Research On Multi-scale Anomaly Detection Method For State Pattern

Posted on: 2022-12-04
Degree: Master
Type: Thesis
Country: China
Candidate: J W Li
GTID: 2518306773981189
Subject: Automation Technology

Abstract/Summary:
With the continuous penetration of new technologies such as the Internet of Things, cloud computing and blockchain into industrial production activities, the trend of mutual integration is becoming more and more obvious. Industrial control systems are growing in scale, and their processes are becoming more complex. The attendant information security threats are also increasing, and the connotation and denotation of industrial security are becoming more abundant. However, traditional IT security technology cannot adequately meet the special information security requirements of industrial control systems. Based on the attack characteristics of industrial control systems and a vulnerability analysis of key industrial equipment, this thesis takes the behavior state of industrial equipment as the research object, divides the data sequence into long mode and short mode, and completes the data mining of industrial equipment. Furthermore, this thesis puts forward a protection mechanism for control equipment and a multi-scale anomaly detection method for state mode, so as to realize overall anomaly identification and detection for the industrial control system.

Firstly, based on the periodicity and control characteristics of the industrial control system production process, this thesis proposes a long-mode anomaly detection method based on functional state analysis. The method divides the long-mode sequence of measurement data and control data, establishes the model by mode association and a finite state machine, and identifies multi-dimensional mode transfer with a long-mode anomaly detection engine based on probability suffix, thereby realizing effective detection of long-mode abnormal functional states in industrial control system production.

Secondly, based on the key control mode extracted above, and in order to detect abnormal production status in a timely manner, this thesis proposes a short-mode anomaly detection method based on a dynamic update GRU. This method provides high-precision prediction results for real-time data of industrial equipment using a dynamic update GRU neural network. Through the window-based short-mode anomaly detection engine, effective detection of short-mode anomaly points and periods in sensor measurement data is realized.

Thirdly, in view of the important role of control equipment in the industrial control system and its high risk of being attacked, this thesis also proposes a process-level anomaly detection and protection method based on a whitelist. This method creates events through Hook operations and LKM process capture, and realizes timely detection of intrusion behavior and real-time protection of controllers and other industrial equipment systems through a whitelist-based exception detection and protection engine.

Finally, the multi-scale anomaly detection method proposed in this thesis is further verified and analyzed using a small water treatment system and a Modbus/TCP industrial control network simulation experiment environment. A large number of experimental results show that, compared with other methods, the long-and-short-mode anomaly detection method in this thesis has higher accuracy and a lower missing rate. The protection efficiency of process-level protection on the system is significantly higher than that of traditional user mode protection.
Keywords/Search Tags: Multi-scale Analysis, Behavior State, Correlation Analysis, Finite State Machine, GRU Neural Network