CN117951695B - Industrial unknown threat detection method and system - Google Patents
Industrial unknown threat detection method and system Download PDFInfo
- Publication number
- CN117951695B CN117951695B CN202410353612.2A CN202410353612A CN117951695B CN 117951695 B CN117951695 B CN 117951695B CN 202410353612 A CN202410353612 A CN 202410353612A CN 117951695 B CN117951695 B CN 117951695B
- Authority
- CN
- China
- Prior art keywords
- data
- window
- behavior
- seasonal
- sequence
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 19
- 230000001932 seasonal effect Effects 0.000 claims abstract description 75
- 239000011159 matrix material Substances 0.000 claims abstract description 70
- 238000000034 method Methods 0.000 claims abstract description 57
- 238000009499 grossing Methods 0.000 claims abstract description 46
- 239000013598 vector Substances 0.000 claims abstract description 42
- 238000012545 processing Methods 0.000 claims abstract description 12
- 238000012549 training Methods 0.000 claims abstract description 11
- 230000006399 behavior Effects 0.000 claims description 98
- 238000000354 decomposition reaction Methods 0.000 claims description 9
- 238000004364 calculation method Methods 0.000 claims description 7
- 238000007781 pre-processing Methods 0.000 claims description 7
- 238000005070 sampling Methods 0.000 claims description 7
- 238000004590 computer program Methods 0.000 claims description 6
- 230000006870 function Effects 0.000 claims description 6
- 230000003542 behavioural effect Effects 0.000 claims description 4
- 238000010606 normalization Methods 0.000 claims description 4
- 238000004140 cleaning Methods 0.000 claims description 3
- 238000012935 Averaging Methods 0.000 claims description 2
- 238000004458 analytical method Methods 0.000 abstract description 5
- 238000013528 artificial neural network Methods 0.000 description 6
- 230000002159 abnormal effect Effects 0.000 description 3
- 238000004422 calculation algorithm Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000000605 extraction Methods 0.000 description 2
- 206010063385 Intellectualisation Diseases 0.000 description 1
- 229910000831 Steel Inorganic materials 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000009776 industrial production Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000004513 sizing Methods 0.000 description 1
- 239000010959 steel Substances 0.000 description 1
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the technical field of regression processing of industrial equipment data, in particular to an industrial unknown threat detection method and system. In the method, the change of the fluctuation characteristic of the data value between adjacent windows is analyzed in the seasonal analysis smoothing operation, so that the state of the data contained in the corresponding window is characterized, and the window size is adjusted by utilizing the influence value of the data fluctuation. And further determining seasonal feature vectors, obtaining feature matrixes in the equipment behavior matrixes through seasonal operation, performing network training by using the feature matrixes, and accurately detecting unknown threats through a trained threat identification network. The accurate seasonal feature vector is obtained through the self-adaptive smoothing process, and then the feature matrix with strong referential property is obtained through seasonal operation, so that the accuracy of the threat identification network is improved, and the unknown threat can be effectively detected.
Description
Technical Field
The invention relates to the technical field of regression processing of industrial equipment data, in particular to an industrial unknown threat detection method and system.
Background
Along with the progress of informatization and intellectualization of an industrial system, the number of industrial internet intelligent devices is increased, and the frequency of attack on the industrial internet intelligent devices is increased remarkably. Further, because the industrial equipment system is slowly updated and even cannot be updated, a large number of security holes are accumulated in the running process, and the probability of being attacked by the network is further increased. Therefore, in order to ensure the normal operation of industrial equipment, the generated unknown threats need to be identified and detected in time in the operation process, and the measurement is formulated in time so as to ensure the normal operation of the equipment.
In the prior art, in order to avoid inaccurate unknown threat detection results caused by various equipment systems and large equipment performance differences, the prior art can train a neural network by extracting the characteristic matrix of industrial equipment, and further train the neural network according to the characteristic matrix in the history database of each equipment, so as to realize accurate identification of different equipment. However, seasonal characteristics of behavior data of industrial equipment are not considered in the prior art, so that effective information quantity of a feature matrix is small, errors of original data are large, inaccuracy of the feature matrix is further caused, behavior characteristics of corresponding industrial equipment cannot be represented accurately, accuracy of a trained neural network is low, and accurate industrial unknown threat detection cannot be achieved.
Disclosure of Invention
In order to solve the technical problems that the accuracy of a neural network is low and the accurate detection of the unknown industrial threat cannot be realized due to inaccurate construction of a behavior feature matrix of industrial equipment in the prior art, the invention aims to provide an industrial unknown threat detection method and system, and the adopted technical scheme is as follows:
The invention provides an industrial unknown threat detection method, which comprises the following steps:
Acquiring various behavior data sequences of industrial equipment in time sequence in a historical database;
the behavior data sequence obtains seasonal feature vectors based on smoothing operation; the smoothing operation includes:
Constructing a window by taking each data point on the sequence to be smoothed as a center according to a preset initial size; acquiring the fluctuation characteristics of the data values of the data points in the windows, and acquiring the data fluctuation influence value of each window according to the change of the fluctuation characteristics of the data values between each window; adjusting the initial size according to the data fluctuation influence value, and performing smoothing according to the adjusted window;
Constructing a device behavior matrix of the corresponding industrial device according to all the behavior data sequences; performing seasonal operation on the equipment behavior matrix according to the seasonal feature vector of each behavior data to obtain a feature matrix;
Taking the feature matrix as training data of a threat identification network; and detecting unknown threats of the industrial equipment to be identified by using the trained threat identification network.
Further, the obtaining the behavior data sequence further includes: and carrying out preprocessing operation on the behavior data sequence, wherein the preprocessing operation at least comprises data cleaning and data denoising.
Further, the method for acquiring the fluctuation characteristic of the data value comprises the following steps:
obtaining a relative degree of data offset from differences between data points within the window; obtaining a coefficient of variation of the data points within the window; and taking the product of the relative deviation degree of the data and the variation coefficient as the fluctuation characteristic of the data value.
Further, the method for acquiring the relative offset degree of the data comprises the following steps:
obtaining an average data value and a data value variance in the window, obtaining a data value difference between each data point in the window and the average data value, taking the ratio of the data value difference to the data value variance as a deviation characteristic of the corresponding data point, and averaging the deviation characteristics of all the data points in the window to obtain the data relative deviation degree.
Further, the method for acquiring the data fluctuation influence value comprises the following steps:
In the sequence to be smoothed, the data fluctuation influence value is obtained by using a data fluctuation influence value calculation formula for the windows except for the first window and the last window, wherein the data fluctuation influence value calculation formula comprises:
; wherein/> For/>The data fluctuation influence value of the window corresponding to each sliding process,/>As a logarithmic function based on natural constants,/>For/>Data value fluctuation characteristic of each window,/>Is the firstData value fluctuation characteristic of each window,/>First/>Data value fluctuation characteristics of window corresponding to sliding process,/>Is the sequence number of the window on the sequence to be smoothed.
Further, the adjusting the initial size according to the data fluctuation influence value includes:
obtaining the adjusted size according to a size adjustment formula, wherein the size adjustment formula comprises:
; wherein/> For/>Size after window adjustment,/>For the initial size,/>For/>The data fluctuation influence value of the window corresponding to each sliding process,/>As a function of the normalization,To round down the symbol.
Further, the seasonal feature vector obtaining method includes:
Obtaining a behavior data smoothing sequence of the behavior data sequence based on the smoothing operation; extracting a trend component of the behavior data smoothing sequence, and subtracting the trend component from the behavior data sequence to obtain a residual sequence; and performing the smoothing operation on the residual sequence to obtain a smoothed residual sequence, performing seasonal decomposition on the smoothed residual sequence to obtain a seasonal component, and performing the smoothing operation on the seasonal component to obtain a seasonal feature vector.
Further, the device behavior matrix acquisition method includes:
Sampling in the behavior data sequence according to a preset sampling proportion, and arranging the sampled data into an initial behavior matrix, wherein each row in the initial behavior matrix represents one type of behavior data; and carrying out standardized processing on the elements in the initial behavior matrix to obtain the equipment behavior matrix.
Further, the method for acquiring the feature matrix comprises the following steps:
Combining the companion vectors of the seasonal feature vectors of each behavior data into a seasonal feature matrix; the seasonal feature matrix comprises a seasonal feature vector associated with each behavior data sequence for each behavior; multiplying the equipment behavior matrix by a transpose matrix of the seasonal feature matrix to obtain the feature matrix.
