工业物联网异常检测技术综述

doi:10.11959/j.issn.1000-436x.2022032

通信学报 ›› 2022, Vol. 43 ›› Issue (3): 196-210.doi: 10.11959/j.issn.1000-436x.2022032

工业物联网异常检测技术综述

孙海丽¹, 龙翔¹^,², 韩兰胜¹^,³, 黄炎⁴, 李清波¹

¹ 华中科技大学网络空间安全学院，湖北武汉 430074
² 湖北生物科技职业学院，湖北武汉 430070
³ 鹏城实验室网络空间安全研究中心，广东深圳 518000
⁴ 华中科技大学计算机科学与技术学院，湖北武汉 430074

修回日期:2022-01-24 出版日期:2022-03-25 发布日期:2022-03-01
作者简介:孙海丽（1991- ），女，湖北武汉人，华中科技大学博士生，主要研究方向为工业物联网安全、入侵检测与预防、隐私保护、恶意行为识别等
龙翔（1973- ），男，湖北武汉人，华中科技大学博士生，湖北生物科技职业学院副教授，主要研究方向为网络空间安全、网络虚拟化、网络空间安全仿真等
韩兰胜（1972- ），男，湖北武汉人，华中科技大学教授、博士生导师，主要研究方向为网络安全、大数据安全、软件安全、恶意代码、移动终端安全等
黄炎（1988- ），男，湖北武汉人，华中科技大学博士生，主要研究方向为网络功能虚拟化、人工智能安全、知识图谱等
李清波（1998- ），女，江西宜春人，华中科技大学硕士生，主要研究方向为移动终端安全、隐私保护等
基金资助:
国家自然科学基金资助项目(61272033);国家自然科学基金资助项目(62072200);国家自然科学基金资助项目(6217071437);国家自然科学基金资助项目(62127808)

Overview of anomaly detection techniques for industrial Internet of things

Haili SUN¹, Xiang LONG¹^,², Lansheng HAN¹^,³, Yan HUANG⁴, Qingbo LI¹

¹ School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
² Hubei Vocational College of Bio-Technology, Wuhan 430070, China
³ Cyberspace Security Center, Peng Cheng Laboratory, Shenzhen 518000, China
⁴ School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China

Revised:2022-01-24 Online:2022-03-25 Published:2022-03-01
Supported by:
The National Natural Science Foundation of China(61272033);The National Natural Science Foundation of China(62072200);The National Natural Science Foundation of China(6217071437);The National Natural Science Foundation of China(62127808)

摘要/Abstract

摘要：

针对不同的异常检测方法的差异及应用于工业物联网（IIoT）安全防护的适用性问题，从技术原理出发，调研分析2000—2021年发表的关于网络异常检测的论文，总结了工业物联网面临的安全威胁，归纳了9种网络异常检测方法及其特点，通过纵向对比梳理了不同方法的优缺点和适用工业物联网场景。另外，对常用数据集做了统计分析和对比，并从4个方向对未来发展趋势进行展望。分析结果可以指导按应用场景选择适配方法，发现待解决关键问题并为后续研究指明方向。

关键词: 工业物联网, 异常检测, 网络入侵, 网络攻击

Abstract:

In view of the differences of existing anomaly detection methods and the applicability when applied to security protection of the industrial Internet of things (IIoT), based on technical principles, the network anomaly detection papers published from 2000 to 2021 were investigated and the security threats faced by IIoT were summarized.Then, network anomaly detection methods were classified into 9 classes and the characteristics of each class was studied.Through longitudinal comparison, the merits and shortcomings of different methods and their applicability to IIoT scenarios were sorted out.In addition, statistical analysis and comparison of common data sets were made, and the development trend in the future was forecasted from 4 directions.The analysis results can guide the selection of adaptive methods according to application scenarios, identify key problems to be solved, and point out the direction for subsequent research.

Key words: industrial Internet of things, anomaly detection, network intrusion, cyber attack

中图分类号:

TN92

孙海丽, 龙翔, 韩兰胜, 黄炎, 李清波. 工业物联网异常检测技术综述[J]. 通信学报, 2022, 43(3): 196-210.

Haili SUN, Xiang LONG, Lansheng HAN, Yan HUANG, Qingbo LI. Overview of anomaly detection techniques for industrial Internet of things[J]. Journal on Communications, 2022, 43(3): 196-210.

图/表 10

表1

表2

表3

表4

工业系统中的基于深度学习的异常检测研究成果"

