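Authors: Wang Zepeng; Ma Chao [1,2]; Zhang Zhuangzhuang; Wu Libing [1,2]; Shi Xiaochuan [1,2] (School of Cyber Science Engineering-WHU, Wuhan University 430072; Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072)
Affiliations: [1] School of Cyber Science and Engineering, Wuhan University, Wuhan 430072 [2] Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2024, No. 10, pp. 2404-2416, 13 pages
Funding: National Key Research and Development Program of China (2021YFB3101100); National Natural Science Foundation of China (62272352); Key Research and Development Program of Hubei Province (2021BAA039); Natural Science Foundation of Hubei Province (2022CFB012).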
Abstract: In recent years, the industrial control network has been developing rapidly. The advantages of digitization, intelligence, and automation have brought significant benefits to the industry while also introducing increasingly complex and variable attack threats. In the context of data element security, timely detection and response to industrial control network threats have become an urgent task to be solved. By continuously monitoring and analyzing the data flow in industrial control networks, the problem of industrial control network threat detection can be transformed into a time series anomaly detection problem. However, the existing time-series anomaly detection methods are limited by the quality of industrial control network datasets and are often sensitive to only a single type of anomaly while ignoring other anomalies. Therefore, in this paper, we propose a deep reinforcement learning and data augmentation based threat detection method in industrial control networks (DELTA). DELTA introduces a novel data augmentation selection technique for time series datasets, which allows for the selection of appropriate data augmentation operation sets tailored to different baseline models to enhance the quality of the industrial control network time series datasets. Simultaneously, deep reinforcement learning algorithms (A2C/PPO) dynamically select candidate models from the baseline models at different time points, leveraging multiple types of anomaly detection models to address the issue of sensitivity to single-type anomalies. The experimental results compared with the existing time series anomaly detection models show that DELTA has a significant improvement in accuracy and F1 value over all baseline models at an acceptable cost of additional time consumption, which verifies the effectiveness and practicality of the method.
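Keywords: industrial control network; data element security; time series; anomaly detection; deep reinforcement learning; data augmentation; model selection
Classification: TP391 [Automation and Computer Technology: Computer Application Technology]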