The invention also provides an industrial unknown threat detection system, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor realizes the steps of any industrial unknown threat detection method when executing the computer program.
The invention has the following beneficial effects:
in order to improve the referential of the subsequent seasonal analysis, the embodiment of the invention sets the smooth operation capable of adaptively adjusting the size of the flat window opening. And analyzing the change of the fluctuation characteristics of the data values between adjacent windows in the smoothing operation, further representing the state of the data contained in the corresponding windows, and adjusting the window size by utilizing the influence value of the data fluctuation, so that the reference data in the smoothing processing process in the windows is more reasonable, and effective smoothing is realized. And further, seasonal feature vectors are determined, and feature matrixes are obtained in the equipment behavior matrixes through seasonal operation, so that the feature matrixes contain effective information as much as possible, and more accurate and obvious industrial equipment information can be represented according to the feature matrixes. And further, the trained threat identification network is utilized to realize accurate detection of unknown threats. According to the method, the accurate seasonal feature vector is obtained through the self-adaptive smoothing process, and further the feature matrix with strong referential property is obtained through seasonal operation, so that the accuracy of threat identification network is improved, and the unknown threat can be effectively detected.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions and advantages of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for detecting an unknown threat in industry according to one embodiment of the invention.
Detailed Description
In order to further describe the technical means and effects adopted by the present invention to achieve the preset purpose, the following detailed description refers to specific implementation, structure, characteristics and effects of an industrial unknown threat detection method and system according to the present invention, which are provided by the present invention, with reference to the accompanying drawings and preferred embodiments. In the following description, different "one embodiment" or "another embodiment" means that the embodiments are not necessarily the same. Furthermore, the particular features, structures, or characteristics of one or more embodiments may be combined in any suitable manner.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
The following specifically describes a specific scheme of the method and system for detecting an industrial unknown threat provided by the invention with reference to the accompanying drawings.
Referring to fig. 1, a flowchart of a method for detecting an unknown threat in industry according to an embodiment of the invention is shown, where the method includes:
step S1: various behavior data sequences of the industrial equipment in time sequence in the historical database are obtained.
It should be noted that, because the embodiment of the present invention aims at a threat identification network with high accuracy in training, the training data of the network should be sufficiently numerous and of various types, so that it is necessary to obtain each item of behavior data of the industrial equipment in the historical database, where the behavior data includes information of multiple dimensions such as running time, power consumption, equipment working temperature, equipment noise, equipment vibration, etc. The behavior data sequences in all dimensions form a behavior data matrix, the behavior data matrix corresponds to one industrial device and the state of the industrial device, wherein the state information can be directly obtained through a historical database and can be used as label information of training data in the subsequent training process. In one embodiment of the present invention, the status information can be divided into two kinds, i.e., an abnormal operation status and a normal operation status.
Preferably, in one embodiment of the present invention, in order to ensure accuracy of subsequent data processing, a preprocessing operation is further required for each behavior data sequence after obtaining various behavior data sequences, so as to ensure accuracy and integrity of data, where the preprocessing operation includes at least a data cleaning and data denoising process, and further corrects missing values and abnormal values therein. It should be noted that the data preprocessing operation is a technical means well known to those skilled in the art, and will not be described herein.
Step S2: the behavior data sequence obtains seasonal feature vectors based on smoothing operations; the smoothing operation includes: constructing a window by taking each data point on the sequence to be smoothed as a center according to a preset initial size; acquiring the fluctuation characteristics of the data values of the data points in the windows, and acquiring the data fluctuation influence value of each window according to the change of the fluctuation characteristics of the data values between each window; and adjusting the initial size according to the data fluctuation influence value, and performing smoothing processing according to the adjusted window.
