Dynamic Transfer Method Based on Sensitivity in Industrial Control Network Anomaly Detection

Abstract

Abstract: With the continuous improvement of the informatization of industrial control networks， industrial control networks have gradually become more open， which on the one hand provides convenience for industrial production， but also brings security risks on the other hand. As an important infrastructure， the industrial control network will cause serious damage once it is attacked. In recent years， scholars have used network anomaly detection technology to discover potential security risks in industrial control networks， and have achieved great results. However， the data in the industrial control network often lack labels， which limits the application of traditional supervised learning algorithms in the field of industrial control network security. Algorithms based on unsupervised learning can detect anomalies in scenarios of lacking labels， but there is often a problem of poor algorithm performance， while transfer learning algorithms can get a better result by migrating to the target domain with only a few labels after learning on the source domain. In order to further improve the performance of anomaly detection in industrial control networks with few labels， this paper proposes a dynamic transfer method based on sensitivity in industrial control network anomaly detection. First of all， the algorithm is based on the idea of transfer learning， which is trained in the labeled source domain and then migrated to the target domain with a small number of labels， which can detect anomalies in the industrial control network environment with only a few labels. Secondly， benefits from the memory effect of the GRU structure， the algorithm can effectively utilize the inherent time-series correlation of industrial control network data， which further improves the ability of algorithm anomaly detection. At the same time， the method of dynamic transfer of parameters based on parameter sensitivity factor in the algorithm improves the insufficiency of the traditional transfer learning fine-tuning method for the unbalanced learning of the underlying features of the source domain and target domain data. The comparative experiments on the KDD99 dataset and the Kyoto2016 dataset show that the dynamic transfer learning method based on the sensitivity factor adopted by the algorithm has a better effect than the traditional fine-tuning method. In comparison with the latest series of unsupervised and transfer learning algorithms， the algorithm outperforms the comparison methods in precision， recall， and comprehensive F1 score， achieving excellent performances of 0.97， 0.95， and 0.96.

Key words: industrial control system, network security, transfer learning, gated recurrent unit, anomaly detection

YANG Jun, WANG Jin-lin, NI Hong, SHENG Yi-qiang, . Dynamic Transfer Method Based on Sensitivity in Industrial Control Network Anomaly Detection[J]. Computer and Modernization, 2023, 0(05): 46-51.

