
WO-2026091013-A1 - METHOD, APPARATUS, DEVICE, AND MEDIUM FOR DETECTING ANOMALY IN OT NETWORK


Abstract

Embodiments of the present disclosure disclose a method, apparatus, device, and medium for detecting anomaly in an OT network. The method comprises: determining a first weight representing importance of a device in an OT network; determining a second weight representing importance of a connection in the OT network; determining a feature vector of the OT network based on the first weight and the second weight; and detecting an anomaly in the OT network based on the feature vector of the OT network. Determining the feature vector of the OT network based on the importance of devices and connections in the OT network can accurately detect OT network anomalies. Moreover, a clustering algorithm is used to optimize the graph structure of the OT network, so that key features of the graph structure can be accurately and effectively extracted, thus improving the anomaly detection accuracy.

Inventors

  • DIAO, Hai Yang

Assignees

  • SIEMENS AKTIENGESELLSCHAFT
  • SIEMENS LTD., CHINA

Dates

Publication Date
20260507
Application Date
20241031

Claims (14)

  1. A method for detecting anomaly in an OT network, comprising: determining (101) a first weight representing importance of a device in an OT network; determining (102) a second weight representing importance of a connection in the OT network; determining (103) a feature vector of the OT network based on the first weight and the second weight; and detecting (104) an anomaly in the OT network based on the feature vector of the OT network.
  2. The method according to claim 1, wherein the determining (101) a first weight representing importance of a device in an OT network comprises at least one of the following: determining the first weight based on an average load of the device in a predetermined time, wherein the first weight increases with the average load; determining the first weight based on type of the device, wherein the first weight increases with importance of the type of the device; determining the first weight based on a setting parameter of the device, wherein the first weight increases with importance of the setting parameter; determining the first weight based on authorization level of the device, wherein the first weight increases with the authorization level.
  3. The method according to claim 1, wherein the determining (102) a second weight representing importance of a connection in the OT network comprises at least one of the following: determining the second weight based on an average network traffic of the connection in a predetermined time, wherein the second weight increases with the average network traffic; determining the second weight based on type of the connection, wherein the second weight increases with importance of the type of the connection; determining the second weight based on communication frequency of the connection, wherein the second weight increases with the communication frequency; determining the second weight based on communication rate of the connection, wherein the second weight increases with the communication rate; determining the second weight based on source address of the connection, wherein the second weight increases with importance of the source address; determining the second weight based on destination address of the connection, wherein the second weight increases with importance of the destination address.
  4. The method according to claim 3, wherein the determining the second weight based on type of the connection comprises: determining the second weight as a first value when the type is an industrial communication connection; determining the second weight as a second value when the type is a universal communication connection; wherein the first value is greater than the second value.
  5. The method according to claim 1, wherein the determining (103) a feature vector of the OT network based on the first weight and the second weight comprises: determining a graph structure of the OT network; clustering the graph structure to obtain a cluster graph, the cluster graph comprising a cluster node and a cluster edge, wherein the cluster node corresponds to a cluster of devices, and the cluster edge corresponds to a connection between clusters; determining a feature vector of the cluster node based on feature vectors of respective devices in the cluster and the first weights of the respective devices; determining a feature vector of the cluster edge based on feature vectors of respective connections with respective devices in an adjacent cluster and the second weights of the respective connections; determining a feature vector of the OT network based on the feature vector of the cluster node and the feature vector of the cluster edge.
  6. The method according to any one of claims 1-5, wherein the detecting (104) an anomaly in the OT network based on the feature vector of the OT network comprises: performing a full connection operation on the feature vector of the OT network; inputting the feature vector on which the full connection operation has been performed into a trained classifier, wherein the classifier is suitable for predicting a probability of anomaly based on the feature vector on which the full connection operation has been performed; determining that an anomaly occurs in the OT network when the probability is greater than a predetermined threshold.
  7. The method according to claim 6, wherein the performing a full connection operation on the feature vector of the OT network comprises: inputting the feature vector of the OT network into a full connection module comprising a first full connection layer and a second full connection layer, wherein the first full connection layer performs a full connection operation on a concatenated feature vector of all cluster nodes in the feature vector of the OT network, and the second full connection layer performs a full connection operation on a concatenated feature vector of all cluster edges in the feature vector of the OT network; and concatenating the output vector of the first full connection layer and the output vector of the second full connection layer.
  8. An apparatus for detecting anomaly in an OT network, comprising: a first determining module (601), configured to determine a first weight representing importance of a device in an OT network; a second determining module (602), configured to determine a second weight representing importance of a connection in the OT network; a third determining module (603), configured to determine a feature vector of the OT network based on the first weight and the second weight; and a detecting module (604), configured to detect an anomaly in the OT network based on the feature vector of the OT network.
  9. The apparatus according to claim 8, wherein the first determining module (601) is configured to perform at least one of the following: determining the first weight based on an average load of the device in a predetermined time, wherein the first weight increases with the average load; determining the first weight based on type of the device, wherein the first weight increases with importance of the type; determining the first weight based on a setting parameter of the device, wherein the first weight increases with importance of the setting parameter; determining the first weight based on authorization level of the device, wherein the first weight increases with the authorization level.
  10. The apparatus according to claim 8, wherein the second determining module (602) is configured to perform at least one of the following: determining the second weight based on an average network traffic of the connection in a predetermined time, wherein the second weight increases with the average network traffic; determining the second weight based on type of the connection, wherein the second weight increases with importance of the type; determining the second weight based on communication frequency of the connection, wherein the second weight increases with the communication frequency; determining the second weight based on communication rate of the connection, wherein the second weight increases with the communication rate; determining the second weight based on source address of the connection, wherein the second weight increases with importance of the source address; determining the second weight based on destination address of the connection, wherein the second weight increases with importance of the destination address.
  11. The apparatus according to claim 8, wherein the third determining module (603) is configured to: determine a graph structure of the OT network; cluster the graph structure to obtain a cluster graph, the cluster graph comprising a cluster node and a cluster edge, wherein the cluster node corresponds to a cluster of devices, and the cluster edge corresponds to a connection between clusters; determine a feature vector of the cluster node based on feature vectors of respective devices in the cluster and the first weights of the respective devices; determine a feature vector of the cluster edge based on feature vectors of respective connections with respective devices in an adjacent cluster and the second weights of the respective connections; and determine a feature vector of the OT network based on the feature vector of the cluster node and the feature vector of the cluster edge.
  12. An electronic device, comprising a processor (701) and a memory (702), wherein an application program executable by the processor (701) is stored in the memory (702) for causing the processor (701) to execute a method for detecting anomaly in an OT network according to any one of claims 1-7.
  13. A computer-readable medium comprising computer-readable instructions stored thereon, wherein the computer-readable instructions are for executing a method for detecting anomaly in an OT network according to any one of claims 1-7.
  14. A computer program product comprising a computer program, wherein, when the computer program is executed by a processor, it executes a method for detecting anomaly in an OT network according to any one of claims 1-7.
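The pipeline of claims 1-7 as an added example in pure Python (not code from the patent or from the assignee): first and second weights in the spirit of claims 2-4, the cluster-graph node and edge vectors of claim 5 as weight-weighted means, and the two full connection layers, logistic classifier and threshold of claims 6-7. The device and connection feature vectors, the weight formulas, the cluster labels and the layer matrices are constructed assumptions; no clustering algorithm or training step is implemented, since the claims leave both open.

```python
from math import exp

def device_weight(avg_load, type_importance):
    return avg_load * type_importance  # claim 2: grows with load and device-type importance

def connection_weight(avg_traffic, industrial):
    return avg_traffic * (2.0 if industrial else 1.0)  # claims 3-4: industrial > universal

def weighted_mean(vecs, ws):
    return [sum(w * v[i] for v, w in zip(vecs, ws)) / sum(ws) for i in range(len(vecs[0]))]

def cluster_graph_features(devices, conns, cluster_of):
    # Claim 5: node vector = first-weight mean of member device vectors; edge
    # vector = second-weight mean of connections crossing between two clusters.
    groups, crossing = {}, {}
    for d, (vec, w) in devices.items():
        groups.setdefault(cluster_of[d], []).append((vec, w))
    for (a, b), (vec, w) in conns.items():
        if cluster_of[a] != cluster_of[b]:  # intra-cluster links stay inside the node
            crossing.setdefault(tuple(sorted((cluster_of[a], cluster_of[b]))), []).append((vec, w))
    nodes = {c: weighted_mean([v for v, _ in g], [w for _, w in g]) for c, g in groups.items()}
    edges = {k: weighted_mean([v for v, _ in g], [w for _, w in g]) for k, g in crossing.items()}
    return nodes, edges

def fc(vec, matrix):
    # One fully connected layer (rows = output neurons; no bias or activation).
    return [sum(m * x for m, x in zip(row, vec)) for row in matrix]

def anomaly_probability(nodes, edges, fc1, fc2, clf):
    # Claims 6-7: FC1 over concatenated node vectors, FC2 over concatenated edge
    # vectors, concatenate both outputs, then a logistic classifier.
    node_cat = [x for c in sorted(nodes) for x in nodes[c]]
    edge_cat = [x for e in sorted(edges) for x in edges[e]]
    joint = fc(node_cat, fc1) + fc(edge_cat, fc2)
    return 1.0 / (1.0 + exp(-fc(joint, clf)[0]))

# Constructed sample: PLC and HMI in cluster 0, an engineering PC in cluster 1.
DEVICES = {"plc": ([0.9, 0.1], device_weight(0.8, 3.0)),
           "hmi": ([0.5, 0.5], device_weight(0.4, 2.0)),
           "eng": ([0.1, 0.9], device_weight(0.2, 1.0))}
CONNS = {("plc", "hmi"): ([1.0, 0.0], connection_weight(5.0, True)),
         ("hmi", "eng"): ([0.0, 1.0], connection_weight(1.0, False)),
         ("plc", "eng"): ([0.5, 0.5], connection_weight(3.0, True))}
CLUSTER = {"plc": 0, "hmi": 0, "eng": 1}
# Constructed layer matrices standing in for a trained model (nothing is learned here).
FC1, FC2, CLF = [[1.0, 0.0, -1.0, 0.0]], [[1.0, -1.0]], [[2.0, 2.0]]

def detect(threshold=0.5):
    nodes, edges = cluster_graph_features(DEVICES, CONNS, CLUSTER)
    return anomaly_probability(nodes, edges, FC1, FC2, CLF) > threshold
```

With the constructed data the heavily weighted PLC dominates cluster 0's vector and the industrial plc-eng link dominates the (0, 1) edge vector, which is the effect the weights are meant to have.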

Description

Method, apparatus, device, and medium for detecting anomaly in OT network

TECHNICAL FIELD

The present disclosure relates to the technical field of network security, in particular to a method, apparatus, device, and medium for detecting anomaly in an Operational Technology (OT) network.

BACKGROUND

An OT network is an industrial communication network used to connect production field devices and various systems to realize automatic control. An OT network usually includes Programmable Logic Controller (PLC), Distributed Control System (DCS) and Supervisory Control and Data Acquisition (SCADA) systems, which are responsible for controlling and monitoring physical processes in an enterprise, such as manufacturing processes, power generation and water treatment. OT network anomalies include network connection problems or system failures. OT network anomalies usually include: network connection interruption; device failure; data transmission error; network security issues, etc. At present, no distinction is made between devices, or between the connections between devices, when detecting OT network anomalies, which has the disadvantage of low detection accuracy.

SUMMARY

Embodiments of the present disclosure propose a method, apparatus, device, and medium for detecting anomaly in an OT network.

In a first aspect, a method for detecting anomaly in an OT network is provided. The method includes: determining a first weight representing importance of a device in an OT network; determining a second weight representing importance of a connection in the OT network; determining a feature vector of the OT network based on the first weight and the second weight; and detecting an anomaly in the OT network based on the feature vector of the OT network.

In a second aspect, an apparatus for detecting anomaly in an OT network is provided. The apparatus includes: a first determining module, configured to determine a first weight representing importance of a device in an OT network; a second determining module, configured to determine a second weight representing importance of a connection in the OT network; a third determining module, configured to determine a feature vector of the OT network based on the first weight and the second weight; and a detecting module, configured to detect an anomaly in the OT network based on the feature vector of the OT network.

In a third aspect, an electronic device is provided. The electronic device comprises a processor and a memory, wherein an application program executable by the processor is stored in the memory for causing the processor to execute a method for detecting anomaly in an OT network as described in any of the above.

In a fourth aspect, a computer-readable medium comprising computer-readable instructions stored thereon is provided, wherein the computer-readable instructions are for executing a method for detecting anomaly in an OT network as described in any of the above.

In a fifth aspect, a computer program product comprising a computer program is provided, wherein, when the computer program is executed by a processor, it executes a method for detecting anomaly in an OT network as described in any of the above.

According to the above technical solutions, a first weight representing importance of a device in an OT network is determined; a second weight representing importance of a connection in the OT network is determined; a feature vector of the OT network is determined based on the first weight and the second weight; and an anomaly in the OT network is detected based on the feature vector of the OT network. Therefore, determining the feature vector of the OT network based on the importance of devices and connections in the OT network can accurately detect OT network anomalies. Moreover, a clustering algorithm is used to optimize the graph structure of the OT network, so that key features of the graph structure can be accurately and effectively extracted, thus improving the anomaly detection accuracy.

BRIEF DESCRIPTION OF THE DRAWINGS

To make the technical solutions of the examples of the present disclosure clearer, the accompanying drawings used in the description of the examples will be briefly introduced hereinafter. Obviously, the accompanying drawings described hereinafter are only some examples of the present disclosure. Those skilled in the art may obtain other drawings according to these accompanying drawings without creative labor.

Fig. 1 is an exemplary flow chart of a method for detecting anomaly in an OT network according to an embodiment of the present disclosure.

Fig. 2 is an exemplary schematic diagram of an OT network according to an embodiment of the present disclosure.

Fig. 3 is an exemplary schematic diagram of the clustering process of the OT network according to an embodiment of the present disclosure.

Fig. 4 is an exemplary schematic diagram of the cluster graph of the OT network according to an embodiment of the present disclosure.

Fig. 5 is a flowchart of an exemplary process for detecting anomaly in a factory network according to an embodiment of the pr