into the attack buffer; When the number of suspected attack samples accumulated in the attack buffer reaches a preset size, the distribution difference between the current suspected attack sample set and the dynamic negative sample anchor point in the reference buffer is calculated. If the distribution difference exceeds a preset drift threshold, an attack mode drift is determined to have occurred, and an incremental update process is triggered.

[0018] The distribution difference between the current suspected attack sample set and the dynamic negative sample anchor point is calculated, and the Kullback-Leibler divergence is calculated as a drift index using the cross-K nearest neighbor algorithm.

[0019] As a further technical solution, the incremental update process in S7 includes: Construct a hybrid updated training set using the real-time data stream of the current time period and the anchor data in the reference buffer; Minimize the update loss to optimize the feature encoder and classifier, and complete the model update; The update loss consists of a classification loss and a consistency regularization loss for the mixed update training set; the consistency regularization loss is used to constrain the updated model to maintain consistency with the representation of static positive sample anchors in the reference buffer before the update.

[0020] According to one aspect of the present invention, an industrial Internet of Things (IoT) intrusion detection system based on online incremental learning is provided, comprising: The data acquisition module is used to acquire network traffic data in an industrial IoT environment; The data segmentation module is used to divide the network traffic data into offline historical data and online real-time data streams; A heterogeneous perceptual representation learning module is used to perform heterogeneous perceptual representation learning on the offline historical data based on the data representation generated by the feature encoder, so as to train the feature encoder. The classifier initial training module is used to train a classifier to an initial state on the offline historical data based on the data representation generated by the trained feature encoder. The model combination module is used to concatenate the trained feature encoder with the classifier in the initial state to form an initial detection model; The online detection and drift detection module is used to perform attack detection on real-time data for each time period using the initial detection model during the online detection phase, and to activate the concept drift adaptive mechanism to determine whether attack mode drift has occurred. The incremental update module is used to trigger the incremental update process when drift is detected, so that the model can adapt to the new attack mode.

[0021] According to one aspect of the present invention, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the aforementioned industrial Internet of Things intrusion detection method based on online incremental learning.

[0022] According to one aspect of the present invention, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the described industrial Internet of Things intrusion detection method based on online incremental learning.

[0023] Compared with the prior art, the beneficial effects of the present invention are as follows: (1) The heterogeneous perception representation learning mechanism proposed in this invention can align the normal traffic of different IoT protocols into a compact semantic cluster, solve the problem of loose decision boundaries caused by protocol diversity, and significantly reduce the false alarm rate.

[0024] (2) Unlike traditional methods that rely on attack features, this invention is based on a positive sample unlabeled learning paradigm. It can define the abnormal boundary using only a small number of normal labels, and can identify unknown attacks as outliers that deviate from the normal manifold, effectively solving the problem of scarce attack labels in the industrial Internet of Things scenario.

[0025] (3) By establishing a closed-loop adaptive mechanism based on anchor points, this invention can not only actively sense the drift of attack patterns, but also perform incremental updates through consistency regularization constraints, ensuring that the model does not forget historical normal business patterns while learning new attacks, so as to achieve long-term stable operation. Attached Figure Description

[0026] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the accompanying drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0027] Figure 1 This is a schematic diagram of the overall process of an industrial IoT intrusion detection method based on online incremental learning, provided in an embodiment of the present invention.

[0028] Figure 2 This is a flowchart illustrating the unlabeled learning process for positive samples in a classifier, as provided in an embodiment of the present invention.

[0029] Figure 3 This is a flowchart of the online monitoring stage trigger-based concept drift detection provided in an embodiment of the present invention. Detailed Implementation

[0030] The terms “comprising” and “having”, and any variations thereof, in the specification, claims, and accompanying drawings of this invention are intended to cover a non-exclusive inclusion, such as a process, method, system, product, or apparatus that includes a series of steps or units, not necessarily limited to those explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0031] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention. In addition, the technical features of the various embodiments or individual embodiments provided by the present invention can be arbitrarily combined to form new technical solutions. Such combinations are not bound by the order of steps and / or structural composition patterns, but must be based on the ability of those skilled in the art to implement them. When the combination of technical solutions is contradictory or cannot be implemented, it should be considered that such a combination of technical solutions does not exist and is not within the scope of protection claimed by the present invention.

