ISSN 1000-1239 CN 11-1777/TP

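Journal of Computer Research and Development ›› 2019, Vol. 56 ›› Issue (11): 2330-2338. doi: 10.7544/issn1000-1239.2019.20190376

Special topic: 2019 Special Topic on Cryptography and Intelligent Security Research

• Information Security •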

Intrusion Detection of Industrial Control System Based on Correlation Information Entropy and CNN-BiLSTM

Shi Leyi, Zhu Hongqiang, Liu Yihao, Liu Jia

  1. (College of Computer Science and Technology, China University of Petroleum (East China), Qingdao, Shandong 266580) (shileyi@upc.edu.cn)
  • Published: 2019-11-12
  • Online: 2019-11-12
  • Supported by: 
    National Natural Science Foundation of China (61772551); Natural Science Foundation of Shandong Province (ZR2019MF034)

Abstract: Intrusion detection aims to effectively detect abnormal attacks in the network, which is critical for cyber security. Because traditional intrusion detection methods have difficulty extracting effective data features from industrial control system communication data, an intrusion detection model based on correlation information entropy and CNN-BiLSTM is proposed. It combines feature selection based on correlation information entropy with fused deep learning algorithms, and can therefore effectively remove noise and redundancy, reduce computation and improve detection accuracy. First, pre-processing is carried out to address problems such as imbalanced samples, and an algorithm based on correlation information entropy is applied to select features, removing noisy data and redundant features. Then, a convolutional neural network (CNN) and a bidirectional long short-term memory (BiLSTM) network are applied respectively to extract data features from the time and space dimensions, and the features are fused through a multi-head attention mechanism to obtain the final detection result. Finally, the optimal model is obtained using the single-variable principle and cross-validation. Compared experimentally with other traditional intrusion detection methods, the model has higher accuracy (99.21%) and a lower false negative rate (0.77%).

Key words: industrial control system (ICS), intrusion detection, correlation information entropy, CNN-BiLSTM, multi-head attention
