摘要
为解决病毒、木马攻击工业控制系统应用层网络协议的问题,分析了Modbus/TCP通信协议的规则,提出了一种基于聚类和支持向量机的半监督分簇策略,该策略将无监督的模糊C均值聚类(fuzzy C-means,FCM)和有监督的支持向量机(support vector machine,SVM)相结合,实现了工控异常检测的半监督机器学习.首先提取工业控制系统Modbus/TCP协议的通信流量数据,对其进行数据预处理,然后利用模糊C均值聚类得到聚类中心,计算通信数据与聚类中心的距离,将满足阈值条件的部分数据进一步由遗传算法(genetic algorithm,GA)优化的支持向量机分类.实验结果表明,与传统的入侵检测方法相比,该方法将无监督学习和有监督学习完美结合,并且在不需要提前知道类别标签的前提下即可有效地降低训练时间,提高分类精度.
In order to solve the problem of virus and Trojan attacking the application layer network protocol of industrial control system,we analyze the rule of Modbus/TCP communication protocol and propose a semi-supervised clustering strategy based on clustering and support vector machine. This strategy combines unsupervised fuzzy C-Means( FCM) and supervised support vector machine( SVM) to realize the semi-supervised machine learning of industrial anomaly detection. Firstly,we extract the communication flow data of the Modbus/TCP protocol of the industrial control system,and preprocess the data. Then we obtain the clustering center by fuzzy C-means clustering. We calculate the distance between the communication data and the clustering center. Partial data satisfying the threshold condition are further classified by support vector machines optimized by genetic algorithms. The experimental results show that compared with the traditional intrusion detection method,this method can combine the unsupervised learning and supervised learning,and can reduce the training time and improve the classification accuracy without knowing the category tag in advance.
出处
《信息与控制》
CSCD
北大核心
2017年第4期462-468,共7页
Information and Control
基金
国家863高技术计划资助项目(2015AA043901)
关键词
工业控制系统
MODBUS通信协议
入侵检测
半监督
模糊C均值聚类
支持向量机
industrial control system
Modbus communication protocol
intrusion detection
semi-supervised
fuzzy C-means clustering
support vector machine