For industrial equipment, seasonal changes along with corresponding industrial orders exist, so that seasonal changes are generated in behavior data, seasonal feature vectors of a behavior data sequence are extracted, and in the subsequent process, seasonal operation can be carried out on the equipment behavior matrix, so that a feature matrix with stronger feature references is obtained. The extraction process of the seasonal feature vector is actually a process of performing STL decomposition on the behavior data sequence, and the data sequence is continuously smoothed in the decomposition process mainly through a data smoothing process, so that the extraction of the seasonal feature vector is realized by performing decomposition operation according to a smoothing result. I.e. the smoothing effect in the smoothing process will greatly influence the accuracy of extracting seasonal feature vectors. Therefore, the embodiment of the invention constructs a smoothing operation capable of adaptively adjusting the window size, and seasonal feature vectors with strong references can be obtained based on the smoothing operation.
The smoothing operation in the embodiment of the invention firstly constructs a window on the sequence to be smoothed according to the preset initial size, and the window slides on the sequence to be smoothed by taking each data point as a center point. The principle of smoothing in the window is that the center point data are reassigned according to other data in the window, so that the size of the window feels the content of other data, and the window needs to be larger under the condition that the data in the window have a large amount of fluctuation, so that more data participate in the smoothing process, and the smoothed local part can be similar to the trend of the adjacent part; if the fluctuation of the data in the window is less, that is, the change trend of the local content in sequence is closer to that of the adjacent part, the window size can be reduced to reduce the smooth calculation amount. Therefore, firstly, the data value fluctuation characteristics of the data points in the windows are obtained, the data change trend in the windows is represented by the data value fluctuation characteristics, and then the data fluctuation influence value of each window is obtained according to the change of the data value fluctuation characteristics between each window and the adjacent window. The data fluctuation influence value characterizes the fluctuation trend specificity of the data in the current window, and the larger the fluctuation influence value is, the larger the fluctuation change trend of the data in the window is, and the window size is required to be increased; the smaller the fluctuation influence value, the smaller the fluctuation change trend of the data in the window, and the more the window size needs to be reduced. Therefore, the initial size can be adjusted according to the data fluctuation influence value, and smoothing processing can be performed according to the adjusted window.
It should be noted that, the STL decomposition algorithm is a technical means well known to those skilled in the art, and the processes of trend decomposition, seasonal decomposition, data smoothing, etc. are all technical means well known to those skilled in the art, and are not described and limited herein.
Preferably, in one embodiment of the present invention, the method for acquiring the fluctuation feature of the data value includes:
Obtaining a relative degree of offset of the data according to the difference between the data points in the window; obtaining a coefficient of variation of the data points in the window; and taking the product of the relative deviation degree of the data and the variation coefficient as the fluctuation characteristic of the data value. The relative data offset degree characterizes the data change trend of the window by utilizing the offset characteristic of the data points in the window, and the larger the offset degree is, the larger the change among the data values of the data points in the current window is, and the larger the fluctuation characteristic of the data values is; the variation coefficient characterizes the variation trend of the data in the window by utilizing the fluctuation degree of the data points in the window, and the larger the variation coefficient is, the larger the fluctuation of the data points in the window is, and the larger the fluctuation characteristic of the data value is.
It should be noted that, the method for obtaining the variation coefficient is a technical means well known to those skilled in the art, and the larger the variation coefficient, the larger the fluctuation of the corresponding data point, and the specific algorithm will not be described again.
Preferably, the method for acquiring the relative offset degree of the data in one embodiment of the present invention includes:
And obtaining the average data value and the data value variance in the window, obtaining the data value difference between each data point in the window and the average data value, and representing the deviation of the corresponding data point relative to the whole data value by utilizing the data value difference. The ratio of the data value difference to the data value variance is used as the deviation characteristic of the corresponding data point. The result of the deviation feature can be regarded as a multiple of the difference of the data values relative to the variance, and the larger the multiple is, the larger the deviation of the corresponding data points is, so that the deviation features of all the data points in the window are averaged to obtain the relative deviation degree of the data. The relative degree of offset of data in one embodiment of the invention is formulated as:
; wherein/> For/>Data relative offset degree of each window,/>For/>Number of data points within each window,/>For/>The/>, in the windowData values for data points,/>For/>Average data value within each window,/>For/>The variance of the data values within the windows.
