Detection of Abnormal Traffic in Industrial Control Network Based on LSTM Network
TIAN Wei-Hong 1,2, LI Xi-Wang 2, SI Zhi-Jian 2,3
1. University of Chinese Academy of Sciences, Beijing 100049, China;
2. Shenyang Institute of Computing Technology, Chinese Academy of Sciences, Shenyang 110168, China;
3. State Grid Liaoning Electric Power Co. Ltd., Shenyang 110004, China
Foundation item: National Science and Technology Major Program (2017ZX01030-201)
Abstract: To address the low recognition accuracy and low recognition efficiency of current abnormal-traffic detection methods for industrial control networks, and drawing on the periodic character of industrial control network traffic, this study proposes an abnormal-traffic detection model based on Long Short-Term Memory (LSTM) time-series prediction. The model takes an LSTM network as its core and uses the normal historical traffic sequence of the preceding 15 minutes to predict the traffic value at the next moment. Given an accuracy of 98.12% on the test set, the model's predicted value can be treated as the normal value; an anomaly is flagged by comparing the actual value with the predicted value. Because the predicted value is computed in advance, the method greatly improves detection efficiency without reducing recognition accuracy.
Key words: Long Short-Term Memory (LSTM) networks; time-series prediction; industrial control networks; abnormal traffic detection; traffic sequence
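The detection procedure the abstract describes (predict the next value from the preceding 15 minutes of normal traffic, then compare the actual value with the prediction) as an added worked example; this is not the paper's code. The paper's predictor is a trained LSTM, and training one is out of scope here, so a stand-in predictor is used (an assumption): the mean of the samples seen at the same phase of earlier cycles inside the window. The threshold rule (k times the RMSE of the predictor on normal traffic, derived from the MSE of equation (4)) is also an assumption, since the page does not state one. All traffic values, the 5-minute cycle and the injected burst are constructed.

```python
"""Sliding-window anomaly detection over a traffic time series.

Added example, not the paper's code. The predictor below is a stand-in
(assumption) for the paper's trained LSTM; the k * RMSE threshold rule is
also an assumption. All traffic values are constructed.
"""
import math
from typing import Callable, List, Optional

WINDOW = 15   # minutes of history per prediction, as in the paper
PERIOD = 5    # assumed cycle length of the constructed traffic, in minutes
PATTERN = [100.0, 120.0, 80.0, 90.0, 110.0]   # constructed packets/min over one cycle

Predictor = Callable[[List[float]], float]


def make_traffic(minutes: int = 40, spike_at: Optional[int] = None,
                 spike: float = 60.0) -> List[float]:
    """Constructed series: the periodic pattern plus a small deterministic
    jitter, optionally with one burst injected to stand in for abnormal traffic."""
    series = [PATTERN[i % PERIOD] + ((i % 3) - 1) for i in range(minutes)]
    if spike_at is not None:
        series[spike_at] += spike
    return series


def periodic_baseline(window: List[float], period: int = PERIOD) -> float:
    """Stand-in predictor: average of the values one, two, ... periods back.
    In the paper's model a trained LSTM takes this role."""
    same_phase = window[-period::-period]
    return sum(same_phase) / len(same_phase)


def predictions(series: List[float], predict: Predictor = periodic_baseline,
                window: int = WINDOW) -> List[float]:
    """Predicted value for each index >= window, computed from the preceding window only."""
    return [predict(series[i - window:i]) for i in range(window, len(series))]


def calibrate_threshold(normal: List[float], k: float = 3.0,
                        predict: Predictor = periodic_baseline,
                        window: int = WINDOW) -> float:
    """Threshold = k * RMSE of the predictor on traffic known to be normal
    (RMSE is the square root of the MSE of equation (4)). Assumed rule."""
    actual = normal[window:]
    preds = predictions(normal, predict, window)
    mse = sum((a - p) ** 2 for a, p in zip(actual, preds)) / len(actual)
    return k * math.sqrt(mse)


def detect(series: List[float], threshold: float,
           predict: Predictor = periodic_baseline,
           window: int = WINDOW) -> List[int]:
    """Indices whose actual value departs from the prediction by more than the
    threshold. A flagged value is replaced in the history by its prediction,
    so the window fed to the predictor stays 'normal historical traffic' and
    one burst does not poison the predictions one cycle later."""
    history = list(series[:window])       # warm-up window assumed clean
    anomalies = []
    for i in range(window, len(series)):
        pred = predict(history[-window:])
        actual = series[i]
        if abs(actual - pred) > threshold:
            anomalies.append(i)
            history.append(pred)
        else:
            history.append(actual)
    return anomalies


NORMAL = make_traffic()                 # 40 minutes of constructed normal traffic
ABNORMAL = make_traffic(spike_at=30)    # same traffic with a burst at minute 30

if __name__ == "__main__":
    thr = calibrate_threshold(NORMAL)
    print(f"threshold = {thr:.3f}")
    print("anomalies in normal traffic:", detect(NORMAL, thr))
    print("anomalies with burst at minute 30:", detect(ABNORMAL, thr))
```

The history-sanitising step in `detect` matters in practice: without it, a burst at minute 30 would enter the window used at minute 35 and produce a second, spurious alert one cycle later, whatever predictor is used.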

1 Current State of Industrial Control Networks

2 Design of the LSTM Network Model

2.1 Abnormal Traffic Detection Process

2.2 Feature Construction

Figure 1 Abnormal traffic detection process

2.3 Model Training

3 LSTM Network Structure and Parameter Update

3.1 Overall Network Structure

The LSTM network structure is obtained by adding a gating mechanism to the RNN. The RNN[15] handles ordered input sequences of variable length well. Its forward propagation is shown in Figure 3: the update of the network weights depends not only on the adjustment of the parameter $w$ by the sample input ${x}_{t}$ at each time step $t$, but also on the adjustment made by the hidden state ${h}_{t-1}$ computed and stored before time $t$. Compared with the traditional RNN, LSTM[16] still essentially computes the output ${y}_{t}$ and the hidden state ${h}_{t}$ at time $t$ from the input ${x}_{t}$ at time $t$ and the hidden state ${h}_{t-1}$ at time $t-1$. Because of the gating mechanism, however, the LSTM network is better suited to long-dependency problems, learns the periodic regularities of industrial control networks more easily, and more readily identifies attack types produced by the joint effect of multiple packets.

Figure 2 Feature construction process

Figure 3 RNN forward propagation process

Figure 4 Time-unrolled LSTM neural network

3.2 Parameter Update Process

Compared with the RNN, the LSTM network adds a memory cell that stores long-term memory and an input gate that remembers the input information at time $t$. When a new sample arrives, the network does not fully learn and memorise all of its features; instead it automatically learns how much of the useful information in it can be used for the prediction at time $N+1$. The forget gate selectively forgets some past information and thus controls the internal information. The output gate controls the output information. The addition of these three gate units makes the LSTM network less prone to the vanishing-gradient problem when its parameters are updated by gradient descent. The logical structure of the three gates is shown in Figure 5.

Figure 5 LSTM network gating mechanism

$i_t = \sigma\left(w_i \cdot [h_{t-1}, x_t] + b_i\right)$ (1)

$C_t = f_t * C_{t-1} + i_t * \tilde{C}_t$ (2)

$h_t = o_t * \tanh\left(C_t\right)$ (3)

$\mathrm{MSE}\left(y, y'\right) = \dfrac{\displaystyle\sum_{i=1}^{n} \left(y_i - y_i'\right)^2}{n}$ (4)
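One forward step of an LSTM cell written out from equations (1) to (3), the unrolling over time of Figure 4, and the MSE loss of equation (4), as an added example that is not the paper's code. The page prints only the input gate, the cell state and the hidden state; the forget gate $f_t$, the output gate $o_t$ and the candidate state $\tilde{C}_t$ used below follow the standard LSTM formulation, which is an assumption. Weights are plain Python lists so the step runs without numpy; the sample weights, biases and inputs are constructed.

```python
"""One LSTM forward step from equations (1)-(3) plus the MSE of equation (4).

Added example, not the paper's code. The forget gate, output gate and
candidate state use the standard LSTM formulation (assumption); weights
and inputs are constructed.
"""
import math
from typing import List, Tuple

Vector = List[float]
Matrix = List[List[float]]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def affine(w: Matrix, v: Vector, b: Vector) -> Vector:
    """w . v + b, with w stored as rows: one row per hidden unit."""
    return [sum(wij * vj for wij, vj in zip(row, v)) + bi for row, bi in zip(w, b)]


class LSTMCell:
    """Each gate acts on the concatenation [h_{t-1}, x_t] of equation (1), so
    every weight row has n_hidden + n_in columns (hidden columns first).
    All parameters start at zero; callers set them directly."""

    def __init__(self, n_in: int, n_hidden: int):
        self.n_in, self.n_hidden = n_in, n_hidden

        def zeros() -> Matrix:
            return [[0.0] * (n_hidden + n_in) for _ in range(n_hidden)]

        self.w_i, self.b_i = zeros(), [0.0] * n_hidden   # input gate, equation (1)
        self.w_f, self.b_f = zeros(), [0.0] * n_hidden   # forget gate (assumed standard form)
        self.w_o, self.b_o = zeros(), [0.0] * n_hidden   # output gate (assumed standard form)
        self.w_c, self.b_c = zeros(), [0.0] * n_hidden   # candidate state (assumed standard form)

    def step(self, x_t: Vector, h_prev: Vector, c_prev: Vector) -> Tuple[Vector, Vector]:
        z = h_prev + x_t                                                  # [h_{t-1}, x_t]
        i_t = [sigmoid(v) for v in affine(self.w_i, z, self.b_i)]         # equation (1)
        f_t = [sigmoid(v) for v in affine(self.w_f, z, self.b_f)]         # forget gate
        o_t = [sigmoid(v) for v in affine(self.w_o, z, self.b_o)]         # output gate
        c_tilde = [math.tanh(v) for v in affine(self.w_c, z, self.b_c)]   # candidate state
        # equation (2): keep part of the old memory, add part of the new candidate
        c_t = [f * cp + i * ct for f, cp, i, ct in zip(f_t, c_prev, i_t, c_tilde)]
        # equation (3): expose part of the memory as the hidden state
        h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
        return h_t, c_t

    def run(self, xs: List[Vector]) -> List[Vector]:
        """Unroll over a sequence (Figure 4): h_t and C_t carry across steps."""
        h, c = [0.0] * self.n_hidden, [0.0] * self.n_hidden
        outputs = []
        for x in xs:
            h, c = self.step(x, h, c)
            outputs.append(h)
        return outputs


def mse(y: Vector, y_pred: Vector) -> float:
    """Equation (4): mean squared error between actual and predicted values."""
    return sum((a - b) ** 2 for a, b in zip(y, y_pred)) / len(y)


if __name__ == "__main__":
    cell = LSTMCell(n_in=1, n_hidden=1)
    # all-zero parameters: every gate is sigmoid(0) = 0.5 and the candidate is tanh(0) = 0,
    # so the cell keeps half of the old memory (C_{t-1} = 2 gives C_t = 1)
    h, c = cell.step([1.0], [0.0], [2.0])
    print("zero weights:", h, c)
    # a strongly negative forget bias erases the old memory (constructed setting)
    cell.b_f = [-20.0]
    print("forget gate closed:", cell.step([1.0], [0.0], [2.0]))
    # open the input gate and feed x_t straight into the candidate: C_t ~ tanh(x_t)
    cell.b_i, cell.w_c = [20.0], [[0.0, 1.0]]
    print("input gate open:", cell.step([1.0], [0.0], [2.0]))
    print("unrolled:", cell.run([[1.0], [0.5], [0.0]]))
    print("MSE:", mse([1.0, 2.0, 3.0], [1.0, 2.0, 5.0]))
```

Driving the gates to their limits with large biases, as the usage block does, is a quick sanity check of equation (2): with the forget gate closed the old memory vanishes, and with the input gate open the cell state tracks the candidate directly.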

Figure 6 Data flow of the network output layer

4 Experimental Design and Result Analysis

4.1 Model Training Process

Figure 7 Training and validation loss

4.2 Comparison of Experimental Results

5 Conclusion

