Research And Implementation On Anomaly Detection In Industrial Control Network Based On Deep Learning

As advances in networking technology help to connect industrial control networks with the Internet, the threat from spammers, attackers and criminal enterprises has also grown accordingly. However,traditional Network Intrusion Detection System makes significant use of pattern matching to identify malicious behaviors and have bad performance on detecting zero-day exploits in which a new attack is employed.In this thesis, we research on the existing problems in anomaly detection techniques based on the industrial control networks by combining the deep learning with the conventional machine learning techniques in anomaly detection. We propose two methods of anomaly detection in industrial control network, which are implemented with deep learning algorithm to extract the feature vectors from raw data, and then use machine learning algorithm to classify or decide the anomalous data. Moreover, we also make some modifications the training algorithm and improve the performance of the model.The main contributions of this thesis are summarized as follows:1. We analyzed the problem of extracting features in anomaly detection, and proposed a novel RNN-GBRBM based feature decoder,which is used to learn the normal data pattern by training the decoder. If the deviation between normal data pattern and new data is too large, then we consider this new data as anomaly. Moreover, we proposed a semi-supervised incremental updating algorithm to train the decoder and the classifier with the lowest manual costs.2. We proposed a topic based model to detect anomaly in networks.Consider the traffic of network as a document in the corpus. By using LDA to extract latent topic information in network data, and using Autoencoder to reduce the dimensionality of the original feature data,we make the representation of data more tight, informative, and non-redundant without losing original information, and improve the accuracy of prediction and the efficiency of training.3. We designed two contrast experiments to compare the proposed algorithms and two traditional anomaly detection algorithms. By using different datasets, we analyzed the results of these experiments and found out that our algorithms have a better performance on the larger datasets, especially with some hidden anomaly.4. We designed and developed a network monitor system in the industrial control networks. And we applied those two proposed methods as plugins in the system. The accuracy and the performance of the anomaly detection has been greatly improved compared to the previous monitoring systems.