Preferably, the method for acquiring the influence value of the data fluctuation in one embodiment of the present invention includes:
Considering that in the sequence to be smoothed, the first window and the last window have only one adjacent window, and they may not be analyzed as a start position and an end position, that is, the other windows except the first window and the last window obtain the data fluctuation influence value using the data fluctuation influence value calculation formula including:
; wherein/> For/>The sliding process corresponds to the data fluctuation influencing value of the window,As a logarithmic function based on natural constants,/>For/>Data value fluctuation characteristic of each window,/>For/>Data value fluctuation characteristic of each window,/>First/>Data value fluctuation characteristics of window corresponding to sliding process,/>Is the sequence number of the window on the sequence to be smoothed.
In the calculation formula of the influence value of the data fluctuation, the utilization is utilizedRepresenting the change of the fluctuation characteristics of the data values between the adjacent windows, if the numerator is larger than the denominator, indicating that the adjacent windows have more obvious data change trend, smoothing the window at the current moment by referring to the data change trend in the adjacent windows, and enabling the influence value of the data fluctuation to be larger than 0; if the denominator is larger than the numerator, the current window has more obvious data change trend compared with the adjacent window, so that the window at the current moment does not need to be smoothed by referring to the data change trend in the adjacent window, and the data fluctuation influence value is smaller than 0. Thus in this embodiment adjusting the initial size according to the data fluctuation influencing value comprises:
obtaining an adjusted size according to a size adjustment formula, wherein the size adjustment formula comprises:
; wherein/> For/>Size after window adjustment,/>For the initial size,/>For/>Data fluctuation influence value of window corresponding to sliding process,/>As a normalization function,/>To round down the symbol.
In the formula for the sizing of the steel sheet,The result of (1) is 1 or-1, namely the window needs to be enlarged or reduced according to the item, if the result is 1, the description/>If the window is positive, the adjacent window has more obvious data change trend, and the window size needs to be enlarged to contain the data information in the adjacent local area, so that effective smoothing is realized; if the result is-1, the description/>The window size is reduced without enlarging the window size, so that the influence of other information on the local change trend of the central data point is avoided. Thus utilizingRepresenting the scaling factor, and multiplying the scaling factor by the initial size to obtain the adjusted size. In one embodiment of the present invention the initial size is set to 9 x 1.
Preferably, in one embodiment of the present invention, the method for acquiring seasonal feature vectors includes:
Obtaining a behavior data smoothing sequence of the behavior data sequence based on the smoothing operation; extracting trend components of the behavior data smoothing sequence, and subtracting the trend components from the behavior data sequence to obtain a residual sequence; and performing smoothing operation on the residual sequence to obtain a smoothed residual sequence, performing seasonal decomposition on the smoothed residual sequence to obtain a seasonal component, and performing smoothing operation on the seasonal component to obtain a seasonal feature vector. By utilizing the smoothing operation for a plurality of times, each component is sufficiently smoothed, and accurate seasonal analysis is realized.
Step S3: constructing a device behavior matrix corresponding to the industrial device according to all the behavior data sequences; and carrying out seasonal operation on the equipment behavior matrix according to the seasonal feature vector of each behavior data to obtain a feature matrix.
Because multiple behavior data exist, each behavior data sequence of the behavior data can obtain corresponding seasonal feature vectors. And constructing an equipment behavior matrix corresponding to the industrial equipment according to all the behavior data sequences, namely, each equipment behavior matrix corresponds to one industrial equipment and corresponds to each behavior data sequence under the industrial equipment. And carrying out seasonal operation on the equipment behavior matrix according to the seasonal feature vector of each behavior data, so as to obtain the feature matrix with obvious features.
Preferably, in one embodiment of the present invention, for simplicity and clarity of data, sampling is performed in a behavior data sequence according to a preset sampling proportion, the sampled data is arranged into an initial behavior matrix, and each line in the initial behavior matrix represents one behavior data; and carrying out standardized processing on the elements in the initial behavior matrix to obtain the equipment behavior matrix. In one embodiment of the invention, the preset sampling proportion is set to be one tenth, and the standardization is adoptedNormalization is performed in which/>Represents the/>Category/>, in behavioral dataNormalized results of individual data,/>Represents the/>Seed behavior dataInitial data value of individual data,/>Represents the/>Number of data points in the behavioral data.
As one example, a device behavior matrixThe expression of (2) is:
Wherein, First normalized sample data representing first behavior data,/>First behavior dataNormalized sample data,/>Represents the/>First normalized sample data of species behavior data,/>Represents the/>Category behavior data/>Normalized sample data,/>As the number of kinds of the behavior data,Is the amount of sampled data.