[0032] This invention proposes an industrial IoT intrusion detection method based on online incremental learning. The overall process is as follows: Figure 1 As shown, the specific steps are explained below: S1: Acquire network traffic data in the industrial IoT environment and preprocess the network traffic data to obtain preprocessed data.

[0033] The experimental data used consists of several features and a label, where the original label defines the corresponding sample as normal traffic or attack traffic of various categories.

[0034] Preferably, the UNSW-NB15 dataset or the ToN-IoT dataset can be used as the experimental dataset.

[0035] Preferably, the network traffic data is preprocessed to obtain preprocessed data, specifically including the following steps: S101: Process missing values ​​in network traffic data to obtain missing value processing data.

[0036] For missing character values ​​in a feature, fill in the value with the highest frequency in the feature column; for missing numerical values ​​in a feature, fill in the median of the value in the feature column.

[0037] S102: Label the character features in the missing value processing data to obtain character-encoded data.

[0038] The label encoding is processed using the LabelEncoder algorithm. Its principle is to map each type of character-type numerical value to a distinct integer based on the lexicographical order of all unique values ​​in the feature column, thereby replacing each character-type numerical value with its corresponding integer.

[0039] S103: Standardize the character encoded data to obtain preprocessed data.

[0040] For the feature columns of the data, the StandardScaler algorithm is used for processing. Its principle is to transform the data distribution of each feature into a standard normal distribution with a mean of 0 and a standard deviation of 1. The calculation is shown in the following formula: , Where h is the standardized value, a is the original value, μ represents the mean of the features, and σ is the standard deviation of the feature values. After standardization, the data range will be converted to (-1, 1).

[0041] For the label column of the data, the label value defining normal traffic is replaced with 1, representing a positive sample in this invention; the label value defining attack traffic is replaced with 0.

[0042] S2: Divide the preprocessed data into offline historical data and online real-time data stream, wherein: the offline historical data includes normal offline historical data labeled with normal traffic and unlabeled offline historical data, and the online real-time data stream consists of several real-time data of the same data volume for different time periods.

[0043] The offline historical data and online real-time data stream define the network traffic pattern under the deployment logic of this invention. In the experiment, this invention simulates the network traffic pattern by dividing the dataset and processing labels. Specifically, this invention arbitrarily divides the preprocessed data into offline historical data D0 and online real-time data stream. In one possible implementation, the data in the online real-time data stream includes attack categories not included in the offline historical data to simulate attack pattern drift.

[0044] The normal offline historical data in the offline historical data D0 This involves extracting a certain amount of defined normal traffic data from offline historical data, whose labels serve as supervision signals during the training phase; the unlabeled offline historical data in the offline historical data D0... The remaining data cannot be labeled.

[0045] The real-time data for the time period in the online real-time data stream is the online real-time data stream. Divided into quantitative data segments It simulates real-time traffic input at regular intervals in the live network, and its labels are used for verification during the testing phase.

[0046] S3: Based on the representation of data by the feature encoder, heterogeneous perceptual representation learning is performed on offline historical data to train the feature encoder.

[0047] The feature encoder E is a two-layer fully connected neural network, consisting of a cascaded input layer, a hidden layer, and an output layer.

[0048] Its specific implementation method is as follows: A batch, denoted as B, is sampled from the offline historical data D0. For each sample feature vector x... i The input feature encoder E, which is related to x i Perform L2 normalization and map it onto a hypersphere to obtain the sample representation z. i The calculation is shown in the following formula: .

[0049] S301: Construct a positive sample set based on heterogeneous perceptual multi-view, in which a temporary auxiliary classifier is used.

[0050] The auxiliary classifier F auxIt is a linear transformation layer that reduces the dimension of the input vector to two-dimensional prediction probabilities.

