CN108683658A - An abnormal identification method for industrial control network traffic based on multi-RBM network construction benchmark model - Google Patents

Abstract

A method for identifying traffic anomalies in industrial control networks based on multiple RBM networks to build a benchmark model, extracting features from the industrial control network and generating a training data set, training the benchmark model and obtaining a normal benchmark model of the industrial control network including multiple RBM models and training For the abnormal data clusters in the data set, the normal benchmark model of the industrial control network is used for real-time network message evaluation to realize traffic anomaly detection; the present invention can internally complete whether to reduce the dimension and the dimension that needs to be reduced through the setting of parameters, and has better Robustness, it is not necessary to set the number of clusters in advance, and it is done through the degree of interrelationship of the model, which is more in line with the actual application situation.

Description

An abnormal identification method for industrial control network traffic based on multi-RBM network construction benchmark model

technical field

The invention relates to a technology in the computer field, in particular to a method for constructing a benchmark model based on multiple RBM networks and performing abnormal identification of network traffic according to the benchmark model.

Background technique

With the continuous change of attack methods, attack detection technology based on known attack characteristics can no longer protect the network from attacks, and it is very necessary to conduct attack detection on network traffic. The attack network traffic packet consists of massive traffic data, which records all activities and behaviors of power grid terminals. By analyzing and integrating these network traffic packets, features can be extracted from them to discover attacks. However, due to the huge amount of network traffic, in order to achieve attack identification, real-time processing must be achieved, which requires high efficiency of detection algorithms. Traditional neural network learning methods and most machine learning methods are often stretched to deal with this problem. For the power grid network traffic attack detection system, how to process these massive data efficiently and with high precision is a huge challenge.

Contents of the invention

Aiming at the deficiencies of the existing technology and the special circumstances of the industrial control environment of the power grid, the present invention proposes an abnormal identification method for industrial control network traffic based on a multi-RBM network construction benchmark model. By monitoring the quantity and time of industrial control network traffic, the industrial control The benchmark model of network traffic, and then use the benchmark model to identify various working states of industrial control equipment in the industrial control network, and find out abnormal states from it.

The present invention is achieved through the following technical solutions:

The present invention relates to a method for identifying traffic anomalies in industrial control networks based on multi-RBM network construction benchmark models, which extracts features from industrial control networks and generates training data sets, trains benchmark models and obtains normal benchmarks of industrial control networks containing multiple RBM models For the abnormal data clusters in the model and training data sets, the normal benchmark model of the industrial control network is used for real-time network message evaluation to realize traffic anomaly detection.

In the training data set, after feature extraction and merging are performed according to the network characteristics of the industrial control network, the training data in the form of data clusters are divided into time segments.

The network characteristics of the industrial control network include but are not limited to: copying messages from the bypass through the front-end collector or network equipment of the industrial control network.

The feature extraction refers to: according to the industrial control network traffic data transmission protocol, extracting characteristics such as time, quantity, and type of message transmission for feature selection, removing redundant features in the data set, and obtaining the extracted message features.

The merging refers to merging features according to the quantity of traffic data in the merging time period Ta.

The data clusters are divided according to the traffic transmission time of the industrial control network as the clustering time period Tb, and the data set is divided into each data cluster.

The benchmark model includes at least one RBM network, the benchmark model completes the update of the RBM network parameters by inputting any data cluster and the initial parameters of the benchmark model are randomly set, and the increase in the number of RBM networks is completed by accepting data clusters of different laws .

The network parameters of the RBM network include but are not limited to: learning rate α, number of iterations n, number of nodes in the visible layer and hidden layer, root mean square error threshold e, merging time period Ta, clustering time period Tb of time clusters Etc., among them: the learning rate α is the range of each change of the parameters of the RBM model after receiving feedback. The larger the learning rate, the faster the convergence speed, but it is difficult to converge to an accurate value; the number of iterations n is the RBM network training to converge. In order to prevent the RBM model from overfitting, a certain error is allowed; the number of nodes in the visible layer is determined by the characteristics of the input data, and the number of nodes in the hidden layer is related to the dimension after dimension reduction and the accuracy required for convergence. Generally, Experiments are required to obtain a reasonable setting value; the root mean square error threshold e refers to the degree of similarity between the input data and the existing RBM. The larger the root mean square error, the smaller the similarity, and the fewer models after clustering. However, the error is larger; the merging period Ta refers to the merging of individual data within the time period after the feature extraction of the industrial control network, which is used to characterize the short-term traffic transmission characteristics of the network segment; the clustering period Tb of the time cluster refers to each A time period in an RBM model, in which there are multiple combined time periods of data, indicating the traffic transmission mode of the input and output of the network segment during a period of time.

