A covert collaborative attack tracing method for heterogeneous industrial sensor networks
By introducing physical invariance benchmarks and anomaly propagation subgraphs into the Industrial Internet of Things (IIoT), and combining them with reverse path inversion, the problem of identifying and tracing covert collaborative attacks in existing technologies is solved. This enables accurate location of attack source nodes and interpretation of propagation relationships, improving the stability and interpretability of detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SOUTHWEST PETROLEUM UNIV
- Filing Date
- 2026-05-08
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies struggle to effectively identify and trace low-amplitude, gradual, covert collaborative attacks in the Industrial Internet of Things (IIoT), and they also fail to combine the physical constraints of industrial processes with heterogeneous sampling characteristics, making it difficult to accurately locate the attack source node.
By employing physical invariance benchmarks, benchmark state estimation, anomaly propagation subgraphs, and reverse path inversion methods, combined with the conservation relationships of industrial processes, equipment boundaries, and measurement mapping relationships, malicious coordinated attacks can be identified and traced through benchmark state estimation and anomaly propagation analysis.
It achieves accurate location and propagation relationship interpretation of covert cooperative attacks in heterogeneous industrial sensor networks, reduces the risk of false correlations, improves the stability and interpretability of anomaly detection, and can output the set of attack source nodes, propagation path and confidence level.
Smart Images

Figure CN122394930A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the fields of industrial IoT security monitoring, industrial process anomaly interpretation and edge intelligent analysis technology. Specifically, it relates to a method for tracing the source of covert collaborative attacks on heterogeneous industrial sensor networks. This method can be deployed in edge-side or edge-cloud collaborative security monitoring architectures. Background Technology
[0002] With the development of Industrial Internet of Things (IIoT) technology, a large number of heterogeneous sensors have been widely deployed in process industries, discrete manufacturing, energy transmission and distribution, and critical infrastructure operating environments. Distributed sensor nodes continuously collect multi-source operating data such as flow rate, pressure, temperature, liquid level, valve position, current, and vibration, providing fundamental support for industrial system status perception, coordinated control, and predictive maintenance. Because industrial processes generally have strong physical coupling, strong temporal correlation, and complex feedback closed-loop characteristics, sensor nodes usually do not work in isolation but collectively reflect the dynamic evolution of the same process.
[0003] In industrial cybersecurity scenarios, attackers are increasingly shifting from brute-force, single-point tampering to multi-point, coordinated, low-amplitude, and gradual covert attack methods. These attacks often simultaneously target multiple physically connected sensor nodes, controlling the timing, direction, and amplitude of the tampering to make the forged data appear plausible locally, even convincingly indistinguishable from normal fluctuations for a short period, thus circumventing traditional threshold alarm mechanisms. Once a successful attack occurs, it not only affects state estimation and control decisions but also interferes with subsequent attribution and accountability.
[0004] Existing anomaly detection and attack attribution schemes mostly focus on statistical correlation mining, deep feature learning, or general graph model inference, failing to adequately utilize physical priors such as conservation relationships in industrial processes, equipment operating boundaries, and normal propagation delays. This makes them prone to generating false correlations under conditions of equipment disturbance, asynchronous sampling, communication jitter, and localized missing data. Furthermore, while some schemes can provide anomaly scores, they struggle to further explain the propagation path and source node set of the anomaly, hindering the identification of the true origin of covert coordinated attacks. Therefore, an attribution method is needed that can combine the physical constraints of industrial processes, consider heterogeneous sampling characteristics, and output the attack propagation path and source node set. Summary of the Invention
[0005] The purpose of this invention is to provide a method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks, in order to solve the problems in the prior art such as insufficient utilization of industrial physical mechanisms, poor adaptability to heterogeneous sampling and closed-loop feedback, difficulty in distinguishing between natural disturbances and malicious cooperative attacks, and difficulty in accurately locating the attack source node.
