基于多新息扩展Kalman粒子群的Modbus协议攻击检测方法

Attack Detection Algorithm of Modbus Protocol Based on Extended Kalman Particle Swarm Optimization with Multi-innovation

因为工控系统数据有高维度和非线性的特点,所以针对基于Modbus TCP协议的工控系统提出一种融合Fisher分析、核主成分分析法和多新息扩展Kalman粒子群方法的攻击检测模型。利用Fisher分析和核主成分分析法(kernel principal component analysis,KPCA)对初始数据集进行预处理,实现特征提取和降低数据维度的作用;使用多新息扩展Kalman粒子群算法对支持向量机进行参数寻优,使用以前时刻的新息和当前时刻粒子观测值预估粒子位置,避免传统粒子群算法易陷入局部极小和扩展卡尔曼滤波算法在强非线性系统易导致精度降低的问题。在原始数据集上的仿真结果表明,所提算法在检测准确率、精确率和误报率上与传统的检测算法比较有显著的的提高。

Because of the high dimensional and nonlinear characteristics of industrial control system data, an attack detection model is proposed for industrial control system based on Modbus TCP protocol, and by integrating Fisher’s sub-analysis, nuclear main component analysis method and multi-innovation expansion Kalman particle group method. The initial data set is preprocessed by Fisher and KPCA(kernel principal component analysis), to do feature extraction and reduction of data dimensions, and the support vector machine is parameterized by the multi-innovation extended Kalman particle group algorithm, and the particle position is estimated by the innovation of the previous moment and the particle observations of the current moment. It avoids the problem to get caught up in the local extremes, and solves that the extended Kalman filter algorithm can easily lead to the reduction of accuracy in the strong nonlinear system. The simulation results on the original data set show that the proposed algorithm has significantly improved the detection accuracy and false positive rate compared with the traditional detection algorithm.