# Research on Intrusion Detection of Industrial Control System Based on Deep Convolution Network and K-Means

DOI: 10.12677/CSA.2020.1011225. Supported by the National Natural Science Foundation of China.

Abstract: With the rise of the Internet of Things and intelligent manufacturing, the information security of industrial control systems has received more and more attention, especially because a network attack on public security control points can easily paralyze urban lifeline networks. To avoid the disasters such attacks could cause, this project makes an in-depth study of intrusion detection systems (IDS) and proposes an intrusion detection method for industrial control systems based on a deep convolutional network and k-means. Experimental results show that this method outperforms other methods on most performance indicators on a data set from a reservoir in Quzhou.

1. Introduction

2. Domestic and International Research Status

2.1. Misuse-Based Intrusion Detection Systems

2.2. Anomaly-Based Intrusion Detection Systems

3. Measurement Principle

3.1. Combining K-Means Anomaly Detection with Convolutional Autoencoder Anomaly Detection

Figure 1. System architecture

1) The anomaly detector is trained in a semi-supervised way: in practice it is trained only on normal data and learns the characteristics of normal behavior, which is enough to distinguish anomalous behavior that deviates from normal.

2) K-means is chosen to learn the normal interval of each attribute value, and values in the test data that fall outside these ranges are then identified as anomalies.

3) A deep-learning convolutional autoencoder learns the normal variation patterns of the data and is used to detect anomalous behavior.

$F_{CAD}(x_t)=\begin{cases}1 & \text{if } \mathrm{MSE}(x_t,\hat{x}_t) > 0\\ 0 & \text{otherwise}\end{cases}$ (1)

When $F_{CAD}(x_t)$ outputs 1, the CAE anomaly detection method judges $x_t$ to be anomalous; otherwise it is normal. Here $\mathrm{MSE}(x_t,\hat{x}_t)$ is the mean square error (MSE).

$F_{CAD}(x_t)=\begin{cases}1 & \text{if } F_{KAD}(x_t) > 0 \text{ and } F_{CAD}(x_t)=0\\ 0 & \text{otherwise}\end{cases}$ (2)

$F_{KAD}(x_t)=\begin{cases}1 & \text{if } \exists\, d_{ti} > g(l_{ti}, i),\ \text{for } i=0,1,2,\cdots\\ 0 & \text{otherwise}\end{cases}$ (3)
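The k-means half of the scheme (item 2 above and eq. (3)) as an added, runnable example; this is not the paper's code. The CAE term of eq. (2) is left out, and the threshold function g(l, i), which the paper does not specify, is assumed to be a margin times the largest training distance seen in cluster l. The reservoir readings are constructed for the example.

```python
def nearest(centers, v):
    """Index of the cluster center closest to scalar v (l_ti in eq. 3)."""
    return min(range(len(centers)), key=lambda j: abs(v - centers[j]))

def kmeans_1d(values, k, iters=100):
    """Lloyd's k-means on one attribute (k >= 2), seeded with evenly spaced order statistics."""
    sv = sorted(values)
    centers = [sv[round(j * (len(sv) - 1) / (k - 1))] for j in range(k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for v in values:
            groups[nearest(centers, v)].append(v)
        new = [sum(g) / len(g) if g else centers[j] for j, g in enumerate(groups)]
        if new == centers:
            break
        centers = new
    return centers

def fit_intervals(train_rows, k=2, margin=1.5):
    """Train on normal rows only. Per attribute returns (centers, g), g[l] the
    allowed distance from center l. The paper does not state g(l, i); it is
    ASSUMED here to be `margin` times the largest training distance in cluster l."""
    model = []
    for i in range(len(train_rows[0])):
        col = [r[i] for r in train_rows]
        centers = kmeans_1d(col, k)
        radius = [0.0] * k
        for v in col:
            l = nearest(centers, v)
            radius[l] = max(radius[l], abs(v - centers[l]))
        model.append((centers, [margin * r for r in radius]))
    return model

def f_kad(model, x):
    """Eq. (3): 1 if some attribute i has d_ti > g(l_ti, i), else 0."""
    for i, (centers, g) in enumerate(model):
        l = nearest(centers, x[i])
        if abs(x[i] - centers[l]) > g[l]:
            return 1
    return 0

# Constructed sample (not real reservoir data): (water level, outflow) in two normal modes.
NORMAL = [(9.8, 4.8), (9.9, 4.9), (10.0, 5.0), (10.1, 5.1), (10.2, 5.2),
          (19.7, 11.8), (19.9, 11.9), (20.0, 12.0), (20.1, 12.1), (20.3, 12.2)]
TEST = [(10.1, 5.05), (15.0, 5.0), (20.0, 8.0), (20.2, 12.25)]

def detect(train_rows=NORMAL, test_rows=TEST):
    model = fit_intervals(train_rows)
    return [f_kad(model, x) for x in test_rows]  # returns [0, 1, 1, 0]
```

The second and third test rows are flagged because a single attribute (level, then outflow) falls outside every learned interval, which is exactly the existential condition in eq. (3).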

3.2. Analysis of Results

Figure 2. Combined k-means and convolutional autoencoder

Table 1. Comparison of effectiveness on the reservoir data set

4. Conclusion