[0006] To achieve the above objectives, this invention adopts the following technical solution: a method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks, mainly including the following steps: First, sensor nodes in the heterogeneous industrial sensor network are grouped according to the sensor's measurement object, sampling period, process stage, and physical coupling relationship between nodes, and a physical invariance benchmark including process conservation relationships, equipment operating boundaries, and measurement mapping relationships is established for each group; then, under no-attack calibration conditions, asynchronous time alignment and confidence weighting are performed on the multi-source observation sequences of each group to obtain the benchmark state estimate and benchmark residual interval of each sensor node. The normal propagation delay interval between nodes is determined. During the online monitoring phase, the real-time observation sequence is substituted into the physical invariance benchmark to calculate the observation residual, residual change rate, cross-node delay deviation, and closed-loop constraint non-closure degree of each node, forming an anomaly representation vector. Anomaly seed nodes are further screened based on the anomaly representation vector, and anomaly propagation subgraph is constructed. Finally, with the goal of minimizing the sum of the number of source nodes, propagation path length, physical constraint violation cost, and anomaly interpretation residual required to explain the current anomaly propagation subgraph, reverse path inversion is performed on the candidate suspected source nodes to obtain the set of malicious collaborative attack source nodes, propagation path, propagation order, and their confidence.
[0007] Furthermore, the physical invariance benchmark includes at least: process conservation constraints reflecting the balance of materials, energy, or flow; equipment boundary constraints reflecting equipment start-up and shutdown states, rated upper limits, and safety lower limits; and measurement mapping constraints reflecting the correspondence between measurements from different types of sensors and the same process state variable. The physical invariance benchmark is used to constrain the benchmark state estimation process and serves as the basis for subsequent anomaly interpretation and propagation analysis.
[0008] Furthermore, to adapt to the realities of heterogeneous industrial sensor networks, such as varying sampling periods for multi-source observation data, time delays in propagation responses, and continuous evolution of system states, the establishment of the physical invariance benchmark is not based solely on static observations at a single moment. Instead, it combines current observation information with observation information from adjacent historical moments to jointly characterize the short-term dynamic evolution of the system. By incorporating multi-node observation information from the current moment and the previous reference moment into the analysis scope, the system can simultaneously reflect the instantaneous state and short-term dynamic change trends of nodes under current operating conditions, thereby more accurately describing the physical relationships and propagation response characteristics between nodes under normal operating conditions. The physical invariance benchmark established in this manner is more suitable for subsequent benchmark state estimation, anomaly deviation identification, and propagation time series analysis.
[0009] Furthermore, under attack-free calibration conditions, the normal operating state of each node is solved using the aforementioned physical invariance benchmark to obtain the corresponding benchmark state estimate. This solution process comprehensively considers the reliability differences of the observation data from each sensor node, as well as the conservation relationships in the industrial process, equipment operating boundaries, and measurement mapping relationships, so that the obtained benchmark state not only closely approximates actual observations but also conforms to the physical operating laws of the system under normal operating conditions.
[0010] Furthermore, the real-time observations of each node are compared with the corresponding baseline state estimates to obtain the degree of deviation of each node from the normal physical mechanism. This degree of deviation is then used as the basic characterization quantity for subsequent anomaly identification and propagation analysis. Compared with directly using raw observation data for threshold judgment, this method can effectively reduce the interference of local random fluctuations, transient noise, and slight changes in operating conditions on the detection results, thereby improving the stability and physical interpretability of anomaly judgment.
[0011] Furthermore, under attack-free calibration conditions, statistical analysis is performed on the deviation characteristics of each node in historical normal samples to establish a baseline residual interval for each node, which describes the reasonable deviation range allowed for nodes under normal operating conditions. Simultaneously, for node pairs with direct physical coupling or normal propagation relationships, the range of propagation delay changes under normal conditions is statistically analyzed using historical samples to form normal propagation delay intervals between nodes. During the online monitoring phase, the system compares the propagation sequence of the current anomaly between different nodes with historical normal propagation patterns to obtain the degree of delay deviation between nodes. When the delay deviation of certain node pairs continues to increase, it indicates that the propagation pattern of the current anomaly has significantly deviated from the physical response pattern during normal system operation, thus providing a more reliable basis for subsequent anomaly propagation analysis and source node selection. By simultaneously establishing baseline residual intervals and normal propagation delay intervals, anomalies can be constrained from two dimensions: "deviation amplitude" and "propagation sequence," avoiding misjudgment problems caused by relying solely on a single anomaly amplitude.
