CN-121411274-B - Abnormal behavior identification method, equipment and device of industrial control system

Abstract

The application relates to the technical field of industrial data analysis, in particular to an abnormal behavior identification method, equipment and a device of an industrial control system, wherein the method comprises the steps of determining a first noise interference value for fitting errors in the fitting process of each type of operation data and correlation among all types of operation data based on the distribution of each type of operation data difference among all adjacent acquisition moments in each historical period; determining a second noise interference value based on the autocorrelation of the network flow data at all the acquisition moments in each historical period, and determining a rejection coefficient by combining the first noise interference value, so as to reject all the operation data in each historical period, and identifying the abnormal behavior of the industrial control system based on the operation data after the rejection. By evaluating and removing the noisy data, the accuracy and reliability of identifying the abnormal running state of the industrial control system are improved.

Inventors

• XU PAN
• LAN CHENXI
• HENG JUN

Assignees

• 中坤能源科技研究院(西安)有限公司

Dates

Publication Date

20260512

Application Date

20251105

Claims (8)

1. 1. A method for identifying abnormal behavior of an industrial control system, the method comprising the steps of: acquiring all kinds of operation data and network flow data of an industrial control system at any acquisition time in each preset historical period; Determining a slowly-varying continuous characteristic value in each history period based on the distribution of each running data difference between all adjacent acquisition moments in each history period and fitting errors in the fitting process of each running data, determining a correlation characteristic value in each history period based on the correlation between all running data in each history period, and determining a first noise interference value in each history period by combining the slowly-varying continuous characteristic values; Determining a second noise interference value in each historical period based on the autocorrelation of the network flow data at all the acquisition moments in each historical period, and determining a rejection coefficient in each historical period by combining the first noise interference value; performing rejection processing on all operation data in each historical period based on the rejection coefficient, and identifying abnormal behaviors of the industrial control system based on the operation data after the rejection processing; The first noise interference value in each history period is the result of taking the reciprocal of the average value of the normalized value of the slowly-varying continuous characteristic value and the normalized value of the correlation characteristic value in each history period; And the second noise interference value under each history period is the reciprocal of the maximum value in the autocorrelation coefficients of the network flow data under all acquisition moments in each history period under all time lags.
2. 2. The method for identifying abnormal behavior of an industrial control system according to claim 1, wherein the method for determining the gradual continuous characteristic value in each history period is as follows: Calculating the sum of absolute values of all elements in a first-order differential sequence of each operation data in each history period, and recording the reciprocal of the sum as a slowly-varying characteristic value of each operation data in each history period; Fitting each piece of operation data in each historical period to obtain a fitted curve, calculating the average value of the difference between each piece of operation data and the fitted value on the fitted curve, and recording the reciprocal of the average value as the continuous characteristic value of each piece of operation data in each historical period; Calculating the average value of the normalized value of the gradual change characteristic value and the normalized value of the continuous characteristic value of each kind of operation data in each history period, recording the average value as the comprehensive characteristic value of each kind of operation data in each history period, and taking the average value of the comprehensive characteristic values of all kinds of operation data in each history period as the gradual change continuous characteristic value in each history period.
3. 3. The method for identifying abnormal behavior of industrial control system according to claim 1, wherein the correlation characteristic value in each history period is a mean value of absolute values of correlation coefficients between all kinds of operation data in each history period.
4. 4. The method for identifying abnormal behavior of industrial control system according to claim 1, wherein the rejection coefficient in each history period is a result of forward fusion of the first noise interference value and the second noise interference value in each history period.
5. 5. The method for identifying abnormal behavior of an industrial control system according to claim 1, wherein said removing all kinds of operation data in each history period based on said removing coefficient comprises: And eliminating all kinds of operation data under the previous preset number of historical time periods in the eliminating coefficient descending order arrangement results in all the historical time periods.
6. 6. The method for identifying abnormal behavior of an industrial control system according to claim 1, wherein the identifying abnormal behavior of the industrial control system based on the operation data after the culling process comprises: Acquiring the operation states of the industrial control system in all the historical time periods, setting labels for the operation states, eliminating all the operation data in the residual historical time periods in all the historical time periods and the operation state labels in the corresponding time periods as the input of the neural network, and outputting a trained neural network model; And taking all operation data in the industrial control system in the current period as input of a trained neural network model, and outputting an operation state identification result of the industrial control system in the current period.
7. 7. An abnormal behavior recognition apparatus of an industrial control system, the apparatus having stored therein a computer program, characterized in that the computer program, when executed by a processor, implements an abnormal behavior recognition method of an industrial control system according to any one of claims 1-6.
8. 8. An abnormal behavior recognition device of an industrial control system, comprising a memory, a processor and a computer program stored in the memory and running on the processor, characterized in that the processor, when executing the computer program, realizes the steps of an abnormal behavior recognition method of an industrial control system according to any one of claims 1-6.