Preferably, in one embodiment of the present invention, the method for acquiring a feature matrix includes:
Since each value of the seasonal feature vector can represent a seasonal dimension exhibited by the current time period, processing is performed with the concomitant vector in order to eliminate the dimension influence. Combining the companion vectors of the seasonal feature vectors of each behavior data into a seasonal feature matrix; seasonal feature matrix each behavior is a companion vector of the seasonal feature vector corresponding to each behavior data sequence; and multiplying the equipment behavior matrix by a transposed matrix of the seasonal feature matrix to obtain the feature matrix. In one embodiment of the invention, the feature matrix Expressed by the formula:
Wherein, Seasonal feature vector companion vector representing first behavioral data,/>Represents the/>Companion vector to seasonal feature vector of seed behavior data,/>Representing the transpose of the seasonal feature matrix.
It should be noted that the accompanying vector and the specific seasonal algorithm are technical measures well known to those skilled in the art, and are not described herein.
Step S4: taking the feature matrix as training data of a threat identification network; and detecting unknown threats of the industrial equipment to be identified by using the trained threat identification network.
In one embodiment of the invention, the threat identification network may be a fully connected neural network, the state information of the industrial equipment corresponding to the feature matrix is used as the tag information, and the feature matrix is used as the training data to train, so that the threat identification network can be obtained. The input of the threat identification network is the characteristic matrix of the industrial equipment to be identified, and the input is the corresponding state information. If the state information is abnormal, the industrial equipment to be identified generates unknown threat, and maintenance or shutdown processing is needed. It should be noted that, the feature matrix of the industrial equipment to be identified is also obtained according to the above seasonal analysis process, which is not described herein.
It should be noted that the specific structure and the training method of the fully-connected neural network are technical means well known to those skilled in the art, and are not described herein.
It should be noted that, the threat identification network in the embodiment of the invention can be continuously trained and updated through the data in the database, so that the network can cope with various novel threats and ensure the stability and safety of industrial production.
In summary, in the embodiment of the invention, the change of the fluctuation characteristic of the data value between adjacent windows is analyzed in the smoothing operation of seasonal analysis, so that the state of the data contained in the corresponding window is characterized, and the window size is adjusted by using the influence value of the data fluctuation. And further determining seasonal feature vectors, obtaining feature matrixes in the equipment behavior matrixes through seasonal operation, performing network training by using the feature matrixes, and accurately detecting unknown threats through a trained threat identification network. The accurate seasonal feature vector is obtained through the self-adaptive smoothing process, and then the feature matrix with strong referential property is obtained through seasonal operation, so that the accuracy of the threat identification network is improved, and the unknown threat can be effectively detected.
The invention also provides an industrial unknown threat detection system, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor realizes any one step of the industrial unknown threat detection method when executing the computer program.
It should be noted that: the sequence of the embodiments of the present invention is only for description, and does not represent the advantages and disadvantages of the embodiments. The processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
Claims (5)
1. A method of industrial unknown threat detection, the method comprising:
Acquiring various behavior data sequences of industrial equipment in time sequence in a historical database;
the behavior data sequence obtains seasonal feature vectors based on smoothing operation; the smoothing operation includes:
Constructing a window by taking each data point on the sequence to be smoothed as a center according to a preset initial size; acquiring the fluctuation characteristics of the data values of the data points in the windows, and acquiring the data fluctuation influence value of each window according to the change of the fluctuation characteristics of the data values between each window; adjusting the initial size according to the data fluctuation influence value, and performing smoothing according to the adjusted window;