[0012] Furthermore, to reflect the degree of coordination mismatch among multiple node anomalies in the industrial closed-loop control process, for any set of closed-loop nodes, the system constructs a non-closed index to measure the degree of closed-loop consistency impairment based on the superposition of deviations of each node after time delay compensation. This index can reflect whether there are coordinated offset phenomena within the closed loop that cannot be explained by normal process relationships. Further, the system integrates the deviation amplitude, deviation trend, time delay deviation between nodes, and closed-loop consistency mismatch of each node to construct corresponding anomaly characterization information for a more comprehensive description of the node's abnormal state. If a node simultaneously exhibits continuously exceeding deviation limits and a significantly abnormal trend in multiple consecutive monitoring windows, and there is obvious time delay mismatch or closed-loop consistency impairment between it and its associated nodes, then this node can be identified as an anomaly seed node. Through this multi-dimensional joint judgment mechanism, false alarms caused by single-index anomalies can be effectively avoided, improving the ability to detect highly concealed, gradual, multi-node coordinated attacks.
[0013] Furthermore, an anomaly propagation subgraph is constructed starting from the aforementioned anomaly seed node. The vertex set of the anomaly propagation subgraph consists of the anomaly seed node and related nodes in its local propagation neighborhood, while the edge set consists of node pairs that satisfy the conditions of anomaly sequence, propagation delay consistency, and anomaly correlation. In this way, the system can extract the local propagation structure most relevant to the current anomaly event from the entire network, and thereby eliminate a large number of normal or weakly related nodes that are not directly related to the anomaly, thus limiting the subsequent source tracing process to a more compact local scope. Furthermore, the system can screen and sort potential source nodes based on the shared anomaly excitation intensity, upstream propagation attributes, and local connectivity characteristics of each node in the anomaly propagation subgraph. Nodes that repeatedly appear in multiple anomaly propagation links, can explain the common change trend of multiple anomaly nodes, and whose shared anomaly excitation intensity exceeds a preset threshold can be identified as candidate suspected source nodes. By constructing the anomaly propagation subgraph, not only can the computational efficiency of the subsequent inversion process be improved, but the structural interpretability of the source tracing results can also be enhanced.
[0014] Furthermore, using the set of candidate suspected source nodes and their corresponding propagation path combinations as input, a reverse path inversion process is executed. The system comprehensively considers the number of candidate source nodes, the length of the propagation path, the degree of violation of physical constraints on the path, and the explanatory power of the candidate results for the current anomaly observation. Different candidate solutions are evaluated, and the set of candidate suspected source nodes with the best comprehensive explanatory effect is selected as the set of malicious collaborative attack source nodes. On this basis, the system further combines the fitting degree of the optimal candidate solution to the anomaly propagation phenomenon, the consistency of the path explanation, and the stability of the results to generate a corresponding confidence level, which is used to characterize the reliability of the current source tracing conclusion. If the confidence level of the obtained result reaches a preset threshold, and the source node involves at least two sensor groups with physical coupling, a collaborative attack warning can be output; otherwise, the current event can be marked as an anomaly to be verified, and the analysis results can be updated in conjunction with subsequent observation data. Through the above processing, the present invention can not only provide a judgment result on whether an anomaly has occurred, but also further provide which nodes dominate the anomaly, along which path it propagates, and the reliability of the conclusion, thereby providing stronger support for the safe handling and subsequent defense of industrial sites.
[0015] Compared with existing technologies, the present invention has at least the following beneficial effects: First, the present invention directly incorporates the conservation relationships of industrial processes, equipment boundaries, and measurement mapping relationships into the baseline state estimation and anomaly determination process, reducing the risk of spurious correlations caused by relying solely on statistical correlations; Second, the present invention uses the baseline residual interval, normal propagation delay interval, and closed-loop constraint non-closure degree to jointly determine anomalies, which can better distinguish between natural disturbances, equipment failures, and malicious coordinated attacks; Third, the present invention can directly output the set of attack source nodes, propagation path, propagation order, and confidence level, facilitating rapid early warning and subsequent handling and tracking at the edge. Attached Figure Description
[0016] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are merely some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without any creative effort.
[0017] Figure 1 A schematic diagram illustrating the overall deployment and functional relationship of a covert collaborative attack tracing method for heterogeneous industrial sensor networks provided in an embodiment of the present invention; Figure 2 A schematic diagram of the top-level steps of a covert cooperative attack tracing method for heterogeneous industrial sensor networks provided in an embodiment of the present invention; Figure 3 Provided for embodiments of the present invention Figure 2A detailed flowchart of steps S6 and S7. Detailed Implementation
[0018] To make the objectives, technical solutions, and advantages of the present invention clearer, the embodiments of the present invention will be further described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are only for explaining the present invention and are not intended to limit the present invention.
