CN106502234B - Industrial control system method for detecting abnormality based on double skeleton patterns - Google Patents

Abstract

The present invention relates to a method for detecting anomalies in an industrial control system based on a dual-contour model. The industrial control network equipment involved includes: a safety gateway, a programmable logic controller, a field sensor device, a safety management platform, and an engineer station; the method includes the following steps : S1: The engineer station configures and runs the system, and the PLC in each area identifies the controlled devices connected to its IO modules, matches the controlled device information list, and forms a periodic communication mode between the master and slave stations; S2: PLC The data information is fed back to the security gateway in real time, and the data packet deep analysis system of the security gateway extracts data characteristics, removes redundant attribute characteristics, and only leaves the characteristics related to the system behavior mode, including protocol characteristics based on communication frequency and data packet transmission direction Characteristics and changing rules of register values; S3: Anomaly detection subsystem performs anomaly detection and sends an alarm to the security management platform for abnormal results.

Description

Anomaly Detection Method for Industrial Control System Based on Dual Contour Model

technical field

The invention belongs to the technical field of industrial control systems, and relates to an abnormality detection method of an industrial control system based on a double-contour model.

Background technique

Due to the widespread use of common software, hardware and network facilities in industrial control systems, as well as the integration with enterprise management information systems, industrial control systems have become more and more open, and data exchange has occurred with enterprise intranets and even with the Internet. That is to say, the relative closeness of the industrial control system in the physical environment and the specificity of the software and hardware of the industrial control system will be broken. It will be possible to obtain more detailed information about the relevant industrial control system through the Internet or the intranet, and then In addition, the security awareness of enterprises operating industrial control systems is generally poor, which creates opportunities for hostile governments, terrorist organizations, commercial espionage, internal criminals, and external illegal intruders.

There are the following disadvantages in ICS (Industrial Control System): 1) Due to the large number of equipment vendors in ICS, there is a lack of unified system hardware, operating software, application software, and protocol specification standards, resulting in its own vulnerability in ICS configuration. 2) The widely used Modbus TCP protocol in this system lacks authentication and authorization mechanisms, and the data is transmitted in plain text. It is only possible to protect the data collected at the field device layer through the security gateway in the network, while the traditional security protection methods mainly It is a filtering technology based on protocol data packet format matching. This rule configuration method is difficult to intercept the attacks of many malicious attackers, such as constructing data packets that conform to the protocol specifications to attack. 3) In the field device layer, the value of the device register is easily tampered by the attacker, but the data packet format still conforms to the protocol specification. This attack is not easy to be detected, which makes the enterprise management make wrong decisions.

Contents of the invention

In view of this, the object of the present invention is to provide a dual-contour model-based method for anomaly detection in industrial control systems, which can solve the shortcomings of identifying unknown attacks and equipment anomalies in the field device layer.

To achieve the above object, the present invention provides the following technical solutions:

An abnormality detection method for an industrial control system based on a double-contour model, the industrial control network equipment involved in the abnormality detection process includes: a security gateway, a programmable logic controller, a field sensor device, a safety management platform, and an engineer station; The security gateway includes an anomaly detection subsystem and a data packet deep analysis system, and the method specifically includes the following steps:

S1: The engineer station configures and operates the system, and the PLC in each area identifies the controlled devices connected to its IO modules, matches the controlled device information list, and forms a periodic communication mode between the master and slave stations;

S2: The PLC feeds back the data information to the security gateway in real time, and the security gateway's data packet deep analysis system extracts data features, removes redundant attribute features, and only leaves features related to system behavior patterns, including protocol features based on communication frequency, data Packet transmission direction characteristics and register value change rules;

S3: The anomaly detection subsystem performs measurement and statistics based on the feature vector extracted by the data packet depth analysis system, and classifiers, performs anomaly detection, and sends an alarm to the security management platform for the abnormal results.