方法	文献	使用的数据集	性能指标	被引用数
CNN	文献[52]	SWAT数据集	精确率为0.95，召回率为0.79，F1得分为0.87	132
RNN+LSTM	文献[54]	网络流量包	均方差为265.65，平均绝对误差为3.23，R2为0.97	3
包签名+LSTM	文献[66]	Gas pipeline system数据集	准确率为0.92，精确率为0.94，召回率为0.78，F1得分为0.85	134
向量卷积深度学习	文献[67]	UNSW Bot-IoT 数据集	准确率为0.99，精确率为0.99，召回率为0.99	11
LSTM	文献[68]	Modbus/TCP网络流量数据集	准确率为0.99，精确率为0.99，召回率为0.98，F1得分为0.99	16
CNN cuDNNLSTM	文献[69]	Bot-IoT数据集	准确率为0.99，精确率为0.99，召回率为0.99，F1得分为0.99，假阳率为0.059	8
k-means + 卷积自动编码器	文献[71]	Gas pipeline system数据集	准确率为0.95，精确率为0.95，召回率为0.83，F1得分为0.89	5
		Water storage tank 数据集	准确率为0.96，精确率为0.93，召回率为0.94，F1得分为0.93	5
堆叠变分神经网络	文献[72]	Windows勒索软件数据集	准确率为0.92，检测率为0.99，假阳率为0.139	7
自动编码器+极限学习机	文献[73]	Gas pipeline数据集	准确率为0.97，假阳率为0.0035，ROC为曲线	1
GRU+多头注意力	文献[74]	Bot-IoT数据集	准确率为0.98，F1得分为0.97，AUC 为0.99	2
		UNSW_NB15数据集	准确率为0.99， F1得分为0.98，AUC为0.99	2
双向LSTM	文献[75]	CTU-13数据集	准确率为0.95，检测率为0.67，假阳率为0.53，假阴率为0.21	6
		AWID 数据集	准确率为0.97，检测率为0.83，假阳率为0.20，假阴率为0.602	6
深度随机神经网络	文献[76]	UNSW_NB15数据集	准确率为0.9954	4
孪生卷积神经网络	文献[77]	UNSW_NB15数据集	精确率为0.90，召回率为0.96，F1得分为0.93，误报率为0.047	21

表4

表5

表6

表7

表8

表9

每种检测方法的优缺点以及现有研究成果"

方法	优点	缺点	研究成果
系统不变性	一旦挖掘出系统不变性，只要是违反这些不变性的动作，都被认为是异常的；能够应对工业系统数据的动态性	不能发掘系统所有的不变性；适用性较差；不适合处理高维传感器数据	文献[11-16]
物理状态建模	一旦完成物理模型的构建，只要是偏离物理模型的操作，都被识别为异常；计算量小，时间复杂度低；为特定系统量身定做	不适合处理高维传感器数据；网络攻击者可以躲避控制理论建模方法的检测；构建模型需要专家知识；适用性较差	文献[17-22]
统计学习	一旦获得合适的概率分布模型，就能够有效识别异常；利用时间相关性可以检测出传感器的故障和异常值	由于通常没有以前的传感器数据分布知识，参数统计方法是没有好处的，而非参数统计模型不适用于数据密集的物联网在实时环境下的工作。通常，管理产生的多变量数据的计算成本很高	文献[23-29]
特征选择	筛选出强相关性的特征，降低数据的噪声和冗余性；能够处理高维传感器数据	需要通过人工选择或自动提取方式找到合适的特征，人工特征选择依赖专家经验，自动提取方式模型可解释性较差	文献[30-38]
机器学习	适用于物联网系统中不同传感器产生的各种类型的数据，有监督、半监督和无监督等多种学习方式	性能很大程度上依赖所采用的特征工程技术的稳健性；应用于大规模高维数据时，性能会严重恶化；学习能力不够强，无法应对工业物联网环境中数据（网络攻击）的动态性	文献[39-51]
深度学习	具有自动学习能力，且学习能力强大，可处理高维传感器数据；可应对物联网环境中数据（网络攻击）的动态性；不需要特征工程；实时检测异常	模型需要进行多次微调和模拟，才能在现实生活中投入使用；模型计算成本高，不适合资源不足的传感器；依赖大量标注数据	文献[52-73]
联邦学习	在多方数据源聚合的场景下协同训练全局最优模型，同时能够保护数据隐私，支持样本数量不足的情况	通信效率短板明显、隐私安全仍有缺陷、缺乏信任与激励机制	文献[78-81]
边缘/雾计算	减轻云和核心网络的网络负担；能够处理对时间要求严格的物联网的能源效率和时延敏感型应用	依赖网络传输、存在通信时延和隐私问题	文献[82-88]
图	能够学习多传感器数据之间的相互依赖；检测并发攻击	依赖图结构数据，需要构建数据之间的复杂关联，并且可能存在数据稀疏情况下的学习不平衡问题	文献[89-91]
指纹	通过建模ICS网络的静态和低时延特征或者信号传输的模式来建立设备的指纹，不符合该指纹模式的数据皆被识别为异常	不能应对工业网络数据的动态性；若系统特征少，则无法建立指纹	文献[92-95]
生物免疫	建立在精确数据模型或进化计算的基础上；数学模型简单，易于实现	功能不强，容易失真	文献[96-98]