[0019] This invention provides a method for tracing the source of covert collaborative attacks in heterogeneous industrial sensor networks, primarily targeting multi-source heterogeneous sensor nodes deployed in industrial IoT environments. These sensor nodes may include, but are not limited to, flow sensors, pressure sensors, temperature sensors, level sensors, valve position sensors, current sensors, vibration sensors, and other sensing nodes related to industrial control processes. Due to differences in sampling periods, measurement accuracy, measurement objects, and communication stability among different types of sensors, traditional monitoring methods relying on single statistical correlations or single-point threshold judgments are insufficient to effectively identify low-amplitude, gradual, cross-node collaborative covert attack behaviors under complex industrial conditions. This invention introduces mechanisms such as physical invariance benchmarks, benchmark state estimation, anomaly propagation subgraphs, and reverse path inversion to accurately locate the source nodes of malicious collaborative attacks and interpret their propagation relationships.
[0020] Example 1: Reference Figure 1 As shown in the figure, the covert collaborative attack tracing method for heterogeneous industrial sensor networks provided by this invention can be deployed in an industrial IoT edge computing gateway. The edge computing gateway is connected to the underlying industrial sensor network and is used to aggregate, analyze, and output observation data from multiple heterogeneous sensor nodes. Logically, the edge computing gateway includes a physical invariance benchmark construction module, a benchmark state estimation and interval establishment module, an online anomaly feature calculation module, an anomaly propagation subgraph extraction module, and an inverse path inversion and confidence output module.
[0021] The physical invariance benchmark construction module is used to group nodes in a heterogeneous industrial sensor network according to the sensor's measurement object, sampling period, process stage, and physical coupling relationship between nodes, and establish a physical invariance benchmark reflecting the normal mechanism of the industrial process. The physical invariance benchmark can at least include process conservation relationships, equipment operating boundary constraints, and measurement mapping relationships. Through this module, the normal physical associations between sensor nodes can be solidified in the form of explicit constraints, providing a basis for subsequent anomaly detection and propagation analysis. The physical invariance benchmark can be jointly characterized by process conservation constraints and equipment boundary constraints, assuming a time... Next The observed values of each node are The credibility weight is Then the baseline state estimation vector corresponding to each node It can be obtained through the following optimization model: ; Its constraint form can be expressed as: ; in, This indicates process conservation constraints. Indicates equipment boundary constraints. This represents the vector of state variables of the system at a given moment. and These represent the number of corresponding constraints. Through these constraints, the technological logic, operational boundaries, and state mapping relationships that the system should satisfy under normal operating conditions can be uniformly incorporated into the subsequent analysis process.
[0022] The baseline state estimation and interval establishment module is used to estimate the baseline state of each node under attack-free calibration conditions, combining historical normal operation data, and to establish the baseline residual interval and normal propagation delay interval. Based on historical normal samples, the node's... The baseline residual interval: ; in, and They are nodes Historical residual mean and standard deviation For node pairs, the coefficients are interval coefficients. Furthermore, a normal transmission delay interval can be established: ; in, and It is a quantile function. Represents nodes in historical samples To the node The estimated propagation delay.
[0023] The online anomaly feature calculation module is used to receive the observation sequence of the sensor network in real time during online operation, and calculate anomaly features based on the aforementioned baseline state estimation and interval information. For any node... Its observation residuals can be defined as: ; in, For baseline state estimation at nodes The corresponding value on the [data point]. Further, the system can calculate information such as the residual change rate, cross-node time delay deviation, and closed-loop constraint non-closure degree to form a node-level anomaly representation vector. The time delay deviation can be expressed as: ; in, This is the propagation proportionality coefficient. The degree of non-closure of the closed-loop constraint can be expressed as: ; in, Represents the set of closed nodes. Represents the sign coefficient of the node. This indicates compensation for delay. Ultimately, the node... The anomaly representation vector can be written as: ; in, Represents nodes A set of nodes that have physical coupling or normal propagation relationships.