Further, in step S2, the data packet deep analysis system stipulates the characteristic fields that should exist in the data packet and the expected values of these fields according to the message format of the Modbus TCP protocol, performs deep analysis on the message layer by layer, and summarizes the instructions and status of the protocol feature;

For the data packet protocol feature set, by establishing a sliding time window for communication between the master and slave stations, the frequency of important features is marked by the periodic time window, and the data packets are periodically collected and feature extracted to establish a feature vector;

According to the ICS of the Modbus TCP protocol, there is a high degree of periodicity in the communication between the master station and the slave station at the field device layer and the periodic read and write operations on the slave station equipment, the packet arrival time interval rule, the transaction identification Symbol frequency, read slave station function code frequency, write slave station function code frequency, slave station communication address frequency, data packet transmission direction, so as to construct the characteristic vector X=(x ₁ , x ₂ , x ₃ ... x _n ).

Further, the packet arrival time interval regularity means that PLC keeps consistent with the time interval of the same instruction sent by the controlled equipment; the transaction identifier frequency, read slave station function code frequency, write slave station function code frequency, slave station The communication address frequency of the station refers to the characteristic frequency of each field of the data packet obtained through the analysis of the characteristics and periodicity of the Modbus TCP protocol; The source address and destination address of the packet generate the transmission direction of the data packet.

Further, in step S3, when using the classification algorithm to detect the vector features of the Modbus TCP protocol, first use the k-means clustering algorithm to preprocess the protocol feature vectors: randomly select k objects as initial clusters, and calculate each cluster The mean value of the data in the cluster can be used to determine whether the cluster center is stable by using the standard criterion function. The standard criterion function is defined as:

Among them, x _k represents a certain point in the cluster, and _ci represents the mean value of a certain cluster; this not only shortens the classification time, but also improves the classification accuracy, and meets the real-time requirements of ICS. Once an abnormal situation is detected, it will immediately An alarm is generated to notify the security management platform.

Further, in step S3, by analyzing the sensor register value between the programmable logic controller and the on-site sensor device, the regular change of the main control PLC count register value, a mapping table of the relationship between time and register value is generated, and the characteristics of the surge attack are analyzed It is the attacker who tampers with the normal value at time t to make it suddenly increase. According to the register value relationship mapping table, the register threshold β is set to be twice the output value under normal conditions. Once the real-time detection value θ exceeds the threshold The management platform sends out an alarm; only when the real-time register value does not exceed the threshold β, the TCM-KNN algorithm classifier is used for discrimination, which is more real-time than the detection method only using the algorithm classifier;

Considering that the register value may be tampered by the attacker with a small value increment each time, the system is difficult to detect, and a complete cycle runs in the ICS, and the register value at the same time point in each cycle is The same or very little difference, according to this rule, use the TCM-KNN algorithm classifier to detect the deviation between the actual register value and the register value of the mapping table at each corresponding time point, to monitor whether the register value is normal in real time; Tampering, the security gateway immediately reports the abnormal situation to the security management platform, records the area where the abnormal situation is located and the PLC number in the area, and sends a control command to the PLC.

Further, the TCM-KNN algorithm combines the classical classification algorithm K-Nearest Neighbor with transductive confidence machines (TCM), and calculates the distance (Euclidean distance of feature vectors between samples) according to the classified The ICS register data set to classify the data to be tested;

In order to quantify the difference between the real-time register value and the register value in the mapping table, the singular value defined is represented by:

The confidence mechanism adopted in TCM is based on randomness detection, and the estimation of confidence is carried out by a randomness detection function, and the P value is defined as the value of the detection function and the P value of the real-time register value i relative to the same category y:

Each sample in the sample set to be classified has a P value corresponding to each class, and the P value can be calculated as One sample is processed at a time, and the value range of the P value is [0,1]. The larger the P value, the greater the possibility that i belongs to y.

The beneficial effects of the present invention are:

1. Adopting the idea of dual-contour model for anomaly detection, continuously adding and learning abnormal samples, and the collaborative discrimination detection of the dual-contour detection model, thereby improving the accuracy and generalization ability of anomaly detection.

