基于SAE-LSTM的工艺数据异常检测方法

doi:10.12263/DZXB.20180015

电子学报 ›› 2021, Vol. 49 ›› Issue (8): 1561-1568.DOI: 10.12263/DZXB.20180015

基于SAE-LSTM的工艺数据异常检测方法

尚文利¹, 石贺²^,³^,⁴, 赵剑明²^,³^,⁴, 曾鹏²^,³^,⁴

^1.广州大学电子与通信工程学院，广东广州 510006
^2.中国科学院沈阳自动化研究所，辽宁沈阳 110016
^3.中国科学院大学，北京 100039
^4.中科院网络化控制系统重点实验室，辽宁沈阳 110016

收稿日期:2018-12-29 修回日期:2021-05-31 出版日期:2021-08-25 发布日期:2021-08-25
作者简介:尚文利男，1974年生于黑龙江省望奎县.博士，研究员，博士生导师.现为广州大学“百人计划”学科带头人，原中国科学院沈阳自动化研究所工业控制系统信息安全方向学术带头人.主要研究方向为工业控制系统信息安全、计算智能与机器学习、边缘计算.E-mail:shangwl@gzhu.edu.cn
石贺男，1993年生于辽宁省沈阳市.中国科学院大学硕士研究生.研究方向为机器学习、数据挖掘、工业控制系统信息安全.E-mail:shihe@sia.cn
基金资助:
国家自然科学基金(61773368);之江实验室开放课题资助(2021KF0AB06)

An Anomaly Detection Method of Process Data Based on SAE-LSTM

Wen-li SHANG¹, He SHI²^,³^,⁴, Jian-ming ZHAO²^,³^,⁴, Peng ZENG²^,³^,⁴

^1.School of Electronic and Communication Engineering，Guangzhou University，Guangzhou，Guangdong 510006，China
^2.Shenyang Institute of Automation，Chinese Academy of Science，Shenyang，Liaoning 110016，China
^3.University of Chinese Academy of Sciences，Beijing 100039，China
^4.Key Laboratory of Networked Control System，CAS，Shenyang，Liaoning 110016，China

Received:2018-12-29 Revised:2021-05-31 Online:2021-08-25 Published:2021-08-25

摘要/Abstract

摘要：

为解决工业网络安全防护中工艺数据异常检测误报率较高的问题，本文提出一种基于时间序列的异常检测方法.该方法对工艺数据进行相关性分析、向量映射等处理，再采用堆叠自编码神经网络（SAE）对工艺数据特征进行降维，根据工艺数据在传输序列间的相互关联性，设计基于长短期记忆神经网络（LSTM）的异常检测模型，最后进行工艺数据异常检测仿真实验验证分析.实验结果表明，基于时间序列的异常检测模型能有效提高工艺数据异常检测准确率，并且误报率要低于传统隐马尔可夫异常检测模型，同时获得较好的异常检测实时性.

关键词: 工业控制系统, 工控异常检测, 自编码神经网络, 长短期记忆神经网络

Abstract:

In order to solve the problem of high false alarm rate of abnormal detection of process data in industrial network security protection, this paper proposes an anomaly detection method based on time series. In this method, the process data is analyzed by association analysis and vector mapping, and the stacked auto-encoder neural network (SAE) is used to reduce the dimension of process data features. According to the correlation of process data in the transmission sequence, an anomaly detection model based on long and short term memory neural network (LSTM) is designed. Finally, the simulation analysis of abnormal detection of process data is carried out. The experimental results show that the anomaly detection model based on time series can greatly improve the accuracy of process data anomaly detection, and the false positive rate is lower than the traditional hidden Markov anomaly detection model, and at the same time get better real-time performance of anomaly detection.

Key words: industrial control system, industrial control anomaly detection system, auto-encoder neural network, long and short term memory neural network

中图分类号:

TP393.08

尚文利, 石贺, 赵剑明, 曾鹏. 基于SAE-LSTM的工艺数据异常检测方法[J]. 电子学报, 2021, 49(8): 1561-1568.

Wen-li SHANG, He SHI, Jian-ming ZHAO, Peng ZENG. An Anomaly Detection Method of Process Data Based on SAE-LSTM[J]. Acta Electronica Sinica, 2021, 49(8): 1561-1568.

