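Abstract:
Industrial control systems are tightly coupled to the physical environment, and an attack on them directly causes consequences such as economic loss and casualties; intrusion detection for industrial control systems can provide effective security protection. In industrial control systems, intrusion detection is treated as an anomaly detection problem, and this paper studies intrusion detection for industrial control systems based on PU learning (positive-unlabeled learning). First, to address the high dimensionality of data in industrial control systems, a feature importance calculation method is proposed that measures feature importance by the distribution difference between the positive data set and the unlabeled data set, for use in feature selection for PU learning. Second, a class prior estimation algorithm based on OCSVM (One-Class SVM) is proposed; the algorithm can estimate the class prior probability stably and accurately, providing the necessary prior knowledge for PU learning. Finally, experiments are carried out on three public data sets: with only one class of labeled data available, PU learning is used to find the abnormal samples in the data to be detected, and a comparison with several existing models verifies the effectiveness of PU learning.
Keywords: industrial control system; intrusion detection; PU learning; class prior probability estimation
DOI: 10.19363/J.cnki.cn10-1380/tn.2021.07.05
Received: September 02, 2020; Revised: December 02, 2020
Funding: This work was supported by the National Defense Basic Scientific Research Program (No. JCKY2019608B001).
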
A PU learning intrusion detection method for industrial control system |
LV Sicai,ZHANG Ge,ZHANG Yaofang,LIU Hongri,WANG Zibo,WANG Bailing |
School of Computer Science and Technology, Harbin Institute of Technology at Weihai, Weihai 264209, China; Research Institute of CyberSpace Security, Harbin Institute of Technology, Weihai 264209, China; China Industrial Control Systems Cyber Emergency Response Team, Beijing 100040, China
Abstract: |
Industrial control systems are closely tied to the physical environment, so attacks on them directly cause economic losses, casualties and other consequences. An intrusion detection system can provide effective security protection. In industrial control systems, intrusion detection is treated as an anomaly detection problem. This paper studies intrusion detection through PU learning (positive-unlabeled learning). First, because data in industrial control systems is high-dimensional, a feature importance calculation method is proposed: feature importance is measured by the distribution difference between the positive data set and the unlabeled data set, and is used for feature selection in PU learning. Second, a class prior estimation algorithm based on OCSVM (One-Class SVM) is proposed. This algorithm estimates the class prior stably and accurately, providing the prior knowledge that PU learning requires. Finally, three public data sets were used for experiments. With only one class of labeled data available, abnormal samples in the data to be detected were found through PU learning. PU learning is also compared with some existing models to verify its effectiveness.
Key words: industrial control system; intrusion detection; positive-unlabeled learning; class prior estimation
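
An added illustration (not the paper's code) of the first step the abstract describes: scoring each feature by how differently it is distributed in the positive set and in the unlabeled set, then keeping the top-scoring features. The abstract does not say which difference measure the paper uses, so the two-sample Kolmogorov-Smirnov statistic is assumed here; the function names, the constructed sensor data, and the reading of "positive" as normal operation are also assumptions.

```python
# Added illustration. Assumption: the two-sample Kolmogorov-Smirnov statistic
# stands in for the paper's importance measure, which the abstract omits.
import random


def ks_statistic(a, b):
    """Largest gap between the empirical CDFs of samples a and b."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    gap = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] <= x:  # step both CDFs past x (handles ties)
            i += 1
        while j < len(b) and b[j] <= x:
            j += 1
        gap = max(gap, abs(i / len(a) - j / len(b)))
    return gap


def feature_importance(positive, unlabeled):
    """One score per feature; rows are samples, columns are features."""
    return [ks_statistic([r[k] for r in positive], [r[k] for r in unlabeled])
            for k in range(len(positive[0]))]


def select_features(positive, unlabeled, top_k):
    """Indices of the top_k most important features, plus all scores."""
    scores = feature_importance(positive, unlabeled)
    order = sorted(range(len(scores)), key=lambda k: scores[k], reverse=True)
    return order[:top_k], scores


def make_constructed_data(seed=7, n=1000, hidden_fraction=0.3):
    """Constructed data: feature 0 shifts under attack, features 1 and 2 do not."""
    rng = random.Random(seed)
    def normal():
        return [rng.gauss(50, 2), rng.gauss(0, 1), rng.gauss(10, 5)]
    def attack():
        return [rng.gauss(65, 2), rng.gauss(0, 1), rng.gauss(10, 5)]
    positive = [normal() for _ in range(n)]        # labeled: normal operation only
    unlabeled = [attack() if rng.random() < hidden_fraction else normal()
                 for _ in range(n)]                # mix with hidden attack samples
    return positive, unlabeled


if __name__ == "__main__":
    P, U = make_constructed_data()
    print(select_features(P, U, top_k=1))
```

On this constructed data the score of feature 0 comes out close to the fraction of hidden attack samples in the unlabeled set, while the uninformative features score near zero.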