[0051] The positive sample set P based on heterogeneous sensing multi-view i From the general structural view P gen and semantic consistency view P sem The intersection of these elements is denoted as P. i =P gen ∩P sem .

[0052] (i) For the construction of the general structural view, firstly, the sample representation {z} of the current batch is constructed. i Perform K-means clustering to form K clusters. Next, characterize z for each sample. i Assign a cluster ID, denoted as c. i The calculation is shown in the following formula: , Where, μ k The centroid of each cluster.

[0053] For each sample i, its general structural view P gen (i) is defined as a sample set, containing the set of samples j belonging to the same cluster as sample i in the same batch, denoted as . .

[0054] (ii) For the construction of the semantically consistent view, an auxiliary classifier F is used. aux Obtain the input sample representation z i Predicted probability Next, determine the semantic label y for each sample i. sem For data that has been marked as normal , making y sem =1; for unlabeled data Let its semantic label be the label y mapped by the predicted probability of the auxiliary classifier. sem = The mapping relationship is when The value is 1 when it is greater than the threshold and 0 when it is less than the threshold. One possible implementation is to define the threshold as 0.5.

[0055] For each sample i, its semantically consistent view P sem (i) is defined as a sample set, containing the set of samples j in the same batch as sample i that have the same semantic label, denoted as . .

[0056] S302: Minimize the representation loss to optimize the feature encoder and auxiliary classifier in parallel.

[0057] The characterization loss L E From contrast loss L cont And auxiliary classification loss L aux The composition is as shown in the following formula: , Where λ aux The influence weights for assisting classification tasks.

[0058] (i) Contrast loss L cont One possible implementation uses the InfoNCE loss function, which reduces the distance between a positive sample representation zi and other positive samples in Pi, and increases the distance to other samples. The calculation is shown in the following equation: , Where τ is the temperature parameter, P i This is the set of positive samples.

[0059] (ii) Auxiliary classification loss L aux In one possible implementation, the standard BCE loss function is used, calculated on labeled normal data. The calculation is shown in the following formula: .

[0060] S4: Based on the representation of the data by the trained feature encoder, perform positive sample unlabeled learning on offline historical data to train the classifier to the initial state.

[0061] The classifier F is a multilayer perceptron, consisting of cascaded normalization modules and an output layer. Each normalization module includes a linear transformation layer, a normalization layer, an activation layer, and a dropout layer. The output layer maps the input of the normalization modules to a confidence interval. Classifier F receives the sample representation z output by the feature encoder E. i And convert it into the predicted probability p of the corresponding sample. i ∈[0,1].

[0062] like Figure 2 As shown, the positive sample unlabeled learning follows a two-stage paradigm, namely the initialization training stage and the adaptive training stage.

[0063] S401: The first few epochs serve as the initial training phase, employing a soft-label warm-up strategy to initialize the data sample representation.

[0064] This stage addresses the cold start problem of classifier F. Specifically, this stage assigns an initial soft label to all samples. For normal offline historical data For unlabeled offline historical data Assign an initial value, and let it be... This represents the uncertain state of the sample. One possible implementation is to... Set to a local minimum close to 0.

[0065] The classifier uses these soft labels for the first few epochs of training, denoted as R1.

[0066] S402: Subsequent epochs serve as an adaptive training phase, introducing an exponential moving average strategy to smooth pseudo-label updates and calculating dynamic weights based on prediction confidence. High-confidence samples are assigned higher weights through a Gaussian distribution function, gradually sharpening the decision boundary.

[0067] Specifically, this stage first characterizes the sample z i Input the classifier and obtain its predicted probability p i .

[0068] To encourage classifiers to make high-confidence judgments, a label sharpening strategy is used to polarize the predicted probability to the two extremes of the prediction interval, i.e., 0 and 1. One possible implementation is to use a cosine function to polarize the predicted probability p. i The transformation is as shown in the following equation: , Where q i This is the sharpening value.

