Search

CN-121984715-A - Network anomaly detection method and device for numerical control system

CN121984715ACN 121984715 ACN121984715 ACN 121984715ACN-121984715-A

Abstract

The application discloses a network abnormality detection method and device of a numerical control system, which relate to the technical field of industrial network safety and mainly aim at discovering network abnormality of the numerical control system by identifying time sequence abnormality of key processing parameters so as to improve the accuracy of network abnormality detection of the numerical control system and reduce the omission factor of the network abnormality; the method comprises the steps of selecting a target time sequence model matched with a processing scene of a numerical control system to be detected, wherein the target time sequence model is used for representing a normal time sequence change track of parameter values of key processing parameters in the processing scene in a processing period, carrying out sliding window segmentation on network flow data continuously generated by the numerical control system based on a target time window, carrying out parallel key processing parameter time sequence abnormality detection on each time window data based on the normal time sequence change track represented by the target time sequence model if a target number of time window data are obtained through each segmentation, and determining network abnormality of the numerical control system if the key processing parameter time sequence abnormality is detected.

Inventors

  • ZHANG ZHAO
  • YANG PING
  • JI WEI

Assignees

  • 奇安信网神信息技术(北京)股份有限公司

Dates

Publication Date
20260505
Application Date
20251230

Claims (12)

  1. 1. A network anomaly detection method for a numerical control system, the method being applied to a network anomaly detection system, the method comprising: Selecting a target time sequence model matched with a processing scene of a numerical control system to be detected, wherein the target time sequence model is used for representing a normal time sequence change track of a parameter value of a key processing parameter in the processing scene in a processing period; performing sliding window segmentation on network flow data continuously generated by the numerical control system based on a target time window; Each time window data is divided to obtain a target number of time window data, and key processing parameter time sequence abnormality detection is carried out on each time window data in parallel based on a normal time sequence change track represented by the target time sequence model; and if the time sequence abnormality of the key processing parameters is detected, determining the network abnormality of the numerical control system.
  2. 2. The method of claim 1, wherein performing critical process parameter timing anomaly detection on each time window data in parallel based on the normal timing variation trajectory characterized by the target timing model comprises: The method comprises the steps of performing sliding matching on current time window data and the time sequence model, positioning first time points corresponding to key time points on a normal time sequence change track represented by the time sequence model in the current time window data, selecting target time points from the first time points in the current time window data, analyzing time deviation between the target time points and the corresponding key time points, and determining that the time sequence of the key processing parameters is abnormal if the current time window data is judged to be in a leading or lagging state relative to the normal time sequence change track based on the time deviation.
  3. 3. The method according to claim 1 or 2, wherein the parallel critical process parameter timing anomaly detection for each time window data based on the normal timing variation trace characterized by the target timing model comprises: the method comprises the steps of performing sliding matching on current time window data and the time sequence model, positioning a first time point corresponding to each key time point on a normal time sequence change track represented by the time sequence model in the current time window data, selecting a target time point from the first time points in the current time window data, comparing parameter values of each target time point with reasonable tolerance intervals of the corresponding key time points, and determining that the time sequence of the key processing parameters is abnormal if the parameter values of the target time points are not included in the reasonable tolerance intervals of the corresponding key time points.
  4. 4. The method of claim 2, wherein selecting the target point in time from the first point in time within the current time window data comprises: Determining a detection granularity value customized for the numerical control system currently; if the detection granularity value is not smaller than the full-quantity threshold value, selecting the full quantity of all the first time points as target time points; and if the detection granularity value is smaller than the full threshold, screening a target time point from the first time point in the current time window data based on the preset duty ratio corresponding to the detection granularity value.
  5. 5. The method of claim 1, wherein sliding window segmentation of network traffic data continuously generated by the numerical control system based on a target time window comprises: Continuously collecting network flow data generated by the numerical control system in a serial mode, sampling and screening the collected network flow data according to a first sampling proportion in the collecting process; Or alternatively, the first and second heat exchangers may be, Continuously acquiring network flow data generated by the numerical control system in a serial mode, writing the acquired network flow data into a cache memory, continuously sampling and screening the network flow data in the latest unit time in the cache memory according to a second sampling proportion, and performing sliding window segmentation on the sampled and screened network flow data based on a target time window.
  6. 6. The method of claim 1, wherein the network anomaly detection system maintains at least one process scene matched timing model, the method further comprising: If the fact that the target time sequence model matched with the processing scene of the numerical control system does not exist in the time sequence model maintained by the network anomaly detection system is judged, analyzing network flow data generated by the numerical control system in the processing scene, and determining the processing period of the numerical control system; collecting target network flow data of a plurality of processing periods, and fitting to obtain a time sequence model for representing a normal time sequence change track of a parameter value of a key processing parameter in the processing period in the processing scene; and selecting the time sequence model obtained by fitting as a target time sequence model matched with the processing scene of the numerical control system.
  7. 7. The method of claim 6, wherein analyzing the network traffic data generated by the numerical control system in the processing scene to determine the processing cycle of the numerical control system comprises continuously acquiring the network traffic data generated by the numerical control system in a serial manner in chronological order, and completely preserving all historical traffic data from the traffic data at the first acquisition time point; each time after a piece of flow data is acquired at a new time point, based on all currently stored time sequence flow data sequences, sequentially carrying out 1-step to N-step dislocation self-comparison operation, wherein N is the total number of the existing historical flow data before the new data acquisition, if a certain target dislocation step number exists in the comparison process, enabling the flow data at each acquisition time point in all time sequence flow data sequences to be completely consistent with the flow data at the corresponding acquisition time point of the target dislocation step number after the backward movement, and determining the numerical value obtained by multiplying the time difference of adjacent acquisition time points by the target dislocation step number as the processing period of the numerical control system; And/or the number of the groups of groups, Continuously acquiring network flow data generated by the numerical control system in a serial mode, and writing the acquired network flow data into a cache memory; according to a third sampling proportion, continuously sampling and screening the network flow data in the latest processing period in the cache memory to obtain target network flow data of the latest processing period until the number of accumulated processing periods reaches a number threshold; And/or the number of the groups of groups, The method further comprises the steps of selecting a key time point for the time sequence model to realize key processing parameter time sequence abnormality detection on the key time point based on the time sequence model and/or calibrating a periodic structure, sampling density and reasonable tolerance interval of the time sequence model according to the requirements of the processing scene before the time sequence model obtained by fitting is selected as a target time sequence model matched with the processing scene of the numerical control system.
  8. 8. The method of any of claims 1-2, 4-7, further comprising issuing a network anomaly alert for the numerical control system based on the detected critical process parameter timing anomalies and prompting an operational objective in the numerical control system affected by the critical process parameter anomalies.
  9. 9. A network anomaly detection device for a numerical control system, the device being applied to a network anomaly detection system, the device comprising: The selection module is used for selecting a target time sequence model matched with a processing scene of the numerical control system to be detected, wherein the target time sequence model is used for representing a normal time sequence change track of a parameter value of a key processing parameter in a processing period in the processing scene; the acquisition module is used for carrying out sliding window segmentation on the network flow data continuously generated by the numerical control system based on a target time window; The detection module is used for obtaining a target number of time window data in each division, and then carrying out key processing parameter time sequence abnormality detection on each time window data in parallel based on a normal time sequence change track represented by the target time sequence model; and the determining module is used for determining network abnormality of the numerical control system if the time sequence abnormality of the key processing parameter is detected.
  10. 10. A computer-readable storage medium, characterized in that the storage medium includes a stored program, wherein the program, when run, controls an apparatus in which the storage medium is located to execute the network anomaly detection method of the numerical control system according to any one of claims 1 to 8.
  11. 11. An electronic device comprising a memory for storing a program, and a processor coupled to the memory for executing the program to perform the network anomaly detection method of the numerical control system of any one of claims 1 to 8.
  12. 12. A computer program product comprising a computer program/computer executable instructions for performing the method for detecting network anomalies in a numerical control system according to any one of claims 1 to 8.