表9

表10

参考文献 104

[1]	DAUGHERTY P , BERTHON B . Winning with the industrial Internet of things:how to accelerate the journey to productivity and growth[R]. 2015.
[2]	TANGE K , DONNO M D , FAFOUTIS X ,et al. A systematic survey of industrial Internet of things security:requirements and fog computing opportunities[J]. IEEE Communications Surveys ＆ Tutorials, 2020,22(4): 2489-2520.
[3]	SPOGNARDI A , DONNO M D , DRAGONI N ,et al. Analysis of DDoS-capable IoT malwares[C]// Proceedings of the 2017 Federated Conference on Computer Science and Information Systems,Annals of Computer Science and Information Systems. Piscataway:IEEE Press, 2017: 807-816.
[4]	ZHOU L Y , GUO H Q . Anomaly detection methods for IIoT networks[C]// Proceedings of 2018 IEEE International Conference on Service Operations and Logistics,and Informatics. Piscataway:IEEE Press, 2018: 214-219.
[5]	LANGNER R . Stuxnet:dissecting a cyberwarfare weapon[J]. IEEE Security ＆ Privacy, 2011,9(3): 49-51.
[6]	LEE R . CRASHOVERRIDE:analysis of the threat to electric grid operations[R]. 2017.
[7]	BUCZAK A L , GUVEN E . A survey of data mining and machine learning methods for cyber security intrusion detection[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(2): 1153-1176.
[8]	CHANDOLA V , BANERJEE A , KUMAR V . Anomaly detection[J]. ACM Computing Surveys, 2009,41(3): 1-58.
[9]	BHUYAN M H , BHATTACHARYYA D K , KALITA J K . Network anomaly detection:methods,systems and tools[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(1): 303-336.
[10]	GARCíA-TEODORO P , DíAZ-VERDEJO J , MACIá-FERNáNDEZ G ,et al. Anomaly-based network intrusion detection:techniques,systems and challenges[J]. Computers ＆ Security, 2009,28(1/2): 18-28.
[11]	CHOUDHARI A , RAMAPRASAD H , PAUL T ,et al. Stability of a cyber-physical smart grid system using cooperating invariants[C]// Proceedings of 2013 IEEE 37th Annual Computer Software and Applications Conference. Piscataway:IEEE Press, 2013: 760-769.
[12]	PAUL T , KIMBALL J W , ZAWODNIOK M ,et al. Unified invariants for cyber-physical switched system stability[J]. IEEE Transactions on Smart Grid, 2014,5(1): 112-120.
[13]	PAL K , ADEPU S , GOH J . Effectiveness of association rules mining for invariants generation in cyber-physical systems[C]// Proceedings of 2017 IEEE 18th International Symposium on High Assurance Systems Engineering. Piscataway:IEEE Press, 2017: 124-127.
[14]	MOMTAZPOUR M , ZHANG J H , RAHMAN S ,et al. Analyzing invariants in cyber-physical systems using latent factor regression[C]// Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York:ACM Press, 2015: 2009-2018.
[15]	CHEN Y Q , POSKITT C M , SUN J . Learning from mutants:using code mutation to learn and monitor invariants of a cyber-physical system[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2018: 648-660.
[16]	FENG C , PALLETI V R , MATHUR A ,et al. A systematic framework to generate invariants for anomaly detection in industrial control systems[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[17]	ASHOK A , GOVINDARASU M , WANG J H . Cyber-physical attack-resilient wide-area monitoring,protection,and control for the power grid[J]. Proceedings of the IEEE, 2017,105(7): 1389-1407.
[18]	AMIN S , LITRICO X , SASTRY S S ,et al. Cyber security of water SCADA systems—part II:attack detection using enhanced hydrodynamic models[J]. IEEE Transactions on Control Systems Technology, 2013,21(5): 1679-1693.
[19]	LIN H , SLAGELL A , KALBARCZYK Z ,et al. Semantic security analysis of SCADA networks to detect malicious control commands in power grids[C]// Proceedings of the First ACM Workshop on Smart Energy Grid Security. New York:ACM Press, 2013: 29-34.
[20]	SRIDHAR S , GOVINDARASU M . Model-based attack detection and mitigation for automatic generation control[J]. IEEE Transactions on Smart Grid, 2014,5(2): 580-591.
[21]	MO Y L , KIM T H J , BRANCIK K ,et al. Cyber–physical security of a smart grid infrastructure[J]. Proceedings of the IEEE, 2012,100(1): 195-209.
[22]	ETCHEVéS M E , SETOLA R , BERNIERI G ,et al. Fault diagnosis and network anomaly detection in water infrastructures[J]. IEEE Design ＆ Test, 2017,34(4): 44-51.
[23]	RAJASEGARAR S , LECKIE C , PALANISWAMI M . Anomaly detection in wireless sensor networks[J]. IEEE Wireless Communications, 2008,15(4): 34-40.
[24]	RAJASEGARAR S , LECKIE C , PALANISWAMI M . Detecting data anomalies in wireless sensor networks[M]. Singapore: World Scientific, 2009.
[25]	费欢, 肖甫, 李光辉 ,等. 基于多模态数据流的无线传感器网络异常检测方法[J]. 计算机学报, 2017,40(8): 1829-1842.
	FEI H , XIAO F , LI G H ,et al. An anomaly detection method of wireless sensor network based on multi-modals data stream[J]. Chinese Journal of Computers, 2017,40(8): 1829-1842.
[26]	AKIYAMA Y , KASAI Y J , IWATA M ,et al. Anomaly detection of solar power generation systems based on the normalization of the amount of generated electricity[C]// Proceedings of 2015 IEEE 29th International Conference on Advanced Information Networking and Applications. Piscataway:IEEE Press, 2015: 294-301.
[27]	NGUYEN L V , KAPINSKI J , JIN X Q ,et al. Abnormal data classification using time-frequency temporal logic[C]// Proceedings of the 20th International Conference on Hybrid Systems:Computation and Control. New York:ACM Press, 2017: 237-242.
[28]	ZHAO P S , KURIHARA M , TANAKA J ,et al. Advanced correlation-based anomaly detection method for predictive maintenance[C]// Proceedings of 2017 IEEE International Conference on Prognostics and Health Management. Piscataway:IEEE Press, 2017: 78-83.
[29]	ZANG D , LIU J H , WANG H Z . Markov chain-based feature extraction for anomaly detection in time series and its industrial application[C]// Proceedings of 2018 Chinese Control and Decision Conference (CCDC). Piscataway:IEEE Press, 2018: 1059-1063.
