The development of the industrial Internet exposes traditionally physically isolated industrial control networks to the open public network environment, which raises complex network security threats and thus brings security risks to the stable operation of enterprises and the social economy. Anomaly detection for industrial control networks can be divided into rule-based detection, behavior-based detection, and machine learning-based detection. Corresponding anomaly detection schemes are formed based on the traffic characteristics of industrial control networks, such as transmission rate, packet interval, and protocol specifications, to analyze and monitor network communication in real time and identify abnormal behavior and potential network attacks.

However, the following problems remain in the anomaly detection of industrial control network traffic: 1) there is no effective mathematical model for industrial control traffic data, so the complete network characteristics cannot be fully represented; 2) the influence of missing data and noise interference on the accuracy of the anomaly detection model during non-ideal traffic collection is ignored; 3) the baseline anomaly detection model cannot accurately represent the characteristics of traffic interaction, which degrades anomaly detection performance; 4) the complexity of deep learning-based anomaly detection models does not match the computing power of industrial control equipment, and model optimization methods for computing power constraints are lacking.

Therefore, the complete anomaly detection process of industrial control systems is realized, from data modeling and preprocessing to model construction and optimization. The specific contributions and results are summarized as follows:

1. A tensor-based data model is first proposed to fuse the multi-dimensional traffic characteristics of industrial control networks and expand the representation ability of network traffic models. Because vector- or matrix-based traffic models constrain the scope of anomaly detection, a network tensor composed of traffic flows, multiple features, and time slots is derived from the original capture data. The rank distributions of this tensor model under different decomposition methods are then compared and analyzed, and the T-SVD architecture is selected because of its weak low-rank assumption. All subsequent processing is carried out within the T-SVD architecture to achieve anomaly detection.

2. A complete data preprocessing scheme based on the T-SVD architecture is proposed to solve the problems of data loss and noise interference in non-ideal traffic collection, thus improving the baseline accuracy. A nonlinear deep tensor completion model inspired by the BCD algorithm is constructed to achieve data recovery. This deep model can simultaneously learn nonlinear correlations and the corresponding sparse regularization constraints, improving accuracy by 8.7% over traditional linear algorithms and by 3.2% over other state-of-the-art deep models. Meanwhile, the generalized tensor denoising algorithm proposes a new optimization objective with an adaptive-rank non-convex relaxation and a generalized noise expansion. The ADMM algorithm is used for joint optimization of the objective function, achieving a 14.2% increase in denoising performance over the matrix-based denoising algorithm and a 4.9% increase over non-adaptive algorithms.

3. A baseline model and a tensor factorization model based on deep learning are constructed to form a joint anomaly detection architecture that can identify and locate anomalies. For anomaly identification, an autoencoder structure is proposed to enhance the characterization ability of the baseline, and a convolutional neural network is used to mine the interactions in industrial control traffic. This deep baseline model can generate anomaly detection rules through unsupervised clustering, and achieves a 3.2% increase in detection accuracy and a 21% decrease in false alarm rate. For anomaly location, a patch-masked deep tensor factorization model is proposed to restore each masked region in the tensor, and anomalies are then located by comparing structural similarity. This model compensates for the lack of anomaly location, increasing restoration accuracy by 11% and thus improving location precision by 14.3%.

4. Hierarchical fine-grained differentiable sensitivity analysis is employed to transfer sensitivity through the model, completing redundancy optimization at the unit level and satisfying actual deployment requirements. The gradient of each unit is calculated based on the chain rule to quantify the importance of the output to the input. Different sensitivity analysis strategies are then formed based on the training pattern: "kernel-layer-model" for the deep baseline model and "model-layer-node" for the deep factorization model. The structure of each model can be optimized by its analysis strategy, which effectively reduces model complexity while maintaining the same performance. The optimized deep baseline model and deep tensor factorization model improve convergence rates by approximately 65% and 16.7%, respectively.