CN113779045A

Movatterモバイル変換

Info

Publication number: CN113779045A
Application number: CN202111337679.XA
Authority: CN
Inventors: 丁醒醒; 孙鹏程; 刘萱; 李瑞群; 王潇茵; 杜婉茹
Original assignee: Aerospace Hongkang Intelligent Technology Beijing Co ltd
Current assignee: Aerospace Hongkang Intelligent Technology Beijing Co ltd
Priority date: 2021-11-12
Filing date: 2021-11-12
Publication date: 2021-12-10
Anticipated expiration: 2041-11-12
Also published as: CN113779045B

Abstract

The training method and the training device of the industrial control protocol data anomaly detection model are disclosed, the industrial control protocol data anomaly detection model comprises a combined coding module, a pre-training model and a self-coding network, and the training method comprises the following steps: acquiring an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal; binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and converting the combined code into an index value so as to obtain an index sequence; converting the index sequence into a first feature vector sequence based on the pre-training model; and based on the self-coding network, converting the first characteristic vector sequence into a second characteristic vector sequence and performing loss calculation, thereby training the industrial control protocol data anomaly detection model. The training method can enable the trained model to accurately identify the abnormality of the industrial control protocol data under the condition of no label.

Description

Training method and training device for industrial control protocol data anomaly detection model

Technical Field

The present disclosure relates generally to the field of data anomaly detection technology, and more particularly, to a training method and a training apparatus for an industrial control protocol data anomaly detection model.

Background

The industrial control protocol has the characteristics of semi-open and semi-transparent, but many industrial control protocols do not fully consider the communication safety problem at the beginning of design, so that various abnormal messages cause the abnormality of master equipment or slave equipment, and a plurality of potential safety hazards exist.

Anomaly detection (or outlier detection) is the identification of rare events from events or observations that are suspected to be anomalous due to significant differences from most data. At present, no matter credit card fraud, spam fraud and other aspects of telecommunication fraud, network attack and the like exist security risks, but in industrial control protocol data flow, more special security threats face, because in the uninterrupted operation of an industrial control system, protective measures such as updating systems, patches and the like are difficult to achieve in real time. In consideration of the fact that abnormal data can be removed from data in abnormal detection, the influence of noise of the data on normal data is reduced, and therefore, the method has practical special significance in data safety aspect when the abnormal detection is carried out on industrial control protocol data.

The existing anomaly detection technology carries out anomaly detection on communication protocols, behavior data, network data, system states and the like in a data analysis mode, and also carries out anomaly detection based on a machine learning classification model, a clustering model and the like, and the models usually need data with anomaly labels, namely, whether the training data are anomalous or not needs to be added manually for supervision training. However, the difficulty of manually labeling tens of millions of pieces of data is enormous, and it also takes a lot of time to manually analyze the labeled data in large quantities.

Disclosure of Invention

The invention provides a training method and a training device for an industrial control protocol data anomaly detection model based on a new combined coding mode, so that the trained model can accurately identify the anomaly of the industrial control protocol data under the condition of no label.

In one general aspect, there is provided a training method for an industrial control protocol data anomaly detection model, where the industrial control protocol data anomaly detection model includes a combinatorial coding module, a pre-training model, and a self-coding network, and the training method includes: acquiring an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal; binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and converting the combined code into an index value so as to obtain an index sequence; converting the index sequence into a first feature vector sequence based on the pre-training model; and based on the self-coding network, converting the first characteristic vector sequence into a second characteristic vector sequence and performing loss calculation, thereby training the industrial control protocol data anomaly detection model.

Optionally, the industrial control protocol data stream includes a first number of hexadecimal numbers, and the index sequence includes a second number of index values, where the first number is 2 times the second number.

Optionally, the step of binding every two adjacent hexadecimal numbers in the industrial control protocol data stream to a combined code based on the combined coding module, and converting the combined code into an index value, so as to obtain an index sequence includes: binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code to obtain a sample sequence, wherein the sample sequence comprises a second number of combined codes; converting the sample sequence into an index sequence by converting the combined codes in the sample sequence into index values based on a preset index dictionary library, wherein each index value in the index dictionary library corresponds to one combined code.

Optionally, the index dictionary database includes 256 index values and corresponding relations of the combined codes.