[30]	LAKHINA M , SINI J , BHUPENDRA V . Feature reduction using principal component analysis for effective anomaly–based intrusion detection on NSL-KDD[J]. International Journal of Engineering Science and Technology, 2010,2(6): 1790-1799.
[31]	ZHOU Y , YU L , LIU M S ,et al. Network intrusion detection based on Kernel principal component analysis and extreme learning machine[C]// Proceedings of 2018 IEEE 18th International Conference on Communication Technology. Piscataway:IEEE Press, 2018: 860-864.
[32]	GAO J L , CHAI S C , ZHANG B H ,et al. Research on network intrusion detection based on incremental extreme learning machine and adaptive principal component analysis[J]. Energies, 2019,12(7): 1223.
[33]	KANG S H , . A feature selection algorithm to find optimal feature subsets for detecting DoS attacks[C]// Proceedings of 2015 5th International Conference on IT Convergence and Security (ICITCS). Piscataway:IEEE Press, 2015: 1-3.
[34]	KANG S H , KIM K J . A feature selection approach to find optimal feature subsets for the network intrusion detection system[J]. Cluster Computing, 2016,19(1): 325-333.
[35]	FERRIYAN A , THAMRIN A H , TAKEDA K ,et al. Feature selection using genetic algorithm to improve classification in network intrusion detection system[C]// Proceedings of 2017 International Electronics Symposium on Knowledge Creation and Intelligent Computing (IES-KCIC). Piscataway:IEEE Press, 2017: 46-49.
[36]	CHEN F , YE Z W , WANG C Z ,et al. A feature selection approach for network intrusion detection based on tree-seed algorithm and K-nearest neighbor[C]// Proceedings of 2018 IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems. Piscataway:IEEE Press, 2018: 68-72.
[37]	ZHANG X Y , LI J , ZHANG D J ,et al. Research on feature selection for cyber attack detection in industrial Internet of things[C]// Proceedings of the 2020 International Conference on Cyberspace Innovation of Advanced Technologies. New York:ACM Press, 2020: 256-262.
[38]	CHENG X X , LI W , XIAO Z ,et al. Intrusion detection system based on QBSO-FS[C]// Proceedings of 2020 International Conference on Artificial Intelligence and Computer Engineering (ICAICE). Piscataway:IEEE Press, 2020: 372-377.
[39]	YAN W Z , . One-class extreme learning machines for gas turbine combustor anomaly detection[C]// Proceedings of 2016 International Joint Conference on Neural Networks (IJCNN). Piscataway:IEEE Press, 2016: 2909-2914.
[40]	NARAYANASWAMY B , BALAJI B , GUPTA R ,et al. Data driven investigation of faults in HVAC systems with model,cluster and compare (MCC)[C]// Proceedings of the 1st ACM Conference on Embedded Systems for Energy-Efficient Buildings. New York:ACM Press, 2014: 50-59.
[41]	HAYES M A , CAPRETZ M A M . Contextual anomaly detection in big sensor data[C]// Proceedings of 2014 IEEE International Congress on Big Data. Piscataway:IEEE Press, 2014: 64-71.
[42]	FU L D , ZHANG W B , TAN X B ,et al. An algorithm for detection of traffic attribute exceptions based on cluster algorithm in industrial Internet of things[J]. IEEE Access, 2021,9: 53370-53378.
[43]	TAMY S , BELHADAOUI H , RABBAH M A ,et al. An evaluation of machine learning algorithms to detect attacks in SCADA network[C]// Proceedings of 2019 7th Mediterranean Congress of Telecommunications (CMT). Piscataway:IEEE Press, 2019: 1-5.
[44]	ELNOUR M , MESKIN N , KHAN K ,et al. A dual-isolation- forests-based attack detection framework for industrial control systems[J]. IEEE Access, 2020,8: 36639-36651.
[45]	ALSHAMMARI A , ZOHDY M A . Internet of things attacks detection and classification using tiered hidden Markov model[C]// Proceedings of the 2019 8th International Conference on Software and Computer Applications. New York:ACM Press, 2019: 550-554.
[46]	CARINO J A , ZURITA D , PICOT A ,et al. Novelty detection methodology based on multi-modal one-class support vector machine[C]// Proceedings of 2015 IEEE 10th International Symposium on Diagnostics for Electrical Machines,Power Electronics and Drives. Piscataway:IEEE Press, 2015: 184-190.
[47]	LEE S , YOO H , SEO J ,et al. Packet diversity-based anomaly detection system with OCSVM and representative model[C]// Proceedings of 2016 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data. Piscataway:IEEE Press, 2016: 498-503.
[48]	YANG H H , ZHOU Z P . A novel intrusion detection scheme using cloud grey wolf optimizer[C]// Proceedings of 2018 37th Chinese Control Conference (CCC). Piscataway:IEEE Press, 2018: 8297-8302.
[49]	DENG X W , JIANG P , PENG X N ,et al. An intelligent outlier detection method with one class support tucker machine and genetic algorithm toward big sensor data in Internet of things[J]. IEEE Transactions on Industrial Electronics, 2019,66(6): 4672-4683.
[50]	WU C W , CHEN M . Early anomaly detection in wind turbine bolts breaking problem—methodology and application[C]// Proceedings of 2018 IEEE 3rd International Conference on Big Data Analysis. Piscataway:IEEE Press, 2018: 402-406.
[51]	WANG B , LI M X , SHU F ,et al. Bayesian-based industrial Internet service abnormal detection algorithm[C]// Proceedings of the 2nd International Conference on Information Technologies and Electrical Engineering. New York:ACM Press, 2019: 1-4.
[52]	KRAVCHIK M , SHABTAI A . Detecting cyber attacks in industrial control systems using convolutional neural networks[C]// Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and Privacy. New York:ACM Press, 2018: 72-83.
[53]	FERRAG M A , MAGLARAS L , MOSCHOYIANNIS S ,et al. Deep learning for cyber security intrusion detection:approaches,datasets,and comparative study[J]. Journal of Information Security and Applications, 2020,50:102419.
