CN112073255A - Industrial control network flow prediction method and device based on deep learning - Google Patents
Industrial control network flow prediction method and device based on deep learning Download PDFInfo
- Publication number
- CN112073255A CN112073255A CN202010219936.9A CN202010219936A CN112073255A CN 112073255 A CN112073255 A CN 112073255A CN 202010219936 A CN202010219936 A CN 202010219936A CN 112073255 A CN112073255 A CN 112073255A
- Authority
- CN
- China
- Prior art keywords
- flow
- model
- industrial control
- time period
- traffic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000013135 deep learning Methods 0.000 title claims abstract description 26
- 238000012549 training Methods 0.000 claims abstract description 29
- 238000003860 storage Methods 0.000 claims abstract description 12
- 230000015654 memory Effects 0.000 claims description 30
- 102100026278 Cysteine sulfinic acid decarboxylase Human genes 0.000 claims description 17
- 108010064775 protein C activator peptide Proteins 0.000 claims description 17
- 238000004590 computer program Methods 0.000 claims description 15
- 238000012795 verification Methods 0.000 claims description 10
- 238000010200 validation analysis Methods 0.000 claims description 2
- 230000006870 function Effects 0.000 description 15
- 238000010586 diagram Methods 0.000 description 7
- 230000002159 abnormal effect Effects 0.000 description 6
- 238000004422 calculation algorithm Methods 0.000 description 6
- 230000004913 activation Effects 0.000 description 5
- 238000013528 artificial neural network Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 230000006399 behavior Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000010801 machine learning Methods 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 3
- 238000007619 statistical method Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012706 support-vector machine Methods 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- ORILYTVJVMAKLC-UHFFFAOYSA-N Adamantane Natural products C1C(C2)CC3CC1CC2C3 ORILYTVJVMAKLC-UHFFFAOYSA-N 0.000 description 1
- 208000025174 PANDAS Diseases 0.000 description 1
- 208000021155 Paediatric autoimmune neuropsychiatric disorders associated with streptococcal infection Diseases 0.000 description 1
- 240000000220 Panda oleosa Species 0.000 description 1
- 235000016496 Panda oleosa Nutrition 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000007787 long-term memory Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000000306 recurrent effect Effects 0.000 description 1
- 229920006395 saturated elastomer Polymers 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/049—Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- General Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Computational Linguistics (AREA)
- Signal Processing (AREA)
- Evolutionary Computation (AREA)
- Health & Medical Sciences (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides an industrial control network flow prediction method, an industrial control network flow prediction device, computer equipment and a storage medium based on deep learning, wherein the method comprises the following steps: acquiring historical flow packet data in a preset time period; training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model; acquiring a time to be predicted; and inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted. The method can realize convenience, high accuracy and high stability of the predicted value.
Description
Technical Field
The application relates to the technical field of industrial control network traffic monitoring, in particular to an industrial control network traffic prediction method and device based on deep learning, computer equipment and a storage medium.
Background
Compared with the traditional information security, the industrial control system security has unique characteristics. The industrial control system is initially a special system, an operating system and a communication protocol of the industrial control system are greatly different from those of a common system, compared with an open internet environment, the industrial control system is relatively independent, the industrial control system is designed to complete various real-time control functions at the beginning, and the problem of safety protection is not considered. However, with the development of computer and network technologies, as the trends of "dualisation and integration" and "internet +" come, the network security (referred to as industrial control security for short) problem of the traditional industrial control system becomes a serious challenge facing the security of enterprises and countries, and is concerned by more and more enterprises and governments, the industrial control system has been developed after undergoing a closed state for a long time, and the industrial control system exposes itself on the internet through network interconnection, so that the system itself is easily attacked by viruses, trojans and hackers from an enterprise management network or the internet, and key infrastructures, important systems and the like controlled by the industrial control system have huge security risks and hidden dangers. In addition, the industrial network usually adopts a Transmission Control Protocol/Internet Protocol (TCP/IP) technology to perform communication, and attacks the industrial Control network by using the traditional IP security vulnerability, so that the potential safety hazard of the industrial Control system is increased.
