基于字符距离聚类的未知工控协议分类方法

Character distance clustering-based classification algorithm forunknown industrial control protocols

未知工控协议分类是实现多类型混合工控协议识别的前提。利用工控协议报文格式精简且广泛采用二进制序列的特点,提出基于字符距离聚类的未知工控协议分类方法。该方法打破传统方法计算文本协议报文的欧氏距离而难以准确反映工控协议报文相似性的问题,通过构建二进制特征序列,计算字符距离,并开展基于字符距离K-means聚类,实现了未知工控协议分类。其中,为确保分类的准确性,提出基于最大平均字符距离的最佳聚类K值确定方法。半物理仿真结果表明,所提方法对未知工控协议分类的准确率可达96.80%,协议类型判别的正确率可达97.07%。

The classification of unknown industrial control protocol is the premise of realizing multi-type mixed industrial control protocol identification.Based on the brief and simple format of industrial control protocol messages with binary characters,this paper proposed an unknown industrial control protocol classification method based on character distance clustering.Pre-vious classification algorithms mainly calculated the Euclidean distance of text protocols,which couldn’t accurately reflect the similarity of unknown industrial control protocol messages.In contrast,the proposed algorithm realized unknown industrial control protocol classification by constructing the sequence of binary features sequences,calculating their character distances and performing K-means clustering.To guarantee the classification accuracy,it proposed an algorithm determining the optimal clustering K value based on the maximum average character distance.Semi-physical simulation results show that the protocol classification accuracy for unknown industrial control protocol classification can reach 96.80%,while the protocol type identification accuracy can reach 97.07%.