
CN106778210B - Industrial control system function safety verification method based on immune learning - Google Patents


Publication number: CN106778210B
Authority: CN (China)
Prior art keywords: industrial control; behavior; abnormal; data set; parameter data
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201611169479.7A
Other languages: Chinese (zh)
Other versions: CN106778210A (en)
Inventors: 刘单丹, 赵勇
Current Assignee: Chengdu Qiaoban Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Chengdu Qiaoban Technology Co ltd
Application filed by Chengdu Qiaoban Technology Co ltd
Priority to CN201611169479.7A
Publication of CN106778210A
Application granted
Publication of CN106778210B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an industrial control system functional safety verification method based on immune learning, which comprises the following steps: A. acquiring industrial control behavior parameter data by offline in-the-loop testing of industrial control components; B. modeling, from the behavior parameter data, a safety reference pattern library for industrial control at multiple scales; C. identifying abnormal control behaviors through the safety reference pattern library; D. constructing an abnormal behavior pattern database based on the abnormal control behaviors. The method does not depend on prior information such as normal analysis rules or abnormal "black" features, and can accurately lock onto failures and hidden dangers at the level of behavioral expression without knowledge of the specific causes and characteristics of defects or the details of their exploitation, so that functional safety risk is significantly reduced.

Description

Industrial control system function safety verification method based on immune learning
Technical Field
The invention relates to the field of industrial control system function safety guarantee, in particular to an industrial control system function safety verification method based on immune learning.
Background
Industrial control systems are an important part of national critical infrastructure and bear on national strategic security. As industrial transformation and upgrading becomes the new focus of global economic competition, the "manufacturing return" of the United States, Germany's "Industry 4.0" and China's "Made in China 2025" strategy all pursue the same goal by different routes: using Internet of Things sensing, cloud computing, big data, industrial interconnection and similar technologies to change industrial production modes and drive innovative development of the industrial economy. The deep integration of control systems and information technology has now begun. Industrial control systems, whose core is the monitoring and control of industrial processes such as power, energy and transportation, are undergoing an unprecedented transformation in which intelligence, networking, servitization and integration have become irreversible trends. This evolution has three aspects. First, evolution from special-purpose to general-purpose: industrial control systems develop along with IT and adopt a large amount of general-purpose IT software and hardware, such as PCs, operating systems, database systems, Ethernet and TCP/IP. Second, evolution from closed to open: the development of Internet and Internet of Things technology and the deep integration of industrialization and informatization mean that an industrial control system is no longer an independent system. Third, evolution from hardware-based to software-based: industrial control systems keep evolving from mechanization, electrification and electronics toward software intelligence, that is, from "hard" to "soft".
Choice of technical path for functional safety verification of industrial control systems:
"Ability" falls short of the intent. The common problems in modern industrial control are closed product principles, confidential code and documentation, absent development teams and dependence on third-party software, so existing control systems and their equipment quality and safety assurance technologies can only deal with the known faults and risks of a vendor's own brand. A cross-industry, cross-equipment mechanism-analysis approach can hardly obtain effective support from mainstream industrial control vendors such as General Electric, Siemens and Schneider, let alone develop innovative active defense based on prior information from collected control data. Typical representatives include the Predix platform of General Electric and the Sinalytics platform of Siemens.
"Prevention" cannot cover everything. At present, the security architecture deployed in industrial systems, with industrial-grade firewalls, antivirus, anti-tampering, anti-denial and intrusion prevention at its core, is a passive security approach based mainly on "prevention". However, prevention is never complete: security monitoring whose detection targets are "black" features such as "illegal", "abnormal" and "malicious" cannot cope with active, dynamic and diverse cyberspace attacks. Typical representatives include a starry star industrial control vulnerability scanning system and a distinguished communication industrial control intrusion prevention system.
The "name" does not match the reality. Whitelisting of process services on industrial control PCs, HMIs, operator and engineer stations, web servers and database servers, and whitelisting of industrial system access control lists and user assets, only authenticate and identify nominally; they cannot verify and audit the behavior and function of the industrial system in the actual industrial process. This mismatch between name and reality leaves traditional industrial system security assurance effective in name only. Typical representatives include industrial grade firewalls in Hainan weishi industry and industrial control security monitoring systems of three-zero weirs.
Disclosure of Invention
To solve the above technical problems, the invention provides an industrial control system functional safety verification method based on immune learning. The method does not depend on prior information such as normal analysis rules or abnormal "black" features; it accurately locks onto failures and hidden dangers at the level of behavioral expression without knowledge of the specific causes and characteristics of defects or the details of their exploitation, and significantly reduces functional safety risk.
The invention is realized by the following technical scheme:
An industrial control system functional safety verification method based on immune learning comprises the following steps:
A. acquiring industrial control behavior parameter data by offline in-the-loop testing of industrial control components;
B. modeling, from the behavior parameter data, a safety reference pattern library for industrial control at multiple scales;
C. identifying abnormal control behaviors through the safety reference pattern library;
D. constructing an abnormal behavior pattern database based on the abnormal control behaviors.
The safety reference pattern library is driven and shaped by behavior big data from offline testing of industrial control components, which realizes active defense. An abnormal behavior pattern database is learned and constructed from the set of defect-induced abnormal behavior instances, producing a library of defect "immune antibodies" in a manner similar to evolutionary selection. Joint two-factor diagnosis with the safety reference pattern library and the abnormal behavior pattern database supports standard-conformity determination of control functions at every scale and improves the safety of the industrial control system. With this method, the safety reference pattern library is built directly from a large amount of offline behavior parameter data; it does not rely on prior information such as normal analysis rules or abnormal "black" features, and it is built for industrial control at multiple scales without knowledge of the specific causes and characteristics of defects or the details of their exploitation. Failures and hidden dangers are accurately locked onto at the level of behavioral expression, and functional safety risk is significantly reduced.
The step B specifically comprises the following steps:
B1. reconstructing data distribution traces from the behavior parameter data by a method based on Bayesian network construction and probabilistic inference;
B2. converting process transition instances into a behavior function model by principal component analysis, in combination with the actual industrial control object states built into each industrial control process instance; converting ontology attribute instances into a processing service model by principal component analysis and similar methods, in combination with the actual industrial control operation instructions built into each industrial control operation process instance;
B3. expressing the information flow in the industrial control access and operation processes with graphic symbols, according to the behavior function model and the processing service model, to form the safety reference pattern library.
Further, step B1 is specifically:
B1-1. sorting the variables of the behavior parameter data by the degree of their correlation influence on the other variables, so that the variable with the greatest influence on the others ranks first and enters the network-building step first; in the network-building stage, each variable iteratively searches, among the variables that have already entered the Bayesian network, for nodes that increase its current score and adds them to its parent node set, until no score increases any further;
B1-2. for each incomplete behavior parameter record, performing probabilistic inference on the Bayesian network to find all candidate values and their relative probabilities, and filling the vacancy with the candidate value of highest probability.
Further, the specific method for constructing the behavior function model based on the principal component analysis method in the step B2 is as follows:
B2-1-1. converting the industrial control object state data set recorded under normal working conditions into a standardized data set with mean 0 and variance 1;
B2-1-2. establishing a principal component model of the industrial control access process from the standardized data set, and extracting the principal components;
B2-1-3. calculating the statistics of the principal component model of the industrial control access process for the standardized data set, and the corresponding control limits.
Further, the specific method for constructing the processing service model based on the principal component analysis method in step B2 is as follows:
B2-2-1. converting the industrial control component behavior instruction data set recorded under normal working conditions into a standardized data set with mean 0 and variance 1;
B2-2-2. establishing a principal component model of the industrial control operation process from the standardized data set, and extracting the principal components;
Further, the identification method in step C specifically includes:
C-1. using the safety reference pattern library to support standard-conformity determination of control functions at every scale, and identifying by principal component analysis whether a tendency toward abnormal behavior appears at the level of behavioral expression;
C-2. for an abnormal control behavior, if the defect-exploitation cluster it belongs to can be determined, locking the pathological behavior; if it cannot be determined, proceeding to step D.
Further, the method for identifying the abnormal behavior tendency from the expression level in the step C-1 specifically comprises the following steps:
C-1-1. acquiring newly added state-expression behavior parameter data online and standardizing it;
C-1-2. calculating the Hotelling's T² statistic and the squared prediction error (SPE) for the standardized data set, and monitoring whether either value exceeds the normal-state control limit; if not, repeating step C-1-1; if a control limit is exceeded, proceeding to step C-1-3;
C-1-3. calculating the contribution rate of each variable to the Hotelling's T² statistic and to the SPE statistic; the variable with the largest contribution rate is the variable likely to have caused the fault.
Further, step D specifically comprises:
D-1. using computer technology to build an industrial control honeynet that supports high-fidelity simulation and reproduction of networks and systems, replication of user behavior, automatic configuration and release of resources, security isolation of the environment and controlled exchange, and trapping pathological behaviors in it;
D-2. once the defect-exploitation mechanism is clear, mining prior "black" features with a decision tree constructed from rough sets under the characteristic relation, and constructing the abnormal behavior pattern database.
The method for constructing the abnormal behavior pattern database in the step D-2 specifically comprises the following steps:
D-2-1. calling a cloud transformation algorithm based on the peak method to discretize all continuous attributes in the behavior parameter data, obtaining a new behavior parameter data set;
D-2-2. for the new behavior parameter data set, calculating the upper and lower approximations of each condition attribute with respect to each partition set of the decision attribute, and the weighted average roughness of each condition attribute;
D-2-3. selecting the attribute B with the minimum weighted average roughness under the characteristic relation as the current splitting node and constructing a decision tree with B as the root, that is, obtaining one sample branch Q for each value of B;
D-2-4. for each sample branch Q that has not reached a leaf node, repeating from step D-2-2.
Compared with the prior art, the invention has the following advantages and beneficial effects:
The invention realizes active defense by driving and shaping a safety reference pattern library with behavior big data from offline testing of industrial control components. It learns and constructs an abnormal behavior pattern database from the set of defect-induced abnormal behavior instances, producing a library of defect "immune antibodies" in a manner similar to evolutionary selection. Joint two-factor diagnosis with the safety reference pattern library and the abnormal behavior pattern database supports standard-conformity determination of control functions at every scale and improves the safety of the industrial control system.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flow chart of the method of the present invention.
FIG. 2 is a functional block diagram of the present invention in off-line in-loop testing of an industrial control component.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Example 1
An industrial control system function safety verification method based on immune learning comprises the following steps:
A. acquiring industrial control behavior parameter data by offline in-the-loop testing of industrial control components;
B. modeling, from the behavior parameter data, a safety reference pattern library for industrial control at multiple scales;
C. in the actual industrial control process, identifying abnormal control behaviors through the safety reference pattern library;
D. constructing an abnormal behavior pattern database based on the abnormal control behaviors.
Existing industrial control system functional safety verification methods are limited to open mechanisms and to diagnosis under known fault conditions. To address this, the invention explores an innovative assurance mechanism that does not depend on a mechanism-analysis model or on prior fault modes, and develops a risk-controllable industrial control system built on components whose principles are closed and components with latent faults, which has the invisibility and the acquaintance to the risk control. A safety reference pattern library for industrial control is constructed from a large amount of behavior parameter data of the controlled object, which supports solving the functional safety problem. This large amount of behavior parameter data is produced mainly by offline in-the-loop testing and does not depend on monitoring data from online operation. Data obtained by online monitoring often cannot be mapped to specific functional behaviors and is too noisy; moreover, normal and abnormal behavior data cannot be told apart, so labeling it is too difficult.
Example 2
This example specifically refines each step based on example 1.
Before step A is carried out, the operation process and the industrial control access process of the industrial control system need to be formally expressed:
First, the access function is explained: the specific behavior function of the industrial control access process is explained by clearly defining the controlled object, its initial and final states before and after control is applied, and each key intermediate state during the state change. The behavior function serves as the entity that carries the industrial control access process, and the controlled object state serves as the information that flows logically between entities.
Second, the operation function is explained: the service that processes information serves as the entity that carries the industrial control operation process, the functional agent that schedules the processing service serves as the behavior function role, and the industrial control operation instruction serves as the information that flows logically between entities.
Third, the industrial control information flow diagram is drawn: the information flow in the industrial control access and operation processes is expressed with normalized graphic symbols. Each entity in the access and operation information flow diagram is regarded as an information input and output unit, namely an IPO unit, and the unit's input information source, input information content, output information destination, output information content and so on are specified.
In step A, hardware-in-the-loop simulation-driven testing can be carried out around the industrial control component, producing industrial control behavior parameter big data offline.
In step A, the offline in-the-loop test mainly comprises: A1. defining, at a commonly accepted granularity, the deliverable-level components of the industrial control system that carry homogeneous functional characteristics; in the industrial control field, two types of deliverable-level component are of particular interest, namely computing components and communication components; A2. carrying out offline hardware-in-the-loop testing around the industrial control component on a measurement and control platform that supports test tool invocation, test sequence generation and test model simulation, producing behavior parameter big data. As shown in fig. 2, the measurement and control platform includes three functional components: the main control computer, the bus instrument measurement and control assembly, and the signal conditioning and switching device. The main control computer provides the development and run-time environment for the test execution program, and controls the test and measurement instruments over the control bus to run the test execution program and retrieve the test data. The bus instrument measurement and control assembly mainly comprises modular test and measurement instruments, various control switches, the communication bus and so on. The signal conditioning and switching device mainly handles the switching and adaptation of the various measurement and excitation control signals.
Based on the large amount of behavior parameter data instantiating industrial control behavior that is collected in step A, an endogenous immune mechanism is modeled and a safety reference pattern library that approximates the mechanism is built, specifically as follows:
B1. reconstructing data distribution traces from the behavior parameter data by a method based on Bayesian network construction and probabilistic inference; the reconstructed data distribution traces mainly serve to fill in the necessary industrial process data completely, with the aim of ensuring the validity of behavior instance modeling and functional structure modeling, and to avoid data defects and model bias caused by test blind spots and measurement breakpoints;
B2. converting process transition instances into a behavior function model by principal component analysis, in combination with the actual industrial control object states built into each industrial control process instance; converting ontology attribute instances into a processing service model by principal component analysis and similar methods, in combination with the actual industrial control operation instructions built into each industrial control operation process instance;
B3. expressing the information flow in the industrial control access and operation processes with graphic symbols, according to the behavior function model, the processing service model and the route navigation model, to form the safety reference pattern library.
Wherein, B1 is specifically:
B1-1. sorting the variables of the original behavior parameter data by the degree of their correlation influence on the other variables, so that the variable with the greatest influence on the others ranks first and enters the network-building step first, which lets as many variables as possible find related parent nodes; in the network-building stage, each variable iteratively searches, among the variables that have already entered the Bayesian network, for nodes that increase its current score and adds them to its parent node set, until no score increases any further;
B1-2. for each incomplete behavior parameter record, performing probabilistic inference on the Bayesian network to find all candidate values and their relative probabilities, and filling the vacancy with the candidate value of highest probability.
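The following added example (not part of the patent text) sketches steps B1-1 and B1-2 on a small constructed data set of discrete behavior parameters. The patent does not name the ordering measure, the network score or the inference procedure; total mutual information, the K2 score and Laplace-smoothed inference over the missing variable's Markov blanket are assumptions, as are the field names `mode`, `pump` and `alarm`.

```python
import math
from collections import Counter

def make_rows():
    """Constructed complete records: pump follows mode, alarm is independent."""
    cells = {("run", "on"): 18, ("run", "off"): 2, ("idle", "on"): 2, ("idle", "off"): 18}
    rows = []
    for (mode, pump), count in cells.items():
        for i in range(count):
            rows.append({"mode": mode, "pump": pump, "alarm": "yes" if i % 2 else "no"})
    return rows

def mutual_information(rows, a, b):
    n = len(rows)
    pa, pb = Counter(r[a] for r in rows), Counter(r[b] for r in rows)
    pab = Counter((r[a], r[b]) for r in rows)
    return sum(c / n * math.log((c / n) / (pa[x] / n * pb[y] / n))
               for (x, y), c in pab.items())

def k2_score(rows, child, parents, values):
    """Log K2 score of `child` for one candidate parent set."""
    r = len(values[child])
    totals = Counter(tuple(row[p] for p in parents) for row in rows)
    cells = Counter((tuple(row[p] for p in parents), row[child]) for row in rows)
    score = sum(math.lgamma(r) - math.lgamma(n_j + r) for n_j in totals.values())
    return score + sum(math.lgamma(c + 1) for c in cells.values())

def learn_structure(rows, columns):
    """B1-1: order variables by influence, then greedily add score-raising parents."""
    values = {c: sorted({r[c] for r in rows}) for c in columns}
    influence = {c: sum(mutual_information(rows, c, o) for o in columns if o != c)
                 for c in columns}
    order = sorted(columns, key=lambda c: -influence[c])
    parents = {}
    for i, child in enumerate(order):
        chosen, best = [], k2_score(rows, child, [], values)
        improved = True
        while improved:
            improved, pick = False, None
            for cand in order[:i]:          # only variables already in the network
                if cand in chosen:
                    continue
                score = k2_score(rows, child, chosen + [cand], values)
                if score > best:
                    best, pick, improved = score, cand, True
            if improved:
                chosen.append(pick)
        parents[child] = chosen
    return parents, values

def cond_prob(rows, values, parents, var, assignment):
    """Laplace-smoothed P(var | its parents), read from the complete records."""
    match = [r for r in rows if all(r[p] == assignment[p] for p in parents[var])]
    hits = sum(1 for r in match if r[var] == assignment[var])
    return (hits + 1) / (len(match) + len(values[var]))

def impute(rows, values, parents, record, missing):
    """B1-2: relative probability of every candidate value; the highest one fills the gap."""
    weights = {}
    for cand in values[missing]:
        full = dict(record, **{missing: cand})
        w = cond_prob(rows, values, parents, missing, full)
        for child, pa in parents.items():   # children of the missing variable
            if missing in pa:
                w *= cond_prob(rows, values, parents, child, full)
        weights[cand] = w
    total = sum(weights.values())
    probs = {c: w / total for c, w in weights.items()}
    return max(probs, key=probs.get), probs

if __name__ == "__main__":
    data = make_rows()
    net, vals = learn_structure(data, ["mode", "pump", "alarm"])
    print(net)
    print(impute(data, vals, net, {"mode": "run", "pump": None, "alarm": "no"}, "pump"))
```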
The concrete method for constructing the behavior function model in the B2 comprises the following steps:
B2-1-1. converting the industrial control object state data set recorded under normal working conditions into a standardized data set with mean 0 and variance 1;
B2-1-2. establishing a principal component model of the industrial control access process from the standardized data set, and extracting the principal components;
B2-1-3. calculating the statistics of the principal component model of the industrial control access process for the standardized data set, and the corresponding control limits.
The specific method for constructing the processing service model in the step B2 comprises the following steps:
B2-2-1. converting the industrial control component behavior instruction data set recorded under normal working conditions into a standardized data set with mean 0 and variance 1;
B2-2-2. establishing a principal component model of the industrial control operation process from the standardized data set, and extracting the principal components;
B2-2-3. calculating the statistics of the principal component model of the industrial control operation process for the standardized data set, and the corresponding control limits.
Step C is carried out in the actual industrial control process: online data are collected, sensing points are deployed, and behavior parameter data characterizing the industrial control process at the component level are monitored and collected on site.
Online data acquisition mainly comprises the following: 1. selecting measuring points and optimally configuring the sensors, so as to ensure the best safety detection effect and the smallest impact on the dynamic performance of the industrial control component; 2. establishing a control process data integration platform based on an industrial real-time database, fully acquiring online information such as field operations, operation instructions and equipment states, and supporting functional mode detection for programmable embedded electronic devices, capture of the logical behavior of real-time control and monitoring software, and analysis of communication over industrial control network protocols. The industrial real-time database should meet the following requirements: it supports equipment and software of different brands through high-precision time resolution, supports a wide range of data source forms through multi-protocol acquisition adaptation, and supports the transmission and storage of big data through highly efficient data compression.
The identification method in the step C comprises the following specific steps:
C-1. using the safety reference pattern library established from the behavior function model, the processing service model and the route navigation model to support standard-conformity determination of control functions at every scale, and identifying by principal component analysis whether a tendency toward abnormal behavior appears at the level of behavioral expression;
C-2. for an abnormal control behavior, determining the defect-exploitation cluster it belongs to with the decision rules stored in the abnormal behavior feature library, and locking the pathological behavior if it is clearly classified; if it cannot be determined, proceeding to step D.
The method for identifying the abnormal behavior tendency from the expression level specifically comprises the following steps:
C-1-1. acquiring newly added state-expression behavior parameter data online and standardizing it;
C-1-2. calculating the Hotelling's T² statistic and the squared prediction error (SPE) for the standardized data set, and monitoring whether either value exceeds the normal-state control limit; if not, repeating step C-1-1; if a control limit is exceeded, proceeding to step C-1-3;
C-1-3. calculating the contribution rate of each variable to the Hotelling's T² statistic and to the SPE statistic; the variable with the largest contribution rate is the variable likely to have caused the fault.
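An added example, not part of the patent text, of the monitoring loop in steps B2-1-1 to B2-1-3 and C-1-1 to C-1-3: a principal component model is fitted to normal-condition data, T² and SPE are compared with their control limits, and the variable with the largest SPE contribution is reported. The four process variables, the constructed data, the 95% variance share and the empirical 99% quantile used as control limit are assumptions, since the patent gives no formula for the limits; T² contributions are left out to keep the block short.

```python
import math
import random

def make_training(n=400, seed=7):
    """Constructed normal-condition data: three coupled variables and one independent one."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        load = rng.gauss(0, 1)                               # hidden operating point
        rows.append([50 + 10 * load + rng.gauss(0, 0.3),     # 0: valve command (%)
                     20 + 4 * load + rng.gauss(0, 0.15),     # 1: flow
                     5 - 1 * load + rng.gauss(0, 0.05),      # 2: tank level rate
                     25 + rng.gauss(0, 2)])                  # 3: ambient temperature
    return rows

def standardize(row, mean, std):
    return [(x - mu) / s for x, mu, s in zip(row, mean, std)]

def top_components(cov, var_share):
    """Leading eigenpairs by power iteration with deflation, until var_share is explained."""
    m = len(cov)
    a = [r[:] for r in cov]
    total = sum(cov[i][i] for i in range(m))
    eigvals, eigvecs = [], []
    while sum(eigvals) < var_share * total and len(eigvals) < m:
        v = [1.0 / (i + 1) for i in range(m)]                # fixed, non-symmetric start
        for _ in range(500):
            w = [sum(a[i][j] * v[j] for j in range(m)) for i in range(m)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[i] * a[i][j] * v[j] for i in range(m) for j in range(m))
        eigvals.append(lam)
        eigvecs.append(v)
        a = [[a[i][j] - lam * v[i] * v[j] for j in range(m)] for i in range(m)]
    return eigvals, eigvecs

def statistics(z, eigvals, eigvecs):
    """Hotelling's T2 in the model subspace, SPE and residual vector outside it."""
    scores = [sum(p[j] * z[j] for j in range(len(z))) for p in eigvecs]
    t2 = sum(t * t / lam for t, lam in zip(scores, eigvals))
    recon = [sum(t * p[j] for t, p in zip(scores, eigvecs)) for j in range(len(z))]
    resid = [zj - rj for zj, rj in zip(z, recon)]
    return t2, sum(e * e for e in resid), resid

def quantile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def fit_model(rows, var_share=0.95, q=0.99):
    """B2-1-1 to B2-1-3: standardize, extract principal components, set control limits."""
    n, m = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(m)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / (n - 1)) for j in range(m)]
    zs = [standardize(r, mean, std) for r in rows]
    cov = [[sum(z[i] * z[j] for z in zs) / (n - 1) for j in range(m)] for i in range(m)]
    eigvals, eigvecs = top_components(cov, var_share)
    stats = [statistics(z, eigvals, eigvecs) for z in zs]
    return {"mean": mean, "std": std, "eigvals": eigvals, "eigvecs": eigvecs,
            "t2_limit": quantile([s[0] for s in stats], q),
            "spe_limit": quantile([s[1] for s in stats], q)}

def check(model, row):
    """C-1-1 to C-1-3 for one online sample."""
    z = standardize(row, model["mean"], model["std"])
    t2, spe, resid = statistics(z, model["eigvals"], model["eigvecs"])
    alarm = t2 > model["t2_limit"] or spe > model["spe_limit"]
    contrib = [e * e for e in resid]                         # per-variable SPE contribution
    suspect = contrib.index(max(contrib)) if alarm else None
    return {"t2": t2, "spe": spe, "alarm": alarm, "suspect": suspect}

if __name__ == "__main__":
    model = fit_model(make_training())
    print(check(model, [53.0, 21.2, 4.7, 25.5]))   # consistent with the learned coupling
    print(check(model, [53.0, 32.0, 4.7, 25.5]))   # flow reading breaks the coupling
```

In the second sample every value is individually plausible only for the valve, level and temperature readings; the flow reading no longer matches them, so SPE rises and the contribution ranking points at variable 1.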
In C-2, the method of determining the defect-exploitation cluster with the decision rules stored in the abnormal behavior feature library specifically comprises the following steps:
C-2-1. calling a cloud transformation algorithm based on the peak method to discretize all continuous attributes in the behavior parameter data, obtaining a new data record;
C-2-2. calling the decision tree that is stored in the abnormal behavior feature library and constructed from rough sets under the characteristic relation to determine the defect-exploitation cluster to which the abnormal control behavior belongs.
Step D constructs an abnormal behavior pattern database of static and dynamic defects based on abnormal control behaviors, and comprises the following steps:
D-1. using computer technology to build an industrial control redundant honeynet that supports high-fidelity simulation and reproduction of networks and systems, replication of user behavior, automatic configuration and release of resources, security isolation of the environment and controlled exchange, and trapping pathological behaviors in it;
D-2. once the defect-exploitation mechanism is clear, mining prior "black" features with a decision tree constructed from rough sets under the characteristic relation, and constructing the abnormal behavior pattern database.
Abnormal control behaviors whose defect-exploitation cluster cannot be determined are induced into a sparse industrial control redundant honeynet that uses industrial control operations as the gene carrier and supports simulated reconstruction. There, potential pathological tendencies are studied and judged and prior "black" features are mined, and the abnormal behavior pattern database is constructed. The abnormal behavior pattern database has acquaintance and can be updated according to abnormal data such as the prior "black" features, thereby preventing attacks that use the prior "black" features.
The method for constructing the abnormal behavior pattern database in step D-2 specifically comprises the following steps:
D-2-1, calling a cloud transformation algorithm based on the peak method to discretize all continuous attributes in the behavior parameter data, obtaining a new behavior parameter data set;
D-2-2, for the new behavior parameter data set, calculating the upper and lower approximations of each condition attribute relative to each partition set of the decision attribute, and the weighted average roughness of each condition attribute;
D-2-3, selecting the attribute B with the minimum weighted average roughness under the characteristic relation as the current splitting node, and constructing a decision tree with B as the root, that is, obtaining a sample branch Q for each value v of B, where Q is the subsample of the behavior parameter data set whose value of attribute B is v;
D-2-4, for each sample branch Q, if it has not reached a leaf node, repeating from step D-2-2.
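Steps D-2-2 to D-2-4 as an added example (not the patent's own code), assuming the attributes are already discretized and complete, so the ordinary indiscernibility partition stands in for the characteristic relation. Roughness is taken as 1 − |lower|/|upper| weighted by decision-class size; that definition, the attribute names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def weighted_roughness(rows, attr, decision):
    """D-2-2: weighted average roughness of one condition attribute."""
    blocks, classes = defaultdict(set), defaultdict(set)
    for i, r in enumerate(rows):
        blocks[r[attr]].add(i)         # partition induced by the condition attribute
        classes[r[decision]].add(i)    # partition induced by the decision attribute
    total = 0.0
    for members in classes.values():
        lower = sum(len(b) for b in blocks.values() if b <= members)  # blocks inside
        upper = sum(len(b) for b in blocks.values() if b & members)   # blocks touching
        total += len(members) / len(rows) * (1 - lower / upper)
    return total

def build_tree(rows, attrs, decision):
    """D-2-3 / D-2-4: split on the least-rough attribute until branches are pure."""
    labels = Counter(r[decision] for r in rows)
    if len(labels) == 1 or not attrs:
        return labels.most_common(1)[0][0]          # leaf: cluster label
    best = min(attrs, key=lambda a: weighted_roughness(rows, a, decision))
    rest = [a for a in attrs if a != best]
    return {best: {v: build_tree([r for r in rows if r[best] == v], rest, decision)
                   for v in sorted({r[best] for r in rows})}}

def classify(tree, record):
    """Walk the tree; None means the cluster attribution cannot be judged."""
    while isinstance(tree, dict):
        attr, branches = next(iter(tree.items()))
        tree = branches.get(record.get(attr))
    return tree

# Constructed, already-discretized behavior records (hypothetical attribute names).
FIELDS = ("cmd_rate", "setpoint_jump", "source", "cluster")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("low", "small", "hmi", "K1"), ("high", "small", "hmi", "K1"),
    ("low", "small", "unknown", "K3"), ("high", "small", "unknown", "K3"),
    ("low", "large", "hmi", "K2"), ("high", "large", "unknown", "K2"),
    ("high", "large", "hmi", "K2")]]
TREE = build_tree(ROWS, list(FIELDS[:3]), "cluster")
```

A record whose attribute value has no branch returns `None`, which corresponds to the case where attribution cannot be judged and the behavior is handed to Step D.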
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (6)

1. An industrial control system function safety verification method based on immune learning, characterized by comprising the following steps: A. acquiring behavior parameter data of industrial control by testing the industrial control assembly in an off-line, in-the-loop manner; B. modeling, according to the behavior parameter data, a safety reference mode library for industrial control under multiple scales; C. identifying abnormal control behaviors through the safety reference pattern library; D. constructing an abnormal behavior pattern database based on the abnormal control behaviors;
the step B specifically comprises the following steps: B1, reconstructing data distribution traces from the behavior parameter data by a method based on Bayesian network construction and probability inference; B2, converting the process transition instances into a behavior function model by a principal component analysis method, according to the actual industrial control object states built into each industrial control process instance; converting the ontology attribute instances into a processing service model by a principal component analysis method, in combination with the actual industrial control operation instructions built into the industrial control operation process instances; B3, expressing, with graphic symbols, the form of the information flow in the process of industrial control access and operation according to the behavior function model and the processing service model, to form the safety reference mode library;
the identification method in the step C comprises the following specific steps: C-1, promoting standard conformity determination of control functions under all scales by using the safety reference mode library, and identifying from the performance level, by a principal component analysis method, whether an abnormal behavior tendency occurs; C-2, for the abnormal control behavior, if its defect-utilization cluster attribution can be judged, locking the pathological behavior; if it cannot be judged, proceeding to step D;
the step D is specifically as follows: D-1, using computer technology to build an industrial control redundancy honeynet that supports high-fidelity simulated reproduction of networks and systems, user behavior replication, automatic resource configuration and release, and environment security isolation with controlled exchange, and trapping pathological behaviors; D-2, on the premise that the defect utilization mechanism is defined, adopting a decision tree constructed from a rough set under a characteristic relation, mining prior black characteristics, and constructing the abnormal behavior pattern database.
2. The industrial control system function safety verification method based on immune learning of claim 1, wherein: the step B1 specifically includes: B1-1, sorting the behavior parameter data according to the degree of relevance influence of each variable on the other variables, ranking the variable with the largest influence on the other variables in 1st position so that it enters the networking step first; in the networking stage, each variable iteratively searches the variables already in the Bayesian network for nodes that increase the current score and adds them to its parent node set, until no score increases any further; B1-2, for each incomplete behavior parameter data item, carrying out probability inference based on the Bayesian network, finding all candidate values and their relative probabilities, and filling in the candidate value with the highest probability as the missing data.
3. The industrial control system function safety verification method based on immune learning of claim 1, wherein: the specific method for constructing the behavior function model based on the principal component analysis method in the step B2 is as follows: B2-1-1, converting the industrial control object state expression data set under the normal working condition into a standard data set with a mean value of 0 and a variance of 1; B2-1-2, establishing an industrial control access process principal component model from the standard data set, and extracting principal components; B2-1-3, calculating the statistics of the industrial control access process principal component model for the standard data set and the corresponding control limits.
4. The industrial control system function safety verification method based on immune learning of claim 1, wherein: the specific method for constructing the processing service model based on the principal component analysis method in the step B2 is as follows: B2-2-1, converting the industrial control assembly behavior instruction data set under the normal working condition into a standard data set with a mean value of 0 and a variance of 1; B2-2-2, establishing an industrial control operation process principal component model from the standard data set, and extracting principal components; B2-2-3, calculating the statistics of the industrial control operation process principal component model for the standard data set and the corresponding control limits.
5. The industrial control system function safety verification method based on immune learning of claim 1, wherein: the method for identifying the abnormal behavior tendency from the expression level in the step C-1 specifically comprises the following steps: C-1-1, acquiring the newly added state-expression behavior parameter data online, and standardizing it to form a standard data set; C-1-2, calculating the Hotelling's T² statistic and the squared prediction error (SPE) for the standard data set, and monitoring whether either value exceeds its normal-state control limit; if not, repeating step C-1-1; if a control limit is exceeded, proceeding to step C-1-3; C-1-3, calculating each variable's contribution rate to the Hotelling's T² statistic and to the SPE statistic, wherein the variable with the largest contribution rate is the variable that may have caused the fault.
6. The industrial control system function safety verification method based on immune learning of claim 1, wherein: the method for constructing the abnormal behavior pattern database in the step D-2 specifically comprises the following steps: D-2-1, calling a cloud transformation algorithm based on the peak method to discretize all continuous attributes in the behavior parameter data, obtaining a new behavior parameter data set; D-2-2, for the new behavior parameter data set, calculating the upper and lower approximations of each condition attribute relative to each partition set of the decision attribute, and the weighted average roughness of each condition attribute; D-2-3, selecting the attribute B with the minimum weighted average roughness under the characteristic relation as the current splitting node, and constructing a decision tree with B as the root, that is, obtaining a sample branch Q for each value of B; D-2-4, for each sample branch Q, if it has not reached a leaf node, repeating from step D-2-2.
CN201611169479.7A 2016-12-16 2016-12-16 Industrial control system function safety verification method based on immune learning Expired - Fee Related CN106778210B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611169479.7A CN106778210B (en) 2016-12-16 2016-12-16 Industrial control system function safety verification method based on immune learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611169479.7A CN106778210B (en) 2016-12-16 2016-12-16 Industrial control system function safety verification method based on immune learning

Publications (2)

Publication Number Publication Date
CN106778210A CN106778210A (en) 2017-05-31
CN106778210B true CN106778210B (en) 2020-04-07

Family

ID=58892374

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611169479.7A Expired - Fee Related CN106778210B (en) 2016-12-16 2016-12-16 Industrial control system function safety verification method based on immune learning

Country Status (1)

Country Link
CN (1) CN106778210B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107370732B (en) * 2017-07-14 2021-08-17 成都信息工程大学 Abnormal behavior discovery system of industrial control system based on neural network and optimal recommendation
CN108769071B (en) * 2018-07-02 2021-02-09 腾讯科技(深圳)有限公司 Attack information processing method and device and Internet of things honeypot system
CN109445406B (en) * 2018-10-18 2021-05-18 西南交通大学 Industrial control system safety detection method based on scene test and transaction search
CN111239529A (en) * 2020-03-05 2020-06-05 西南交通大学 Excitation test method and system supporting predictive maintenance of electromechanical equipment
CN113378151A (en) * 2021-06-23 2021-09-10 上海红阵信息科技有限公司 Unified identity authentication system and method based on mimicry structure
CN115001866B (en) * 2022-08-01 2022-11-08 成都市以太节点科技有限公司 Safety protection method based on immune mechanism, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102637019A (en) * 2011-02-10 2012-08-15 武汉科技大学 Intelligent integrated fault diagnosis method and device in industrial production process
CN105763392A (en) * 2016-02-19 2016-07-13 中国人民解放军理工大学 Industrial control protocol fuzzing test method based on protocol state
EP3076291A1 (en) * 2015-03-30 2016-10-05 Rockwell Automation Germany GmbH & Co. KG Method for assignment of verification numbers

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105959144B (en) * 2016-06-02 2019-08-06 中国科学院信息工程研究所 Secure data acquisition and method for detecting abnormality and system towards industrial control network

Also Published As

Publication number Publication date
CN106778210A (en) 2017-05-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200407