Multi-knowledge fusion and semantic enhancement-based industrial control network intrusion detection method and system

By employing multi-knowledge fusion and semantic enhancement methods, this approach addresses the shortcomings of existing technologies in identifying covert attack chains and adapting to cross-protocol migration in intrusion detection of industrial control network traffic. It achieves high accuracy and low false alarm rate detection, meeting the protection needs of complex industrial control scenarios.

CN122394940APending Publication Date: 2026-07-14SHANGHAI JIAOTONG UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANGHAI JIAOTONG UNIV
Filing Date
2026-05-13
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing industrial control network traffic intrusion detection technologies cannot effectively identify covert attack chains, have weak cross-protocol and cross-device migration and adaptation capabilities, insufficient model generalization, scarce and imbalanced data, lack of incremental learning and dynamic evolution mechanisms, poor interpretability of detection results, and are difficult to meet the protection needs of complex industrial control scenarios.

Method used

We employ a multi-knowledge fusion and semantic enhancement approach, using transfer learning and deep neural networks to achieve protocol feature mapping, constructing an attention-based screening model, combining generative adversarial networks to generate compliant simulated traffic, building a knowledge graph and introducing a domain-adaptive Transformer model, integrating online detection and feedback learning mechanisms, performing dynamic weight allocation and incremental learning, and outputting detection results and interpretable reports.

Benefits of technology

It significantly improves the ability to identify covert attack chains, increases detection accuracy and generalization ability, reduces false positive and false negative rates, enhances model adaptability and interpretability of detection results, and adapts to the detection needs of complex and dynamic industrial control scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394940A_ABST
    Figure CN122394940A_ABST
Patent Text Reader

Abstract

The application provides an industrial control network traffic intrusion detection method and system based on multi-knowledge fusion and semantic enhancement, and belongs to the technical field of industrial control network security. The application preprocesses industrial control traffic and general traffic data and extracts multi-dimensional features, performs protocol feature mapping, dynamic data screening and multi-source data fusion, combines a generative adversarial network to complete compliant traffic data enhancement, constructs a process specification, a device topology and a historical attack knowledge graph and dynamically injects a model, realizes deep semantic enhancement of industrial control traffic through a domain adaptive Transformer, completes model iteration optimization through a dynamic evolution and an incremental learning mechanism, and finally realizes multi-granularity anomaly scoring and attack intention reasoning. The application solves the problems of insufficient semantic understanding, poor generalization, data scarcity and weak dynamic adaptation of the prior art, greatly improves the detection accuracy of hidden attacks and cross-protocol attacks, reduces the false alarm rate, has strong adaptability and interpretability, and is suitable for complex dynamic industrial control scene protection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of industrial control network security technology, specifically to an industrial control network intrusion detection method and system based on multi-knowledge fusion and semantic enhancement. Background Technology

[0002] Industrial Control Systems (ICS) serve as a core support for critical national information infrastructure in sectors such as power, petrochemicals, and intelligent manufacturing. With the deep integration of industrialization and informatization, industrial control networks are gradually achieving interconnection and interoperability between IT and OT networks, and network communication boundaries are becoming increasingly open. Targeted attacks on industrial control networks, exemplified by Stuxnet and Industroyer, are becoming more frequent, significantly increasing the intrusion risks faced by industrial control systems. Traffic intrusion detection has become a key technology in industrial control security protection systems for identifying abnormal behavior and resisting malicious attacks.

[0003] Current industrial control network traffic intrusion detection technologies can be mainly divided into three categories: The first category is traditional rule-based and statistical feature-driven methods, which rely on manual extraction of network layer and transport layer surface features and configuration of fixed rule bases to achieve detection. This type of method depends on expert experience, has poor generalization ability, cannot identify unknown attacks and zero-day vulnerabilities, and its detection effect drops significantly when facing encrypted traffic and protocol variants. The second category is general deep learning-driven methods, which use models such as CNN, LSTM, and GNN to automatically extract traffic features. Related patents, such as CN202510865547.6, disclose a lightweight industrial control attack traffic detection scheme based on deep learning and knowledge distillation. Although it reduces computing power, it does not incorporate industrial control domain-specific knowledge, cannot adapt to the diversity of industrial control protocols and the dynamic evolution of attack methods, and suffers from problems such as data scarcity, domain bias, and insufficient cross-scenario transferability. The third category is preliminary solutions for knowledge fusion and semantic enhancement. Some technologies attempt to introduce knowledge graphs and semantic parsing to improve understanding capabilities, but they generally suffer from defects such as single knowledge sources, disconnect between semantics and spatiotemporal features, and lack of dynamic evolution mechanisms, making it difficult to meet the detection needs of complex industrial control scenarios.

[0004] In summary, existing industrial control network traffic intrusion detection technologies suffer from the following core shortcomings: relying solely on surface features fails to understand the semantics of industrial control traffic and attack intent, making it difficult to identify covert attack chains; cross-protocol and cross-device migration and adaptation capabilities are weak, and model generalization is insufficient; private industrial control data is scarce and imbalanced, resulting in low adaptability between general data and target scenarios; the model lacks incremental learning and dynamic evolution mechanisms, making it unable to adapt to process adjustments and attack iterations; and the interpretability of detection results is poor, hindering security personnel from making judgments and responses. These issues prevent existing technologies from achieving high accuracy, low false alarm rate, and strong adaptability in industrial control traffic intrusion detection, thus failing to meet the actual protection needs of industrial scenarios.

[0005] Therefore, there is a market need for an industrial control network intrusion detection method and system that can achieve the understanding of traffic semantics and the identification of attack intent, while improving the detection accuracy and generalization ability of the model in complex and dynamic industrial control scenarios through multi-knowledge fusion and semantic enhancement. Summary of the Invention

[0006] To address the shortcomings of existing technologies, the purpose of this invention is to provide a method and system for detecting intrusions into industrial control networks that integrates multiple knowledge bases and enhances semantics.

