Research on Intrusion Detection of Industrial Control System Based on ISSA-LightGBM
Abstract: Industrial control systems (ICS) are an important part of a nation's critical infrastructure. With the continuing integration of information technology and industrial control networks, critical infrastructure control systems have become part of the Internet and are more vulnerable to various cyber-attacks. An abnormality or collapse of an ICS may bring economic losses, environmental damage and even loss of human life, so strengthening network security protection for ICS is very important. An intrusion detection system is a very effective information security mechanism that can monitor network traffic and detect and prevent cyber-attacks. The rapid development of the industrial Internet has generated massive amounts of industrial network traffic data, which has resulted in low detection accuracy and low time efficiency for traditional intrusion detection algorithms. This paper presents an industrial control intrusion detection model that combines an improved sparrow search algorithm (ISSA) with the light gradient boosting machine (LightGBM). The method can process massive industrial data at high speed without sacrificing detection performance. The improved ISSA algorithm is adopted to solve the difficulty of tuning LightGBM hyperparameters. First, a discrete decoding strategy is introduced so that integer-valued hyperparameters never take decimal values. Second, the generation of the initial population is optimized to improve population diversity. Finally, the position update function of the SSA algorithm is improved, giving the algorithm better global search ability. With ISSA applied to the LightGBM intrusion detection model for parameter optimization, results on a massive standard industrial control network dataset show that the method has higher detection accuracy and time efficiency and is especially suitable for processing massive industrial data.
Key words: industrial control system; intrusion detection; sparrow search algorithm; LightGBM; massive data

Table 1. LightGBM main hyperparameters

| Parameter | Range | Description |
|---|---|---|
| num_leaves | {1, 2, …, n} | number of leaves |
| max_depth | [3, 10] | maximum tree depth |
| min_data_in_leaf | {1, 2, …, n} | minimum number of data in a leaf |
| learning_rate | (0, 1] | learning rate |
| min_sum_hessian_in_leaf | (0, 10] | minimum sum of sample weights in a leaf |
| bagging_fraction | (0, 1] | proportion of data selected at random |
| feature_fraction | (0, 1] | proportion of features |
| lambda_l1 | [0, 10] | L1 regularization |
| lambda_l2 | [0, 10] | L2 regularization |

Table 2. Description of natural gas pipeline dataset

| Type | Label | Samples | Description |
|---|---|---|---|
| Normal | 0 | 61156 | Normal data |
| NMRI | 1 | 2763 | Normal malicious response injection attack |
| CMRI | 2 | 15466 | Complex malicious response injection attack |
| MSCI | 3 | 782 | Malicious status command injection attack |
| MPCI | 4 | 7637 | Malicious parameter command injection attack |
| MFCI | 5 | 573 | Malicious function command injection attack |
| DoS | 6 | 1837 | Denial of service attack |
| RECO | 7 | 6805 | Reconnaissance attack |

Table 3. Comparison of ISSA with other optimization algorithms

| Model | ACC/% | FPR/% | FNR/% | Time/s |
|---|---|---|---|---|
| PSO-LightGBM | 98.07 | 1.27 | 3.03 | 1465.36 |
| WOA-LightGBM | 98.26 | 1.11 | 2.78 | 1253.47 |
| SSA-LightGBM | 98.78 | 0.82 | 1.89 | 1120.98 |
| ISSA-LightGBM | 98.92 | 0.67 | 1.77 | 1096.83 |

Table 4. Optimal hyperparameters

| Parameter | Value |
|---|---|
| num_leaves | 430 |
| max_depth | 6 |
| min_data_in_leaf | 21 |
| learning_rate | 0.59 |
| min_sum_hessian_in_leaf | 0.01 |
| bagging_fraction | 0.63 |
| feature_fraction | 0.64 |
| lambda_l1 | 3.65 |
| lambda_l2 | 5.08 |
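
The discrete decoding step named in the abstract, sketched over the Table 1 search space as an added example (not the paper's code, whose exact decoding rule is not given on this page). It assumes sparrow positions are normalised to [0, 1] per dimension; the names `SPACE`, `EPS`, `decode` and `in_space`, and the upper bounds 512 and 100 standing in for "n", are assumptions.

```python
import math

# Search space from Table 1: (name, low, high, is_integer, open_low).
# Assumptions: 512 and 100 stand in for the unspecified "n", and num_leaves
# starts at 2 because LightGBM itself requires num_leaves > 1.
SPACE = [
    ("num_leaves", 2, 512, True, False),
    ("max_depth", 3, 10, True, False),
    ("min_data_in_leaf", 1, 100, True, False),
    ("learning_rate", 0.0, 1.0, False, True),
    ("min_sum_hessian_in_leaf", 0.0, 10.0, False, True),
    ("bagging_fraction", 0.0, 1.0, False, True),
    ("feature_fraction", 0.0, 1.0, False, True),
    ("lambda_l1", 0.0, 10.0, False, False),
    ("lambda_l2", 0.0, 10.0, False, False),
]
EPS = 1e-3  # assumed smallest value on a half-open interval (0, high]


def decode(position):
    """Map a continuous position in [0, 1]^9 to a LightGBM parameter dict."""
    if len(position) != len(SPACE):
        raise ValueError("position needs one coordinate per hyperparameter")
    params = {}
    for u, (name, low, high, is_int, open_low) in zip(position, SPACE):
        if math.isnan(u):
            raise ValueError(f"NaN coordinate for {name}")
        u = min(max(u, 0.0), 1.0)  # an update step can leave the unit box
        if is_int:
            # Equal-width bins: every integer in [low, high] is equally
            # likely, which plain round() does not give at the end points.
            value = min(low + math.floor(u * (high - low + 1)), high)
        else:
            value = low + u * (high - low)
            if open_low:
                value = max(value, EPS)  # keep e.g. learning_rate above 0
        params[name] = value
    return params


def in_space(params):
    """Check a parameter dict against the Table 1 types and ranges."""
    for name, low, high, is_int, open_low in SPACE:
        v = params[name]
        if is_int and not isinstance(v, int):
            return False  # a decimal slipped into an integer hyperparameter
        if v < low or v > high or (open_low and v <= low):
            return False
    return True
```

The fitness function of the optimizer would call `decode` on each sparrow's position before training, so LightGBM never receives a fractional `num_leaves`, `max_depth` or `min_data_in_leaf`.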