CN-121750371-B - Industrial control system abnormal intrusion detection method and system based on behavior analysis
Abstract
The invention relates to the technical field of industrial control system safety, and discloses an industrial control system abnormal intrusion detection method and system based on behavior analysis. The method comprises the steps of first collecting multi-source data on equipment running, network interaction and operation behavior and carrying out cleaning and standardization preprocessing; then, within a set time window, calculating the peak deviation degree and the change rate abnormality degree of the equipment parameters, calculating the frequency and message size deviation degrees of the network communication flows, and calculating the frequency and sequence logic abnormality degrees of the operation behavior, and weighting and fusing each group to form three behavior abnormality indexes for the equipment, the network and the operation; finally, judging whether abnormal intrusion exists either by directly comparing the indexes with their early warning threshold values or by calculating the cosine similarity between the characteristic vector formed by the indexes and the standard vector. The invention realizes accurate quantification and fused perception of the multi-level, multi-dimensional abnormal behaviors of the industrial control system and effectively improves the detection capability against complex attacks.
Inventors
- Chai Yuzhong
- LIU YANG
- ZHANG YUCHAO
- SHEN ZHEHUI
- WU BIN
- LIU JIANGNAN
- XU CHAO
- ZHONG TIANYI
Assignees
- 浙江瑞通电子科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260224
Claims (6)
- 1. The industrial control system abnormal intrusion detection method based on behavior analysis is characterized by comprising the following steps: step S1, multi-source behavior data in an industrial control system are collected in real time, wherein the multi-source behavior data comprise equipment operation behavior data, network interaction behavior data and operation behavior data; step S2, preprocessing the behavior data acquired in the step S1, wherein the preprocessing comprises cleaning and standardization processing; step S3, extracting features of the preprocessed data to obtain feature indexes representing each behavior; step S4, judging whether abnormal intrusion exists or not based on the characteristic indexes representing the behaviors and the characteristic index early warning threshold values representing the behaviors; the working process of the step S3 further includes: The operation types in the system are as follows Class, item I Class operation type is noted , wherein, Belonging to Based on the historical normal data, the normal behavior baseline of the system in the period T is counted, wherein the average occurrence frequency is calculated Standard deviation of frequency And allowed set of operating contexts, for the first Class operation type is noted Calculate it in the current time window Internal corresponding operating frequency anomaly And operating sequence anomaly degree ; The operating frequency anomaly degree The calculation process comprises the following steps: Acquiring a window of time at the present time In, operate Number of actual occurrences Its frequency is Operating frequency anomaly degree ; Degree of abnormality of the operation sequence The calculation process comprises the following steps: Defining a transfer matrix , , =1 Denotes operation Then allow for subsequent execution , =0 Denotes operation Then follow to execute Never occurs or is disabled in the normal flow; Acquiring a current time window Inner part Co-occurrence of Secondary operations forming a sequence of operations According to the operation log, statistics The number of illegal transfers after the secondary operation, i.e. in progress Then the number of operations never occurring or prohibited in the normal flow is performed Operational sequence anomaly , wherein, More than or equal to 2, if Less than 2, then =0; Operational behavioral anomaly indicators In which, in the process, For the weight coefficient corresponding to the operating frequency anomaly, Is the first The weight coefficient corresponding to the class operation type; the working process of the step S4 includes: respectively comparing the current equipment behavior abnormal index, the network behavior abnormal index and the operation behavior abnormal index with the characteristic index early warning thresholds of all behaviors, judging that abnormal intrusion exists if any abnormal index is larger than the corresponding early warning threshold, otherwise, further constructing a current behavior characteristic vector from the current equipment behavior abnormal index, the network behavior abnormal index and the operation behavior abnormal index, acquiring the characteristic index early warning thresholds of all behaviors to construct a standard behavior characteristic vector, calculating the cosine similarity between the current behavior characteristic vector and the standard behavior characteristic vector, and indicating that abnormal intrusion currently exists if the cosine similarity is smaller than a deviation threshold set by the system.
- 2. The method for detecting abnormal intrusion of an industrial control system based on behavioral analysis according to claim 1, wherein in step S1: The device behavior data comprises various device operation parameters, the network behavior data comprises communication frequency and message size, and the operation behavior data comprises various operation type occurrence times.
- 3. The method for detecting abnormal intrusion of an industrial control system based on behavioral analysis according to claim 2, wherein the operation of step S2 includes: data cleaning, namely adopting a mean filling, median filling or interpolation filling method according to the data type for missing values, adopting a 3-sigma criterion and a box plot method for identifying and eliminating abnormal values, and directly carrying out duplicate removal for repeated data; after the cleaning is finished, the data is standardized, wherein a standardization formula is adopted to convert the data into standardized data of uniform magnitude, and the standardization formula is as follows: wherein is the raw data to be processed, is the minimum of all historical normal data in the current behavioral data dimension, is the maximum of all historical normal data in the current behavioral data dimension, and is the normalized data.
- 4. The method for detecting abnormal intrusion of an industrial control system based on behavioral analysis according to claim 2, wherein the operation of step S3 comprises: The device in the system has n operation parameters, and for the ith operation parameter of the device, the current setting time window In the method, ith equipment operation parameter data of m continuous sampling time points are acquired, and the ith equipment operation parameter data in a time window is constructed The observation sequence in the inner part is Wherein i thereof belongs to n, , Is the current moment; For sequences In m parameters, the system calculates two characteristic quantities, namely peak deviation degree And rate of change abnormality ; The degree of deviation of the peak value The calculation process comprises the following steps: In a set time window In, find the maximum value of the operation parameter data of the ith equipment Calculating the operation parameters of the ith equipment in a time window according to the sequence A Mean value of the interior And standard deviation Peak deviation: ; Degree of abnormality in the rate of change The calculation process comprises the following steps: first calculate the sequence Two continuous data change rates of m parameters in a window are constructed, and the continuous data change rates in the window are constructed The observation sequence in the inner part is , wherein, J is m, in the set time window In, find the maximum value of the variation rate of the operation parameters of the ith equipment Calculating the change rate of the ith equipment operation parameter in a time window according to the sequence B Mean value of the interior And standard deviation The rate of change anomaly: ; Device behavioral abnormality indicators , wherein, For the weight coefficient corresponding to the degree of peak deviation, And the weight coefficient corresponding to the ith equipment operation parameter.
- 5. The method for detecting abnormal intrusion of an industrial control system based on behavior analysis according to claim 2, wherein the operation of step S3 further comprises: The network in the system has x communication flows, each communication flow is marked as the y-th communication flow, wherein y belongs to x, and the current setting time window is that The working state parameters of the monitoring of the y-th communication flow comprise communication frequency and message size, and the corresponding frequency deviation index is calculated And degree of deviation of message size ; The frequency deviation index The calculation process comprises the following steps: acquiring the communication frequency of the y-th communication in the current time window T According to the historical normal data, the communication frequency of the y-th communication flow is in a period Internal compliance mean And standard deviation Then the frequency deviation index ; The deviation of the message size The calculation process comprises the following steps: acquiring the size of the y-th communication flow message in the current time window T According to the historical normal data, the message size of the y-th communication flow is in a time window Internal compliance mean And standard deviation Message size deviation degree ; Network behavior anomaly index , wherein, For the weight coefficient corresponding to the frequency deviation index, And the weight coefficient corresponding to the y-th communication flow.
- 6. An industrial control system anomaly intrusion detection system based on behavioral analysis for implementing the industrial control system anomaly intrusion detection method based on behavioral analysis of any one of claims 1 to 5, the system comprising: The data acquisition module is used for acquiring equipment operation behavior data, network interaction behavior data and operation behavior data related in the industrial control system; the data preprocessing module is connected with the data acquisition module and is used for cleaning, standardizing and extracting the acquired behavior data; the abnormality detection module is connected with the data acquisition module and the data preprocessing module and is used for judging whether abnormal invasion exists or not.
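The operation-behavior index of claim 1 (frequency anomaly, sequence anomaly against a transfer matrix, weighted fusion) and the two-stage decision of step S4 (threshold comparison, then cosine similarity against the standard vector), as an added worked example that is not part of the patent. Because this page does not reproduce the formulas, the z-score form of the frequency anomaly, the division by k-1 in the sequence anomaly, and the toy transfer matrix and numbers are all assumptions.

```python
import math

# Constructed transfer matrix for a toy operator workflow: the set holds the
# (previous, next) pairs whose matrix entry is 1; every other pair has entry 0.
ALLOWED: set[tuple[str, str]] = {
    ("login", "read"), ("read", "read"), ("read", "write"),
    ("write", "read"), ("read", "logout"), ("write", "logout"),
}

def frequency_anomaly(count: int, window: float, mean: float, std: float) -> float:
    """Operating-frequency anomaly of one operation type: distance of the window
    frequency count/window from the baseline mean, in baseline standard
    deviations (z-score form is an assumption; the page omits the formula)."""
    return abs(count / window - mean) / std if std > 0 else 0.0

def sequence_anomaly(ops: list[str], allowed: set[tuple[str, str]]) -> float:
    """Operating-sequence anomaly: transitions among the k-1 consecutive pairs
    that the transfer matrix disallows, divided by k-1 (assumed); 0 if k < 2."""
    k = len(ops)
    if k < 2:
        return 0.0
    illegal = sum(1 for a, b in zip(ops, ops[1:]) if (a, b) not in allowed)
    return illegal / (k - 1)

def operation_behavior_index(per_type: dict[str, tuple[float, float]],
                             w_freq: float, class_weight: dict[str, float]) -> float:
    """Weight frequency anomaly by w_freq and sequence anomaly by 1 - w_freq for
    each operation type, then sum with the per-class weight coefficients."""
    return sum(class_weight[t] * (w_freq * f + (1.0 - w_freq) * s)
               for t, (f, s) in per_type.items())

def cosine_similarity(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def detect(indexes: list[float], thresholds: list[float], deviation: float) -> bool:
    """Step S4: (device, network, operation) indexes against their early-warning
    thresholds; any exceedance is an intrusion, otherwise flag when the cosine
    similarity to the standard (threshold) vector drops below `deviation`."""
    if any(i > t for i, t in zip(indexes, thresholds)):
        return True
    return cosine_similarity(indexes, thresholds) < deviation
```

Note that the cosine stage is direction-based: a profile that stays under every threshold but concentrates its deviation in one dimension (for example a high operation index with quiet device and network indexes) is still flagged, because it points away from the balanced standard vector.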
Description
Industrial control system abnormal intrusion detection method and system based on behavior analysis
Technical Field
The invention relates to the technical field of industrial control system safety, in particular to an industrial control system abnormal intrusion detection method and system based on behavior analysis.
Background
The industrial control system is widely applied in key infrastructure fields such as electric power, petroleum, the chemical industry and intelligent manufacturing, and its safe and stable operation is directly related to national economic safety and public benefits. With the development of the industrial internet, the industrial control system gradually shifts from a closed offline operation mode to an open networked mode, which greatly increases the risk of network attacks and intrusions faced by the industrial control system. For abnormal intrusion detection in industrial control systems, the existing detection means usually analyze a single dimension, such as network traffic, equipment logs or user operations, in isolation, and lack the capability of carrying out multidimensional association and fusion analysis across the physical running state of the equipment, the network communication pattern and the control behavior of an operator (or a program), so these problems remain unsolved.
Disclosure of Invention
The invention aims to provide an industrial control system abnormal intrusion detection method and system based on behavior analysis, which solve the technical problems above.
An industrial control system abnormal intrusion detection method based on behavior analysis comprises the following steps: step S1, multi-source behavior data in an industrial control system are collected in real time, wherein the multi-source behavior data comprise equipment operation behavior data, network interaction behavior data and operation behavior data; step S2, preprocessing the behavior data acquired in the step S1, wherein the preprocessing comprises cleaning and standardization processing; step S3, extracting features of the preprocessed data to obtain feature indexes representing each behavior; and step S4, judging whether abnormal intrusion exists based on the characteristic indexes representing the behaviors and the characteristic index early warning threshold values representing the behaviors. As a further description of the technical solution of the present invention, in step S1: the device behavior data comprises various device operation parameters, the network behavior data comprises communication frequency and message size, and the operation behavior data comprises the occurrence counts of various operation types.
As a further description of the technical solution of the present invention, the working process of step S2 includes: data cleaning, namely adopting a mean filling, median filling or interpolation filling method according to the data type for missing values, adopting a 3-sigma criterion and a box plot method for identifying and eliminating abnormal values, and directly carrying out duplicate removal for repeated data; after the cleaning is finished, the data is standardized, wherein a standardization formula is adopted to convert the data into standardized data of uniform magnitude, and the standardization formula is as follows: wherein is the raw data to be processed, is the minimum of all historical normal data in the current behavioral data dimension, is the maximum of all historical normal data in the current behavioral data dimension, and is the normalized data. As a further description of the technical solution of the present invention, the working process of step S3 includes: The device in the system has n operation parameters, and for the ith operation parameter of the device, the current setting time window In the method, ith equipment operation parameter data of m continuous sampling time points are acquired, and the ith equipment operation parameter data in a time window is constructed The observation sequence in the inner part is Wherein i thereof belongs to n, , Is the current moment; For sequences In m parameters, the system calculates two characteristic quantities, namely peak deviation degree And rate of change abnormality ; The degree of deviation of the peak value The calculation process comprises the following steps: In a set time window In, find the maximum value of the operation parameter data of the ith equipment Calculating the operation parameters of the ith equipment in a time window according to the sequence A Mean value of the interior And standard deviation Peak deviation: ; Degree of abnormality in the rate of change The calculation process comprises the following steps: first calculate the sequence Two continuous data change rates of m parameters in a window are constructed, and the continuous data change rates in the window are constructed The observation sequence in the inner p