[0007] The present invention provides an industrial control network intrusion detection method based on multi-knowledge fusion and semantic enhancement, comprising: The input general network traffic data and industrial control protocol data are preprocessed, and features of the network layer, transport layer and application layer are extracted. Function code sequence, register address distribution and data value range features are extracted from the industrial control protocol data and semantic labels are added. Transfer learning and deep neural networks are used to realize the spatial mapping of IT protocol features to industrial control protocol features. Reconstruction loss, semantic preservation loss and distribution alignment loss functions are introduced to complete semantic alignment. Construct an attention-based screening model to evaluate the correlation between general data and target industrial control scenarios, and dynamically adjust the screening threshold based on validation set performance feedback to complete sample screening; The filtered general data is merged with private industrial control data, and dynamic weight allocation is achieved through a two-layer optimization framework to form a composite dataset; Generative adversarial networks are used to generate compliant simulation traffic under the constraints of industrial control protocols. Function code constraints, register address constraints and timing consistency loss functions are introduced to complete data augmentation. Construct a knowledge graph that includes process knowledge, equipment topology, and historical attack cases, and dynamically inject structured knowledge into a deep learning model through a knowledge attention mechanism; A domain-adaptive Transformer model is built, and a protocol-aware embedding layer, a temporal-causal attention mechanism, and a knowledge-guided cross-attention module are introduced to extract deep semantic features of industrial control traffic and complete semantic enhancement. An integrated online detection and feedback learning mechanism is used to send low-confidence samples to a manual review pool, and an elastic weight consolidation strategy is adopted to complete incremental learning. At the same time, the knowledge graph is dynamically updated through conflict detection and arbitration mechanisms. Based on the enhanced semantic features, perform multi-granularity anomaly scoring and attack intent inference, and output detection results and interpretability reports.

[0008] Preferably, the IT protocol feature mapping includes mapping rules defined separately for the Modbus and OPC UA industrial control protocols, including: The mapping of TCP flags to Modbus operation types, the mapping of packet length to Modbus operation types, and the mapping of protocol types to Modbus transmission modes; For the OPC UA protocol, it also includes mappings from service type to OPC UA service, from packet size to OPC UA message type, and from timestamp features to OPC UA time features.

[0009] Preferably, in the dynamic data filtering strategy, the filtering model includes a feature extraction layer, an attention layer, and a scoring layer, which extract local features through a convolutional neural network, weight key features through the attention layer, and output relevance scores through the scoring layer. The screening threshold is dynamically adjusted based on the rate of change of the validation set loss; the threshold is lowered when the validation loss decreases and raised when the validation loss increases.

[0010] Preferably, the outer optimization layer of the two-layer optimization framework is used to adjust the weights of general data and private industrial control data, while the inner optimization layer is used to train model parameters under fixed weights. The weighting is calculated by weighting three indicators: data quality, scenario relevance, and model performance feedback.

[0011] Preferably, during the incremental learning process, samples that have been manually reviewed and confirmed trigger model fine-tuning; A flexible weighting consolidation strategy is adopted to constrain important parameters of old tasks to mitigate catastrophic forgetting, while version management is used to dynamically update the knowledge graph.

[0012] Preferably, the knowledge graph includes: a process knowledge subgraph, an equipment topology subgraph, and an attack behavior subgraph. Each subgraph is interconnected through core entities of equipment and process variables to form a multi-source heterogeneous knowledge fusion system for the field of industrial control security.

[0013] An industrial control network intrusion detection system based on multi-knowledge fusion and semantic enhancement, provided by the present invention, includes: The data preprocessing module is used to preprocess general network traffic data and industrial control protocol data and extract multi-dimensional features; The protocol feature mapping module is used to realize the spatial mapping and semantic alignment of IT protocol features to industrial control protocol features; The dynamic data filtering module is used to evaluate the relevance of data to the target industrial control scenario and dynamically adjust the filtering threshold. The multi-source data fusion module is used to merge filtered general data and private industrial control data, and to complete dynamic weight allocation; A generative adversarial network module is used to generate compliant simulated traffic that conforms to industrial control protocol constraints and time-dependent requirements. The structured knowledge modeling module is used to construct knowledge graphs and dynamically inject knowledge into deep learning models through a knowledge attention mechanism. Domain-adaptive Transformer semantic enhancement module is used to extract deep semantic features of industrial control traffic and perform semantic enhancement; The dynamic evolution and incremental learning module is used to perform online detection and feedback learning, enabling collaborative updates between the model and the knowledge graph; The detection decision and output module is used to complete multi-granularity anomaly scoring, attack intent reasoning, and output detection results and interpretability reports.

[0014] Preferably, the protocol feature mapping module has a built-in Modbus protocol mapping unit and an OPC UA protocol mapping unit, which respectively adapt to the feature conversion rules of the two industrial control protocols; The dynamic data filtering module includes an attention filtering unit and a dynamic threshold adjustment unit; The attention filtering unit is used to calculate the data relevance score, and the dynamic threshold adjustment unit is used to adaptively adjust the filtering threshold according to the validation set performance.

[0015] Preferably, the multi-source data fusion module is equipped with a two-layer optimized weight allocation unit, which realizes the weighted fusion of general data and private industrial control data based on data quality, scenario relevance, and model performance feedback.

[0016] Preferably, the dynamic evolution and incremental learning module includes an elastic weight consolidation unit, a manual review buffer unit, and a knowledge graph conflict arbitration and version management unit, to realize incremental fine-tuning of the model and dynamic updating of the knowledge graph.

[0017] Compared with the prior art, the present invention has the following beneficial effects: 1. This invention employs multi-source structured knowledge injection and domain-adaptive Transformer semantic enhancement techniques, overcoming the limitations of traditional methods that rely solely on surface features. It accurately understands the semantics of industrial control traffic and attack intent, significantly improving the ability to identify and detect covert attack chains.

[0018] 2. This invention addresses the challenges of scarce industrial control data and domain bias by employing dynamic data filtering, multi-source data fusion, and GAN-compliant data enhancement techniques. It improves the model's cross-protocol and cross-device generalization capabilities and effectively reduces false positive and false negative rates.

