An optimization technique for intrusion detection of industrial control network vulnerabilities based on BP neural network

The aim of this research is to solve the problem that intrusion detection models for industrial control systems have a low detection rate and low detection efficiency against various attacks. To this end, a method of optimizing the BP neural network based on the Adaboost algorithm is proposed. Firstly, principal component analysis (PCA) is used to preprocess the original data set to eliminate its correlation. Secondly, the Adaboost algorithm is used to continuously adjust the weights of the training samples, to obtain the optimal weights and thresholds of the BP neural network. The results show that there are 13,817 pieces of data collected in the industrial control experiment, of which 9817 pieces of data are taken as the test data set, including 9770 pieces of normal data and 47 pieces of abnormal data. In addition, as a test data set of 4000 pieces, there are 3987 pieces of normal data and 13 pieces of abnormal data. The average detection rate and detection speed of the proposed algorithm, which optimizes the BP neural network with the Adaboost algorithm, are better than those of other algorithms on each attack type. It is proved that the Adaboost algorithm can effectively solve the intrusion detection problem by optimizing the BP neural network.


Introduction
Intrusion detection is the process of identifying attempted, ongoing, or already occurring intrusions. The standard TCP/IP protocol is widely used in the vast majority of current network environments, so the vast majority of current intrusions are also aimed at this protocol. Therefore, the interception and analysis of data packets based on the TCP/IP protocol is the focus of data analysis in an intrusion detection system. Generally speaking, intrusion detection is divided into abuse detection and anomaly detection. The former has the advantage of a high detection rate and a low false positive rate, but its disadvantage is that it can only detect known attack patterns. Therefore, to maintain or improve its efficiency, it is necessary to continuously update the detection method. The advantage of anomaly detection lies in the detection of unknown intrusion behavior. In current practice abuse detection is applied more widely, but the various forms of anomaly intrusion detection technology and anomaly detection modules are also receiving increasing attention. Intrusion detection techniques mainly include data fusion, data mining, genetic algorithms, computer immunology, neural networks and so on, among which the application of neural networks is increasingly extensive.
The most representative one is the BP neural network algorithm. The BP neural network technology used in intrusion detection systems has obvious advantages and disadvantages, such as slow learning speed and convergence. The convergence speed of the traditional BP network algorithm is slow and the network easily falls into a local minimum. Therefore, many related improved algorithms have emerged to solve these problems, and some achievements have been made. One example is the Adaboost algorithm. For testing intrusion detection systems, the KDD99 data set contains more than 7 million data (these data include TCP connection data and TCP test records), so it is often used in the simulation test of intrusion detection systems. In the TCP records used for testing, 41 characteristics exist in each TCP connection record. These characteristics can be divided into four categories: basic TCP characteristics, capacity characteristics, time-based traffic characteristics, and host-based traffic characteristics. The data in the training data set has been marked as normal or attacked, and there are a total of 38 types of attacks. Among the 24 types of original attacks, 4 new attacks have been added for the test data. Among the four new attack methods, including unauthorized access to local root privilege (U2R), denial of service attack (DoS), data resource theft (Probing), and unauthorized access to remote computers (R2L), denial of service accounts for nearly 50%, which is the largest among all attack categories.
As of January 24, 2017, there were 979 industrial control system vulnerabilities published by the national new security vulnerability sharing platform, of which Siemens vulnerabilities accounted for 40.86%, Advantech vulnerabilities accounted for 19.43%, Schneider vulnerabilities accounted for 15.43%, Rockwell vulnerabilities accounted for 12%, and the rest, the Parallels bug for virtualization, accounted for 12.29%. Among these vulnerabilities, high risk vulnerabilities accounted for 48.18%, medium risk vulnerabilities accounted for 45.97%, and low risk vulnerabilities accounted for 5.85%. The common industrial control system vulnerabilities include communication transmission protocol vulnerabilities, industrial control equipment vulnerabilities, industrial control software vulnerabilities, configuration error vulnerabilities, etc. The communication transmission protocol vulnerabilities mainly concern TCP/IP, RPC, UDP, and other protocols. The industrial control software vulnerabilities are mainly due to the lack of unified security protection specifications for industrial control software and the widespread existence of security design defects. Therefore, industrial control software is easily attacked by attackers, who obtain control of the equipment, resulting in serious consequences.
In response to this research problem, scholars have proposed a series of IDS-related algorithm models. Chen et al. proposed intrusion detection using an improved genetic algorithm to optimize the neural network (Chen et al. 2019). They optimized the BP neural network by using rough sets and an improved genetic algorithm and proposed the best initial parameters to solve the problems of slow detection speed and local minimization of the BP neural network. Lai et al. studied the intrusion detection method based on the PCA-BP neural network by using PCA to preprocess the data set, to accelerate the convergence speed and detection efficiency, but the effect of this method was not obvious in the detection of U2R and R2L attack types (Zhanwei and Zenghui 2019). Lai et al. combined the intrusion detection method of whitelist filtering and neural network, and constantly improved the whitelist rule base according to the detection results of the neural network to improve the detection rate of abnormal communication, but this method did not optimize the detection speed (Lai et al. 2020). Nuraeni et al. proposed an improved fish swarm algorithm optimization method for communication anomaly detection of industrial control networks. Shang et al. introduce a new intrusion detection algorithm based on One-Class Support Vector Machine (OCSVM), where a normal communication behavior model is established by using OCSVM, and the Particle Swarm Optimization algorithm is designed to optimize the OCSVM model parameters (Shang et al. 2015). The optimization method uses the improved fish swarm algorithm to optimize the initial input weights and thresholds of the neural network. The method improves the accuracy of anomaly detection and shortens the detection time, but the detection effect is not obvious for each typical attack type.
To sum up, current industrial control system vulnerability detection has adopted many methods, the main ones being the fuzzy-based abnormal data detection method, the eigenvalue matching method and the rule judgment method. The BP (Back Propagation) neural network, a multi-layer feedforward network trained by the error back propagation algorithm, is mostly used for pattern recognition and rarely appears in the field of industrial control system vulnerability mining. Because the industrial control system operates in real time, its vulnerabilities cannot be mined online, there is no way to analyze the relationships between data, and there is also a lack of automatic learning ability. To solve these problems, we propose an automatic mining method for industrial control system vulnerabilities based on the BP neural network.

Experimental methods
An automatic mining method of industrial control system vulnerability based on BP neural network is presented. The method includes data acquisition module, neuron design module, neural network structure design module and algorithm implementation module of the industrial control system. Data acquisition module of industrial control system: Including original data collection and data normalization processing; original data acquisition of industrial control system, sensor data acquisition of industrial control system, including temperature, pressure, humidity, speed, switching state information, such as valve state and control command; data normalization processing: due to the different types of data collected, the range of data expression is also very different, so it can not be directly used as the input vector of BP neural network. Therefore, it is necessary to normalize the data, define the conversion method, and convert it into the input data that can be accepted by BP neural network (Table 1).
Principal component analysis (PCA) and Adaboost algorithm are added to the router between the administrator's network client and web server to optimize the intrusion detection model of BP neural network, and the abnormal communication data between the administrator and the server are detected by using the data characteristics in the communication network, to improve the detection accuracy and detection speed (Sanober et al. 2021).

Feature selection in intrusion detection
In the KDD99 data set used in the experiment in this paper, the data of intrusion attacks are mainly divided into:
(1) DoS attack: attackers attack network protocol defects or system resources, so that the normal system is paralyzed, thus denying users access to the service.
(2) Probe attack: a common method used by an attacker to initiate an attack on a target and to obtain relevant information by this method.
(3) U2R attack: a user with low permissions obtains permissions through system or website vulnerabilities, and then carries out illegal operations.
(4) R2L attack: attackers operate and access resources in an unauthorized way through a remote host.

Data preprocessing
Through the analysis of KDD99 data set, there are a lot of repeated records in the data set, so the learning efficiency and detection rate of intrusion detection algorithm are low.
To improve the learning efficiency and detection rate of the algorithm, this paper uses PCA to preprocess the data set and eliminate the correlation between the data. Standardization processing formula: $\ldots, m;\ j = 1, 2, \ldots, p$ (1), where $x_{ij}$ is the value of each sample in the matrix, $z_{ij}$ is the normalized matrix after data processing, $\bar{x}_j$ is the mean of each column, and $s_j$ is the normalization of each column.
In the formula, $r_{ij} = \frac{\sum z_{kj} \cdot z_{kj}}{m-1}$, $i, j = 1, 2, \ldots, p$; $R$ is the correlation matrix, $x$ is the random variable, and $Z^T$ is the transpose of the normalized matrix $Z$. Calculate the $p$ eigenvalues $\lambda_i$ through $|\lambda E_p - R| = 0$; the contribution rate $\lambda_i / \sum_{i=1}^{p} \lambda_i$ is used for feature extraction. Calculate $n$ principal components to obtain the matrix $D_{m \times n}$.
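An added example (not code from the paper) of the PCA preprocessing described above: standardize each column, build the correlation matrix $R = Z^T Z/(m-1)$, take its eigenvalues, and keep the components whose cumulative contribution rate reaches a threshold. The 0.85 threshold, the Jacobi eigen-solver, the function names and the sample records are assumptions made for this example.

```python
import math

# Constructed records: columns 0 and 1 are perfectly correlated, column 2 is not.
SAMPLE = [[1, 3, 4], [2, 5, 1], [3, 7, 0], [4, 9, 1], [5, 11, 4]]

def standardize(X):
    """z_ij = (x_ij - mean_j) / s_j, with s_j the sample standard deviation."""
    m, p = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / m for j in range(p)]
    s = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in X) / (m - 1)) for j in range(p)]
    # A constant column has s_j = 0; emit zeros instead of dividing by zero.
    return [[(r[j] - mean[j]) / (s[j] or 1.0) for j in range(p)] for r in X]

def correlation(Z):
    """R = Z^T Z / (m - 1), a symmetric p x p matrix."""
    m, p = len(Z), len(Z[0])
    return [[sum(r[i] * r[j] for r in Z) / (m - 1) for j in range(p)] for i in range(p)]

def eigen_symmetric(R, sweeps=50):
    """Jacobi rotations; returns (eigenvalue, eigenvector) pairs, largest first."""
    p = len(R)
    A = [row[:] for row in R]
    V = [[float(i == j) for j in range(p)] for i in range(p)]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(p) for j in range(p) if i != j) < 1e-20:
            break
        for a in range(p - 1):
            for b in range(a + 1, p):
                if A[a][b] == 0.0:
                    continue
                d = A[a][a] - A[b][b]
                t = math.pi / 4 if d == 0 else 0.5 * math.atan(2 * A[a][b] / d)
                c, s = math.cos(t), math.sin(t)
                for M in (A, V):          # columns a, b: M <- M J
                    for row in M:
                        row[a], row[b] = c * row[a] + s * row[b], c * row[b] - s * row[a]
                for k in range(p):        # rows a, b: A <- J^T A
                    A[a][k], A[b][k] = c * A[a][k] + s * A[b][k], c * A[b][k] - s * A[a][k]
    return sorted(((A[i][i], [V[k][i] for k in range(p)]) for i in range(p)), reverse=True)

def pca(X, threshold=0.85):
    """Keep the leading n components whose cumulative contribution reaches threshold."""
    Z = standardize(X)
    pairs = eigen_symmetric(correlation(Z))
    total = sum(lam for lam, _ in pairs)
    rates = [lam / total for lam, _ in pairs]   # contribution rate of each eigenvalue
    n, cum = 0, 0.0
    while cum < threshold and n < len(rates):
        cum += rates[n]
        n += 1
    # Project the standardized data onto the n leading eigenvectors: D is m x n.
    D = [[sum(z * v for z, v in zip(row, vec)) for _, vec in pairs[:n]] for row in Z]
    return rates, n, D

if __name__ == "__main__":
    rates, n, D = pca(SAMPLE)
    print([round(r, 4) for r in rates], n)
```

The two perfectly correlated columns collapse into one component, so three input features reduce to two without losing information.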

BP neural network algorithm
BP neural network is a classic algorithm in neural network. Feature extraction is carried out according to the data and used as the input value of BP neural network to express the mapping relationship between input and output, as shown in Fig. 1. In Fig. 1, $x_1, x_2, \ldots, x_n$ is the input value of BP neural network and $y_1, y_2, \ldots, y_m$ is the output value of BP neural network. When the signal is transmitted forward, it is assumed that the weight between neuron $i$ and neuron $j$ is $x_{ij}$, the threshold value of neuron $j$ is $b_j$, the output value of each neuron is $s_j$, and the correlation is x where, $f$ is the S-shaped excitation function (Nuraeni et al. 2020).

Adaboost-BP neural network algorithm
Adaboost algorithm seeks to combine the simplest weak classifiers to obtain a strong classifier (Chopra et al. 2021). In terms of the use of the algorithm, it only needs to specify the number of iterations, and all the parameters in the operation process are adjusted adaptively by the algorithm. The procedure of the algorithm is as follows (Table 2):
Step 1: Select n data for training, set the weight distribution of training data as $D_t(i) = 1/m$, and obtain the initial weight and threshold values randomly by the algorithm.
Step 2: Weak classifier. The sum of the classification error of classification sequence $g(t)$ obtained when training the $t$-th weak classifier is where, $y$ is the expected value.
Step 3: Calculate the weight of the classification sequence. Calculate the weight according to the classification error $e_t$: $a_t =$
Step 4: Adjust the weight. Adjust the weight of samples in the next round according to the weight $a_t$. The formula is as follows: In the formula, $B_t$ is the normalization factor and $y$ is the expected value.
Step 5: Strong classifier function. After $T$ iterations, strong classifier $h(x)$ is generated from the weak classifier function $f(g_t, a_t)$ of $T$ group. ...
[Figure: forward signal transmission; error back propagation]
Login successfully or not
7 The number of connections with the same service as the current connection in the past 2 s
8 The number of connections that have the same destination address as the current connection in the past 2 s
9 The percentage of the top 100 connections that have the same source destination port at the same destination address as the current connection
10 The number of connections in the top 100 that have the same service at the same destination address as the current connection

Intrusion detection model of adaboost BP neural network
The weight of BP weak classifier is adjusted continuously through Adaboost algorithm, and the training results are calculated. Several BP weak classifiers are combined into BP strong classifiers as the final decision classifier (Rizwan and Alvi 2010). Thus, the intrusion detection model of industrial control network is established.

Results and analysis

Validation of algorithm
(1) Description of experimental data. The data of the simulation experiment is the KDD99 data set, which is widely used in intrusion detection. The data set includes 514,092 training data sets and 336,463 test data sets, respectively. Each data contains 41-dimensional features, the last of which is the label attribute. It mainly includes 6 categories of relevant data, namely, Normal, DoS attack, Probe attack, U2R attack, R2L attack, and Unknown. (2) Experimental environment and relevant data. The hardware environment of the simulation test was an Intel i5-7200U 2.70 GHz, the memory is 4G, the operating system is Windows 10, and the software environment used is Matlab 2016a and PyCharm 2017. Relevant experimental data after processing (Lai et al. 2019).
Firstly, the principal component analysis method mentioned above was used to extract features from the data set, and PyCharm was used to conduct principal component analysis on 12 features of 514092 data. Then the corresponding principal component number can be extracted by using the above contribution rate calculation. Then, the carrying capacity of each principal component in the original data is compared. The larger the carrying capacity of each principal component is, the larger the corresponding data information quantity is. Finally, the main original data characteristics reflected by the 10 principal components were extracted (Yuxia 2019;Fakhar et al. 2020).
In the Matlab environment, the BP neural network improved by the Adaboost algorithm uses the most widely used three-layer feedforward neural network. The number of neurons in the input layer is 10, the number of neurons in the hidden layer is 30, and the number of output neurons is 6, corresponding respectively to normal data, DoS attack, U2R attack, R2L attack, Probe attack, and Unknown attack (Chen et al. 2021; Feng 2020).
According to the standard of intrusion detection, the detection rate and false positive rate of the intrusion detection model combined with Adaboost algorithm and BP neural network in this paper are compared, where:

$$\text{Detection rate} = \frac{\text{Number of abnormal data correctly detected}}{\text{Total number of abnormal data}}$$

$$\text{False positive rate} = \frac{\text{Number of data wrongly judged as abnormal}}{\text{Total normal data}}$$

Here, the detection rate of the intrusion detection method in this paper is compared with the following three methods, as shown in Fig. 2.
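An added example (not the paper's code) that runs Steps 1 to 5 of the Adaboost procedure and scores the resulting strong classifier with the detection rate and false positive rate defined above. To stay short it uses a one-feature threshold rule as the weak classifier in place of a trained BP network, and the standard AdaBoost weight $a_t = \frac{1}{2}\ln\frac{1-e_t}{e_t}$; both choices, the ten constructed samples and all function names are assumptions.

```python
import math

# Constructed sample: one traffic feature per record (sorted ascending),
# label +1 = abnormal, -1 = normal. Not data from the paper.
X = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
Y = [1, 1, 1, -1, -1, -1, 1, 1, 1, -1]

def stump(v, s):
    """Weak classifier g(x): s if x < v else -s (stand-in for a BP network)."""
    return lambda x: s if x < v else -s

def train_weak(X, Y, D):
    """Pick the threshold rule with the lowest weighted error e_t under D."""
    best = None
    cuts = [(a + b) / 2 for a, b in zip(X, X[1:])]
    for v in cuts:
        for s in (1, -1):
            g = stump(v, s)
            e = sum(d for x, y, d in zip(X, Y, D) if g(x) != y)
            if best is None or e < best[0]:
                best = (e, g)
    return best

def adaboost(X, Y, T):
    m = len(X)
    D = [1.0 / m] * m                      # Step 1: D_1(i) = 1/m
    ensemble = []
    for _ in range(T):
        e, g = train_weak(X, Y, D)         # Step 2: weighted error e_t
        e = min(max(e, 1e-10), 1 - 1e-10)  # guard against e_t = 0 or 1
        a = 0.5 * math.log((1 - e) / e)    # Step 3: classifier weight a_t
        # Step 4: raise the weight of misclassified samples, then normalize by B_t
        D = [d * math.exp(-a * y * g(x)) for x, y, d in zip(X, Y, D)]
        B = sum(D)
        D = [d / B for d in D]
        ensemble.append((a, g))
    return ensemble, D

def strong(ensemble):
    """Step 5: h(x) = sign(sum_t a_t * g_t(x))."""
    return lambda x: 1 if sum(a * g(x) for a, g in ensemble) > 0 else -1

def rates(h, X, Y):
    """(detection rate, false positive rate) of classifier h on labelled data."""
    abnormal = [x for x, y in zip(X, Y) if y == 1]
    normal = [x for x, y in zip(X, Y) if y == -1]
    detected = sum(1 for x in abnormal if h(x) == 1)
    false_alarms = sum(1 for x in normal if h(x) == 1)
    return detected / len(abnormal), false_alarms / len(normal)

if __name__ == "__main__":
    for T in (1, 2, 3):
        ens, D = adaboost(X, Y, T)
        print(T, [round(a, 4) for a, _ in ens], rates(strong(ens), X, Y))
```

On this sample one round gives (0.5, 0.0), two rounds (1.0, 0.75) and three rounds (1.0, 0.0): the false positive rate can rise before the reweighted rounds correct it, so both rates need tracking per round.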
As shown in Fig. 3 below, the false positive rate of the four groups of intrusion detection models is compared, and it is found that the false positive rate of the algorithm The training time of the BP neural network optimized by Adaboost is 3.256 s, while the training time of the traditional BP neural network is 3.912 s (Prasanalakshmi et al. 2011; Shang et al. 2021). The difference in training time is mainly due to the fact that Adaboost reduces the effect of a single BP neural network falling into the local optimum (Li et al. 2019).

Industrial control simulation test
A total of 13,817 pieces of partially collected data were obtained from a wind power plant, including 13,757 pieces of normal data and 60 pieces of abnormal data. In the experiment of industrial control system, four groups of data features are extracted respectively: source IP address, target IP address, protocol and data length (Anton et al. 2021). The obtained data were used to extract the features of the four groups of data by principal component analysis, and then were input as input nodes (Awotunde et al. 2021; Prasanalakshmi et al. 2019). The output nodes of the algorithm model were normal and abnormal respectively. 13,817 pieces of data were collected in the industrial control experiment, among which 9817 pieces of data were taken as the test data set, including 9770 pieces of normal data and 47 pieces of abnormal data (Deshmukh et al. 2021; Kumari et al. 2021). In addition, 4000 of them as test data sets contain 3987 normal data and 13 abnormal data. Now the proposed algorithm and the traditional BP algorithm are tested and compared by using the data collected by the industrial control system (Akpinar and Ozcelik 2019). Due to the large normal database in the normal operation of the industrial control network, the false positive rate is not compared here.

Conclusions
An algorithm model of Adaboost algorithm to optimize BP neural network is proposed. The concrete content of this method is (1) using principal component analysis (PCA) to extract features and reduce the dimensionality of data sets, (2) using the Adaboost algorithm to update the sample distribution constantly, and (3) combining multiple types of BP weak classifiers into BP strong classifiers by the Adaboost algorithm. Through experimental observation, a total of 13,817 pieces of partially collected data were obtained from a wind power plant, including 13,757 pieces of normal data and 60 pieces of abnormal data. In the experiment of industrial control system, four groups of data features are extracted respectively: source IP address, target IP address, protocol and data length. The obtained data were used to extract the features of the four groups of data by principal component analysis, and then were input as input nodes. The output nodes of the algorithm model were Normal and Abnormal respectively. 13,817 pieces of data were collected in the industrial control experiment, among which 9817 pieces of data were taken as the test data set, including 9770 pieces of normal data and 47 pieces of abnormal data. In addition, 4000 of them as test data sets contain 3987 normal data and 13 abnormal data. To prove that the average detection rate and detection speed of the BP neural network optimized by Adaboost algorithm for each attack type are better than other algorithms, better improve the detection speed and detection accuracy, solve the BP neural network into local optimal problem, and improve the detection rate and detection speed of abnormal data.

Funding
This research work is self-funded.

Declarations
Conflict of interest The authors declare that they have no conflict of interest and all ethical issues including human or animal participation has been done. No such consent is applicable.