Journal of Frontiers of Computer Science and Technology

• Academic Research •

Anomaly detection method for industrial control systems based on deep meta-learning

李新春, 谭新欢, 李琳, 许驰   

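  1. School of Electronic and Information Engineering, Liaoning Technical University, Huludao, Liaoning 125105
  2. School of Intelligent Engineering, Liaoning Institute of Science and Engineering, Jinzhou, Liaoning 121013
  3. State Key Laboratory of Robotics, Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang 110016
  4. Key Laboratory of Networked Control Systems, Chinese Academy of Sciences, Shenyang 110016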

Deep meta learning-based anomaly detection for industrial control systems

LI Xinchun,  TAN Xinhuan,  LI Lin,  XU Chi   

  1. School of Electronic and Information Engineering, Liaoning Technical University, Huludao, Liaoning 125105, China
  2. School of Intelligent Engineering, Liaoning Institute of Science and Engineering, Jinzhou, Liaoning 121013, China
  3. State Key Laboratory of Robotics, Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang 110016, China
  4. Key Laboratory of Networked Control Systems, Chinese Academy of Sciences, Shenyang 110016, China

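Abstract: As industrial control systems become ever more networked, they face a steady stream of new types of network attacks, and traditional anomaly detection methods suffer from low detection accuracy because sample numbers are limited and generalization ability is insufficient. To address this, this paper adopts the Model Agnostic Meta Learning (MAML) architecture and proposes a deep meta-learning (Deep MAML, D-MAML) anomaly detection method based on convolutional neural networks. First, an anomaly detection architecture with inner and outer loops is built for D-MAML: the inner loop extracts sample features and the outer loop dynamically updates parameters, which improves the model's generalization ability and meets the needs of few-sample detection. Then, a convolutional neural network enhanced with a meta module is designed, and the inner-loop model parameters are updated by gradient descent to improve feature extraction. Further, an outer-loop parameter update algorithm based on a multi-step loss function is proposed to improve the stability of the algorithm. At the same time, a cosine annealing algorithm dynamically updates the outer-loop learning rate to address the algorithm's insufficient generalization ability. Finally, D-MAML is validated in 5-class experiments on three public datasets. The results show that the best single-sample accuracy of D-MAML is 67.17%, and the best multi-sample accuracy rises further to 92.84%.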

Keywords: industrial control systems, anomaly detection, few samples, MAML

Abstract: As industrial control systems become increasingly networked, they face an endless stream of new types of network attacks, and traditional anomaly detection methods achieve low detection accuracy because of limited samples and limited generalization ability. For this reason, this paper adopts the Model Agnostic Meta Learning (MAML) architecture and proposes a Deep MAML (D-MAML) anomaly detection method based on a convolutional neural network. Firstly, the inner and outer loop anomaly detection architecture of D-MAML is constructed: the inner loop extracts the sample features and the outer loop dynamically updates the parameters, which improves the model's generalization ability and meets the demand of small-sample detection. Then, a meta-module-enhanced convolutional neural network is designed, and the inner-loop model parameters are updated by gradient descent to improve the feature extraction capability. Further, an outer-loop model parameter update algorithm based on a multistep loss function is proposed to improve the stability of the algorithm. Meanwhile, the cosine annealing algorithm is used to dynamically update the learning rate of the outer loop to address insufficient generalization ability. Finally, D-MAML is validated in 5-class classification experiments on three publicly available datasets. The results show that the best single-sample accuracy of D-MAML is 67.17%, and the best multi-sample accuracy can be further improved to 92.84%.

Key words: industrial control systems, anomaly detection, small sample, MAML
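The inner/outer loop structure described in the abstract, sketched as an added example that is not the authors' code: the inner loop adapts by gradient descent on a few support samples, and the outer loop descends a weighted multi-step query loss with a cosine-annealed learning rate. Assumptions: a logistic-regression model stands in for the paper's CNN, outer gradients use the first-order approximation instead of MAML's second-order term, and the two-feature "normal vs. attack" tasks, step weights and learning rates are all constructed for illustration.

```python
import math, random

def cosine_lr(step, total, lr_max=0.5, lr_min=0.01):
    """Cosine-annealed outer-loop learning rate (bounds are assumed values)."""
    return lr_min + 0.5 * (lr_max - lr_min) * (1 + math.cos(math.pi * step / total))

def loss_grad(theta, batch):
    """Mean logistic loss and its gradient for theta = [w1, w2, b]."""
    loss, grad = 0.0, [0.0, 0.0, 0.0]
    for x1, x2, y in batch:
        z = max(-30.0, min(30.0, theta[0] * x1 + theta[1] * x2 + theta[2]))
        p = 1.0 / (1.0 + math.exp(-z))
        loss -= (math.log(p) if y else math.log(1.0 - p)) / len(batch)
        for i, xi in enumerate((x1, x2, 1.0)):
            grad[i] += (p - y) * xi / len(batch)
    return loss, grad

def inner_loop(theta, support, query, steps=3, lr=0.5):
    """Gradient-descent adaptation on the support set; query loss/grad after each step."""
    trace = []
    for _ in range(steps):
        theta = [t - lr * g for t, g in zip(theta, loss_grad(theta, support)[1])]
        trace.append(loss_grad(theta, query))
    return theta, trace

def make_task(rng, shots=2, queries=10):
    """Constructed task: 'normal' points near the origin, one 'attack' cluster elsewhere."""
    ang = rng.uniform(0.0, math.pi / 2)
    cx, cy = 3 * math.cos(ang), 3 * math.sin(ang)
    def draw(n):
        return [pt for _ in range(n) for pt in
                ((rng.gauss(0, 0.5), rng.gauss(0, 0.5), 0),
                 (rng.gauss(cx, 0.5), rng.gauss(cy, 0.5), 1))]
    return draw(shots), draw(queries)

def meta_train(iterations=200, batch=4, weights=(0.2, 0.3, 0.5), seed=0):
    """Outer loop: weighted multi-step query loss, first-order gradients, cosine-annealed lr."""
    rng, theta = random.Random(seed), [0.0, 0.0, 0.0]
    for it in range(iterations):
        meta_grad = [0.0, 0.0, 0.0]
        for _ in range(batch):
            support, query = make_task(rng)
            _, trace = inner_loop(theta, support, query, steps=len(weights))
            for w, (_, g) in zip(weights, trace):  # one loss term per inner step
                meta_grad = [m + w * gi / batch for m, gi in zip(meta_grad, g)]
        lr = cosine_lr(it, iterations)
        theta = [t - lr * m for t, m in zip(theta, meta_grad)]
    return theta

def adapted_query_loss(theta, n_tasks=50, seed=1):
    """Mean query loss on held-out constructed tasks after inner-loop adaptation."""
    rng = random.Random(seed)
    return sum(inner_loop(theta, *make_task(rng))[1][-1][0] for _ in range(n_tasks)) / n_tasks
```

Comparing `adapted_query_loss(meta_train())` with `adapted_query_loss([0.0, 0.0, 0.0])` shows what the meta-learned initialization buys when each new task offers only two labelled samples per class.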