2. The idea of the dual-contour model not only detects abnormal register values in the data acquisition area, but also proposes a protocol feature detection algorithm for the data transmission process of the control layer network.

3. By analyzing the high periodicity and protocol characteristics of the communication between the master and slave stations, a periodic sliding time window is established, and the important characteristic elements that can represent ICS are marked, and a representative characteristic vector with rich data elements is constructed.

c4. Draw a mapping table about time for the PLC register value, and set the threshold β according to the law of the mapping table. First, by judging whether the real-time register value is greater than the threshold β, an alarm response will be generated once an abnormality occurs, otherwise, TCM will be performed on the real-time register value. - KNN classifier monitoring, such detection by situation is conducive to improving the real-time performance of ICS.

Description of drawings

In order to make the purpose, technical scheme and beneficial effect of the present invention clearer, the present invention provides the following drawings for illustration:

Figure 1 is a structural diagram of the anomaly detection system of ICS based on Modbus TCP;

Fig. 2 is a Modbus TCP message structural diagram;

Figure 3 is an example of a PLC control system;

Fig. 4 is a flow chart of register value detection data acquisition;

Figure 5 is a cluster-based SVM abnormal behavior detection model;

Figure 6 is a flow chart of the register value anomaly detection algorithm.

Detailed ways

The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

The invention aims at the characteristics of the Modbus TCP protocol in the industrial control system, constructs a feature vector based on the communication behavior frequency, and establishes a detection model based on an abnormal behavior clustering algorithm to optimize the SVM. According to the high periodicity of the main control PLC sensor register value and counting register value, and the discrepancy between the expected output value of the control register model in the ICS and the actual value of the register, a TCM-KNN detection model based on abnormal behavior is established, thereby establishing the double contour model. Anomaly detection system.

As shown in Figure 1, the main industrial control equipment involved in this anomaly detection method are: security gateway, master control PLC, controlled equipment, security management platform, and engineer station. The roles played by each are:

1. Security gateway: including the data packet deep analysis system and anomaly detection subsystem. The data packet deep analysis system performs in-depth analysis and feature extraction of Modbus TCP data packets. Call the police. Its Modbus TCP agreement characteristic like chart 2 shows.

2. Master PLC: In ICS, according to the monitoring plan, PLC is used as a local controller. The PLC has a user-programmable memory for storing instructions to implement specific functions, such as I/O control, logic, timing, counting, three modes of proportional-integral-derivative (PID) control, communication, arithmetic, and data and file processing. The PLC is accessible through a programming interface located at the engineer's workstation. As shown in Figure 3.

3. Controlled equipment: including liquid level gauges, pressure gauges, temperature and humidity sensors, actuators, etc., responsible for the collection of physical quantities in the industrial production process, and upload the collected information to the security gateway for abnormal detection through the PLC. At the same time, the controlled equipment Accept the control instructions of PLC, complete the instruction actions, and make the industrial production process proceed in an orderly manner.

4. Security management platform: responsible for the configuration of the security gateway security mechanism and the handling of abnormal alarms.

5. Engineer Station: It is a workstation used by engineers of industrial process control to configure, program and modify computer systems.

This solution is mainly aimed at ICS based on the Modbus TCP protocol. First, the engineer station configures and operates the system. The PLC in each area identifies the controlled devices connected to its IO modules, matches the controlled device information list, and forms a master and slave. Periodic communication mode of the station.

The PLC feeds back the data information to the security gateway in real time, and the data packet deep analysis system of the gateway extracts the data characteristics, removes redundant attribute characteristics, and only leaves the characteristics related to the system behavior mode, including protocol characteristics based on communication frequency and data packet transmission direction Features and changes in register values.

Then, the data analysis module of the intrusion detection subsystem performs abnormal detection, and sends an alarm to the security management platform for the abnormal results.

