CN118214584A - Industrial control network security risk prediction method and device - Google Patents

Publication number
CN118214584A
Authority
CN
China
Prior art keywords
risk prediction
security risk
industrial control
layer
control network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410203895.2A
Other languages
Chinese (zh)
Inventor
孙跃
司冠林
侯聪
董彬
苏煜粤
徐小天
陈威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
North China Electric Power Research Institute Co Ltd
Original Assignee
State Grid Corp of China SGCC
North China Electric Power Research Institute Co Ltd
Application filed by State Grid Corp of China SGCC, North China Electric Power Research Institute Co Ltd

Abstract

The invention provides an industrial control network security risk prediction method and device, and relates to the technical field of artificial intelligence. The method comprises: acquiring data to be detected for industrial control network security risk prediction, and preprocessing the data to be detected; and performing security risk prediction on the preprocessed data based on a preset industrial control network security risk prediction model to obtain a security risk prediction result, wherein the preset model extracts sample features using a denoising self-encoder with a weighted loss function and trains an LSTM integrated with an attention layer on those sample features. The device performs the above method. The method and device provided by the embodiments of the invention can improve the accuracy of industrial control network security risk prediction.

Description

Industrial control network security risk prediction method and device
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to an industrial control network security risk prediction method and device.
Background
In recent years, the number of attacks on industrial control networks and industrial control systems has risen year by year. Attackers targeting the industrial Internet have gradually become specialized and organized, and attack behaviors are continuously updated, shifting from traditional attack modes to more advanced forms such as 0-day vulnerability exploitation, nested attacks and latent Trojan implantation, and making use of a large number of interference factors from AI engineering, information engineering, avoidance engineering and social engineering. Likewise, as the relatively closed production environment of traditional industry is connected to the relatively open enterprise information network and the Internet, Internet security threats have penetrated the industrial field: attack paths have increased, and diverse network attacks reach the production line directly, making the safety hazards of industrial production more serious. In this situation, risk prediction for industrial control networks is important.
One prior-art approach builds an RBF neural network model for network security risk prediction through a large number of experiments and training. By using a neural network to predict network risk, this approach greatly improves risk prediction efficiency, but it suffers from difficult basis function selection and large data volume.
Another prior-art proposal is a Markov time-varying model that uses a time-varying system state transition probability matrix, breaking the assumption in conventional Markov prediction that the system state transition probability matrix does not vary with time. However, the model is not well suited to industrial control network systems: it uses principal component analysis during data sampling and classification, which reduces data dimensionality well and lightens the computational workload, but the overly simple model cannot meet the actual requirements of an industrial control network for data rigor and data precision.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides an industrial control network security risk prediction method and device, which can at least partially solve the problems in the prior art.
In one aspect, the invention provides an industrial control network security risk prediction method, which comprises the following steps:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
Wherein the preset industrial control network security risk prediction model extracts sample features using a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer on those sample features.
Wherein, the preprocessing the data to be detected includes:
Performing numerical processing on the data to be detected to obtain a numerical characteristic vector;
and carrying out standardization processing on the numerical characteristic vector to obtain a normalized numerical characteristic vector.
Wherein extracting sample features from the denoising self-encoder with a weighted loss function, comprises:
Obtaining a loss function of the denoising self-encoder with a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss item corresponding to the regularization item, the weight matrix and the sample characteristic number;
And extracting the sample characteristics according to the loss function.
The obtaining a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss term corresponding to the regularization term, the weight matrix and the sample characteristic number comprises the following steps:
The weighted loss function is expressed according to the following expression:
wherein $L_{DAE}$ is the weighted loss function, $L_{mse}$ is the reconstruction error obtained by mean square error calculation, $L_{reg}$ is the loss term corresponding to the regularization term, $W_L$ is the weight matrix, and $m$ is the number of sample features.
Wherein the LSTM integrated with the attention layer comprises a multi-attention layer, an LSTM layer, a Dropout layer and a self-attention layer;
Wherein the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer are sequentially connected.
The method for training the LSTM integrated with the attention layer according to the sample features to obtain a preset industrial control network security risk prediction model comprises the following steps:
Obtaining an LSTM neural network layer output state according to the sample characteristics, the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer;
Inputting the output state of the LSTM neural network layer to a full-connection layer to obtain a safety risk prediction value, and outputting the safety risk prediction value through an output layer;
And continuously optimizing the output safety risk prediction value through multiple times of training to obtain the preset industrial control network safety risk prediction model.
Wherein obtaining an LSTM neural network layer output state according to the sample feature, the multi-attention layer, the LSTM layer, the Dropout layer, and the self-attention layer includes:
inputting a training set obtained by dividing according to the sample characteristics into the multi-attention layer to obtain new sample characteristics dynamically allocated by an attention mechanism;
inputting the new sample characteristics to the LSTM layer to obtain model parameters;
inputting the model parameters to the Dropout layer to obtain optimized model parameters for improving the generalization capability of the model;
Inputting the optimized model parameters to the self-attention layer to obtain the output state of the LSTM neural network layer.
In one aspect, the present invention provides an industrial control network security risk prediction apparatus, including:
The system comprises an acquisition unit, a preprocessing unit and a control unit, wherein the acquisition unit is used for acquiring to-be-detected data of industrial control network security risk prediction and preprocessing the to-be-detected data;
The prediction unit is used for predicting the safety risk of the preprocessed data to be detected based on a preset industrial control network safety risk prediction model to obtain a safety risk prediction result;
Wherein the preset industrial control network security risk prediction model extracts sample features using a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer on those sample features.
In still another aspect, an embodiment of the present invention provides an electronic device, including: a processor, a memory, and a bus, wherein,
The processor and the memory complete communication with each other through the bus;
The memory stores program instructions executable by the processor, the processor invoking the program instructions capable of performing the method of:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
Wherein the preset industrial control network security risk prediction model extracts sample features using a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer on those sample features.
Embodiments of the present invention provide a non-transitory computer readable storage medium comprising:
The non-transitory computer readable storage medium stores computer instructions that cause the computer to perform the method of:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
Wherein the preset industrial control network security risk prediction model extracts sample features using a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer on those sample features.
According to the industrial control network security risk prediction method and device provided by the embodiment of the invention, the data to be detected of industrial control network security risk prediction is obtained, and the data to be detected is preprocessed; carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result; the preset industrial control network security risk prediction model extracts sample characteristics according to a denoising self-encoder with a weighted loss function, trains LSTM integrated with an attention layer according to the sample characteristics, and can improve accuracy of industrial control network security risk prediction.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. In the drawings:
Fig. 1 is a flowchart of an industrial control network security risk prediction method according to an embodiment of the present invention.
Fig. 2 is a flowchart of an industrial control network security risk prediction method according to another embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an industrial control network security risk prediction device according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present application and their descriptions herein are for the purpose of explaining the present application, but are not to be construed as limiting the application. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be arbitrarily combined with each other.
Fig. 1 is a flowchart of an industrial control network security risk prediction method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step S1: acquiring data to be detected for industrial control network security risk prediction, and preprocessing the data to be detected.
Step S2: performing security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
Wherein the preset industrial control network security risk prediction model extracts sample features using a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer on those sample features.
In step S1, the device acquires the data to be detected for industrial control network security risk prediction and preprocesses it. The device may be a computer device that performs the method, for example a server. It should be noted that the data acquisition and analysis in the embodiments of the present invention are authorized by the user. The data to be detected comprises industrial control network traffic, security logs, monitoring video and other data. Preprocessing the data to be detected comprises:
Performing numerical processing on the data to be detected to obtain a numerical characteristic vector;
and carrying out standardization processing on the numerical characteristic vector to obtain a normalized numerical characteristic vector.
In step S2, the device performs security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result. The preprocessed data can be input into the preset model, and the model's output is taken as the security risk prediction result, which may specifically include a security risk prediction level such as high risk, medium risk or low risk.
The preset industrial control network security risk prediction model extracts sample features using a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer on those sample features. Before the sample features are extracted, a dataset may be constructed as follows:
The risk prediction model dataset used by the invention mainly comprises industrial control network traffic, security logs, monitoring video and other data, which are concatenated into one dataset.
1) Industrial control network traffic: the various data packets transmitted over the network. Analyzing industrial control network traffic makes it possible to detect abnormal traffic such as attack traffic and malware propagation.
2) Attack event data: records of various network attack events, containing information such as the attack type, target and time.
3) Security log data: security log records of various network devices and systems.
Preprocessing data in a data set, including:
the numerical processing is described as follows:
Before data in the dataset is input to the model, the non-numeric features of the data must be converted into numerical features and mapped, a process known as feature encoding. The invention uses one-hot encoding to convert each nominal feature into a binary vector, and thereby into numerical values.
The normalization process is described as follows:
Because the numerical feature vectors have inconsistent scales in different dimensions, a model fed with them without normalization may be overly sensitive to certain features, which affects its reliability and stability. The data is therefore normalized so that all features are on the same scale, which makes analysis and comparison easier. The normalized data keeps the same linear distribution relationship as the original data, which helps improve the model's convergence speed and precision. The features are thus normalized so that the values of the macro parameters of the industrial control network security data are mapped into the interval [0,1], using the following formula:
where $x'$ is the normalized numerical feature vector and $x$ is the numerical feature vector before normalization.
The explanation of preprocessing the data to be tested in the use process of the preset industrial control network security risk prediction model is the same as the explanation of preprocessing the data in the data set, and is not repeated.
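The preprocessing described above, as an added example that is not part of the patent: the one-hot vocabulary and scaling bounds are learned once from the dataset and then reused unchanged on data to be detected, with unseen categories and out-of-range values flagged rather than silently rescaled. Min-max scaling is assumed (the page states only the [0,1] target interval), and the field names and records are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Preprocessor:
    nominal: list                      # names of nominal (non-numeric) fields
    numeric: list                      # names of numeric fields
    categories: dict = field(default_factory=dict)
    bounds: dict = field(default_factory=dict)

    def fit(self, records):
        """Learn the one-hot vocabulary and min/max bounds from the dataset."""
        for name in self.nominal:
            self.categories[name] = sorted({r[name] for r in records})
        for name in self.numeric:
            values = [float(r[name]) for r in records]
            self.bounds[name] = (min(values), max(values))
        return self

    def feature_names(self):
        """Column labels of the vector produced by transform()."""
        names = [f"{n}={c}" for n in self.nominal for c in self.categories[n]]
        return names + list(self.numeric)

    def transform(self, record):
        """Return (vector, notes); notes flag values never seen during fit."""
        vector, notes = [], []
        for name in self.nominal:
            value = record.get(name)
            known = self.categories[name]
            if value not in known:
                # An unseen category becomes an all-zero block; it is reported
                # so an analyst can tell "no match" from "missing field".
                notes.append(f"unseen {name}={value!r}")
            vector.extend(1.0 if value == c else 0.0 for c in known)
        for name in self.numeric:
            lo, hi = self.bounds[name]
            raw = float(record[name])
            if raw < lo or raw > hi:
                notes.append(f"{name}={raw} outside fitted range [{lo}, {hi}]")
            if hi == lo:
                # Constant column in the dataset: avoid division by zero.
                vector.append(0.0)
            else:
                # Assumed min-max scaling, clipped so the model input
                # always stays inside [0, 1].
                vector.append(min(1.0, max(0.0, (raw - lo) / (hi - lo))))
        return vector, notes


# Constructed flow records standing in for the dataset (hypothetical fields).
TRAIN = [
    {"proto": "modbus", "bytes": 120, "pkts": 4},
    {"proto": "dnp3", "bytes": 520, "pkts": 4},
    {"proto": "modbus", "bytes": 320, "pkts": 4},
]
# Constructed record standing in for data to be detected.
LIVE = {"proto": "s7comm", "bytes": 9000, "pkts": 9}

if __name__ == "__main__":
    pre = Preprocessor(nominal=["proto"], numeric=["bytes", "pkts"]).fit(TRAIN)
    print(pre.feature_names())
    print(pre.transform(TRAIN[2]))
    print(pre.transform(LIVE))
```

Clipping keeps the input in range, but the notes are worth logging: a burst of unseen protocols or out-of-range sizes means the data under test no longer resembles the dataset the bounds were fitted on.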
Extracting sample features from a denoising self-encoder with a weighted loss function, comprising:
Obtaining a loss function of the denoising self-encoder with a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss item corresponding to the regularization item, the weight matrix and the sample characteristic number;
And extracting the sample characteristics according to the loss function.
The obtaining a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss term corresponding to the regularization term, the weight matrix and the sample characteristic number comprises the following steps:
The weighted loss function is expressed according to the following expression:
wherein $L_{DAE}$ is the weighted loss function, $L_{mse}$ is the reconstruction error obtained by mean square error calculation, $L_{reg}$ is the loss term corresponding to the regularization term, $W_L$ is the weight matrix, and $m$ is the number of sample features.
The description is as follows:
To improve the accuracy of model prediction, feature selection is also required after the data has been converted to numerical form and normalized. Feature selection removes features in the dataset that are irrelevant to risk prediction or redundant, which reduces interference and noise and lowers the data dimensionality. Selecting, from the many feature sets, the feature subset most relevant to network security reduces computational complexity and thereby improves the generalization capability and accuracy of the model.
Common feature selection methods include k-means clustering, statistical methods based on information gain, principal component analysis and the like. Although these methods offer advantages such as high classification speed and a compact system, their detection precision is low and cannot meet the requirements of industrial control network risk prediction.
The method therefore uses a denoising self-encoder (denoising autoencoder, DAE) with a weighted loss function to perform feature selection on the dataset, extracting more meaningful features by introducing noise.
The DAE is a nonlinear feature extraction method that can effectively capture complex patterns and nonlinear relationships in data. During DAE training, the weighted loss function assigns different weights to the industrial control network data features, which induces the model to focus more on reconstructing attack samples, so that the selected features are more helpful for improving risk prediction accuracy. The L2 norm of each feature's row vector in the encoder weight matrix is calculated as the weight of that feature. The loss function of the DAE is:
where $m$ is the number of sample features; $L_{mse}$ is the reconstruction error calculated from the mean square error (MSE); $L_{reg}$ is the loss term corresponding to the regularization term; and $W_L$ is the weight matrix. The final loss function is obtained by combining the weight matrix into the mean square error loss.
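One possible reading of the feature weighting described above, as an added example that is not the patent's own code: each feature's weight is the L2 norm of its row in the encoder weight matrix, and that weight scales the feature's squared reconstruction error. The page's expression for $L_{DAE}$ did not survive, so the way the terms are combined, the tied-weight tanh/sigmoid network, the masking noise, `lam` and the constructed matrix are all assumptions.

```python
import math
import random


def feature_weights(encoder_w):
    """Weight of feature i = L2 norm of row i of the encoder weight matrix."""
    return [math.sqrt(sum(w * w for w in row)) for row in encoder_w]


def corrupt(x, drop_prob, rng):
    """Masking noise (assumed noise type): zero each feature with drop_prob."""
    return [0.0 if rng.random() < drop_prob else v for v in x]


def reconstruct(x_noisy, encoder_w):
    """Forward pass of a tied-weight autoencoder (assumed architecture):
    hidden = tanh(x W), output = sigmoid(hidden W^T)."""
    m, k = len(encoder_w), len(encoder_w[0])
    hidden = [
        math.tanh(sum(x_noisy[i] * encoder_w[i][j] for i in range(m)))
        for j in range(k)
    ]
    return [
        1.0 / (1.0 + math.exp(-sum(hidden[j] * encoder_w[i][j] for j in range(k))))
        for i in range(m)
    ]


def weighted_dae_loss(x, x_hat, encoder_w, lam=1e-3):
    """Assumed combination: feature-weighted squared error averaged over the
    m features, plus an L2 regularization term on the encoder weights."""
    m = len(x)
    w = feature_weights(encoder_w)
    l_mse = sum(w[i] * (x[i] - x_hat[i]) ** 2 for i in range(m)) / m
    l_reg = lam * sum(v * v for row in encoder_w for v in row)
    return {"l_mse": l_mse, "l_reg": l_reg, "l_dae": l_mse + l_reg}


# Constructed 3-feature, 2-hidden-unit encoder matrix. Row norms are about
# 1.0, 0.1 and 0.0, so feature 0 dominates the loss and feature 2 is ignored.
ENCODER_W = [
    [0.6, 0.8],
    [0.0, 0.1],
    [0.0, 0.0],
]

if __name__ == "__main__":
    rng = random.Random(7)
    x = [1.0, 0.2, 0.9]                      # constructed normalized sample
    x_hat = reconstruct(corrupt(x, 0.3, rng), ENCODER_W)
    print(feature_weights(ENCODER_W))
    print(weighted_dae_loss(x, x_hat, ENCODER_W))
```

Because the weights come from the encoder itself, a feature whose row has shrunk to zero contributes nothing to the reconstruction term, so its errors go unpenalized; that is worth checking when deciding which features the selection has effectively dropped.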
As shown in fig. 2, the LSTM integrated with the attention layer includes a multi-attention layer, an LSTM layer, a Dropout layer, and a self-attention layer;
Wherein the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer are sequentially connected.
Training the LSTM integrated with the attention layer according to the sample characteristics to obtain a preset industrial control network security risk prediction model, wherein the method comprises the following steps:
Obtaining an LSTM neural network layer output state according to the sample characteristics, the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer;
Inputting the output state of the LSTM neural network layer to a full-connection layer to obtain a safety risk prediction value, and outputting the safety risk prediction value through an output layer;
And continuously optimizing the output safety risk prediction value through multiple times of training to obtain the preset industrial control network safety risk prediction model.
The obtaining an LSTM neural network layer output state according to the sample feature, the multi-attention layer, the LSTM layer, the Dropout layer, and the self-attention layer includes:
inputting a training set obtained by dividing according to the sample characteristics into the multi-attention layer to obtain new sample characteristics dynamically allocated by an attention mechanism;
inputting the new sample characteristics to the LSTM layer to obtain model parameters;
inputting the model parameters to the Dropout layer to obtain optimized model parameters for improving the generalization capability of the model;
Inputting the optimized model parameters to the self-attention layer to obtain the output state of the LSTM neural network layer.
The sample features after DAE feature selection are divided into a training set $X_t$ and a test set $X_c$, and the training set is input to an ATT-LSTM-ATT (attention layer, long short-term memory network, attention layer) model.
The ATT-LSTM-ATT model input layer calculates the feature attention allocation. The multi-attention layer distributes attention across the features, with the following formulas:
$X_t W_Q = Q,\quad X_t W_K = K,\quad X_t W_V = V$
where $g_t$ is the attention distribution matrix; $W_Q$, $W_K$ and $W_V$ are the corresponding linear transformation matrices; $X_t$ is the sample feature after feature selection; $Q$ is the query vector; $K$ is the key vector; $V$ is the value vector; $T$ denotes the transpose; and tanh is the activation function.
The obtained attention distribution matrix is normalized:
where Softmax is a normalization function; $\alpha_t$ is the normalized attention distribution matrix; $f$ is the number of feature values; and $X'_t$ is the new sample feature dynamically allocated by the attention mechanism.
Inputting the new sample characteristics to the LSTM layer to obtain model parameters.
The ATT-LSTM-ATT model output layer calculates the time-series attention distribution. In combination with the prediction target, a self-attention mechanism analyzes the influence of historical time nodes on the current hidden layer state, dynamically allocates the time-series attention weights and weights them with the global hidden layer states to obtain the optimal output of the ATT-LSTM-ATT model's hidden layer. The expressions for this process are:
$h_t = \tanh(W_h [c_t; h_t])$
where $f(h_i, h_t)$ represents the attention distribution; $W_a$ and $W_h$ are the corresponding linear transformation matrices; $h_i$ is the $i$-th input; $\alpha_{i,t}$ represents the attention weight; $n$ is the sample size; $m$ is the number of steps of the sliding window; $s$ is the total number of inputs; $h_t$ is the hidden layer state quantity output; $c_t$ is the intermediate vector after the time-series attention distribution of the LSTM neural network layer; $h_t$ represents the LSTM neural network layer output state; and $[c_t; h_t]$ is the matrix formed by horizontally concatenating $c_t$ and $h_t$.
It should be noted that the two linear transformation matrices are weight parameter matrices to be trained; they are black-box variables with no concrete parameter definition, and only denote the linear transformation matrices of the respective steps.
Output of the ATT-LSTM-ATT model result: the output state of the LSTM neural network from the last step is input to a fully connected layer to obtain the final output of the model, calculated as:
$y_t = \tanh(V' h_t)$
where $y_t$ is the security risk prediction value, and $V'$ is the total weight matrix formed by concatenating $W_Q$ and $W_K$.
An optimal model is obtained through multiple rounds of training and deployed on the industrial control system to predict network security risk.
The industrial control network security risk prediction method provided by the embodiment of the invention has the following advantages. First, feature selection methods in current use, such as principal component analysis and k-means clustering, suffer from low detection precision and are not well suited to preliminary screening of industrial control network security data. In view of this, the denoising self-encoder with a weighted loss function used in the feature selection part gives more importance to attack-related features and removes irrelevant features and noise, so that the selection result is more useful to the subsequent prediction model. Second, the LSTM model is improved from the perspective of the internal structure of the neural network: a multi-attention mechanism and a self-attention mechanism are introduced into the LSTM neural network to construct the ATT-LSTM-ATT prediction model, and dynamic allocation by the attention mechanism assigns more attention weight to the more critical features. In addition, the self-attention mechanism analyzes the time-series characteristics of industrial control network security data in combination with historical information, mines information about key historical time points and gives those time points more weight, which optimizes the model output and greatly improves the model's prediction accuracy.
According to the industrial control network security risk prediction method provided by the embodiment of the invention, the data to be detected of industrial control network security risk prediction is obtained, and the data to be detected is preprocessed; carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result; the preset industrial control network security risk prediction model extracts sample characteristics according to a denoising self-encoder with a weighted loss function, trains LSTM integrated with an attention layer according to the sample characteristics, and can improve accuracy of industrial control network security risk prediction.
Further, the preprocessing the data to be detected includes:
Performing numerical processing on the data to be detected to obtain a numerical characteristic vector; the description of the embodiments may be referred to above, and will not be repeated.
And carrying out standardization processing on the numerical characteristic vector to obtain a normalized numerical characteristic vector. The description of the embodiments may be referred to above, and will not be repeated.
Further, extracting sample features using the denoising self-encoder with a weighted loss function comprises:
Obtaining a loss function of the denoising self-encoder with a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss item corresponding to the regularization item, the weight matrix and the sample characteristic number; the description of the embodiments may be referred to above, and will not be repeated.
And extracting the sample characteristics according to the loss function. The description of the embodiments may be referred to above, and will not be repeated.
Further, the obtaining a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss term corresponding to the regularization term, the weight matrix and the sample feature number comprises the following steps:
The weighted loss function is expressed according to the following expression:
Wherein $L_{DAE}$ is the weighted loss function, $L_{mse}$ is the reconstruction error obtained by mean square error calculation, $L_{reg}$ is the loss term corresponding to the regularization term, $W_L$ is the weight matrix, and $m$ is the number of sample features. The description of the embodiments may be referred to above, and will not be repeated.
Further, the LSTM integrated with the attention layer includes a multi-attention layer, an LSTM layer, a Dropout layer, and a self-attention layer;
Wherein the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer are connected in sequence. For details, refer to the description of the above embodiments, which is not repeated here.
Further, training the LSTM integrated with the attention layer according to the sample features to obtain the preset industrial control network security risk prediction model includes:
Obtaining an LSTM neural network layer output state according to the sample features, the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer; for details, refer to the description of the above embodiments, which is not repeated here.
Inputting the output state of the LSTM neural network layer to a fully connected layer to obtain a security risk prediction value, and outputting the security risk prediction value through an output layer; for details, refer to the description of the above embodiments, which is not repeated here.
Continuously optimizing the output security risk prediction value through multiple rounds of training to obtain the preset industrial control network security risk prediction model. For details, refer to the description of the above embodiments, which is not repeated here.
Further, obtaining the LSTM neural network layer output state according to the sample features, the multi-attention layer, the LSTM layer, the Dropout layer, and the self-attention layer includes:
Inputting a training set obtained by dividing the sample features into the multi-attention layer to obtain new sample features dynamically allocated by the attention mechanism; for details, refer to the description of the above embodiments, which is not repeated here.
Inputting the new sample features to the LSTM layer to obtain model parameters; for details, refer to the description of the above embodiments, which is not repeated here.
Inputting the model parameters to the Dropout layer to obtain optimized model parameters that improve the generalization capability of the model; for details, refer to the description of the above embodiments, which is not repeated here.
Inputting the optimized model parameters to the self-attention layer to obtain the output state of the LSTM neural network layer. For details, refer to the description of the above embodiments, which is not repeated here.
Fig. 3 is a schematic structural diagram of an industrial control network security risk prediction device according to an embodiment of the present invention, and as shown in fig. 3, the industrial control network security risk prediction device according to an embodiment of the present invention includes an obtaining unit 301 and a prediction unit 302, where:
The acquiring unit 301 is configured to acquire data to be detected for industrial control network security risk prediction, and to preprocess the data to be detected; the prediction unit 302 is configured to perform security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model, so as to obtain a security risk prediction result; wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
Specifically, the acquiring unit 301 in the device is configured to acquire data to be detected for industrial control network security risk prediction, and to preprocess the data to be detected; the prediction unit 302 is configured to perform security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model, so as to obtain a security risk prediction result; wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
The industrial control network security risk prediction device provided by the embodiment of the invention acquires the data to be detected for industrial control network security risk prediction and preprocesses the data to be detected; carries out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result; the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function and trains an LSTM integrated with an attention layer according to the sample features, which can improve the accuracy of industrial control network security risk prediction.
The embodiment of the present invention provides an industrial control network security risk prediction device, which may be specifically used to execute the processing flow of each method embodiment, and the functions thereof are not described herein again, and may refer to the detailed description of the method embodiments.
Fig. 4 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present invention, as shown in fig. 4, where the electronic device includes: a processor (processor) 401, a memory (memory) 402, and a bus 403;
Wherein, the processor 401 and the memory 402 complete the communication with each other through the bus 403;
the processor 401 is configured to call the program instructions in the memory 402 to perform the methods provided in the above method embodiments, for example, including:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the above-described method embodiments, for example comprising:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
The present embodiment provides a computer-readable storage medium storing a computer program that causes the computer to execute the methods provided by the above-described method embodiments, for example, including:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In the description of the present specification, reference to the terms "one embodiment," "one particular embodiment," "some embodiments," "for example," "an example," "a particular example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing description of the embodiments illustrates the general principles of the invention; it is not meant to limit the scope of the invention or to limit the invention to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. The industrial control network security risk prediction method is characterized by comprising the following steps of:
acquiring to-be-detected data of industrial control network security risk prediction, and preprocessing the to-be-detected data;
carrying out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
2. The industrial control network security risk prediction method according to claim 1, wherein the preprocessing the data to be detected comprises:
Performing numerical processing on the data to be detected to obtain a numerical characteristic vector;
and carrying out standardization processing on the numerical characteristic vector to obtain a normalized numerical characteristic vector.
3. The industrial control network security risk prediction method according to claim 1, wherein extracting sample features from a denoising self-encoder with a weighted loss function comprises:
obtaining the loss function of the denoising self-encoder with a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss term corresponding to the regularization term, the weight matrix and the number of sample features;
and extracting the sample features according to the loss function.
4. The industrial control network security risk prediction method according to claim 3, wherein the obtaining a weighted loss function according to the reconstruction error obtained by the mean square error calculation, the loss term corresponding to the regularization term, the weight matrix and the number of sample features includes:
The weighted loss function is expressed according to the following expression:
wherein L_DAE is the weighted loss function, L_mse is the reconstruction error obtained by mean square error calculation, L_reg is the loss term corresponding to the regularization term, W_L is the weight matrix, and m is the number of sample features.
5. The industrial control network security risk prediction method according to any one of claims 1 to 4, wherein the LSTM integrated with the attention layer includes a multi-attention layer, an LSTM layer, a Dropout layer, and a self-attention layer;
Wherein the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer are sequentially connected.
6. The industrial control network security risk prediction method according to claim 5, wherein training the LSTM integrated with the attention layer according to the sample features to obtain the preset industrial control network security risk prediction model comprises:
Obtaining an LSTM neural network layer output state according to the sample characteristics, the multi-attention layer, the LSTM layer, the Dropout layer and the self-attention layer;
inputting the output state of the LSTM neural network layer to a fully connected layer to obtain a security risk prediction value, and outputting the security risk prediction value through an output layer;
and continuously optimizing the output security risk prediction value through multiple rounds of training to obtain the preset industrial control network security risk prediction model.
7. The method for predicting the industrial control network security risk according to claim 6, wherein the obtaining the LSTM neural network layer output state according to the sample feature, the multi-attention layer, the LSTM layer, the Dropout layer, and the self-attention layer includes:
inputting a training set obtained by dividing according to the sample characteristics into the multi-attention layer to obtain new sample characteristics dynamically allocated by an attention mechanism;
inputting the new sample characteristics to the LSTM layer to obtain model parameters;
inputting the model parameters to the Dropout layer to obtain optimized model parameters for improving the generalization capability of the model;
Inputting the optimized model parameters to the self-attention layer to obtain the output state of the LSTM neural network layer.
8. An industrial control network security risk prediction device, which is characterized by comprising:
an acquisition unit, configured to acquire to-be-detected data of industrial control network security risk prediction and to preprocess the to-be-detected data;
a prediction unit, configured to carry out security risk prediction on the preprocessed data to be detected based on a preset industrial control network security risk prediction model to obtain a security risk prediction result;
wherein the preset industrial control network security risk prediction model extracts sample features according to a denoising self-encoder with a weighted loss function, and trains an LSTM integrated with an attention layer according to the sample features.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when the computer program is executed by the processor.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
Application number: CN202410203895.2A
Title: Industrial control network security risk prediction method and device
Priority date: 2024-02-23
Filing date: 2024-02-23
Status: Pending
Publication: CN118214584A (en), publication date 2024-06-18
Family ID: 91445415
Country: CN
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination