  • LV Sicai, ZHANG Ge, ZHANG Yaofang, LIU Hongri, WANG Zibo, WANG Bailing. A PU learning intrusion detection method for industrial control system[J]. Journal of Cyber Security, 2021, 6(4): 72-89
A PU learning intrusion detection method for industrial control system
LV Sicai1,2, ZHANG Ge3, ZHANG Yaofang1,2, LIU Hongri1,2, WANG Zibo1,2, WANG Bailing1,2
(1. School of Computer Science and Technology, Harbin Institute of Technology at Weihai, Weihai 264209, China; 2. Research Institute of CyberSpace Security, Harbin Institute of Technology, Weihai 264209, China; 3. China Industrial Control Systems Cyber Emergency Response Team, Beijing 100040, China)
Industrial control systems are closely coupled to the physical environment, so attacks on them directly cause economic losses, casualties and other consequences. Intrusion detection for industrial control systems can provide effective security protection. In industrial control systems, intrusion detection is treated as an anomaly detection problem, and this paper studies intrusion detection for industrial control systems based on PU learning (positive-unlabeled learning). First, to address the high dimensionality of data in industrial control systems, a feature importance calculation method is proposed: feature importance is measured by the difference in distribution between the positive data set and the unlabeled data set, and is used for feature selection in PU learning. Second, a class prior estimation algorithm based on OCSVM (One-Class SVM) is proposed. This algorithm estimates the class prior probability stably and accurately, providing the prior knowledge that PU learning requires. Finally, experiments were carried out on three public data sets. With only one class of labeled data available, PU learning was used to find the abnormal samples in the data to be detected, and it was compared with some existing models to verify its effectiveness.
Key words:  industrial control system  intrusion detection  positive-unlabeled learning  class prior estimation