An industrial network intrusion detection method based on cross-domain graph representation and open set identification

By constructing cross-domain heterogeneous graphs and graph neural networks, and simultaneously collecting data from the communication network domain and the industrial process domain, the problem of insufficient cross-domain attack detection capability in existing technologies is solved, and accurate alarms for known attacks and unknown attacks are achieved.

CN122348856APending Publication Date: 2026-07-07XIAMEN UNIV MALAYSIA BRANCH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
XIAMEN UNIV MALAYSIA BRANCH
Filing Date
2026-04-21
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing industrial network intrusion detection methods are ineffective at detecting abnormal behavior involving cross-domain linkages, severing the causal relationship between the communication network domain and the industrial process domain, resulting in insufficient detection capabilities for cross-domain attacks.

Method used

By synchronously collecting multi-source data from the communication network domain and the industrial process domain, a cross-domain heterogeneous graph is constructed. Graph neural networks are used to extract cross-domain joint behavioral features. Combined with learnable prototype vectors and rejection thresholds, the system can classify and identify known attacks and issue rejection warnings for unknown attacks.

Benefits of technology

It achieves effective detection of cross-domain attacks, improves the ability to classify and identify known attacks, accurately alerts to unknown and new attacks, and enhances the ability to distinguish subtle semantic differences.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122348856A_ABST
    Figure CN122348856A_ABST
Patent Text Reader

Abstract

The application relates to the field of industrial network security and discloses an industrial network intrusion detection method based on cross-domain graph representation and open set identification, which comprises the following steps: constructing a cross-domain heterogeneous graph containing device nodes, communication session nodes, protocol instruction nodes, process variable nodes and various semantic edges according to multi-source data; encoding the cross-domain heterogeneous graph by using a graph neural network; maintaining a learnable prototype vector and a rejection threshold for each known category; obtaining the minimum distance and the corresponding candidate category; and outputting the candidate category as a detection result. By synchronously collecting multi-source data of a communication network domain and an industrial process domain and constructing a cross-domain heterogeneous graph containing various node types and semantic edges, the association between communication behavior and physical processes is incorporated into a unified detection framework, and classification identification of known attacks and rejection alarm of unknown attacks are realized.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of industrial network security technology, specifically to an industrial network intrusion detection method based on cross-domain graph representation and open set identification. Background Technology

[0002] Industrial control systems, as a core component of national critical infrastructure, are widely used in fields such as power, petrochemicals, intelligent manufacturing, and transportation. With the development of the Industrial Internet and intelligent manufacturing, traditionally relatively closed industrial control systems are increasingly being connected to public networks, leading to increasingly severe cybersecurity threats. Therefore, real-time monitoring of network traffic and equipment operating status of industrial control systems, and timely detection and identification of intrusion behaviors, has become an important research direction in the field of industrial information security.

[0003] Existing industrial network intrusion detection methods are mainly based on network traffic. They analyze traffic characteristics, protocol fields, and session patterns in communication networks to determine whether abnormal behavior exists. However, detection methods based on a single data source are difficult to characterize abnormal behavior in cross-domain linkages in industrial control systems. Actual attacks often manifest simultaneously as abnormal protocol commands or changes in traffic patterns in the communication network domain, and as sensor value deviations or actuator state anomalies in the industrial process domain. Existing methods process data from the two domains separately, severing the causal relationship and temporal correlation between them, which easily leads to insufficient detection capabilities for cross-domain attacks. Summary of the Invention

[0004] To address the shortcomings of existing technologies, this invention provides an industrial network intrusion detection method based on cross-domain graph representation and open set recognition, which solves the problem that existing industrial network intrusion detection methods are prone to insufficient detection capabilities against cross-domain attacks.

[0005] To achieve the above objectives, the present invention provides the following technical solution: an industrial network intrusion detection method based on cross-domain graph representation and open set identification, comprising the following steps: Simultaneously acquire multi-source data from the communication network domain and the industrial process domain in the industrial control system; Construct a cross-domain heterogeneous graph based on multi-source data, including device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges; The cross-domain heterogeneous graph is encoded using a graph neural network to extract cross-domain joint behavior features; Maintain a learnable prototype vector and a rejection threshold for each known category, which includes normal categories and known attack categories; The distance between the cross-domain joint behavioral features and each prototype vector is measured to obtain the minimum distance and its corresponding candidate category. When the minimum distance is less than or equal to the rejection threshold of the candidate category, the candidate category is output as the detection result; when the minimum distance is greater than the rejection threshold of the candidate category, the current sample is an unknown attack.

[0006] By adopting the above technical solution, multi-source data from the communication network domain and the industrial process domain are collected simultaneously, and a cross-domain heterogeneous graph containing various node types and semantic edges is constructed. Cross-domain joint behavioral features are extracted using graph neural networks, and open set determination is performed by combining learnable prototype vectors and rejection thresholds calibrated by extreme value theory. This integrates the correlation between communication behavior and physical processes into a unified detection framework, and enables the classification and identification of known attacks and the rejection and alarm of unknown attacks. This solves the problem that existing industrial network intrusion detection methods are prone to insufficient detection capabilities for cross-domain attacks.

[0007] Preferably, the synchronous acquisition of multi-source data from the communication network domain and multi-source data from the industrial process domain in the industrial control system includes the following steps: Synchronously collect network flow metadata and industrial protocol messages from preset nodes in the industrial network; Acquire process domain data including sensor readings, actuator status, and control logic feedback values; Accurate timestamps are added to the collected data, and time alignment and encapsulation are performed in fixed time windows to form multi-source data.

[0008] Preferably, the step of constructing a cross-domain heterogeneous graph containing device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges based on multi-source data includes the following steps: Create each uniquely identified network device as a device node, each five-tuple communication session as a communication session node, each industrial protocol instruction as a protocol instruction node, and each physical process measurement point as a process variable node. When a communication session is initiated or terminated by a device, a home edge is established between the device node and the communication session node. When a protocol instruction is transmitted in a communication session, an inclusion edge is established between the communication session node and the protocol instruction node. When a device performs a read or write operation on a process variable, an association edge is established between the device node and the process variable node. When the operation target of a protocol instruction is mapped to a process variable, a protocol semantic edge is established between the protocol instruction node and the process variable node, thus obtaining a cross-domain heterogeneous graph.