[0069] Next, the soft tags are updated using the exponential moving average algorithm. For the r-th epoch, the calculation is as follows: , Where α is the momentum coefficient, controlling the sharpening value q i The influence weights are indicated by the superscript (r-1), where (r) represents the current epoch number and represents the training logic.

[0070] The classifier is trained for the remaining number of epochs in this stage, denoted as R2.

[0071] Classification loss L for unlabeled learning of positive samples PU Represented as positive sample loss L P And unlabeled sample loss L U Summation: (i) Positive sample loss L P In one possible implementation, the standard BCE loss function is used, calculated on labeled normal data. The calculation is shown in the following formula: , (ii) Unlabeled sample loss L UIn one possible implementation, a weighted BCE loss function is constructed using a dynamic weighting strategy and computed on unlabeled data. The calculation is shown in the following equation: , Where ω j The dynamic weights of sample j are determined by the soft labels. Control. ω j The computational method makes the classifier tend to learn from samples with high confidence and ignore samples with low confidence, the latter being soft labels. The value is close to the center of the prediction interval (0.5), as shown in the following formula: , Where σ is the standard coefficient, which controls the steepness of the weighting function.

[0072] S5: Connect the feature encoder and the initial classifier in series to form the initial detection model.

[0073] The initial detection model is denoted as .

[0074] S6: During the online detection phase, the initial detection model is used to perform attack detection on real-time data for each time period, and a concept drift adaptive mechanism is activated to determine whether attack mode drift has occurred.

[0075] like Figure 3 As shown, this invention maintains a reference buffer M. anchor and attack buffer M attack Real-time data B for each time period k Input the detection model E for this round k-1 ∘F k-1 Subsequently, samples identified as attacks are stored in buffer M. attack In the middle. When the number exceeds the attack buffer size N. attack At that time, concept drift detection is triggered, combined with the reference buffer M. anchor Calculate the distribution dissimilarity and decide whether to perform an incremental update.

[0076] S601: Maintain a reference buffer that contains static positive sample anchors and dynamic negative sample anchors.

[0077] Reference buffer M anchor It consists of two parts, namely M anchor =M pos ∪M neg : (i) Static positive sample anchor point M pos : In the normal sample clusters identified during the offline learning phase, the distance μ from the centroid of each cluster k The most recent positive sample; (ii) Dynamic negative sample anchor point M neg Representative negative samples from historical attacks. The representative negative sample set is divided into boundary negative samples and prototype negative samples according to a specific ratio. The former is defined as samples with low prediction confidence, usually negative samples whose predicted labels are close to the center of the interval (0.5); the latter are samples predicted as attacks through further K-means clustering, selecting the negative samples in the attack sample cluster that are closest to the centroid of each cluster.

[0078] S602: Define an attack buffer to store suspected attack samples detected in real time.

[0079] S603: When the cumulative attack reaches the preset size of the attack buffer, calculate the distribution difference between the current suspected attack sample set and the dynamic negative sample anchor point in the reference buffer.

[0080] The calculation of the distribution difference between the current suspected attack sample set and the dynamic negative sample anchor points in the reference buffer is based on the cross-K nearest neighbor algorithm, including the following steps: (i) Construct the current attack set Z cur and historical benchmark set Z base As input to the algorithm, where the current attack set Z... cur For the current attack buffer M attack The representation of the medium sample, i.e., Z cur =E k-1 (M attack Historical benchmark set Z base For dynamic negative sample anchor point M neg The representation of the sample, i.e., Z base =E k-1 (M neg ); (ii) For the historical benchmark set Z base Each sample in the representation z i Search for the k nearest neighbors in this set; (iii) Calculate z i Euclidean distances between the device and its k neighbors; (iv) All distance values ​​constitute the empirical distribution Δ base ; (v) For the current attack set Z cur Each sample in the representation z j In the historical benchmark set Z neg Search for the k nearest neighbors; (vi) Calculate z j Euclidean distances between the device and its k neighbors; (vii) All distance values ​​form an empirical distribution Δ cross ; (viii) Calculate Δ cross With Δ base The Kullback-Leibler divergence between the two is the distributional dissimilarity, and it serves as the drift index S. drift As shown in the following formula: ; S604: If the distribution difference exceeds the preset drift threshold, it is determined that an attack mode drift has occurred, and an incremental update process is triggered.