[54]	PARK S H , PARK H J , CHOI Y J . RNN-based prediction for network intrusion detection[C]// Proceedings of 2020 International Conference on Artificial Intelligence in Information and Communication (ICAIIC). Piscataway:IEEE Press, 2020: 572-574.
[55]	GOH J , ADEPU S , TAN M ,et al. Anomaly detection in cyber physical systems using recurrent neural networks[C]// Proceedings of 2017 IEEE 18th International Symposium on High Assurance Systems Engineering. Piscataway:IEEE Press, 2017: 140-145.
[56]	KORONIOTIS N , MOUSTAFA N , SITNIKOVA E ,et al. Towards the development of realistic botnet dataset in the Internet of things for network forensic analytics:Bot-IoT dataset[J]. Future Generation Computer Systems, 2019,100: 779-796.
[57]	FREITAS D A P , KADDOUM G , CAMPELO D R ,et al. Intrusion detection for cyber–physical systems using generative adversarial networks in fog environment[J]. IEEE Internet of Things Journal, 2021,8(8): 6247-6256.
[58]	ZHOU P , . Payload-based anomaly detection for industrial Internet using encoder assisted GAN[C]// Proceedings of 2020 IEEE 6th International Conference on Computer and Communications. Piscataway:IEEE Press, 2020: 669-673.
[59]	LIU H P , ZHOU Z P , ZHANG M . Application of optimized bidirectional generative adversarial network in ICS intrusion detection[C]// Proceedings of 2020 Chinese Control and Decision Conference (CCDC). Piscataway:IEEE Press, 2020: 3009-3014.
[60]	IBITOYE O , SHAFIQ O , MATRAWY A . Analyzing adversarial attacks against deep learning for intrusion detection in IoT networks[C]// Proceedings of 2019 IEEE Global Communications Conference. Piscataway:IEEE Press, 2019: 1-6.
[61]	KORONIOTIS N , MOUSTAFA N , SITNIKOVA E . A new network forensic framework based on deep learning for Internet of things networks:a particle deep framework[J]. Future Generation Computer Systems, 2020,110: 91-106.
[62]	ZHOU X K , HU Y Y , LIANG W ,et al. Variational LSTM enhanced anomaly detection for industrial big data[J]. IEEE Transactions on Industrial Informatics, 2020,17(5): 3469-3477.
[63]	KONG F H , LI J Q , JIANG B ,et al. Integrated generative model for industrial anomaly detection via Bi-directional LSTM and attention mechanism[J]. IEEE Transactions on Industrial Informatics, 2021,PP(99): 1.
[64]	WU D , JIANG Z K , XIE X F ,et al. LSTM learning with Bayesian and Gaussian processing for anomaly detection in industrial IoT[J]. IEEE Transactions on Industrial Informatics, 2020,16(8): 5244-5253.
[65]	ROY B , CHEUNG H . A deep learning approach for intrusion detection in Internet of things using Bi-directional long short-term memory recurrent neural network[C]// Proceedings of 2018 28th International Telecommunication Networks and Applications Conference (ITNAC). Piscataway:IEEE Press, 2018: 1-6.
[66]	FENG C , LI T T , CHANA D . Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks[C]// Proceedings of 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Piscataway:IEEE Press, 2017: 261-272.
[67]	BHUVANESWARI A , SELVAKUMAR S . Anomaly detection framework for Internet of things traffic using vector convolutional deep learning approach in fog environment[J]. Future Generation Computer Systems, 2020,113: 255-265.
[68]	SAHARKHIZAN M , AZMOODEH A , DEHGHANTANHA A ,et al. An ensemble of deep recurrent neural networks for detecting IoT cyber attacks using network traffic[J]. IEEE Internet of Things Journal, 2020,7(9): 8852-8859.
[69]	LIAQAT S , AKHUNZADA A , SHAIKH F S ,et al. SDN orchestration to combat evolving cyber threats in Internet of medical things (IoMT)[J]. Computer Communications, 2020,160: 697-705.
[70]	KIM D , YANG H , CHUNG M ,et al. Squeezed convolutional variational autoencoder for unsupervised anomaly detection in edge device industrial Internet of things[C]// Proceedings of 2018 International Conference on Information and Computer Technologies (ICICT). Piscataway:IEEE Press, 2018: 67-71.
[71]	CHANG C P , HSU W C , LIAO I . Anomaly detection for industrial control systems using k-means and convolutional autoencoder[C]// Proceedings of 2019 International Conference on Software,Telecommunications and Computer Networks (SoftCOM). Piscataway:IEEE Press, 2019: 1-6.
[72]	AL-HAWAWREH M , SITNIKOVA E . Industrial Internet of things based ransomware detection using stacked variational neural network[C]// Proceedings of the 3rd International Conference on Big Data and Internet of Things. New York:ACM Press, 2019: 126-130.
[73]	LI Y Z , LI Y , ZHANG S P . Intrusion detection algorithm based on deep learning for industrial control networks[C]// Proceedings of the 2019 2nd International Conference on Robotics,Control and Automation Engineering. New York:ACM Press, 2019: 40-44.
[74]	ABDEL-BASSET M , CHANG V , HAWASH H ,et al. Deep-IFS:intrusion detection approach for industrial Internet of things traffic in fog environment[J]. IEEE Transactions on Industrial Informatics, 2021,17(11): 7704-7715.
[75]	LI X H , XU M F , VIJAYAKUMAR P ,et al. Detection of low-frequency and multi-stage attacks in industrial Internet of things[J]. IEEE Transactions on Vehicular Technology, 2020,69(8): 8820-8831.
[76]	LATIF S , IDREES Z , ZOU Z ,et al. DRaNN:a deep random neural network model for intrusion detection in industrial IoT[C]// Proceedings of 2020 International Conference on UK-China Emerging Technologies (UCET). Piscataway:IEEE Press, 2020: 1-4.
[77]	ZHOU X K , LIANG W , SHIMIZU S ,et al. Siamese neural network based few-shot learning for anomaly detection in industrial cyber-physical systems[J]. IEEE Transactions on Industrial Informatics, 2020,17(8): 5790-5798.
[78]	LIU Y , KUMAR N , XIONG Z H ,et al. Communication-efficient federated learning for anomaly detection in industrial Internet of things[C]// Proceedings of 2020 IEEE Global Communications Conference. Piscataway:IEEE Press, 2020: 1-6.