The intrusion detection subsystem is based on the feature vector extracted by the data packet depth analysis system, and performs measurement and statistics according to the classifier.

For the data vector of protocol characteristics, due to the high periodicity of ICS master-slave communication, and analyzing the protocol characteristics of Modbus TCP, it is concluded that the data packet interaction time interval rule, transaction processing identifier frequency, read slave station function code frequency, write slave station Feature elements such as station function code frequency, slave station communication address frequency, and data packet transmission direction, construct a vector X=(x ₁ ,x ₂ ,x ₃ ,…,x _n ) with rich feature elements, and establish k-means clustering The algorithm optimizes the anomaly detection model of SVM. Finally, the ICS real-time packet construction decision function is obtained:

Draw a periodic time-register value relationship mapping table for the PLC sensor register value and count register value, and obtain the law of the corresponding register value of the system operation. And according to the mapping table, the threshold β of each register value is set respectively, and when the actual value is detected to be greater than or equal to the threshold β, an abnormal alarm is sent to the security management platform immediately. When the actual value of the register is less than the threshold β, the TCM-KNN algorithm is used to detect the register value in real time to prevent the abnormal situation that the increment of the tampered value is very small.

In this industrial control system, on the one hand, according to the characteristics of the Modbus TCP protocol of ICS and the high periodicity of the system operation, the protocol feature vector is obtained from the data packet deep analysis system, and the abnormal detection based on the behavior pattern is established by using the cluster-based SVM algorithm. At the same time, the abnormal detection system based on behavior patterns greatly improves the ability to identify abnormal situations. On the other hand, the change law of sensor register values and counting register values in the field device layer PLC generates a mapping table of register values about time. A TCM-KNN anomaly detection model is constructed to analyze the deviation between the ICS normal operation register value and the real-time register value to realize the abnormal detection of the register value. Therefore, from the perspective of two different categories of Modbus TCP protocol characteristics and register value change rules in ICS, an abnormality detection system with a dual-contour model is constructed to realize abnormal situations such as inconformity with the master-slave operation rule intention and register value tampering. At the same time, through the collaborative detection and judgment of the two, the abnormal detection rate of the system is greatly improved and the abnormal detection categories are expanded.

Specific examples:

The ICS anomaly detection method based on the dual-contour model mainly involves the following three modules: data packet deep analysis system, anomaly detection subsystem, and security management platform.

The data packet deep analysis system is to deeply analyze the message layer by layer. Regarding the Modbus application protocol message header, it includes the transmission identification, protocol identification, length and unit identification, as well as the periodic characteristics of the marking function code, and summarizes the characteristics of each protocol. Command and status characteristics, and record the communication behavior frequency according to the master-slave communication cycle.

The anomaly detection subsystem conducts real-time data analysis based on the information from the data packet deep analysis system, and constructs the characteristics of the transaction identifier frequency, read slave station function code frequency, write slave station function code frequency, and slave station communication address frequency for the Modbus TCP protocol Vector, establish a k-means clustering algorithm to optimize the abnormality detection model of SVM, extract the mapping relationship table about time for the register value, first judge whether there is an abnormality through the set threshold β, if the actual value is less than the threshold value, then pass TCM -The KNN algorithm classifier model performs anomaly detection and reports the judgment results to the security management platform in real time.

The safety management platform is mainly responsible for managing and monitoring the operation of the entire network from the field device layer to the process monitoring layer.

For the main method of anomaly detection based on the Modbua TCP protocol feature in the ICS, from the level analysis of the message structure, the Modbus/TCP message includes the Modbus application protocol message header (MBAP, Modbus ApplicationProtocol) and the protocol data unit (PDU, Protocol Data Unit) two parts, for the Modbus application protocol header, it includes the transmission identification (Transaction ID), protocol identification (Protocol ID), length (Length) and unit identification (Unit ID). For the function codes commonly used in Modbus TCP communication, for example, read coil function code 01, read input discrete value 02, write single coil 05, write multiple coils 15, read input register 04, write single register 06, etc. , There is a high degree of periodicity in the communication of the slave station. Therefore, construct the eigenvectors of data packet time interval, transaction processing identifier frequency, read slave station function code frequency, write slave station function code frequency, slave station communication address frequency, and data packet transmission direction, and establish the SVM of k-means clustering Anomaly detection model.