[0081] The preset drift threshold is denoted as ξ. drift When S drift >ξ drift At that time, detection model E k-1 ∘F k-1 Perform an incremental update.

[0082] Regardless of whether it is updated, complete the real-time data B for this time period. k After processing, the detection model is denoted as .

[0083] S7: When drift is detected, an incremental update process is triggered to adapt the model to the new attack mode before returning to S6.

[0084] This stage includes the following steps: S701: Construct a hybrid updated training set using the real-time data stream of the current time period and the anchor data in the reference memory buffer.

[0085] The principle behind constructing the hybrid updated training set is to enable the detection model to adapt to new attack distributions during incremental learning while maintaining its memory of old knowledge. To this end, the training set data is derived from real-time data B from the current time period. k and reference buffer M anchor Select data randomly at a specific ratio and apply different labeling strategies to the data: (i) For the real-time data B of the current time period k Let its label value be 0.5, representing its uncertainty; (ii) For the reference buffer M anchor M pos Data label value is 1, M neg A data label value of 0 indicates an existing knowledge base.

[0086] S702: Minimize the update loss to optimize the feature encoder and classifier, and complete the model update.

[0087] The update loss L update The unlabeled classification loss L for positive samples in the mixed training set is used to update the training set. PU And consistency regularization loss Lreg The composition is as shown in the following formula: , Where λ reg The weights represent the impact of the regularization task.

[0088] Positive sample unlabeled classification loss L PU The construction reference is S402.

[0089] Consistency regularization loss L reg The construction principle is to ensure that the detection model maintains the invariance of normal anchor point memory during updates, as shown in the following equation: , Here, k and k-1 both represent the number of epochs for the corresponding real-time data.

[0090] This invention was tested on traffic datasets in general network scenarios and industrial IoT scenarios, and the detection performance was evaluated using overall accuracy, precision, recall, and F1 score. Table 1 shows the comparison results between the method of this invention (hereinafter referred to as ISAPUL) and the state-of-the-art methods. The results show that ISAPUL achieves the highest accuracy, recall, and F1 score on all datasets, demonstrating its superior overall performance.

[0091] Those skilled in the art will recognize that the modules and algorithm steps of the various examples described in conjunction with the embodiments disclosed in this invention can be implemented using electronic hardware or computer software. In one possible implementation, this invention is deployed in an industrial Internet of Things (IoT) scenario with a cloud-edge collaborative architecture.

[0092] The cloud management center deploys the source detection model and maintains a global reference buffer, responsible for executing the computationally demanding S1-S5 and S7 steps. After the source detection model completes training during the initialization or incremental update phase, the model parameters are pushed to the real-time detection model on the edge gateway via the downlink.

[0093] Industrial IoT edge gateways deploy real-time detection models and maintain attack buffers, responsible for executing S6 steps. They collect real-time traffic from industrial IoT devices, preprocess it, input it into the model for inference, cache suspected attack samples detected in real-time in the attack buffer, and trigger concept drift detection locally. When drift is detected, an incremental update process is triggered in the cloud.

[0094] Table 1. Performance comparison between the method of this invention and the state-of-the-art existing methods. .

[0095] This invention also provides an industrial IoT intrusion detection system based on online incremental learning, used to implement the above-described method embodiments. The system includes the following modules: The data acquisition module is used to acquire network traffic data in an industrial IoT environment. This module can be deployed on an industrial IoT edge gateway to collect network communication data from industrial devices such as sensors, controllers, and PLCs in real time.

[0096] The data partitioning module is used to divide the network traffic data into offline historical data and online real-time data streams. The offline historical data includes normal samples labeled with normal traffic tags and unlabeled samples, used for initial model training; the online real-time data stream is divided into several time-period real-time data streams with equal data volumes, used for online detection and incremental updates.