[79]	LIU Y , GARG S , NIE J T ,et al. Deep anomaly detection for time-series data in industrial IoT:a communication-efficient on-device federated learning approach[J]. IEEE Internet of Things Journal, 2021,8(8): 6348-6358.
[80]	LI B B , WU Y H , SONG J R ,et al. DeepFed:federated deep learning for intrusion detection in industrial cyber–physical systems[J]. IEEE Transactions on Industrial Informatics, 2021,17(8): 5615-5624.
[81]	WANG X D , GARG S , LIN H ,et al. Towards accurate anomaly detection in industrial Internet-of-things using hierarchical federated learning[J]. IEEE Internet of Things Journal, 2021,PP(99): 1.
[82]	LA Q D , NGO M V , DINH T Q ,et al. Enabling intelligence in fog computing to achieve energy and latency reduction[J]. Digital Communications and Networks, 2019,5(1): 3-9.
[83]	CHEN Z , HU W L , WANG J J ,et al. An empirical study of latency in an emerging class of edge computing applications for wearable cognitive assistance[C]// Proceedings of the Second ACM/IEEE Symposium on Edge Computing. New York:ACM Press, 2017: 1-14.
[84]	NGO M V , LUO T , CHAOUCHI H ,et al. Contextual-bandit anomaly detection for IoT data in distributed hierarchical edge computing[C]// Proceedings of 2020 IEEE 40th International Conference on Distributed Computing Systems. Piscataway:IEEE Press, 2020: 1227-1230.
[85]	PENG Y H , TAN A P , WU J J ,et al. Hierarchical edge computing:a novel multi-source multi-dimensional data anomaly detection scheme for industrial Internet of things[J]. IEEE Access, 2019,7: 111257-111270.
[86]	KONG D Q , LIU D S , ZHANG L ,et al. Sensor anomaly detection in the industrial Internet of things based on edge computing[J]. Turkish Journal of Electrical Engineering ＆ Computer Sciences, 2020,28(1): 331-346.
[87]	NGO M V , CHAOUCHI H , LUO T ,et al. Adaptive anomaly detection for IoT data in hierarchical edge computing[J]. arXiv Preprint,arXiv:2001.03314, 2020.
[88]	YU X , SHAN C , BIAN J L ,et al. AdaGUM:an adaptive graph updating model-based anomaly detection method for edge computing environment[J]. Security and Communication Networks,2021, 2021:9954951.
[89]	MA G , GU W X , HUANG Q Y ,et al. Anomaly detection for mobile devices in industrial Internet[C]// Proceedings of the 2020 ACM International Joint Conference on Pervasive and Ubiquitous Computing and Proceedings of the 2020 ACM International Symposium on Wearable Computers. New York:ACM Press, 2020: 75-77.
[90]	VELAMPALLI S , EBERLE W . Novel graph based anomaly detection using background knowledge[C]// Proceedings of the Thirtieth International Florida Artificial Intelligence Research Society Conference(FLAIRS). New York:ACM Press, 2017: 538-543.
[91]	LIN Q , ADEPU S , VERWER S ,et al. TABOR:a graphical model-based approach for anomaly detection in industrial control systems[C]// Proceedings of the 2018 on Asia Conference on Computer and Communications Security. New York:ACM Press, 2018: 525-536.
[92]	FORMBY D , SRINIVASAN P , LEONARD A ,et al. Who’s in control of your control system? device fingerprinting for cyber-physical systems[C]// Proceedings of 2016 Network and Distributed System Security Symposium. Reston:Internet Society, 2016: 1-15.
[93]	SHEN C , LIU C , TAN H L ,et al. Hybrid-augmented device fingerprinting for intrusion detection in industrial control system networks[J]. IEEE Wireless Communications, 2018,25(6): 26-31.
[94]	CHEN Y F , HU W T , ALAM M ,et al. Fiden:intelligent fingerprint learning for attacker identification in the industrial Internet of things[J]. IEEE Transactions on Industrial Informatics, 2021,17(2): 882-890.
[95]	AHMED C M , PRAKASH J , QADEER R ,et al. Process skew:fingerprinting the process for anomaly detection in industrial control systems[C]// Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks. New York:ACM Press, 2020: 219-230.
[96]	BENYETTOU N , BENYETTOU A , RODIN V . The cooperation of immune agents for intrusion detection system[C]// Proceedings of the 2017 International Conference on Industrial Design Engineering. New York:ACM Press, 2017: 133-137.
[97]	PINTO R , GONCALVES G , TOVAR E ,et al. Attack detection in cyber-physical production systems using the deterministic dendritic cell algorithm[C]// Proceedings of 2020 25th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA). Piscataway:IEEE Press, 2020: 1-8.
[98]	AHMAD S , LAVIN A , PURDY S ,et al. Unsupervised real-time anomaly detection for streaming data[J]. Neurocomputing, 2017,262: 134-147.
[99]	IGBE O , DARWISH I , SAADAWI T . Deterministic dendritic cell algorithm application to smart grid cyber-attack detection[C]// Proceedings of 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud). Piscataway:IEEE Press, 2017: 199-204.
[100]	MOUSTAFA N , SLAY J . UNSW-NB15:a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)[C]// Proceedings of 2015 Military Communications and Information Systems Conference (MilCIS). Piscataway:IEEE Press, 2015: 1-6.
[101]	GOH J , ADEPU S , JUNEJO K N ,et al. A dataset to support research in the design of secure water treatment systems[C]// International Conference on Critical Information Infrastructures Security. Berlin:Springer, 2016: 88-99.
[102]	TAVALLAEE M , BAGHERI E , LU W ,et al. A detailed analysis of the KDD Cup 99 data set[C]// Proceedings of 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications. Piscataway:IEEE Press, 2009: 1-6.
[103]	GARCíA S , GRILL M , STIBOREK J ,et al. An empirical comparison of botnet detection methods[J]. Computers ＆ Security, 2014,45: 100-123.
[104]	BANOS O , GARCIA R , HOLGADO-TERRIZA J A ,et al. mHealthDroid:a novel framework for agile development of mobile health applications[C]// International Workshop on Ambient Assisted Living. Berlin:Springer, 2014: 91-98.