the method for acquiring the fluctuation characteristics of the data value comprises the following steps:
Obtaining a relative degree of data offset from differences between data points within the window; obtaining a coefficient of variation of the data points within the window; taking the product of the relative deviation degree of the data and the variation coefficient as the fluctuation characteristic of the data value;
the method for acquiring the relative offset degree of the data comprises the following steps:
Obtaining an average data value and a data value variance in the window, obtaining a data value difference between each data point in the window and the average data value, taking the ratio of the data value difference to the data value variance as a deviation characteristic of the corresponding data point, and averaging the deviation characteristics of all the data points in the window to obtain the data relative deviation degree;
the method for acquiring the data fluctuation influence value comprises the following steps:
In the sequence to be smoothed, the data fluctuation influence value is obtained by using a data fluctuation influence value calculation formula for the windows except for the first window and the last window, wherein the data fluctuation influence value calculation formula comprises:
; wherein/> For/>The sliding procedure corresponds to the data fluctuation influencing value of the window,As a logarithmic function based on natural constants,/>For/>Data value fluctuation characteristic of each window,/>For/>Data value fluctuation characteristic of each window,/>First/>Data value fluctuation characteristics of window corresponding to sliding process,/>The sequence number of the window on the sequence to be smoothed;
said adjusting said initial size according to said data fluctuation influencing value comprises:
obtaining the adjusted size according to a size adjustment formula, wherein the size adjustment formula comprises:
; wherein/> For/>Size after window adjustment,/>For the initial size,/>For/>The data fluctuation influence value of the window corresponding to each sliding process,/>As a normalization function,/>Rounding down the symbol;
Constructing a device behavior matrix of the corresponding industrial device according to all the behavior data sequences; performing seasonal operation on the equipment behavior matrix according to the seasonal feature vector of each behavior data to obtain a feature matrix;
the method for acquiring the feature matrix comprises the following steps:
Combining the companion vectors of the seasonal feature vectors of each behavior data into a seasonal feature matrix; the seasonal feature matrix comprises a seasonal feature vector associated with each behavior data sequence for each behavior; multiplying the equipment behavior matrix by a transpose matrix of the seasonal feature matrix to obtain the feature matrix;
Taking the feature matrix as training data of a threat identification network; and detecting unknown threats of the industrial equipment to be identified by using the trained threat identification network.
2. A method of industrial unknown threat detection in accordance with claim 1, wherein after obtaining the behavioral data sequence, further comprises: and carrying out preprocessing operation on the behavior data sequence, wherein the preprocessing operation at least comprises data cleaning and data denoising.
3. The method of claim 1, wherein the method of obtaining seasonal feature vectors comprises:
Obtaining a behavior data smoothing sequence of the behavior data sequence based on the smoothing operation; extracting a trend component of the behavior data smoothing sequence, and subtracting the trend component from the behavior data sequence to obtain a residual sequence; and performing the smoothing operation on the residual sequence to obtain a smoothed residual sequence, performing seasonal decomposition on the smoothed residual sequence to obtain a seasonal component, and performing the smoothing operation on the seasonal component to obtain a seasonal feature vector.
4. The method for detecting an industrial unknown threat of claim 1, wherein the device behavior matrix obtaining method comprises:
Sampling in the behavior data sequence according to a preset sampling proportion, and arranging the sampled data into an initial behavior matrix, wherein each row in the initial behavior matrix represents one type of behavior data; and carrying out standardized processing on the elements in the initial behavior matrix to obtain the equipment behavior matrix.