[0009] Preferably, the extraction of cross-domain joint behavioral features includes the following steps: Initialize the initial feature vector according to the node type of each node, and construct an edge type-aware multiset aggregation network as a graph neural network to perform sorted pooling aggregation on the neighbor node sets of different edge types in the cross-domain heterogeneous graph. The sorted pooling aggregation sorts the feature vectors of neighboring nodes by numerical value, flattens them, and then maps them to the specified dimension through a fully connected layer dedicated to this edge type. The aggregation results of each edge type are added to the node self-loop transformation results, and the node features of this layer are output through a nonlinear activation function; After multi-layer graph convolution, average pooling is performed on the final feature vectors of all nodes to obtain fixed-dimensional cross-domain joint behavioral features.

[0010] Preferably, the initial feature vector initialization based on the node type of each node includes the following steps: Device nodes use device identifiers embedded in vectors; Communication session nodes use a 5-tuple hash mapping vector; The protocol instruction node uses a vector concatenated with one-hot encoding of the function code and parameter fields; The process variable nodes are constructed by splicing the current normalized value and its historical time series statistics into a vector.

[0011] Preferably, maintaining a learnable prototype vector and a rejection threshold for each known category includes the following steps: Initialize a learnable prototype vector for each known category; A learnable rejection threshold is initialized for each known category, wherein the rejection threshold is a positive real number; A joint loss function is used to perform end-to-end optimization of the graph neural network parameters, prototype vector, and rejection threshold to obtain the trained prototype vector and rejection threshold.

[0012] Preferably, after training, the rejection threshold parameter is calibrated using extreme value theory, including the following steps: Collect the set of distances from the training samples of each known class to their prototype vectors; Take the preset high quantile of the distance set as the high threshold, and extract the tail distance set that exceeds the high threshold; A Weibull distribution is fitted to the set of tail distances to obtain scale parameters and shape parameters; The extreme threshold is calculated based on the target rejection rate, and the extreme threshold is the scale parameter multiplied by the shape parameter power of the natural logarithm of the negative target rejection rate; The minimum value between the learnable rejection threshold obtained from training and the extreme value threshold is used as the rejection threshold for that category.

[0013] Preferably, obtaining the minimum distance and its corresponding candidate category includes the following steps: Calculate the Euclidean distance between the cross-domain joint behavioral features and the prototype vector of each known category; Find the minimum value among all Euclidean distances, and record the known category corresponding to the minimum value as a candidate category.

[0014] Preferably, when the minimum distance is less than or equal to the rejection threshold of the candidate category, the candidate category is output as the detection result; when the minimum distance is greater than the rejection threshold of the candidate category, the current sample is considered an unknown attack. This includes the following steps: Obtain the rejection threshold corresponding to the candidate category; When the minimum distance is less than or equal to the rejection threshold, the candidate category is output as the detection result, and the detection result is either a normal class or a known attack class. If the minimum distance is greater than the rejection threshold, the current sample is considered an unknown attack, and attribution analysis is performed.

[0015] Preferably, the attribution analysis includes the following steps: Define the anomaly score as the minimum distance; The mean absolute value of the gradient of the anomaly score with respect to the features of each node in the last layer of the graph neural network is calculated as the node contribution. The node contributions are accumulated separately according to node type to obtain the communication domain contribution and the process domain contribution; Output unknown attack alarms and major anomaly domain identifiers, wherein the major anomaly domain identifiers are determined based on the ratio of the contribution of the communication domain to the contribution of the process domain.

[0016] This invention provides an industrial network intrusion detection method based on cross-domain graph representation and open set identification. It has the following advantages: 1. This invention synchronously collects multi-source data from the communication network domain and the industrial process domain and constructs a cross-domain heterogeneous graph containing various node types and semantic edges. It uses graph neural networks to extract cross-domain joint behavioral features and then combines learnable prototype vectors and rejection thresholds calibrated by extreme value theory to determine open sets. This integrates the correlation between communication behavior and physical processes into a unified detection framework and enables the classification and identification of known attacks and the rejection and alarm of unknown attacks. This solves the problem that existing industrial network intrusion detection methods are prone to insufficient detection capabilities for cross-domain attacks.

[0017] 2. This invention maintains a learnable prototype vector and a rejection threshold for each known category, and uses a joint loss function to perform end-to-end optimization of the graph neural network parameters, prototype vector, and rejection threshold during the training phase. This results in normal behavior and known attack behavior forming a compact and separate distribution region in the feature space. The rejection threshold is calibrated using extreme value theory, and the smaller of the learnable rejection threshold obtained during training and the extreme value threshold is used as the final rejection threshold. This enables the model to effectively reject samples in the feature space that deviate from all known distribution regions while classifying known categories, thereby achieving accurate alerts for new attacks, variant attacks, and zero-day exploits that did not appear during the training phase.

[0018] 3. This invention employs an edge-type-aware multiset aggregation network as a graph neural network encoder, performing sorted pooling aggregation on neighbor node sets of different edge types respectively, ensuring the injectivity of the aggregation function, and enabling the encoder's expressive power to reach the theoretical upper limit of the heterogeneous one-dimensional Weisfeiler-Lehman test. This allows the graph neural network to distinguish abnormal graph patterns with structural isomorphism but different node semantics, enhancing the detection model's ability to distinguish fine semantic differences. Attached Figure Description

[0019] Figure 1 This is a flowchart of an industrial network intrusion detection method based on cross-domain graph representation and open set identification proposed in this invention; Figure 2 This is an architecture diagram of an industrial network intrusion detection system based on cross-domain graph representation and open set recognition, as proposed in an embodiment of the present invention. Detailed Implementation

[0020] The technical solution of the present invention will now be clearly and completely described with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of the present invention, and not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort are within the scope of protection of the present invention.

