CN116633705A - Industrial control system abnormality detection method and system based on composite automatic encoder - Google Patents
Industrial control system abnormality detection method and system based on composite automatic encoder Download PDFInfo
- Publication number
- CN116633705A CN116633705A CN202310919286.2A CN202310919286A CN116633705A CN 116633705 A CN116633705 A CN 116633705A CN 202310919286 A CN202310919286 A CN 202310919286A CN 116633705 A CN116633705 A CN 116633705A
- Authority
- CN
- China
- Prior art keywords
- data
- time
- error
- dimension
- control system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 239000002131 composite material Substances 0.000 title claims abstract description 32
- 238000001514 detection method Methods 0.000 title claims abstract description 31
- 230000005856 abnormality Effects 0.000 title claims abstract description 14
- 230000002159 abnormal effect Effects 0.000 claims abstract description 68
- 238000000034 method Methods 0.000 claims abstract description 29
- 230000008859 change Effects 0.000 claims abstract description 28
- 150000001875 compounds Chemical class 0.000 claims abstract description 8
- 230000015654 memory Effects 0.000 claims description 6
- 238000012935 Averaging Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 claims description 3
- 238000012549 training Methods 0.000 description 15
- 238000012360 testing method Methods 0.000 description 9
- AYFVYJQAPQTCCC-GBXIJSLDSA-N L-threonine Chemical compound C[C@@H](O)[C@H](N)C(O)=O AYFVYJQAPQTCCC-GBXIJSLDSA-N 0.000 description 2
- 210000002569 neuron Anatomy 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000007423 decrease Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 238000000638 solvent extraction Methods 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/04—Manufacturing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Economics (AREA)
- Strategic Management (AREA)
- Manufacturing & Machinery (AREA)
- General Health & Medical Sciences (AREA)
- Human Resources & Organizations (AREA)
- Marketing (AREA)
- Primary Health Care (AREA)
- Health & Medical Sciences (AREA)
- Tourism & Hospitality (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The application discloses an industrial control system abnormality detection method and system based on a compound automatic encoder, which belong to the technical field of industrial control system abnormality detection and comprise the following steps: acquiring multidimensional time sequence data of an industrial control system; performing time sequence division on the multi-dimensional time sequence data to obtain a plurality of sections of sub-sequence data; obtaining reconstruction data and prediction data according to the composite automatic encoder and the multi-segment sub-sequence data; calculating to obtain a reconstruction error and a prediction error according to the reconstruction data, the subsequence data and the prediction data; identifying abnormal flow occurrence time according to the reconstruction error and the prediction error; calculating the total error change rate of each dimension before and after abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal. The method realizes the accurate identification of abnormal flow in the industrial control system.
Description
Technical Field
The application relates to the technical field of industrial control system abnormality detection, in particular to an industrial control system abnormality detection method and system based on a composite automatic encoder.
Background
The industrial control system is an important component of the industrial edge, and the flow entering each device in the industrial control system is detected through the intrusion detection system, so that abnormal flow is positioned, and the method for protecting the industrial control system is commonly used at present. The current common abnormal flow intrusion detection method comprises two steps, namely, acquiring flow data of equipment, reconstructing the acquired flow data, further identifying the reconstructed data, and determining whether the flow data is abnormal; the other is to obtain the historical flow data of the equipment, predict the current flow data through the historical flow data, compare the current flow data with the predicted flow data, judge whether the current flow data is abnormal, the two methods respectively and independently use the predicted data or the reconstructed data to judge the abnormality, the accuracy of the abnormality judgment is limited, and the existing method only can identify that the data is abnormal, but cannot locate the abnormal flow data.
Disclosure of Invention
In order to solve the problems, the application provides an industrial control system abnormality detection method and system based on a compound automatic encoder, which can accurately detect specific abnormal flow data.