图/表 10

表1 工艺数据集描述

	Role	Level	Count
1	Input	Binary	17
2	Input	Category	15
3	Input	Float	10
4	Input	Int	16
5	Target	Binary	1

图1 数值型特征相关性图

图2 堆叠自编码网络结构

图3 自编码网络数据流图

图4 LSTM内部结构

图5 LSTM网络结构

图6 SAE-LSTM模型激活函数对比

图7 不同模型的准确率实验对比

图8 不同模型的交叉熵损失实验对比

表2 分层采样交叉验证实验结果

模型	分层交叉验证得分
模型	准确率	训练批次	误报率	训练批次
SVM	0.56	530	0.45	530
RF	0.54	530	0.51	530
XGboost	0.71	490	0.35	490
HMM	0.95	330	0.08	330
SAE-LSTM	0.97	250	0.03	250

参考文献 25

1	赖英旭, 刘增辉, 蔡晓田, 等. 工业控制系统入侵检测研究综述[J]. 通信学报, 2017, 38(2): 143－156.
	Lai Y X, Liu Z H, Cai X T, et al. Research on intrusion detection of industrial control system[J]. Journal on Communications, 2017, 38(2): 143－156. (in Chinese)
2	张凯一, 陈铁明, 严春. 工业控制系统安全及异常检测研究进展[J]. 信息安全研究, 2017, 3(7): 624－632.
	Zhang K Y, Chen T M, Yan C. Research survey on industrial control systems security and intrusion detection[J]. Journal of Information Security Research, 2017, 3(7): 624－632. (in Chinese)
3	毕战科, 许胜礼. 入侵检测技术的研究现状及其发展[J]. 软件导刊, 2010, 9(11): 152－154.
	Bi Z K, Xu S L. Actuality and development trend of intrusion detection technology[J]. Software Guide, 2010, 9(11): 152－154. (in Chinese)
4	Yim K, Castiglione A, Yi J H, et al. Cyber threats to industrial control systems[A]. Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats[C]. New York, NY, USA: ACM, 2015. 79－81.
5	Cheminod M, Durante L, Valenzano A. Review of security issues in industrial networks[J]. IEEE Transactions on Industrial Informatics, 2013, 9(1): 277－293.
6	尚文利, 张盛山, 万明, 等. 基于PSO-SVM的Modbus TCP通讯的异常检测方法[J]. 电子学报, 2014, 42(11): 2314－2320.
	Shang W L, Zhang S S, Wan M, et al. Modbus/TCP communication anomaly detection algorithm based on PSO-SVM[J]. Acta Electronica Sinica, 2014, 42(11): 2314－2320. (in Chinese)
7	张响亮, 王伟, 管晓宏. 基于隐马尔可夫模型的程序行为异常检测[J]. 西安交通大学学报, 2005, 39(10): 1056－1059.
	Zhang X L, Wang W, Guan X H. Detection of anomalous program behaviors based on hidden Markov models[J]. Journal of Xi'an Jiaotong University, 2005, 39(10): 1056－1059. (in Chinese)
8	谢柏林, 余顺争. 基于关键事件序列的应用层异常检测机制[J]. 小型微型计算机系统, 2010, 31(2): 249－253.
	Xie B L, Yu S Z. Application level anomaly detection based on series of events[J]. Journal of Chinese Computer Systems, 2010, 31(2): 249－253. (in Chinese)
9	张云贵, 赵华, 王丽娜. 基于工业控制模型的非参数CUSUM入侵检测方法[J]. 东南大学学报(自然科学版), 2012, 42(S1): 55－59.
	Zhang Y G, Zhao H, Wang L N. A non-parametric CUSUM intrusion detection method based on industrial control model[J]. Journal of Southeast University (Natural Science Edition), 2012, 42(S1): 55－59. (in Chinese)
10	钱叶魁, 陈鸣, 叶立新, 等. 基于多尺度主成分分析的全网络异常检测方法[J]. 软件学报, 2012, 23(2): 361－377.
	Qian Y K, Chen M, Ye L X, et al. Network-wide anomaly detection method based on multiscale principal component analysis[J]. Journal of Software, 2012, 23(2): 361－377. (in Chinese)
11	Hinton G E. Reducing the dimensionality of data with neural networks[J]. Science, 2006, 313(5786): 504－507.
12	Vincent P, Larochelle H, Bengio Y, et al. Extracting and composing robust features with denoising autoencoders[A]. Proceedings of the 25th International Conference on Machine Learning(ICML'08)[C]. New York, NY, USA: ACM, 2008. 1096－1103.