方法	数据性质	异常类型	可用的数据	传感器类型	应用领域	评价标准	被引用数
统计学习	连续型数据	点异常	温度、湿度、光照强度等数据	温度、湿度传感器等	野外监测	准确率和误报率	17
时序逻辑	连续型数据	点异常	在50个轨迹集合上进行监督学习	空压机电机转速	燃料电池车辆	误分类率	18
关联性分析	连续型数据	上下文异常	在 5 个机器数据上进行监督学习	发动机上的传感器	工厂里的发电机	相关性系数	36
密度函数模型	连续型数据	点异常	在24个太阳能面板数据上进行监督学习	电流数据	太阳能发电系统	ROC曲线	6
马尔可夫链	连续型数据	点异常	在压力传感器数据上进行监督学习	压力传感器	石油管道	准确率	14

方法	文献	使用的数据集	性能指标	被引次数
PCA-神经网络	文献[30]	NSL-KDD数据集	训练时间、检测时间、检测到的记录数	126
KPCA+ELM	文献[31]	KDD Cup 99数据集	准确率为0.98，误报率为0.02，检测时间为0.75 ms	2
IELM+APCA	文献[32]	NSL-KDD数据集	准确率为0.81，检测时间为19.97，误报率为0.30	20
		UNSW-NB15数据集	准确率为0.70，检测时间为476.19，误报率为0.35	20
元启发式算法+k-means	文献[34]	NSL-KDD数据集	准确率为0.97，检测率为0.96，误报率为0.02	60
TSA+KNN	文献[36]	KDD Cup 99数据集	准确率为0.873 4	16
MRMR + SVM	文献[37]	UNSW-NB15数据集MSU数据集	准确率为0.699 6准确率为0.956 7	00
QBSO-FS+机器学习	文献[38]	NSL-KDD数据集	准确率、召回率	0

方法	异常类型	实验数据	传感器类型	评价标准
ELM	点异常	燃烧室排气数据	温度传感器	ROC曲线
多元聚类	上下文异常	真实的感知数据	来自电力、水和天然气系统的传感器数据	误分类率
聚类	上下文异常	在五层建筑物的非监督学习	温度传感器	错误警报
GBDT	上下文异常	风力涡轮机数据的监督学习	150个风力涡轮机的测量参数	准确率
双重孤立森林+主成分分析	集合异常	安全水处理实验台和水分配试验	压力传感器、红外传感器等	分类精度、召回率
		台数据
OCSTuM+GA-OCSTuM	点异常	蒙特斯传感器数据集等	54个不同种类的传感器	准确率

