Intrusion detection method for industrial control system with optimized support vector machine and K-means++
CHEN Wanzhi, XU Dongsheng, ZHANG Jing, TANG Yu
Journal of Computer Applications    2019, 39 (4): 1089-1094.   DOI: 10.11772/j.issn.1001-9081.2018091932
To address the low detection rate and slow detection speed of traditional single-algorithm detection models against different types of attacks in industrial control systems, an intrusion detection model combining an optimized Support Vector Machine (SVM) with the K-means++ algorithm was proposed. Firstly, the original dataset was preprocessed by Principal Component Analysis (PCA) to eliminate its correlation. Secondly, an adaptive mutation process was added to the Particle Swarm Optimization (PSO) algorithm to avoid falling into a local optimal solution during training. Thirdly, the PSO with Adaptive Mutation (AMPSO) algorithm was used to optimize the kernel function and penalty parameters of the SVM. Finally, a K-means algorithm improved by the density center method was combined with the optimized SVM to form the intrusion detection model, achieving anomaly detection for industrial control systems. The experimental results show that the proposed method can significantly improve the detection speed and the detection rate for various attacks.
Intrusion detection method in industrial control network combining white list filtering and neural network
CHEN Wanzhi, LI Dongzhe
Journal of Computer Applications    2018, 38 (2): 363-369.   DOI: 10.11772/j.issn.1001-9081.2017061509
In an industrial control network, network communication contains both known and unknown anomalous behaviors. The white list method can effectively detect the known abnormal behaviors in the rule library, but its detection rate for unknown anomalous behaviors is low. To improve the detection rate while fully mining the valid information, an intrusion detection method combining white list filtering with a neural network unsupervised learning algorithm, named AMPSO-BP, was proposed for application on routers between the servers of the management network and the industrial network. First, white list technology was used to filter out communication behaviors that did not match the white list rule base; second, the results of offline unsupervised training of the neural network on samples were used to filter out abnormal communication behaviors that the white list trusted. The neural network was used to improve the detection rate under incomplete information, and the white list rule library was continually improved according to the neural network detection results, raising the detection rate for abnormal communication over the network. The Particle Swarm Optimization algorithm with Adaptive Mutation (AMPSO) was used as the training function for the BP (Back Propagation) neural network; the adaptive mutation process was added to the Particle Swarm Optimization (PSO) algorithm to avoid falling prematurely into a local optimal solution during training. Two groups of training and testing data sets were used in the experiment. The experimental results show that the detection accuracy of AMPSO-BP combined with the white list is higher than that of PSO-BP combined with the white list.