In order to achieve the above purpose, the application adopts the following technical scheme:
in a first aspect, an industrial control system anomaly detection method based on a composite automatic encoder is provided, including:
acquiring flow time sequence data of each device in an industrial control system and forming multidimensional time sequence data;
performing time sequence division on the multi-dimensional time sequence data to obtain a plurality of sections of sub-sequence data;
obtaining reconstruction data and prediction data according to the composite automatic encoder and the multi-segment sub-sequence data;
calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data;
calculating to obtain a prediction error according to the prediction data and the subsequence data;
according to the reconstruction error and the prediction error, calculating and obtaining the total error of each dimension of each time;
calculating and obtaining the average error of each time according to the total error of each dimension of each time;
judging the time when the average error is larger than the set error threshold value as abnormal flow time;
calculating the total error change rate of each dimension before and after abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal.
In a second aspect, an industrial control system anomaly detection system based on a composite automatic encoder is provided, comprising:
the flow data acquisition module is used for acquiring flow time sequence data of each device in the industrial control system to form multidimensional time sequence data;
the sequence dividing module is used for carrying out time sequence division on the multi-dimensional time sequence data to obtain a plurality of pieces of sub-sequence data;
the abnormal time determining module is used for obtaining reconstruction data and prediction data according to the composite automatic encoder and the multi-segment sub-sequence data; calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data; calculating to obtain a prediction error according to the prediction data and the subsequence data; according to the reconstruction error and the prediction error, calculating and obtaining the total error of each dimension of each time; calculating and obtaining the average error of each time according to the total error of each dimension of each time; judging the time when the average error is larger than the set error threshold value as abnormal flow time;
the abnormal equipment positioning module is used for calculating the total error change rate of each dimension before and after the abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal.
In a third aspect, an electronic device is provided that includes a memory and a processor, and computer instructions stored on the memory and running on the processor that, when executed by the processor, perform the steps described in the method for detecting anomalies in an industrial control system based on a composite automatic encoder.
In a fourth aspect, a computer readable storage medium is provided for storing computer instructions that, when executed by a processor, perform the steps described in a method for anomaly detection in an industrial control system based on a composite automatic encoder.
Compared with the prior art, the application has the beneficial effects that:
1. on the basis of locating the abnormal flow time of the industrial control system, the method and the system realize the location of specific abnormal flow data by calculating the total error change rate of each flow data before and after the abnormal flow time.
2. When the abnormal flow time occurs in the positioning industrial control system, the method calculates the reconstruction error, calculates the prediction error through the prediction data, calculates the average error of each time through the reconstruction error and the prediction error, and improves the accuracy of positioning the abnormal flow time.
3. The application processes the total error of each dimension of each time by an exponential weighted moving average method, so that the final total error of each dimension of each time is reduced, the error generated by abrupt change of flow data is reduced, the accuracy of the total error of each dimension of each time is improved, and the accuracy of time positioning of abnormal flow is further improved.
4. The application calculates the average error of each time through the right technology, and improves the accuracy of positioning the time when abnormal flow occurs.
Additional aspects of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application.
FIG. 1 is a flow chart of the method disclosed in example 1;
FIG. 2 is a block diagram of an automatic encoder of the method disclosed in example 1;
FIG. 3 is a training loss graph disclosed in example 1;
fig. 4 is a test result of attack number 5 disclosed in example 1;
fig. 5 shows the detection error of attack number 5 disclosed in example 1;
fig. 6 is a detection result of the attack number 31 disclosed in example 1;
fig. 7 shows the detection error of the attack number 31 disclosed in example 1;
fig. 8 is a Recall value for all attacks disclosed in example 1.
Detailed Description
The application will be further described with reference to the drawings and examples.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the application. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
Example 1
In this embodiment, an industrial control system anomaly detection method based on a composite automatic encoder is disclosed, as shown in fig. 1, including:
s1: flow time sequence data of each device in the industrial control system are obtained, and multidimensional time sequence data are formed.
In an industrial control system comprising a plurality of devicesSuch as water supply equipment, power equipment, intelligent logistics equipment and the like. In order to realize abnormality detection of flow data of each device in an industrial control system, the embodiment obtains flow time sequence data of each device in the industrial control system for a set time length to form multidimensional time sequence dataX,Wherein, N is the time length,x t the traffic data set for all devices at time t, the m-dimensional vector, t=1,N,x t =,/>is the flow data of the equipment m at the time t, t<N。
S2: and carrying out time sequence division on the multi-dimensional time sequence data to obtain a plurality of sections of sub-sequence data.
The embodiment adopts a window with the length of T in multidimensional time sequence dataXUp-sliding to obtain multiple segments of subsequence data, with subsequences from time T to t+T beingX t:t+T ,X t:t+T ={x t ,x t+1 ,...,x t+T }。
S3: obtaining reconstruction data and prediction data according to the composite automatic encoder and the multi-segment sub-sequence data; calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data; calculating to obtain a prediction error according to the prediction data and the subsequence data; according to the reconstruction error and the prediction error, calculating and obtaining the total error of each dimension of each time; calculating and obtaining the average error of each time according to the total error of each dimension of each time; and judging the time when the average error is larger than the set error threshold value as abnormal flow time.
The purpose of anomaly detection for multi-dimensional time series data in this embodiment is to find an anomaly by using a regularity pattern that appears in history data.
Reconstructing the multi-segment sub-sequence data by adopting a composite automatic encoder to obtain reconstructed data; and predicting the next segment of sub-sequence data according to each segment of sub-sequence data to obtain prediction data. The composite automatic encoder takes the multi-segment sub-sequence data as input, reconstructs the multi-segment sub-sequence data and outputs the reconstructed data; and predicting the next segment of sub-sequence data according to each segment of sub-sequence data, and outputting predicted data.
A composite automatic encoder is a hierarchical structure composed of a plurality of Automatic Encoders (AEs). Each AE consists of two parts, an encoder and a decoder, wherein the encoder compresses the input data into a low-dimensional representation, and the decoder restores the low-dimensional representation to the input data. In a compound automatic encoder, the output of the encoder of the upper layer AE serves as the input to the next layer AE until the output of the last layer AE is the final compressed representation. Similarly, the decoder is also a hierarchical structure composed of a plurality of decoders, and each layer of decoder uses the output of the previous layer of decoder as input, and finally outputs the reconstruction result of the original data. The compound automatic encoder is often used in unsupervised learning and is used for tasks such as dimension reduction and feature extraction of data.
The composite automatic Encoder adopted in this embodiment may reconstruct Input, may also be used as a future predictor, as shown in fig. 2, and includes an Encoder (Encoder) and a Decoder (Decoder), where a potential space (latency space) is formed between the Encoder (Encoder) and the Decoder (Decoder), the Encoder and the Decoder are both constructed by using an LSTM (long short-term memory network) model, the Input (Input) of the Encoder is sub-sequence data, the Encoder predicts sub-sequence data of a next period according to the sub-sequence data through the LSTM model, obtains a prediction result, compresses the Input sub-sequence data and the prediction result, reconstructs the compressed data through the Decoder, and outputs (Output) reconstructed data and prediction data.
When the input of the composite automatic encoder is a subsequenceX t:t+T When the composite automatic encoder outputs the reconstruction datay t:t+T And predictive dataz t+T:t+2T For example, when the input subsequence of the complex automatic encoder is { x } 1 ,x 2 ,x 3 ,x 4 ,x 5 When { y }, the reconstruction data { y } is output 1 ,y 2 ,y 3 ,y 4 ,y 5 Sum of the prediction data { z } 1 ,z 2 ,z 3 ,z 4 ,z 5 }。
Mean Square Error (MSE) is used to calculate the difference between the actual input and output of the complex automatic encoder, taking into account an input sequence xt whose mth dimension value isThe output reconstruction data or prediction data is +.>Then the MSE is:
the MSE of the input data and the MSE of the reconstruction data are calculated respectively, the MSE of the input data and the MSE of the prediction data are input, the loss Lc of the reconstruction part and the loss Lp of the prediction part are calculated respectively according to the two MSE, and then the loss function Ls is calculated and obtained:
。
when the abnormal flow time appears in the positioning, firstly matching the subsequence data, the reconstruction data and the prediction data in the time dimension, and calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data; calculating to obtain a prediction error according to the prediction data and the subsequence data; and calculating and obtaining the total error of each dimension of each time according to the reconstruction error and the prediction error.