Network flow in industrial control is mostly automatically generated by industrial control equipment according to a production process, so that the discovery of threat behaviors from industrial control network flow is one of means for protecting the safety of an industrial control system. The industrial control network is very different from the traditional information network, and has unique characteristics in the aspects of network scale, network equipment composition, safety principle and the like, so the original network anomaly detection method suitable for the traditional information network is not completely suitable for the industrial control network. The conventional statistical analysis is mostly adopted for monitoring the abnormal flow of the industrial control network, a fixed alarm threshold is obtained according to the statistical analysis in the historical flow, and the method lacks a dynamic alarm threshold adjusted according to different time periods, so that the problems of low alarm efficiency, high missing report rate, high false report rate and the like are caused. The requirement of real-time monitoring of network flow cannot be met, and a judgment basis cannot be better provided for safety protection of the industrial control system terminal. Therefore, according to the network traffic of different time periods, the threat behavior of the industrial control system terminal can be found better only by dynamically obtaining the abnormal traffic alarm threshold value in real time.
At present, some researches have been made on the flow baseline learning of an industrial control network, and the existing baseline learning mainly comprises that a fixed flow baseline is obtained based on statistical analysis of historical data in a certain period and traditional machine learning algorithms such as a support vector machine, a K-means (K-means) algorithm, a dynamic semi-supervised K-means combined with a single support vector machine and the like are used. The fixed flow baseline is lack of dynamic alarm threshold adjusted according to busy and idle time, if the fixed alarm threshold is set to be larger, the fixed alarm threshold only has significance to flow wave peaks, and the flow in other time periods is in an out-of-control state; if the fixed alarm threshold is set to be smaller and cannot meet the state alarm of the wave crest, the peak flow is in the alarm state for a long time and the alarm significance is lost. Although the traditional machine learning algorithm model obtains better results, the effect of the traditional machine learning algorithm is greatly influenced by the quality of the characteristic value extraction, and the accuracy rate is difficult to meet the requirement of industrial use.
Disclosure of Invention
In view of this, an object of the present application is to provide an industrial control network traffic prediction method and apparatus, a computer device, and a storage medium based on deep learning, so as to achieve convenience, high accuracy, and high stability of a predicted value.
Based on the above purpose, the application provides an industrial control network traffic prediction method based on deep learning, and the method includes:
acquiring historical flow packet data in a preset time period;
training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model;
acquiring a time to be predicted;
and inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted.
In an embodiment, the obtaining historical traffic packet data in a preset time period includes:
collecting PCAP flow packets of a plurality of network devices according to a preset frequency;
counting the PCAP traffic packets of the plurality of network devices, and determining the total traffic packet number of the fixed time intervals in the PCAP packets;
and determining historical traffic packet data in a preset time period according to the total traffic packet and a preset traffic baseline.
In an embodiment, the determining historical traffic packet data in a preset time period according to the total traffic packet number and a preset traffic baseline includes:
and if the total flow packet number is less than or equal to the preset flow baseline, taking the flow data of the total flow packets as historical flow packet data in a preset time period.
In an embodiment, the obtaining a traffic prediction model according to the historical traffic packet data in the preset time period and a pre-established model includes:
dividing the historical flow packet data in the preset time period into a training set and a verification set according to a proportion;
and determining a flow prediction model according to the training set, the verification set and a pre-established model.
In an embodiment, the determining a flow prediction model according to the training set, the validation set, and the pre-established model includes:
training and optimizing parameters of the pre-established model by adopting the training set to obtain an initial model;
and verifying the initial model by using the verification set to obtain a flow prediction model.
In one embodiment, the pre-established model is a tensierflow framework based LSTM model.