5. An industrial unknown threat detection system comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, performs the steps of a method of industrial unknown threat detection as claimed in any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410353612.2A CN117951695B (en) | 2024-03-27 | 2024-03-27 | Industrial unknown threat detection method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410353612.2A CN117951695B (en) | 2024-03-27 | 2024-03-27 | Industrial unknown threat detection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117951695A CN117951695A (en) | 2024-04-30 |
| CN117951695B true CN117951695B (en) | 2024-06-11 |
Family
ID=90796589
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410353612.2A Active CN117951695B (en) | 2024-03-27 | 2024-03-27 | Industrial unknown threat detection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117951695B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111971942A (en) * | 2018-04-05 | 2020-11-20 | 微软技术许可有限责任公司 | Anomaly detection and processing of seasonal data |
| CN114221790A (en) * | 2021-11-22 | 2022-03-22 | 浙江工业大学 | BGP (Border gateway protocol) anomaly detection method and system based on graph attention network |
| CN116451866A (en) * | 2023-04-23 | 2023-07-18 | 苏州盈科电子有限公司 | Prediction method and device, electronic equipment and storage medium |
| CN117271987A (en) * | 2023-11-23 | 2023-12-22 | 国网吉林省电力有限公司长春供电公司 | Intelligent acquisition and processing method for environmental state data of power distribution equipment |
| CN117527295A (en) * | 2023-09-26 | 2024-02-06 | 广东省信息安全测评中心 | Self-adaptive network threat detection system based on artificial intelligence |
| CN117540336A (en) * | 2023-10-20 | 2024-02-09 | 腾讯科技(深圳)有限公司 | Time sequence prediction method and device and electronic equipment |
| CN117575332A (en) * | 2024-01-12 | 2024-02-20 | 唐山伟仁建筑工程有限公司 | Road construction safety monitoring method and system |
-
2024
- 2024-03-27 CN CN202410353612.2A patent/CN117951695B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111971942A (en) * | 2018-04-05 | 2020-11-20 | 微软技术许可有限责任公司 | Anomaly detection and processing of seasonal data |
| CN114221790A (en) * | 2021-11-22 | 2022-03-22 | 浙江工业大学 | BGP (Border gateway protocol) anomaly detection method and system based on graph attention network |
| CN116451866A (en) * | 2023-04-23 | 2023-07-18 | 苏州盈科电子有限公司 | Prediction method and device, electronic equipment and storage medium |
| CN117527295A (en) * | 2023-09-26 | 2024-02-06 | 广东省信息安全测评中心 | Self-adaptive network threat detection system based on artificial intelligence |
| CN117540336A (en) * | 2023-10-20 | 2024-02-09 | 腾讯科技(深圳)有限公司 | Time sequence prediction method and device and electronic equipment |
| CN117271987A (en) * | 2023-11-23 | 2023-12-22 | 国网吉林省电力有限公司长春供电公司 | Intelligent acquisition and processing method for environmental state data of power distribution equipment |
| CN117575332A (en) * | 2024-01-12 | 2024-02-20 | 唐山伟仁建筑工程有限公司 | Road construction safety monitoring method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117951695A (en) | 2024-04-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111222290B (en) | Multi-parameter feature fusion-based method for predicting residual service life of large-scale equipment | |
| Tong et al. | An adaptive multimode process monitoring strategy based on mode clustering and mode unfolding | |
| CN108549908B (en) | Chemical process fault detection method based on multi-sampling probability kernel principal component model | |
| CN112862127B (en) | Sensor data exception handling method and device, electronic equipment and medium | |
| CN113008583B (en) | Method and device for monitoring state and automatically alarming abnormality of rotating machine | |
| CN109934301B (en) | Power load cluster analysis method, device and equipment | |
| CN114861788A (en) | Load abnormity detection method and system based on DBSCAN clustering | |
| CN108399434B (en) | Analysis and prediction method of high-dimensional time series data based on feature extraction | |
| Ahmad et al. | On median control charting under double sampling scheme | |
| CN112213687B (en) | Gateway electric energy meter data anomaly detection method and system based on pseudo-anomaly point identification | |
| CN115359846A (en) | Batch correction method and device for group data, storage medium and electronic equipment | |
| CN112417371A (en) | Method for monitoring running state of intelligent electric energy meter in distribution network area | |
| Qin et al. | Statistical process monitoring based on just-in-time feature analysis | |
| CN113128612B (en) | Processing method of abnormal value in power data and terminal equipment | |
| CN113110961B (en) | Equipment abnormality detection method and device, computer equipment and readable storage medium | |
| CN117951695B (en) | Industrial unknown threat detection method and system | |
| CN107274025B (en) | System and method for realizing intelligent identification and management of power consumption mode | |
| CN117092581A (en) | Segment consistency-based method and device for detecting abnormity of electric energy meter of self-encoder | |
| CN117010442A (en) | Equipment residual life prediction model training method, residual life prediction method and system | |
| Cerqueira et al. | Vest: Automatic feature engineering for forecasting | |
| CN116975535A (en) | Multi-parameter data analysis method based on soil environment monitoring data | |
| CN111091243A (en) | PCA-GM-based power load prediction method, system, computer-readable storage medium, and computing device | |
| CN111008673A (en) | Method for collecting and extracting malignant data chain in power distribution network information physical system | |
| CN115270861A (en) | Product composition data monitoring method and device, electronic equipment and storage medium | |
| CN115130584A (en) | Time series prediction method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |