Journal of Computer Applications (计算机应用), 2018, Vol. 38, Issue (2): 363-369. DOI: 10.11772/j.issn.1001-9081.2017061509

• Cyberspace Security •

Intrusion detection method for industrial control networks combining white-list filtering and a neural network

CHEN Wanzhi, LI Dongzhe

  1. School of Electronics and Information Engineering, Liaoning Technical University, Huludao, Liaoning 125105, China
  • Received: 2017-06-19 Revised: 2017-08-10 Online: 2018-02-10 Published: 2018-02-10
  • Corresponding author: LI Dongzhe
  • About the authors: CHEN Wanzhi (born 1977), male, from Fuxin, Liaoning; associate professor, Ph.D., CCF member; main research interests: artificial intelligence, computer process control. LI Dongzhe (born 1991), female, from Fuxin, Liaoning; master's student; main research interests: artificial intelligence, industrial control system network security.
  • Supported by:
    Natural Science Foundation of Liaoning Province (2015020098); Doctoral Startup Foundation of Liaoning Technical University (2015-1147); Serving Local Project of the Liaoning Provincial Department of Education (LJ2017FAL009).

Intrusion detection method in industrial control network combining white list filtering and neural network

CHEN Wanzhi, LI Dongzhe   

  1. School of Electronics and Information Engineering, Liaoning Technical University, Huludao Liaoning 125105, China
  • Received:2017-06-19 Revised:2017-08-10 Online:2018-02-10 Published:2018-02-10
  • Supported by:
    This work is partially supported by the Natural Science Foundation of Liaoning Province (2015020098), the Doctoral Startup Foundation of Liaoning Technical University (2015-1147), and the Serving Local Project of the Liaoning Provincial Department of Education (LJ2017FAL009).

Abstract (translated from the Chinese): Anomalies in industrial control networks consist partly of known abnormal communication behaviours and partly of unknown ones. The white-list method detects the known abnormal behaviours held in its rule library effectively, but its detection rate for unknown abnormal communication behaviours is low. To raise the detection rate while fully mining the available information, an intrusion detection method named AMPSO-BP, which combines white-list filtering with an unsupervised neural-network learning algorithm, is proposed and deployed on the router between the management-network and industrial-network servers. First, the white-list technique performs a first filtering pass, removing communication behaviours that do not match the white-list rule library; second, the results of offline unsupervised sample training of the neural network perform a second filtering pass over the communications the white list has trusted, picking out the abnormal ones. The neural network raises the detection rate under incomplete information, and its detection results are used to keep improving the white-list rule library, raising the detection rate for abnormal cross-network communication. The adaptive-mutation particle swarm optimization (AMPSO) algorithm serves as the training function of the BP neural network: an adaptive mutation step is added to the particle swarm optimization (PSO) algorithm so that training does not fall prematurely into a local optimum. Two data sets were used for training and testing; the experimental results show that the detection method combining AMPSO-BP with the white list achieves higher accuracy than the one combining PSO-BP with the white list.

Keywords: industrial control network, white list, BP neural network algorithm, intrusion detection, particle swarm optimization algorithm

Abstract: In an industrial control network, communication anomalies include both known and unknown abnormal behaviours. The white-list method can effectively detect the known abnormal behaviours held in its rule library, but its detection rate for unknown abnormal behaviours is low. To improve the detection rate while fully mining the valid information, an intrusion detection method named AMPSO-BP, which combines white-list filtering with an unsupervised neural-network learning algorithm, was proposed and applied on the routers between the servers of the management network and the industrial network. Firstly, white-list technology was used for a first filtering pass, removing communication behaviours that could not be matched against the white-list rule base; then the results of offline unsupervised sample training of the neural network were used for a second filtering pass, picking out abnormal communication among the behaviours the white list had trusted. The neural network was used to improve the detection rate under incomplete information, and the white-list rule library was continually refined according to the neural network's detection results, raising the detection rate for abnormal communication across the networks. The Particle Swarm Optimization algorithm with Adaptive Mutation (AMPSO) was used as the training function of the BP (Back Propagation) neural network: an adaptive mutation process was added to the Particle Swarm Optimization (PSO) algorithm to avoid falling prematurely into a local optimum during training. Two groups of training and testing data sets were used in the experiments. The experimental results show that the detection accuracy of AMPSO-BP combined with the white list is higher than that of PSO-BP combined with the white list.

Key words: industrial control network, white list, Back Propagation (BP) neural network algorithm, intrusion detection, Particle Swarm Optimization (PSO) algorithm
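The two-stage pipeline the abstract describes (white-list pass, then a BP-style network whose weights are trained by PSO with adaptive mutation), as an added illustration in Python. This is not the paper's code: the abstract gives no rule format, flow features, network size or mutation schedule, so the 4-tuple rules, the three flow features, the 3-4-1 network and the diversity-driven mutation rate below are all constructed assumptions, as are the sample flows.

```python
# Two-stage ICS anomaly filter: white-list rules, then a small BP-style network
# trained by PSO with adaptive mutation (AMPSO). Added illustration; rules,
# flows, features and parameters are constructed assumptions, not the paper's.
import math
import random

# Stage 1: allowed (src, dst, proto, dst_port) tuples from management-network
# servers to industrial devices (constructed rule library).
WHITELIST = {
    ("10.0.1.10", "10.0.2.20", "tcp", 502),    # SCADA server -> PLC, Modbus/TCP
    ("10.0.1.11", "10.0.2.20", "tcp", 502),    # engineering station -> PLC
    ("10.0.1.10", "10.0.2.21", "tcp", 20000),  # SCADA server -> RTU, DNP3
}

def whitelist_filter(flows, rules=WHITELIST):
    """First pass: flows matching no rule are rejected, the rest are trusted."""
    trusted, rejected = [], []
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["port"])
        (trusted if key in rules else rejected).append(f)
    return trusted, rejected

# Stage 2: network scored on trusted flows only. Constructed features:
# packets/s, mean packet length and share of write operations, scaled to ~[0,1].
def features(f):
    return [f["pps"] / 100.0, f["mean_len"] / 1500.0, f["write_ratio"]]

N_IN, N_HID = 3, 4
N_W = N_IN * N_HID + N_HID + N_HID + 1  # weights and biases of a 3-4-1 network

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, x))))

def predict(w, x):
    """Forward pass; returns an anomaly score in (0, 1)."""
    hidden = [sigmoid(w[N_IN * N_HID + j] + sum(w[j * N_IN + i] * x[i] for i in range(N_IN)))
              for j in range(N_HID)]
    base = N_IN * N_HID + N_HID
    return sigmoid(w[base + N_HID] + sum(w[base + j] * hidden[j] for j in range(N_HID)))

def mse(w, data):
    return sum((predict(w, x) - y) ** 2 for x, y in data) / len(data)

def ampso_train(data, n_particles=30, iters=300, seed=7):
    """PSO over the weight vector plus mutation of the global best, whose rate
    rises as the swarm contracts (where plain PSO stalls in a local minimum).
    Returns (weights, best MSE of the initial swarm, final MSE)."""
    rng = random.Random(seed)
    pos = [[rng.uniform(-1, 1) for _ in range(N_W)] for _ in range(n_particles)]
    vel = [[0.0] * N_W for _ in range(n_particles)]
    pbest, pfit = [p[:] for p in pos], [mse(p, data) for p in pos]
    g = min(range(n_particles), key=pfit.__getitem__)
    gbest, gfit = pbest[g][:], pfit[g]
    initial_fit = gfit
    d0 = sum(math.dist(p, gbest) for p in pos) / n_particles  # initial spread
    inertia, c1, c2, v_max = 0.7, 1.5, 1.5, 1.0
    for _ in range(iters):
        for k in range(n_particles):
            for d in range(N_W):
                v = (inertia * vel[k][d] + c1 * rng.random() * (pbest[k][d] - pos[k][d])
                     + c2 * rng.random() * (gbest[d] - pos[k][d]))
                vel[k][d] = max(-v_max, min(v_max, v))
                pos[k][d] += vel[k][d]
            fit = mse(pos[k], data)
            if fit < pfit[k]:
                pbest[k], pfit[k] = pos[k][:], fit
                if fit < gfit:
                    gbest, gfit = pos[k][:], fit
        spread = sum(math.dist(p, gbest) for p in pos) / n_particles
        p_mut = 0.5 * (1.0 - min(1.0, spread / d0))  # adaptive mutation rate
        if rng.random() < p_mut:
            cand = [x + rng.gauss(0.0, 0.5) for x in gbest]
            cfit = mse(cand, data)
            if cfit < gfit:
                gbest, gfit = cand, cfit
    return gbest, initial_fit, gfit

def second_filter(trusted, w, threshold=0.5):
    """Second pass: white-listed flows the network still scores as anomalous."""
    return [f for f in trusted if predict(w, features(f)) > threshold]

def flow(src, dst, port, pps, mean_len, write_ratio, label=None):
    return {"src": src, "dst": dst, "proto": "tcp", "port": port, "pps": pps,
            "mean_len": mean_len, "write_ratio": write_ratio, "label": label}

# Constructed offline training set: routine polling (0) vs. write floods (1).
TRAIN_FLOWS = [flow("10.0.1.10", "10.0.2.20", 502, 10, 80, 0.10, 0),
               flow("10.0.1.11", "10.0.2.20", 502, 15, 90, 0.05, 0),
               flow("10.0.1.10", "10.0.2.21", 20000, 20, 120, 0.10, 0),
               flow("10.0.1.10", "10.0.2.20", 502, 300, 1200, 0.90, 1),
               flow("10.0.1.10", "10.0.2.21", 20000, 400, 1350, 0.95, 1),
               flow("10.0.1.11", "10.0.2.20", 502, 150, 750, 0.70, 1)]
TRAIN = [(features(f), f["label"]) for f in TRAIN_FLOWS]

# Constructed live traffic: two normal flows, one unknown 4-tuple (unlisted host,
# port 44818) and one write flood hiding behind an allowed tuple.
LIVE_FLOWS = [flow("10.0.1.10", "10.0.2.20", 502, 11, 82, 0.10),
              flow("10.0.1.10", "10.0.2.21", 20000, 18, 110, 0.10),
              flow("10.0.1.99", "10.0.2.20", 44818, 5, 60, 0.00),
              flow("10.0.1.11", "10.0.2.20", 502, 280, 1100, 0.85)]

def run_pipeline(flows=LIVE_FLOWS):
    """Return (rejected by white list, flagged by network, final training MSE)."""
    trusted, rejected = whitelist_filter(flows)
    w, _, final_mse = ampso_train(TRAIN)
    return rejected, second_filter(trusted, w), final_mse
```

Calling `run_pipeline()` returns the unknown 4-tuple from the first pass and the write flood from the second. The point the abstract makes is visible in the split: the flood matches an allowed rule, so only the trained network catches it, and flows like it are what an operator would feed back into the rule library. The mutation rate here is tied to how tightly the swarm has gathered around the global best, which is one simple way to "adapt" it; the paper's own criterion is not given in the abstract.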