An industrial control network traffic prediction device based on deep learning, the device comprises:
the first acquisition module is used for acquiring historical flow packet data in a preset time period;
the model determining module is used for training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model;
the second acquisition module is used for acquiring the time to be predicted;
and the flow prediction module is used for inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method as claimed in any one of the above when the computer program is executed.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of the preceding claims.
The application provides an industrial control network flow prediction method, an industrial control network flow prediction device, computer equipment and a storage medium based on deep learning, wherein the method comprises the following steps: acquiring historical flow packet data in a preset time period; training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model; acquiring a time to be predicted; and inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted. The method can realize convenience, high accuracy and high stability of the predicted value.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flow diagram of an industrial control network traffic prediction method based on deep learning according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a deep learning-based industrial control network traffic prediction method according to another embodiment of the present application;
FIG. 3 is a diagram of LSTM inference of an embodiment of the present application;
FIG. 4 is a schematic diagram of an LSTM expanded structure according to an embodiment of the present application;
fig. 5 is a schematic diagram of a network traffic size prediction result according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an industrial control network traffic prediction device based on deep learning according to an embodiment of the present application;
fig. 7 is a schematic internal structure diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below with reference to specific embodiments and the accompanying drawings.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item identified as preceding the word, or the equivalent thereof, covers the element or item identified as following the word, and does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
In order to facilitate understanding of the present application, the following keywords are required to be described, specifically as follows:
deep Learning (DL): the neural network with multiple hidden layers is a distributed characteristic representation of data, which is formed by combining lower-layer characteristics to form more abstract high-layer representation attribute categories or characteristics, and the concept of the distributed characteristic representation is derived from the research of artificial neural networks.
Flow baseline: the regular flow magnitude reference value is obtained through learning of historical periodic flow data.
Abnormal flow rate: refers to the amount of unexpected flow beyond the flow baseline.
An industrial personal computer: an industrial control computer is a general name of a tool which adopts a bus structure and detects and controls a production process, electromechanical equipment and process equipment thereof.
A flow collector: refers to a server equipped with a traffic collection tool.
Long Short-Term Memory network (LSTM): the time-cycle Neural Network is an improved cycle Neural Network (RNN), and can solve the problem that the RNN cannot handle long-distance dependence.
The industrial control network flow baseline learning algorithm based on deep learning is based on a recursive time sequence model, Long-time Memory model training is carried out on PCAP flow data packets collected by a flow collector in different time periods, the purpose is to predict the size of the flow data packets in a certain period in the future based on historical flow data packets, a Long-time Memory (LSTM) model in the recent fire-heat deep learning technology is adopted for learning, and finally, the industrial control network flow baseline learning method based on deep learning is provided. The application provides an overall flow of an industrial control network traffic prediction method based on deep learning, which is shown in fig. 1 and specifically comprises the following steps:
step S10: acquiring historical flow packet data in a preset time period;
step S20: training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model;
step S30: acquiring a time to be predicted;
step S40: and inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted.
In one embodiment, the step S10 includes:
step S101: collecting PCAP flow packets of a plurality of network devices according to a preset frequency;
step S102: counting the PCAP traffic packets of the plurality of network devices, and determining the total traffic packet number of a fixed time interval in the PCAP packets;
step S103: and determining historical flow packet data in a preset time period according to the total flow packet and a preset flow base line.
In one embodiment, the step S103 includes:
step S1031: and if the total flow packet number is less than or equal to the preset flow baseline, taking the flow data of the total flow packets as historical flow packet data in a preset time period.
In one embodiment, the step S20 includes:
step S201: dividing the historical flow packet data in the preset time period into a training set and a verification set according to a proportion;
step S202: and determining a flow prediction model according to the training set, the verification set and a pre-established model.
In one embodiment, the step S202 includes:
step S2021: training and optimizing parameters of the pre-established model by adopting the training set to obtain an initial model;
step S2022: and verifying the initial model by using the verification set to obtain a flow prediction model.