In the normal operation of ICS, the training samples are obtained by the security gateway, and the classification method combining k-means and SVM is used for anomaly detection. The clustered k classes are subdivided by the support vector machine, which not only shortens the classification time, but also improves the classification accuracy. Its specific algorithm flow is shown in Figure 5.

Firstly, the sample data X ₁ , X ₂ , X ₃ ,...,X _n are taken as input samples, and k categories are generated through the k-means clustering algorithm. Then, the data generated by clustering is used as input to construct an SVM classifier for real-time anomaly detection on ICS.

Set the training parameter penalty factor as c, the radial basis kernel function K( _xi , x), and construct the classification hyperplane as w x _i +b=0 for the result of the clustering algorithm, and complete the data classification:

w x _i +b≥1→y _i =+1 (1)

w x _i +b≤1→y _i =-1 (2)

The SVM linear classification problem is reduced to a quadratic regression problem:

Where: y _i (w· _xi + b)-1+ξ _i ≥0, ξ _i ≥0, i=1,2,...n, c>0 is the penalty factor, and ξ _i is the slack variable. Then introduce the Lagrangian factor α=[α ₁ ,α ₂ …α _n ] to construct the dual support vector machine

Construct a decision function for unknown real-time detection data

When using SVM to classify the vector features of the Modbus TCP protocol, first use the k-means clustering algorithm to preprocess the protocol feature vectors, and then subdivide the clustered k classes with a support vector machine, and randomly select k objects. As an initialization cluster, calculate the mean value of the data in each cluster, and judge whether the cluster center is stable by using the standard criterion function. The standard criterion function can be defined as:

Among them, x _k represents a certain point in the cluster, and _ci represents the mean value of a certain cluster.

For the master control PLC sensor register value and counting register value in ICS, the law of periodic changes with respect to time, the register value detection data acquisition process is shown in Figure 4, through the normal operation of the system under multiple cycles, the register value is drawn with respect to time The mapping table is used to analyze the change of the register value and set the register threshold β. Firstly, by judging whether the real-time register value is greater than the threshold β, an alarm response will be generated once an abnormality occurs. Otherwise, the real-time register value will be monitored by the TCM-KNN classifier. Methods as below:

The TCM-KNN algorithm is to classify the samples to be tested according to the classified sample categories. This anomaly detection model is shown in Figure 6. In order to quantify the difference between the samples to be tested and the existing samples, the defined singular value is expressed as:

in, Indicates the distance between sample i and all samples in category y, that is, the distance sequence, Represents the sequence The jth smallest distance in , represents the sequence of distances between sample i and all samples in categories other than category y, representative sequence The jth shortest distance in , and k represents the number of nearest neighbors selected. Due to the similarity of samples of the same category, the distribution of their feature vectors in the feature space is clustered, and the distance between samples is relatively small, and the opposite is true for samples of different categories.

The confidence degree mechanism adopted in TCM is based on randomness detection, and the estimation of confidence degree is carried out by a randomness detection function, and the defined P value is the value of the detection function.

Defines the P value of the sample i to be tested relative to the category y:

Among them, # is the "potential" of the set, which represents the number of elements in the finite set; α _i represents the singular value of i; α _j is the singular value of any sample in the set; j is the singular value of the singular value greater than i in the category y The number of samples; n is the number of elements in the set; the P value is the probability that the sample to be classified belongs to several existing sample spaces. Each sample in the sample set to be classified has a P value corresponding to each class, and the P value can be calculated as One sample is processed at a time, and the value range of the P value is [0,1]. The larger the P value, the greater the possibility that i belongs to y.