[0019] 3. This invention relies on dynamic evolution and incremental learning mechanisms to achieve collaborative updates of the model and knowledge graph, alleviate catastrophic forgetting, improve the long-term adaptability of the system and the interpretability of the detection results, and adapt to dynamic industrial control scenarios. Attached Figure Description

[0020] Other features, objects, and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings: Figure 1 This is a schematic diagram of the working method of the present invention; Figure 2 This is a schematic diagram of the multi-source data fusion module in this invention; Figure 3 This is a schematic diagram of the industrial control traffic semantic enhancement detection algorithm framework based on multi-knowledge fusion of the present invention; Figure 4 This invention provides a lightweight, domain-adaptive Transformer architecture. Figure 5 This is a schematic diagram of the semantic enhancement detection and dynamic evolution process of the present invention. Detailed Implementation

[0021] The present invention will now be described in detail with reference to specific embodiments. These embodiments will help those skilled in the art to further understand the present invention, but do not limit the invention in any way. It should be noted that those skilled in the art can make several changes and improvements without departing from the concept of the present invention. These all fall within the protection scope of the present invention.

[0022] This invention injects knowledge such as process specifications, equipment topology, and historical attack patterns into a deep neural network model to achieve understanding of traffic semantics and identification of attack intent; at the same time, it adopts a domain-adaptive Transformer structure and dynamic evolution mechanism to improve the detection accuracy and generalization ability of the model in complex and dynamic industrial control scenarios.

[0023] Example 1 According to the present invention, an industrial control network intrusion detection method based on multi-knowledge fusion and semantic enhancement is provided, such as... Figure 1 As shown, it includes: Step S1: Data Preprocessing and Feature Extraction. Obtain general network traffic data, denoted as the general dataset, and industrial control protocol data, denoted as the industrial control dataset. Preprocess the general network traffic data and the industrial control protocol data to extract network layer, transport layer, and application layer features. Specifically, extract 42-dimensional standard features from the general dataset and extract industrial control protocol semantic features from the industrial control dataset. The industrial control protocol semantic features include function code sequences, register address distribution, data value ranges, etc., and are labeled with semantic tags.

[0024] Step S2: Protocol Feature Mapping and Semantic Alignment. Transfer learning and deep neural networks are used to spatially map IT protocol features to industrial control protocol semantic features; reconstruction loss, semantic preservation loss, and distribution alignment loss functions are introduced to ensure that the mapped features retain industrial control semantics.

[0025] For the reconstruction loss function, to ensure that the decoded semantic features of the industrial control protocol are as close as possible to the true features, the mean squared error is used, and the formula is as follows:

[0026] in, This represents the reconstruction loss function, where N represents the number of mapped samples. and These represent the real and reconstructed industrial control feature vectors, respectively.

[0027] The semantic preservation loss ensures that the mapped features retain the industrial control semantics, which is achieved through a semantic label classifier, as shown in the following formula:

[0028] in, Indicates sample Does it have semantic tags? For the classifier to classify samples With tags The predicted probability is given by m, which represents the number of all possible industrial control semantic operation types defined in this detection task. Based on the semantic preservation loss, a domain adaptation loss term is introduced to improve the robustness of the model in cross-domain scenarios by minimizing the distribution difference between the source and target domains in the semantic space. The formula is as follows:

[0029]

[0030] in, This represents the domain adaptation loss term. and These represent the semantic label distributions of the source and target domains, respectively. Let KL divergence be the KL divergence. Adjust the loss weights for the domain.

[0031] For the distribution alignment loss, to ensure that the mapped IT feature distribution is consistent with the semantic feature distribution of the industrial control protocol, the maximum mean difference is used, as shown in the following formula:

[0032] in Represents the distribution alignment loss function. For feature mapping function, For the regenerating nucleus Hilbert space, and These represent the number of mapped samples and the number of real industrial control samples, respectively.

[0033] The total loss function is the weighted sum of the above loss functions, expressed as:

[0034] in, This is a hyperparameter used to balance the importance of different loss terms.

[0035] Protocol-specific mapping rules were developed for the Modbus and OPC UA industrial control protocols to improve mapping accuracy.

[0036] For the Modbus protocol, the following mapping rules are defined: 1. Mapping of TCP flags to Modbus operation types: Let S be the TCP flag vector. ,in , These represent flag vectors indicating connection establishment, normal response, data push, abnormal termination, and normal termination, respectively. This indicates that all the above vectors satisfy this restriction. The function that maps to Modbus operation types is defined as follows: ,in For the weight vector, For bias terms, This is a softmax function, and its output is the probability distribution of operation types. An initial weight for Modbus operation type mapping is provided using a TCP flag classification model pre-trained on an IT network dataset, accelerating convergence and improving generalization ability.

[0037] 2. Mapping of data packet length to Modbus operation type: Short packets (<50 bytes) correspond to reading / writing a single register, medium-long packets (50-200 bytes) correspond to reading / writing multiple registers, and long packets (>200 bytes) correspond to operations such as file transfer. Let the data packet length be... (Bytes). Define characteristic functions. ,in This is an indicator function. The function mapped to the Modbus operation type is... ,in This is the weight matrix. This is the bias vector.

[0038] 3. Mapping of Protocol Types to Modbus Transport Modes: TCP protocol corresponds to Modbus / TCP, and UDP protocol corresponds to Modbus / UDP (used for diagnostic functions). Let the protocol type vector be... ,in and , These represent the Modbus / TCP and Modbus / UDP protocol types, respectively. This indicates that all the above vectors satisfy this constraint. The function mapping to Modbus transport modes is: ,in This is the weight matrix. This is the bias vector.

[0039] For the OPC UA protocol, the following mapping rules are defined: 1. Mapping of service types to OPC UA services: HTTP requests correspond to read / write services, WebSocket connections to subscription services, and SOAP messages to method call services. Let the service type vector be... ,in and , These represent service type vectors for read / write services, subscription services, and method call services, respectively. This indicates that all the above vectors meet this constraint. The function mapped to the OPC UA service is... ,in This is the weight matrix. This is the bias vector.

[0040] 2. Mapping of packet size to OPC UA message type: Small packets correspond to status queries, medium packets to data reads, and large packets to historical data reads or batch writes. Let the packet size be... (Bytes). Define characteristic functions. ,in These represent the threshold ranges for small, medium, and large packets, respectively. The function mapping to the OPC UA message type is... ,in This is the weight matrix. This is the bias vector.

[0041] 3. Mapping of timestamp features to OPC UA time characteristics: High-frequency requests correspond to real-time data access, low-frequency requests correspond to configuration information access, and burst requests correspond to alarm events. The timestamp feature vector is... ,in Indicates the average request frequency. Indicates the requested interval variance. This represents a sudden change in performance. The function mapping to the time characteristics of OPC UA is: ,in This is the weight matrix. This is the bias vector.

