Research On Production Process Anomaly Detection Method Based On Spatiotemporal Regularities Of Production Behavior

There are various types of industrial equipment and industrial control systems in the industrial Internet,with a large number of them and countless vulnerabilities and backdoor resources.The attack paths are complex,and the accessibility of attacks is strong,posing unprecedented security threats to industrial control systems.Among the numerous security threats,attacks on the industrial production process in industrial control systems maliciously manipulate the production control process,hinder production tasks,induce equipment failures,or even cause production accidents,without causing obvious deviations in network traffic characteristics.Existing methods mostly rely on the detection of industrial control system attacks based on network traffic characteristics,and their effectiveness in detecting attacks on the industrial production process is not ideal.Therefore,this paper focuses on the characteristics of attacks on the industrial production process and studies an abnormal detection method based on the temporal and spatial correlation features of production behavior,aiming to ensure the security of industrial systems.The main research contents are as follows:(1)Research on a lightweight abnormal detection method for production equipment behavior based on event duration.In different stages of the production process,industrial equipment exhibits different durations of states due to variations in production tasks.When industrial equipment is attacked or malfunctions,the behavioral evolution of equipment running states will become abnormal,such as changes in states not following the usual pattern or drifting durations of states.This paper uses the Hidden Semi-Markov Model(HSMM)to model the operating data of industrial equipment,analyzes the temporal behavior evolution patterns of the production process,constructs an event duration-aware temporal behavior model for production equipment,and proposes a behavior deviation-based abnormal detection method for the production process,achieving the detection of abnormal events for individual devices.The HSMM model has low complexity and can meet the requirements of lightweight algorithm models for industrial equipment.By directly modeling the durations of hidden states in the production process and using discrete states with good interpretability,it can better learn the influence of event durations on the temporal consistency of production behavior,thus improving the accuracy of abnormal detection.(2)Research on an abnormal detection method for the production process based on the behavioral collaboration between production equipment.To address the issue of collaborative imbalance among multiple devices in the industrial control system caused by attacks on the production process,a method combining Graph Convolutional Networks(GCN)and Long Short-Term Memory(LSTM)is proposed for abnormal detection in the industrial production process(GCN-LSTM).GCN is used to learn the spatial correlation features among production equipment,and LSTM is employed to capture the temporal variation patterns of spatial correlations among production equipment.Based on the construction of the behavioral collaboration model among production equipment,a method for detecting abnormal events in the production process based on behavioral imbalances between devices is proposed,realizing the detection of distributed attack anomalies among multiple devices.Extensive experiments are conducted on publicly available datasets to validate the effectiveness of the proposed methods and evaluate the performance of the algorithms.The experimental results demonstrate that the proposed methods can effectively construct temporal behavior models for individual production equipment and behavioral collaboration models among multiple devices,and can detect abnormal events of individual devices and collaborative behavioral anomalies among multiple devices in the production process.The abnormal detection method based on HSMM achieves a detection accuracy of 96% for abnormal events of individual device behavior,which is a 2% and 4% improvement over the detection methods based on LSTM and autoencoders,respectively.The abnormal detection method based on GCN-LSTM achieves a detection accuracy of 97% for collaborative anomalies among multiple devices,which is a 10% and 8% improvement over the detection methods based on GCN and GAT,respectively.