[0021] Example 1: In a first embodiment of the present invention, the present invention provides an industrial network intrusion detection method based on cross-domain graph representation and open set identification, such as... Figure 1 As shown, it includes the following steps: Simultaneously acquire multi-source data from the communication network domain and the industrial process domain in the industrial control system; Furthermore, the simultaneous acquisition of multi-source data from the communication network domain and the industrial process domain within the industrial control system includes the following steps: Synchronously collect network flow metadata and industrial protocol messages from preset nodes in the industrial network; Acquire process domain data including sensor readings, actuator status, and control logic feedback values; Accurate timestamps are added to the collected data, and time alignment and encapsulation are performed in fixed time windows to form multi-source data.

[0022] Specifically, the simultaneous acquisition of multi-source data from the communication network domain and the industrial process domain in the industrial control system is the data acquisition foundation of the entire intrusion detection method. Intrusion behavior in the industrial control system will simultaneously cause anomalies at the communication layer and deviations at the physical process layer. Data from a single domain is insufficient to fully characterize the attack behavior. Therefore, it is necessary to acquire data from both domains in parallel to provide aligned raw information for subsequent cross-domain graph construction.

[0023] Multi-source data from the communication network domain is obtained by deploying traffic probes at key nodes of the industrial network. Probe devices are connected to the mirror ports of industrial switches or network splitters to capture real-time network flow metadata and industrial protocol messages. Network flow metadata includes source Internet Protocol address, destination Internet Protocol address, source port number, destination port number, and transport layer protocol type. Industrial protocol messages include, but are not limited to, application layer data units of Modbus, Profinet, Ethernet IP, and OPC UA protocols, with a focus on parsing fields such as function code, register address, written value, and read status. Simultaneously, multi-source data from the industrial process domain is acquired through process data acquisition interfaces, using OPC UA clients or Modbus master station polling to read real-time process variables from programmable logic controllers, remote terminal units, and distributed control systems. Process variables include sensor readings, such as temperature values ​​collected by temperature sensors, pressure values ​​collected by pressure sensors, and speed values ​​collected by speed sensors; actuator status, such as valve opening percentage, motor start / stop status, and inverter frequency setpoint; and control logic feedback values, such as the output value of a PID controller and Boolean flags for logic interlock status.

[0024] To ensure the temporal consistency of the two domains, a precise timestamp is added to each acquired data record. Precise time protocol or network time protocol is used to synchronize the probe device and process data acquisition server, ensuring that the time reference error of each data source is less than 1 millisecond. The timestamp is appended to each data record in the form of Coordinated Universal Time (UTC) or a system cycle counter. Subsequently, data alignment and encapsulation are performed in fixed time windows. A fixed time window length is set, determined based on the control cycle of the industrial control system and the network communication rate, ranging from 0.5 seconds to 2 seconds. All communication network domain data and industrial process domain data whose timestamps fall within the same window are extracted and concatenated in chronological order to form multi-source data samples. For missing process variable data within the window, linear interpolation or forward padding is used to fill in the missing data, ensuring the data dimensions of each sample are complete.

[0025] In this embodiment, the above-mentioned synchronous acquisition and alignment process can be formally described as follows: Let the data set acquired by the communication network domain be... ,in For timestamps, A set of time points, This includes flow tuples and protocol command information; let the data set collected from the industrial process domain be... ,in This includes sensor values, actuator status, and control feedback values; the time alignment operation is defined as: for any time window ,in Extracting the window length: ; ; Combine the two subsets mentioned above into a single multi-source data sample. This sample serves as input data for subsequent cross-domain heterogeneous graph construction steps. The data acquisition frequency of the communication network domain is higher than the data update frequency of the industrial process domain. Therefore, within a time window, the number of data points in the communication domain is far greater than the number of data points in the process domain. The process domain data is downsampled by retaining the latest value, ensuring that each process variable within each window retains only one representative value—either the instantaneous value at the end of the window or the average value within the window. Through the above synchronous acquisition and alignment processing, a multi-source data set with a unified time reference and spatially distributed across the network and process domains is obtained, providing a complete and reliable data foundation for constructing a cross-domain graph reflecting the joint state of communication behavior and physical processes.

[0026] Construct a cross-domain heterogeneous graph based on multi-source data, including device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges; Furthermore, a cross-domain heterogeneous graph containing device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges is constructed based on multi-source data, including the following steps: Create each uniquely identified network device as a device node, each five-tuple communication session as a communication session node, each industrial protocol instruction as a protocol instruction node, and each physical process measurement point as a process variable node. When a communication session is initiated or terminated by a device, a home edge is established between the device node and the communication session node. When a protocol instruction is transmitted in a communication session, an inclusion edge is established between the communication session node and the protocol instruction node. When a device performs a read or write operation on a process variable, an association edge is established between the device node and the process variable node. When the operation target of a protocol instruction is mapped to a process variable, a protocol semantic edge is established between the protocol instruction node and the process variable node, thus obtaining a cross-domain heterogeneous graph.

[0027] Specifically, a cross-domain heterogeneous graph is constructed based on synchronously collected and time-aligned multi-source data. This graph is used to uniformly represent the structural associations and semantic interactions between the communication network domain and the industrial process domain. There are complex correspondences between devices, sessions, and instructions in the communication network domain and process variables in the industrial process domain. For example, a Modbus write instruction may change the opening degree of a valve, and this valve opening degree is collected by a sensor as a process variable. By explicitly encoding these heterogeneous elements and their relationships into a graph structure, the subsequent graph neural network can simultaneously capture cross-domain structural information and node attribute information, providing a unified mathematical representation for detecting cross-domain coordinated attacks.