The process of obtaining the total error for each dimension at each time is:
according to the reconstruction data and the subsequence data, calculating to obtain a reconstruction error of each dimension of each time;
calculating and obtaining a prediction error of each dimension of each time according to the prediction data and the subsequence data;
and adding the reconstruction error of each dimension of each time to the prediction error to obtain the total error of each dimension of each time.
Wherein,,reconstruction error->For prediction error +.>Is the total error.
To eliminate errors resulting from abrupt changes in the sub-sequence data, the final total error per dimension per time is calculated using an Exponentially Weighted Moving Average (EWMA)SEt,SEtIs a smooth error.
Where H is the decay constant.
In order to improve the accuracy of time positioning of abnormal flow, the embodiment also calculates and obtains the average error of each time according to the total error of each dimension of each time:
When average errorAbove a set error threshold V thre When the abnormal flow rate time is detected, it is determined that the flow rate data of the existing device is abnormal flow rate data at time t.
In order to reconstruct sub-sequence data through a composite automatic encoder and predict data of a next time period, the embodiment selects normal flow data as training data to train the constructed composite automatic encoder, and the training is completed to obtain reconstruction data and prediction data during training; according to the training data, the reconstruction data and the prediction data during training, calculating to obtain the average error of each time during training, and selecting the maximum value of the average error of each time during training as an error threshold V thre 。
S5: calculating the total error change rate of each dimension before and after abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal.
Since the calculated total error is larger than the total error when the equipment receives normal flow after an equipment is attacked by abnormal flow, the embodiment also determines specific abnormal flow data by the total error change rate before and after the abnormal flow time is determined, and further determines the attacked equipment.
According to the embodiment, a first average error of a set time period before abnormal flow time occurs in each dimension and a second average error of a set time period after the abnormal flow time occurs are calculated according to the total error of each dimension in each time; for each dimension, calculating the absolute value of the difference between the second average error and the first average error, and dividing the absolute value by the length of the time period to obtain the total error change rate of each dimension before and after the abnormal flow time.
Averaging the total errors of all times in a set time period before the abnormal flow time occurs in the same dimension to obtain a first average error of each dimension;
and averaging the total errors of all the times in the set time period after the abnormal flow time occurs in the same dimension to obtain a second average error of each dimension.
Wherein,,for the total error rate, +.>For the second average error +>As a result of the first average error being the first,T c to set the period length.
In this embodiment, 45 devices in the industrial control system are represented by screening stable, representative 45 variables from 51 variables in the SWAT data set, selecting 496800 pieces of normal flow data from the stable, representative 45 variables to train the composite automatic encoder, selecting 449919 pieces of flow data as test data, wherein the test data contains 36 pieces of abnormal flow data, and testing the method according to the present application by using the test data.
In the test, the original time sequence is divided by adopting a sliding window method, the length of the window is 1, and the sliding windows are overlapped in adjacent time periods in order to learn the whole mode in the training stage. Overlapping refers to two consecutive subsequences having the same portion, the starting overlap length of the second portion being the same as the ending overlap length of the first portion. However, there is no overlap in the partitioning of the data when calculating the training error and selecting the error threshold or test model.
To speed up training and improve detection accuracy, all training data is scaled to (0, 1). Since the reconstructed data and the predicted data output by the composite automatic encoder of this embodiment are not in the same time window, only the reconstructed data is needed for the first sub-sequence, and only the reconstruction error is needed for this portion.
