Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model

Abstract

Proposed is an anomaly detection method for communication behaviors in an industrial control system based on an OCSVM algorithm. According to the present invention, a normal behavior profile model and an abnormal behavior profile model, i.e. a dual-outline model, of communication behaviors in an industrial control system are established, parameter optimization is performed by means of a particle swarm optimization (PSO) algorithm, an optimal intrusion detection model is obtained, and abnormal Modbus TCP communication traffic is identified. According to the present invention, the false alarm rate is reduced by means of cooperative discrimination of the dual-outline detection model, the efficiency and reliability of anomaly detection are improved, and the method is more applicable to practical applications.

Claims

1. A Modbus TCP communication behaviour anomaly detection method, comprising the following steps: feature extraction, wherein: Modbus TCP normal communication traffic and abnormal communication traffic collected in a system is converted into two respective sequences which each comprise Modbus function codes; data preprocessing, wherein: a length r of short sequences is set; the two sequences of the Modbus function codes are cyclically processed respectively with a sliding window with the length of r; the two sequences of the Modbus function codes are each respectively converted into a plurality of short sequences with the length of r; in each plurality of short sequences, repeated short sequences are eliminated to obtain a set of short sequences arranged according to an appearance order for constructing, respectively, a one-class support vector machine (OCSVM) normal communication feature vector and an OCSVM abnormal communication feature vector; modeling, wherein: a libsvm toolkit is invoked for generating a positive profile OCSVM model and a negative profile OCSVM model from, respectively, the OCSVM normal communication feature vector and the OCSVM abnormal communication feature vector; particle swarm optimization (PSO) optimization, wherein: parameter optimization is performed on the positive profile OCSVM model and the negative profile OCSVM model respectively: initialized particles are transmitted to the positive profile OCSVM model/the negative profile OCSVM model as an OCSVM inherent parameter and a gauss radial base parameter g; classification accuracy rates returned by the positive profile OCSVM model/the negative profile OCSVM model under the significance of cross verification are used as fitness values in a PSO model; and accordingly, iterative update is performed on a particle swarm; dual-outline OCSVM anomaly detection, wherein: the positive profile OCSVM model and the negative profile OCSVM model are updated with an optimal OCSVM inherent parameter and the gauss radial base parameter g respectively so as to perform anomaly detection, and the classification accuracy rates under the significance of cross verification are returned respectively; and cooperative discrimination rule of dual one-class support vector machines, wherein: Modbus TCP communication traffic collected in the system is assessed relative to both the positive profile OCSVM model and the negative profile OCSVM model; communication traffic that satisfies the positive profile OCSVM model is deemed normal, and communication traffic that does not satisfy the positive profile OCSVM model is deemed abnormal; communication traffic that satisfies the negative profile OCSVM model is deemed abnormal, and communication traffic that does not satisfy the negative profile OCSVM model is deemed normal; if a judgment result of the positive profile OCSVM model is normal and a judgment result of the negative profile OCSVM model is normal, a final result is normal; if a judgment result of the positive profile OCSVM model is abnormal and a judgment result of the negative profile OCSVM model is abnormal, a final result is abnormal; under the condition that two judgment results are inconsistent, if a false alarm rate needs to be inhibited, the judgment result is normal, and if a missed alarm rate needs to be inhibited, the judgment result is abnormal.

2. The Modbus TCP communication behaviour anomaly detection method according to claim 1, wherein: the method further comprises the following steps: data collection, wherein: normal Modbus TCP communication traffic data packets in the network are captured by wireshark packet capturing software; when the system is attacked by viruses, abnormal Modbus TCP communication traffic data packets in the network are captured by the wireshark packet capturing software; and said feature extraction further comprises: data packets, not containing the Modbus function codes, of the normal data packets and the abnormal data packets respectively, are separated from the data packet information to obtain communication traffic at a Modbus TCP client and a Modbus TCP server; the Modbus function codes are separated from the remaining data packet information; and the Modbus function codes are arranged according to a time order.