[0028] The construction process of the cross-domain heterogeneous graph is divided into two sub-stages: node creation and edge establishment. In the node creation stage, four types of nodes are extracted from multi-source data samples. Device nodes are derived from network devices in the communication network domain. Each network device with a unique identifier is created as a device node. This unique identifier can be an Internet Protocol address, a Media Access Control address, or a device serial number. For example, a programmable logic controller with an Internet Protocol address of 192.168.1.10 is created as a device node. Communication session nodes are derived from network flow metadata. Each five-tuple communication session is created as a communication session node. The five-tuple includes the source Internet Protocol address, source port number, destination Internet Protocol address, destination port number, and transport layer protocol type. For example, a transmission control protocol session from source port 192.168.1.10 (port 502) to destination port 192.168.1.20 (port 502) is created as a communication session node; protocol instruction nodes originate from application layer data units in industrial protocol messages, and each independent industrial protocol instruction is created as a protocol instruction node. The granularity of the instruction depends on the protocol type. For example, in the Modbus protocol, each function code and its carried register address and value combination are considered as an instruction, and in the Profinet protocol, a specific data block of each periodic data frame is considered as an instruction; process variable nodes originate from physical measurement points in the industrial process domain, and each process variable with a unique label name is created as a process variable node. Label names include "reactor temperature", "feed valve opening", and "motor speed feedback".

[0029] Edge establishment phase: Four types of semantic edges are created based on the actual interaction relationships between nodes. The belonging edge represents the ownership relationship between a device and a communication session; when a communication session is initiated or terminated by a device, a belonging edge is established between that device node and the communication session node. A communication session involves two device nodes, a source device and a destination device, therefore two belonging edges need to be established separately. The inclusion edge represents the inclusion relationship between a communication session and its internally transmitted protocol instructions; when a protocol instruction is transmitted in the data payload of a communication session, an inclusion edge is established between the communication session node and the protocol instruction node. The association edge represents the read / write relationship between a device and a process variable; when a device performs a read or write operation on a process variable... By parsing the register address and process variable address mapping table in the protocol message, an association edge is established between the device node and the process variable node. The association edge can have a direction attribute; the direction of a read operation is from the process variable to the device, and the direction of a write operation is from the device to the process variable. Protocol semantic edges represent the operational relationship between protocol instructions and process variables. When the operation target of a protocol instruction is mapped to a certain process variable through address resolution, a protocol semantic edge is established between the protocol instruction node and the process variable node. For example, in the Modbus protocol, the write holding register instruction has its register address 40001 mapped to the process variable "valve opening setting value", so a protocol semantic edge is established from the protocol instruction node to the process variable node.

[0030] When constructing a cross-domain heterogeneous graph, nodes of the same type that appear repeatedly can be merged. For example, if the same device appears multiple times within the same time window, only one device node is created; if the same quintuple transmits different instructions multiple times, only one communication session node is created, but each instruction creates a separate protocol instruction node and connects to the session node through an edge. For process variable nodes, only one node is created for each measurement point within a single window, and its initial features use the statistical values ​​within that window. Through the above rules for creating nodes and edges, multi-source data within a time window is completely transformed into a heterogeneous graph that contains all entities and their interrelationships in the communication network domain and the industrial process domain.

[0031] Let the set of device nodes extracted from multi-source data samples be . The set of communication session nodes is The protocol instruction node set is The process variable node set is The set of nodes in the entire cross-domain heterogeneous graph is Define node type mapping functions ,in Define an edge type mapping function for a set of node types. ,in The edge set corresponds to belonging edge, containing edge, associated edge, and protocol semantic edge, respectively. Generated according to the following rules: For any device node and communication session nodes ,like yes If the initiating or terminating device is a certain device, then a home edge is added. .

[0032] For any communication session node and protocol instruction nodes ,like The instruction data is in If the corresponding communication session transmits an edge, then add an edge containing it. .

[0033] For any device node and process variable nodes If the parsing of the protocol message reveals right If a read or write operation is performed, an associated edge is added. .

[0034] For any protocol instruction node and process variable nodes ,like The carried register address or data field, after being converted by a preset address mapping table, points to... Then add a protocol semantic edge. .

[0035] The resulting cross-domain heterogeneous graph can be represented as This graph structure serves as the direct input to the subsequent graph neural network encoder. By coupling communication behavior with the physical process state in the form of a graph, the cross-domain heterogeneous graph preserves the inherent causal relationships between device communication, instruction semantics, and process variable changes in the industrial control system. This enables subsequent graph representation learning to simultaneously perceive abnormal communication patterns in the network domain and abnormal state shifts in the process domain, thereby improving the detection capability of cross-domain coordinated attacks.

[0036] Graph neural networks are used to encode cross-domain heterogeneous graphs and extract cross-domain joint behavior features; Furthermore, extract cross-domain joint behavioral features, including the following steps: Initialize the initial feature vector according to the node type of each node, and construct an edge type-aware multiset aggregation network as a graph neural network to perform sorted pooling aggregation on the neighbor node sets of different edge types in the cross-domain heterogeneous graph. Sorted pooling aggregation sorts the feature vectors of neighboring nodes by numerical value, flattens them, and then maps them to the specified dimension through a fully connected layer dedicated to this edge type. The aggregation results of each edge type are added to the node self-loop transformation results, and the node features of this layer are output through a nonlinear activation function; After multi-layer graph convolution, average pooling is performed on the final feature vectors of all nodes to obtain fixed-dimensional cross-domain joint behavioral features.

[0037] Furthermore, the initial feature vector is initialized according to the node type of each node, including the following steps: Device nodes use device identifiers embedded in vectors; Communication session nodes use a 5-tuple hash mapping vector; The protocol instruction node uses a vector concatenated with one-hot encoding of the function code and parameter fields; The process variable nodes are constructed by splicing the current normalized value and its historical time series statistics into a vector.

[0038] Specifically, graph neural networks are used to encode cross-domain heterogeneous graphs and extract cross-domain joint behavior features. The purpose is to fuse the topological structure information and node attribute information in the cross-domain heterogeneous graph into a fixed-dimensional vector representation for subsequent open set discrimination. The cross-domain heterogeneous graph contains four types of nodes and four types of edges. Different edge types carry different semantic interaction relationships. For example, the belonging edge represents the subordinate relationship between the device and the communication session, and the protocol semantic edge represents the operation mapping relationship between the instruction and the process variable. Therefore, it is necessary to design a graph neural network encoder that can distinguish different edge types and has sufficient expressive power to preserve the distinguishability between structurally isomorphic but semantically different abnormal patterns in the cross-domain graph.

