Intrusion Detection Method Based On One-class Classifier For Industrial Control System

Industrial control systems have been widely used in important infrastructures related to the national economy and people's livelihoods,such as power grid systems,water conservancy projects,oil and gas,and transportation.With the development of computer and communication technology,industrial control systems have become increasingly open due to the gradual networking of the standard communication protocols they use,which has led to a substantial increase in the number of network attacks against industrial control systems.On the other hand,the types of attacks have become more complex and diverse.Once the industrial control system is attacked,it may cause the leakage of confidential information,destroy the industrial production process,damage the industrial infrastructure and even endanger the lives of personnel.Therefore,the information security of industrial control systems is facing more and more serious challenges.Intrusion detection technology is designed to effectively detect and prevent network attacks for industrial control systems,which is currently a hot topic in the field of industrial control system security protection.The core method is to accurately detect whether the system is under network attacks according to whether the classification of the collected data from the industrial detection systems.Many intrusion detection methods have been proposed in the field.However,there still exists some common issues that need to be solved urgently:(1)Real-time industrial control systems can produce a great deal of data in real-time yet without labeling information.It is a common wisdom that acquiring high-quality label information is expensive.(2)The data distribution in the industrial control system is often unbalanced,that is,the number of samples in the normal working state of the system is far greater than the number of abnormal samples in the network attack.Therefore,traditional classification algorithms applied to balanced data are no longer suitable for this problem.How to effectively classify unbalanced data remains a difficult problem for intrusion detection in industrial control systems.For the high cost of data annotation and the poor real-time performance of intrusion detection algorithm,this paper adopts a concept of active learning and proposes an active selection method and an expert annotation method for data samples of significance characteristics.A method of online learning and a classification model of online fast training method are introduced in this paper.As for the unbalanced distribution of data samples,this paper comes up with an online classification method based on AdaBoost integrated learning framework,which efficiently reduces the annotation cost and satisfies the real time requirement of industrial control intrusion detection system.In order to assess the efficiency of the algorithm,comparative experiments have been carried out in this paper on multiple commonly used UCI classification data sets based on the classical online learning classifier algorithms.The experiment results show that the effectiveness of the proposed algorithm in general classification task has been preliminarily verified.Further,for the classification of unbalanced data samples,the algorithm has realized the efficient recognition of the abnormal behaviors of industrial control system in online environment without reducing the normal behavior recognition rate.As the results have indicated,the algorithm proposed in this paper can reduce the cost for sample annotation and satisfy the real-time requirement for intrusion detection in the online environment of industrial control system.It also provide technical supports for the unbalanced sample classification task in other areas.