关键词: 工业控制系统, 业务行为检测, 联邦学习, 数据毒化, 攻击过滤

Abstract: In the era of industrial Internet,different manufacturers hope to get a more perfect security detection model by sharing local data.However,after accessing the Internet,local data is more vulnerable to theft,and federated learning can achieve the purpose of data privacy protection and sharing by exchanging model parameters.There are still some defects in the existing methods for industrial computer security detection: 1) the existing methods rarely consider the extraction of feature models from the business behavior;2) Current federated learning methods cannot solve the model offset problem caused by local data tampering;3) The network structure of front-end detection and back-end analysis of the existing detection system will increase the reverse communication between the back-end management network and the front-end control network,so as to introduce new attack path to the management network.In order to solve the above problems,a distributed security detection method for industrial personal computer service behavior based on federated learning,including an industrial personal computer service behavior feature detection method,federated learning model aggregation method based on information entropy distribution weight,data transmission reconstruction method based on forwarding hardware.The above method can improve the attack identification accuracy of industrial control application protocol,solve the problem of model deviation caused by internal data pollution of industrial personal computer;.The prototype system is implemented and experimentally verified in the coiling device control system.Compared with the industrial control security detection paper using non-business behavior modeling,the detection accuracy of man-in-the-middle attack and remote attack is improved by 17% and 24%,respectively.The validation results on two datasets show that the accuracy of the proposed method is more than 5% higher than that of the existing FedAvg aggregation algorithm,and the accuracy is 8% higher than that of the existing FedAvg aggregation algorithm in the case of data poisoning attack.Moreover,it can prevent attackers from using the management network to detect background vulnerabilities to launch remote attacks on the control network and reduce the attack surface.

Key words: industrial control systems, business behavior detection, federal learning, data poisoning, attack filtering