[0039] For each node in the cross-domain heterogeneous graph, an initial feature vector is initialized according to its node type. For device nodes, the device identifier embedding vector is used as the initial feature. A lookup table from device identifier to embedding vector is pre-constructed, and the embedding dimension is set to 64 dimensions. For newly appearing devices, a randomly initialized embedding vector is used and updated as the network is trained. For communication session nodes, a 5-tuple hash mapping vector is used as the initial feature. The five fields—source Internet Protocol address, source port number, destination Internet Protocol address, destination port number, and transport layer protocol type—are hashed and mapped to integer values ​​between 0 and 65535. These five integer values ​​are then concatenated and projected onto a 64-dimensional space through a fully connected layer. For protocol instruction nodes, a vector is constructed by concatenating the function code (one-hot encoding) with the parameter fields. The function code's value range is determined based on the industrial protocol type; for example, the Modbus protocol function code range is 1 to 255, using 256-dimensional one-hot encoding. The parameter fields include register addresses and written values, which are normalized to form a 32-dimensional vector. These two vectors are concatenated and mapped to 64 dimensions through a fully connected layer. For process variable nodes, a vector is constructed by concatenating the current normalized value and its historical time-series statistics. The current normalized value is the final value of the process variable within the window, normalized to its maximum and minimum values. The historical time-series statistics include the mean and variance of the process variable within the window. These three vectors are concatenated to form a 3-dimensional vector, which is then mapped to 64 dimensions through a linear layer. Let the node type be... Then the initial eigenvector It can be represented as: ; in, Embedded matrix for devices, For device identification index, , , These are the multilayer perceptron mapping layers corresponding to the node types. This represents a vector concatenation operation. For normalized values ​​of process variables, and These represent the mean and variance of the variable within the window, respectively.

[0040] In this embodiment, an edge-type-aware multiset aggregation network, denoted as EMANet, is constructed as the graph neural network encoder. The core innovation of this network lies in performing sorted pooling aggregation on neighbor node sets of different edge types to ensure the injectivity of the aggregation function, thereby enabling the encoder's expressive power to reach the theoretical upper bound of the heterogeneous one-dimensional Weisfeiler-Lehman test; assuming the graph neural network has a total of Layer, number The input to the layer is the feature vector of all nodes. The output is the updated node features. For each node First, a linear mapping of its own features is obtained through a self-loop transformation. ,in For the first The self-loop weight matrix of the layer. Then, for each edge type... Collection nodes In edge type The set of all neighboring nodes Extract the feature vectors of these neighboring nodes. These feature vectors are sorted by numerical value, following this rule: first, the values ​​of the first dimension are compared; if they are the same, the values ​​of the second dimension are compared, and so on, resulting in a sorted matrix. The matrix is ​​flattened into a one-dimensional vector and then input into a fully connected layer specific to this edge type. In, mapped to dimension The aggregation result of this edge type is obtained. If the neighbor set is empty, the aggregation result is a zero vector. It can be represented as: ; in, This is an operation to sort by numerical value. Flatten the matrix into a vector. edge type A dedicated learnable fully connected layer; sums the aggregation results of all edge types, adds them to the self-loop transformation results, and finally passes them through a nonlinear activation function. Output the node features of this layer: Set the number of layers in the graph neural network. The output dimensions of each layer are 128, 256, and 512, respectively. After... After layer message passing, the final feature vector of each node is obtained. To obtain a global representation of the entire cross-domain heterogeneous graph, average pooling is performed on the final feature vectors of all nodes to obtain fixed-dimensional cross-domain joint behavioral features: ; The vector This refers to the extracted cross-domain joint behavior feature, with a dimension of 512. Through the aforementioned edge-type-aware multiset aggregation network, the information conveyed by different semantic edges is processed separately and fully preserved. Simultaneously, sorted pooling ensures that the aggregation process does not lose multiset information of neighboring nodes, thus enabling the encoder to distinguish abnormal graph patterns with the same topological structure but different node feature distributions. This feature vector will serve as the input to the subsequent open set determination module, used to calculate the distance between it and the prototype vectors of each category.

[0041] Maintain a learnable prototype vector and a rejection threshold for each known category, which includes normal classes and known attack classes; Furthermore, for each known category, a learnable prototype vector and a rejection threshold are maintained, including the following steps: Initialize a learnable prototype vector for each known category; Initialize a learnable rejection threshold for each known category; the rejection threshold is a positive real number. A joint loss function is used to perform end-to-end optimization of the graph neural network parameters, prototype vector, and rejection threshold to obtain the trained prototype vector and rejection threshold.

[0042] Furthermore, after training, the rejection threshold parameters are calibrated using extreme value theory, including the following steps: Collect the set of distances from the training samples of each known class to their prototype vectors; Take the preset high quantile of the distance set as the high threshold, and extract the tail distance set that exceeds the high threshold; A Weibull distribution is fitted to the tail distance set to obtain the scale and shape parameters; The extreme threshold is calculated based on the target rejection rate. The extreme threshold is the scale parameter multiplied by the shape parameter power of the natural logarithm of the negative target rejection rate. The minimum value between the learnable rejection threshold and the extreme value threshold obtained during training is used as the rejection threshold for that category.

[0043] Specifically, a learnable prototype vector and rejection threshold are maintained for each known category. The purpose is to establish distinguishable reference points and corresponding decision boundaries for normal behavior and known attack behavior in the feature space, providing a quantitative basis for subsequent open set judgment. The cross-domain joint behavior features obtained after graph neural network encoding are distributed in a high-dimensional space. Sample features of the same category should cluster around their prototype vectors, while prototype vectors of different categories should be far apart. At the same time, each category needs a rejection threshold to determine whether the sample features belong to the distribution range of that category. In order to obtain the optimal prototype vector and rejection threshold, the graph neural network parameters, prototype vectors and rejection thresholds need to be jointly optimized end-to-end during the training phase. After training, the rejection threshold is calibrated using extreme value theory so that it can reasonably control the rejection rate of unknown attacks.