In one embodiment, the pre-established model is a tensierflow framework based LSTM model.
In one embodiment, the detailed implementation of step S10 of the present application is described in detail below. The traffic collector is used for collecting the PCAP traffic packets of the industrial control equipment once every minute, and 10080 PCAP traffic packets can be collected in one week. A PCAP traffic packet contains a complete datagram including all the information in the network protocol datagram, and the traffic baseline mainly uses the number of datagrams in a fixed time interval in the PCAP packet, which is called the number of traffic packets.
Preprocessing the PCAP packet based on python language, namely regarding all the datagrams in each time interval as a whole, calculating the sum of the number of inflow and outflow datagrams in the target network environment in the time interval, storing the sum in a csv format, and generating a standard data set for LSTM model training.
In one embodiment, the detailed implementation of step S20 of the present application is described below.
Concept and principle of one-time and long-time memory network
The hidden layer of the original RNN has only one state, h, which is very sensitive to short-term input. A state, c, is added to save a long-term state, called cell state, as shown in fig. 2.
Unfolding fig. 3 according to the time dimension results in the structure shown in fig. 4, and at time t, there are three LSTM inputs: input value X of the network at the present momenttLast time LSTM output value ht-1And cell state c at the previous timet-1(ii) a The output of the LSTM is two: output value h of current time LSTMtCurrent cell state ct。
In contrast to RNN, LSTM is still based on XtAnd ht-1To calculate htBut with the addition of an input gate i in the internal structuretForgetting door ftAnd an output gate otAnd an internal memory cell ct. The input door controls how much the new state currently calculated is updated into the memory unit; the forgetting door controls how much the information in the memory unit of the previous step is forgotten; the degree to which the output gate controls the current output depends on the current memory cell.
In the classical LSTM model, the updated calculation formula for the t-th layer is:
it=σ(Wixt+Uiht-1+bi) Equation 1
ft=σ(Wfxt+Ufht-1+bf) Equation 2
ot=σ(Woxt+Uoht-1+bo) Equation 3
ht=ot⊙Tanh(ct) Equation 6
In the formula itIs by inputting xtAnd hidden layer output h of the previous stept-1Linear transformation is carried out, and the linear transformation is obtained through an activation function sigma. Input door itThe result of (a) is a vector, where each element is a real number between 0 and 1, for controlling the amount of information flowing through the valve in each dimension; wi、UiTwo matrices and vector biThe parameters of the door are input and need to be learned in the training process. Forget door ftAnd an output gate otAre calculated in a similar manner as the input gates, with their respective parameters W, U and b. Unlike the conventional recurrent neural network, the state c of the last memory cellt-1To the current state ctThe transition of (a) does not necessarily depend entirely on the state calculated by the activation function, but is also controlled jointly by an input gate and a forgetting gate.
In a trained network, when the input sequence has no important information, the value of the forgetting gate of the LSTM is close to 1, the value of the input gate is close to 0, and the past memory is stored at the moment, so that the long-term memory function is realized; when important information appears in the input sequence, the LSTM should store it in memory, with the value of its input gate close to 1; when important information appears in the input sequence and means that the previous memory is no longer important, the value of the input gate is close to 1 and the value of the forgetting gate is close to 0, so that the old memory is forgotten and new important information is memorized.
