Journal of Xidian University, 2022, Vol. 49, Issue (2): 173-181. doi: 10.19665/j.issn1001-2400.2022.02.020

• Computer Science and Technology & Cyberspace Security •

Latent feature reconstruction generative GAN model for ICS anomaly detection

GU Zhaojun1, LIU Tingting1,2, SUI He3

  1. Information Security Evaluation Center, Civil Aviation University of China, Tianjin 300300, China
  2. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
  3. College of Aeronautical Engineering, Civil Aviation University of China, Tianjin 300300, China
  • Received: 2020-07-30 Online: 2022-04-20 Published: 2022-05-31
  • Contact: He SUI
  • About the authors: GU Zhaojun (born 1966), male, professor, Ph.D., E-mail: zjgu@cauc.edu.cn; LIU Tingting (born 1996), female, master's student at Civil Aviation University of China, E-mail: max_ttliu@163.com
  • Funding:
    Fundamental Research Funds for the Central Universities, Civil Aviation University of China special project (3122019072); Civil Aviation Safety Capacity Building Fund project (PESA2019073); Open Fund of the Information Security Evaluation Center, Civil Aviation University of China (ISECCA-202004)

Abstract:

Anomaly detection for industrial control systems (ICS) mostly faces a class-imbalance problem, which lowers the accuracy of detection models and weakens their generalization. Building on the generative adversarial network (GAN), this paper proposes an anomaly detection model that is trained using only normal samples: the latent feature reconstruction generative GAN model (LFR-GAN). In the training stage, the model introduces a new encoder that learns the mapping from generated data to the latent space, realizing latent-space feature reconstruction of the generated data. In addition, an SE Block module is embedded to raise the weight of effective features and improve the latent-space feature reconstruction ability. The discriminator simultaneously discriminates three data pairs produced by the two encoders and one generator, improving model accuracy and generalization ability. In the detection stage, the reconstruction loss and the discrimination loss are considered together, and the anomaly scoring formula is optimized with the L2 norm to overcome mode collapse. Validation experiments on the SWaT and WADI datasets show that the LFR-GAN model has obvious advantages over models such as AnoGAN, WGAN-GP and BiGAN in terms of learning ability, stability and detection results.

Key words: industrial control system, unbalanced data set, generative adversarial network, anomaly detection

CLC Number:

  • TP393