In the test, 1 was set to 120 seconds and the overlap length was 115 seconds. The maximum average error obtained by training on non-overlapping time sequences is used as the error threshold. The two layers of neuron data of the encoder portion of the composite encoder are 64 and 32, respectively, with the first layer being larger than the input dimension and not strictly adhering to rules that the hidden layer is smaller than the input layer. The number of neurons in the reconstruction portion and the prediction portion is 32 and 64, which is symmetrical to the encoder portion, the complex encoder is trained with training data, and the training loss is shown in fig. 3.
In the dataset, each second of recorded traffic data is marked as "attack" or "normal", the label is used directly to evaluate the test results, and when one piece of recorded abnormal traffic data is marked as an attack, it is True Positive (TP). When one piece of recorded abnormal traffic data is marked as normal, it is a False Negative (FN). When the normal flow data is marked as normal, it is True Negative (TN). When normal traffic data is marked as an attack, the performance of the disclosed method of this example is evaluated for False Positives (FP) using Precision, recall, and F1 scores.
Precision=TP/(TP+FP);
Recall=TP/(TP+FN);
F 1=(2*Precision*Recall)/(Precision+Recall)。
By analyzing the detection results of the abnormal traffic data of the attack number 5 and the abnormal traffic data of the attack number 31, the results are shown in fig. 4, 5, 6 and 7, and recall rates of all the abnormal traffic data are shown in fig. 8. The original values of the construction part and the prediction part are shown in fig. 4. Its value drops to a lower value during the attack. Since the EWMA method is used to smooth the error, the shape of the error is not a rectangle. This embodiment detects such attacks at 100% recall. As the sensor value decreases to an extremely low value, the greater the error resulting from the p-power processing. Thus, such attacks are relatively easy to detect. As shown in fig. 6 and 7, the value change caused by the attack No. 31 is lower than that caused by the attack No. 5, the value of the error is also small, the influence on the detection performance is large, and the recall rate is less than 80%. From fig. 4 and 6, it can be seen that the error does not shrink rapidly after the attack is over, since this system takes time to settle.
Comparing the detection results of the method disclosed in this embodiment with the detection results of DNN, SVM and TABOR, the results are shown in table 1, and compared with the other methods, the method disclosed in this embodiment obtains higher recall and F1 score, and detailed comparison of recall of each abnormal data is shown in table 2, and for 36 abnormal traffic data, the abnormal traffic data detected by the method disclosed in this embodiment is the largest.
TABLE 1
TABLE 2
According to the anomaly detection method disclosed by the embodiment, the original time sequence flow data is reconstructed and predicted to obtain reconstructed data and predicted data, a reconstruction error and a prediction error are calculated respectively, the time of occurrence of the anomaly flow is identified based on the reconstruction error and the prediction error, the total error change rate before and after the time of occurrence of the anomaly flow is calculated on the basis, and accurate identification of the anomaly flow data is achieved.
Example 2
In this embodiment, an industrial control system anomaly detection system based on a compound automatic encoder is disclosed, comprising:
the flow data acquisition module is used for acquiring flow time sequence data of each device in the industrial control system to form multidimensional time sequence data;
the sequence dividing module is used for carrying out time sequence division on the multi-dimensional time sequence data to obtain a plurality of pieces of sub-sequence data;
the abnormal time determining module is used for obtaining reconstruction data and prediction data according to the composite automatic encoder and the multi-segment sub-sequence data; calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data; calculating to obtain a prediction error according to the prediction data and the subsequence data; according to the reconstruction error and the prediction error, calculating and obtaining the total error of each dimension of each time; calculating and obtaining the average error of each time according to the total error of each dimension of each time; judging the time when the average error is larger than the set error threshold value as abnormal flow time;
the abnormal equipment positioning module is used for calculating the total error change rate of each dimension before and after the abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal.
Example 3
In this embodiment, an electronic device is disclosed that includes a memory and a processor, and computer instructions stored on the memory and running on the processor that, when executed by the processor, perform the steps described in the industrial control system anomaly detection method based on the composite automatic encoder disclosed in embodiment 1.
