CN107872464A - Traffic anomaly detection method and device - Google Patents
Publication number: CN107872464A (application number CN201711230946.7A)
Authority: CN (China)
Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
Abstract
The present invention relates to the field of industrial control, and in particular to a traffic anomaly detection method and device. The method includes: obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale, and modelling the time series with an autoregressive moving-average model; predicting, from the established autoregressive moving-average model, the subsequent predicted traffic load value between the host computer and the PLC; obtaining the subsequent actual traffic load value between the host computer and the PLC; comparing the subsequent actual traffic load value with the subsequent predicted traffic load value; and judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal. The traffic anomaly detection method and device make it possible to detect traffic anomalies between the host computer and the PLC in a timely manner and so effectively safeguard the safe operation of the ICS.
Description
Technical field
The present invention relates to the field of industrial control, and in particular to a traffic anomaly detection method and device.
Background technology
Industrial control systems (Industrial Control System, ICS) are an important component of national critical infrastructure, and ICS security is of great significance to national security strategy. However, with the continuing convergence of industrialization and informatization, the protective barrier that an ICS once derived from being closed and specialized is disappearing, and ICS now face security threats. Within an ICS, the network node between the host computer and the PLC is a critical security node: malicious code such as Stuxnet and BlackEnergy, and viruses such as W32.Ramnit and Conficker, all manipulate system equipment through this network node. It follows that securing the network node between the host computer and the PLC is especially important for ICS security.
The inventors have found through research that a normally operating ICS maintains a more stable traffic level than a general-purpose network. When the network traffic level of an ICS becomes abnormal over a period of time, this very probably means that system equipment has been attacked by a virus or has failed, which affects the equipment and may even compromise the safe operation of the whole ICS. How to detect anomalies in ICS network traffic is therefore a technical problem that those skilled in the art urgently need to solve.
The content of the invention
In view of this, an object of the present invention is to provide a traffic anomaly detection method and device that solve the above problem.
An embodiment of the present invention provides a traffic anomaly detection method, which includes:
obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale, and modelling the time series with an autoregressive moving-average model;
predicting, from the established autoregressive moving-average model, the subsequent predicted traffic load value between the host computer and the PLC;
obtaining the subsequent actual traffic load value between the host computer and the PLC;
comparing the subsequent actual traffic load value with the subsequent predicted traffic load value;
judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
Further, the step of comparing the subsequent actual traffic load value with the subsequent predicted traffic load value includes:
selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value;
obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value;
comparing each of the first predetermined number of sample values with the preset confidence interval.
Further, the step of judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal includes:
obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval;
when the number of samples outside the preset confidence interval is greater than a second predetermined number, judging that the traffic load value between the host computer and the PLC is abnormal.
Further, the step of obtaining the time series of the traffic load value between the host computer and the PLC on the preset time scale and modelling the time series with an autoregressive moving-average model includes:
obtaining the packets on the communication link between the host computer and the PLC during a preset duration;
filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale;
performing stationarity analysis on the time series;
when the analysis result shows that the time series is a stationary series, modelling the time series with an autoregressive moving-average model.
Further, the method also includes:
when the comparison result leads to the judgment that the traffic load value between the host computer and the PLC is abnormal, starting a traffic load anomaly response system.
An embodiment of the present invention also provides a traffic anomaly detection device, which includes:
a model building module, for obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale and modelling the time series with an autoregressive moving-average model;
a predicted value acquisition module, for predicting, from the established autoregressive moving-average model, the subsequent predicted traffic load value between the host computer and the PLC;
an actual value acquisition module, for obtaining the subsequent actual traffic load value between the host computer and the PLC;
a comparison module, for comparing the subsequent actual traffic load value with the subsequent predicted traffic load value;
an anomaly judgment module, for judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
Further, the comparison module includes:
a sample value acquisition unit, for selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value;
a confidence interval acquisition unit, for obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value;
a comparison unit, for comparing each of the first predetermined number of sample values with the preset confidence interval.
Further, the anomaly judgment module includes:
an abnormal sample count acquisition unit, for obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval;
an anomaly judgment unit, for judging that the traffic load value between the host computer and the PLC is abnormal when the number of samples outside the preset confidence interval is greater than a second predetermined number.
Further, the model building module includes:
a packet acquisition unit, for obtaining the packets on the communication link between the host computer and the PLC during a preset duration;
a time series selection unit, for filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale;
a stationarity analysis unit, for performing stationarity analysis on the time series;
a model establishing unit, for modelling the time series with an autoregressive moving-average model when the analysis result shows that the time series is a stationary series.
Further, the device also includes:
an anomaly response module, for starting a traffic load anomaly response system when the comparison result leads to the judgment that the traffic load value between the host computer and the PLC is abnormal.
The traffic anomaly detection method and device provided by the embodiments of the present invention obtain a time series of the traffic load value between a host computer and a PLC on a preset time scale, model the time series with an autoregressive moving-average model, predict from the established model the subsequent predicted traffic load value between the host computer and the PLC, obtain the subsequent actual traffic load value between the host computer and the PLC, and compare the subsequent actual traffic load value with the subsequent predicted traffic load value, so that the comparison result shows whether the traffic load value between the host computer and the PLC is abnormal. In this way traffic anomalies between the host computer and the PLC are detected in a timely manner and the safe operation of the ICS is effectively safeguarded.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present invention and are therefore not to be taken as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a schematic block diagram of a traffic detection device provided by an embodiment of the present invention.
Fig. 2 is a schematic flow chart of a traffic anomaly detection method provided by an embodiment of the present invention.
Fig. 3 is a flow chart of the sub-steps of step S100 in Fig. 2.
Fig. 4 is a flow chart of the sub-steps of step S400 in Fig. 2.
Fig. 5 is a flow chart of the sub-steps of step S500 in Fig. 2.
Fig. 6 is another schematic flow chart of a traffic anomaly detection method provided by an embodiment of the present invention.
Fig. 7 is a schematic block diagram of a traffic anomaly detection device provided by an embodiment of the present invention.
Reference numerals: 100 - traffic detection device; 110 - traffic anomaly detection device; 111 - model building module; 112 - predicted value acquisition module; 113 - actual value acquisition module; 114 - comparison module; 115 - anomaly judgment module; 120 - processor; 130 - memory.
Embodiment
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The components of the embodiments of the present invention, as generally described and illustrated in the drawings here, can be arranged and designed in a variety of different configurations. The following detailed description of the embodiments shown in the drawings is therefore not intended to limit the claimed scope of the invention, but merely represents selected embodiments of it. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be defined or explained further in subsequent drawings. In the description of the present invention, unless otherwise expressly specified and limited, the terms "installation", "setting" and "connection" are to be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal to two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances.
Referring to Fig. 1, it shows a traffic detection device 100 that applies the traffic anomaly detection method and device provided by the embodiments of the present invention. The traffic detection device 100 can communicate with the host computer and/or the PLC of an ICS in order to obtain the traffic load value between the host computer and the PLC.
The traffic detection device 100 includes a traffic anomaly detection device 110, a processor 120 and a memory 130. The processor 120 and the memory 130 are electrically connected, directly or indirectly, to transmit or exchange data. The traffic anomaly detection device 110 includes at least one software module that can be stored in the memory 130 in the form of software or firmware, or that is built into the operating system (Operating System, OS) of the server. The processor 120 executes the executable modules stored in the memory 130, for example the software functional modules and computer programs included in the traffic anomaly detection device 110; the processor 120 can execute the computer program after receiving an execution instruction.
The processor 120 may be an integrated circuit chip with signal processing capability. The processor 120 may also be a general-purpose processor, for example a central processing unit (Central Processing Unit, CPU) or a network processor (NP), or it may be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), discrete gate or transistor logic, or discrete hardware components. The general-purpose processor may be a microprocessor or any conventional processor.
The memory 130 may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM) and the like.
It should be understood that the structure shown in Fig. 1 is only illustrative; the traffic detection device 100 may have fewer or more components than shown in Fig. 1, or a configuration different from that shown in Fig. 1. Each component shown in Fig. 1 may be implemented in software, hardware or a combination of the two.
Referring to Fig. 2, which is a schematic flow chart of a traffic anomaly detection method provided by an embodiment of the present invention, the traffic anomaly detection method is applied to the traffic detection device 100 shown in Fig. 1. It should be noted that the method provided by the invention is not limited to Fig. 2 or to the particular order shown below. The specific flow and steps of the traffic anomaly detection method are described in detail below with reference to Fig. 2.
Step S100: obtain a time series of the traffic load value between the host computer and the PLC on a preset time scale, and model the time series with an autoregressive moving average (Autoregressive moving average, ARMA) model.
Optionally, in this embodiment the preset time is 10 seconds, but it should be understood that this embodiment does not specifically limit the numerical value of the preset time. It should be noted that in this embodiment the time series is a periodic time series. It should also be noted that the time series models commonly used for traffic prediction fall roughly into two classes, stationary models and non-stationary models: stationary models mainly include the ARMA model, the autoregressive (auto regressive, AR) model and the fractional autoregressive integrated moving average (fractional autoregressive integration moving average, FARIMA) model, while non-stationary models mainly include the autoregressive integrated moving average (Autoregressive Integrated Moving Average, ARIMA) model. Since in this embodiment the time series used for modelling must be a stationary series, the time series can be modelled with an ARMA model, with an AR model or with a FARIMA model; this embodiment does not specifically limit the choice.
With reference to Fig. 3, optionally, in this embodiment step S100 includes four sub-steps: step S110, step S120, step S130 and step S140.
Step S110: obtain the packets on the communication link between the host computer and the PLC during a preset duration.
Step S120: filter the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale.
Step S130: perform stationarity analysis on the time series.
Step S140: when the analysis result shows that the time series is a stationary series, model the time series with an ARMA model.
In this embodiment, the packets on the communication link between the host computer and the PLC can be obtained by calling the Wireshark software. Specifically, Wireshark can obtain the arrival time, packet length, source IP, protocol and other information of all packets on the communication link between the host computer and the PLC, and export the required packets through a configured filter, that is, export the communication traffic between the host computer and the PLC as a time series of the traffic on the preset time scale. A traffic-versus-time plot of the series can then be drawn for the stationarity analysis. If a predetermined number of sample points show obvious periodicity on the preset time scale, and the mean and variance show no obvious trend over time, the time series is judged to be a stationary series and is immediately modelled with an ARMA model.
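As an added illustration of sub-steps S110 to S130 (this is example code written for this page, not code from the patent or its applicant), the following Python builds the traffic load series on the 10-second time scale from a list of packet records and applies a simple stationarity screen of the kind the description sketches: windowed means and variances must show no trend, and the autocorrelation at the expected period must be strong. The host and PLC addresses, the packet records, the expected period of 4 buckets and the tolerance thresholds are all constructed assumptions; the patent names no formal stationarity test, so the screen here is a stand-in rather than the applicant's procedure.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pvariance

# Constructed example values: hypothetical addresses of the host computer and the PLC.
HOST_IP = "192.168.10.5"
PLC_IP = "192.168.10.50"
BUCKET_SECONDS = 10   # the 10-second preset time scale from the description
PERIOD = 4            # expected period of the load pattern, in buckets (assumption)


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds, as a capture tool would export it
    src: str
    dst: str
    length: int   # bytes on the wire
    proto: str


def build_load_series(packets, host_ip, plc_ip, bucket_seconds, t0, n_buckets):
    """Steps S110/S120: keep only packets exchanged between the host computer and the
    PLC, then sum their bytes per bucket to get the load value on the preset time scale.
    Buckets without traffic are kept as 0 so the series stays evenly spaced."""
    totals = defaultdict(int)
    for p in packets:
        if {p.src, p.dst} != {host_ip, plc_ip}:
            continue                      # traffic of other nodes is filtered out
        idx = int((p.ts - t0) // bucket_seconds)
        if 0 <= idx < n_buckets:
            totals[idx] += p.length
    return [totals[i] for i in range(n_buckets)]


def autocorrelation(series, lag):
    """Sample autocorrelation at the given lag; a value near 1 means a strong repeating pattern."""
    m = mean(series)
    denom = sum((x - m) ** 2 for x in series)
    if denom == 0:
        return 0.0
    num = sum((series[t] - m) * (series[t - lag] - m) for t in range(lag, len(series)))
    return num / denom


def is_stationary(series, period, n_windows=3, tolerance=0.15, min_acf=0.5):
    """Step S130 as a simple screen (assumption: no formal unit-root test). The series is
    accepted as stationary when the mean and variance of consecutive windows stay within
    `tolerance` of the overall values (no trend) and the autocorrelation at the expected
    period is at least `min_acf` (obvious periodicity)."""
    w = len(series) // n_windows
    if w < 2 or period >= len(series):
        return False
    overall_mean, overall_var = mean(series), pvariance(series)
    for i in range(n_windows):
        window = series[i * w:(i + 1) * w]
        if abs(mean(window) - overall_mean) > tolerance * abs(overall_mean):
            return False
        if abs(pvariance(window) - overall_var) > tolerance * overall_var:
            return False
    return autocorrelation(series, period) >= min_acf


def constructed_capture(n_buckets=12):
    """Constructed packets standing in for a Wireshark export: every 10 s bucket holds a
    host->PLC request, a PLC->host reply, and an unrelated packet that must be filtered out."""
    pattern = [(700, 500), (800, 550), (680, 500), (780, 520)]   # request/reply sizes per phase
    packets = []
    for i in range(n_buckets):
        req, rep = pattern[i % len(pattern)]
        base = i * BUCKET_SECONDS
        packets.append(Packet(base + 2.5, HOST_IP, PLC_IP, req, "TCP"))
        packets.append(Packet(base + 4.0, "192.168.10.99", PLC_IP, 300, "TCP"))  # other node
        packets.append(Packet(base + 6.0, PLC_IP, HOST_IP, rep, "TCP"))
    return packets


def analyse_capture(n_buckets=12):
    """Returns the load series and the stationarity verdict for the constructed capture."""
    series = build_load_series(constructed_capture(n_buckets), HOST_IP, PLC_IP,
                               BUCKET_SECONDS, t0=0.0, n_buckets=n_buckets)
    return series, is_stationary(series, PERIOD)


if __name__ == "__main__":
    series, stationary = analyse_capture()
    print("load series (bytes per 10 s):", series)
    print("stationary:", stationary)
```

The filter keeps a packet only when its source and destination are exactly the host/PLC pair, which mirrors the "export the required packets through a configured filter" step; a capture that also carries a steadily growing load from another node would not distort the series, but a trend on the host-PLC link itself makes the windowed-mean check fail, which is the signal to pick a non-stationary model class instead.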
Step S200: predict, from the established ARMA model, the subsequent predicted traffic load value between the host computer and the PLC.
In this embodiment, the econometrics software package EViews (Econometrics Views) can be used to predict the subsequent predicted traffic load value between the host computer and the PLC.
Step S300: obtain the subsequent actual traffic load value between the host computer and the PLC.
In this embodiment, the subsequent actual traffic load value between the host computer and the PLC can likewise be obtained by calling the Wireshark software, which is not repeated here. In addition, in this embodiment the subsequent actual traffic load value between the host computer and the PLC can be sampled once every preset duration, so that the sampling of the subsequent actual traffic load value is timely, accurate and representative.
Step S400: compare the subsequent actual traffic load value with the subsequent predicted traffic load value.
With reference to Fig. 4, optionally, in this embodiment step S400 can include the sub-steps step S410, step S420 and step S430.
Step S410: select a first predetermined number of consecutive sample values from the subsequent actual traffic load value.
Step S420: obtain a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value.
Step S430: compare each of the first predetermined number of sample values with the preset confidence interval.
In this embodiment, the first predetermined number of sample values are consecutive sample values in order of acquisition time; the first predetermined number can be 3 or 5, and the preset confidence interval is 95% or 98%. This embodiment does not specifically limit these values.
Step S500: judge, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
With reference to Fig. 5, optionally, in this embodiment step S500 includes two sub-steps: step S510 and step S520.
Step S510: obtain the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval.
Step S520: when the number of samples outside the preset confidence interval is greater than a second predetermined number, judge that the traffic load value between the host computer and the PLC is abnormal.
In this embodiment, the second predetermined number can be 1 or 2; this embodiment does not specifically limit it. Taking the first predetermined number as 3, the preset confidence interval as 95% and the second predetermined number as 1 as an example: when the comparison shows that any 2 of the 3 sample values fall outside the 95% confidence interval, the traffic load value between the host computer and the PLC is judged to be abnormal.
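As an added example of steps S200 through S520 (written for this page; it is not the patent's code and it does not use EViews), the following Python fits a stationary model to a constructed load series, forecasts the next values together with their prediction intervals, and applies the rule from the worked numbers above: 3 consecutive actual samples, a 95% interval, and an anomaly verdict when more than 1 sample falls outside. The description allows an AR model as one of the stationary choices, so this example uses a pure AR(p) fit by ordinary least squares from the standard library as a stand-in for ARMA; the series values, the order p = 4 and the z-value 1.96 for the 95% band are assumptions.

```python
import math


def _solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for the small normal-equation system."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: the series carries no usable variance")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


class ARModel:
    """AR(p) model y_t = c + phi_1 y_{t-1} + ... + phi_p y_{t-p} + e_t with residual std sigma."""

    def __init__(self, coef, sigma):
        self.coef = coef      # [c, phi_1, ..., phi_p]
        self.sigma = sigma

    @property
    def order(self):
        return len(self.coef) - 1

    def forecast_one(self, history):
        lags = history[-self.order:][::-1]      # y_{t-1}, y_{t-2}, ..., y_{t-p}
        return self.coef[0] + sum(phi * y for phi, y in zip(self.coef[1:], lags))

    def forecast(self, history, horizon, z=1.96):
        """Step S200: recursive h-step forecasts as (lo, point, hi) prediction intervals.
        The h-step error variance of an AR model is sigma^2 * sum_{j<h} psi_j^2, where the
        psi_j are the MA weights implied by the AR coefficients; z = 1.96 gives the 95% band."""
        p, path, psi, out = self.order, list(history), [1.0], []
        for h in range(1, horizon + 1):
            point = self.forecast_one(path)
            path.append(point)                  # later steps use earlier forecasts, not actuals
            if h > 1:
                j = h - 1
                psi.append(sum(self.coef[i] * psi[j - i] for i in range(1, min(j, p) + 1)))
            half = z * self.sigma * math.sqrt(sum(w * w for w in psi))
            out.append((point - half, point, point + half))
        return out


def fit_ar(series, p):
    """Step S100, modelling part: ordinary least squares fit of an AR(p) model."""
    rows = [[1.0] + [float(series[t - i]) for i in range(1, p + 1)] for t in range(p, len(series))]
    ys = [float(series[t]) for t in range(p, len(series))]
    k = p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(k)]
    coef = _solve(xtx, xty)
    resid = [y - sum(b * x for b, x in zip(coef, r)) for r, y in zip(rows, ys)]
    sigma = math.sqrt(sum(e * e for e in resid) / max(1, len(resid) - k))
    return ARModel(coef, sigma)


def detect_anomaly(model, history, new_samples, first_n=3, second_n=1, z=1.96):
    """Steps S410-S520: compare the first `first_n` consecutive actual samples with the
    prediction intervals; the link is judged abnormal when more than `second_n` of them
    fall outside. Returns (abnormal, count_outside, per-sample details)."""
    samples = list(new_samples[:first_n])
    intervals = model.forecast(history, len(samples), z)
    checks = [(x, lo, hi, not lo <= x <= hi) for x, (lo, _, hi) in zip(samples, intervals)]
    outside = sum(1 for c in checks if c[3])
    return outside > second_n, outside, checks


def constructed_series(n):
    """Constructed stand-in for the exported load series (bytes per 10 s): a baseline,
    two overlapping cycles of 4 and 6 buckets, and a small deterministic jitter."""
    cycle4 = [-50, 100, -70, 50]
    cycle6 = [20, -10, 30, 0, -25, -15]
    return [1250 + cycle4[t % 4] + cycle6[t % 6] + ((t * 7919) % 13) - 6 for t in range(n)]


TRAIN = constructed_series(48)   # history used to establish the model

if __name__ == "__main__":
    model = fit_ar(TRAIN, 4)
    print("coefficients:", [round(c, 3) for c in model.coef], "sigma:", round(model.sigma, 2))
    verdict, n_out, checks = detect_anomaly(model, TRAIN, [1310, 5200, 5400])
    for x, lo, hi, out in checks:
        print(f"sample {x:7.1f}  interval [{lo:8.1f}, {hi:8.1f}]  outside={out}")
    print("abnormal:", verdict, "samples outside:", n_out)
```

Two design points matter for a detector like this. First, the forecasts for the three samples are all made from the trusted history, so a single flooded sample cannot drag the next interval along with it; second, the band widens with the horizon through the psi weights, which keeps the false-alarm rate of the second and third samples close to the nominal 5% instead of inflating it.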
Referring to Fig. 6, optionally, in this embodiment the method also includes:
Step S600: when the comparison result leads to the judgment that the traffic load value between the host computer and the PLC is abnormal, start the traffic load anomaly response system.
In this embodiment, the anomaly response system can be an alarm system that is controlled to issue an alarm prompting staff to handle the anomaly, or an ICS shutdown system that, when the traffic load value between the host computer and the PLC is judged abnormal, controls the ICS to shut down and stop operation.
Referring to Fig. 7, an embodiment of the present invention also provides a traffic anomaly detection device 110, which includes:
a model building module 111, for obtaining a time series of the traffic load value between the host computer and the PLC on a preset time scale and modelling the time series with an ARMA model. For a description of the model building module 111, refer to the detailed description of step S100 shown in Fig. 2; that is, step S100 can be performed by the model building module 111.
a predicted value acquisition module 112, for predicting, from the established ARMA model, the subsequent predicted traffic load value between the host computer and the PLC. For a description of the predicted value acquisition module 112, refer to the detailed description of step S200 shown in Fig. 2; that is, step S200 can be performed by the predicted value acquisition module 112.
an actual value acquisition module 113, for obtaining the subsequent actual traffic load value between the host computer and the PLC. For a description of the actual value acquisition module 113, refer to the detailed description of step S300 shown in Fig. 2; that is, step S300 can be performed by the actual value acquisition module 113.
a comparison module 114, for comparing the subsequent actual traffic load value with the subsequent predicted traffic load value. For a description of the comparison module 114, refer to the detailed description of step S400 shown in Fig. 2; that is, step S400 can be performed by the comparison module 114.
an anomaly judgment module 115, for judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal. For a description of the anomaly judgment module 115, refer to the detailed description of step S500 shown in Fig. 2; that is, step S500 can be performed by the anomaly judgment module 115.
Optionally, in this embodiment the model building module 111 includes:
a packet acquisition unit, for obtaining the packets on the communication link between the host computer and the PLC during a preset duration. For a description of the packet acquisition unit, refer to the detailed description of step S110 shown in Fig. 3; that is, step S110 can be performed by the packet acquisition unit.
a time series selection unit, for filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale. For a description of the time series selection unit, refer to the detailed description of step S120 shown in Fig. 3; that is, step S120 can be performed by the time series selection unit.
a stationarity analysis unit, for performing stationarity analysis on the time series. For a description of the stationarity analysis unit, refer to the detailed description of step S130 shown in Fig. 3; that is, step S130 can be performed by the stationarity analysis unit.
a model establishing unit, for modelling the time series with an ARMA model when the analysis result shows that the time series is a stationary series. For a description of the model establishing unit, refer to the detailed description of step S140 shown in Fig. 3; that is, step S140 can be performed by the model establishing unit.
Optionally, in this embodiment the comparison module 114 includes:
a sample value acquisition unit, for selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value. For a description of the sample value acquisition unit, refer to the detailed description of step S410 shown in Fig. 4; that is, step S410 can be performed by the sample value acquisition unit.
a confidence interval acquisition unit, for obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value. For a description of the confidence interval acquisition unit, refer to the detailed description of step S420 shown in Fig. 4; that is, step S420 can be performed by the confidence interval acquisition unit.
a comparison unit, for comparing each of the first predetermined number of sample values with the preset confidence interval. For a description of the comparison unit, refer to the detailed description of step S430 shown in Fig. 4; that is, step S430 can be performed by the comparison unit.
Optionally, in this embodiment the anomaly judgment module 115 includes:
an abnormal sample count acquisition unit, for obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval. For a description of the abnormal sample count acquisition unit, refer to the detailed description of step S510 shown in Fig. 5; that is, step S510 can be performed by the abnormal sample count acquisition unit.
an anomaly judgment unit, for judging that the traffic load value between the host computer and the PLC is abnormal when the number of samples outside the preset confidence interval is greater than a second predetermined number. For a description of the anomaly judgment unit, refer to the detailed description of step S520 shown in Fig. 5; that is, step S520 can be performed by the anomaly judgment unit.
Optionally, in this embodiment the device also includes an anomaly response module, for starting the traffic load anomaly response system when the comparison result leads to the judgment that the traffic load value between the host computer and the PLC is abnormal. For a description of the anomaly response module, refer to the detailed description of step S600 shown in Fig. 6; that is, step S600 can be performed by the anomaly response module.
In summary, the traffic anomaly detection method and device provided by the embodiments of the present invention obtain a time series of the traffic load value between the host computer and the PLC on a preset time scale, model the time series with an ARMA model, predict from the established ARMA model the subsequent predicted traffic load value between the host computer and the PLC, obtain the subsequent actual traffic load value between the host computer and the PLC, and compare the subsequent actual traffic load value with the subsequent predicted traffic load value, so that the comparison result shows whether the traffic load value between the host computer and the PLC is abnormal. In this way traffic anomalies between the host computer and the PLC are detected in a timely manner and the safe operation of the ICS is effectively safeguarded.
In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The device embodiments described above are only illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the architecture, functions and operations that may be implemented by the device, method and computer program product according to embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a part of code, and that module, program segment or part of code contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the function involved. It should also be noted that each block in the block diagrams and/or flowcharts, and each combination of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
It should be noted that, herein, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included in the scope of protection. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item has been defined in one drawing, it need not be further defined and explained in subsequent drawings.
The foregoing are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any person familiar with the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these shall all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be based on the scope of protection of the claims.
Claims (10)
- 1. A traffic anomaly detection method, characterized in that the method comprises: obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale, and modelling the time series with an autoregressive moving average (ARMA) model; predicting, from the established ARMA model, the subsequent predicted traffic load value between the host computer and the PLC; obtaining the subsequent actual traffic load value between the host computer and the PLC; comparing the subsequent actual traffic load value with the subsequent predicted traffic load value; and judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
- 2. The traffic anomaly detection method according to claim 1, characterized in that the step of comparing the subsequent actual traffic load value with the subsequent predicted traffic load value comprises: selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value; obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value; and comparing each of the first predetermined number of sample values with the preset confidence interval.
- 3. The traffic anomaly detection method according to claim 2, characterized in that the step of judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal comprises: obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval; and, when the number of samples outside the preset confidence interval is greater than a second predetermined number, judging that the traffic load value between the host computer and the PLC is abnormal.
- 4. The traffic anomaly detection method according to claim 1, characterized in that the step of obtaining a time series of the traffic load value between the host computer and the PLC on a preset time scale and modelling the time series with an ARMA model comprises: obtaining the packets on the communication link between the host computer and the PLC within a preset duration; filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale; performing stationarity analysis on the time series; and, when the time series is judged to be a stationary sequence according to the analysis result, modelling the time series with an ARMA model.
- 5. The traffic anomaly detection method according to any one of claims 1 to 4, characterized in that the method further comprises: when the traffic load value between the host computer and the PLC is judged abnormal according to the comparison result, starting a traffic load value exception response system.
- 6. A traffic anomaly detection device, characterized in that the device comprises: a model building module for obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale and modelling the time series with an ARMA model; a predicted value acquisition module for predicting, from the established ARMA model, the subsequent predicted traffic load value between the host computer and the PLC; an actual value acquisition module for obtaining the subsequent actual traffic load value between the host computer and the PLC; a comparison module for comparing the subsequent actual traffic load value with the subsequent predicted traffic load value; and an anomaly judging module for judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
- 7. The traffic anomaly detection device according to claim 6, characterized in that the comparison module comprises: a sample value acquiring unit for selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value; a confidence interval acquiring unit for obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value; and a comparing unit for comparing each of the first predetermined number of sample values with the preset confidence interval.
- 8. The traffic anomaly detection device according to claim 7, characterized in that the anomaly judging module comprises: an abnormal sample count acquiring unit for obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval; and an anomaly judging unit for judging that the traffic load value between the host computer and the PLC is abnormal when the number of samples outside the preset confidence interval is greater than a second predetermined number.
- 9. The traffic anomaly detection device according to claim 6, characterized in that the model building module comprises: a packet acquiring unit for obtaining the packets on the communication link between the host computer and the PLC within a preset duration; a time series selecting unit for filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale; a stationarity analysis unit for performing stationarity analysis on the time series; and a model establishing unit for modelling the time series with an ARMA model when the time series is judged to be a stationary sequence according to the analysis result.
- 10. The traffic anomaly detection device according to any one of claims 6 to 9, characterized in that the device further comprises: an exception response module for starting a traffic load value exception response system when the traffic load value between the host computer and the PLC is judged abnormal according to the comparison result.
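The procedure that the summary and claims 1 to 4 describe (packets on the host/PLC link filtered into a per-interval load series, a stationarity analysis, a model of the series, a multi-step prediction with a confidence interval, and the N1/N2 counting rule of claims 2 and 3), as an added worked example that is not code from the patent. The patent names neither a fitting method nor a stationarity test, so this example fits the autoregressive part of the model, AR(p), by ordinary least squares, uses a split-sample stationarity check in place of a formal test, and constructs its own addresses, packet records and thresholds; every name, address, threshold and sample value in it is an assumption:

```python
"""Added example, not code from the patent: the claimed host computer <-> PLC
traffic-load anomaly pipeline with the standard library only. Assumptions: the
ARMA model is replaced by its AR(p) part fitted by least squares, the unnamed
stationarity analysis by a split-sample check; all data are constructed."""
import math
import random

HOST, PLC = "192.168.10.5", "192.168.10.20"  # assumed addresses (constructed)

def build_load_series(packets, host, plc, bin_seconds):
    """Claim 4: bytes of host<->PLC packets summed per bin; packets = [(t, src, dst, length)]."""
    bins = [0.0] * (int(max((p[0] for p in packets), default=-1.0) // bin_seconds) + 1)
    for t, src, dst, length in packets:
        if {src, dst} == {host, plc}:  # both directions of the link, nothing else
            bins[int(t // bin_seconds)] += length
    return bins

def is_stationary(series, parts=4, tol=0.75):
    """Split-sample check standing in for an ADF/KPSS test: each segment's mean
    and std. dev. must lie within tol * sd of the whole-series values."""
    if len(series) < 4 * parts:
        return False
    mean = sum(series) / len(series)
    sd = math.sqrt(sum((x - mean) ** 2 for x in series) / len(series))
    if sd == 0.0:
        return False
    k = len(series) // parts
    for i in range(parts):
        seg = series[i * k:(i + 1) * k]
        m = sum(seg) / k
        s = math.sqrt(sum((x - m) ** 2 for x in seg) / k)
        if abs(m - mean) > tol * sd or abs(s - sd) > tol * sd:
            return False
    return True

def _solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for the normal equations."""
    n, m = len(a), [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def fit_ar(series, p=2):
    """Least squares for x_t = c + phi_1 x_{t-1} + ... + phi_p x_{t-p} + e_t;
    returns (c, [phi_1..phi_p], sigma) with sigma the residual std. dev."""
    rows = [[1.0] + [series[t - i] for i in range(1, p + 1)] for t in range(p, len(series))]
    y, k = series[p:], p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    resid = [yi - sum(b * v for b, v in zip(beta, r)) for r, yi in zip(rows, y)]
    return beta[0], beta[1:], math.sqrt(sum(e * e for e in resid) / (len(resid) - k))

def forecast(model, history, steps, z=3.0):
    """Claims 1-2: multi-step predictions with a z-sigma band; the h-step error
    variance is sigma^2 * sum(psi_j^2, j < h), psi being the AR impulse weights."""
    c, phi, sigma = model
    p, path, psi = len(phi), list(history[-len(phi):]), [1.0]
    pred, lower, upper = [], [], []
    for h in range(1, steps + 1):
        nxt = c + sum(phi[i] * path[-1 - i] for i in range(p))
        path.append(nxt)
        if h > 1:
            psi.append(sum(phi[i] * psi[h - 2 - i] for i in range(min(p, h - 1))))
        half = z * sigma * math.sqrt(sum(w * w for w in psi))
        pred.append(nxt)
        lower.append(nxt - half)
        upper.append(nxt + half)
    return pred, lower, upper

def detect_anomaly(actual, lower, upper, n1=10, n2=2):
    """Claims 2-3: count the first n1 consecutive actual samples outside the
    band; abnormal when the count exceeds n2. Returns (abnormal, count)."""
    outside = sum(1 for a, lo, hi in zip(actual[:n1], lower, upper) if a < lo or a > hi)
    return outside > n2, outside

def constructed_packets(n_train, n_future, flood_extra=0.0, bin_seconds=1.0, seed=7):
    """Constructed capture, not real data: AR(1) link load around 1200 bytes/s plus
    background packets the filter must drop; flood_extra bytes are added to every
    link packet in the last n_future bins to model an anomaly such as a flood."""
    rng, packets, load = random.Random(seed), [], 1200.0
    for i in range(n_train + n_future):
        load = 1200.0 + 0.5 * (load - 1200.0) + rng.gauss(0.0, 50.0)
        extra, t = (flood_extra if i >= n_train else 0.0), i * bin_seconds
        packets.append((t + 0.2, HOST, PLC, int(load / 2 + extra)))
        packets.append((t + 0.6, PLC, HOST, int(load / 2 + extra)))
        packets.append((t + 0.4, HOST, "192.168.10.99", 300))  # not on the link
    return packets

def run_detection(flood_extra=0.0, n_train=400, n_future=10, bin_seconds=1.0):
    """End to end: series -> stationarity check -> AR fit on the first n_train
    bins -> forecast of the next n_future -> N1/N2 rule. Returns (abnormal, count)."""
    packets = constructed_packets(n_train, n_future, flood_extra, bin_seconds)
    series = build_load_series(packets, HOST, PLC, bin_seconds)
    train, future = series[:n_train], series[n_train:]
    if not is_stationary(train):
        raise ValueError("series is not stationary; difference it before modelling")
    _pred, lower, upper = forecast(fit_ar(train, p=2), train, n_future, z=3.0)
    return detect_anomaly(future, lower, upper, n1=n_future, n2=2)
```

Calling `run_detection(0.0)` and `run_detection(400.0)` shows the two outcomes: the normal continuation of the constructed link load stays inside the 3-sigma band, while a flat 800 bytes/s of extra link traffic pushes all ten samples of the N1 window outside it. Two caveats a deployment needs beyond what the claims state: a series that fails the stationarity check must be differenced before modelling rather than fed to the AR fit as is, and an attacker who knows the band can keep a slow scan or exfiltration under it, so the load-value check complements protocol-level inspection of the host/PLC traffic rather than replacing it.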
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711230946.7A CN107872464A (en) | 2017-11-29 | 2017-11-29 | Traffic anomaly detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711230946.7A CN107872464A (en) | 2017-11-29 | 2017-11-29 | Traffic anomaly detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107872464A true CN107872464A (en) | 2018-04-03 |
Family
ID=61754989
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711230946.7A Pending CN107872464A (en) | 2017-11-29 | 2017-11-29 | Traffic anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107872464A (en) |
- 2017-11-29: CN CN201711230946.7A patent/CN107872464A/en, status Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101651568A (en) * | 2009-07-01 | 2010-02-17 | 青岛农业大学 | Method for predicting network flow and detecting abnormality |
CN102625312A (en) * | 2012-04-25 | 2012-08-01 | 重庆邮电大学 | Sensor network safety system based on delaminated intrusion detection |
Non-Patent Citations (2)
Title |
---|
周强 et al.: "Network data traffic prediction model based on autoregressive moving average" (基于自回归滑动平均的网络数据流量预测模型), 《计算机科学》 (Computer Science) * |
彭军 et al.: "WSN intrusion detection technique based on traffic prediction" (基于流量预测的WSN入侵检测技术), 《计算机应用与软件》 (Computer Applications and Software) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109245913A (en) * | 2018-08-02 | 2019-01-18 | 浙江口碑网络技术有限公司 (Zhejiang Koubei Network Technology Co., Ltd.) | Cloud health-check system and method |
CN109768995A (en) * | 2019-03-06 | 2019-05-17 | 国网甘肃省电力公司电力科学研究院 (State Grid Gansu Electric Power Company Electric Power Research Institute) | Network traffic anomaly detection method based on cyclic prediction and learning |
CN109768995B (en) * | 2019-03-06 | 2021-08-13 | 国网甘肃省电力公司电力科学研究院 (State Grid Gansu Electric Power Company Electric Power Research Institute) | Network traffic anomaly detection method based on cyclic prediction and learning |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111262722B (en) | | Safety monitoring method for industrial control system network |
AU2015302129B2 (en) | | Analyzing cyber-security risks in an industrial control environment |
CN112995196B (en) | | Method and system for processing situation awareness information in network security level protection |
CN101854340B (en) | | Behaviour-based communication analysis based on access control information |
CN108055282A (en) | | Industrial control abnormal behaviour analysis method and system based on a self-learning whitelist |
CN107241224A (en) | | Network risk monitoring method and system for a substation |
CN109391613A (en) | | Intelligent substation security auditing method based on SCD parsing |
CN109164786A (en) | | Anomaly detection method, device and equipment based on a time-correlated baseline |
CN107786532A (en) | | System and method for using virtual honeypots in industrial automation systems and cloud connectors |
CN110752951A (en) | | Industrial network traffic monitoring and auditing method, device and system |
CN111654489A (en) | | Network security situation sensing method, device, equipment and storage medium |
CN106254137B (en) | | Alarm root-cause analysis system and method for a supervisory system |
Polet et al. | | Theory of safety-related violations of system barriers |
CN107797465A (en) | | Monitoring method and device |
CN107872464A (en) | | Traffic anomaly detection method and device |
CN107911240A (en) | | Fault detection method and device |
CN108111487A (en) | | Safety monitoring method and system |
CN106385339A (en) | | Monitoring method and monitoring system for access performance of an enterprise network |
CN112688946B (en) | | Method, module, storage medium, device and system for constructing anomaly detection features |
CN115550145B (en) | | Industrial internet security dynamic protection method and protection system |
CN110113336A (en) | | Network traffic anomaly analysis and identification method for a substation network environment |
CN111934951A (en) | | Network packet loss detection method and device |
CN115225385B (en) | | Traffic monitoring method, system, equipment and computer-readable storage medium |
CN112558562A (en) | | Pump station management system |
WO2021064144A1 (en) | | Method and system for continuous estimation and representation of risk |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20180403 |