CN107872464A - Traffic anomaly detection method and device - Google Patents


Info

Publication number
CN107872464A
Authority
CN
China
Prior art keywords
load value
plc
host computer
time series
traffic
Prior art date
Legal status
Pending
Application number
CN201711230946.7A
Other languages
Chinese (zh)
Inventor
张磊
刘亮
陈航
方勇
邹晓波
胡晓晴
Current Assignee
Sichuan Silent Information Technology Co Ltd
Sichuan University
Original Assignee
Sichuan Silent Information Technology Co Ltd
Sichuan University
Priority date
Filing date
Publication date
Application filed by Sichuan Silent Information Technology Co Ltd, Sichuan University
Priority to CN201711230946.7A
Publication of CN107872464A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The present invention relates to the field of industrial control, and in particular to a traffic anomaly detection method and device. The method includes: obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale, and modeling the time series with an autoregressive moving-average model; predicting, from the established autoregressive moving-average model, the subsequent predicted traffic load value between the host computer and the PLC; obtaining the subsequent actual traffic load value between the host computer and the PLC; comparing the subsequent actual traffic load value with the subsequent predicted traffic load value; and judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal. The traffic anomaly detection method and device enable timely detection of traffic anomalies between the host computer and the PLC and effectively safeguard the safe operation of the ICS.

Description

Traffic anomaly detection method and device
Technical field
The present invention relates to the field of industrial control, and in particular to a traffic anomaly detection method and device.
Background technology
An industrial control system (Industrial Control System, ICS) is an important component of national critical infrastructure, and ICS security is of great significance to the national security strategy. However, with the continued convergence of informatisation and industrialisation, the safety barrier that an ICS once enjoyed through isolation and proprietary technology has disappeared, and the ICS now faces security threats. Meanwhile, within an ICS the network node between the host computer and the PLC is a critical security node: malicious code such as Stuxnet and BlackEnergy, and viruses such as W32.Ramnit and Conficker, all manipulate system equipment through this network node. It follows that protecting the network node between the host computer and the PLC is especially important to the overall security of the ICS.
Through their research the inventors found that a normally operating ICS maintains a more stable traffic level than a general-purpose network. When the traffic level of the ICS is abnormal over a period of time, it is likely that system equipment is under attack by a virus or has failed, which affects the equipment and even the safe operation of the whole ICS. How to detect anomalies in ICS network traffic is therefore a technical problem that those skilled in the art urgently need to solve.
Content of the invention
In view of this, an object of the present invention is to provide a traffic anomaly detection method and device to solve the above problem.
An embodiment of the present invention provides a traffic anomaly detection method, which includes:
obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale, and modeling the time series with an autoregressive moving-average model;
predicting, from the established autoregressive moving-average model, the subsequent predicted traffic load value between the host computer and the PLC;
obtaining the subsequent actual traffic load value between the host computer and the PLC;
comparing the subsequent actual traffic load value with the subsequent predicted traffic load value;
judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
Further, the step of comparing the subsequent actual traffic load value with the subsequent predicted traffic load value includes:
selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value;
obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value;
comparing each of the first predetermined number of sample values with the preset confidence interval.
Further, the step of judging, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal includes:
obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval;
when the number of samples outside the preset confidence interval is greater than a second predetermined number, judging that the traffic load value between the host computer and the PLC is abnormal.
Further, the step of obtaining the time series of the traffic load value between the host computer and the PLC on the preset time scale and modeling the time series with an autoregressive moving-average model includes:
obtaining the packets on the communication link between the host computer and the PLC within a preset duration;
filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale;
performing stationarity analysis on the time series;
when the analysis result shows that the time series is a stationary sequence, modeling the time series with an autoregressive moving-average model.
Further, the method also includes:
when the comparison result shows that the traffic load value between the host computer and the PLC is abnormal, starting a traffic load value anomaly response system.
An embodiment of the present invention additionally provides a traffic anomaly detection device, which includes:
a model building module, configured to obtain a time series of the traffic load value between a host computer and a PLC on a preset time scale and to model the time series with an autoregressive moving-average model;
a predicted value acquisition module, configured to predict, from the established autoregressive moving-average model, the subsequent predicted traffic load value between the host computer and the PLC;
an actual value acquisition module, configured to obtain the subsequent actual traffic load value between the host computer and the PLC;
a comparing module, configured to compare the subsequent actual traffic load value with the subsequent predicted traffic load value;
an anomaly judging module, configured to judge, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
Further, the comparing module includes:
a sample value acquiring unit, configured to select a first predetermined number of consecutive sample values from the subsequent actual traffic load value;
a confidence interval acquiring unit, configured to obtain a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value;
a comparing unit, configured to compare each of the first predetermined number of sample values with the preset confidence interval.
Further, the anomaly judging module includes:
an abnormal sample count acquiring unit, configured to obtain the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval;
an anomaly judging unit, configured to judge that the traffic load value between the host computer and the PLC is abnormal when the number of samples outside the preset confidence interval is greater than a second predetermined number.
Further, the model building module includes:
a packet acquiring unit, configured to obtain the packets on the communication link between the host computer and the PLC within a preset duration;
a time series selecting unit, configured to filter the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale;
a stationarity analysis unit, configured to perform stationarity analysis on the time series;
a model establishing unit, configured to model the time series with an autoregressive moving-average model when the analysis result shows that the time series is a stationary sequence.
Further, the device also includes:
an anomaly response module, configured to start a traffic load value anomaly response system when the comparison result shows that the traffic load value between the host computer and the PLC is abnormal.
The traffic anomaly detection method and device provided by the embodiments of the present invention obtain a time series of the traffic load value between a host computer and a PLC on a preset time scale and model the time series with an autoregressive moving-average model; predict, from the established model, the subsequent predicted traffic load value between the host computer and the PLC; obtain the subsequent actual traffic load value between them; and compare the subsequent actual traffic load value with the subsequent predicted traffic load value, so that whether the traffic load value between the host computer and the PLC is abnormal can be judged from the comparison result. Traffic anomalies between the host computer and the PLC are thus detected in a timely manner, effectively safeguarding the safe operation of the ICS.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only certain embodiments of the present invention and are therefore not to be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a schematic block diagram of a flow detection device provided in an embodiment of the present invention.
Fig. 2 is a schematic flow chart of a traffic anomaly detection method provided in an embodiment of the present invention.
Fig. 3 is a flow chart of the sub-steps of step S100 in Fig. 2.
Fig. 4 is a flow chart of the sub-steps of step S400 in Fig. 2.
Fig. 5 is a flow chart of the sub-steps of step S500 in Fig. 2.
Fig. 6 is another schematic flow chart of the traffic anomaly detection method provided in an embodiment of the present invention.
Fig. 7 is a schematic block diagram of a traffic anomaly detection device provided in an embodiment of the present invention.
Reference numerals: 100: flow detection device; 110: traffic anomaly detection device; 111: model building module; 112: predicted value acquisition module; 113: actual value acquisition module; 114: comparing module; 115: anomaly judging module; 120: processor; 130: memory.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. The components of the embodiments, as generally described and illustrated in the drawings, may be arranged and designed in a variety of configurations. Therefore, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention but merely represents selected embodiments. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. In the description of the present invention, unless otherwise expressly specified and limited, the terms "installed", "arranged" and "connected" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal between two elements. Those of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
Referring to Fig. 1, a flow detection device 100 applies the traffic anomaly detection method and device provided in the embodiments of the present invention. The flow detection device 100 can communicate with the host computer and/or the PLC of the ICS to obtain the traffic load value between the host computer and the PLC.
The flow detection device 100 includes a traffic anomaly detection device 110, a processor 120 and a memory 130. The processor 120 and the memory 130 are electrically connected to each other, directly or indirectly, to transmit or exchange data. The traffic anomaly detection device 110 includes at least one software functional module that can be stored in the memory 130 in the form of software or firmware or solidified in the operating system (Operating System, OS) of the server. The processor 120 executes the executable modules stored in the memory 130, for example the software functional modules and computer programs included in the traffic anomaly detection device 110, and can execute such a computer program after receiving an execution instruction.
The processor 120 may be an integrated circuit chip with signal processing capability. It may also be a general-purpose processor, for example a central processing unit (Central Processing Unit, CPU) or a network processor (Network Processing, NP), or a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), discrete gate or transistor logic, or discrete hardware components. The general-purpose processor may be a microprocessor or any conventional processor.
The memory 130 may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM) or electrically erasable programmable read-only memory (Electric Erasable Programmable Read-Only Memory, EEPROM).
It should be understood that the structure shown in Fig. 1 is only illustrative; the flow detection device 100 may have fewer or more components than shown in Fig. 1, or a configuration different from that shown in Fig. 1. Each component shown in Fig. 1 may be implemented in software, hardware or a combination of the two.
Referring to Fig. 2, which is a schematic flow chart of a traffic anomaly detection method provided in an embodiment of the present invention, the method is applied to the flow detection device 100 shown in Fig. 1. It should be noted that the method provided by the present invention is not limited to the specific order shown in Fig. 2 and described below. The specific flow and steps of the traffic anomaly detection method are described in detail below with reference to Fig. 2.
Step S100: obtain a time series of the traffic load value between the host computer and the PLC on a preset time scale, and model the time series with an autoregressive moving average (Autoregressive moving average, ARMA) model.
Optionally, in this embodiment the preset time scale is 10 seconds, but it should be understood that the specific value of the preset time scale is not limited by this embodiment. It should be noted that in this embodiment the time series is a periodic time series. It should further be noted that the time series models commonly used for traffic prediction fall roughly into two classes, stationary and non-stationary: stationary models mainly include the ARMA model, the autoregressive (auto regressive, AR) model and the fractional autoregressive integrated moving average (fractional autoregressive integration moving average, FARIMA) model, while non-stationary models mainly include the autoregressive integrated moving average (Autoregressive Integrated Moving Average, ARIMA) model. Since in this embodiment the time series used for modeling must be a stationary sequence, the time series may be modeled with an ARMA model, with an AR model or with a FARIMA model; this embodiment does not specifically limit the choice.
With reference to Fig. 3, optionally, in this embodiment step S100 includes four sub-steps: step S110, step S120, step S130 and step S140.
Step S110: obtain the packets on the communication link between the host computer and the PLC within a preset duration.
Step S120: filter the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale.
Step S130: perform stationarity analysis on the time series.
Step S140: when the analysis result shows that the time series is a stationary sequence, model the time series with the ARMA model.
In this embodiment, the packets on the communication link between the host computer and the PLC can be obtained by invoking the Wireshark software. Specifically, Wireshark can obtain information such as the arrival time, packet length, source IP and protocol of all packets on the communication link between the host computer and the PLC, and export the required packets through a configured filter, that is, export the communication traffic between the host computer and the PLC as a time series of the traffic on the preset time scale. Thereafter, stationarity analysis can be performed on the time series by plotting a traffic-versus-time chart. If a predetermined number of sample points show obvious periodicity on the preset time scale, and the mean and variance show no obvious trend over time, the time series is judged to be a stationary sequence and is immediately modeled with the ARMA model.
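The following Python is an added example, not code from the patent: it builds the 10-second traffic-load time series of steps S110 to S130 from constructed packet records shaped like the Wireshark columns named above (arrival time, length, source IP, destination IP, protocol), keeps only the host-to-PLC link, and replaces the plot-based stationarity judgement with a crude mean-and-variance drift check. The addresses, packet sizes, protocol labels and the drift tolerance are assumptions.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Placeholder addresses (assumed, not from the patent) for the host computer,
# the PLC and an unrelated device whose packets the filter must drop.
HOST = "192.0.2.10"
PLC = "192.0.2.20"
OTHER = "192.0.2.99"
TIME_SCALE = 10.0   # preset time scale in seconds, as in the embodiment


def make_sample_packets():
    """Constructed capture: one 64-byte request and one 128-byte reply every
    0.5 s on the host<->PLC link, plus a 300-byte packet every second from the
    unrelated device. Tuples mirror the Wireshark columns the patent names:
    (arrival time, length, source IP, destination IP, protocol)."""
    packets = []
    for i in range(120):                      # 60 s of traffic
        t = i * 0.5
        packets.append((t, 64, HOST, PLC, "Modbus/TCP"))
        packets.append((t + 0.01, 128, PLC, HOST, "Modbus/TCP"))
        if i % 2 == 0:
            packets.append((t + 0.2, 300, OTHER, PLC, "TCP"))
    return packets


def filter_link(packets, a, b):
    """Step S120: keep only packets exchanged between a and b (either direction)."""
    return [p for p in packets if {p[2], p[3]} == {a, b}]


def bucket_load(packets, scale=TIME_SCALE):
    """Sum packet lengths per bucket of `scale` seconds, giving the traffic-load
    time series; empty buckets inside the window are reported as 0 so the
    series stays evenly spaced."""
    if not packets:
        return []
    totals = defaultdict(int)
    for t, length, *_ in packets:
        totals[int(t // scale)] += length
    return [totals.get(k, 0) for k in range(max(totals) + 1)]


def is_stationary(series, blocks=3, tol=0.25):
    """Step S130, simplified: split the series into `blocks` segments and
    require the per-segment mean and variance to stay within a fraction `tol`
    of their whole-series values (i.e. no obvious trend). The patent judges
    this from a plotted chart; the tolerance here is an assumption."""
    if len(series) < 2 * blocks:
        return False
    size = len(series) // blocks
    segs = [series[i * size:(i + 1) * size] for i in range(blocks)]
    means = [mean(s) for s in segs]
    variances = [pvariance(s) for s in segs]
    mean_ok = max(means) - min(means) <= tol * abs(mean(series))
    var_ok = max(variances) - min(variances) <= tol * pvariance(series)
    return mean_ok and var_ok


if __name__ == "__main__":
    link = filter_link(make_sample_packets(), HOST, PLC)
    series = bucket_load(link)
    print("load per 10 s:", series, "stationary:", is_stationary(series))
```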
Step S200: predict, from the established ARMA model, the subsequent predicted traffic load value between the host computer and the PLC.
In this embodiment, the econometrics software package Eviews (Econometrics Views) can be used to predict the subsequent predicted traffic load value between the host computer and the PLC.
Step S300: obtain the subsequent actual traffic load value between the host computer and the PLC.
In this embodiment, the subsequent actual traffic load value between the host computer and the PLC can likewise be obtained by invoking the Wireshark software, which is not repeated here. In addition, in this embodiment the subsequent actual traffic load value between the host computer and the PLC may be sampled once every preset duration, so that the sampling of the subsequent actual traffic load value has high timeliness, accuracy and reference value.
Step S400: compare the subsequent actual traffic load value with the subsequent predicted traffic load value.
With reference to Fig. 4, optionally, in this embodiment step S400 may include the sub-steps S410, S420 and S430.
Step S410: select a first predetermined number of consecutive sample values from the subsequent actual traffic load value.
Step S420: obtain a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value.
Step S430: compare each of the first predetermined number of sample values with the preset confidence interval.
In this embodiment, the first predetermined number of sample values are sample values that are consecutive in acquisition time. The first predetermined number may be 3 or 5, and the preset confidence interval may be 95% or 98%; this embodiment does not specifically limit these values.
Step S500: judge, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal.
With reference to Fig. 5, optionally, in this embodiment step S500 includes two sub-steps: step S510 and step S520.
Step S510: obtain the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval.
Step S520: when the number of samples outside the preset confidence interval is greater than a second predetermined number, judge that the traffic load value between the host computer and the PLC is abnormal.
In this embodiment, the second predetermined number may be 1 or 2; this embodiment does not specifically limit it. Taking the first predetermined number as 3, the preset confidence interval as 95% and the second predetermined number as 1 as an example, when the judgement shows that any 2 of the 3 sample values exceed the 95% confidence interval, the traffic load value between the host computer and the PLC is judged to be abnormal.
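As an added example (not the patent's code, and a pure-Python stand-in for the Eviews forecast), the block below fits an AR(p) model, one of the stationary models the embodiment lists as an alternative to ARMA, by least squares, forecasts the subsequent predicted load values, derives a 95% or 98% interval from the residual spread, and applies the rule of steps S410 to S520 with the first predetermined number as the window length and the second as the allowed number of out-of-interval samples. The constructed sample series, the least-squares fit and the normal z-scores are assumptions.

```python
from statistics import pstdev

# Two-sided normal z-scores for the confidence levels the embodiment names.
Z_SCORE = {0.95: 1.960, 0.98: 2.326}


def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: series too short or constant")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ar(series, p):
    """Least-squares AR(p) fit: x_t = c + a_1 x_{t-1} + ... + a_p x_{t-p} + e_t.
    Returns [c, a_1, ..., a_p] and the residual standard deviation."""
    rows = [[1.0] + [series[t - i] for i in range(1, p + 1)]
            for t in range(p, len(series))]
    ys = series[p:]
    k = p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(k)]
    coef = solve(xtx, xty)
    resid = [y - sum(c * x for c, x in zip(coef, r)) for r, y in zip(rows, ys)]
    return coef, pstdev(resid)


def forecast(series, coef, steps):
    """Step S200: recursive point forecast of the next `steps` load values."""
    p = len(coef) - 1
    hist = list(series)
    for _ in range(steps):
        hist.append(coef[0] + sum(coef[i] * hist[-i] for i in range(1, p + 1)))
    return hist[-steps:]


def interval(pred, sigma, level=0.95):
    """Step S420: symmetric prediction interval around each forecast value."""
    z = Z_SCORE[level]
    return [(v - z * sigma, v + z * sigma) for v in pred]


def judge(actual, bounds, max_outside=1):
    """Steps S430-S520: count the consecutive actual samples outside the
    interval; more than `max_outside` (the second predetermined number)
    means the host<->PLC traffic load is judged abnormal."""
    outside = sum(1 for a, (lo, hi) in zip(actual, bounds) if a < lo or a > hi)
    return outside > max_outside, outside


def make_sample_series(n=60):
    """Constructed stationary load series (bytes per 10 s): mean-reverting
    around 100 with a small repeating disturbance, so it is not exactly AR."""
    noise = [3, -2, 1, -3, 2, -1]
    x, out = 100.0, []
    for t in range(n):
        x = 20 + 0.8 * x + noise[t % 6]
        out.append(x)
    return out


def detect(series, actual, p=2, level=0.95, max_outside=1):
    """One comparison window: fit, forecast len(actual) steps (the first
    predetermined number), build the interval and apply the decision rule."""
    coef, sigma = fit_ar(series, p)
    bounds = interval(forecast(series, coef, len(actual)), sigma, level)
    return judge(actual, bounds, max_outside)


if __name__ == "__main__":
    hist = make_sample_series()
    coef, sigma = fit_ar(hist, 2)
    pred = forecast(hist, coef, 3)
    print("forecast:", pred, "sigma:", round(sigma, 2))
    print("normal window:", detect(hist, list(pred)))
    print("flooded window:", detect(hist, [v + 50 for v in pred]))
```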
Referring to Fig. 6, optionally, in this embodiment the method also includes:
Step S600: when the comparison result shows that the traffic load value between the host computer and the PLC is abnormal, start a traffic load value anomaly response system.
In this embodiment, the anomaly response system may be an alarm system that sends an alarm to prompt staff to handle the anomaly, or an ICS switching system that, when the traffic load value between the host computer and the PLC is judged to be abnormal, controls the ICS to shut down and stop operation.
Referring to Fig. 7, an embodiment of the present invention additionally provides a traffic anomaly detection device 110, which includes:
a model building module 111, configured to obtain a time series of the traffic load value between the host computer and the PLC on a preset time scale and to model the time series with an ARMA model. For the model building module 111, reference may be made to the detailed description of step S100 shown in Fig. 2; that is, step S100 may be performed by the model building module 111.
a predicted value acquisition module 112, configured to predict, from the established ARMA model, the subsequent predicted traffic load value between the host computer and the PLC. For the predicted value acquisition module 112, reference may be made to the detailed description of step S200 shown in Fig. 2; that is, step S200 may be performed by the predicted value acquisition module 112.
an actual value acquisition module 113, configured to obtain the subsequent actual traffic load value between the host computer and the PLC. For the actual value acquisition module 113, reference may be made to the detailed description of step S300 shown in Fig. 2; that is, step S300 may be performed by the actual value acquisition module 113.
a comparing module 114, configured to compare the subsequent actual traffic load value with the subsequent predicted traffic load value. For the comparing module 114, reference may be made to the detailed description of step S400 shown in Fig. 2; that is, step S400 may be performed by the comparing module 114.
an anomaly judging module 115, configured to judge, from the comparison result, whether the traffic load value between the host computer and the PLC is abnormal. For the anomaly judging module 115, reference may be made to the detailed description of step S500 shown in Fig. 2; that is, step S500 may be performed by the anomaly judging module 115.
Optionally, in this embodiment the model building module 111 includes:
a packet acquiring unit, configured to obtain the packets on the communication link between the host computer and the PLC within a preset duration. For the packet acquiring unit, reference may be made to the detailed description of step S110 shown in Fig. 3; that is, step S110 may be performed by the packet acquiring unit.
a time series selecting unit, configured to filter the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale. For the time series selecting unit, reference may be made to the detailed description of step S120 shown in Fig. 3; that is, step S120 may be performed by the time series selecting unit.
a stationarity analysis unit, configured to perform stationarity analysis on the time series. For the stationarity analysis unit, reference may be made to the detailed description of step S130 shown in Fig. 3; that is, step S130 may be performed by the stationarity analysis unit.
a model establishing unit, configured to model the time series with the ARMA model when the analysis result shows that the time series is a stationary sequence. For this unit, reference may be made to the detailed description of step S140 shown in Fig. 3; that is, step S140 may be performed by the model establishing unit.
Optionally, in this embodiment the comparing module 114 includes:
a sample value acquiring unit, configured to select a first predetermined number of consecutive sample values from the subsequent actual traffic load value. For the sample value acquiring unit, reference may be made to the detailed description of step S410 shown in Fig. 4; that is, step S410 may be performed by the sample value acquiring unit.
a confidence interval acquiring unit, configured to obtain a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value. For the confidence interval acquiring unit, reference may be made to the detailed description of step S420 shown in Fig. 4; that is, step S420 may be performed by the confidence interval acquiring unit.
a comparing unit, configured to compare each of the first predetermined number of sample values with the preset confidence interval. For the comparing unit, reference may be made to the detailed description of step S430 shown in Fig. 4; that is, step S430 may be performed by the comparing unit.
Optionally, in this embodiment the anomaly judging module 115 includes:
an abnormal sample count acquiring unit, configured to obtain the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval. For the abnormal sample count acquiring unit, reference may be made to the detailed description of step S510 shown in Fig. 5; that is, step S510 may be performed by the abnormal sample count acquiring unit.
an anomaly judging unit, configured to judge that the traffic load value between the host computer and the PLC is abnormal when the number of samples outside the preset confidence interval is greater than the second predetermined number. For the anomaly judging unit, reference may be made to the detailed description of step S520 shown in Fig. 5; that is, step S520 may be performed by the anomaly judging unit.
Optionally, in this embodiment the device also includes an anomaly response module, configured to start a traffic load value anomaly response system when the comparison result shows that the traffic load value between the host computer and the PLC is abnormal. For the anomaly response module, reference may be made to the detailed description of step S600 shown in Fig. 6; that is, step S600 may be performed by the anomaly response module.
In summary, Traffic anomaly detection method and device provided in an embodiment of the present invention, by obtaining host computer and PLC Between time series of the traffic load value on preset time yardstick, and the time series is built using arma modeling Mould, according to the arma modeling of foundation, the subsequent prediction traffic load value between the host computer and the PLC is predicted, obtains institute State the follow-up actual flow load value between host computer and the PLC, and by the follow-up actual flow load value with it is described after Continuous predicted flow rate load value is compared, so as to according to comparison result, judge that the flow between the host computer and the PLC is born Whether load value is abnormal, realizes the timely detection of the Traffic Anomaly between host computer and the PLC, has effectively ensured ICS's Safe operation.
In the embodiments provided in this application, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the architectures, functions and operations that may be implemented by the device, method and computer program product according to the embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the drawings; for example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should further be noted that each block in the block diagrams and/or flowcharts, and combinations of such blocks, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within its scope of protection. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings.
The foregoing are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that would readily occur to a person skilled in the art within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that of the claims.

Claims (10)

  1. A traffic anomaly detection method, characterised in that the method comprises:
    obtaining a time series of the traffic load value between a host computer and a PLC on a preset time scale, and modelling the time series with an autoregressive moving average (ARMA) model;
    predicting, from the established ARMA model, a subsequent predicted traffic load value between the host computer and the PLC;
    obtaining a subsequent actual traffic load value between the host computer and the PLC;
    comparing the subsequent actual traffic load value with the subsequent predicted traffic load value; and
    determining, from the comparison result, whether the traffic load value between the host computer and the PLC is anomalous.
  2. The traffic anomaly detection method according to claim 1, characterised in that the step of comparing the subsequent actual traffic load value with the subsequent predicted traffic load value comprises:
    selecting a first predetermined number of consecutive sample values from the subsequent actual traffic load value;
    obtaining a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value; and
    comparing each of the first predetermined number of sample values with the preset confidence interval.
  3. The traffic anomaly detection method according to claim 2, characterised in that the step of determining, from the comparison result, whether the traffic load value between the host computer and the PLC is anomalous comprises:
    obtaining the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval; and
    when the number of samples falling outside the preset confidence interval exceeds a second predetermined number, determining that the traffic load value between the host computer and the PLC is anomalous.
  4. The traffic anomaly detection method according to claim 1, characterised in that the step of obtaining a time series of the traffic load value between the host computer and the PLC on a preset time scale and modelling the time series with an ARMA model comprises:
    obtaining the packets on the communication link between the host computer and the PLC within a preset duration;
    filtering the packets to select the time series of the traffic load value between the host computer and the PLC on the preset time scale;
    performing a stationarity analysis on the time series; and
    when the analysis result shows that the time series is a stationary sequence, modelling the time series with an ARMA model.
  5. The traffic anomaly detection method according to any one of claims 1 to 4, characterised in that the method further comprises:
    when the comparison result indicates that the traffic load value between the host computer and the PLC is anomalous, starting a traffic-load anomaly response system.
  6. A traffic anomaly detection device, characterised in that the device comprises:
    a model building module, configured to obtain a time series of the traffic load value between a host computer and a PLC on a preset time scale and to model the time series with an autoregressive moving average (ARMA) model;
    a predicted value acquisition module, configured to predict, from the established ARMA model, a subsequent predicted traffic load value between the host computer and the PLC;
    an actual value acquisition module, configured to obtain a subsequent actual traffic load value between the host computer and the PLC;
    a comparison module, configured to compare the subsequent actual traffic load value with the subsequent predicted traffic load value; and
    an anomaly determining module, configured to determine, from the comparison result, whether the traffic load value between the host computer and the PLC is anomalous.
  7. The traffic anomaly detection device according to claim 6, characterised in that the comparison module comprises:
    a sample value acquiring unit, configured to select a first predetermined number of consecutive sample values from the subsequent actual traffic load value;
    a confidence interval acquiring unit, configured to obtain a preset confidence interval corresponding to the time series of the subsequent predicted traffic load value; and
    a comparison unit, configured to compare each of the first predetermined number of sample values with the preset confidence interval.
  8. The traffic anomaly detection device according to claim 7, characterised in that the anomaly determining module comprises:
    an anomalous-sample counting unit, configured to obtain the number of samples among the first predetermined number of sample values that fall outside the preset confidence interval; and
    an anomaly determining unit, configured to determine that the traffic load value between the host computer and the PLC is anomalous when the number of samples falling outside the preset confidence interval exceeds a second predetermined number.
  9. The traffic anomaly detection device according to claim 6, characterised in that the model building module comprises:
    a packet acquiring unit, configured to obtain the packets on the communication link between the host computer and the PLC within a preset duration;
    a time series selection unit, configured to filter the packets so as to select the time series of the traffic load value between the host computer and the PLC on the preset time scale;
    a stationarity analysis unit, configured to perform a stationarity analysis on the time series; and
    a model establishing unit, configured to model the time series with an ARMA model when the analysis result shows that the time series is a stationary sequence.
  10. The traffic anomaly detection device according to any one of claims 6 to 9, characterised in that the device further comprises:
    an anomaly response module, configured to start a traffic-load anomaly response system when the comparison result indicates that the traffic load value between the host computer and the PLC is anomalous.
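The pipeline of method claims 1 to 5 (mirrored by device claims 6 to 10) carried through end to end, as an added worked example; this is not the patent's code or the applicants' implementation. Everything concrete in it is an assumption chosen for illustration: the host computer and PLC addresses, a 1 s time scale, a first predetermined number of 10 samples and a second predetermined number of 3, a confidence interval of three residual standard deviations around the forecast, an AR(p) least-squares fit standing in for the ARMA model (ARMA with q = 0, so no external library is needed), and a two-halves mean comparison standing in for the stationarity analysis, which the claims leave unspecified. The packets are constructed with a fixed seed so the run is reproducible offline.

```python
import math
import random
from collections import defaultdict

HOST = "192.168.10.5"   # assumed host computer (SCADA/HMI) address
PLC = "192.168.10.50"   # assumed PLC address
BUCKET_S = 1.0          # preset time scale: traffic load = bytes per 1 s bucket

def traffic_time_series(packets, host=HOST, plc=PLC, bucket_s=BUCKET_S):
    """Claim 4 steps 1-2: keep only host<->PLC packets, sum bytes per bucket.
    packets: iterable of (timestamp_s, src_ip, dst_ip, length_bytes)."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in packets:
        if {src, dst} == {host, plc}:
            totals[int(ts // bucket_s)] += nbytes
    if not totals:
        return []
    return [float(totals.get(i, 0)) for i in range(min(totals), max(totals) + 1)]

def is_stationary(series, tol=1.0):
    """Claim 4 step 3. Heuristic (an assumption; the claims name no test): the two
    halves of the series may differ in mean by at most tol * overall std dev."""
    n, mean = len(series), sum(series) / len(series)
    sd = math.sqrt(sum((x - mean) ** 2 for x in series) / n)
    h = n // 2
    return abs(sum(series[:h]) / h - sum(series[h:]) / (n - h)) <= tol * sd

def _solve(a, b):
    """Gauss-Jordan elimination with partial pivoting: solves a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        if abs(m[c][c]) < 1e-12:
            raise ValueError("singular normal equations (constant series?)")
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                for k in range(c, n + 1):
                    m[r][k] -= f * m[c][k]
    return [m[i][n] / m[i][i] for i in range(n)]

def fit_ar(series, p=2):
    """Claim 4 step 4: AR(p) = ARMA(p, 0) by least squares,
    x_t = c + phi_1 x_{t-1} + ... + phi_p x_{t-p} + e_t.
    Returns ([c, phi_1, ..., phi_p], residual standard deviation)."""
    rows = [[1.0] + [series[t - k] for k in range(1, p + 1)]
            for t in range(p, len(series))]
    y, dim = series[p:], p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(dim)] for i in range(dim)]
    xty = [sum(r[i] * yy for r, yy in zip(rows, y)) for i in range(dim)]
    coef = _solve(xtx, xty)
    resid = [yy - sum(c * x for c, x in zip(coef, r)) for r, yy in zip(rows, y)]
    return coef, math.sqrt(sum(e * e for e in resid) / (len(resid) - dim))

def forecast(coef, history, steps):
    """Claim 1 step 2: recursive multi-step forecast seeded with the last p values."""
    p = len(coef) - 1
    lags, out = list(history[-p:]), []       # lags kept in chronological order
    for _ in range(steps):
        nxt = coef[0] + sum(phi * x for phi, x in zip(coef[1:], reversed(lags)))
        out.append(nxt)
        lags = lags[1:] + [nxt]
    return out

def judge(predicted, actual, sd, z=3.0, first_n=10, second_n=3):
    """Claims 2-3: count the first first_n actual samples outside the interval
    [pred - z*sd, pred + z*sd] (a fixed z-sigma band is an assumption) and flag
    an anomaly when more than second_n do. Returns (exceed_count, is_anomaly)."""
    pairs = list(zip(predicted, actual))[:first_n]
    exceed = sum(1 for pr, ac in pairs if abs(ac - pr) > z * sd)
    return exceed, exceed > second_n

def make_packets(seconds, rng, flood_from=None, flood_bytes=3000):
    """Constructed demo traffic: 1 Hz host poll (64 B) and PLC reply with an
    AR(1)-correlated size, unrelated chatter that must be filtered out, and from
    flood_from onwards an injected flood_bytes/s of extra host->PLC data."""
    pkts, level = [], 0.0
    for s in range(seconds):
        level = 0.6 * level + rng.gauss(0, 120)
        pkts.append((s + 0.01, HOST, PLC, 64))
        pkts.append((s + 0.05, PLC, HOST, int(2400 + level)))
        pkts.append((s + 0.30, "192.168.10.7", "192.168.10.9", 900))
        if flood_from is not None and s >= flood_from:
            pkts.append((s + 0.50, HOST, PLC, flood_bytes))
    return pkts

def run(flood, train_s=240, follow_s=20, seed=7):
    """Whole pipeline on constructed traffic; returns (exceed_count, is_anomaly)."""
    rng = random.Random(seed)                # fixed seed: reproducible sample data
    pkts = make_packets(train_s + follow_s, rng, train_s if flood else None)
    series = traffic_time_series(pkts)
    train, actual = series[:train_s], series[train_s:]
    if not is_stationary(train):
        raise ValueError("non-stationary baseline; difference it before modelling")
    coef, sd = fit_ar(train, p=2)
    return judge(forecast(coef, train, len(actual)), actual, sd)
```

`run(flood=False)` trains on 240 s of clean polling and judges the next 20 s, returning a low exceedance count and `False`; `run(flood=True)` injects 3000 extra bytes/s from the start of the follow-up window and returns `(10, True)`, since every one of the ten compared samples lies far outside the band. Two caveats a deployment should keep in mind: the baseline must be captured on a link known to be clean, because a flood present during the training window is learned as normal (or fails the stationarity check); and the detector only sees volume on the preset time scale, so a command-injection or value-substitution attack that keeps bytes per second inside the confidence interval is not flagged, which is why this kind of load baseline belongs beside protocol-aware inspection rather than in place of it.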
CN201711230946.7A 2017-11-29 2017-11-29 Traffic anomaly detection method and device Pending CN107872464A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711230946.7A CN107872464A (en) 2017-11-29 2017-11-29 Traffic anomaly detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711230946.7A CN107872464A (en) 2017-11-29 2017-11-29 Traffic anomaly detection method and device

Publications (1)

Publication Number Publication Date
CN107872464A (en) 2018-04-03

Family

ID=61754989

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711230946.7A Pending CN107872464A (en) 2017-11-29 2017-11-29 Traffic anomaly detection method and device

Country Status (1)

Country Link
CN (1) CN107872464A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651568A (en) * 2009-07-01 2010-02-17 青岛农业大学 Method for predicting network flow and detecting abnormality
CN102625312A (en) * 2012-04-25 2012-08-01 重庆邮电大学 Sensor network safety system based on delaminated intrusion detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
周强 et al.: "基于自回归滑动平均的网络数据流量预测模型" (Network data traffic prediction model based on autoregressive moving average), 《计算机科学》 (Computer Science) *
彭军 et al.: "基于流量预测的WSN入侵检测技术" (WSN intrusion detection technique based on traffic prediction), 《计算机应用与软件》 (Computer Applications and Software) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109245913A (en) * 2018-08-02 2019-01-18 浙江口碑网络技术有限公司 A kind of cloud Physical Examination System and method
CN109768995A (en) * 2019-03-06 2019-05-17 国网甘肃省电力公司电力科学研究院 A kind of network flow abnormal detecting method based on circular prediction and study
CN109768995B (en) * 2019-03-06 2021-08-13 国网甘肃省电力公司电力科学研究院 Network flow abnormity detection method based on cyclic prediction and learning

Similar Documents

Publication Publication Date Title
CN111262722B (en) Safety monitoring method for industrial control system network
AU2015302129B2 (en) Analyzing cyber-security risks in an industrial control environment
CN112995196B (en) Method and system for processing situation awareness information in network security level protection
CN101854340B (en) Behavior based communication analysis carried out based on access control information
CN108055282A (en) Industry control abnormal behaviour analysis method and system based on self study white list
CN107241224A (en) The network risks monitoring method and system of a kind of transformer station
CN109391613A (en) A kind of intelligent substation method for auditing safely based on SCD parsing
CN109164786A (en) A kind of anomaly detection method based on time correlation baseline, device and equipment
CN107786532A (en) The system and method that Virtual honeypot is used in industrial automation system and cloud connector
CN110752951A (en) Industrial network flow monitoring and auditing method, device and system
CN111654489A (en) Network security situation sensing method, device, equipment and storage medium
CN106254137B (en) The alarm root analysis system and method for supervisory systems
Polet et al. Theory of safety-related violations of system barriers
CN107797465A (en) Monitoring method and device
CN107872464A (en) Traffic anomaly detection method and device
CN107911240A (en) A kind of fault detection method and device
CN108111487A (en) A kind of safety monitoring method and system
CN106385339A (en) Monitoring method and monitoring system for access performance of enterprise network
CN112688946B (en) Method, module, storage medium, device and system for constructing abnormality detection features
CN115550145B (en) Industrial internet security dynamic protection method and protection system
CN110113336A (en) A kind of exception of network traffic analysis and recognition methods for substation network environment
CN111934951A (en) Network packet loss detection method and device
CN115225385B (en) Flow monitoring method, system, equipment and computer readable storage medium
CN112558562A (en) Pump station management system
WO2021064144A1 (en) Method and system for continuous estimation and representation of risk

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180403)