[0044] Let the known set of categories be... ,in Indicates the normal class. This indicates known attack classes. For each class... Initialize a learnable prototype vector. ,in For the dimension of cross-domain joint behavioral features, the prototype vector can be randomly initialized, or the mean of the features of that class of samples in the training set can be used as the initial value. Meanwhile, for each class... Initialize a learnable rejection threshold parameter. , which is a positive real number, can be initially set to a large value such as 10, so that all samples can be accepted in the early stage of training, and gradually adjusted to a reasonable range as the training process progresses.

[0045] In this embodiment, a joint loss function is used to perform end-to-end optimization of the graph neural network parameters, prototype vector, and rejection threshold. Assume there are N samples in the training set, and the i-th... The cross-domain joint behavior characteristics of each sample are as follows: Its actual category label is First, define the sample. Category The probability is calculated based on the Euclidean distance from the feature to the prototype vector: ,in, Let Euclidean distance represent the spatial distance between the cross-domain joint behavioral feature vector and the class prototype vector. The smaller the distance, the higher the probability that the sample belongs to that class. Based on this, we define the cross-entropy loss: This loss causes the feature vector of each sample to move closer to the prototype vector of its true class. To further enhance intra-class compactness, the prototype center loss is defined: To prevent classification ambiguity caused by prototype vectors of different categories being too close, we define the inter-class separation loss: ,in The pre-defined boundary margin requires that the Euclidean distance between prototype vectors of different classes be at least greater than 1. If less than Then a punishment will be imposed; The value is set to 1. Furthermore, to incorporate the rejection threshold into the training process, a boundary relaxation loss is defined: ,in The relaxation coefficient, ranging from 0 to 1, requires that the distance from each sample to its true class prototype vector does not exceed the rejection threshold for that class. This multiplies the size of the region, thus creating a contracted decision region for each category within the feature space. The value is set to 0.8. The total loss function is the weighted sum of the above losses: ,in , , To balance the hyperparameters of the various loss terms, a value is generally set to 1. The backpropagation algorithm is used to simultaneously update the graph neural network parameters, all prototype vectors, and all learnable rejection threshold parameters until the loss function converges, yielding the trained prototype vectors. and learnable rejection threshold .

[0046] In this embodiment, to further calibrate the rejection threshold and enable it to reasonably control the rejection rate of unknown attacks based on the statistical characteristics of the feature distribution, the rejection threshold is calibrated using extreme value theory after training. The basic idea of ​​extreme value theory is that for each known class, the tail of the distance from the training sample to its prototype vector follows a generalized Pareto distribution. By fitting this distribution, a reasonable distance threshold for a given rejection rate can be estimated. Specifically, for each class... Collect all samples belonging to this category in the training set into prototype vectors. The set of distances: Set a preset high quantile ratio The value is 0.05, that is, it is taken as... The 95th percentile as the high threshold Extract the set of distances greater than... Tail distance set .right The samples in the dataset are fitted with a Weibull distribution, and the probability density function of the Weibull distribution is: ,in is a scale parameter, which represents the size of the tail distance; Let be the shape parameter, and be the decay rate of the tail distance. The fitting parameters are obtained through maximum likelihood estimation. and Set a target rejection rate. Extreme value threshold The calculation is as follows: This formula states that in the fitted Weibull distribution, the proportion of samples exceeding this threshold is exactly the target rejection rate. Finally, the smaller of the learnable rejection threshold and the extreme threshold obtained during training is used as the final rejection threshold for that category: By taking the minimum value, the rejection threshold is ensured to be neither too lenient nor too strict, thus incorporating boundary information learned during training while utilizing extreme value theory for a reasonable estimate of tail risk. The aforementioned prototype vector... and rejection threshold Together, they constitute the decision-making basis for open set discrimination: for a sample to be detected, if the distance from its features to a certain prototype vector is less than or equal to the rejection threshold of that class, it is accepted as a known class; otherwise, it is judged as an unknown attack.

[0047] The distance between the cross-domain joint behavioral features and each prototype vector is measured to obtain the minimum distance and its corresponding candidate category. Furthermore, obtaining the minimum distance and its corresponding candidate category includes the following steps: Calculate the Euclidean distance between the cross-domain joint behavioral features and the prototype vector of each known category; Find the minimum value among all Euclidean distances, and record the known category corresponding to the minimum value as a candidate category.

[0048] Specifically, the distance between the cross-domain joint behavioral feature and each prototype vector is measured to determine the closest known category of the feature in the feature space. The smaller the Euclidean distance between the cross-domain joint behavioral feature vector and the prototype vector of a certain category, the more similar the behavior pattern of the sample is to the typical pattern of that category. By calculating the distances to all known categories and finding the minimum value, the most likely candidate category can be located, providing a basis for subsequent threshold determination.

[0049] Let the characteristics of cross-domain joint behavior be: The set of prototype vectors for known categories is .calculate With each prototype vector Euclidean distance between them: ,in The first character representing the cross-domain joint behavior feature One portion, Indicate category The prototype vector of the first The distance is the cross-domain behavior pattern of the sample to be detected and the first component; this distance is the cross-domain behavior pattern of the sample to be detected and the second component. The degree of deviation between typical patterns. Then find the minimum value from all distances: And record the category index corresponding to the minimum value: ,Will As a candidate category, This distance is used as the distance metric corresponding to the candidate category. For example, if the prototype vector distance of the normal class is 0.3 and the prototype vector distance of a known attack class is 0.8, then the minimum distance is 0.3, and the candidate category is the normal class. This calculation result will be directly used for subsequent rejection threshold comparison. If the minimum distance is less than or equal to the rejection threshold of the candidate category, the classification result is accepted; otherwise, it is determined to be an unknown attack.

[0050] When the minimum distance is less than or equal to the rejection threshold of the candidate class, the candidate class is output as the detection result. When the minimum distance is greater than the rejection threshold of the candidate class, the current sample is considered an unknown attack.

[0051] Furthermore, when the minimum distance is less than or equal to the rejection threshold of the candidate class, the candidate class is output as the detection result; when the minimum distance is greater than the rejection threshold of the candidate class, the current sample is considered an unknown attack, including the following steps: Obtain the rejection threshold corresponding to the candidate category; If the minimum distance is less than or equal to the rejection threshold, the candidate category is output as the detection result, and the detection result is either normal or known attack category. If the minimum distance is greater than the rejection threshold, the current sample is considered an unknown attack, and attribution analysis is performed.