Second, LSTM model training based on tensorflow framework
The LSTM model construction and training are carried out by adopting a tensoflow frame, firstly, loading the csv file preprocessed in the step one by using a pandas module, then randomly generating a training set (90%) and a verification set (10%) from data, then constructing a network suitable for network flow baseline learning by using an LSTM network structure of a keras module, wherein a loss function is root mean square error (mean _ squared _ error), model parameter optimization is carried out by using an Adam method, time sequence length (time _ steps) is set to be 10, iteration batch (batch _ size) is 50, hidden layer size (cell _ size) is set to be 10, learning rate is 0.005, and iteration times are 500. It should be noted that in LSTM, the forgetting gate, the input gate, and the output gate use a Sigmoid function as an activation function; in generating the candidate memory, a hyperbolic tangent function Tanh is used as the activation function. The purpose of adopting the two saturated activation functions is that under the condition that the input reaches a certain value, the output can not be obviously changed, and the gating effect is conveniently realized. The output of the Sigmoid function is between 0 and 1, and conforms to the physical definition of gating, and when the input is larger or smaller, the output of the Sigmoid function is very close to 1 or 0, so that the gate is ensured to be opened or closed. In generating the candidate memory, the Tanh function is used because its output is between-1 and 1, consistent with the feature distribution being 0 centers in most scenes. Furthermore, the Tanh function has a larger gradient around an input of 0 than the Sigmoid function, generally causing the model to converge faster.
In one embodiment, the detailed implementation of step S40 of the present application is described below.
Training the LSTM model based on the tensoflow framework, partial results are shown in fig. 5:
as can be seen from fig. 5, the light color line is the actual flow packet size, the dark color line is the LSTM prediction result, the root mean square error is 9.2157, the flow baseline can be set to be the predicted flow packet size ± 10 at each time, the flow baseline range at each time can be set to be different, the accuracy of the network flow abnormal value alarm is greatly improved, the false alarm rate is reduced, and thus a basis is provided for more accurately detecting the industrial control security threat behavior.
The beneficial technical effect of this application:
1) the method provided by the invention can set the flow baseline range of each moment by obtaining the optimal value of the network flow prediction of the same time period in the next time period through deep learning of the LSTM algorithm, thereby greatly improving the accuracy of the detection of the abnormal value of the network flow.
2) The time period of the LSTM model training can be set in an online iteration mode, namely the longer the period of the online acquired traffic packet is, the higher the accuracy of the baseline is.
3) The network flow baseline can realize end-to-end flow abnormal value alarm.
It should be understood that, although the steps in the flowchart of fig. 1 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a portion of the steps in fig. 1 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performing the sub-steps or stages is not necessarily sequential, but may be performed alternately or supplementarily with other steps or at least a portion of the sub-steps or stages of other steps.
As shown in fig. 6, the present application further provides an industrial control network traffic prediction apparatus based on deep learning, where the apparatus includes:
a first obtaining module 100, configured to obtain historical traffic packet data in a preset time period;
the model determining module 200 is configured to train according to the historical traffic packet data in the preset time period and a pre-established model to obtain a traffic prediction model;
a second obtaining module 300, configured to obtain a time to be predicted;
and the flow prediction module 400 is configured to input the time to be predicted into the flow prediction model to obtain a flow prediction value at the time to be predicted.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 7. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data required by the computer program. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an information decoupling method.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is a block diagram of only a portion of the architecture associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, a computer device is provided, comprising a memory in which a computer program is stored and a processor which, when executing the computer program, carries out the steps as described in the above method.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by the relevant hardware instructed by a computer program stored in a non-volatile computer-readable storage medium, and the computer program can include the processes of the embodiments of the methods described above when executed. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, however, as long as there is no contradiction between the combinations of the technical features, the scope of the present description should be considered as being described in the present specification.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the protection scope of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (9)
1. An industrial control network flow prediction method based on deep learning is characterized by comprising the following steps:
acquiring historical flow packet data in a preset time period;
training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model;
acquiring a time to be predicted;
and inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted.
2. The industrial control network traffic prediction method based on deep learning of claim 1, wherein the obtaining of the historical traffic packet data within a preset time period comprises:
collecting PCAP flow packets of a plurality of network devices according to a preset frequency;
counting the PCAP traffic packets of the plurality of network devices, and determining the total traffic packet number of a fixed time interval in the PCAP packets;
and determining historical flow packet data in a preset time period according to the total flow packet and a preset flow baseline.