Optionally, the step of converting the index sequence into a first feature vector sequence based on the pre-training model includes: converting the index sequence into a first feature vector sequence by converting the index values in the index sequence into feature vectors based on the pre-training model, wherein each index value is converted into a feature vector with preset dimensionality, and the first feature vector sequence comprises a second quantity of feature vectors.

Optionally, the step of converting the first feature vector sequence into a second feature vector sequence based on the self-coding network and performing loss calculation, so as to train the industrial control protocol data anomaly detection model includes: based on the self-coding network, performing dimensionality reduction compression and decoding reduction on each feature vector in the first feature vector sequence to obtain a second feature vector sequence, wherein the second feature vector sequence comprises a second number of feature vectors with preset dimensionality; and performing loss calculation on the industrial control protocol data anomaly detection model based on the first characteristic vector sequence and the second characteristic vector sequence.

Optionally, the self-coding network includes an encoder and a decoder, where the step of performing dimension reduction compression and decoding restoration on each feature vector in the first feature vector sequence based on the self-coding network to obtain a second feature vector sequence includes: performing dimension reduction compression on each feature vector in the first feature vector sequence based on the encoder; and decoding and restoring each feature vector after dimension reduction compression based on the decoder to obtain a second feature vector sequence.

Optionally, the step of converting the first feature vector sequence into a second feature vector sequence based on the self-coding network and performing loss calculation, so as to train the industrial control protocol data anomaly detection model further includes: and adjusting parameters of the pre-training model and the self-coding network based on the loss calculation result, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets the preset requirement.

In another general aspect, there is provided an anomaly detection method for industrial control protocol data, the anomaly detection method including: acquiring an industrial control protocol data stream to be detected, wherein the industrial control protocol data stream to be detected is data expressed in hexadecimal; taking the industrial control protocol data stream to be detected as input, and performing loss calculation by using the industrial control protocol data anomaly detection model obtained by the training method; and determining that the industrial control protocol data stream to be detected is an abnormal data stream based on the fact that the loss value obtained by the loss calculation is larger than a preset threshold value.

In another general aspect, there is provided a training apparatus for an industrial control protocol data anomaly detection model, the industrial control protocol data anomaly detection model including a combinatorial coding module, a pre-training model, and a self-coding network, wherein the training apparatus includes: the data acquisition unit is configured to acquire an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal; the combined coding unit is configured to bind every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and convert the combined code into an index value, so as to obtain an index sequence; a vector representation unit configured to convert the index sequence into a first feature vector sequence based on the pre-training model; and the network training unit is configured to convert the first characteristic vector sequence into a second characteristic vector sequence and perform loss calculation based on the self-coding network, so as to train the industrial control protocol data anomaly detection model.

Optionally, the combined encoding unit is configured to: binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code to obtain a sample sequence, wherein the sample sequence comprises a second number of combined codes; converting the sample sequence into an index sequence by converting the combined codes in the sample sequence into index values based on a preset index dictionary library, wherein each index value in the index dictionary library corresponds to one combined code.

Optionally, the vector representation unit is configured to: converting the index sequence into a first feature vector sequence by converting the index values in the index sequence into feature vectors based on the pre-training model, wherein each index value is converted into a feature vector with preset dimensionality, and the first feature vector sequence comprises a second quantity of feature vectors.

Optionally, the network training unit is configured to: based on the self-coding network, performing dimensionality reduction compression and decoding reduction on each feature vector in the first feature vector sequence to obtain a second feature vector sequence, wherein the second feature vector sequence comprises a second number of feature vectors with preset dimensionality; and performing loss calculation on the industrial control protocol data anomaly detection model based on the first characteristic vector sequence and the second characteristic vector sequence.

Optionally, the network training unit is configured to: performing dimension reduction compression on each feature vector in the first feature vector sequence based on the encoder; and decoding and restoring each feature vector after dimension reduction compression based on the decoder to obtain a second feature vector sequence.

Optionally, the network training unit is configured to: and adjusting parameters of the pre-training model and the self-coding network based on the loss calculation result, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets the preset requirement.

In another general aspect, there is provided a computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a training method of an industrial control protocol data anomaly detection model as described above or an anomaly detection method of industrial control protocol data as described above.