References

［1］ KIM S， HEO G， ZIO E， et al. Cyber attack taxonomy for digital environment in nuclear power plants［J］. Nuclear Engineering and Technology， 2020，52（5）:995-1001.
［2］卢光明. 我国工控安全现状及面临的挑战［J］. 网络空间安全， 2018，9（3）:1-7.
［3］ WILSON C. Cyber Threats to Critical Information Infrastructure［M］. Springer， 2014:123-136.
［4］张晓明，王丽宏，何跃鹰，等. 工业控制系统信息安全风险分析及漏洞检测［J］. 物联网学报， 2017，1（1）:34-39.
［5］杨佳宁，陈柯宇，曹凯，等. 工业互联网安全态势感知核心技术分析［J］. 网络空间安全， 2019，10（4）:61-66.
［6］ BASS T. Intrusion detection systems and multisensor data fusion:Creating cyberspace situational awareness［J］. Communications of the ACM， 2000，43（4）:99-105.
［7］岳巍. 工控系统安全态势感知关键技术研究［D］. 杭州:浙江理工大学， 2018.
［8］尚文利，敖建松，赵剑明，等. 基于DAE的工控系统态势理解算法［J］. 小型微型计算机系统， 2020，41（6）:1231-1236.
［9］杜蛟. 工业控制系统信息安全态势感知技术研究［D］. 重庆：重庆邮电大学， 2019.
［10］郭宾，雷濛，王得奕. 工控网络态势感知数据采集的设计［J］. 自动化博览， 2019，36（S2）:110-113.
［11］闫芮铵，张立臣.基于Focal Loss和卷积神经网络的入侵检测［J］. 计算机与现代化，2021（1）:65-69.
［12］郝怡然，盛益强，王劲林，等. 基于递归神经网络的网络安全事件预测［J］. 网络新媒体技术， 2017，6（5）:54-58.
［13］ FENG C， LI T T， CHANA D. Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks［C］// Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks（DSN）. 2017:261-272.
［14］ KARANAM L， PATTANAIK K K， ALDMOUR R. Intrusion detection mechanism for large scale networks using CNN-LSTM［C］// 2020 13th International Conference on Developments in eSystems Engineering（DeSE）. 2020:323-328.
［15］ CHEN D Q， ZHANG P H， WANG H Z. Intrusion detection for industrial control systems based on an improved SVM method［J］. Journal of Tsinghua University （Science and Technology）， 2018，58（4）:380-386.
［16］孙磊. 基于随机森林的工控网络安全态势要素提取方法研究［D］. 长春：长春工业大学， 2021.
［17］ TONG W M， LIU B B， LI Z W， et al. Intrusion detection method of industrial control network based on lightGBM［C］// Proceedings of the 2021 International Conference on Communications， Information System and Computer Engineering（CISCE）. 2021:631-635.
［18］钟志琛. 基于网络流量异常检测的电网工控系统安全监测技术［J］. 电力信息与通信技术， 2017，15（1）:98-102.
［19］汪媛，陈晓. 基于t-SNE的网络攻击流量无监督聚类方法［J］. 网络新媒体技术， 2020，9（6）:26-30.
［20］郝怡然，盛益强，王劲林. 基于t-SNE降维预处理的网络流量异常检测［J］. 计算机与现代化， 2021（2）:109-116.
［21］ LIU L M， HU M D， KANG C Q， et al. Unsupervised anomaly detection for network data streams in industrial control systems［J］. Information， 2020，11（2）:105-105.
［22］邓斌涛，徐胜超. 基于动态双子种群的差分进化K中心点聚类算法［J］. 计算机与现代化， 2021（7）:54-59.
［23］李建伏，巴建军. 基于 MCMC 的 DBSCAN 改进算法［J］. 计算机工程与设计， 2020，41（1）:122-127.
［24］黄仲英，杨印根，雷震春. VAE过采样与迁移学习在网络入侵检测中的应用［J］. 计算机时代， 2021 （7）:50-54.
［25］ MASUM M， SHAHRIAR H. TL-NID:Deep neural network with transfer learning for network intrusion detection［C］// Proceedings of the 2020 15th International Conference for Internet Technology and Secured Transactions（ICITST）. 2020:1-7.
［26］肖峻，刘纯，莫易敏. 基于信息管理的工业自动化控制系统［J］. 控制工程， 2004，11（3）:232-234.
［27］黄杰. 工控网络安全浅析［J］. 网络安全技术与应用， 2021（2）:104-105.
［28］ CHO K， VAN MERRI[E]NBOER B， GULCEHRE C， et al. Learning phrase representations using RNN encoder-decoder for statistical machine translation［J］. arXiv preprint arXiv:1406.1078， 2014.
［29］ ELMAN J L. Finding structure in time［J］. Cognitive Science， 1990，14（2）:179-211.
［30］ HOCHREITER S， SCHMIDHUBER J. Long short-term memory［J］. Neural Computation， 1997，9（8）:1735-80.
［31］ DIMOPOULOS Y， BOURRET P， LEK S. Use of some sensitivity criteria for choosing networks with good generalization ability［J］. Neural Processing Letters， 1995，2（6）:1-4.
［32］ STOLFO S. KDD Cup 1999 Dataset［EB/OL］.（2005-09-09）［2022-06-28］. http://kdd.ics.uci.edu.
［33］ SONG J， TAKAKURA H， OKABE Y. Description of Kyoto University Benchmark Data［EB/OL］. （2016-03-15）［2022-
06-28］. http://www.takakura.com/Kyoto_data/ Benchmark
Data-Description-v5.pdf.