[0024] The anomaly propagation subgraph extraction module is used to filter anomaly seed nodes based on anomaly feature information and construct an anomaly propagation subgraph. When a node simultaneously meets the criteria of continuously exceeding deviation limits and exceeding the anomaly change rate limit within multiple consecutive monitoring windows, and there is a significant propagation mismatch between it and its associated nodes, or the consistency of its closed loop is significantly disrupted, it can be identified as an anomaly seed node. Subsequently, starting from the anomaly seed node, the local anomaly propagation structure is extracted by combining the anomaly initiation time, anomaly correlation strength, and propagation direction to form an anomaly propagation subgraph, which compresses the scope for subsequent source tracing searches. The anomaly propagation subgraph can be represented as: ; in, This represents the set of nodes in the anomaly propagation subgraph. This represents the set of edges in the anomaly propagation subgraph. The set of nodes consists of the anomaly seed node and its related nodes in its local propagation neighborhood. The set of edges consists of node pairs that satisfy the conditions of anomaly sequence order, propagation temporal consistency, and anomaly correlation. Further, for any node in the anomaly propagation subgraph... The system can define its shared anomaly stimulus intensity as follows: ; in, For edge weights, This represents the abnormal correlation strength after time delay compensation. Nodes exceeding a preset threshold are identified as candidate suspected source nodes. In this way, the system can further identify key nodes that play a dominant role in multiple abnormal propagation links from the local propagation structure.
[0025] The reverse path inversion and confidence output module is used to calculate the set of malicious coordinated attack source nodes and their propagation order based on the abnormal propagation subgraph and candidate source nodes, and output confidence information. The results output by this module can be sent to external systems such as security protection devices, industrial control centers, or firewalls to support real-time early warning and isolation response. In one implementation, for any set of candidate source nodes... and its propagation path set The system can construct a comprehensive interpretation cost function: ; in, Indicates the number of candidate source nodes. Indicates path length. This represents the cost of violating the physical constraints corresponding to the path. This represents the interpretative residual of the candidate source node set for the current anomalous observation. , , and Here are the weighting coefficients. Further, the explained residuals can be expressed as: ; in, This represents the nodes reconstructed under the assumptions of the candidate source node set and its propagation path. The abnormal residuals. Based on the optimal candidate solution, the system can further define the corresponding confidence level as: ; in, For the set of candidate source nodes The corresponding set of optimal propagation paths, This is a normalization constant. Through the above processing, the system can output the source tracing results and simultaneously provide the reliability of the corresponding conclusions.
[0026] Example 2: Reference Figure 2 As shown, this embodiment of the invention provides a detailed process scheme for a method to trace the source of covert collaborative attacks in heterogeneous industrial sensor networks. The method can be deployed in an industrial IoT edge computing gateway, executed by a processor calling program instructions from memory. This method revolves around the physical constraints, normal propagation laws, and local anomaly propagation structures in industrial processes, sequentially completing data organization, normal baseline establishment, anomaly feature extraction, local propagation location, and source node inversion, thereby achieving the identification and tracing of covert collaborative attacks. Specifically, it includes the following steps: Step S1: Multi-source observation and acquisition and node grouping. The system first acquires historical observation data of the industrial sensor network under normal operating conditions and real-time observation data during online operation. The observation data can come from various heterogeneous nodes such as flow sensors, pressure sensors, temperature sensors, liquid level sensors, valve position sensors, current sensors, and vibration sensors. Since different nodes have significant differences in measurement objects, sampling periods, process locations, and communication stability, the system groups them according to the sensor's measurement object, sampling period, process stage, and physical coupling relationship between nodes, providing a structured basis for subsequent normal operating condition constraint extraction and anomaly propagation analysis.
[0027] Step S2: Normal Operating Condition Constraint Extraction and Baseline Generation. After completing node grouping, the system extracts normal operating condition constraint information within and between each group from historical normal samples, forming a physical invariance benchmark reflecting the normal mechanism of the industrial process. This physical invariance benchmark includes at least process conservation relationships, equipment operating boundary constraints, and measurement mapping relationships. This step explicitly expresses the normal physical correlations originally implicit in the industrial process, allowing subsequent judgments of node states to no longer rely solely on numerical fluctuations but are based on whether they conform to the normal process mechanism, thereby enhancing the stability and interpretability of anomaly detection.
