Authors: 吕思才 (LV Sicai) [1]; 张格 (ZHANG Ge); 张耀方 (ZHANG Yaofang); 刘红日 (LIU Hongri); 王子博 (WANG Zibo) [1,3]; 王佰玲 (WANG Bailing)
Affiliations: [1] School of Computer Science and Technology, Harbin Institute of Technology at Weihai, Weihai 264209, China; [2] China Industrial Control Systems Cyber Emergency Response Team, Beijing 100040, China; [3] Research Institute of CyberSpace Security, Harbin Institute of Technology, Weihai 264209, China
Source: 《信息安全学报》 (Journal of Cyber Security), 2021, No. 4, pp. 72-89 (18 pages)
Funding: Supported by the National Defense Basic Scientific Research Program (No. JCKY2019608B001).
Abstract: Industrial control systems are closely coupled to the physical environment, so attacks on them directly cause economic losses, casualties and other consequences. Intrusion detection for industrial control systems can provide effective security protection. In industrial control systems, intrusion detection is treated as an anomaly detection problem, and this paper studies intrusion detection for industrial control systems based on PU learning (positive-unlabeled learning). First, because data in industrial control systems is high-dimensional, a feature importance calculation method is proposed: feature importance is measured by the difference in distribution between the positive data set and the unlabeled data set, and is used for feature selection in PU learning. Second, a class prior estimation algorithm based on OCSVM (One-Class SVM) is proposed. This algorithm estimates the class prior stably and accurately, providing the prior knowledge that PU learning requires. Finally, three public data sets were used for experiments. With labeled data available for only one class, abnormal samples in the data to be detected were found through PU learning, and PU learning was compared with some existing models to verify its effectiveness.
Keywords: industrial control system; intrusion detection; PU learning; class prior estimation
Classification number: TP393.0 [Automation and Computer Technology: Computer Application Technology]