The training refers to: input the data cluster into the initialized benchmark model, test all the RBM benchmark models in the benchmark model, calculate the reconstruction output of the data cluster in the benchmark model, and calculate the square root of the reconstruction output and the original data Error, according to the size of the distance between each model, improve the training model parameters or increase the benchmark model until all training data sets are trained, and the normal benchmark model and training data set of the industrial control network containing multiple RBM models are obtained. Unusual data clusters.

The distance between the models is characterized by but not limited to the square root error.

The abnormal data cluster refers to: set the abnormality degree of each data cluster according to the number of data clusters in the RBM model after clustering, the more the number of data clusters in the RBM model, the more the model conforms to the network segment transmission rule , the lower the abnormality of the corresponding data cluster is, the message corresponding to the abnormal data cluster is the abnormal data.

The abnormality is the percentage of abnormal data in the model, determined by the number of data clusters in the RBM model after clustering, the more the number of data clusters in the RBM model, the lower the corresponding RBM model abnormality, which represents Abnormal state of the RBM model.

Adding the reference model refers to: when the distance between the output data and the original data exceeds the set threshold during the training process, it means that the features in the data cluster do not match all the existing RBM network models, that is, they belong to A new model type, so it is necessary to create a new RBM network and input the data cluster into the RBM network for training and adjust network parameters, and finally add the newly created and initialized RBM network to the benchmark model.

The adjustment of the network parameters refers to: summarizing the RBM models that meet the preset abnormality detection threshold, and then summarizing them into a multi-RBM model set, the model set corresponds to multiple RBM models, and the number of RBM models is K, each The RBM model corresponds to its own parameters and data clusters.

The original data: the data after feature extraction, which corresponds to the original data that is called reconstruction output before being input into the RBM network.

The abnormality detection threshold is the error between the RBM model and the normal benchmark model, and the smaller the threshold setting, the smaller the error, and the RBM is the normal benchmark model.

The training model parameter improvement refers to: when the distance between the output data and the original data is within the threshold range during the training process, the RBM model set with the smallest distance is selected, and the original data corresponding to the data cluster is added into the corresponding benchmark model The training data set, and retrain the RBM network at the same time, and update the model parameters.

When there is too much data in the training data set of the model, part of the redundant data is randomly discarded according to the number of data sets set in advance, a new data set is trained and the corresponding benchmark model parameters are updated.

The real-time network packet evaluation refers to: after feature extraction and merging of the network packets, the detection data clusters in the form of data clusters are divided by time periods and input into the normal benchmark model of the industrial control network, and all the RBM models are tested. And calculate the distance between the output data of the detection data cluster and the original data, and when the distance is greater than the abnormality error value, the network message corresponding to the detection data cluster is an abnormal message.

technical effect

Compared with the prior art, the technical effects of the present invention include:

1) The operating speed of real-time traffic can be improved. When all the traffic of a set network of the power grid industrial control network enters in one hour, the present invention can complete abnormal identification and parameter update within one minute; the present invention adopts RBM network For construction, whether to reduce the dimension and the dimension to be reduced can be completed internally through the setting of the parameters, and because the present invention can discard the data with little correlation in the update of the parameters, keep the data valid and avoid redundancy, so the hardware requirements lower;

2) The establishment of the benchmark model by the RBM method has nonlinear characteristics, which makes the normal benchmark model of the industrial control network adopted in the present invention have better robustness. In addition, multiple RBM modeling can effectively avoid the influence of different working states on the data. It is beneficial to grasp more normal working states, so as to identify abnormal states more accurately.

3) The present invention adopts hierarchical clustering, does not need to set the number of clusters in advance, and completes it through the degree of interrelationship of the models, which is more in line with the actual application situation.

Description of drawings

Fig. 1 is the flow chart of automatic construction of normal benchmark model of industrial control network of the present invention;

Fig. 2 is a flow chart of the abnormal traffic detection method based on the normal reference model in the present invention.

Detailed ways

The operation object of this embodiment is the uninterrupted collection of the message data of the power consumption data sampling of all network segments every day. This embodiment uses 15 days of data as the construction data of the benchmark model. Based on the data dataset in a certain set network segment, the report The data of the first 15 days in the text data is set as the benchmark model training data train_data, and the data of the last 8 days is the test data test_data.