3. The Modbus TCP communication behaviour anomaly detection method according to claim 1, wherein said data preprocessing further comprises: normalization processing is performed on the OCSVM feature vectors, allowing each element in the vectors to belong to the same order of magnitude.

4. The Modbus TCP communication behaviour anomaly detection method according to claim 1, wherein said PSO optimization further comprises: maximum iteration times k.sub.max of a PSO algorithm under the condition that an end condition is always not satisfied, and limiting ranges for particle speed and locations are set; swarms are randomly generated and parameter initialization is performed on the PSO algorithm according to the positive profile OCSVM model and the negative profile OCSVM model respectively, wherein each particle comprises an inherent parameter of the one-class support vector machine and a gauss kernel function parameter g; and an initialization speed vector and a location vector are set for each particle; OCSVM training is performed on the particles which act as the inherent parameter of the one-class support vector machine and the kernel parameter g of the gauss kernel function; the returned classification accuracy rates under the significance of cross verification are used as the fitness values of the particles; individual extremums and swarm extremums are continuously updated, with individual or swarm fitness values updated when a corresponding better fitness value appears; whether an iteration exiting condition is satisfied is judged: if the maximum iteration times are exceeded or a set threshold is not exceeded after N times of continuous changes of the fitness values, the iteration process is exited; then the swarm extremum is a required optimal parameter; and the N is a set maximum continuous limiting value; the particle swarm is updated according to particle location and speed update formulas; meanwhile, whether different dimensions of all the particles are within allowed limits is inspected; and if the different dimensions exceed the allowed limits, the different dimensions are limited within a pre-set range section.

5. The Modbus TCP communication behaviour anomaly detection method according to claim 1, wherein said dual-outline OCSVM anomaly detection respectively executes the following steps on the positive profile OCSVM model and the negative profile OCSVM model: a particle transmitted in a PSO parameter optimization flow is accepted; two components of the particle are respectively set as the inherent parameter of the one-class support vector machine and the gauss kernel function parameter g; a set of the normal and abnormal Modbus TCP communication traffic data packets is acquired; +1 category labels are given to normal traffic data; and 1 category labels are given to abnormal traffic data; a one-class support vector machine model for solving dual problems is constructed; a decision function is constructed; the classification accuracy rates under the significance of cross verification are calculated according to the decision function and the category labels; the classification accuracy rates are returned to the PSO flow and are used as the particle fitness for calculating the value of the function Fit(i).

6. The Modbus TCP communication behaviour anomaly detection method according to claim 5, wherein said support vector machine model for solving dual problems is constructed such that: $\min_{_{i}} L_{D} = \frac{1}{2} {.Math.}_{i = 1}^{l} {.Math.}_{j = 1}^{l}_{i}_{j} K (x_{i}, x_{j})$ wherein =(.sub.1, .sub.2, . . . , .sub.n) indicates a lagrangian operator, and K(x.sub.i,x.sub.j) indicates a gauss kernel function to obtain the solution *=(.sub.1*, .sub.2*, . . . , .sub.n*).

7. The Modbus TCP communication behaviour anomaly detection method according to claim 5, wherein said decision function is: $f (x) = sgn ({.Math.}_{i = 1}^{l} * K (x_{i}, x_{j}) -^{*})$ $^{*} = {.Math.}_{i = 1}^{l} * K (x_{i}, x_{j})$ wherein * is a compensation value of a terminal decision function of the one-class support vector machine, sgn( ) indicates a sign function and K(x.sub.i,x.sub.j) indicates a gauss kernel function.

8. The Modbus TCP communication behaviour anomaly detection method according to claim 5, wherein said classification accuracy rates under the significance of cross verification are calculated by a 5-fold verification mode, specifically: training sets are equally divided into five parts; 4 parts are used for training the anomaly detection model every time; and the remaining part is used as a test set for verifying a detection effect.

Description

DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a data unit structure of a Modbus TCP application layer;

(2) FIG. 2 is an overall frame diagram of Modbus TCP communication traffic anomaly detection based on an OCSVM dual-outline model;

(3) FIG. 3 is a modeling flow of a PSO-OCSVM anomaly detection model;

(4) FIG. 4 is a dual-outline OCSVM anomaly detection model.