[0028] Step S3: Reference State Determination and Normal Range Generation. After extracting the constraints of normal operating conditions, the system further determines the reference state of each node under normal operating conditions based on historical observation data under attack-free calibration conditions. Based on this, it establishes the normal deviation range of each node and the normal propagation time series range between nodes. The core purpose of this step is to provide a stable comparison benchmark for subsequent online monitoring, enabling the system to distinguish between "normal operating condition fluctuations" and "abnormal offsets that violate physical laws." Specifically, the system comprehensively considers the reliability differences of node observation data, process conservation relationships, equipment operating boundaries, and measurement mapping relationships to estimate the response level of each node under normal conditions. Subsequently, it statistically analyzes the reasonable deviation range that each node may exhibit in normal samples and, combined with historical propagation sequence relationships, determines the normal propagation time series characteristics between nodes. This step not only provides a node-level comparison baseline for subsequent anomaly identification but also provides a time series reference for anomaly propagation relationship analysis, thereby avoiding misjudgments caused by relying solely on single-point numerical fluctuations.
[0029] Step S4: Real-time Deviation Perception and Anomaly Feature Fusion. During the online monitoring phase, the system compares the real-time collected multi-source observation data with the reference state and normal range established in Step S3, extracting multi-dimensional information reflecting the degree of node anomaly and propagation characteristics. This multi-dimensional information may include the amplitude of the node observation deviation, the trend of deviation changes, the degree of deviation from the propagation timeline between the node and associated nodes, and the degree of consistency disruption within the process closed loop to which the node belongs. The system further fuses this multi-dimensional information to form comprehensive anomaly features characterizing the current abnormal state of the node.
[0030] Step S5: Anomaly Seed Screening and Local Propagation Structure Construction. Based on the comprehensive anomaly characteristics formed in Step S4, the system continuously screens all network nodes. When a node simultaneously exhibits continuously exceeding deviation limits and significant anomaly changes across multiple consecutive monitoring windows, and shows obvious propagation mismatch with its associated nodes or a disruption of consistency in its process closed loop, the system identifies this node as an anomaly seed node. Subsequently, starting from the anomaly seed node, and combining the anomaly's occurrence time, the correlation strength between anomalies, possible propagation directions, and physical connections between nodes, the system extracts the local propagation structure most relevant to the current anomaly event from all network nodes, forming the local candidate range required for subsequent source tracing analysis. Through this step, the system can eliminate most normal nodes that are not directly related to the current anomaly while ensuring the integrity of the anomaly propagation relationship. This compresses the search space for subsequent source node inversion and path evaluation into a more compact and physically meaningful local region, improving computational efficiency and source tracing interpretability.
[0031] Step S6: Evaluation of Candidate Source Nodes and Path Combinations. The system takes the candidate suspected source nodes and their local propagation structures obtained in Step S5 as input, and traverses and evaluates different sets of candidate source nodes and their corresponding propagation path combinations. This step focuses on the explanatory power of each candidate solution for the current abnormal propagation phenomenon, the consistency of physical constraints on the path, and the structural rationality of the results.
[0032] Step S7: Output and Feedback Update of Source Tracing Results. After evaluating candidate solutions, the system outputs the set of malicious coordinated attack source nodes, propagation order, and corresponding confidence levels. The results can be sent to external systems such as security protection devices, industrial control centers, or firewalls to support real-time early warning and isolation responses. Furthermore, the system can update the reference state, normal deviation range, normal propagation delay interval, and relevant thresholds based on the feedback results to enhance the method's adaptability to equipment aging, operating condition drift, and network environment changes. Therefore, this invention can not only determine whether a system anomaly has occurred, but also identify which nodes are responsible for the anomaly, how it propagates, and the reliability of the conclusions, thereby improving interpretable security protection capabilities in industrial scenarios.
[0033] Example 3: Reference Figure 3 As shown, Figure 3 It shows Figure 2 The detailed implementation process of steps S6 and S7 is used to perform reverse path inversion based on the anomaly propagation subgraph and candidate source nodes, determine the optimal set of source nodes and their propagation order, and output the corresponding confidence information. The specific process is as follows: Step S601: Input the anomaly propagation subgraph and candidate source nodes. The system receives the anomaly propagation subgraph extracted from the previous stage and selects nodes with high shared anomaly excitation intensity, potential for upstream propagation, or recurrence in multiple anomaly paths as candidate source nodes to be input into the inversion module.
[0034] Step S602: Traverse source nodes and path combinations. The system constructs multiple candidate solutions around the candidate source node set. Each candidate solution includes a candidate source node set and a set of propagation paths corresponding to that set. Candidate paths can be constrained based on the abnormal start time, physical connection direction, normal propagation delay interval, and current abnormal delay offset relationship, thereby reducing the participation of unreasonable paths.
[0035] Step S603: This step quantitatively evaluates the explanatory power of the candidate source node set and its propagation path combinations. The system comprehensively considers the number of candidate source nodes, propagation path length, the degree of violation of physical constraints on the path, and the reconstruction error of the candidate results to the current anomaly observation, generating a corresponding comprehensive explanation cost. Based on this, a confidence level reflecting the reliability of the current source tracing conclusion is further obtained. The smaller the comprehensive explanation cost, the better the current candidate solution can explain the observed anomaly propagation phenomenon with lower structural complexity and higher physical consistency. When the comprehensive explanation costs are similar, the candidate solution with higher confidence has stronger result stability and better explanatory credibility. Therefore, the system prioritizes retaining the candidate solution with better comprehensive explanation effect as the current optimal solution and completes the subsequent source tracing result output accordingly.
[0036] Step S604: Update the optimal solution. The system compares the current candidate solution with the existing optimal solution. When the current candidate solution has a lower overall interpretation cost, or has a higher confidence level when the interpretation cost is similar, the system updates the optimal solution.
[0037] Step S605: Output the set of malicious coordinated attack source nodes and their propagation order. After traversing all candidate solutions, the system outputs the optimal set of source nodes, propagation order, and their confidence levels. The method determines the propagation order based on the temporal relationship of paths in the optimal path set, the anomaly start time, or the path topology level. When the output result meets the preset confidence threshold and involves at least two sensor groups with physical coupling, the system can trigger a coordinated attack warning; otherwise, the event can be marked as an anomaly to be verified, and further analysis can be conducted using subsequent sampling data.
[0038] As an example, in a continuous process industrial scenario, if an attacker applies small-amplitude synchronous offsets to the upstream flow sensor and the downstream valve position sensor respectively, observing a single node alone may not immediately trigger a traditional threshold alarm. However, this coordinated offset will gradually cause abnormal changes in the propagation delay relationship between flow, level, pressure, and valve position, resulting in an increase in the non-closure of the corresponding process loop. This invention first identifies abnormal seed nodes based on baseline state estimation and interval information, then compresses the candidate space to a local region through an abnormal propagation subgraph, and finally concludes that "upstream flow sensor + downstream valve position sensor" is the set of malicious coordinated attack source nodes through reverse path inversion, and provides the corresponding propagation order and confidence level. Therefore, this invention can not only identify system anomalies, but also further explain how the anomalies propagate, which nodes are dominant, and the reliability of the conclusions, thus providing stronger support for safe handling in industrial settings.
[0039] In summary, this invention achieves the detection, interpretation, and tracing of covert collaborative attacks in heterogeneous industrial sensor networks through the coordinated efforts of constructing a physically invariant benchmark, estimating benchmark states and establishing intervals, calculating online anomaly features, extracting anomaly propagation subgraphs, and performing reverse path inversion and confidence output. This method not only leverages the physical laws of industrial processes to improve the reliability of judgments but also reduces the computational burden of full-network search through local propagation structures and path inversion. Therefore, it is suitable for edge computing devices with limited computing power and industrial IoT scenarios requiring real-time security responses.