As shown in Figure 1, it is a method for abnormal detection of electricity data collection flow in the power grid industrial control network involved in this embodiment, which specifically includes the following steps:

Initialize and set some parameters before the method detection. The data preprocessing described in the method includes the following parts: the characteristics of the data are determined according to the afn and fn of the message transmission nature in the communication protocol, and the characteristics of all data are extracted. Type, get 97 message features, and convert the data according to the set 97 features. Then according to the sampling time interval of 10 minutes, the number of messages is combined (set Ta=10mins, Tb=1hour), and every ten minutes is set as one message transmission data. When there is no data transmission in the ten minutes, it is all 0. Finally, the merged data is subjected to min-max standardization and normalization processing, and the value of each dimension of the data is adjusted to [0,1] through simple scaling. The function used for conversion is: x=(x-min)/( max-min). The normalized features can be used as the input of the K-RBM algorithm.

At the same time, set the RBM network parameters of the clustering model. The number of visible layer nodes in the RBM network is set to 96, because the model input to the RBM is 97-dimensional (the visible layer nodes of the RBM model start from 0), and the number of hidden layer nodes It is set to 11, the learning rate α=0.02, the number of iterations of the RBM model is 1000, the root mean square error of the RBM model is 0.03, and the time cluster time period Tb is set to 1 hour.

Set the abnormal degree of RBM after clustering to: when the data clusters of the RBM model account for i% of all data clusters, the corresponding abnormal degree is 1-i%, the abnormal degree detection threshold is 1%, and the abnormal degree The detection error value is 5%.

As shown in Figure 1, the specific steps are as follows:

Step 1) When the sample set of train_data after the above preprocessing is data={x1, x2...xm}, each sample feature category xi={t1, t2···t97}, and then divide the data according to the time cluster time period Tb For data segmentation, Ta is to ensure that the RBM model inputs multiple data segments at the same time, and these multiple data segments represent the time transmission law of traffic data within Tb. The segmented data clusters can be considered as data_i (i=1, 2...n), a total of n segments of data clusters, and then a benchmark model is established through iteration.

Step 2) Train the first data cluster data_1 and record the model parameter para_1 of the RBM model of the first data cluster, add the RBM model to the model set R, denoted as R1, add para_2 to the parameter set P, denoted as P1, Add each data in the data cluster to the model data set D, denoted as D1, and record the number of models K as 1. Then iteratively obtain the benchmark model, the specific process is as follows:

Step 3) extract the data cluster data_j, test the parameters of all RBM models in the parameter set P, when the root mean square e error between the data after model y training and the original data is less than the root mean square error of the RBM model, then the state parameter set stata_y =true, otherwise state_y=false, y is any model in the model set. Verify all states. If all are false, it means that the data cluster does not conform to all existing models. When the number of existing models is n, train the data cluster data_j, and record the model parameter para_j of the RBM model of the data cluster, and use the RBM model Add it to the model set R, denoted as Rn+1, add para_j to the parameter set P, denoted as Pn+1, add each data in the data cluster to the model data set D, denoted as Dn+1, record the number of models K is n+1; when _s t _a t _e is true, then find _{e_d} =min(e), where d is the corresponding model, then add the data in data_j to Dd, train Dd and update the corresponding parameter Pd , when data clusters are added to the corresponding model, when the number of data clusters is greater than 100, data cluster j is randomly discarded during training, and j is randomly selected so that the number of data clusters during training is always kept at 100.

Step 4) Iterate all the data, then calculate and calculate the abnormality of each data cluster according to the above-mentioned method of abnormality, extract and consider the RBM model greater than the threshold of abnormality as abnormal, and set the RBM model smaller than the threshold of abnormality as the benchmark model, the baseline model may include multiple RBM models.

Step 5) As shown in Figure 2, test the validity of the benchmark model in real-time data, read the test_data data after the above preprocessing test set is data_test={x1, x2...xm}, each sample feature category xi ={t1, t2···t97}, then divide the data_test into data clusters according to the time cluster time period Tb, read the data in the data clusters accordingly, and test all the parameters of the RBM model in the normal benchmark model, When there is a similar model, then the data cluster of this segment conforms to the normal benchmark model, and the message is also a normal message that conforms to the data transmission law; when there is no square root error less than the error degree of abnormal detection, it means that the message is abnormal message

In this embodiment, in order to verify the performance and effectiveness of the benchmark model constructed by multiple RBM models, the method shown in the present invention has been extensively analyzed and evaluated in the dataset of the above-mentioned power grid industrial control network. Using this method, it can be found that the power grid industrial control For abnormal traffic in the network and traffic that does not conform to the normal network transmission rules, the specific accuracy is verified by the specific implementation environment of the power grid.