[0097] A heterogeneous perceptual representation learning module is used to perform heterogeneous perceptual representation learning on the offline historical data based on the data representation generated by the feature encoder, in order to train the feature encoder. This module maps heterogeneous protocol traffic to a compact deep semantic space by constructing a positive sample set based on heterogeneous perceptual multi-views and minimizing the representation loss consisting of contrastive loss and auxiliary classification loss, while simultaneously optimizing the feature encoder and temporary auxiliary classifier.

[0098] The classifier initial training module is used to train a classifier to an initial state on the offline historical data based on the data representation generated by the trained feature encoder. This module uses a soft-label warm-up strategy to initialize the sample representation and introduces an exponential moving average to smooth the pseudo-label update during the adaptive training phase. Combined with dynamic weights based on a Gaussian distribution function, the decision boundary is gradually sharpened.

[0099] The model combination module is used to concatenate the trained feature encoder with the classifier in the initial state to form an initial detection model, which serves as the basis for online detection.

[0100] The online detection and drift detection module is used during the online detection phase to perform attack detection on real-time data for each time period using the initial detection model, and to activate a concept drift adaptive mechanism to determine whether attack mode drift has occurred. This module maintains a reference buffer containing static positive sample anchors and dynamic negative sample anchors, as well as an attack buffer for temporarily storing suspected attack samples. When the attack buffer accumulates to a preset size, it calculates the distribution difference between the current suspected attack sample set and the dynamic negative sample anchors, and compares it with a drift threshold to determine whether drift has occurred.

[0101] The incremental update module triggers an incremental update process when drift is detected, allowing the model to adapt to new attack patterns. This module constructs a hybrid updated training set using real-time data from the current time period and anchor data from the reference buffer, and minimizes the update loss, which consists of classification loss and consistency regularization loss, to optimize the feature encoder and classifier, thus completing the model update.

[0102] The above modules can be implemented in software, hardware, or firmware, and can be deployed using a cloud-edge collaborative architecture: the heterogeneous perception representation learning module, the classifier initial training module, the model combination module, and the incremental update module can be deployed in the cloud management center, responsible for training and update tasks with high computing power requirements; the data acquisition module, the data partitioning module, and the online detection and drift detection module can be deployed on the edge gateway, responsible for real-time data acquisition, detection, and local drift perception, and collaboratively with the cloud to complete the adaptive closed loop.

[0103] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the industrial Internet of Things intrusion detection method based on online incremental learning as described in any of the above embodiments.

[0104] The electronic device can be a cloud server, edge computing gateway, industrial computer, programmable logic controller (PLC), or dedicated security device in an industrial IoT environment. Its memory can include high-speed random access memory (RAM) or non-volatile memory (such as solid-state drives or flash memory) for storing program code, network traffic data, model parameters, and buffer data. The processor executes the program to control the collaborative work of various functional modules, realizing a complete intrusion detection process from data acquisition, preprocessing, model training, online detection, and incremental updates.

[0105] The present invention also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the industrial Internet of Things intrusion detection method based on online incremental learning as described above.

[0106] The computer-readable storage medium can be any medium capable of storing program code, such as read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk, flash memory, USB flash drive, or portable hard drive. When the program is loaded into a computing device (such as a cloud server or edge gateway) in an industrial IoT environment and executed by its processor, the device becomes a dedicated device for implementing the method of this invention, capable of real-time intrusion detection and adaptive updates of industrial network traffic.

