Network intrusion detection for industrial computer

Cited by: 5
Abstract: In an Industrial Control System (ICS), the industrial computer is the core controller responsible for controlling field devices, and it is directly exposed to attacks from open networks. To address the external network attack threats faced by industrial computers, a network communication behavior model suited to industrial computers and a high-accuracy intrusion detection method were proposed. Firstly, the model was optimized along two dimensions: training data and training algorithm. Then, to address the high training cost and low accuracy caused by high-dimensional traffic data, a network behavior feature selection method based on correlation analysis was proposed. Finally, a differential evolution algorithm was used to optimize the parameters of a Support Vector Machine (SVM). Experimental verification was carried out on industrial control equipment in a tobacco industry scenario. The experimental results show that the optimized model reaches an accuracy of 97% and an Area Under Curve (AUC) value of 0.98, and can effectively identify network attacks. Compared with RandomForest, SVM, Genetic Algorithm-SVM (GA-SVM) and other machine learning algorithms, the proposed optimization method improves accuracy by 1%~7% and precision by 1%~4%.
Authors: LI Wei (李威); JIANG Xuefeng (姜学峰); LI Jianjun (李健俊); NI Xiongjun (倪雄军); LIU Yifan (刘一帆); LI Yongzhen (李永震) (Information Center, China Tobacco Zhejiang Industrial Limited Liability Company, Hangzhou, Zhejiang 310008, China; Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China; Hangzhou UWNTEK Automation System Company Limited, Hangzhou, Zhejiang 310010, China)
Source: Journal of Computer Applications (《计算机应用》), CSCD, Peking University Core Journal, 2022, Issue S01, pp. 178-183 (6 pages)
Keywords: network intrusion detection; behavior detection; Support Vector Machine (SVM); differential evolution algorithm; machine learning