[1]	LYU Meijing1, NIAN Mei1, ZHANG Jun1, 2, FU Lusen1. Anomaly Detection of Network Traffic Based on Autoencoder [J]. Computer and Modernization, 2024, 0(12): 40-44.
[2]	LIU Xing1, 2, GUO Liang1, 2, WANG Zhengqi1, 2, WEI Xiaogang1, 2, XU Xuefei1, 2, LIU Jing3. Q-learning-based Algorithm for Orchestrating Security Service Function Chain [J]. Computer and Modernization, 2024, 0(11): 34-40.
[3]	ZHANG Huinan1, ZHANG Qiang1, SUN Hongxia2. Dynamic Analysis Model of Reservoir Production Based on Improved#br# Time-series Capsule Network [J]. Computer and Modernization, 2024, 0(09): 15-19.
[4]	XUE Hao, MA Jing, GUO Xiaoyu. Water Supply Pipeline Burr Data Detection Based on Improved LightGBM by Focal Loss [J]. Computer and Modernization, 2024, 0(09): 74-81.
[5]	MA Yong, WANG Jun, ZHANG Zijian, ZHAO Yuyang, ZHANG Jing, ZHOU Ming. Improved YOLOv8 Behavior Detection Algorithm for Intelligent Operation and#br# Maintenance System [J]. Computer and Modernization, 2024, 0(08): 43-48.
[6]	HU Mei-chen1, 2, LIU Dun-long1, 2, SANG Xue-jia1, 2, ZHANG Shao-jie3, CHEN Qiao4. Intelligent Identification Method of Debris Flow Scene Based on Camera Video Surveillance [J]. Computer and Modernization, 2024, 0(03): 41-46.
[7]	WANG Hong-jie, XU Sheng-chao, YANG Bo, MAO Ming-yang, JIANG Jin-ling. Automatic Arrangement Method of Cloud Network Security Service Chain Based on SRv6 Technology [J]. Computer and Modernization, 2024, 0(01): 1-5.
[8]	HU Chong-jia, LIU Jin-zhou, FANG Li. Unsupervised Domain Adaptation for Outdoor Point Cloud Semantic Segmentation [J]. Computer and Modernization, 2024, 0(01): 74-79.
[9]	HAN Dong-song, SHA Le-tian, ZHAO Chuang-ye. Worm and Agent-based Attack Modeling for Industrial Control Systems [J]. Computer and Modernization, 2023, 0(10): 107-114.
[10]	NONG Hao-cheng, REN De-jun, REN Qiu-lin, LIU Peng-li, HUANG De-cheng. Surface Anomaly Detection Algorithm of Flexible Plastic Packaging Based on Improved ConvNeXt [J]. Computer and Modernization, 2023, 0(08): 12-17.
[11]	ZHANG Zhi-xia, XIE Bao-qiang. Natural Gas Load Forecasting Based on FCGA-LSTM and Transfer Learning [J]. Computer and Modernization, 2023, 0(07): 7-12.
[12]	MO Yan, TANG Rong-chuan, JU Hao, SUN Shao-fei, WANG An. Commercial Cryptographic Upgrade for Industrial Internet Platform [J]. Computer and Modernization, 2023, 0(06): 118-126.
[13]	CHEN Xiao-wen, SHI Hui. A Digital Watermarking Detection Model Based on DWT-SVD and Transfer Learning [J]. Computer and Modernization, 2023, 0(04): 111-117.
[14]	MAO Ming-yang, XU Sheng-chao. A New Active Defense Model for Complex Network Security [J]. Computer and Modernization, 2023, 0(04): 118-122.
[15]	PAN Yu-qing, ZHANG Su-ning, FENG Ren-jun, JING Dong-sheng. Intrusion Detection Method Based on Particle Swarm Optimization Combined with LightGBM [J]. Computer and Modernization, 2023, 0(04): 123-126.