3. The industrial control network traffic prediction method based on deep learning of claim 2, wherein the determining historical traffic packet data in a preset time period according to a total traffic packet number and a preset traffic baseline at fixed time intervals in the PCAP packet comprises:
and if the total flow packet number at a fixed time interval in the PCAP packet is less than or equal to the preset flow baseline, taking the flow data of the total flow packet as historical flow packet data in a preset time period.
4. The industrial control network traffic prediction method based on deep learning of claim 3, wherein the obtaining of the traffic prediction model according to the historical traffic packet data in the preset time period and a pre-established model comprises:
dividing the historical flow packet data in the preset time period into a training set and a verification set according to a proportion;
and determining a flow prediction model according to the training set, the verification set and a pre-established model.
5. The deep learning-based industrial control network traffic prediction method according to claim 4, wherein determining a traffic prediction model according to the training set, the validation set, and the pre-established models comprises:
training and optimizing parameters of the pre-established model by adopting the training set to obtain an initial model;
and verifying the initial model by using the verification set to obtain a flow prediction model.
6. The deep learning-based industrial control network traffic prediction method according to claim 5, wherein the pre-established model is an LSTM model based on a tensoflow framework.
7. An industrial control network traffic prediction device based on deep learning, which is characterized by comprising:
the first acquisition module is used for acquiring historical flow packet data in a preset time period;
the model determining module is used for training according to the historical flow packet data in the preset time period and a pre-established model to obtain a flow prediction model;
the second acquisition module is used for acquiring the time to be predicted;
and the flow prediction module is used for inputting the time to be predicted into the flow prediction model to obtain a flow prediction value of the time to be predicted.
8. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010219936.9A CN112073255B (en) | 2020-03-25 | 2020-03-25 | Industrial control network flow prediction method and device based on deep learning |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010219936.9A CN112073255B (en) | 2020-03-25 | 2020-03-25 | Industrial control network flow prediction method and device based on deep learning |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112073255A true CN112073255A (en) | 2020-12-11 |
| CN112073255B CN112073255B (en) | 2021-07-20 |
Family
ID=73658637
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010219936.9A Active CN112073255B (en) | 2020-03-25 | 2020-03-25 | Industrial control network flow prediction method and device based on deep learning |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112073255B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112910728A (en) * | 2021-01-22 | 2021-06-04 | 苏州浪潮智能科技有限公司 | Data security monitoring method and device |
| CN112966261A (en) * | 2021-03-08 | 2021-06-15 | 中电积至(海南)信息技术有限公司 | Lightweight scalable network traffic feature extraction tool and method |
| CN114285775A (en) * | 2021-12-10 | 2022-04-05 | 电子科技大学中山学院 | Network flow prediction method and device, computer equipment and storage medium |
| CN114401205A (en) * | 2022-01-21 | 2022-04-26 | 中国人民解放军国防科技大学 | Non-annotation multi-source network flow data drift detection method and device |
| CN114615021A (en) * | 2022-02-16 | 2022-06-10 | 奇安信科技集团股份有限公司 | Real-time behavior safety baseline automatic calculation method and device for safety analysis |
| CN115002042A (en) * | 2022-05-25 | 2022-09-02 | 中国平安财产保险股份有限公司 | Special line flow management and control method and device based on machine learning and computer equipment |