In another general aspect, there is provided a computing device, comprising: a processor; and a memory storing a computer program that, when executed by the processor, implements the method for training the industrial control protocol data anomaly detection model or the method for detecting the industrial control protocol data anomaly as described above.

According to the training method and the training device for the industrial control protocol data anomaly detection model, a new coding mode can be applied to the training of the industrial control protocol data anomaly detection model, heavy manual design participation is not needed, namely, data labels are not needed, data streams are not needed to be analyzed additionally, the trained model has good identification performance for the industrial control protocol data, and anomalies in the industrial control protocol data can be identified efficiently and accurately. In addition, according to the training method and the training device for the industrial control protocol data anomaly detection model, the anomaly detection is performed on the industrial control protocol data according to the model trained by the training device, not only can the intentional damage be effectively prevented, but also the correctness of the message data can be ensured.

Additional aspects and/or advantages of the present general inventive concept will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the general inventive concept.

Drawings

The above and other objects and features of the embodiments of the present disclosure will become more apparent from the following description taken in conjunction with the accompanying drawings illustrating embodiments, in which:

FIG. 1 is a flow diagram illustrating a method of training an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure;

FIG. 2 is an illustrative diagram showing an industrial control protocol data processing procedure in accordance with an embodiment of the disclosure;

FIG. 3 is a loss plot illustrating an industrial control protocol data anomaly detection model training process according to an embodiment of the present disclosure;

FIG. 4 is a flow chart illustrating a method of anomaly detection of industrial control protocol data according to an embodiment of the present disclosure;

FIG. 5 is a block diagram illustrating a training apparatus for an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure;

fig. 6 is a block diagram illustrating a computing device according to an embodiment of the present disclosure.

Detailed Description

The following detailed description is provided to assist the reader in obtaining a thorough understanding of the methods, devices, and/or systems described herein. However, various changes, modifications, and equivalents of the methods, apparatus, and/or systems described herein will be apparent to those skilled in the art after reviewing the disclosure of the present application. For example, the order of operations described herein is merely an example, and is not limited to those set forth herein, but may be changed as will become apparent after understanding the disclosure of the present application, except to the extent that operations must occur in a particular order. Moreover, descriptions of features known in the art may be omitted for clarity and conciseness.

The features described herein may be embodied in different forms and should not be construed as limited to the examples described herein. Rather, the examples described herein have been provided to illustrate only some of the many possible ways to implement the methods, devices, and/or systems described herein, which will be apparent after understanding the disclosure of the present application.

As used herein, the term "and/or" includes any one of the associated listed items and any combination of any two or more.

Although terms such as "first", "second", and "third" may be used herein to describe various elements, components, regions, layers or sections, these elements, components, regions, layers or sections should not be limited by these terms. Rather, these terms are only used to distinguish one element, component, region, layer or section from another element, component, region, layer or section. Thus, a first element, component, region, layer or section referred to in the examples described herein could also be referred to as a second element, component, region, layer or section without departing from the teachings of the examples.

In the specification, when an element (such as a layer, region or substrate) is described as being "on," "connected to" or "coupled to" another element, it can be directly on, connected to or coupled to the other element or one or more other elements may be present therebetween. In contrast, when an element is referred to as being "directly on," "directly connected to," or "directly coupled to" another element, there may be no intervening elements present.

The terminology used herein is for the purpose of describing various examples only and is not intended to be limiting of the disclosure. The singular is also intended to include the plural unless the context clearly indicates otherwise. The terms "comprises," "comprising," and "having" specify the presence of stated features, quantities, operations, elements, components, and/or combinations thereof, but do not preclude the presence or addition of one or more other features, quantities, operations, components, elements, and/or combinations thereof.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs after understanding the present disclosure. Unless explicitly defined as such herein, terms (such as those defined in general dictionaries) should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and should not be interpreted in an idealized or overly formal sense.

Further, in the description of the examples, when it is considered that detailed description of well-known related structures or functions will cause a vague explanation of the present disclosure, such detailed description will be omitted.

According to the training method and the training device for the industrial control protocol data anomaly detection model, a new coding mode can be applied to the training of the industrial control protocol data anomaly detection model, heavy manual design participation is not needed, namely, data labels are not needed, data streams are not needed to be analyzed additionally, the trained model has good identification performance for the industrial control protocol data, and anomalies in the industrial control protocol data can be identified efficiently and accurately.

A method and an apparatus for training an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure will be described in detail below with reference to fig. 1 to 5. Here, the industrial control protocol data anomaly detection model may include a combinatorial coding module, a pre-training model, and a self-coding network.

FIG. 1 is a flow chart illustrating a training method of an industrial control protocol data anomaly detection model according to an embodiment of the disclosure.

Referring to fig. 1, in step S101, an industrial control protocol data stream may be acquired. Here, the industrial control protocol data stream may be data in hexadecimal representation. In particular, the industrial control protocol data stream may include data streams under various communication protocols (e.g., FTP protocol, TCP protocol, UDP protocol, etc.), each of which transports messages to each other, represented by hexadecimal data streams. Further, the industrial control protocol data stream may include a first number of hexadecimal numbers. Further, the first number may be an even number, and the numerical value of the first number may be set by a worker skilled in the art according to the actual situation. In addition, when the length of the obtained industrial control protocol data stream is less than the first quantity, data filling can be carried out by workers in the field according to the actual situation; when the length of the obtained industrial control protocol data stream exceeds the first number, data truncation can be performed by workers in the field according to actual conditions, so that the length of the industrial control protocol data stream is fixed to the first number.

Next, in step S102, each two adjacent hexadecimal numbers in the industrial control protocol data stream may be bound to be a combined code based on the combined coding module, and the combined code is converted into an index value, so as to obtain an index sequence. Here, the index sequence may include a second number of index values. Further, the first number as described above may be 2 times the second number.

According to the embodiment of the disclosure, the sample sequence can be obtained by binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code. Here, the sample sequence may include a second number of combined codes. Then, the combined code in the sample sequence may be converted into an index value based on a preset index dictionary library, thereby converting the sample sequence into an index sequence. Here, each index value in the index dictionary base corresponds to one combined code. Further, the index dictionary repository may include 256 index value and combination code correspondences. Further, the specific correspondence between the index value in the index dictionary library and the combined code can be set by those skilled in the art according to actual situations.

Next, in step S103, the index sequence may be converted into a first feature vector sequence based on the pre-training model. Here, the pre-trained model (pre-trained model) is a model obtained by unsupervised learning or unsupervised learning, and data can be expressed as feature vectors (features). As an example, the pre-training model may be a BERT model.

According to an embodiment of the present disclosure, index values in an index sequence may be converted into feature vectors based on a pre-training model, thereby converting the index sequence into a first feature vector sequence. Here, each index value may be individually converted into a feature vector of a preset dimension, and the first feature vector sequence may include a second number of feature vectors. Further, the numerical value of the preset dimension can be set by a worker in the field according to the actual situation.

Next, in step S104, the first eigenvector sequence may be converted into a second eigenvector sequence based on the self-coding network and loss calculation may be performed, so as to train the industrial control protocol data anomaly detection model. Here, the self-coded network may be a Fully connected neural network (FCN) for deep learning.

According to the embodiment of the disclosure, each feature vector in the first feature vector sequence can be subjected to dimensionality reduction compression and decoding reduction based on a self-coding network, so as to obtain a second feature vector sequence. Here, the second feature vector sequence includes a second number of feature vectors of a preset dimension.

According to an embodiment of the present disclosure, a self-encoding network may include an Encoder (Encoder) and a Decoder (Decoder). The encoder can compress the characteristic vector, essentially reduces the dimension of the characteristic vector, and can reduce the noise of the data in a dimension reduction way; the decoder can perform decoding operation on the feature vector with reduced dimension, that is, restore the feature vector with original dimension, at this time, the new feature vector can be used as noise-free data. As an example, the self-encoding network may be an AutoEncoder model that includes self-supervised learning of the encoder and decoder. On the basis, each feature vector in the first feature vector sequence can be subjected to dimension reduction compression based on an encoder, and each feature vector subjected to dimension reduction compression can be decoded and restored based on a decoder, so that a second feature vector sequence is obtained.

Next, according to an embodiment of the present disclosure, a loss calculation may be performed on the industrial control protocol data anomaly detection model based on the first eigenvector sequence and the second eigenvector sequence. Here, the model loss (model loss) may be calculated by calculating a Mean Square Error (MSE) between the first eigenvector sequence and the second eigenvector sequence, but is not limited thereto, and a person skilled in the art may determine a loss function of the model according to actual circumstances.

Next, according to an embodiment of the present disclosure, parameters of the pre-training model and the self-coding network may be adjusted based on a result of the loss calculation, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets a preset requirement. The industrial control protocol data anomaly detection model carries out loss calculation according to the first characteristic vector sequence and the second characteristic vector sequence, namely according to the input and the output of the self-coding network, then the loss calculation result is propagated reversely to adjust parameters in the model, finally the model learns the format of a normal data stream, and anomalies or noises in the data stream are abandoned. Further, the preset requirement that the second feature vector sequence needs to satisfy may be consistent with or close to the first feature vector sequence, i.e. the final convergence of the result of the loss calculation. The industrial control protocol data processing procedure according to an embodiment of the present disclosure is described in detail below with reference to fig. 2.

Fig. 2 is an explanatory diagram illustrating an industrial control protocol data processing procedure according to an embodiment of the present disclosure.

Referring to fig. 2, as an example, for an industrial control protocol data stream "8 c1645976363 …" represented by hexadecimal with a data length of 2n, binding every two adjacent hexadecimal numbers thereof may obtain "8 c1645976363 …". Then, the combined codes of 8c, 16, 45, 97, 63, etc. are mapped one to one according to the index dictionary library as described above, and then converted into an index sequence (not shown in fig. 2) as shown in "222, 34, 56, 74, 69, 69 …". Next, the index sequence is converted into a first feature vector sequence [ x1, x2, x3, x4, x5 … ] by the pre-training model as described above. Next, each eigenvector in the first eigenvector sequence is input into the self-coding network as described above, in the process, the m-dimensional eigenvector is subjected to dimension reduction compression by the encoder, and is converted into a new m-dimensional eigenvector after being decoded and restored by the decoder, and finally, the second eigenvector sequence [ y1, y2, y3, y4, y5 … ] is output from the self-coding network. The loss curve of the industrial control protocol data anomaly detection model training process according to the embodiment of the disclosure is described in detail below with reference to fig. 3.

FIG. 3 is a loss plot illustrating an industrial control protocol data anomaly detection model training process according to an embodiment of the present disclosure.

Referring to fig. 3, as an example, the abscissa represents a value of a training period (epoch), the ordinate represents a value of a mean square error (mse), a curve train is a training set data loss curve, and a curve val is a verification set data loss curve. As shown in fig. 3, in the training process of the model, as the number of iterations increases, the mean square error loss of the model gradually decreases, and finally the model learns the format of the normal data stream, and discards the anomaly or noise in the data stream. Here, a person skilled in the art may take a model with a relatively good validation set effect as a final industrial control protocol data anomaly detection model, and then perform anomaly detection by using the industrial control protocol data anomaly detection model. An anomaly detection method for industrial control protocol data according to an embodiment of the present disclosure is described in detail below with reference to fig. 4.

Fig. 4 is a flowchart illustrating an anomaly detection method for industrial control protocol data according to an embodiment of the present disclosure.

Referring to fig. 4, in step S401, an industrial control protocol data stream to be detected may be acquired. Here, the industrial control protocol data stream to be detected is data expressed in hexadecimal.

Next, in step S402, the industrial control protocol data stream to be detected may be used as an input, and the loss calculation may be performed by using the industrial control protocol data anomaly detection model obtained by the training method of the industrial control protocol data anomaly detection model according to the embodiment of the present disclosure.

Next, in step S403, it may be determined that the industrial control protocol data stream to be detected is an abnormal data stream based on that the loss value obtained by the loss calculation is greater than the preset threshold. Here, the loss calculation may be performed by calculating a mean square error as described above. Because the trained model learns the format of the normal data stream, when the industrial control protocol data stream to be detected is provided as the input of the model, the model can abandon the abnormity or noise in the data stream, thereby outputting the normal data. Further, the preset threshold may be set to 0.13, that is, when the loss value is greater than 0.13, it is determined that the industrial control protocol data stream to be detected is an abnormal data stream. In addition, the numerical value of the preset threshold value can also be set by those skilled in the art according to actual situations.

According to the training method of the industrial control protocol data anomaly detection model, the new coding mode is applied to the training of the industrial control protocol data anomaly detection model, and the trained model can accurately identify the anomaly of the industrial control protocol data under the condition of no label. In addition, the industrial control protocol data anomaly detection method can quickly and accurately detect the industrial control protocol data anomaly, not only can effectively prevent deliberate damage, but also can ensure the correctness of message data.

FIG. 5 is a block diagram illustrating a training apparatus of an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure. The training device of the industrial control protocol data anomaly detection model according to the embodiment of the disclosure can be realized in a computing device with enough computing capability.

Referring to fig. 5, atraining apparatus 500 of an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure may include adata acquisition unit 510, acombinatorial coding unit 520, avector representation unit 530, and anetwork training unit 540. Here, the industrial control protocol data anomaly detection model may include a combinatorial coding module, a pre-training model, and a self-coding network.

Data acquisition unit 510 may acquire an industrial control protocol data stream. As described above, an industrial control protocol data stream is data in hexadecimal representation.

The combinedencoding unit 520 may bind every two adjacent hexadecimal numbers in the industrial control protocol data stream to a combined code based on the combined encoding module, and convert the combined code into an index value, thereby obtaining an index sequence.

Alternatively, as described above, the industrial control protocol data stream may include a first number of hexadecimal numbers and the index sequence may include a second number of index values. Here, the first number may be 2 times the second number.

The combinedencoding unit 520 may obtain the sample sequence by binding every two adjacent hexadecimal numbers in the industrial control protocol data stream to a combined code. Here, the sample sequence may include a second number of combined codes.

The combinedencoding unit 520 may convert the sample sequence into an index sequence by converting the combined code in the sample sequence into an index value based on a preset index dictionary library. Here, each index value in the index dictionary base may correspond to one combined code.

Alternatively, as described above, the index dictionary repository may include 256 index value-to-combined code correspondences.

Thevector representation unit 530 may convert the index sequence into a first feature vector sequence based on a pre-training model.

Alternatively, thevector representation unit 530 may convert the index sequence into the first feature vector sequence by converting the index values in the index sequence into the feature vectors based on the pre-trained model. Here, each index value may be individually converted into a feature vector of a preset dimension, and the first feature vector sequence may include a second number of feature vectors.

Thenetwork training unit 540 may convert the first eigenvector sequence into a second eigenvector sequence based on the self-coding network and perform loss calculation, thereby training the industrial control protocol data anomaly detection model.

Thenetwork training unit 540 may perform dimension reduction compression and decoding restoration on each feature vector in the first feature vector sequence based on the self-coding network, thereby obtaining a second feature vector sequence. Here, the second feature vector sequence may include a second number of feature vectors of preset dimensions. Alternatively, the self-encoding network may include an encoder and a decoder, and thenetwork training unit 540 may perform dimension reduction compression on each feature vector in the first feature vector sequence based on the encoder; and decoding and restoring each feature vector after dimension reduction compression based on a decoder so as to obtain a second feature vector sequence.

Thenetwork training unit 540 may perform loss calculation on the industrial control protocol data anomaly detection model based on the first feature vector sequence and the second feature vector sequence.

Thenetwork training unit 540 may further adjust parameters of the pre-training model and the self-coding network based on the result of the loss calculation, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets the preset requirement.

Referring to fig. 6, acomputing device 600 according to an embodiment of the disclosure may include aprocessor 610 and amemory 620. Theprocessor 610 may include, but is not limited to, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microcomputer, a Field Programmable Gate Array (FPGA), a system on a chip (SoC), a microprocessor, an Application Specific Integrated Circuit (ASIC), and the like. Thememory 620 stores computer programs to be executed by theprocessor 610.Memory 620 includes high speed random access memory and/or non-volatile computer-readable storage media. Whenprocessor 610 executes the computer program stored inmemory 620, the method of training the industrial control protocol data anomaly detection model described above or the method of anomaly detection of industrial control protocol data described above may be implemented.

Although a few embodiments of the present disclosure have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the disclosure, the scope of which is defined in the claims and their equivalents.

Claims

1. A training method for an industrial control protocol data anomaly detection model is characterized in that the industrial control protocol data anomaly detection model comprises a combined coding module, a pre-training model and a self-coding network, wherein the training method comprises the following steps:

acquiring an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal;

binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and converting the combined code into an index value so as to obtain an index sequence;

converting the index sequence into a first feature vector sequence based on the pre-training model;

and based on the self-coding network, converting the first characteristic vector sequence into a second characteristic vector sequence and performing loss calculation, thereby training the industrial control protocol data anomaly detection model.

2. The training method of claim 1, wherein the industrial control protocol data stream comprises a first number of hexadecimal numbers and the index sequence comprises a second number of index values, wherein the first number is 2 times the second number.

3. The training method as claimed in claim 2, wherein the step of binding each two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and converting the combined code into an index value, thereby obtaining an index sequence comprises:

binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code to obtain a sample sequence, wherein the sample sequence comprises a second number of combined codes;

converting the sample sequence into an index sequence by converting the combined codes in the sample sequence into index values based on a preset index dictionary library, wherein each index value in the index dictionary library corresponds to one combined code.

4. The training method of claim 3, wherein the index dictionary repository includes 256 index value-to-combined code correspondences.

5. A training method according to claim 3, wherein the step of converting the index sequence into a first sequence of feature vectors based on the pre-trained model comprises:

converting the index sequence into a first feature vector sequence by converting the index values in the index sequence into feature vectors based on the pre-training model, wherein each index value is converted into a feature vector with preset dimensionality, and the first feature vector sequence comprises a second quantity of feature vectors.

6. The training method of claim 5, wherein the step of converting the first feature vector sequence into a second feature vector sequence and performing loss calculation based on the self-coding network, so as to train the industrial control protocol data anomaly detection model comprises:

based on the self-coding network, performing dimensionality reduction compression and decoding reduction on each feature vector in the first feature vector sequence to obtain a second feature vector sequence, wherein the second feature vector sequence comprises a second number of feature vectors with preset dimensionality;

and performing loss calculation on the industrial control protocol data anomaly detection model based on the first characteristic vector sequence and the second characteristic vector sequence.

7. The training method of claim 6, wherein the self-coding network comprises an encoder and a decoder, and wherein the step of performing dimension reduction compression and decoding recovery on each feature vector in the first feature vector sequence based on the self-coding network to obtain a second feature vector sequence comprises:

performing dimension reduction compression on each feature vector in the first feature vector sequence based on the encoder;

and decoding and restoring each feature vector after dimension reduction compression based on the decoder to obtain a second feature vector sequence.

8. The training method of claim 7, wherein the step of training the industrial control protocol data anomaly detection model by converting the first feature vector sequence into a second feature vector sequence and performing loss calculation based on the self-coding network further comprises:

and adjusting parameters of the pre-training model and the self-coding network based on the loss calculation result, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets the preset requirement.

9. An anomaly detection method for industrial control protocol data is characterized by comprising the following steps:

acquiring an industrial control protocol data stream to be detected, wherein the industrial control protocol data stream to be detected is data expressed in hexadecimal;

taking the industrial control protocol data stream to be detected as input, and performing loss calculation by using an industrial control protocol data anomaly detection model obtained by the training method according to any one of claims 1 to 8;

and determining that the industrial control protocol data stream to be detected is an abnormal data stream based on the fact that the loss value obtained by the loss calculation is larger than a preset threshold value.

10. The training device for the industrial control protocol data anomaly detection model is characterized in that the industrial control protocol data anomaly detection model comprises a combined coding module, a pre-training model and a self-coding network, wherein the training device comprises:

the data acquisition unit is configured to acquire an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal;

the combined coding unit is configured to bind every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and convert the combined code into an index value, so as to obtain an index sequence;

a vector representation unit configured to convert the index sequence into a first feature vector sequence based on the pre-training model;

and the network training unit is configured to convert the first characteristic vector sequence into a second characteristic vector sequence and perform loss calculation based on the self-coding network, so as to train the industrial control protocol data anomaly detection model.

11. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a method for training an industrial control protocol data anomaly detection model according to any one of claims 1 to 8 or a method for anomaly detection of industrial control protocol data according to claim 9.

12. A computing device, the computing device comprising:

a processor; and

a memory storing a computer program which, when executed by the processor, implements a method of training an industrial control protocol data anomaly detection model according to any one of claims 1 to 8 or a method of anomaly detection of industrial control protocol data according to claim 9.