基于MSCNN与OCSVM的工业入侵检测方法

Industrial intrusion detection method based on MSCNN and OCSVM

针对实际工业控制系统(industrial control systems,ICS)的异常检测中大样本、正负数据不平衡和检测模型鲁棒性差的问题,提出了一种基于多尺度卷积神经网络(multiscale convolutional neural network,MSCNN)和改进单类支持向量机(improved one class support vector machine,IOCSVM)的复式工业网络入侵检测方法。在IOCSVM中引进随机傅里叶特征近似RBF核函数的方法消除了复式检测模型在不同阶段的耦合,使模型具有更好的检测性能。该方法首先将原始数据预处理为二维矩阵,然后利用MSCNN模块充分学习模块提取到的不同层次的样本特征,最后通过IOCSVM分类器进行样本判别。采用入侵检测领域权威数据集-CIC-IDS-2017对该模型进行验证,通过与MSCNN,RST-SVM和AE-SVM等现有主流检测的模型相比后发现,该检测模型具有更佳的检测性能。利用MSU基础设施保护中心建立的工控标准入侵检测数据集能重构出更贴合实际ICS网络流量分布的鲁棒性验证数据集,证明该模型具有强鲁棒性。

Aiming at the problems of large sample,unbalanced positive and negative data and poor robustness of detection model in anomaly detection of industrial control systems(ICS),a new method based on multiscale convolutional neural network(MSCNN)and improved one class support vector machine(IOCSVM)is proposed,The random Fourier feature is used to approximate the radial basis function in IOCSVM,which eliminates the coupling of segmented detection model in different stages and makes the model have better detection performance.Firstly,the original data is preprocessed into two-dimensional matrix;then the MSCNN module is used to fully learn the different levels of sample features extracted by the module;finally,the IOCSVM classifier is used for sample discrimination.CIC-IDS-2017 is used to verify the model.Compared with MSCNN,RST-SVM and other mainstream detection models,the model has better detection performance.The industrial control standard intrusion detection data set established by MSU infrastructure protection center is used to reconstruct the robustness verification data set which is more suitable for the actual ICS network traffic distribution.The results show that the model has strong robustness.