
Explaining The Attributes Of A Deep Learning Based Intrusion Detection System For Industrial Control System

Posted on: 2021-09-04
Degree: Master
Type: Thesis
Country: China
Candidate: Z D Wang
GTID: 2518306470967689
Subject: Computer Science and Technology
Abstract/Summary:
Intrusion detection is only the first stage of a security system for industrial control systems. Because industrial control systems are so important, significant safety-related decisions in this field must be made by industrial control safety experts, so a simple intrusion alarm plays only a very limited role in the security system. At the same time, because deep learning models lack interpretability, intrusion detection models based on deep learning struggle to provide further intrusion-related clues once an alert has been issued, which greatly limits the application of deep learning methods to intrusion detection in industrial control networks.

To address this problem, we studied the relevant model interpretation methods, selected suitable angles of analysis, and analyzed, from the perspective of information, the correlation between the deep learning model's calculation process and its classification process. By analyzing the hidden layers of the deep learning classification model, we found a relationship between the changes in hidden-layer output during the model's calculation and the classification clues. Based on this finding, we designed a layer-wise transfer method for anomaly mapping that uses approximate derivation. This anomaly mapping method passes the anomalous output value back to the input layer, layer by layer, as a contribution. In this way, the contribution of each feature difference in the input layer to the output anomaly, and hence the intrusion clue, can be obtained. Considering that the data set may already contain some prior information, and to make better use of it, we also designed a new split normalization method that solves the problem of overscaling and makes the discovered clues more readable. For the a priori knowledge that can be obtained during the data collection process, we designed filtering rules for a data set that can be obtained at low cost, so that the calculation results are presented more accurately, which should help industrial control safety experts to lock in faster and respond to intrusion threats.

Experimental verification shows that the method designed in this paper can extract intrusion clues beyond the model output from the model's calculation process, extract the key features of the intrusion behavior, and, after simple processing, express the results graphically. Moreover, it makes reasonable use of the prior knowledge obtained in the data collection stage to further simplify and improve the results of clue discovery.
Keywords/Search Tags: Industrial control system, Intrusion detection system, Deep learning