Example 4
In this embodiment, a computer readable storage medium is disclosed for storing computer instructions that, when executed by a processor, perform the steps described in the industrial control system anomaly detection method based on the composite automatic encoder disclosed in embodiment 1.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present application and not for limiting the same, and although the present application has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the application without departing from the spirit and scope of the application, which is intended to be covered by the claims.
Claims (10)
1. The industrial control system abnormality detection method based on the compound automatic encoder is characterized by comprising the following steps:
acquiring flow time sequence data of each device in an industrial control system and forming multidimensional time sequence data;
performing time sequence division on the multi-dimensional time sequence data to obtain a plurality of sections of sub-sequence data;
obtaining reconstruction data and prediction data according to the composite automatic encoder and the multi-segment sub-sequence data;
calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data;
calculating to obtain a prediction error according to the prediction data and the subsequence data;
according to the reconstruction error and the prediction error, calculating and obtaining the total error of each dimension of each time;
calculating and obtaining the average error of each time according to the total error of each dimension of each time;
judging the time when the average error is larger than the set error threshold value as abnormal flow time;
calculating the total error change rate of each dimension before and after abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal.
2. The method for detecting an abnormality of an industrial control system based on a composite automatic encoder according to claim 1, wherein the composite automatic encoder takes a plurality of pieces of sub-sequence data as input, reconstructs the plurality of pieces of sub-sequence data, and outputs reconstructed data; and predicting the next segment of sub-sequence data according to each segment of sub-sequence data, and outputting predicted data.
3. The method for detecting anomalies in an industrial control system based on a complex automatic encoder according to claim 1, wherein the process of obtaining the total error for each dimension at each time is:
according to the reconstruction data and the subsequence data, calculating to obtain a reconstruction error of each dimension of each time;
calculating and obtaining a prediction error of each dimension of each time according to the prediction data and the subsequence data;
and adding the reconstruction error of each dimension of each time to the prediction error to obtain the total error of each dimension of each time.
4. The method for detecting anomalies in an industrial control system based on a complex automatic encoder according to claim 3, wherein the final total error per dimension per time is obtained by calculating the total error per dimension per time by an exponentially weighted moving average method.
5. The method for detecting anomalies in an industrial control system based on a complex automatic encoder according to claim 1, wherein the total error for all dimensions at the same time is averaged to obtain an average error for each time.
6. The method for detecting the abnormality of the industrial control system based on the compound automatic encoder according to claim 1, wherein a first average error of a set period of time before the occurrence of the abnormal flow time in each dimension and a second average error of a set period of time after the occurrence of the abnormal flow time are calculated based on the total error of each dimension in each time, respectively; for each dimension, calculating the absolute value of the difference between the second average error and the first average error, and dividing the absolute value by the length of the time period to obtain the total error change rate of each dimension before and after the abnormal flow time.
7. The method for detecting the abnormality of the industrial control system based on the compound automatic encoder according to claim 6, wherein the total error of all times in a set period of time before the occurrence of the abnormal flow in the same dimension is averaged to obtain a first average error in each dimension;
and averaging the total errors of all the times in the set time period after the abnormal flow time occurs in the same dimension to obtain a second average error of each dimension.
8. An industrial control system anomaly detection system based on a composite automatic encoder, comprising:
the flow data acquisition module is used for acquiring flow time sequence data of each device in the industrial control system and forming multidimensional time sequence data;
the sequence dividing module is used for carrying out time sequence division on the multi-dimensional time sequence data to obtain a plurality of pieces of sub-sequence data;
the abnormal time determining module is used for reconstructing each segment of sub-sequence data to obtain reconstructed data; predicting the next segment of sub-sequence data according to each segment of sub-sequence data to obtain predicted data; calculating to obtain a reconstruction error according to the reconstruction data and the subsequence data; calculating to obtain a prediction error according to the prediction data and the subsequence data; according to the reconstruction error and the prediction error, calculating and obtaining the total error of each dimension of each time; calculating and obtaining the average error of each time according to the total error of each dimension of each time; judging the time when the average error is larger than the set error threshold value as abnormal flow time;
the abnormal equipment positioning module is used for calculating the total error change rate of each dimension before and after the abnormal flow time according to the total error of each dimension in each time; and judging that the flow data corresponding to the dimension of which the total error change rate is larger than the change rate threshold value is abnormal.