Claims
1. A method for tracing the source of covert cooperative attacks in heterogeneous industrial sensor networks, characterized in that, Includes the following steps: S1. Multi-source observation and acquisition and node grouping: Collect multi-source observation data of heterogeneous industrial sensor networks under non-attack calibration and online monitoring conditions, and group sensor nodes in the heterogeneous industrial sensor network according to the sensor's measurement object, sampling period, process link, and physical coupling relationship between nodes. S2. Normal operating condition constraint extraction and baseline generation: Extract normal operating condition constraints for each group, including process conservation relationships, equipment operating boundaries and node measurement mapping relationships, and establish physical invariance benchmarks. S3. Reference state acquisition and normal range generation: Under the condition of no attack calibration, asynchronous time alignment and confidence weighting are performed on the multi-source observation sequences of each group to obtain the baseline state estimate, baseline residual interval and normal propagation delay interval between nodes for each sensor node. S4. Real-time deviation perception and abnormal feature fusion: Under online monitoring conditions, the real-time observation sequence is substituted into the physical invariance benchmark to calculate the observation residual, residual change rate, cross-node time delay consistency and closed-loop constraint non-closure degree of each sensor node, forming an abnormal characterization vector that reflects the degree of deviation of the system from normal operating conditions. S5. Anomaly seed screening and local propagation structure construction: Based on the anomaly representation vector, screen nodes and node pairs that simultaneously satisfy the conditions of residual continuous out-of-bounds, time delay consistency anomaly, and closed-loop constraint non-closure degree exceeding the limit, construct an anomaly propagation subgraph, and extract candidate suspected source nodes whose shared anomaly excitation intensity exceeds a preset threshold from the anomaly propagation subgraph. S6. Evaluation of candidate source nodes and paths: With the goal of minimizing the comprehensive interpretation cost consisting of the number of source nodes required to interpret the abnormal propagation subgraph, the propagation path length, the constraint violation cost, and the interpretation residual of the current abnormal observation, reverse path inversion is performed on the candidate suspected source nodes to determine the set of malicious collaborative attack source nodes and their attack propagation paths. S7. Output and update the source tracing results: Output the set of malicious collaborative attack source nodes, the corresponding propagation order, the working condition label and confidence level, and update the baseline residual interval and normal propagation delay interval according to the feedback of subsequent handling.
2. The method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks according to claim 1, characterized in that, In step S2, the physical invariance benchmark includes at least: process constraints reflecting the conservation relationship of process medium quantity, energy quantity or flow rate; equipment boundary constraints reflecting the equipment start-up and shutdown state, upper operating limit and lower operating limit; and measurement mapping constraints reflecting the correspondence between the measurement values of different types of sensors and the same process state variable.
3. The method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks according to claim 1, characterized in that, In step S3, the asynchronous time alignment is achieved by constructing a common time axis based on the minimum sampling period and combining it with a missing measurement mask. The confidence weighting is determined based on the sensor health status, communication stability, and historical drift. The baseline state estimate is obtained by constraint optimization that satisfies the physical invariance baseline. The baseline residual interval is determined by the confidence interval of the residual statistical distribution under the calibration conditions.
4. The method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks according to claim 1, characterized in that, In step S4, the time delay matching degree is used to characterize the degree of matching between the actual abnormal propagation time delay between node pairs and the normal propagation time delay interval. The closed-loop constraint non-closure degree is used to characterize the degree to which the residuals of multiple nodes in the same process closed loop cannot cancel each other after time delay compensation. The abnormal characterization vector is composed of at least the node residual amplitude, residual change rate, time delay matching degree and closed-loop non-closure amount.
5. The method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks according to claim 1, characterized in that, In step S5, nodes that satisfy the condition of continuous residual out-of-bounds and consistent abnormal representation vector direction within multiple consecutive monitoring windows are identified as abnormal seed nodes. Starting from the abnormal seed nodes, the abnormal propagation subgraph is expanded by combining the abnormal start time, abnormal correlation strength and propagation direction to obtain local suspected propagation areas. Candidate suspected source nodes are identified based on nodes whose shared abnormal excitation intensity exceeds a preset threshold.
6. The method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks according to claim 1, characterized in that, In step S6, the reverse path inversion includes: searching for reachable paths along the reverse edges of the anomaly propagation subgraph starting from each candidate suspected source node; traversing the set of candidate suspected source nodes and their propagation path combinations; calculating the interpretation residuals of each propagation path combination for the observed anomaly and the corresponding constraint violation costs; eliminating paths that can be independently explained by a single natural disturbance, equipment aging, or communication jitter; and selecting the candidate suspected source node combinations with the minimum comprehensive interpretation cost and that satisfy the physical invariance benchmark as the set of malicious collaborative attack source nodes.
7. The method for tracing the source of covert cooperative attacks on heterogeneous industrial sensor networks according to claim 1, characterized in that, In step S7, a coordinated attack warning is output only when the set of malicious coordinated attack source nodes involves at least two sensor groups that have a physical coupling relationship and their corresponding confidence level is higher than a preset warning threshold. Otherwise, mark the current abnormal event as an event to be verified and continue to expand the subsequent monitoring window.