[0042] Step S3: Dynamic Data Filtering Strategy. An attention-based filtering model is constructed. This model automatically evaluates the relevance of samples in a general dataset to the target industrial control scenario and selects highly relevant samples for subsequent training. The filtering threshold is dynamically adjusted based on the model validation set performance feedback to achieve efficient sample selection.

[0043] The screening model The input is the mapped feature vector. The output is a correlation score. This indicates the degree of relevance between the sample and the target scene. The model includes a feature extraction layer, an attention layer, and a scoring layer.

[0044] First, a convolutional neural network is used in the feature extraction layer to extract spatial local patterns of features, as shown in the following formula:

[0045] in Indicates the kernel size as convolutional layers, ReLU represents the ReLU activation function, which is a non-linear activation function used after the output of a convolutional layer.

[0046] Secondly, the importance weight of each position in the feature map is calculated in the attention layer to enhance key features and suppress irrelevant features, as shown in the following formula: ,

[0047] in and For learnable parameters, This represents element-wise multiplication. The function ensures that the weights sum to 1.

[0048] Finally, a relevance score is calculated at the scoring layer based on attention-weighted features. The formula is as follows:

[0049] in and For learnable parameters, The sigmoid activation function maps the scores to... interval, attention-weighted feature maps Flattened into a one-dimensional vector, This refers to the dimension of the flattened vector, that is, the total number of elements in the entire feature map in both spatial and channel dimensions.

[0050] To adapt to different scenarios and data distributions, the filtering threshold is set to be dynamically adjusted. Let the threshold be... The sample selection decision is: if If, then retain; if If the threshold is not met, then it will be removed. The dynamic adjustment is based on the model's performance feedback on the validation set. Let the validation set loss be... The rate of change in performance is:

[0051] in This indicates the training epoch. The threshold adjustment rule is as follows:

[0052] in The learning rate controls the adjustment range. When the validation loss decreases ( This indicates that the current screening strategy is effective, and the threshold can be appropriately lowered to retain more samples; when the validation loss increases ( This indicates that irrelevant samples may have been introduced, and the threshold should be increased to enhance the rigor of the screening.

[0053] Step S4: Multi-source data fusion and dynamic weight allocation: The filtered general data and private industrial control data are merged proportionally to form a composite dataset; a two-layer optimization framework is used for dynamic weight allocation, combining data quality, relevance, and model performance feedback to balance generalization and specificity. Figure 2 As shown, the multi-source data fusion framework will filter the general data. and private industrial control data By proportionally merging, a composite dataset is formed. Let the samples of the general dataset be... Private industrial control dataset samples are ,in , and Let represent the feature vector of the i-th sample in the general dataset and its corresponding label, respectively. and Let represent the feature vector of the j-th sample in the private industrial control dataset and its corresponding label, respectively.

[0054] The composite dataset is constructed as follows:

[0055]

[0056] in This represents the total number of samples in the merged composite dataset. This represents the total number of samples in the filtered general dataset. This represents the total number of samples in the private industrial control dataset. and Let represent the feature vector of the k-th sample in the composite dataset and its corresponding label, respectively. It should be noted that the samples are weighted according to dynamic weights, assigning appropriate weights to different data sources to achieve an optimal balance between generalization ability and scene specificity in the trained model. Specifically, a feature relevance evaluation module based on an attention mechanism is first constructed. By calculating the semantic similarity between each sample in the general dataset and the feature space of the target industrial control scene, it automatically identifies and filters a subset of samples highly relevant to the target scene. This retains the generalization advantage of the general dataset while reducing noise interference introduced by domain differences. For the general data weights... Weighting of private industrial control data The weight allocation can be formalized into a two-level optimization problem:

[0057]

[0058] in To verify the set loss, and The training losses are for general-purpose data and private industrial control data, respectively. For outer layer optimization, the weights are adjusted. and To minimize the validation loss, gradient descent is used to calculate... The gradient is calculated using the chain rule. For inner layer optimization, train the model parameters with fixed weights. Minimize the weighted training loss. Calculate using stochastic gradient descent. .

[0059] The weight allocation is based not only on the validation loss, but also on the following factors: Data quality assessment: Data quality is evaluated by calculating the signal-to-noise ratio, label consistency, and feature diversity. Let the general data quality be denoted as... Private industrial control data quality is The quality adjustment weight is then: .

[0060] Scenario relevance assessment: The relevance of the data is assessed by calculating the semantic similarity between the data and the target industrial control scenario. Let the general data relevance be denoted as . The correlation of private industrial control data is The relevance-adjusted weights are then: .

[0061] Model performance feedback: Weights are dynamically adjusted based on the model's performance on the validation set. Let the model's performance on the general data in the current round be... Performance on private industrial control data is The performance tuning weights are: .

[0062] The final weight is a weighted average of the three weights mentioned above:

[0063]

[0064] in For hyperparameters, satisfying .

[0065] Step S5: Generative Adversarial Network-Driven Data Augmentation. High-quality simulated traffic is generated using a generative adversarial network (GAN) while satisfying industrial control protocol constraints and timing dependencies. Function code constraints, register address constraints, and a timing consistency loss function are introduced to ensure that the generated samples conform to actual industrial control behavior. Multiple augmentation strategies are implemented, including abnormal traffic generation, scene variation augmentation, noise injection, and data balancing augmentation.

[0066] The generation of industrial control traffic must not only maintain statistical characteristics, but also conform to the structural constraints and behavioral patterns of industrial control protocols. To this end, this invention constructs a multi-layered constraint mechanism: Protocol function code constraints: Modbus protocol function codes have strict semantic definitions, and generated traffic must conform to the usage specifications of the function codes. Let the set of function codes be... When generating function code sequences, the generator must satisfy the following conditions: Meanwhile, based on the industrial control operation mode, the probability distribution of function code usage is set as follows:

[0067]

[0068] in , and These are pre-set parameters that reflect the relative frequency of different operation types.

[0069] Register address constraints: Register addresses in industrial control systems typically follow specific naming rules and functional divisions. The generator must ensure that the generated register addresses satisfy the following constraints:

[0070] The effective address range includes the input register (40001-49999), the holding register (30001-39999), and the coil register (1-65535), etc.