DETAILED DESCRIPTION

(5) The present invention will be further described in details below in combination with the drawings and the embodiments.

(6) As shown in FIG. 2 and FIG. 3, the communication behaviour anomaly detection method based on OCSVM comprises:

(7) a. Data collection part, as shown in FIG. 1 1 A simulation experimental environment platform is established, so that the system is in a normal operation state; the traffic data packets are captured with wireshark; and at this moment, the captured data packets are normal communication traffic data. 2 A U disk with viruses is inserted into a computer; at this moment, the system is invaded by the viruses; the traffic data packets are captured with wireshark; and at this moment, the captured data packets are abnormal communication traffic data. 3 The captured communication traffic data is respectively stored in different files, and feature extraction is performed on the data respectively.

(8) b. Feature extraction and preprocessing part 1 A Modbus TCP message format extends some data structures on the basis of reserving all Modbus functions. The Modbus TCP message format mainly comprises three parts: MBAP message headers, Modbus function codes and data. When the client transmits a message to the server device, the field of the function codes is the only data of the server for distinguishing read operation, write operation, data types and data categories. Therefore, the Modbus function codes are used as the feature vectors. 2 The traffic data packets, not containing the Modbus function codes, of the captured data packets are firstly eliminated; and then redundant and unimportant features are eliminated and only a set of effective key features and the Modbus function codes are reserved. 3 The acquired sequences of the Modbus function codes are randomly partitioned into different lengths of short sequences of the Modbus function codes and are given labels, wherein the sequences of the Modbus function codes of normal traffic data packets are labeled as +1 and the sequences of the Modbus function codes of abnormal traffic data packets are labeled as 1. 4 The length r of short sequences is set as needed; samples of the Modbus function codes are cyclically processed with a sliding window with the length of r; and repeated sequences are eliminated to obtain a set of the short sequences. 5 In any sequence of the Modbus function codes, OCSVM feature vectors are constructed according to the appearance frequency of the short sequences in each mode.

(9) c. PSO flow 1 Maximum iteration times k.sub.max of a PSO algorithm under the condition that an end condition is always not satisfied are set; 2 Locations X=(X.sub.1, X.sub.2, . . . , X.sub.N) and speed V=(V.sub.1, V.sub.2, . . . , V.sub.N) the particles are randomly generated in a D-dimensional problem space, and N is the number of the particles, wherein X.sub.i=(x.sub.ig,x.sub.i) indicates that the i.sub.th particle is formed by two components which respectively represent the locations of the OCSVM parameter and the radial basic kernel function parameter g; and the limiting ranges of the two components are set as [X.sub.g min, X.sub.g max] and [X.sub.min, X.sub.max]; 3 The particle fitness Fit(i) is calculated. The particle fitness values Fit(i) are selected from the classification accuracy rates under the significance of cross verification detected by the sequences of the Modbus function codes based on OCSVM using x.sub.ig and x.sub.iv as parameters. 4 The individual extremums and the swarm extremums are updated according to the fitness values. If the fitness value Fit(X.sub.i.sup.k+1)>Fit(X.sub.i.sup.k), then P.sup.k=X.sup.k+1, otherwise, P.sup.k=X.sup.k. If j exists to cause Fit(X.sub.j.sup.k)>Fit(X.sub.i.sup.k) and Fit(X.sub.j.sup.k)>Fit(G.sup.k), then G.sub.j.sup.k+1=X.sub.j.sup.k, otherwise, G.sub.j.sup.k+1=G.sub.j.sup.k. 5 Whether the iteration exiting condition is satisfied is judged. If the maximum iteration times are exceeded or 0.01% is not exceeded after 50 times of continuous changes of the fitness values, the iteration process is exited; then the swarm extremum is a required optimal parameter. 6 Update is performed according to the particle speed and location update formulas. After each round of update is ended, each dimension of the locations is determined whether to be limited within a specified range; the component beyond the range needs to be limited within the range; for example, x.sub.ig<x.sub.g min, then set x.sub.ig=x.sub.g min, and if x.sub.ig>x.sub.g max, the x.sub.ig=x.sub.g max. The speed and the locations are updated according to the following two formulas:
V.sup.k+1=V.sup.k+c.sub.1r.sub.1(P.sup.kX.sup.k)+c.sub.2r.sub.2(G.sup.kX.sup.k)
X.sup.k+1=X.sup.k+V.sup.k+1