13	Vincent P, Larochelle H, Lajoie I, et al. Stacked denoising autoencoders: Learning useful representations in a deep network with a local denoising criterion[J]. Journal of Machine Learning Research, 2010, 11: 3371－3408.
14	Rifai S, Vincent P, Muller X, et al. Contractive auto-encoders: Explicit invariance during feature extraction[A]. Proceedings of the 28th International Conference on International Conference on Machine Learning(ICML'11)[C]. New York, NY, USA: ACM, 2011. 833－840
15	Chen M M, Xu Z X, Weinberger K Q, et al. Marginalized denoising autoencoders for domain adaptation[A]. Proceedings of the 29th International Coference on International Conference on Machine Learning(ICML'12)[C]. New York, NY, USA: ACM, 2012. 1627－1634.
16	Bengio Y. Learning deep architectures for AI[J]. Foundations and Trends ® in Machine Learning, 2009, 2(1): 1－127.
17	Liu S J, Yang N, Li M, et al. A recursive recurrent neural network for statistical machine translation[A]. Proceedings of the 52nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)[C]. Stroudsburg, PA, USA: Association for Computational Linguistics, 2014. 1491－1500.
18	Biswas A, Karunakaran S. Cybernetic modeling of industrial control systems: Towards threat analysis of critical infrastructure[EB/OL]. , 2021.
19	Soelaiman R, Martoyo A, Purwananto Y, et al. Implementation of recurrent neural network and boosting method for time-series forecasting[A]. International Conference on Instrumentation, Communication, Information Technology, and Biomedical Engineering[C]. Bandung, Indonesia: IEEE, 2009. 1－8.
20	Ren H R, Ye Z X, Li Z W. Anomaly detection based on a dynamic Markov model[J]. Information Sciences, 2017, 411: 52－65.
21	Tsai C L, Chang A Y, Chen C J, et al. Dynamic intrusion detection system based on feature extraction and multidimensional hidden Markov model analysis[A]. International Carnahan Conference on Security Technology[C]. Zurich, Switzerland: IEEE, 2009. 85－88.
22	Marchi E, Vesperini F, Eyben F, et al. A novel approach for automatic acoustic novelty detection using a denoising autoencoder with bidirectional LSTM neural networks[A]. IEEE International Conference on Acoustics, Speech and Signal Processing[C]. South Brisbane, QLD, Australia: IEEE, 2015. 1996－2000.
23	Marchi E, Ferroni G, Eyben F, et al. Multi-resolution linear prediction based features for audio onset detection with bidirectional LSTM neural networks[A]. IEEE International Conference on Acoustics, Speech and Signal Processing[C]. Florence, Italy: IEEE, 2014. 2164－2168.
24	梁辰, 李成海, 周来恩. PCA-BP神经网络入侵检测方法[J]. 空军工程大学学报(自然科学版), 2016, 17(6): 93－98.
	Liang C, Li C H, Zhou L E. A PCA-BP neural network-based intrusion detection method[J]. Journal of Air Force Engineering University (Natural Science Edition), 2016, 17(6): 93－98. (in Chinese)
25	杨雅辉, 黄海珍, 沈晴霓, 等. 基于增量式GHSOM神经网络模型的入侵检测研究[J]. 计算机学报, 2014, 37(5): 1216－1224.
	Yang Y H, Huang H Z, Shen Q N, et al. Research on intrusion detection based on incremental GHSOM[J]. Chinese Journal of Computers, 2014, 37(5): 1216－1224. (in Chinese)

基于SAE-LSTM的工艺数据异常检测方法

An Anomaly Detection Method of Process Data Based on SAE-LSTM

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 25

相关文章 1

编辑推荐

Metrics