9. An electronic device comprising a memory and a processor and computer instructions stored on the memory and running on the processor, which when executed by the processor, perform the steps of the composite automatic encoder-based industrial control system anomaly detection method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions which, when executed by a processor, perform the steps of the composite automatic encoder-based industrial control system anomaly detection method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310919286.2A CN116633705B (en) | 2023-07-26 | 2023-07-26 | Industrial control system abnormality detection method and system based on composite automatic encoder |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310919286.2A CN116633705B (en) | 2023-07-26 | 2023-07-26 | Industrial control system abnormality detection method and system based on composite automatic encoder |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116633705A true CN116633705A (en) | 2023-08-22 |
| CN116633705B CN116633705B (en) | 2023-10-13 |
Family
ID=87613891
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310919286.2A Active CN116633705B (en) | 2023-07-26 | 2023-07-26 | Industrial control system abnormality detection method and system based on composite automatic encoder |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116633705B (en) |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190124045A1 (en) * | 2017-10-24 | 2019-04-25 | Nec Laboratories America, Inc. | Density estimation network for unsupervised anomaly detection |
| CN111343147A (en) * | 2020-02-05 | 2020-06-26 | 北京中科研究院 | Network attack detection device and method based on deep learning |
| CN112134875A (en) * | 2020-09-18 | 2020-12-25 | 国网山东省电力公司青岛供电公司 | IoT network abnormal flow detection method and system |
| CN113179264A (en) * | 2021-04-26 | 2021-07-27 | 哈尔滨工业大学 | Attack detection method for data transmission in networked control system |
| CN114528547A (en) * | 2022-01-17 | 2022-05-24 | 中南大学 | ICPS (information storage and protection System) unsupervised online attack detection method and device based on community feature selection |
| WO2022141871A1 (en) * | 2020-12-31 | 2022-07-07 | 平安科技(深圳)有限公司 | Time sequence data anomaly detection method, apparatus and device, and storage medium |
| CN115115019A (en) * | 2021-03-19 | 2022-09-27 | 复旦大学 | Anomaly detection method based on neural network |
| CN115456107A (en) * | 2022-09-29 | 2022-12-09 | 中国农业银行股份有限公司 | Time series abnormity detection system and method |
| CN115510975A (en) * | 2022-09-28 | 2022-12-23 | 山东省计算中心(国家超级计算济南中心) | Multivariable time sequence abnormality detection method and system based on parallel Transomer-GRU |
| WO2023041907A1 (en) * | 2021-09-15 | 2023-03-23 | Bae Systems Plc | System and method for training an autoencoder to detect anomalous system behaviour |
| CN115982235A (en) * | 2022-12-19 | 2023-04-18 | 昭通亮风台信息科技有限公司 | Abnormal time sequence data detection method, equipment and medium |
| CN116340872A (en) * | 2023-03-29 | 2023-06-27 | 深圳智现未来工业软件有限公司 | Method for determining abnormality based on combination of reconstruction and prediction |
-
2023
- 2023-07-26 CN CN202310919286.2A patent/CN116633705B/en active Active
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190124045A1 (en) * | 2017-10-24 | 2019-04-25 | Nec Laboratories America, Inc. | Density estimation network for unsupervised anomaly detection |
| CN111343147A (en) * | 2020-02-05 | 2020-06-26 | 北京中科研究院 | Network attack detection device and method based on deep learning |
| CN112134875A (en) * | 2020-09-18 | 2020-12-25 | 国网山东省电力公司青岛供电公司 | IoT network abnormal flow detection method and system |
| WO2022141871A1 (en) * | 2020-12-31 | 2022-07-07 | 平安科技(深圳)有限公司 | Time sequence data anomaly detection method, apparatus and device, and storage medium |
| CN115115019A (en) * | 2021-03-19 | 2022-09-27 | 复旦大学 | Anomaly detection method based on neural network |
| CN113179264A (en) * | 2021-04-26 | 2021-07-27 | 哈尔滨工业大学 | Attack detection method for data transmission in networked control system |