| CN115150248A (en) * | 2021-03-16 | 2022-10-04 | 中国移动通信集团江苏有限公司 | Network flow abnormity detection method and device, electronic equipment and storage medium |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105340311A (en) * | 2014-06-05 | 2016-02-17 | 华为技术有限公司 | Network device, apparatus and method for network traffic prediction |
| CN108234496A (en) * | 2018-01-05 | 2018-06-29 | 宝牧科技(天津)有限公司 | A kind of method for predicting based on neural network |
| CN109816095A (en) * | 2019-01-14 | 2019-05-28 | 湖南大学 | Based on the network flow prediction method for improving gating cycle neural network |
| CN109873712A (en) * | 2018-05-18 | 2019-06-11 | 新华三信息安全技术有限公司 | A kind of network flow prediction method and device |
| KR102021992B1 (en) * | 2018-08-21 | 2019-09-18 | 한국과학기술정보연구원 | Apparatus for controling a trafic signal, method for controling a trafic signal, and recoding medium for controling a tarfic signal |
| CN110474878A (en) * | 2019-07-17 | 2019-11-19 | 海南大学 | Ddos attack situation method for early warning and server based on dynamic threshold |
| CN110650124A (en) * | 2019-09-05 | 2020-01-03 | 长沙理工大学 | Network flow abnormity detection method based on multilayer echo state network |
| US20200042799A1 (en) * | 2018-07-31 | 2020-02-06 | Didi Research America, Llc | System and method for point-to-point traffic prediction |
| CN110851782A (en) * | 2019-11-12 | 2020-02-28 | 南京邮电大学 | Network flow prediction method based on lightweight spatiotemporal deep learning model |
| CN110855519A (en) * | 2019-11-07 | 2020-02-28 | 深圳市高德信通信股份有限公司 | Network flow prediction method |
| CN110858973A (en) * | 2018-08-23 | 2020-03-03 | 中国移动通信集团山东有限公司 | Method and device for predicting network traffic of cell |
-
2020
- 2020-03-25 CN CN202010219936.9A patent/CN112073255B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105340311A (en) * | 2014-06-05 | 2016-02-17 | 华为技术有限公司 | Network device, apparatus and method for network traffic prediction |
| CN108234496A (en) * | 2018-01-05 | 2018-06-29 | 宝牧科技(天津)有限公司 | A kind of method for predicting based on neural network |
| CN109873712A (en) * | 2018-05-18 | 2019-06-11 | 新华三信息安全技术有限公司 | A kind of network flow prediction method and device |
| US20200042799A1 (en) * | 2018-07-31 | 2020-02-06 | Didi Research America, Llc | System and method for point-to-point traffic prediction |
| KR102021992B1 (en) * | 2018-08-21 | 2019-09-18 | 한국과학기술정보연구원 | Apparatus for controling a trafic signal, method for controling a trafic signal, and recoding medium for controling a tarfic signal |
| CN110858973A (en) * | 2018-08-23 | 2020-03-03 | 中国移动通信集团山东有限公司 | Method and device for predicting network traffic of cell |
| CN109816095A (en) * | 2019-01-14 | 2019-05-28 | 湖南大学 | Based on the network flow prediction method for improving gating cycle neural network |
| CN110474878A (en) * | 2019-07-17 | 2019-11-19 | 海南大学 | Ddos attack situation method for early warning and server based on dynamic threshold |
| CN110650124A (en) * | 2019-09-05 | 2020-01-03 | 长沙理工大学 | Network flow abnormity detection method based on multilayer echo state network |
| CN110855519A (en) * | 2019-11-07 | 2020-02-28 | 深圳市高德信通信股份有限公司 | Network flow prediction method |
| CN110851782A (en) * | 2019-11-12 | 2020-02-28 | 南京邮电大学 | Network flow prediction method based on lightweight spatiotemporal deep learning model |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112910728A (en) * | 2021-01-22 | 2021-06-04 | 苏州浪潮智能科技有限公司 | Data security monitoring method and device |
| CN112966261A (en) * | 2021-03-08 | 2021-06-15 | 中电积至(海南)信息技术有限公司 | Lightweight scalable network traffic feature extraction tool and method |
| CN115150248A (en) * | 2021-03-16 | 2022-10-04 | 中国移动通信集团江苏有限公司 | Network flow abnormity detection method and device, electronic equipment and storage medium |
| CN115150248B (en) * | 2021-03-16 | 2023-09-19 | 中国移动通信集团江苏有限公司 | Network traffic abnormality detection method, device, electronic equipment and storage medium |