The anomaly detection mechanism based on the TCM-KNN algorithm is run in the security gateway device located on the upper layer of the PLC, and the normal sample set X' of the register value is constructed according to the periodic mapping table of the register value with respect to time.

Calculate the singular value α _x relative to a certain feature f in the normal sample set X' according to formula (8).

The real-time data collected by the security gateway is used as the sample Y to be tested, and the singular value α _y of the sample Y to be tested relative to the normal sample is calculated by formula (8).

Thus, the P value P(α _y ) of the sample Y can be obtained according to formula (9). Usually, the threshold τ of P(α _i ) is set to 0.95. When the sample to be detected P(α _y )≥τ, it is judged as a normal register value, and when P(α _y )<τ, it is judged as an abnormal register value. And send an alert response to the security management platform.

Therefore, for the highly periodic characteristics of ICS, according to the feature extraction of ICS protocol and the change law of sensor register value and count register value in the main control PLC, the SVM and TCM-KNN algorithm classifiers based on k-means clustering algorithm are used to construct Anomaly detection model, thus constructing a dual-contour anomaly detection model, starting from the two perspectives of protocol features and regular changes in register values, the collaborative detection and discrimination of the dual-contour anomaly detection model greatly improves the anomaly detection rate and abnormality category.

Finally, it should be noted that the above preferred embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail through the above preferred embodiments, those skilled in the art should understand that it can be described in terms of form and Various changes may be made in the details without departing from the scope of the invention defined by the claims.

Claims (6)

1. An industrial control system anomaly detection method based on a double-contour model is characterized by comprising the following steps: respectively constructing an anomaly detection model by using an SVM (support vector machine) and a TCM-KNN (TCM-belief-K-nearest neighbor) algorithm classifier based on a k-means clustering algorithm according to ICS (interference cancellation system) protocol feature extraction and the change rule of a sensor register value and a counting register value in the PLC, thereby constructing a double-profile anomaly detection model; the industrial control network device involved in the abnormality detection process includes: the system comprises a security gateway, a PLC, a field sensor device, a security management platform and an engineer station; the security gateway comprises an anomaly detection subsystem and a data packet deep analysis system;

the method specifically comprises the following steps:

s1: the engineer station identifies the system configuration and operation, and the PLC of each area identifies the controlled equipment connected with the IO module, matches the controlled equipment information list and forms a periodic communication mode of the master station and the slave station;

s2: the PLC feeds data information back to the security gateway in real time, a data packet deep analysis system of the security gateway extracts data features, removes redundant attribute features, and only leaves features related to a system behavior mode, wherein the features include protocol features based on communication frequency, data packet transmission direction features and register value change rules;

s3: and the anomaly detection subsystem carries out measurement and statistics according to the characteristic vector X extracted by the data packet deep analysis system and the classifier, carries out anomaly detection and sends an alarm to the security management platform according to an anomaly result.

2. The method for detecting the abnormality of the industrial control system based on the double-contour model according to claim 1, characterized in that: in step S2, the packet deep parsing system specifies the characteristic fields that should exist in the packet and the expected values of these fields according to the packet format of the Modbus TCP protocol, performs deep parsing on the packet layer by layer, and summarizes the instruction and state characteristics of the protocol;

for the data packet protocol feature set, establishing a sliding time window of communication of a master station and a slave station, carrying out frequency marking on important features by a periodic time window, carrying out periodic acquisition and feature extraction on a data packet, and establishing a feature vector X;

according to the high-periodicity characteristics of communication between a master station and a slave station in a field device layer in ICS of a Modbus TCP protocol and the periodic read-write operation of the slave station device, a packet arrival time interval rule, a transaction identifier frequency, a slave station function code reading frequency, a slave station function code writing frequency, a slave station communication address frequency and a data packet transmission direction are obtained, and therefore a characteristic vector X (X) is constructed for each type of regular characteristic values based on the communication frequency₁,x₂,x₃,…,x_n)。