(10) In the above formulas, the first part is the current speed of the particle, and reflects the influence of the current speed of the particle on the next-iteration speed; the second part reflects the cognitive capability of a single particle, for mainly controlling the global search capability of the particle, so as to avoid bringing local optimum; and the third part reflects the social cognition capability of the whole particle swarm, indicates the mutual information influence among the particles, and is beneficial to enhancing the global search capability of the particle, wherein c.sub.1 and c.sub.2 are learning factors, and acceleration factors r.sub.1 and r.sub.2 are random numbers in [0, 1].

(11) d. OCSVM dual-outline anomaly detection model:

(12) A training flow of a positive profile one-class support vector machine:

(13) 1. The data packets are captured from the industrial control systems, and a new normal training sample is acquired from a preprocessing unit.

(14) 2. The inherent parameter of the one-class support vector machine and the gauss kernel function parameter g, which are transmitted in the PSO parameter optimization flow, are accepted.

(15) 3. A one-class support vector machine model for solving dual problems is constructed:

(16) $\min_{a_{i}} L_{D} = \frac{1}{2} {.Math.}_{i = 1}^{l} {.Math.}_{j = 1}^{l} a_{i} a_{j} K (x_{i}, x_{j})$

(17) wherein =(.sub.1, .sub.2, . . . , .sub.n) indicates a lagrangian operator, and K(x.sub.i,x.sub.j) indicates a gauss radial basic kernel function to obtain the solution *=(.sub.1*, .sub.2*, . . . , .sub.n*).

(18) 4 A decision function is constructed:

(19) $^{*} = {.Math.}_{i = 1}^{l} a * K (x_{i}, x_{j})$ $f (x) = sgn ({.Math.}_{i = 1}^{l} a * K (x_{i}, x_{j}) -^{*})$

(20) wherein * is a compensation value of the one-class support vector machine, and sgn( ) indicates a sign function.

(21) 5 The classification accuracy rates are returned to the PSO parameter optimization flow and are used as the particle fitness for calculating the value of the function Fit(i).

(22) The training flow of the negative profile one-class support vector machine is similar to that of the positive profile one-class support vector machine, but the data packets are captured from the industrial control systems and an abnormal sample is acquired from the preprocessing unit for performing training.

(23) e. Design of the cooperative discriminating rules of the OCSVM dual-outline model:

(24) As shown in FIG. 4, when the OCSVM dual-outline model performs decision judgment on a test sample, the following rules are followed:

(25) The test sample is detected through the positive profile model and the negative profile model respectively, and two models make a judgment respectively:

(26) 1 If the judgment results of the positive profile model and the negative profile model are normal, a final result is normal; this sample is normal data traffic and is allowed to pass by the system.

(27) 2 If the judgment results of the positive profile model and the negative profile model are abnormal, a final result is abnormal; this sample is abnormal data traffic and the system gives an alarm.

(28) 3 Under the condition that the judgment results of the positive profile model and the negative profile model are inconsistent, if the system needs to inhibit a false alarm rate, the judgment result is normal, and if the system needs to inhibit a missed alarm rate, the judgment result is abnormal.

Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model

Assignee

Inventors

Cpc classification

Classification Explorer

G05B19/4185

PHYSICS

Classification Explorer

H04L2012/40228

ELECTRICITY

Classification Explorer

H04L12/40

ELECTRICITY

Classification Explorer

H04L9/40

ELECTRICITY

Classification Explorer

H04L12/40039

ELECTRICITY

Classification Explorer

H04L63/1425

ELECTRICITY

International classification

Classification Explorer

H04L29/06

ELECTRICITY

Classification Explorer

G05B19/418

PHYSICS

Classification Explorer

H04L12/40

ELECTRICITY

Abstract

Claims

Description