
Research On Anomaly Detection Algorithm Based On Double Contour Model For Industrial Control System

Posted on: 2020-03-03
Degree: Master
Type: Thesis
Country: China
Candidate: T F Yan
GTID: 2428330578977705
Subject: Control Science and Engineering
Abstract/Summary:
Traditional IT networks are computer networks built on Internet protocols. They exchange data over the TCP/IP protocol stack, have low real-time requirements, and are served by relatively mature security technologies, products and schemes, so they have strong protection capabilities such as anti-virus and patch management. Industrial control systems are built on industrial control equipment such as PLC, DCS and SCADA and use dedicated communication protocols, which require high real-time performance but generally lack security considerations. Because of these differences, the mature protection technologies that suit traditional IT networks cannot be applied directly to industrial control systems, so protection technology suited to industrial control systems needs to be studied. Security measures for industrial control systems include border security capability, attack detection and prevention, periodic security detection, security situational awareness, endogenous security capability, etc. As a dynamic defense technology, intrusion detection can intercept intrusions before the industrial control system is harmed, and it is one of the feasible methods for securing industrial control networks.

Targeting the abnormal behavior characteristics of industrial control networks, this paper analyses the Modbus TCP industrial control communication protocol and extracts traffic features for anomaly detection. These include communication data features extracted directly from industrial control network traffic and detection features that reflect operational differences, constructed from the abnormal behavior patterns and the characteristics of the actual traffic data; together they form the data set. Analysis of the data shows that industrial control network traffic contains many normal samples and few abnormal ones. To reduce the false alarm rate and improve the accuracy of anomaly detection, this paper proposes a double contour model anomaly detection method based on the one-class support vector machine, which can be trained with samples of only one class. A normal one-class support vector machine model and an abnormal one-class support vector machine model are constructed to model the normal and abnormal modes of industrial control system communication, respectively, and anomaly detection for the industrial control network is realized through a cooperative discrimination mechanism.

To detect abnormal industrial control behavior better, this paper uses PSO to optimize the key parameters that determine the performance of the one-class support vector machine classifier. The important parameters to be optimized include the penalty factor of the one-class support vector machine and the width parameter of the radial basis function. At the same time, to reduce the modeling time and detection time of the one-class support vector machine, an auto-encoder network is used to reduce the dimensionality of and compress the input variables extracted from the network traffic data, which also restrains over-fitting of the one-class support vector machine model. This dissertation thus presents an anomaly detection method based on an auto-encoder network and a one-class support vector machine double contour model. Simulation and verification of the model show that the false alarm rate for the industrial control system is significantly reduced and the detection time is shortened. The method has great application value for research on anomaly detection in industrial control systems.
Keywords/Search Tags: industrial control system, anomaly detection, one-class support vector, double contour model, auto-encoder network
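
The double contour decision described in the abstract, as an added example that is not code from the thesis: one profile is fitted to normal traffic, one to abnormal traffic, and a sample is labelled by combining both verdicts. Assumptions: a uniform-weight RBF kernel score stands in for a trained one-class support vector machine, `gamma` and `nu` are fixed by hand instead of tuned by PSO, and the tie-breaking rule, feature names and sample values are constructed for illustration.

```python
import math

def rbf(a, b, gamma):
    """Radial basis function kernel between two feature vectors."""
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))

class Contour:
    """One-class profile of a single traffic class.

    Stand-in for a trained one-class SVM (assumption): the score is the mean
    RBF similarity to the training samples, and the contour is placed so that
    at most a fraction `nu` of the training samples falls outside it.
    """
    def __init__(self, samples, gamma=20.0, nu=0.1):
        self.samples, self.gamma = list(samples), gamma
        scores = sorted(self.score(s) for s in self.samples)
        self.threshold = scores[int(nu * len(scores))]

    def score(self, x):
        return sum(rbf(x, s, self.gamma) for s in self.samples) / len(self.samples)

    def margin(self, x):
        """Relative distance from the contour; >= 0 means inside."""
        return self.score(x) / self.threshold - 1.0

def classify(x, normal, abnormal):
    """Cooperative decision of the two contours (assumed rule)."""
    n, a = normal.margin(x), abnormal.margin(x)
    if n >= 0 and a < 0:
        return "normal", "inside normal contour only"
    if a >= 0 and n < 0:
        return "abnormal", "inside abnormal contour only"
    if n < 0 and a < 0:
        # Matches neither profile: treat unseen behaviour as an anomaly.
        return "abnormal", "outside both contours"
    # Claimed by both profiles: the larger relative margin wins.
    return ("normal" if n > a else "abnormal"), "inside both contours"

# Constructed, pre-scaled features: (write-request ratio, request rate).
NORMAL = [(0.10, 0.20), (0.12, 0.22), (0.08, 0.18), (0.11, 0.19), (0.09, 0.21),
          (0.13, 0.20), (0.10, 0.23), (0.07, 0.20), (0.10, 0.17), (0.14, 0.24)]
ABNORMAL = [(0.80, 0.90), (0.85, 0.88), (0.78, 0.93), (0.82, 0.95), (0.90, 0.85)]

normal_model = Contour(NORMAL)
abnormal_model = Contour(ABNORMAL)

if __name__ == "__main__":
    for sample in [(0.10, 0.20), (0.82, 0.91), (0.50, 0.50)]:
        print(sample, classify(sample, normal_model, abnormal_model))
```

The third sample matches neither training set, which is the case a single normal-only model cannot distinguish from a known attack pattern.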