3. The method for detecting the abnormality of the industrial control system based on the double-contour model according to claim 2, characterized in that: the packet arrival time interval rule means that the time intervals of the same instructions sent by the PLC to the controlled equipment are kept consistent; the transaction processing identifier frequency, the slave station reading function code frequency, the slave station writing function code frequency and the slave station communication address frequency are characterized in that the characteristic frequency of each field of the data packet is obtained through Modbus TCP protocol characteristic and periodic rule analysis; the direction of the data packet refers to the transmission direction of the data packet generated according to the source address and the destination address of the data packet when the PLC and the controlled equipment perform data interaction.

4. The double-contour-model-based industrial control system anomaly detection method according to claim 3, wherein the method comprises the following steps: in step S3, when the vector feature of the Modbus TCP protocol is detected by using the classification algorithm, the protocol feature vector is preprocessed by using the k-means clustering algorithm: randomly selecting k objects as initialization cluster, calculating the mean value of data in each cluster, and judging whether the center of the cluster is stable by using a standard criterion function, wherein the standard criterion function is defined as:

wherein x is_kOne of k points representing a cluster, c_iRepresenting the mean value of the ith cluster in the cluster clusters; therefore, the classification time is shortened, the classification accuracy is improved, the real-time requirement of ICS is met, and once the abnormal condition is detected, an alarm is generated immediately to inform the safety management platform.

5. the method for detecting the abnormality of the industrial control system according to claim 4, wherein in step S3, the PLC counts the regular changes of the register value by analyzing the sensor register value between the PLC and the field sensor device, generates the relation mapping table of the time and the register value, analyzes the characteristics of the surge attack, i.e. the attacker tampers the normal value at time t to increase it suddenly, compares the relation mapping table of the register value, sets the threshold value β to be 2 times of the output value under normal condition, finds that the real-time detection value theta immediately gives an alarm to the security management platform once exceeding the threshold beta, and judges by using the TCM-KNN algorithm classifier only when the real-time register value does not exceed the threshold beta, thus having more real-time than the detection method using only the algorithm classifier;

detecting the deviation between the real-time register value and the mapping table register value at each corresponding time point by using a TCM-KNN algorithm classifier to monitor whether the register value is normal or not in real time; once the register value is tampered, the security gateway immediately reports the abnormal condition to the security management platform, records the area where the abnormal condition is located and the PLC number of the area, and sends a control instruction to the PLC.

6. The double-contour-model-based industrial control system abnormality detection method according to claim 5, characterized in that: the TCM-KNN algorithm combines a classical classification algorithm K-nearest neighbor with a direct trust engine, and classifies data to be detected according to a register data set of classified ICS by a distance calculation method, namely a characteristic vector Euclidean distance between samples;

to quantify the degree of difference between the real-time register values and the register values in the mapping table, singular values are defined to represent:

wherein,the distance, i.e. the sequence of distances,representing a sequenceThe (j) th minimum distance in (d),representing the sequence of distances of sample i from all samples in the other classes except class y,representative sequencesThe j-th shortest distance, k represents the number of the selected nearest neighbors;

the confidence mechanism adopted in TCM is based on randomness detection, the estimation of the confidence is carried out by using a randomness detection function, and the value of a real-time register value relative to the detection function of the same category y is defined, namely the P value is as follows:

where α is the "potential" of the set, representing the number of elements of the finite set, α_irepresenting the singular value of i, alpha_jIs the singular value of any sample in the set; j is the number of samples of singular values in the category y, the singular value of which is greater than i; n is the number of elements of the set; the P value is the probability that the sample to be classified belongs to the existing several types of sample spaces;

each sample in the sample set to be classified has a P value corresponding to each class, and the P value is calculated asOne sample is processed at a time, and the value range of the P value is [0,1 ]]A larger value of P indicates a greater likelihood that i is attributed to y.