[0071] Temporal Dependency Constraints: Industrial control traffic exhibits significant temporal dependencies, with correlations existing between traffic characteristics at adjacent time steps. By introducing a temporal consistency loss function, the generated traffic is forced to satisfy temporal constraints.

[0072] This loss function encourages the generated traffic to change smoothly over time, avoiding abrupt changes.

[0073] Step S6: Structured Knowledge Modeling and Injection: Construct a knowledge graph covering process knowledge, equipment topology relationships, and historical attack cases; dynamically inject structured knowledge into the deep learning model through a knowledge attention mechanism to improve the model's understanding of business logic. This invention constructs a multi-source heterogeneous knowledge fusion system, the core of which is to build a knowledge graph for the industrial control security field. This graph is not a single entity, but is composed of process knowledge subgraphs, equipment topology subgraphs, attack behavior subgraphs, etc., interconnected through core entities such as equipment and process variables.

[0074] The instantiation of industrial knowledge and industry standards primarily involves extracting key semantic elements from unstructured text information and converting them into formal knowledge representations. This process begins with deep analysis of text content from heterogeneous data sources such as technical documents, operating procedures, and industry standards. Natural language processing techniques are used to identify core elements such as equipment entities, process parameters, control logic, and safety constraints. Subsequently, a combination of rule extraction and machine learning is employed to classify and map the identified semantic elements according to a predefined ontology structure, forming standardized knowledge triples. This transformation process not only requires maintaining the semantic integrity of the original knowledge but also ensuring compatibility of information from different sources within a unified semantic space, providing a reliable knowledge foundation for subsequent semantic enhancement detection.

[0075] Taking an automated warehouse control system as an example, this system involves several key aspects, including goods inbound and outbound management, equipment coordination and control, and safety protection. At the process flow level, the system needs to strictly adhere to specific operational sequences and control logic. For instance, when a stacker crane performs goods storage and retrieval tasks, it must operate according to a predetermined path plan and time sequence, and its operating status has complex interrelationships with auxiliary equipment such as conveyor lines and elevators. Through natural language processing and rule extraction technology, these process constraints are formalized into structured knowledge triples, such as: • (Stacker crane_01, operatesIn, racking area_A) • (Conveyor Line_01, connectsTo, Hoist_01) • (Stacker_01, coordinatesWith, Conveyor_01) • (Goods storage / retrieval task requires a security confirmation signal) • (Task execution time, mustBeWithin, [08:00, 17:00]) These triples accurately describe the working relationships and time constraints between equipment, reflecting the standardized management requirements for operational processes in the warehousing system. Simultaneously, the system must also meet relevant industry standards and specifications, such as mandatory requirements for safety distances, equipment load-bearing capacity, and emergency response procedures. These standards and specifications can also be formalized as knowledge triples: • (Equipment spacing, must maintain, ≥50cm) • (Maximum load capacity, mustNotExceed, 1000kg) • (Emergency Stop button, mustBeAccessible, all operating areas) Through a formal modeling process similar to that described above, the system can transform complex technological processes, industry standards, and safety regulations into structured knowledge representations.

[0076] Topology modeling encompasses not only the physical connections between devices but also emphasizes logical control and data flow dependencies. In industrial control systems, the connections between devices are not merely simple hardware connections but also representations of control logic and data transmission paths. Taking a device's instrumentation system as an example, the core of device topology modeling lies in accurately depicting the complete control loop from sensor to actuator. Specifically, the system establishes the following types of relationships: • Physical connection relationships: the physical connection methods and communication media between devices (Engineer's Station) , Controller (via Ethernet) • Control logic relationships: control signal transmission paths and security level requirements ( Controller Emergency shut-off valve 201)(via hardwire or security bus) • Data flow relationship: Measurement data acquisition and transmission process (pressure transmitter) 101, , Controller)(4 20 analog signal) • Communication protocols: Communication protocols and data exchange mechanisms between different control systems ( Controller , Controller (via (Communication interlocking) The constructed topology subgraph can clearly depict the complete data and control loop from sensing and control to execution, providing a basis for identifying abnormal behaviors that deviate from the normal communication path.

[0077] The construction of a historical attack case library is a systematic knowledge engineering process, the core of which lies in deconstructing known attack events into reusable knowledge units. This process goes beyond simple attack classification, delving into the various stages of the attack chain and mapping them to specific devices, protocols, and behavioral patterns. Taking the Triton attack as an example, the complexity of this attack lies in its multi-stage attack process and its deep disruption of the security control system. The attacker first penetrates the industrial network environment through initial penetration, then moves laterally to the engineering station, reverse-engineers the Triton controller, uploads malicious logic code, and ultimately tamperes with the security logic function, causing the security function to fail.

[0078] Attack phase breakdown: Initial penetration -> Lateral movement to engineering station -> Reverse engineering of Tricon controller -> Uploading malicious logic code -> Tampering with security logic.

[0079] Knowledge graph mapping: – Malicious entity: Malicious_Code_Upload – Affected device: Tricon_Controller – Attack methods: Attack_Action, hasTechnique – Potential consequences: Malicious_Code_Upload, mayLeadTo, Safety_Function_Disabled The resulting attack pattern knowledge graph is highly matchable and practical, and can be accurately matched with currently detected traffic behavior.

[0080] The knowledge injection mechanism is a core technical component of the entire semantic enhancement detection framework. Its goal is to dynamically and effectively integrate structured knowledge into the traffic feature representation during model training and inference. The core idea of ​​this mechanism is to introduce contextual knowledge information during traffic feature extraction through a knowledge attention gating mechanism, thereby achieving dynamic knowledge fusion. For a given traffic sample (such as a Modbus TCP write register request, target: TIC101.SP), the system first retrieves relevant entities and relationships in the knowledge graph (such as the limits of TIC101, related variables FIC102, control source PLC_01, etc.). Then, it calculates the traffic feature vector. With each relevant knowledge entity vector semantic relevance score ,in, , For learnable parameters, This is a vector dimension. This calculation process is essentially a measure of the semantic similarity between traffic samples and knowledge entities, reflecting the degree of matching between current traffic behavior and related concepts in the knowledge graph. Ultimately, the features are enhanced with knowledge. It is obtained by fusing original features and weighted knowledge features. ,in, This indicates a splicing operation. The transformation matrix is ​​a value transformation matrix.