方法	文献	使用的数据集	性能指标	被引次数
联邦学习+CNN-LSTM	文献[78]	Power demand数据集	准确率：约0.94，均方根误差：约3.8	6
		Statlog数据集	准确率：约0.93，均方根误差：约4	6
联邦学习+注意力机制+CNN-LSTM	文献[79]	Power demand数据集	准确率：约0.97，均方根误差：约3.7	32
		Statlog数据集	准确率：约0.95，均方根误差：约3.75	32
联邦学习+CNN-GRU	文献[80]	Gas pipeline数据集	精确率，召回率，F1得分	26
联邦学习+深度强化学习	文献[81]	—	系统吞吐量，平均时延，准确率	4

方法	文献	使用的数据集	性能指标	被引次数
HEC-自动编码器+LSTM	文献[84]	Power consumption数据集	准确率为0.99，F1得分为0.87，时延为144.5 ms	2
		mHealth数据集	准确率为0.98，F1得分为0.97，时延为674.87 ms	2
HEC-深度神经网络	文献[87]	Power consumption数据集	准确率为0.98，F1得分为0.83，时延为16.28 ms	9
HEC-模糊理论	文献[85]	单个/多个传感器数据	准确率，算法执行时间，平均时延	11
边缘计算-深度学习	文献[88]	BaIoT、EI Nino数据集	真阳率，假阳率，时耗	0

工业物联网异常检测技术综述

Overview of anomaly detection techniques for industrial Internet of things

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 104

相关文章 15

Metrics

推荐阅读 0

数据集	数据类型	正常实例数	异常实例数	特征数	通信协议	详情	被引次数
Bot-IoT数据集	物联网网络流量	9 543	73 360 900	—	—	文献[56]	284
Smart grid数据集	网络流量	470	391	14	DNP3	文献[98]	22
UNSW_NB15数据集	网络流量	2 218 761	321 283	49	TCP,UDP,ICMP	文献[99]	992
SWAT数据集	CPS网络流量	15 000 000（未区分）		19	MODBUS	文献[101]	193
	物理属性	946 722（未区分）		51	—	—	—
NSL-KDD数据集	网络流量	训练集：125 973，测试集：22 544（未区分）		41	TCP/IP	文献[102]	3 085
KDD Cup 99数据集	网络流量	训练集：4 900 000，测试集：2 000 000（未区分）		41	TCP/IP	文献[102]	3 085
CTU-13数据集	网络流量	59 190	21 760	11	HTTP	文献[103]	493
mHealth数据集	多元时间序列	120（未区分）		23	—	文献[104]	227

[1]	霍纬纲, 梁锐, 李永华. 基于随机Transformer的多维时间序列异常检测模型[J]. 通信学报, 2023, 44(2): 94-103.
[2]	康海燕, 龙墨澜. 基于吸收马尔可夫链攻击图的网络攻击分析方法研究[J]. 通信学报, 2023, 44(2): 122-135.
[3]	廖建新, 付霄元, 戚琦, 王敬宇, 孙海峰. 6G-ADM：基于知识空间的6G网络管控体系[J]. 通信学报, 2022, 43(6): 3-15.
[4]	杨小东, 田甜, 王嘉琪, 李梅娟, 王彩芬. 基于云边协同的无证书多用户多关键字密文检索方案[J]. 通信学报, 2022, 43(5): 144-154.
[5]	段雪源, 付钰, 王坤. 基于VAE-WGAN的多维时间序列异常检测方法[J]. 通信学报, 2022, 43(3): 1-13.
[6]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[7]	陈卓, 朱淼, 杜军威. 基于多视角图神经网络的欺诈检测算法[J]. 通信学报, 2022, 43(11): 225-232.
[8]	段雪源, 付钰, 王坤, 刘涛涛, 李彬. 基于多尺度特征的网络流量异常检测方法[J]. 通信学报, 2022, 43(10): 65-76.
[9]	朱会娟, 陈锦富, 李致远, 殷尚男. 基于多特征自适应融合的区块链异常交易检测方法[J]. 通信学报, 2021, 42(5): 41-50.
[10]	田辉, 伍浩, 田洋, 任建阳, 崔亚娟, 艾文宝, 袁健华. 工业物联网中大规模受损边缘计算网络修复机制[J]. 通信学报, 2021, 42(4): 89-99.
[11]	周由胜,谭畅,唐飞. 面向雾增强型工业物联网的多维安全查询方案[J]. 通信学报, 2020, 41(8): 175-186.
[12]	陈铁明,金成强,吕明琪,朱添田. 基于样本增强的网络恶意流量智能检测方法[J]. 通信学报, 2020, 41(6): 128-138.
[13]	戚琦,申润业,王敬宇. GAD：基于拓扑感知的时间序列异常检测[J]. 通信学报, 2020, 41(6): 152-160.
[14]	杨晓晖,张圣昌. 基于多粒度级联孤立森林算法的异常检测模型[J]. 通信学报, 2019, 40(8): 133-142.
[15]	李佳,云晓春,李书豪,张永铮,谢江,方方. 基于混合结构深度神经网络的HTTP恶意流量检测方法[J]. 通信学报, 2019, 40(1): 24-33.

方法	文献	使用的数据集	性能指标	被引次数
指纹识别-贝叶斯算法	文献[92]	真实世界的变电站数据集	准确率为0.92，精确率为0.89，召回率为0.95	135
指纹识别-机器学习	文献[93]	TCP/Modbus流量	准确率	37
指纹识别	文献[94]	CAN总线原型	准确率为0.93，精确率为0.92，召回率为0.94，F1得分为0.92	2
指纹识别-CUSUM	文献[95]	SWAT数据集	真阳率，假阳率	5