Description

Abnormal behavior identification method, equipment and device of industrial control system Technical Field The application relates to the technical field of industrial data analysis, in particular to a method, equipment and a device for identifying abnormal behaviors of an industrial control system. Background An industrial control system is a computer system for an automated production process, and is used for monitoring, controlling and optimizing the automated production process of an industry, so that abnormal operation behaviors in the industrial control system need to be identified to discover potential faults and safety problems of industrial equipment in time, and to avoid the occurrence of interruption of the automated production, degradation of product quality or safety accidents. Existing methods typically use historical data randomly drawn from an empirical playback buffer to train an abnormal behavior recognition model, however, industrial control systems are noisy in the environment and sensors can introduce disturbances in data acquisition and transmission. If the random samples containing noise are directly used for training, the model learns false modes generated by the noise, but not real system behaviors, so that the accuracy and generalization capability of the model are seriously damaged, and finally, the real anomalies are difficult to effectively identify in a complex industrial control environment, and the accuracy and reliability of identifying the anomalies of the operation state of the industrial control system are reduced. Disclosure of Invention In a first aspect, an embodiment of the present application provides a method for identifying abnormal behavior of an industrial control system, including the steps of: acquiring all kinds of operation data and network flow data of an industrial control system at any acquisition time in each preset historical period; Determining a slowly-varying continuous characteristic value in each history period based on the distribution of each running data difference between all adjacent acquisition moments in each history period and fitting errors in the fitting process of each running data, determining a correlation characteristic value in each history period based on the correlation between all running data in each history period, and determining a first noise interference value in each history period by combining the slowly-varying continuous characteristic values; Determining a second noise interference value in each historical period based on the autocorrelation of the network flow data at all the acquisition moments in each historical period, and determining a rejection coefficient in each historical period by combining the first noise interference value; and carrying out rejection processing on all operation data in each history period based on the rejection coefficient, and identifying abnormal behaviors of the industrial control system based on the operation data after the rejection processing. Preferably, the method for determining the gradual continuous characteristic value under each history period comprises the following steps: Calculating the sum of absolute values of all elements in a first-order differential sequence of each operation data in each history period, and recording the reciprocal of the sum as a slowly-varying characteristic value of each operation data in each history period; Fitting each piece of operation data in each historical period to obtain a fitted curve, calculating the average value of the difference between each piece of operation data and the fitted value on the fitted curve, and recording the reciprocal of the average value as the continuous characteristic value of each piece of operation data in each historical period; Calculating the average value of the normalized value of the gradual change characteristic value and the normalized value of the continuous characteristic value of each kind of operation data in each history period, recording the average value as the comprehensive characteristic value of each kind of operation data in each history period, and taking the average value of the comprehensive characteristic values of all kinds of operation data in each history period as the gradual change continuous characteristic value in each history period. Preferably, the correlation characteristic value under each history period is a mean value of absolute values of correlation coefficients between all kinds of operation data in each history period. Preferably, the first noise interference value in each history period is the result of taking the reciprocal of the average value of the normalized value of the slowly varying continuous characteristic value and the normalized value of the correlation characteristic value in each history period. Preferably, the second noise interference value in each history period is the reciprocal of the maximum value in the autocorrelation coefficients of the network traffic