[0081] Step S7: Semantic Enhancement Mechanism Based on Domain Adaptive Transformer. A lightweight domain adaptive Transformer model is constructed to extract deep semantic features of industrial control traffic; a protocol-aware embedding layer, a temporal-causal attention mechanism, and a knowledge-guided cross-attention module are introduced to enhance semantic expressive capabilities.

[0082] Based on the specific requirements of industrial control systems for real-time performance, accuracy, and interpretability, this invention constructs a lightweight, domain-adaptive Transformer architecture. This architecture, while maintaining sufficient expressive power, effectively solves the problems of parameter redundancy, poor domain adaptability, and insufficient real-time performance faced by traditional large models in industrial control scenarios. Figure 4 As shown, the architecture adopts an encoder-decoder structure, where the encoder is the core semantic extraction module and the decoder is used for the final detection decision. However, considering the characteristics of industrial control traffic detection, the decoder is simplified to a classifier structure in practical applications.

[0083] The specific architecture of the lightweight domain-adaptive Transformer constructed in this invention is as follows: Figure 3 As shown, the input layer employs a protocol-aware embedding strategy, mapping the original traffic feature sequence into a fixed-dimensional vector representation. For protocol type information, a single effective encoding is used, followed by projection onto the embedding space through a learnable parameter matrix. Function code information is encoded using classification embedding, with each function code corresponding to a specific embedding vector. Numerical data is quantized using a segmented approach, dividing continuous values ​​into several intervals and mapping them to discrete labels, which are then converted into vector representations by the embedding layer. The entire embedding layer is set to 128 dimensions to balance information capacity and computational efficiency.

[0084] The encoder consists of three core components: a multi-head self-attention mechanism, a feedforward neural network, and a residual connection structure. The self-attention mechanism uses eight heads, each with a 32-dimensional dimension, for a total of 256 dimensions. This construction captures long-range dependencies in the flow sequence without excessive computational complexity. A causal mask is introduced into the attention mechanism to ensure that the model can only access historical information when processing the flow at the current moment, conforming to the temporal sequence characteristics of industrial control system commands. The feedforward neural network employs a two-layer structure: the first layer has a 512-dimensional dimension, and the second layer has a 256-dimensional dimension. The GELU activation function is used, which effectively enhances the model's nonlinear expressive power.

[0085] To enhance the model's semantic understanding capabilities, a knowledge-guided attention enhancement module was specifically constructed. This module integrates contextual information from the knowledge graph with traffic features through a cross-attention mechanism, enhancing the model's understanding of industrial control scenarios. The knowledge enhancement module has a 256-dimensional input dimension while maintaining a consistent output dimension, and uses a gating mechanism to effectively fuse knowledge information with the original features. The entire encoder consists of three stacked layers, each containing a self-attention mechanism, a feedforward network, and residual connections, ensuring the model has sufficient depth to learn complex industrial control traffic patterns.

[0086] The semantic enhancement module is constructed as follows: its input is a preprocessed traffic sequence. Each of them Encoding that includes fields such as protocol type, function code, address, and data payload.

[0087] 1. Protocol-aware embedding layer. Constructing a joint embedding. ,in Segmented quantization encoding is used for numerical data to better capture the magnitude and significance of changes in process parameter values.

[0088] 2. Temporal-Causal Attention. A multi-head self-attention mechanism with causal masking is used in the encoder, so that when the model encodes the current flow, it can only focus on its historical sequence, which conforms to the natural temporal order of flow generation and helps to capture the causal dependencies between control commands.

[0089] 3. Domain Knowledge-Guided Attention Enhancement. This part is key to semantic enhancement. An external semantic enhancement module is built that receives the hidden states from the Transformer intermediate layer. and contextual knowledge vectors obtained from the knowledge injection layer This module computes through a cross-attention layer. and The interaction generates a knowledge-aware context vector, which is then fused back into the main Transformer stream through residual connections and a gating mechanism.

[0090] For this module, the specific implementation steps are shown on the left side of the attached diagram in step S8: Input preprocessing: raw traffic -> protocol parsing -> key field extraction and standardization -> serialization organization.

[0091] Knowledge-related retrieval: Using device addresses, function codes, etc., in the traffic as keys, query the knowledge graph to obtain related knowledge sets such as process constraints, topology context, and historical attack patterns. .

[0092] Semantic Feature Extraction and Enhancement: A domain-adaptive Transformer encoder is used to input sequential data, and semantic enhancement modules and knowledge are added in the intermediate layer. The fusion process yields an enhanced semantic feature sequence. .

[0093] Detection decision: The aggregated representation (such as the [CLS] flag) is input into the multilayer perceptron classifier, and the anomaly score is output. Simultaneously, reasoning can be performed using a knowledge graph: rule verification: checking whether traffic behavior violates hard security rules in the graph; attack chain matching: matching the current anomalous behavior with the attack pattern subgraph in the graph to assess the likelihood of it forming a complete attack chain.

[0094] Output and Explanation: Output the final label, which includes the normal / abnormal value. If the value is determined to be abnormal, it includes the attack type and probability.

[0095] Step S8: Dynamic Evolution and Incremental Learning Mechanism. An online detection and feedback learning mechanism is integrated, sending low-confidence samples to a manual review pool. An elastic weight consolidation strategy is employed for incremental model fine-tuning to mitigate catastrophic forgetting; the knowledge graph is dynamically updated to achieve co-evolution of knowledge and the model.

[0096] like Figure 5As shown on the right, the system processes real-time traffic data in a streaming manner after deployment. During the detection process, samples judged as "abnormal" but with low confidence, or samples marked as "normal" but whose characteristics significantly deviate from the historical normal distribution, are temporarily stored in a "pending review buffer pool." By submitting these samples to security operations personnel for manual review, high-quality annotation information can be effectively obtained. Once a sample is manually confirmed as a new positive sample, i.e., a new type of attack or a negative sample, i.e., a normal system change, the system will automatically trigger an incremental learning process. This process first performs feature extraction and knowledge association retrieval on the newly annotated samples to generate corresponding enhanced semantic features. Subsequently, the system uses these new samples to fine-tune the current detection model, updating its parameters to adapt to new threat patterns or environmental changes. At the same time, newly confirmed attack cases or device change information are transformed into structured knowledge triples and incorporated into the knowledge graph update process.