| WO2023041907A1 (en) * | 2021-09-15 | 2023-03-23 | Bae Systems Plc | System and method for training an autoencoder to detect anomalous system behaviour |
| CN114528547A (en) * | 2022-01-17 | 2022-05-24 | 中南大学 | ICPS (information storage and protection System) unsupervised online attack detection method and device based on community feature selection |
| CN115510975A (en) * | 2022-09-28 | 2022-12-23 | 山东省计算中心(国家超级计算济南中心) | Multivariable time sequence abnormality detection method and system based on parallel Transomer-GRU |
| CN115456107A (en) * | 2022-09-29 | 2022-12-09 | 中国农业银行股份有限公司 | Time series abnormity detection system and method |
| CN115982235A (en) * | 2022-12-19 | 2023-04-18 | 昭通亮风台信息科技有限公司 | Abnormal time sequence data detection method, equipment and medium |
| CN116340872A (en) * | 2023-03-29 | 2023-06-27 | 深圳智现未来工业软件有限公司 | Method for determining abnormality based on combination of reconstruction and prediction |
Non-Patent Citations (1)
| Title |
|---|
| 戚琦;申润业;王敬宇;: "GAD:基于拓扑感知的时间序列异常检测", 通信学报, no. 06 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116633705B (en) | 2023-10-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111914873A (en) | Two-stage cloud server unsupervised anomaly prediction method | |
| CN109492193B (en) | Abnormal network data generation and prediction method based on deep machine learning model | |
| CN112257263B (en) | Equipment residual life prediction system based on self-attention mechanism | |
| CN116320042B (en) | Internet of things terminal monitoring control system for edge calculation | |
| CN114167838B (en) | Multi-scale health assessment and fault prediction method for servo system | |
| CN112766429B (en) | Method, device, computer equipment and medium for anomaly detection | |
| CN115903741B (en) | Industrial control system data anomaly detection method | |
| CN117150402A (en) | Power data anomaly detection method and model based on generation type countermeasure network | |
| CN115587335A (en) | Training method of abnormal value detection model, abnormal value detection method and system | |
| Fu et al. | MCA-DTCN: A novel dual-task temporal convolutional network with multi-channel attention for first prediction time detection and remaining useful life prediction | |
| CN116842520A (en) | Anomaly perception method, device, equipment and medium based on detection model | |
| CN115936248A (en) | Attention network-based power load prediction method, device and system | |
| CN114582325A (en) | Audio detection method and device, computer equipment and storage medium | |
| CN116633705B (en) | Industrial control system abnormality detection method and system based on composite automatic encoder | |
| CN117591860A (en) | Data anomaly detection method and device | |
| CN117113139A (en) | Training method and device for fault detection model, computer equipment and storage medium | |
| CN117171713A (en) | Cross self-adaptive deep migration learning method and system based on bearing service life | |
| CN111885084A (en) | Intrusion detection method and device and electronic equipment | |
| CN116148906A (en) | Multi-attention-based fishing boat track anomaly detection method and system | |
| CN115600116A (en) | Dynamic detection method, system, storage medium and terminal for time series abnormity | |
| CN114841196A (en) | Mechanical equipment intelligent fault detection method and system based on supervised learning | |
| CN113052060B (en) | Bearing residual life prediction method and device based on data enhancement and electronic equipment | |
| Wang et al. | A novel multiscale deep health indicator with bidirectional LSTM network for bearing performance degradation trend prognosis | |
| KR20220028727A (en) | Method and Apparatus for Real Time Fault Detection Using Time series data According to Degradation | |
| CN116700213B (en) | Industrial equipment abnormality detection method and related device based on gating circulation unit |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |