CN113691505A - Industrial internet intrusion detection method based on big data - Google Patents
- Publication number: CN113691505A
- Application number: CN202110897841.7A
- Authority: CN (China)
- Prior art keywords: terminal, target, attack, state, node
- Legal status: Granted (the legal status shown is an assumption made by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The invention relates to an industrial internet intrusion detection method based on big data, comprising the following steps: generating a multi-dimensional steady-state domain from the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet; establishing a behavior prediction function from the first and second time-series behavior features of a target terminal, predicting the first and second behavior features of the target terminal at the next moment from the behavior prediction function and its first and second behavior features at the current moment, determining from these the time-series running direction of the target terminal at the next moment, and then obtaining the boundary point of the multi-dimensional steady-state domain in that running direction; and calculating the distance between the state point of the target terminal at the current moment and that boundary point as the domain boundary distance, and intercepting all operation behaviors of the target terminal when the domain boundary distance is smaller than a domain boundary threshold.
    Description
Technical Field
      The invention relates to the field of big data and industrial Internet, in particular to an industrial Internet intrusion detection method based on big data.
    Background
      With the continuing integration of industrialization and informatization, the penetration of the industrial internet into manufacturing is accelerating, driving the transition of industrial production equipment from digitalization to networking, of the industrial production environment from closed to open, and of the production process from automation to intelligence. Physical-space industrial equipment and systems, together with manufacturing, management and service processes, are mapped into cyberspace by digital technology; the security boundary between information systems and industrial systems keeps blurring, and the importance and urgency of industrial internet security protection grow accordingly. To meet the new requirements, characteristics and trends in securing industrial protection objects, the industrial internet security boundary keeps extending and the security technology system evolves rapidly.
      In recent years, frequent industrial internet security incidents have caused increasingly severe economic losses for industrial enterprises and broader, more serious social impact. Because the network boundary is ambiguous, platforms and equipment have become the main attack targets. Industrial internet platforms are still at an early stage and their security protection systems are still imperfect: vulnerabilities such as weak passwords, remote command execution, information leakage and privilege bypass are common, platform-networked equipment is frequently subjected to scanning probes and malicious programs, and important sensitive data is leaked from time to time.
    Disclosure of Invention
      In view of this, the present invention provides a big-data-based industrial internet intrusion detection method, which includes: generating a multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet;
      acquiring the terminal behavior data of a target terminal, and obtaining from it the terminal sending data and terminal receiving data of the target terminal;
      extracting the time-series features of the terminal sending data of the target terminal as its first time-series behavior feature, and the time-series features of the terminal receiving data as its second time-series behavior feature; the first time-series behavior feature comprises data transmission features recorded in time order, and the second time-series behavior feature comprises data reception features recorded in time order;
      establishing a behavior prediction function based on the first and second time-series behavior features, extracting the first behavior feature of the target terminal at the current moment from the first time-series behavior feature, and the second behavior feature at the current moment from the second time-series behavior feature; the first behavior feature is a data transmission feature and the second behavior feature is a data reception feature;
      predicting the first and second behavior features of the target terminal at the next moment from the behavior prediction function and its first and second behavior features at the current moment;
      obtaining the first and second behavior state vectors of the target terminal at the current moment from its first and second behavior features at the current moment, and the first and second behavior state vectors at the next moment from its predicted first and second behavior features at the next moment;
      determining the time-series running direction of the target terminal at the next moment from its first and second behavior state vectors at the current moment and at the next moment;
      obtaining the state point of the target terminal at the current moment from its first and second behavior state vectors at the current moment;
      continuously attacking the defense state of the industrial internet along the time-series running direction to obtain the boundary point of the multi-dimensional steady-state domain, calculating the distance between the state point of the target terminal at the current moment and that boundary point, and taking it as the domain boundary distance; and intercepting all operation behaviors of the target terminal when the domain boundary distance is smaller than the domain boundary threshold.
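      The steps above, from the two time series to the intercept decision, carried through on constructed data. This is an added example, not code from the patent: the patent fixes neither the form of the behavior prediction function nor the shape of the steady-state domain, so a constant-drift predictor (mean one-step change over the history) and a two-dimensional polygon whose vertices stand for the connected defense breach points are assumed here; the byte counts, the rectangular domain and the threshold are invented sample input.

```python
import math

# Constructed sample input (not from the patent): per-interval byte counts of a target
# terminal. SENT is the first time-series behaviour feature (data transmission),
# RECV the second (data reception). Eight intervals, oldest first.
SENT = [100, 102, 106, 107, 112, 115, 118, 121]
RECV = [300, 305, 308, 312, 316, 319, 324, 328]

# Constructed steady-state domain, reduced to two dimensions so that a state point is
# (sent, received). Its vertices stand for the defence breach points that the patent
# connects into the domain; a rectangle is used only for readability.
DOMAIN = [(0.0, 0.0), (200.0, 0.0), (200.0, 400.0), (0.0, 400.0)]


def fit_drift(series):
    """Behaviour prediction function. The patent fixes no model; an assumed
    constant-drift model (mean one-step change over the history) is used here."""
    deltas = [b - a for a, b in zip(series, series[1:])]
    return sum(deltas) / len(deltas)


def predict_next(series):
    """Predicted behaviour feature at the next moment."""
    return series[-1] + fit_drift(series)


def run_direction(current, nxt):
    """Unit vector from the current state point to the predicted next state point:
    the time-series running direction of the terminal."""
    dx, dy = nxt[0] - current[0], nxt[1] - current[1]
    norm = math.hypot(dx, dy)
    return (0.0, 0.0) if norm == 0 else (dx / norm, dy / norm)


def inside(point, polygon):
    """Even-odd test: is the state point inside the steady-state domain?"""
    x, y = point
    hit = False
    for i in range(len(polygon)):
        (x1, y1), (x2, y2) = polygon[i], polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                hit = not hit
    return hit


def ray_hits_segment(p, d, a, b):
    """Parameter t >= 0 with p + t*d on segment a-b, or None (Cramer's rule)."""
    ex, ey = b[0] - a[0], b[1] - a[1]
    denom = d[0] * ey - d[1] * ex
    if abs(denom) < 1e-12:          # ray parallel to the edge
        return None
    qx, qy = a[0] - p[0], a[1] - p[1]
    t = (qx * ey - qy * ex) / denom
    u = (qx * d[1] - qy * d[0]) / denom
    return t if t >= 0 and 0 <= u <= 1 else None


def boundary_point(point, direction, polygon):
    """Boundary point of the domain in the running direction: the first edge that the
    ray from the state point crosses."""
    best = None
    for i in range(len(polygon)):
        t = ray_hits_segment(point, direction, polygon[i], polygon[(i + 1) % len(polygon)])
        if t is not None and (best is None or t < best):
            best = t
    if best is None:
        return None
    return (point[0] + best * direction[0], point[1] + best * direction[1])


def domain_boundary_distance(sent, recv, polygon):
    """Distance from the current state point to the domain boundary along the running
    direction: 0.0 if the terminal is already outside the domain, inf if it is not moving."""
    current = (float(sent[-1]), float(recv[-1]))
    if not inside(current, polygon):
        return 0.0
    nxt = (predict_next(sent), predict_next(recv))
    direction = run_direction(current, nxt)
    if direction == (0.0, 0.0):
        return math.inf
    bp = boundary_point(current, direction, polygon)
    return 0.0 if bp is None else math.dist(current, bp)


def should_intercept(sent, recv, polygon, threshold):
    """Intercept all operations of the terminal when the domain boundary distance is
    below the domain boundary threshold."""
    return domain_boundary_distance(sent, recv, polygon) < threshold


if __name__ == "__main__":
    dist = domain_boundary_distance(SENT, RECV, DOMAIN)
    print(f"domain boundary distance = {dist:.1f}")
    print("intercept at threshold 100:", should_intercept(SENT, RECV, DOMAIN, 100.0))
```

      Two cases the claim text does not spell out are handled explicitly: a terminal whose state point already lies outside the domain gets distance 0 and is intercepted regardless of threshold, and a stationary terminal (zero predicted movement) has no boundary point in its running direction, so the distance is reported as infinite rather than the ray search failing silently.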
      According to a preferred embodiment, the target terminal is a terminal device currently accessing the industrial internet; a first terminal is a terminal device that has historically accessed the industrial internet; a second terminal is a terminal device with intrusion behavior. A terminal device is a device having data transmission and communication functions, and includes smartphones, smart watches, tablet computers, laptops and desktop computers.
      According to a preferred embodiment, generating the multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet comprises:
      identifying, from the historical intrusion data of the industrial internet, all first terminals that have intruded into the industrial internet and taking them as second terminals; randomly selecting one second terminal as the target second terminal and acquiring its terminal behavior data;
      obtaining the terminal sending data and terminal receiving data of the target second terminal from its terminal behavior data, and extracting the data features of each to obtain the terminal sending features and terminal receiving features of the target second terminal;
      determining several network attack directions of the target second terminal from its terminal sending and receiving features, continuously attacking the defense state of the industrial internet along those attack directions, and stopping when the defense state of the industrial internet is breached, to obtain the two-dimensional steady-state domain of the target second terminal;
      selecting the other second terminals in turn as the target second terminal and repeating the above steps until all second terminals have been traversed, obtaining the two-dimensional steady-state domain of each second terminal;
      and generating the multi-dimensional steady-state domain from the two-dimensional steady-state domains of all second terminals.
      According to a preferred embodiment, obtaining the two-dimensional steady-state domain of the target second terminal from its several network attack directions includes:
      randomly selecting one of the network attack directions of the target second terminal as the target network attack direction, and continuously attacking the defense state of the industrial internet along it until the defense state in that direction is breached; a breach means that the defense state of the industrial internet in the target network attack direction changes from the stable state to the fluctuating state;
      acquiring the limit point of the industrial internet at which the defense state in the target network attack direction changes from the stable state to the fluctuating state, and taking this limit point as the defense breach point of the industrial internet in the target network attack direction;
      selecting the other network attack directions of the target second terminal in turn as the target network attack direction and repeating the above until all of its network attack directions have been traversed, obtaining the defense breach point of the industrial internet in each network attack direction of the target second terminal;
      and connecting the defense breach points of the industrial internet in each network attack direction of the target second terminal to obtain the two-dimensional steady-state domain of the target second terminal.
      According to a preferred embodiment, determining several network attack directions of the target second terminal from its terminal sending features and terminal receiving features comprises:
      generating a sending feature vector from the terminal sending features and a receiving feature vector from the terminal receiving features, and identifying from these two vectors the several attack nodes through which the target second terminal attacks the industrial internet;
      acquiring the first node feature vector and second node feature vector of each attack node; the first node feature vector represents the data transmission features of the attack node and the second node feature vector represents its data reception features;
      obtaining all neighbor attack nodes of each attack node from the first and second node feature vectors of the attack nodes, and connecting each attack node in sequence with its neighbor attack nodes to generate the attack curve of that attack node;
      and taking the tangent direction of the attack curve of each attack node as the network attack direction of that attack node, so that the network attack directions of all attack nodes together form the several network attack directions of the target second terminal.
      According to a preferred embodiment, obtaining the neighbor attack nodes of an attack node from the first and second node feature vectors of the attack nodes comprises, first, computing four proximity values:
      calculating the similarity between the first node feature vector of each attack node and the first node feature vectors of the other attack nodes, as the first proximity value between that attack node and each other attack node;
      calculating the similarity between the second node feature vector of each attack node and the second node feature vectors of the other attack nodes, as the second proximity value between that attack node and each other attack node;
      calculating the similarity between the first node feature vector of each attack node and the second node feature vectors of the other attack nodes, as the third proximity value between that attack node and each other attack node;
      and calculating the similarity between the second node feature vector of each attack node and the first node feature vectors of the other attack nodes, as the fourth proximity value between that attack node and each other attack node.
      According to a preferred embodiment, obtaining the neighbor attack nodes of an attack node from the first and second node feature vectors further comprises, given the four proximity values:
      traversing all attack nodes, taking the attack node being traversed as the target attack node and all other attack nodes as its candidate attack nodes;
      traversing all candidate attack nodes of the target attack node, taking the candidate being traversed as the target candidate attack node;
      comparing the first, second, third and fourth proximity values between the target attack node and the target candidate attack node with the first, second, third and fourth proximity thresholds respectively;
      and when the first proximity value is greater than the first proximity threshold, the second proximity value is greater than the second proximity threshold, the third proximity value is less than the third proximity threshold and the fourth proximity value is less than the fourth proximity threshold, taking the target candidate attack node as a neighbor attack node of the target attack node.
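      The neighbor selection of the two embodiments above, run over constructed attack nodes. This is an added example and not the patent's code: the patent names a similarity measure and four thresholds but fixes neither, so cosine similarity and the threshold values 0.9/0.9/0.5/0.5 are assumptions, as are the three-dimensional feature vectors. The final function goes one step beyond the text and approximates the tangent of the attack curve by the unit vector from a node to the centroid of its neighbors; that approximation is the author's own, not the patent's.

```python
import math

# Constructed sample attack nodes (not from the patent). For each node: the first node
# feature vector (data transmission features) and the second node feature vector (data
# reception features). Three hypothetical feature dimensions per vector.
NODES = {
    "n0": ((1.0, 0.0, 0.0), (0.0, 1.0, 0.0)),
    "n1": ((1.0, 0.1, 0.0), (0.0, 1.0, 0.1)),   # sends and receives like n0
    "n2": ((0.0, 0.0, 1.0), (0.0, 0.0, 1.0)),   # unrelated traffic profile
    "n3": ((0.0, 1.0, 0.0), (1.0, 0.0, 0.0)),   # mirrors n0: sends what n0 receives
}
# Assumed threshold values; the patent names four thresholds but fixes no numbers.
THRESHOLDS = {"first": 0.9, "second": 0.9, "third": 0.5, "fourth": 0.5}


def cosine(u, v):
    """Cosine similarity, used here as the (unspecified) similarity measure."""
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(x * x for x in v))
    if nu == 0.0 or nv == 0.0:
        return 0.0
    return sum(a * b for a, b in zip(u, v)) / (nu * nv)


def proximity_values(node_a, node_b):
    """The four proximity values between two attack nodes."""
    (send_a, recv_a), (send_b, recv_b) = node_a, node_b
    return {
        "first": cosine(send_a, send_b),   # transmit vs transmit
        "second": cosine(recv_a, recv_b),  # receive vs receive
        "third": cosine(send_a, recv_b),   # transmit vs receive
        "fourth": cosine(recv_a, send_b),  # receive vs transmit
    }


def is_neighbor(node_a, node_b, th=THRESHOLDS):
    """Neighbour rule: same-channel similarities above threshold, cross-channel below."""
    p = proximity_values(node_a, node_b)
    return (p["first"] > th["first"] and p["second"] > th["second"]
            and p["third"] < th["third"] and p["fourth"] < th["fourth"])


def neighbor_attack_nodes(nodes, th=THRESHOLDS):
    """Map each attack node to the names of its neighbour attack nodes."""
    return {
        name: [other for other in nodes
               if other != name and is_neighbor(nodes[name], nodes[other], th)]
        for name in nodes
    }


def attack_direction(name, nodes, neighbors):
    """Assumed approximation of the tangent of the attack curve: unit vector from the
    node's concatenated (send, recv) features to the centroid of its neighbours.
    Returns None when the node has no neighbours (no curve can be drawn)."""
    if not neighbors:
        return None
    own = nodes[name][0] + nodes[name][1]
    dim = len(own)
    centroid = [sum((nodes[n][0] + nodes[n][1])[i] for n in neighbors) / len(neighbors)
                for i in range(dim)]
    diff = [c - o for c, o in zip(centroid, own)]
    norm = math.sqrt(sum(x * x for x in diff))
    return None if norm == 0.0 else tuple(x / norm for x in diff)


if __name__ == "__main__":
    nb = neighbor_attack_nodes(NODES)
    for name in NODES:
        print(name, "neighbours:", nb[name], "direction:", attack_direction(name, NODES, nb[name]))
```

      Node n3 shows why the third and fourth thresholds are upper bounds: its transmit profile matches n0's receive profile exactly, which is a peer on the other end of the same flows rather than a node attacking in the same way, and it is correctly not selected as a neighbor of n0.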
      According to a preferred embodiment, acquiring the limit point of the industrial internet at which the defense state in the target network attack direction changes from the stable state to the fluctuating state comprises the following steps:
      acquiring from a database the network structure data of the industrial internet, its network structure data in the stable state and its network structure data in the fluctuating state, and determining the steady-state constraint condition of the industrial internet from these three;
      acquiring the historical intrusion data of the industrial internet from the database, extracting the intrusion time-series features of the historical intrusion data, and then acquiring the defense state of the industrial internet at the current moment;
      predicting the defense state of the industrial internet at the next moment from the intrusion time-series features and the defense state at the current moment, obtaining the defense state vector at the current moment from the defense state at the current moment, and the defense state vector at the next moment from the predicted defense state at the next moment;
      calculating the network attack direction at the next moment from the defense state vectors at the current and next moments, and extracting the network structure features of the industrial internet at the current moment and its network structure features when the defense state is fluctuating;
      calculating the similarity between the network structure features at the current moment and the network structure features in the fluctuating state, and verifying from the steady-state constraint condition and this similarity whether the defense state of the industrial internet at the current moment is fluctuating;
      when the defense state at the current moment is fluctuating, generating the state point at the current moment from the defense state vector at the current moment and taking it as the limit point;
      and when the defense state at the current moment is stable, taking the next moment as the current moment and repeating the above steps until the defense state of the industrial internet is fluctuating, then generating the state point at that moment from its defense state vector and taking it as the limit point.
      According to a preferred embodiment, when the network structure features of the industrial internet meet the steady-state constraint condition and their similarity to the network structure features of the fluctuating defense state is less than the similarity threshold, the defense state of the industrial internet is the stable state; the stable state is the normal defense state of the industrial internet;
      when the network structure features do not meet the steady-state constraint condition and their similarity to the network structure features of the fluctuating defense state is greater than or equal to the similarity threshold, the defense state is the fluctuating state; the fluctuating state is the breached defense state of the industrial internet;
      and when the network structure features do not meet the steady-state constraint condition and their similarity to the network structure features of the fluctuating defense state is less than the similarity threshold, the defense state is the critical state; the critical state is the transitional defense state between the stable state and the fluctuating state.
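      The limit-point search of the preceding embodiment and the three-state classification just given, combined in one added example that is not code from the patent. The patent does not say what the network structure features are, how the steady-state constraint is expressed, which similarity is used, or how the next defense state is predicted; here the features are assumed to be (reachable-node fraction, mean link utilization, failed-authentication rate), the constraint is a band per feature, the similarity is cosine similarity against a fluctuating-state reference, and the predictor is a constant drift fitted to the intrusion time series. All numbers are constructed. Two gaps in the text are handled explicitly: the fourth combination (constraint met, similarity at or above the threshold) is reported as "undefined" because the patent assigns it no state, and the search is bounded because nothing guarantees the predicted trajectory ever becomes fluctuating.

```python
import math

# Constructed data (not from the patent). Network structure features of the industrial
# internet are assumed to be (reachable-node fraction, mean link utilisation,
# failed-authentication rate); every number below is illustrative.
STEADY_CONSTRAINT = ((0.9, 1.0), (0.0, 0.7), (0.0, 0.05))  # allowed band per feature
FLUCTUATING_REF = (0.5, 0.95, 0.6)  # structure features recorded while the defence was fluctuating
SIMILARITY_THRESHOLD = 0.95         # assumed value
# Structure features at successive moments of a historical intrusion (the intrusion
# time-series), oldest first; the last entry is the defence state at the current moment.
INTRUSION_SERIES = [(0.98, 0.40, 0.01), (0.94, 0.45, 0.06), (0.90, 0.50, 0.11)]


def cosine(u, v):
    """Cosine similarity, used as the (unspecified) similarity between structure features."""
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(x * x for x in v))
    if nu == 0.0 or nv == 0.0:
        return 0.0
    return sum(a * b for a, b in zip(u, v)) / (nu * nv)


def meets_constraint(state, constraint=STEADY_CONSTRAINT):
    """Steady-state constraint condition: every feature inside its allowed band."""
    return all(lo <= x <= hi for x, (lo, hi) in zip(state, constraint))


def classify(state):
    """Defence state per the three cases of the patent. The fourth combination
    (constraint met, similarity >= threshold) is given no state by the patent and is
    reported as 'undefined' so that it cannot be mistaken for 'stable'."""
    ok = meets_constraint(state)
    sim = cosine(state, FLUCTUATING_REF)
    if ok and sim < SIMILARITY_THRESHOLD:
        return "stable"
    if not ok and sim >= SIMILARITY_THRESHOLD:
        return "fluctuating"
    if not ok and sim < SIMILARITY_THRESHOLD:
        return "critical"
    return "undefined"


def fit_drift(series):
    """Prediction of the next defence state: assumed constant-drift model over the
    intrusion time-series (the patent fixes no model)."""
    dim = len(series[0])
    deltas = [[b[i] - a[i] for i in range(dim)] for a, b in zip(series, series[1:])]
    return tuple(sum(d[i] for d in deltas) / len(deltas) for i in range(dim))


def find_limit_point(current, drift, max_steps=50):
    """Advance the predicted defence state moment by moment until it is classified as
    fluctuating; return (limit point, steps taken). Returns (None, max_steps) when the
    trajectory never reaches the fluctuating state, a case the patent does not address."""
    state, steps = tuple(current), 0
    while classify(state) != "fluctuating":
        if steps >= max_steps:
            return None, steps
        state = tuple(s + d for s, d in zip(state, drift))
        steps += 1
    return state, steps


if __name__ == "__main__":
    current = INTRUSION_SERIES[-1]
    print("current defence state:", classify(current))
    limit, steps = find_limit_point(current, fit_drift(INTRUSION_SERIES))
    print("limit point after", steps, "steps:", limit)
```

      On this data the current state already violates the failed-authentication band but is still far from the fluctuating profile, so it is classified critical; the predicted trajectory reaches the fluctuating classification after five steps, and that predicted state is the limit point (the defense breach point for this attack direction).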
      The invention has the following beneficial effects: the method generates the multi-dimensional steady-state domain from the terminal behavior data of the first terminals and the historical intrusion data of the industrial internet, and judges from the terminal behavior data of the target terminal the domain boundary distance between the target terminal and the multi-dimensional steady-state domain, thereby judging whether the target terminal is an intruding terminal. In addition, the invention performs intrusion detection on the industrial internet platform and intercepts all operation behaviors of the target terminal when it is an intruding terminal, so as to protect the data in the industrial internet and avoid economic loss caused by data leakage.
    Drawings
      Fig. 1 is a flowchart of a big data-based intrusion detection method for an industrial internet according to an exemplary embodiment.
    Detailed Description
      The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
      Referring to fig. 1, in one embodiment, a big data based industrial internet intrusion detection method may include:
      S1: generating a multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet.
      In one embodiment, the generating the multi-dimensional steady-state domain based on the terminal behavior data of all the first terminals and the historical intrusion data of the industrial internet comprises:
      identifying all first terminals invading the industrial Internet based on historical invasion data of the industrial Internet and using the first terminals as second terminals; randomly selecting a second terminal, taking the second terminal as a target second terminal, and then acquiring terminal behavior data of the target second terminal;
      acquiring terminal sending data and terminal receiving data of the target second terminal based on the terminal behavior data of the target second terminal, and extracting data characteristics of the terminal sending data and the terminal receiving data of the target second terminal to acquire terminal sending characteristics and terminal receiving characteristics of the target second terminal;
      determining a plurality of network attack directions of a target second terminal based on terminal sending characteristics and terminal receiving characteristics of the target second terminal, continuously attacking the defense state of the industrial internet based on the plurality of network attack directions of the target second terminal, and stopping attacking until the defense state of the industrial internet is damaged to obtain a two-dimensional stable domain of the target second terminal;
      selecting other second terminals as target second terminals, and repeatedly executing the steps until all the second terminals are traversed to obtain a two-dimensional steady-state domain of each second terminal;
      and generating a multi-dimensional stable domain based on the two-dimensional stable domains of all the second terminals.
      In one embodiment, obtaining the two-dimensional steady-state domain of the target second terminal based on a plurality of network attack directions of the target second terminal includes:
      randomly selecting a network attack direction from a plurality of network attack directions of a target second terminal as a target network attack direction, and continuously attacking the defense state of the industrial internet based on the target network attack direction until the defense state of the industrial internet in the target network attack direction is damaged; the defense state of the industrial internet in the target network attack direction is destroyed, and the defense state of the industrial internet in the target network attack direction is converted from a stable state to a wave dynamic state;
      acquiring a limit point of the industrial internet when the defense state of the target network attack direction is converted from a stable state to a wave dynamic state, and taking the limit point of the industrial internet when the defense state of the target network attack direction is converted from the stable state to the wave dynamic state as a defense damage point of the industrial internet in the target network attack direction;
      selecting other network attack directions of the target second terminal as target network attack directions, and repeating the operation until all network attack directions of the target second terminal are traversed to obtain defense damage points of the industrial internet in each network attack direction of the target second terminal;
      and connecting the industrial internet at the defense destruction point of each network attack direction of the target second terminal to obtain a two-dimensional steady-state domain of the target second terminal.
      In one embodiment, determining a number of network attack directions of the target second terminal based on the terminal transmission characteristics and the terminal reception characteristics of the target second terminal comprises:
      generating a sending characteristic vector based on the terminal sending characteristic, generating a receiving characteristic vector based on the terminal receiving characteristic, and identifying a plurality of attack nodes of a target second terminal to the industrial internet based on the sending characteristic vector and the receiving characteristic vector;
      acquiring a first node characteristic vector and a second node characteristic vector of each attack node; the first node feature vector represents data transmission features of an attack node; the second node feature vector represents the data receiving feature of the attack node;
      acquiring all neighbor attack nodes of each attack node based on the first node characteristic vector and the second node characteristic vector of each attack node, and sequentially connecting each attack node with the neighbor attack nodes thereof to generate an attack curve of each attack node;
      and taking the tangential direction of the attack curve of each attack node as the network attack direction of each attack node, and then obtaining a plurality of network attack directions of the target second terminal based on the network attack directions of all the attack nodes.
      In one embodiment, obtaining the neighbor attack nodes of an attack node based on the first node feature vector and the second node feature vector of the attack node comprises:
      calculating the similarity between the first node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a first proximity value between each attack node and each other attack node;
      calculating the similarity between the second node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a second proximity value between each attack node and each other attack node;
      calculating the similarity between the first node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a third proximity value between each attack node and each other attack node;
      and calculating the similarity between the second node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a fourth proximity value between each attack node and each other attack node.
      In one embodiment, obtaining the neighbor attack nodes of an attack node based on the first node feature vector and the second node feature vector of the attack node further comprises:
      traversing all attack nodes, taking the traversed attack node as the target attack node, and taking the other attack nodes except the target attack node as candidate attack nodes of the target attack node;
      traversing all candidate attack nodes of the target attack node, and taking the traversed candidate attack node as the target candidate attack node;
      comparing the first, second, third and fourth proximity values between the target attack node and the target candidate attack node with a first, second, third and fourth proximity threshold respectively;
      and when the first proximity value between the target attack node and the target candidate attack node is greater than the first proximity threshold, the second proximity value is greater than the second proximity threshold, the third proximity value is less than the third proximity threshold and the fourth proximity value is less than the fourth proximity threshold, taking the target candidate attack node as a neighbor attack node of the target attack node. In other words, two attack nodes are neighbors when their sending features resemble each other and their receiving features resemble each other, while the sending features of one do not resemble the receiving features of the other.
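The four-proximity neighbor rule above, worked through in Python as an added example (this is not code from the patent). The patent names no similarity measure, so cosine similarity is assumed; the five attack nodes, their feature vectors, the four thresholds, and the chord approximation used for the tangent of the attack curve are all constructed for illustration.

```python
"""Added example: neighbor attack nodes from the four proximity values.

Not code from the patent. Cosine similarity, the node feature vectors, the
thresholds and the chord approximation of the tangent are assumptions.
"""
import math
from typing import Dict, List, Optional, Sequence, Tuple

Vec = Sequence[float]

# Constructed attack nodes: first vector = data-transmission (sending) features,
# second vector = data-reception features, both 3-dimensional.
SEND_VECTORS: List[Vec] = [
    (1.0, 0.0, 0.0),   # node 0
    (1.0, 0.0, 0.0),   # node 1: identical to node 0
    (0.0, 0.0, 1.0),   # node 2: unrelated to the others
    (0.0, 1.0, 0.0),   # node 3: node 0 with sending and receiving swapped
    (0.9, 0.1, 0.0),   # node 4: close to node 0
]
RECV_VECTORS: List[Vec] = [
    (0.0, 1.0, 0.0),
    (0.0, 1.0, 0.0),
    (0.0, 0.0, 1.0),
    (1.0, 0.0, 0.0),
    (0.0, 0.9, 0.1),
]
# (first, second, third, fourth) proximity thresholds, constructed.
THRESHOLDS = (0.9, 0.9, 0.5, 0.5)


def cosine(a: Vec, b: Vec) -> float:
    """Cosine similarity; 0.0 for a zero vector so an empty node never matches."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


def proximity_values(send: List[Vec], recv: List[Vec]) -> Dict[Tuple[int, int], Tuple[float, float, float, float]]:
    """For every ordered pair (i, j), i != j: first = send_i vs send_j,
    second = recv_i vs recv_j, third = send_i vs recv_j, fourth = recv_i vs send_j."""
    out = {}
    for i in range(len(send)):
        for j in range(len(send)):
            if i != j:
                out[(i, j)] = (cosine(send[i], send[j]), cosine(recv[i], recv[j]),
                               cosine(send[i], recv[j]), cosine(recv[i], send[j]))
    return out


def neighbor_attack_nodes(send: List[Vec], recv: List[Vec], thresholds=THRESHOLDS) -> Dict[int, List[int]]:
    """Candidate j is a neighbor of target i when the same-kind similarities are high
    and the cross-kind similarities are low (the four conditions of the embodiment)."""
    t1, t2, t3, t4 = thresholds
    neighbors: Dict[int, List[int]] = {i: [] for i in range(len(send))}
    for (i, j), (p1, p2, p3, p4) in proximity_values(send, recv).items():
        if p1 > t1 and p2 > t2 and p3 < t3 and p4 < t4:
            neighbors[i].append(j)
    return neighbors


def attack_direction(node: int, neighbors: Dict[int, List[int]],
                     send: List[Vec], recv: List[Vec]) -> Optional[Tuple[float, ...]]:
    """Unit chord from the node to its first non-coincident neighbor, used here as
    the tangent of the attack curve at the node (chord approximation, an assumption).
    A node's position is its concatenated sending and receiving feature vectors."""
    pos = lambda k: tuple(send[k]) + tuple(recv[k])
    p0 = pos(node)
    for nb in neighbors[node]:
        d = tuple(b - a for a, b in zip(p0, pos(nb)))
        n = math.sqrt(sum(x * x for x in d))
        if n > 0.0:
            return tuple(x / n for x in d)
    return None   # isolated node, or every neighbor coincides with it: no direction


if __name__ == "__main__":
    nbrs = neighbor_attack_nodes(SEND_VECTORS, RECV_VECTORS)
    for k in nbrs:
        print(k, nbrs[k], attack_direction(k, nbrs, SEND_VECTORS, RECV_VECTORS))
```

Node 3 is the case the third and fourth conditions exist for: its sending features equal node 0's receiving features and vice versa, so the cross-kind similarities are 1.0 and it is not a neighbor of node 0 even though it "looks like" node 0 mirrored. Node 1 coincides with node 0, so the chord to it is zero-length and the direction is taken from the next neighbor.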
      In one embodiment, acquiring the limit point of the industrial internet at which the defense state in the target network attack direction is converted from the stable state to the fluctuating state comprises the following steps:
      acquiring, from a database, the network structure data of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuating state, and determining a steady-state constraint condition of the industrial internet based on the network structure data of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuating state;
      acquiring the historical intrusion data of the industrial internet from the database, extracting the intrusion time-sequence characteristics of the historical intrusion data, and then acquiring the defense state of the industrial internet at the current moment;
      predicting the defense state of the industrial internet at the next moment based on the intrusion time-sequence characteristics and the defense state at the current moment, acquiring the defense state vector at the current moment from the defense state at the current moment, and acquiring the defense state vector at the next moment from the defense state at the next moment;
      calculating the network attack direction at the next moment based on the defense state vector at the current moment and the defense state vector at the next moment, and extracting the network structure characteristics of the industrial internet at the current moment and the network structure characteristics of the industrial internet when its defense state is fluctuating;
      calculating the similarity between the network structure characteristics at the current moment and the network structure characteristics in the fluctuating state, and verifying, based on the steady-state constraint condition and this similarity, whether the defense state of the industrial internet at the current moment is fluctuating;
      when the defense state at the current moment is fluctuating, generating a state point of the current moment from the defense state vector at the current moment and taking that state point as the limit point;
      and when the defense state at the current moment is stable, taking the next moment as the current moment and repeating the above steps until the defense state of the industrial internet is fluctuating, then generating the state point of that moment from its defense state vector and taking it as the limit point.
      In one embodiment, the defense state of the industrial internet is the stable state when the network structure characteristics of the industrial internet satisfy the steady-state constraint condition and the similarity between the network structure characteristics of the industrial internet and the network structure characteristics of the fluctuating state is less than a similarity threshold; the stable state is the normal defense state of the industrial internet;
      when the network structure characteristics of the industrial internet do not satisfy the steady-state constraint condition and the similarity between the network structure characteristics of the industrial internet and the network structure characteristics of the fluctuating state is greater than or equal to the similarity threshold, the defense state of the industrial internet is the fluctuating state; the fluctuating state is the damaged defense state of the industrial internet;
      when the network structure characteristics of the industrial internet do not satisfy the steady-state constraint condition and the similarity between the network structure characteristics of the industrial internet and the network structure characteristics of the fluctuating state is less than the similarity threshold, the defense state of the industrial internet is the critical state; the critical state lies between the stable state and the fluctuating state. The remaining combination, in which the constraint is satisfied but the similarity is at or above the threshold, is not assigned a state here.
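The limit-point search and the three-way state classification above, as an added Python example that is not the patent's own code. The steady-state constraint, the fluctuating-state reference features, the cosine similarity, the linear-extrapolation predictor standing in for the unspecified next-moment prediction, and every sample value are constructed assumptions. It also fixes a behaviour for the fourth combination the text leaves open (constraint satisfied, similarity at or above the threshold), treating it conservatively as critical.

```python
"""Added example: defense-state classification and limit-point search.

Not code from the patent. The steady-state constraint, the fluctuating-state
reference features, cosine similarity, the linear predictor and all sample
values are constructed assumptions.
"""
import math
from typing import List, Optional, Sequence, Tuple

Vec = Tuple[float, ...]
STABLE, FLUCTUATING, CRITICAL = "stable", "fluctuating", "critical"

# Constructed network structure characteristics: (connectivity ratio, loss rate, alarm score).
FLUCTUATING_FEATURES: Vec = (0.3, 0.3, 1.0)   # structure observed while the defense was fluctuating
SIMILARITY_THRESHOLD = 0.95

# Recorded moments t=0 and t=1 (constructed); later moments are predicted.
STRUCTURE_HISTORY: List[Vec] = [(0.95, 0.01, 0.10), (0.85, 0.06, 0.30)]
DEFENSE_HISTORY: List[Vec] = [(1.0, 0.0), (0.9, 0.1)]     # defense state vectors


def steady_state_constraint(features: Vec) -> bool:
    """Constructed stand-in for the constraint the patent derives from database structure data."""
    connectivity, loss_rate, _ = features
    return connectivity >= 0.8 and loss_rate <= 0.08


def cosine(a: Vec, b: Vec) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


def classify_defense_state(features: Vec, reference: Vec = FLUCTUATING_FEATURES,
                           threshold: float = SIMILARITY_THRESHOLD) -> str:
    """The three cases the embodiment defines, plus the one it leaves open."""
    ok = steady_state_constraint(features)
    sim = cosine(features, reference)
    if ok and sim < threshold:
        return STABLE
    if not ok and sim >= threshold:
        return FLUCTUATING
    if not ok and sim < threshold:
        return CRITICAL
    # Constraint met but similarity at/above threshold is undefined in the text;
    # treating it as critical is this example's (conservative) assumption.
    return CRITICAL


def predict_next(history: Sequence[Vec]) -> Vec:
    """Linear extrapolation from the last two moments (assumed predictor)."""
    if len(history) < 2:
        return tuple(history[-1])
    last, prev = history[-1], history[-2]
    return tuple(l + (l - p) for l, p in zip(last, prev))


def attack_direction(cur: Vec, nxt: Vec) -> Optional[Vec]:
    """Unit vector from the current defense state vector to the next one."""
    d = tuple(n - c for n, c in zip(nxt, cur))
    norm = math.sqrt(sum(x * x for x in d))
    return None if norm == 0.0 else tuple(x / norm for x in d)


def find_limit_point(structure_history: Sequence[Vec], defense_history: Sequence[Vec],
                     max_steps: int = 50):
    """Advance moment by moment until the defense state is fluctuating.
    Returns (moment index, classification trace, limit point, attack direction there),
    or None if the state never becomes fluctuating within max_steps predicted moments."""
    structure, defense = list(structure_history), list(defense_history)
    trace: List[str] = []
    for t in range(len(defense) + max_steps):
        if t >= len(structure):                      # unrecorded moment: predict it
            structure.append(predict_next(structure))
            defense.append(predict_next(defense))
        state = classify_defense_state(structure[t])
        trace.append(state)
        if state == FLUCTUATING:
            nxt = defense[t + 1] if t + 1 < len(defense) else predict_next(defense[: t + 1])
            return t, trace, defense[t], attack_direction(defense[t], nxt)
    return None


if __name__ == "__main__":
    print(find_limit_point(STRUCTURE_HISTORY, DEFENSE_HISTORY))
```

On the constructed series the state passes through stable, then critical (constraint broken but structure still unlike the fluctuating reference), and becomes fluctuating at the fifth moment; the state point there is the limit point and the direction at that moment is the network attack direction the embodiment carries forward.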
      In one embodiment, the target terminal is a terminal device currently accessing the industrial internet; a first terminal is a terminal device that has historically accessed the industrial internet; a second terminal is a terminal device that has exhibited intrusion behavior; and terminal equipment is any device with data transmission and communication functions, including smart phones, smart watches, tablet computers, laptops and desktop computers.
      S2, acquiring the terminal behavior data of the target terminal, and obtaining the terminal receiving data and terminal sending data of the target terminal from its terminal behavior data; extracting the time-sequence characteristics of the terminal sending data of the target terminal and taking them as the first time-sequence behavior characteristics of the target terminal; and extracting the time-sequence characteristics of the terminal receiving data of the target terminal and taking them as the second time-sequence behavior characteristics of the target terminal.
      The terminal behavior data comprises the terminal sending data and the terminal receiving data; the terminal sending data is the data sent by the terminal device to the industrial internet, and the terminal receiving data is the data received by the terminal device from the industrial internet.
      The first time-sequence behavior characteristics comprise the chronologically recorded data transmission characteristics, and the second time-sequence behavior characteristics comprise the chronologically recorded data reception characteristics.
      S3, establishing a behavior prediction function from the first time-sequence behavior characteristics and the second time-sequence behavior characteristics, extracting the first behavior characteristic of the target terminal at the current moment from the first time-sequence behavior characteristics, and then extracting the second behavior characteristic of the target terminal at the current moment from the second time-sequence behavior characteristics.
      The first behavior characteristic is a data transmission characteristic and the second behavior characteristic is a data reception characteristic.
      S4, predicting the first behavior characteristic of the target terminal at the next moment and the second behavior characteristic of the target terminal at the next moment based on the behavior prediction function, the first behavior characteristic of the target terminal at the current moment and the second behavior characteristic of the target terminal at the current moment.
      S5, acquiring the first behavior state vector of the target terminal at the current moment, the second behavior state vector at the current moment, the first behavior state vector at the next moment and the second behavior state vector at the next moment based on, respectively, the first behavior characteristic of the target terminal at the current moment, the second behavior characteristic at the current moment, the first behavior characteristic at the next moment and the second behavior characteristic at the next moment.
      The first behavior state vector characterizes the data transmission state and the second behavior state vector characterizes the data reception state.
      S6, determining the time-sequence running direction of the target terminal at the next moment based on the first behavior state vector of the target terminal at the current moment, the second behavior state vector at the current moment, the first behavior state vector at the next moment and the second behavior state vector at the next moment.
      S7, acquiring the state point of the target terminal at the current moment from the first behavior state vector and the second behavior state vector of the target terminal at the current moment; continuously attacking the defense state of the industrial internet along the time-sequence running direction to obtain the boundary point of the multi-dimensional steady-state domain, calculating the distance between the state point of the target terminal at the current moment and that boundary point, and taking this distance as the domain boundary distance of the target terminal; and intercepting all operation behaviors of the target terminal when its domain boundary distance is smaller than the domain boundary threshold.
      The state point of the target terminal represents the position of the running state of the target terminal in the multi-dimensional steady-state domain, and the boundary point of the multi-dimensional steady-state domain lies on the boundary of that domain.
      The domain boundary threshold is used to identify whether the target terminal exhibits intrusion behavior: when the domain boundary distance of the target terminal is greater than or equal to the domain boundary threshold, the target terminal has no intrusion behavior, and when the domain boundary distance is smaller than the domain boundary threshold, the target terminal has intrusion behavior.
      The method generates the multi-dimensional steady-state domain from the terminal behavior data of the first terminals and the historical intrusion data of the industrial internet, and computes the domain boundary distance between the target terminal and the multi-dimensional steady-state domain from the terminal behavior data of the target terminal in order to decide whether the target terminal is an intrusion terminal. In addition, the invention realizes intrusion detection on the industrial internet platform and intercepts all operation behaviors of the target terminal when it is an intrusion terminal, so as to ensure the safety of data in the industrial internet and avoid economic loss caused by data leakage.
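Steps S2 to S7 for one target terminal, as an added Python example that is not the patent's own code. It takes per-window byte counts as the time-sequence behavior characteristics, uses the features directly as the behavior state vectors, stands in a linear extrapolation for the unspecified behavior prediction function, and models "continuously attacking the defense state along the running direction" as following a ray from the state point until it crosses the boundary of a constructed two-dimensional steady-state domain. The traffic samples, the domain polygon and the domain boundary threshold are all constructed.

```python
"""Added example: domain-boundary distance check for a target terminal (S2-S7).

Not code from the patent. Byte counts as features, linear extrapolation as the
behaviour prediction function, the ray-to-boundary model of "attacking along
the running direction", the sample traffic, the domain polygon and the
threshold are all constructed assumptions.
"""
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]

# Constructed sample traffic for one terminal: bytes sent / received per 10 s window.
SENT_BYTES = [1200, 1300, 1250, 1400, 2600, 4100]
RECV_BYTES = [800, 820, 790, 830, 600, 300]

# Constructed steady-state domain, reduced to two dimensions (sent kB, received kB)
# and given directly by its boundary points (a closed polygon).
STEADY_DOMAIN: List[Point] = [(0.0, 0.0), (5.0, 0.0), (5.0, 2.0), (2.0, 2.0), (0.0, 1.5)]
DOMAIN_BOUNDARY_THRESHOLD = 1.0   # kB, constructed


def timeseries_features(series: Sequence[int]) -> List[float]:
    """S2: the time-sequence behaviour characteristic, here simply kB per window."""
    return [b / 1000.0 for b in series]


def predict_next(features: Sequence[float]) -> float:
    """S3/S4: behaviour prediction function, assumed to be linear extrapolation."""
    if len(features) < 2:
        return features[-1]
    return features[-1] + (features[-1] - features[-2])


def running_direction(cur: Point, nxt: Point) -> Optional[Point]:
    """S6: unit vector from the current state point to the predicted next one."""
    dx, dy = nxt[0] - cur[0], nxt[1] - cur[1]
    n = math.hypot(dx, dy)
    return None if n == 0.0 else (dx / n, dy / n)


def point_in_polygon(p: Point, poly: Sequence[Point]) -> bool:
    """Even-odd rule; the polygon is closed implicitly."""
    inside = False
    x, y = p
    for i in range(len(poly)):
        ax, ay = poly[i]
        bx, by = poly[(i + 1) % len(poly)]
        if (ay > y) != (by > y):
            x_cross = ax + (y - ay) * (bx - ax) / (by - ay)
            if x < x_cross:
                inside = not inside
    return inside


def domain_boundary_distance(origin: Point, direction: Point, poly: Sequence[Point]) -> float:
    """S7: follow the running direction until it crosses the domain boundary and return
    the distance travelled (the domain boundary distance). Outside the domain it is 0.0;
    a ray that never crosses (cannot happen from inside a closed polygon) gives inf."""
    if not point_in_polygon(origin, poly):
        return 0.0
    best = math.inf
    ox, oy = origin
    dx, dy = direction
    for i in range(len(poly)):
        ax, ay = poly[i]
        bx, by = poly[(i + 1) % len(poly)]
        ex, ey = bx - ax, by - ay
        denom = dx * ey - dy * ex            # D x E
        if abs(denom) < 1e-12:
            continue                         # ray parallel to this edge
        wx, wy = ax - ox, ay - oy            # W = A - O
        t = (wx * ey - wy * ex) / denom      # (W x E) / (D x E): distance along the ray
        u = (wx * dy - wy * dx) / denom      # (W x D) / (D x E): position along the edge
        if t >= 0.0 and 0.0 <= u <= 1.0:
            best = min(best, t)
    return best


def assess_terminal(sent: Sequence[int], recv: Sequence[int],
                    poly: Sequence[Point] = STEADY_DOMAIN,
                    threshold: float = DOMAIN_BOUNDARY_THRESHOLD) -> Tuple[Point, float, bool]:
    """Returns (state point, domain boundary distance, intercept?)."""
    f_send = timeseries_features(sent)                 # first time-sequence behaviour characteristic
    f_recv = timeseries_features(recv)                 # second time-sequence behaviour characteristic
    cur: Point = (f_send[-1], f_recv[-1])              # S5: state point at the current moment
    nxt: Point = (predict_next(f_send), predict_next(f_recv))
    direction = running_direction(cur, nxt)            # S6
    if direction is None:
        # Not moving: it never reaches the boundary (assumption), unless already outside.
        dist = 0.0 if not point_in_polygon(cur, poly) else math.inf
    else:
        dist = domain_boundary_distance(cur, direction, poly)   # S7
    return cur, dist, dist < threshold


if __name__ == "__main__":
    print(assess_terminal(SENT_BYTES, RECV_BYTES))
```

The constructed terminal is sending more and more while receiving less, so its running direction points at the right-hand edge of the domain and the boundary distance falls under the threshold, which is the intercept condition of S7; a terminal already outside the domain gets distance 0.0 and is intercepted regardless of direction.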
      Various modifications and alterations of this invention may be made by those skilled in the art without departing from the spirit and scope of this invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
    Claims (7)
    1. An industrial internet intrusion detection method based on big data, characterized in that a multi-dimensional steady-state domain is generated based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet;
      acquiring the terminal behavior data of a target terminal, and obtaining the terminal receiving data and terminal sending data of the target terminal from its terminal behavior data;
      extracting the time-sequence characteristics of the terminal sending data of the target terminal and taking them as the first time-sequence behavior characteristics of the target terminal; extracting the time-sequence characteristics of the terminal receiving data of the target terminal and taking them as the second time-sequence behavior characteristics of the target terminal; the first time-sequence behavior characteristics comprise the chronologically recorded data transmission characteristics, and the second time-sequence behavior characteristics comprise the chronologically recorded data reception characteristics;
      establishing a behavior prediction function based on the first time-sequence behavior characteristics and the second time-sequence behavior characteristics, extracting the first behavior characteristic of the target terminal at the current moment from the first time-sequence behavior characteristics, and then extracting the second behavior characteristic of the target terminal at the current moment from the second time-sequence behavior characteristics; the first behavior characteristic is a data transmission characteristic and the second behavior characteristic is a data reception characteristic;
      predicting the first behavior characteristic of the target terminal at the next moment and the second behavior characteristic of the target terminal at the next moment based on the behavior prediction function, the first behavior characteristic of the target terminal at the current moment and the second behavior characteristic of the target terminal at the current moment;
      acquiring the first behavior state vector of the target terminal at the current moment, the second behavior state vector at the current moment, the first behavior state vector at the next moment and the second behavior state vector at the next moment based on, respectively, the first behavior characteristic of the target terminal at the current moment, the second behavior characteristic at the current moment, the first behavior characteristic at the next moment and the second behavior characteristic at the next moment;
      determining the time-sequence running direction of the target terminal at the next moment based on the first behavior state vector of the target terminal at the current moment, the second behavior state vector at the current moment, the first behavior state vector at the next moment and the second behavior state vector at the next moment;
      acquiring the state point of the target terminal at the current moment from the first behavior state vector and the second behavior state vector of the target terminal at the current moment;
      continuously attacking the defense state of the industrial internet along the time-sequence running direction to obtain the boundary point of the multi-dimensional steady-state domain, calculating the distance between the state point of the target terminal at the current moment and that boundary point, and taking this distance as the domain boundary distance; and intercepting all operation behaviors of the target terminal when the domain boundary distance is smaller than a domain boundary threshold.
    2. The method of claim 1, wherein generating the multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet comprises:
      identifying, from the historical intrusion data of the industrial internet, all first terminals that have intruded on the industrial internet and taking them as second terminals; randomly selecting one second terminal as the target second terminal, and then acquiring the terminal behavior data of the target second terminal;
      obtaining the terminal sending data and terminal receiving data of the target second terminal from its terminal behavior data, and extracting the data characteristics of the terminal sending data and the terminal receiving data of the target second terminal to obtain its terminal sending characteristics and terminal receiving characteristics;
      determining a plurality of network attack directions of the target second terminal based on its terminal sending characteristics and terminal receiving characteristics, continuously attacking the defense state of the industrial internet along the plurality of network attack directions of the target second terminal, and stopping the attack once the defense state of the industrial internet is damaged, to obtain the two-dimensional steady-state domain of the target second terminal;
      selecting another second terminal as the target second terminal and repeating the above steps until all second terminals have been traversed, to obtain the two-dimensional steady-state domain of each second terminal;
      and generating the multi-dimensional steady-state domain from the two-dimensional steady-state domains of all the second terminals.
    3. The method of claim 2, wherein obtaining the two-dimensional steady-state domain of the target second terminal based on the plurality of network attack directions of the target second terminal comprises:
      randomly selecting one network attack direction from the plurality of network attack directions of the target second terminal as the target network attack direction, and continuously attacking the defense state of the industrial internet along the target network attack direction until the defense state of the industrial internet in the target network attack direction is damaged; the defense state of the industrial internet in the target network attack direction being damaged means that it is converted from the stable state to the fluctuating state;
      acquiring the limit point of the industrial internet at which the defense state in the target network attack direction is converted from the stable state to the fluctuating state, and taking that limit point as the defense damage point of the industrial internet in the target network attack direction;
      selecting another network attack direction of the target second terminal as the target network attack direction and repeating the above operation until all network attack directions of the target second terminal have been traversed, to obtain the defense damage point of the industrial internet in each network attack direction of the target second terminal;
      and connecting the defense damage points of the industrial internet in all network attack directions of the target second terminal to obtain the two-dimensional steady-state domain of the target second terminal.
    4. The method of claim 3, wherein determining the plurality of network attack directions of the target second terminal based on its terminal sending characteristics and terminal receiving characteristics comprises:
      generating a sending feature vector from the terminal sending characteristics, generating a receiving feature vector from the terminal receiving characteristics, and identifying a plurality of attack nodes of the target second terminal on the industrial internet based on the sending feature vector and the receiving feature vector;
      acquiring a first node feature vector and a second node feature vector of each attack node, the first node feature vector representing the data transmission features of the attack node and the second node feature vector representing the data reception features of the attack node;
      acquiring all neighbor attack nodes of each attack node based on the first node feature vector and the second node feature vector of that attack node, and connecting each attack node in sequence with its neighbor attack nodes to generate an attack curve for each attack node;
      and taking the tangential direction of the attack curve at each attack node as the network attack direction of that attack node, and then obtaining the plurality of network attack directions of the target second terminal from the network attack directions of all the attack nodes.
    5. The method of claim 4, wherein obtaining the neighbor attack nodes of an attack node based on the first node feature vector and the second node feature vector of the attack node comprises:
      calculating the similarity between the first node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a first proximity value between each attack node and each other attack node;
      calculating the similarity between the second node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a second proximity value between each attack node and each other attack node;
      calculating the similarity between the first node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a third proximity value between each attack node and each other attack node;
      and calculating the similarity between the second node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a fourth proximity value between each attack node and each other attack node.
    6. The method of claim 5, wherein obtaining the neighbor attack nodes of an attack node based on the first node feature vector and the second node feature vector of the attack node further comprises:
      traversing all attack nodes, taking the traversed attack node as the target attack node, and taking the other attack nodes except the target attack node as candidate attack nodes of the target attack node;
      traversing all candidate attack nodes of the target attack node, and taking the traversed candidate attack node as the target candidate attack node;
      comparing the first, second, third and fourth proximity values between the target attack node and the target candidate attack node with a first, second, third and fourth proximity threshold respectively;
      and when the first proximity value between the target attack node and the target candidate attack node is greater than the first proximity threshold, the second proximity value is greater than the second proximity threshold, the third proximity value is less than the third proximity threshold and the fourth proximity value is less than the fourth proximity threshold, taking the target candidate attack node as a neighbor attack node of the target attack node.
    7. The method of claim 6, wherein acquiring the limit point of the industrial internet at which the defense state in the target network attack direction is converted from the stable state to the fluctuating state comprises:
      acquiring, from a database, the network structure data of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuating state, and determining a steady-state constraint condition of the industrial internet based on the network structure data of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuating state;
      acquiring the historical intrusion data of the industrial internet from the database, extracting the intrusion time-sequence characteristics of the historical intrusion data, and then acquiring the defense state of the industrial internet at the current moment;
      predicting the defense state of the industrial internet at the next moment based on the intrusion time-sequence characteristics and the defense state at the current moment, acquiring the defense state vector at the current moment from the defense state at the current moment, and acquiring the defense state vector at the next moment from the defense state at the next moment;
      calculating the network attack direction at the next moment based on the defense state vector at the current moment and the defense state vector at the next moment, and extracting the network structure characteristics of the industrial internet at the current moment and the network structure characteristics of the industrial internet when its defense state is fluctuating;
      calculating the similarity between the network structure characteristics at the current moment and the network structure characteristics in the fluctuating state, and verifying, based on the steady-state constraint condition and this similarity, whether the defense state of the industrial internet at the current moment is fluctuating;
      when the defense state at the current moment is fluctuating, generating a state point of the current moment from the defense state vector at the current moment and taking that state point as the limit point;
      and when the defense state at the current moment is stable, taking the next moment as the current moment and repeating the above steps until the defense state of the industrial internet is fluctuating, then generating the state point of that moment from its defense state vector and taking it as the limit point.
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202110897841.7A CN113691505B (en) | 2021-08-05 | 2021-08-05 | Industrial internet intrusion detection method based on big data | 
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202110897841.7A CN113691505B (en) | 2021-08-05 | 2021-08-05 | Industrial internet intrusion detection method based on big data | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN113691505A true CN113691505A (en) | 2021-11-23 | 
| CN113691505B CN113691505B (en) | 2022-05-24 | 
Family
ID=78578945
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202110897841.7A Active CN113691505B (en) | 2021-08-05 | 2021-08-05 | Industrial internet intrusion detection method based on big data | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN113691505B (en) | 
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US20060288413A1 (en) * | 2005-06-17 | 2006-12-21 | Fujitsu Limited | Intrusion detection and prevention system | 
| WO2015176565A1 (en) * | 2014-05-22 | 2015-11-26 | 袁志贤 (Yuan Zhixian) | Method for predicting faults in electrical equipment based on multi-dimension time series | 
| US20180316701A1 (en) * | 2017-04-26 | 2018-11-01 | General Electric Company | Threat detection for a fleet of industrial assets | 
| CN109951476A (en) * | 2019-03-18 | 2019-06-28 | 中国科学院计算机网络信息中心 | Time-series-based attack prediction method, device and storage medium | 
| CN112637207A (en) * | 2020-12-23 | 2021-04-09 | 中国信息安全测评中心 | A kind of network security situation prediction method and device | 
| CN112668688A (en) * | 2020-12-30 | 2021-04-16 | 江西理工大学 | Intrusion detection method, system, equipment and readable storage medium | 
- 2021-08-05: application CN202110897841.7A filed in CN; granted as CN113691505B (status: active)
Non-Patent Citations (2)
| Title | 
|---|
| Li Xiaodong (李晓东), "Construction of a smart security situation awareness system based on a cloud platform" (基于云平台的智慧安全态势感知系统构建), Journal of Hebei Energy College of Vocation and Technology (河北能源职业技术学院学报) * | 
| Guan Bo (管博), "A multi-step intrusion detection algorithm based on time-sequence correlation" (一种基于时序关联的多步入侵检测算法), China Master's Theses Full-text Database, electronic journal (中国优秀硕士学位论文全文数据库(电子期刊)) * | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN113691505B (en) | 2022-05-24 | 
Similar Documents
| Publication | Title | 
|---|---|
| EP4018346B1 (en) | Data breach detection | 
| CN117544420B (en) | Fusion system safety management method and system based on data analysis | 
| CN113094707B (en) | Lateral movement attack detection method and system based on heterogeneous graph network | 
| Bohara et al. | Intrusion detection in enterprise systems by combining and clustering diverse monitor data | 
| Babun et al. | A system-level behavioral detection framework for compromised CPS devices: Smart-grid case | 
| US20240179155A1 (en) | Method and system for network security situation assessment | 
| CN113452700B (en) | Method, device, equipment and storage medium for processing safety information | 
| Lee et al. | AI-based network security enhancement for 5G industrial internet of things environments | 
| CN112749097B (en) | Performance evaluation method and device for fuzzy test tool | 
| Rosenthal et al. | ARBA: Anomaly and reputation based approach for detecting infected IoT devices | 
| CN113378161A | Security detection method, device, equipment and storage medium | 
| CN113691505B (en) | Industrial internet intrusion detection method based on big data | 
| CN119449426A | Domain name detection method, device and electronic equipment | 
| Banik et al. | Intrusion detection system in smart grid-a review | 
| Varshini et al. | Detection of Data Integrity Attack Using Model and Data‐Driven‐Based Approach in CPPS | 
| Guibene et al. | A data mining-based intrusion detection system for cyber physical power systems | 
| CN118337403A | IOC-based attack path restoration method, device, electronic device and medium | 
| Kang et al. | Multi-dimensional security risk assessment model based on three elements in the IoT system | 
| Laazizi et al. | cybclass: classification approach for cybersecurity in industry 4.0 | 
| CN113691506B (en) | Intelligent medical platform intrusion detection system based on big data and Internet | 
| Nandhini et al. | A Comparison on Feature Selection Methods using Machine Learning Algorithms for improving the Performance Parameters of RPL-BASED IoT Attacks Classification | 
| JP6857627B2 (en) | White list management system | 
| CN111274285A | Alarm correlation method based on information theory | 
| CN119545352B (en) | Security control method, system, medium and product applied to communication base station | 
| CN117896186B (en) | Vulnerability scanning method, system and storage medium based on log analysis | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | PB01 | Publication | | 
| | SE01 | Entry into force of request for substantive examination | | 
| 2022-05-05 | TA01 | Transfer of patent application right | Applicant before: Li Yang, 610000 Financial City, north section of Tianfu Avenue, Wuhou District, Chengdu, Sichuan. Applicant after: GU'AN JULONG AUTOMATION EQUIPMENT Co.,Ltd., 065500 North District of Gu'an Industrial Park, Langfang City, Hebei Province | 
| | GR01 | Patent grant | | 