[0097] For parameter update rules, during incremental learning, to prevent catastrophic forgetting of the model, which could lead to a loss of the ability to recognize classic attack patterns or a forgetting of the normal behavior of key process parameters, an elastic weight consolidation strategy is used for model fine-tuning. The core idea of ​​this method is to impose constraints on parameters that are crucial to the old task when updating model parameters, preventing drastic changes. Specifically, based on new data... Update parameters At that time, constrain important parameters Changes to protect the old mission The knowledge of loss function expansion to ,in, It is a parameter exist The diagonal elements of the Fisher information matrix are used to measure their importance; It is the regularization coefficient. This allows the model to retain its original detection capabilities to the greatest extent while adapting to new attack patterns.

[0098] The dynamic update mechanism of the knowledge graph mainly includes conflict detection and arbitration mechanisms. When adding new knowledge, the system first performs semantic consistency checks on candidate triples, distinguishing between different types of conflicts such as redundancy and contradiction. For redundant cases, the system selects to retain more representative knowledge items; for contradictory cases, a credibility assessment mechanism is introduced, comprehensively considering factors such as the authority of the data source and the frequency of verification to arbitrate and decide whether to accept the new knowledge. In addition, all change records are saved in the version repository for easy subsequent auditing and traceability. At the same time, an adaptive threshold adjustment mechanism automatically adjusts the detection threshold based on false positives and false negatives during system operation. This mechanism is based on the concept of control graphs, monitoring the distribution of normal traffic feature scores. Once an abnormal trend is detected, such as multiple consecutive normal samples having high scores, the threshold is appropriately increased to reduce false positives; conversely, the threshold is decreased to improve detection sensitivity, thereby maintaining security while considering system response efficiency.

[0099] Meanwhile, in order to better adapt to the dynamic changes in the industrial control environment, the confidence detection threshold in the detection decision-making process is adjusted. Instead of a fixed value, the detection threshold is dynamically optimized through real-time monitoring of operational status and detection performance. The system establishes a baseline model by monitoring the semantic feature score distribution of normal traffic samples. When multiple consecutive normal samples are detected to have abnormally clustered scores in high partitions, the system triggers a threshold adjustment mechanism; conversely, if normal sample scores are detected to be consistently low, a threshold adjustment mechanism is initiated. Specifically, the adaptive threshold adjustment strategy includes the following three aspects: Basic threshold maintenance: The system periodically calculates the statistical characteristics of the scores of normal traffic samples, including the mean. and standard deviation When the score of a normal sample deviates from the baseline by more than [a certain amount] When this occurs, the system determines it to be an abnormal operating condition and automatically adjusts the threshold. ,in This is an adjustable parameter.

[0100] Short-term fluctuation compensation: For short-term system disturbances, a sliding window mechanism is used to monitor the most recent fluctuations. The trend of score changes for each sample. If a continuous trend is found... All samples have scores that are either higher or lower than the current threshold. If the value is more than one standard deviation, the threshold should be adjusted accordingly to adapt to the current operating conditions.

[0101] Long-term trend prediction: Time series analysis is used to model and predict the threshold change trend during system operation. When a significant change in the system's operating state is detected, the threshold is adjusted in advance to avoid a decrease in detection performance due to changes in system characteristics.

[0102] Step S9: Detection Decision and Result Output: Perform multi-granularity anomaly scoring and attack intent inference based on enhanced semantic features; output detection labels and explanation reports to facilitate understanding and response by security personnel.

[0103] Example 2 The present invention also provides an industrial control network intrusion detection system with multi-knowledge fusion and semantic enhancement. The industrial control network intrusion detection system with multi-knowledge fusion and semantic enhancement can be implemented by executing the process steps of the industrial control network intrusion detection method with multi-knowledge fusion and semantic enhancement. That is, those skilled in the art can understand the industrial control network intrusion detection method with multi-knowledge fusion and semantic enhancement as a preferred embodiment of the industrial control network intrusion detection system with multi-knowledge fusion and semantic enhancement.

[0104] An industrial control network intrusion detection system based on multi-knowledge fusion and semantic enhancement, provided by the present invention, includes: The data preprocessing module is used to preprocess general network traffic data and industrial control protocol data and extract multi-dimensional features.

[0105] The protocol feature mapping module is used to realize the spatial mapping and semantic alignment of IT protocol features to industrial control protocol features. The protocol feature mapping module has built-in Modbus protocol mapping unit and OPC UA protocol mapping unit, which are adapted to the feature conversion rules of the two industrial control protocols respectively.

[0106] A dynamic data filtering module is used to evaluate the relevance of data to the target industrial control scenario and dynamically adjust the filtering threshold. The dynamic data filtering module includes an attention filtering unit and a dynamic threshold adjustment unit. The attention filtering unit calculates the data relevance score, and the dynamic threshold adjustment unit adaptively adjusts the filtering threshold based on the validation set performance.

[0107] The multi-source data fusion module is used to fuse filtered general data and private industrial control data, and to perform dynamic weight allocation. This module is equipped with a two-layer optimized weight allocation unit, which achieves weighted fusion of general data and private industrial control data based on data quality, scenario relevance, and model performance feedback.

[0108] The Generative Adversarial Network (GAN) module is used to generate compliant simulated traffic that conforms to industrial control protocol constraints and time-dependent requirements.

[0109] The structured knowledge modeling module is used to construct knowledge graphs and dynamically inject knowledge into deep learning models through a knowledge attention mechanism.

[0110] The Domain Adaptive Transformer Semantic Enhancement Module is used to extract deep semantic features of industrial control traffic and perform semantic enhancement.

[0111] The dynamic evolution and incremental learning module is used to perform online detection and feedback learning, enabling collaborative updates of the model and knowledge graph. This module includes an elastic weight consolidation unit, a manual review buffer unit, and a knowledge graph conflict arbitration and version management unit, achieving incremental fine-tuning of the model and dynamic updates of the knowledge graph.

[0112] The detection decision and output module is used to complete multi-granularity anomaly scoring, attack intent reasoning, and output detection results and interpretability reports.