[0107] In summary, this invention discloses an industrial IoT intrusion detection method based on online incremental learning. The method includes: acquiring IoT traffic and dividing it into offline historical data and online real-time data streams; training a feature encoder using heterogeneous perceptual representation learning to address protocol heterogeneity issues; training an initial classifier using a positive sample unlabeled learning paradigm to address label scarcity issues; during the online detection phase, maintaining an anchor buffer containing static positive samples and dynamic negative samples, and calculating distribution dissimilarity to detect concept drift; when drift is detected, triggering an incremental update with consistency regularization constraints. This invention can effectively adapt to the challenges of protocol heterogeneity, label scarcity, and attack pattern drift in the industrial IoT environment, achieving high-performance adaptive intrusion detection. Compared to existing technologies, it has the following advantages: (1) The heterogeneous sensing representation learning mechanism proposed in this invention differs from traditional methods that linearly partition the original feature space using Euclidean distance (such as local density calculation and Voronoi decomposition). Based on the prior condition of a stable distribution of normal traffic, this invention utilizes a contrastive learning framework. It constructs a set of positive samples by using the intersection of a general structural view formed by K-means clustering and a semantically consistent view predicted by an auxiliary classifier, driving the feature encoder to perform a nonlinear transformation. This mechanism can map traffic with differentiated feature distributions due to different protocol structures to a compact and heterogeneously sensing deep semantic space, rather than forcibly fitting it to a single semantic center. By aligning normal traffic from different IoT protocols to their respective semantic clusters, this invention effectively solves the problem of loose decision boundaries caused by protocol diversity, significantly reducing the false alarm rate of misclassifying normal traffic as attacks.

[0108] (2) This invention differs from traditional supervised learning methods that rely on complete attack labels for training, employing a positive sample unlabeled learning paradigm. This method utilizes only a small number of readily available normal labels, initializes sample representations through a soft-label warm-up strategy, and introduces exponential moving average smoothing of pseudo-label updates during the adaptive training phase. Specifically, this invention calculates dynamic weights based on prediction confidence, assigning higher weights to high-confidence samples using a Gaussian distribution function, gradually sharpening the decision boundary between normal and abnormal behaviors. This enables the model to identify unknown zero-day attacks as outliers deviating from the normal manifold, effectively solving the problems of widespread scarcity of attack samples and extremely high costs of acquiring high-quality attack labels in industrial IoT scenarios, thus improving the detection capability for unknown threats.

[0109] (3) This invention establishes a closed-loop adaptive mechanism based on anchor points to address the dynamic drift of attack patterns. Unlike existing incremental solutions (such as mechanically reducing the weight of old prototypes by relying on a time exponential decay function), this mechanism first accurately characterizes historical business benchmarks by maintaining a reference buffer containing static positive sample anchor points (centers of normal sample clusters) and dynamic negative sample anchor points (historical attack prototypes). Secondly, it achieves proactive perception of systemic and structural attack pattern variations by calculating the distribution difference between the suspected attack sample set and the dynamic negative sample anchor points in the attack buffer. Most importantly, when drift is detected, this invention uses a mixed training set containing static positive sample anchor points for incremental updates and introduces a consistency regularization loss. This loss uses static positive sample anchor points as implicit soft constraints in the deep feature space, forcing the updated model to maintain a high degree of consistency with the previous model in the representation of normal traffic. This mechanism enables the model to autonomously absorb new attack features while fundamentally anchoring the decision boundaries of normal business models. It not only achieves an automated adaptive closed loop without human intervention, but also effectively solves the catastrophic problem of forgetting historical normal business models due to learning new knowledge during model updates, ensuring the long-term stable operation of the detection system.

[0110] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the technical solutions of the embodiments of the present invention.

Claims

1. An industrial IoT intrusion detection method based on online incremental learning, characterized in that, include: S1: Acquire network traffic data in an industrial IoT environment; S2: Divide the network traffic data into offline historical data and online real-time data stream; S3: Based on the data representation generated by the feature encoder, perform heterogeneous perceptual representation learning on the offline historical data to train the feature encoder; S4: Based on the data representation generated by the trained feature encoder, perform positive sample unlabeled learning on offline historical data to train a classifier to the initial state; S5: Connect the trained feature encoder and the initial state classifier in series to form the initial detection model; S6: During the online detection phase, the initial detection model is used to perform attack detection on real-time data for each time period, and a concept drift adaptive mechanism is activated to determine whether attack mode drift has occurred. S7: When drift is detected, an incremental update process is triggered to adapt the model to the new attack mode before returning to S6.