| CN114285775A (en) * | 2021-12-10 | 2022-04-05 | 电子科技大学中山学院 | Network flow prediction method and device, computer equipment and storage medium |
| CN114401205A (en) * | 2022-01-21 | 2022-04-26 | 中国人民解放军国防科技大学 | Non-annotation multi-source network flow data drift detection method and device |
| CN114401205B (en) * | 2022-01-21 | 2024-01-16 | 中国人民解放军国防科技大学 | Method and device for detecting drift of unmarked multi-source network flow data |
| CN114615021A (en) * | 2022-02-16 | 2022-06-10 | 奇安信科技集团股份有限公司 | Real-time behavior safety baseline automatic calculation method and device for safety analysis |
| CN115002042A (en) * | 2022-05-25 | 2022-09-02 | 中国平安财产保险股份有限公司 | Special line flow management and control method and device based on machine learning and computer equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112073255B (en) | 2021-07-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112073255B (en) | Industrial control network flow prediction method and device based on deep learning | |
| US11927949B2 (en) | Method for anomaly classification of industrial control system communication network | |
| Xiao et al. | A dual‐stage attention‐based Conv‐LSTM network for spatio‐temporal correlation and multivariate time series prediction | |
| Yuan et al. | Insider threat detection with deep neural network | |
| CN111585948B (en) | Intelligent network security situation prediction method based on power grid big data | |
| CN112165485A (en) | Intelligent prediction method for large-scale network security situation | |
| Tufail et al. | False data injection impact analysis in ai-based smart grid | |
| CN112433518A (en) | Industrial control system intrusion detection method based on recurrent neural network | |
| Ruan et al. | Deep learning-based fault prediction in wireless sensor network embedded cyber-physical systems for industrial processes | |
| Zhu et al. | Long Short Term Memory Networks Based Anomaly Detection for KPIs. | |
| Ali et al. | ICS-IDS: application of big data analysis in AI-based intrusion detection systems to identify cyberattacks in ICS networks | |
| Yang et al. | Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems | |
| Fan et al. | Fast model update for iot traffic anomaly detection with machine unlearning | |
| Choukri et al. | Abnormal network traffic detection using deep learning models in iot environment | |
| CN110166422A (en) | Domain name Activity recognition method, apparatus, readable storage medium storing program for executing and computer equipment | |
| Gao et al. | The prediction role of hidden markov model in intrusion detection | |
| Wang et al. | An efficient intrusion detection model combined bidirectional gated recurrent units with attention mechanism | |
| CN112232557B (en) | Short-term prediction method for health degree of switch machine based on long-short-term memory network | |
| Wan et al. | State-based control feature extraction for effective anomaly detection in process industries | |
| Li et al. | Intrusion Detection Method for SCADA System Based on Spatio-Temporal Characteristics | |
| Fan | Machine learning and unlearning for IoT anomaly detection | |
| Zhang et al. | Intrusion Detection Method for Industrial Control System Based on Parallel CNN-LSTM Neural Network Improved by Self-Attention | |
| CN118429145B (en) | Multi-dimensional project data dynamic processing method and system | |
| Reddy et al. | An intelligent security framework for cyber-physical systems in smart city | |
| Liu et al. | Anomaly Detection via Graph Attention Networks-Augmented Mask Autoregressive Flow for Multivariate Time Series |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: Room 01, floor 1, building 104, No. 3 minzhuang Road, Haidian District, Beijing 100195 Patentee after: Changyang Technology (Beijing) Co.,Ltd. Address before: 100195 2nd floor, building 3, yuquanhuigu phase II, No.3 minzhuang Road, Haidian District, Beijing Patentee before: CHANGYANG TECH (BEIJING) Co.,Ltd. |
|
| CP03 | Change of name, title or address |