[0113] Those skilled in the art will understand that, besides implementing the system and its various devices, modules, and units provided by this invention in the form of purely computer-readable program code, the same functions can be achieved entirely through logical programming of the method steps, making the system and its various devices, modules, and units of this invention function in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, the system and its various devices, modules, and units provided by this invention can be considered as a hardware component, and the devices, modules, and units included therein for implementing various functions can also be considered as structures within the hardware component; alternatively, the devices, modules, and units for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.

[0114] Specific embodiments of the present invention have been described above. It should be understood that the present invention is not limited to the specific embodiments described above, and those skilled in the art can make various changes or modifications within the scope of the claims, which do not affect the essence of the present invention. Unless otherwise specified, the embodiments and features described in this application can be arbitrarily combined with each other.

Claims

1. An industrial control network intrusion detection method based on multi-knowledge fusion and semantic enhancement, characterized in that, include: The input general network traffic data and industrial control protocol data are preprocessed, and features of the network layer, transport layer and application layer are extracted. Function code sequence, register address distribution and data value range features are extracted from the industrial control protocol data and semantic labels are added. Transfer learning and deep neural networks are used to realize the spatial mapping of IT protocol features to industrial control protocol features. Reconstruction loss, semantic preservation loss and distribution alignment loss functions are introduced to complete semantic alignment. Construct an attention-based screening model to evaluate the correlation between general data and target industrial control scenarios, and dynamically adjust the screening threshold based on validation set performance feedback to complete sample screening; The filtered general data is merged with private industrial control data, and dynamic weight allocation is achieved through a two-layer optimization framework to form a composite dataset; Generative adversarial networks are used to generate compliant simulation traffic under the constraints of industrial control protocols. Function code constraints, register address constraints and timing consistency loss functions are introduced to complete data augmentation. Construct a knowledge graph that includes process knowledge, equipment topology, and historical attack cases, and dynamically inject structured knowledge into a deep learning model through a knowledge attention mechanism; A domain-adaptive Transformer model is built, and a protocol-aware embedding layer, a temporal-causal attention mechanism, and a knowledge-guided cross-attention module are introduced to extract deep semantic features of industrial control traffic and complete semantic enhancement. An integrated online detection and feedback learning mechanism is used to send low-confidence samples to a manual review pool, and an elastic weight consolidation strategy is adopted to complete incremental learning. At the same time, the knowledge graph is dynamically updated through conflict detection and arbitration mechanisms. Based on the enhanced semantic features, perform multi-granularity anomaly scoring and attack intent inference, and output detection results and interpretability reports.

2. The method according to claim 1, characterized in that, The IT protocol feature mapping includes mapping rules defined separately for the Modbus and OPC UA industrial control protocols, including: The mapping of TCP flags to Modbus operation types, the mapping of packet length to Modbus operation types, and the mapping of protocol types to Modbus transmission modes; For the OPC UA protocol, it also includes mappings from service type to OPC UA service, from packet size to OPC UA message type, and from timestamp features to OPC UA time features.

3. The method according to claim 1, characterized in that, In the dynamic data filtering strategy, the filtering model includes a feature extraction layer, an attention layer, and a scoring layer. Local features are extracted through a convolutional neural network, key features are weighted by the attention layer, and relevance scores are output by the scoring layer. The screening threshold is dynamically adjusted based on the rate of change of the validation set loss; the threshold is lowered when the validation loss decreases and raised when the validation loss increases.

4. The method according to claim 1, characterized in that, The outer optimization layer of the two-layer optimization framework is used to adjust the weights of general data and private industrial control data, while the inner optimization layer is used to train model parameters under fixed weights. The weighting is calculated by weighting three indicators: data quality, scenario relevance, and model performance feedback.

5. The method according to claim 1, characterized in that, During the incremental learning process, samples that have been manually reviewed and confirmed trigger model fine-tuning. A flexible weighting consolidation strategy is adopted to constrain important parameters of old tasks to mitigate catastrophic forgetting, while version management is used to dynamically update the knowledge graph.

6. The method according to claim 1, characterized in that, The knowledge graph includes: a process knowledge subgraph, an equipment topology subgraph, and an attack behavior subgraph. Each subgraph is interconnected through core entities of equipment and process variables, forming a multi-source heterogeneous knowledge fusion system for the field of industrial control security.

7. An industrial control network intrusion detection system based on multi-knowledge fusion and semantic enhancement, characterized in that, include: The data preprocessing module is used to preprocess general network traffic data and industrial control protocol data and extract multi-dimensional features; The protocol feature mapping module is used to realize the spatial mapping and semantic alignment of IT protocol features to industrial control protocol features; The dynamic data filtering module is used to evaluate the relevance of data to the target industrial control scenario and dynamically adjust the filtering threshold. The multi-source data fusion module is used to merge filtered general data and private industrial control data, and to complete dynamic weight allocation; A generative adversarial network module is used to generate compliant simulated traffic that conforms to industrial control protocol constraints and time-dependent requirements. The structured knowledge modeling module is used to construct knowledge graphs and dynamically inject knowledge into deep learning models through a knowledge attention mechanism. Domain-adaptive Transformer semantic enhancement module is used to extract deep semantic features of industrial control traffic and perform semantic enhancement; The dynamic evolution and incremental learning module is used to perform online detection and feedback learning, enabling collaborative updates between the model and the knowledge graph; The detection decision and output module is used to complete multi-granularity anomaly scoring, attack intent reasoning, and output detection results and interpretability reports.

8. The system according to claim 7, characterized in that, The protocol feature mapping module has built-in Modbus protocol mapping unit and OPC UA protocol mapping unit, which are adapted to the feature conversion rules of the two industrial control protocols respectively. The dynamic data filtering module includes an attention filtering unit and a dynamic threshold adjustment unit; The attention filtering unit is used to calculate the data relevance score, and the dynamic threshold adjustment unit is used to adaptively adjust the filtering threshold according to the validation set performance.

9. The system according to claim 7, characterized in that, The multi-source data fusion module is equipped with a two-layer optimized weight allocation unit, which realizes the weighted fusion of general data and private industrial control data based on data quality, scenario relevance, and model performance feedback.

10. The system according to claim 7, characterized in that, The dynamic evolution and incremental learning module includes an elastic weight consolidation unit, a manual review buffer unit, and a knowledge graph conflict arbitration and version management unit, enabling incremental fine-tuning of the model and dynamic updates of the knowledge graph.