2. The industrial IoT intrusion detection method based on online incremental learning according to claim 1, characterized in that, The offline historical data in S2 includes normal offline historical data labeled with normal traffic and unlabeled offline historical data. The online real-time data stream consists of several real-time data of the same data volume for different time periods.

3. The industrial IoT intrusion detection method based on online incremental learning according to claim 1, characterized in that, The S3 performs heterogeneous perception representation learning on offline historical data, including: A positive sample set based on heterogeneous perception multi-view is constructed, in which a temporary auxiliary classifier is used; Minimize the representation loss to optimize the feature encoder and the auxiliary classifier in parallel; The representation loss consists of contrast loss and auxiliary classification loss; the positive sample set based on heterogeneous perception multi-view consists of the intersection of general structural view and semantic consistency view.

4. The industrial IoT intrusion detection method based on online incremental learning according to claim 3, characterized in that, The general structural view is a cluster formed by processing sample representations through the K-means clustering algorithm; the semantic consistency view is positive samples with the same predicted label; the auxiliary classifier is a linear transformation layer used to obtain the predicted label of the sample.

5. The industrial IoT intrusion detection method based on online incremental learning according to claim 1, characterized in that, The S4 method performs positive sample unlabeled learning on offline historical data, including: The first few epochs are used as the initial training phase, and a soft-label warm-up strategy is used to initialize the data sample representation. Subsequent epochs serve as an adaptive training phase, introducing an exponential moving average strategy to smooth pseudo-label updates and calculating dynamic weights based on prediction confidence. High-confidence samples are assigned higher weights through a Gaussian distribution function, gradually sharpening the decision boundary.

6. The industrial IoT intrusion detection method based on online incremental learning according to claim 1, characterized in that, The concept drift adaptive mechanism initiated in S6 includes: Maintain a reference buffer containing static positive sample anchors and dynamic negative sample anchors; the static positive sample anchors are derived from the centers of normal sample clusters in offline historical data, and the dynamic negative sample anchors are derived from the prototype attack samples detected in offline historical data. Define an attack buffer and store suspected attack samples detected in real time into the attack buffer; When the number of suspected attack samples accumulated in the attack buffer reaches a preset size, the distribution difference between the current suspected attack sample set and the dynamic negative sample anchor point in the reference buffer is calculated. If the distribution difference exceeds a preset drift threshold, an attack mode drift is determined to have occurred, and an incremental update process is triggered.

7. The industrial IoT intrusion detection method based on online incremental learning according to claim 1, characterized in that, The incremental update process in S7 includes: Construct a hybrid updated training set using the real-time data stream of the current time period and the anchor data in the reference buffer; Minimize the update loss to optimize the feature encoder and classifier, and complete the model update; The update loss consists of a classification loss and a consistency regularization loss for the mixed update training set; the consistency regularization loss is used to constrain the updated model to maintain consistency with the representation of static positive sample anchors in the reference buffer before the update.

8. An industrial IoT intrusion detection system based on online incremental learning, characterized in that, include: The data acquisition module is used to acquire network traffic data in an industrial IoT environment; The data segmentation module is used to divide the network traffic data into offline historical data and online real-time data streams; A heterogeneous perceptual representation learning module is used to perform heterogeneous perceptual representation learning on the offline historical data based on the data representation generated by the feature encoder, so as to train the feature encoder. The classifier initial training module is used to train a classifier to an initial state on the offline historical data based on the data representation generated by the trained feature encoder. The model combination module is used to concatenate the trained feature encoder with the classifier in the initial state to form an initial detection model; The online detection and drift detection module is used to perform attack detection on real-time data for each time period using the initial detection model during the online detection phase, and to activate the concept drift adaptive mechanism to determine whether attack mode drift has occurred. The incremental update module is used to trigger the incremental update process when drift is detected, so that the model can adapt to the new attack mode.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the industrial IoT intrusion detection method based on online incremental learning as described in any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When executed by the processor, the program implements the industrial IoT intrusion detection method based on online incremental learning as described in any one of claims 1 to 7.