The above specific implementation can be partially adjusted in different ways by those skilled in the art without departing from the principle and purpose of the present invention. The scope of protection of the present invention is subject to the claims and is not limited by the above specific implementation. Each implementation within the scope is bound by the invention.

Claims (10)

1. a kind of industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models, which is characterized in that from work Feature is extracted in control network and generates training dataset, and benchmark model is trained and is obtained comprising multiple RBM models The abnormal data cluster that industry control network normal baseline model and training data are concentrated, is carried out in real time with industry control network normal baseline model Network message is assessed, and realizes Traffic anomaly detection；

The benchmark model includes at least one RBM networks, which completes RBM nets by inputting any data cluster The update of the network parameter and initial parameter of benchmark model is set at random passes through and receives the aggregates of data of different rules and complete RBM networks The increase of quantity；

The network parameter of the RBM networks includes：Learning rate α, iterations n, visible layer and hidden layer node number, Square error threshold value e, merge period Ta, Temporal Clustering cluster period Tb.

2. according to the method described in claim 1, the training refers to：By the benchmark model after aggregate of data input initialization In, all RBM benchmark models in test benchmark model, the reconstruct for calculating the aggregate of data in benchmark model exports, and calculates weight Structure exports the square root error with initial data, perfect to training pattern parameter according to the size of distance between each model Or benchmark model is increased, until after the training of all training datasets, obtain the industry control for including multiple RBM models The abnormal data cluster that network normal baseline model and training data are concentrated.

3. according to the method described in claim 1, the training dataset, feature is carried out according to the network characteristic of industry control network After extraction and merger, the training data in the form of aggregate of data is marked off by the period.

4. according to the method described in claim 3, the feature extraction refers to：The association transmitted according to industry control network data on flows View extracts the features such as time, quantity, the type of message transmissions and carries out feature selecting, removes the high remaining feature in data set, obtains Message characteristic after extraction.

5. method according to claim 1 or 2, the abnormal data cluster refers to：According to the number in RBM models after cluster According to the abnormality degree of each aggregate of data of the quantity set of cluster, the quantity of aggregate of data is more in RBM models, illustrates that the model more meets net Section transportation law, corresponding aggregate of data abnormality degree is lower, which is exactly abnormal data；

The abnormality degree is the percentage of abnormal data in model, is determined by the quantity of the aggregate of data in RBM models after clustering, The quantity of aggregate of data is more in RBM models, and corresponding RBM models abnormality degree is lower, and what it was characterized is the abnormal shape of RBM models State.

6. according to the method described in claim 2, it is described to benchmark model carry out increase refer to：When exporting number in training process According at a distance from former data all more than given threshold when, then illustrate feature in the aggregate of data and existing all RBM networks Pattern misfits the mode type for belonging to new, it is therefore desirable to create a RBM network and the aggregate of data is inputted the RBM nets Network parameter is trained and adjusted in network, and finally this is created and the RBM networks after initializing are added in benchmark model.

7. according to the method described in claim 6, the adjustment network parameter refers to：Preset abnormality degree detection threshold will be met The RBM models of value summarize, and are RBM Models Sets more than one after summarizing, and Models Sets correspond to multiple RBM models, and the number of RBM models is K, each RBM models correspond to the parameter and aggregate of data of oneself.

8. according to the method described in claim 2, the training pattern parameter is improved refers to：When output data in training process With when part is in threshold range at a distance from former data, the RBM Models Sets of selected distance minimum add corresponding to the aggregate of data Former data enter the training dataset of corresponding benchmark model, while the networks re -training RBM, update model parameter.

9. according to the method described in claim 8, when model training data concentrate overabundance of data when, according to the number being set in advance Partial redundance data are abandoned at random according to collection data volume number, and the new data set of training simultaneously updates corresponding benchmark model parameter.

10. according to the method described in claim 1, the real-time network message assessment refers to：Network message is subjected to feature After extraction and merger, the detection data cluster in the form of aggregate of data is marked off by the period and is input to industry control network normal baseline model In, wherein all RBM models of test and calculate the output data of the detection data cluster at a distance from original data, when distance is more than When abnormality degree error amount, then the corresponding network message of detection data cluster is exception message.