Description

Network anomaly detection method and device for numerical control system Technical Field The application relates to the technical field of industrial network security, in particular to a network anomaly detection method and device of a numerical control system. Background Along with the evolution of an industrial control system to a networking and intelligent direction, a networking numerical control system becomes an important component of the modern manufacturing industry, and equipment interconnection and remote control are realized through an open network interface, so that the production efficiency and flexibility are remarkably improved. However, networking also makes such a numerical control system face a network security threat, and an attacker may send malicious instructions through an intrusion system, resulting in production interruption, equipment damage and even security accidents, so that network anomalies of the numerical control system need to be detected. The network anomaly detection technology of the traditional numerical control system is mainly based on a static industrial white list, namely only legal instructions in the white list are allowed to control the numerical control system, so that abnormal behaviors are blocked. However, such techniques have a limitation in that if an attacker uses legal instructions in the white list to perform hidden malicious attacks, network anomaly detection will fail, resulting in network anomaly undetected, so that the digital control system is continuously attacked in communication that appears normal. Therefore, how to improve the accuracy of network anomaly detection of the numerical control system and reduce the omission factor of network anomaly is a problem to be solved urgently. Disclosure of Invention The application provides a network anomaly detection method and device of a numerical control system, which mainly aim to discover network anomalies of the numerical control system by identifying time sequence anomalies of key processing parameters so as to improve the accuracy of network anomaly detection of the numerical control system and reduce the omission ratio of the network anomalies. In order to achieve the above purpose, the present application mainly provides the following technical solutions: The network anomaly detection method of the numerical control system at least comprises the steps of selecting a target time sequence model matched with a processing scene of the numerical control system to be detected, wherein the target time sequence model is used for representing a normal time sequence change track of a parameter value of a key processing parameter in a processing period in the processing scene, carrying out sliding window segmentation on network flow data continuously generated by the numerical control system based on a target time window, carrying out parallel key processing parameter time sequence anomaly detection on each time window data based on the normal time sequence change track represented by the target time sequence model when the network flow data are segmented to obtain a target number of time window data, and determining network anomalies of the numerical control system if the key processing parameter time sequence anomaly is detected. In a second aspect, the present application provides a network anomaly detection device of a numerical control system, which is applied to the network anomaly detection system, where the network anomaly detection device of the numerical control system provided by the embodiment of the present application at least may include: The selection module is used for selecting a target time sequence model matched with a processing scene of the numerical control system to be detected, wherein the target time sequence model is used for representing a normal time sequence change track of a parameter value of a key processing parameter in a processing period in the processing scene; the acquisition module is used for carrying out sliding window segmentation on the network flow data continuously generated by the numerical control system based on a target time window; The detection module is used for obtaining a target number of time window data in each division, and then carrying out key processing parameter time sequence abnormality detection on each time window data in parallel based on a normal time sequence change track represented by the target time sequence model; and the determining module is used for determining network abnormality of the numerical control system if the time sequence abnormality of the key processing parameter is detected. In a third aspect, the present application provides a computer readable storage medium, where the storage medium includes a stored program, and when the program runs, controls a device where the storage medium is located to execute the network anomaly detection method of the numerical control system according to the first aspect. In a fourth aspect, t