[0052] Furthermore, attribution analysis is conducted, including the following steps: Define the anomaly score as the minimum distance; The mean absolute value of the gradient of the anomaly score with respect to the features of each node in the last layer of the graph neural network is calculated as the node contribution. The node contributions are accumulated separately according to node type to obtain the communication domain contribution and the process domain contribution; Output unknown attack alarms and major anomaly domain identifiers. The major anomaly domain identifiers are determined based on the ratio of the contribution of the communication domain to the contribution of the process domain.

[0053] Specifically, the category of the detection output or the triggering of an unknown attack alarm is determined based on the comparison between the minimum distance and the candidate category rejection threshold. When it is determined to be an unknown attack, attribution analysis is performed to locate the main source domain of the anomaly. The rejection threshold characterizes the acceptable deviation range of this type of normal behavior or known attack behavior in the feature space. If the minimum distance is less than or equal to the threshold, it indicates that the features of the current sample are close enough to the typical pattern of this type and can be accepted as a known category. Conversely, it indicates that the features of the current sample deviate from the distribution range of all known categories and should be determined as an unknown attack. The source of the anomaly contribution is traced through attribution analysis.

[0054] Get candidate categories The corresponding final rejection threshold The minimum distance calculated in the steps. Compare with this threshold. When When, the candidate categories As the output of the detection result. If If the result is normal, then the test result is normal; if If so, the detection result is the corresponding known attack class. When the current sample is identified as an unknown attack, an attribution analysis step is performed.

[0055] In this embodiment, the attribution analysis is implemented as follows: Anomaly score is defined. , which is the minimum distance from the current sample to the prototype vectors of all known categories; a larger value indicates a higher degree of anomaly. To pinpoint the main factors causing this anomaly, the gradient of the anomaly score with respect to the features of each node in the last layer of the graph neural network is calculated. Let the node features of the last layer of the graph neural network be... ,in Indexing nodes. Nodes The contribution is defined as the mean of the absolute values ​​of the gradients of the anomaly scores to each component of the node's feature vector: ,in Represents a node The final eigenvector of the th Each component, with its partial derivative, represents the physical meaning of how a small change in that component affects the anomaly score. The average of the absolute values ​​yields the node's overall contribution to the anomaly score. Then, the contributions are accumulated separately for each node type: communication domain contribution. Process domain contribution Finally, the main anomaly domain identifiers are determined based on the ratio of the communication domain contribution to the process domain contribution. If Output "Communication Domain Dominance Anomaly"; if The system outputs "Process domain dominant anomaly" if the anomaly is not specified, and "Cross-domain joint anomaly" otherwise. It also outputs an unknown attack alert, providing security operations personnel with a clear direction for investigation. Through this attribution analysis, not only can the existence of unknown attacks be identified, but the system can also indicate whether the abnormal behavior primarily originates from the communication network domain, the industrial process domain, or a combination of both, thereby improving the interpretability of the detection results.

[0056] Example 2: In a second embodiment of the present invention, the present invention provides an industrial network intrusion detection system based on cross-domain graph representation and open set identification, such as... Figure 2 As shown, it includes the following modules: Acquisition module: Used to synchronously acquire multi-source data from the communication network domain and the industrial process domain in the industrial control system; Construction module: Used to build a cross-domain heterogeneous graph based on multi-source data, including device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges; Feature extraction module: used to encode cross-domain heterogeneous graphs using graph neural networks and extract cross-domain joint behavior features; Maintenance module: Used to maintain learnable prototype vectors and rejection thresholds for each known category, including normal classes and known attack classes; The metrics module is used to measure the distance between cross-domain joint behavioral features and each prototype vector to obtain the minimum distance and its corresponding candidate category. Output module: When the minimum distance is less than or equal to the rejection threshold of the candidate class, the candidate class is output as the detection result. When the minimum distance is greater than the rejection threshold of the candidate class, the current sample is considered an unknown attack.

[0057] The industrial control system of a smart factory comprises multiple programmable logic controllers (PLCs), remote terminal units, and a host computer monitoring system. Data exchange and control command issuance between devices are achieved through network protocols. Due to the long-term operation of the production line, the system frequently suffers from network attacks from both internal and external sources. Some attacks manifest as simultaneous occurrences of abnormal protocol commands in the communication domain and sensor value deviations in the process domain. For example, attackers alter valve openings in reactors by tampering with Modbus write commands, causing abnormal increases in temperature sensor readings. Traditional detection methods based on single data sources struggle to identify such cross-domain coordinated attacks, and new attack variants not included in the training phase continuously emerge, resulting in numerous false negatives and false negatives. To address these issues, this invention employs an industrial network intrusion detection system based on cross-domain graph representation and open set recognition, the architecture of which is as follows: Figure 2 As shown. The specific implementation process of this system is as follows: The acquisition module synchronously acquires network stream metadata, industrial protocol messages, and process domain data such as sensor readings and actuator status, and aligns and encapsulates them in a 1-second time window to form multi-source data samples. Then, the construction module creates device nodes, communication session nodes, protocol instruction nodes and process variable nodes based on the sample, and establishes belonging edges, containing edges, associated edges and protocol semantic edges according to the communication relationship to obtain a cross-domain heterogeneous graph; The feature extraction module uses an edge-type-aware multiset aggregation network to encode the graph. After three layers of graph convolution, it outputs 512-dimensional cross-domain joint behavioral features through average pooling. In the maintenance module, each known category, including the normal class and several known attack classes, maintains a learnable prototype vector and a rejection threshold calibrated by extreme value theory. These parameters are obtained by optimization through a joint loss function during the training phase. The metric module calculates the Euclidean distance between the current feature and all prototype vectors, and finds the minimum distance and its corresponding candidate category; The output module compares the minimum distance with the rejection threshold of the candidate category: if it is less than or equal to the threshold, the corresponding detection result is output; if it is greater than the threshold, it is determined to be an unknown attack, and attribution analysis is triggered to calculate the gradient contribution of the anomaly score to the features of each node. The contribution of the communication domain and the process domain are accumulated according to the node type. Finally, the unknown attack alarm and the main anomaly domain identifier are output to provide accurate troubleshooting guidance for operation and maintenance personnel. Thus, through the cooperation of various modules, known and unknown attacks can be detected in real time in the actual industrial environment, and the source domain of the anomaly can be located.

[0058] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. An industrial network intrusion detection method based on cross-domain graph representation and open set recognition, characterized in that, Includes the following steps: Simultaneously acquire multi-source data from the communication network domain and the industrial process domain in the industrial control system; Construct a cross-domain heterogeneous graph based on multi-source data, including device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges; The cross-domain heterogeneous graph is encoded using a graph neural network to extract cross-domain joint behavior features; Maintain a learnable prototype vector and a rejection threshold for each known category, which includes normal categories and known attack categories; The distance between the cross-domain joint behavioral features and each prototype vector is measured to obtain the minimum distance and its corresponding candidate category. When the minimum distance is less than or equal to the rejection threshold of the candidate category, the candidate category is output as the detection result; when the minimum distance is greater than the rejection threshold of the candidate category, the current sample is an unknown attack.

2. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 1, characterized in that: The synchronous acquisition of multi-source data from the communication network domain and the industrial process domain in the industrial control system includes the following steps: Synchronously collect network flow metadata and industrial protocol messages from preset nodes in the industrial network; Acquire process domain data including sensor readings, actuator status, and control logic feedback values; Accurate timestamps are added to the collected data, and time alignment and encapsulation are performed in fixed time windows to form multi-source data.

3. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 1, characterized in that: The construction of a cross-domain heterogeneous graph based on multi-source data, including device nodes, communication session nodes, protocol instruction nodes, process variable nodes, and various semantic edges, includes the following steps: Create each uniquely identified network device as a device node, each five-tuple communication session as a communication session node, each industrial protocol instruction as a protocol instruction node, and each physical process measurement point as a process variable node. When a communication session is initiated or terminated by a device, a home edge is established between the device node and the communication session node. When a protocol instruction is transmitted in a communication session, an inclusion edge is established between the communication session node and the protocol instruction node. When a device performs a read or write operation on a process variable, an association edge is established between the device node and the process variable node. When the operation target of a protocol instruction is mapped to a process variable, a protocol semantic edge is established between the protocol instruction node and the process variable node, thus obtaining a cross-domain heterogeneous graph.

4. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 1, characterized in that: The extraction of cross-domain joint behavior features includes the following steps: Initialize the initial feature vector according to the node type of each node, and construct an edge type-aware multiset aggregation network as a graph neural network to perform sorted pooling aggregation on the neighbor node sets of different edge types in the cross-domain heterogeneous graph. The sorted pooling aggregation sorts the feature vectors of neighboring nodes by numerical value, flattens them, and then maps them to the specified dimension through a fully connected layer dedicated to this edge type. The aggregation results of each edge type are added to the node self-loop transformation results, and the node features of this layer are output through a nonlinear activation function; After multi-layer graph convolution, average pooling is performed on the final feature vectors of all nodes to obtain fixed-dimensional cross-domain joint behavioral features.

5. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 4, characterized in that: The initial feature vector initialization based on the node type of each node includes the following steps: Device nodes use device identifiers embedded in vectors; Communication session nodes use a 5-tuple hash mapping vector; The protocol instruction node uses a vector concatenated with one-hot encoding of the function code and parameter fields; The process variable nodes are constructed by splicing the current normalized value and its historical time series statistics into a vector.

6. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 1, characterized in that: Maintaining a learnable prototype vector and rejection threshold for each known category includes the following steps: Initialize a learnable prototype vector for each known category; A learnable rejection threshold is initialized for each known category, wherein the rejection threshold is a positive real number; A joint loss function is used to perform end-to-end optimization of the graph neural network parameters, prototype vector, and rejection threshold to obtain the trained prototype vector and rejection threshold.

7. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 6, characterized in that: After training, the rejection threshold parameter is calibrated using extreme value theory, including the following steps: Collect the set of distances from the training samples of each known class to their prototype vectors; Take the preset high quantile of the distance set as the high threshold, and extract the tail distance set that exceeds the high threshold; A Weibull distribution is fitted to the set of tail distances to obtain scale parameters and shape parameters; The extreme threshold is calculated based on the target rejection rate, and the extreme threshold is the scale parameter multiplied by the shape parameter power of the natural logarithm of the negative target rejection rate; The minimum value between the learnable rejection threshold obtained from training and the extreme value threshold is used as the rejection threshold for that category.

8. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 1, characterized in that: Obtaining the minimum distance and its corresponding candidate category includes the following steps: Calculate the Euclidean distance between the cross-domain joint behavioral features and the prototype vector of each known category; Find the minimum value among all Euclidean distances, and record the known category corresponding to the minimum value as a candidate category.

9. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 1, characterized in that: When the minimum distance is less than or equal to the rejection threshold of the candidate category, the candidate category is output as the detection result; when the minimum distance is greater than the rejection threshold of the candidate category, the current sample is considered an unknown attack. This includes the following steps: Obtain the rejection threshold corresponding to the candidate category; When the minimum distance is less than or equal to the rejection threshold, the candidate category is output as the detection result, and the detection result is either a normal class or a known attack class. If the minimum distance is greater than the rejection threshold, the current sample is considered an unknown attack, and attribution analysis is performed.

10. The industrial network intrusion detection method based on cross-domain graph representation and open set identification according to claim 9, characterized in that: The attribution analysis includes the following steps: Define the anomaly score as the minimum distance; The mean absolute value of the gradient of the anomaly score with respect to the features of each node in the last layer of the graph neural network is calculated as the node contribution. The node contributions are accumulated separately according to node type to obtain the communication domain contribution and the process domain contribution; Output unknown attack alarms and major anomaly domain identifiers, wherein the major anomaly domain identifiers are determined based on the ratio of the contribution of the communication domain to the contribution of the process domain.