1. Introduction
A cyber-physical system (CPS) realizes the collaboration and integration of information systems and physical systems [1], and has been widely used in the fields of power distribution, pipeline transportation, and intelligent production [2,3,4]. CPS improves production quality and efficiency while also exposing security issues. The communication network, as the bridge between information systems and physical systems, is the key to system security. Attack detection on the communication network can effectively maintain the security of the CPS, but the detection method must be designed around the characteristics of the CPS. The continuous operation of the CPS generates a large amount of network traffic data, which can interfere with attack detection and increase computational overhead.
CPS network traffic data suffer from high dimensionality and information redundancy, which can reduce the efficiency of attack detection. Martin-Barreiro et al. note that PCA is a popular multivariate statistical method for reducing the dimensionality of the data matrix [5]. Zhang et al. mention that machine learning models based on hypergraph theory can represent the information in the network as low-dimensional dense real vectors, which can be effective for anomaly and attack detection [6]. Gao et al. proposed an anomaly detection model for network traffic sequences, using PCA to reduce the dimensionality of network traffic characteristic variables and then establishing an LSTM neural network to detect anomalies in traffic sequences [7]. The network traffic data generated by the CPS in real time include normal request and response data, as well as anomalous data generated under attack. The numbers of normal and abnormal samples are imbalanced [8], which prevents attack detection models from effectively extracting the information in the attack samples. The common solutions to the data imbalance problem in classification are undersampling, oversampling and combined sampling; these methods balance the number of samples between different categories [9]. Deng et al. investigated the problem of attack detection in CPS systems, solved the data imbalance problem by using an adversarial network to expand the rare attack samples, and verified the effectiveness of the method through experiments [10].
With the increasing openness of CPS access to the network, the diversity and concealment of cyber attacks increase the difficulty of attack detection. Ding et al. studied CPS systems from the perspective of control theory; summarized the modeling approach of CPS and the common types of network attacks as denial-of-service attacks, replay attacks and spoofing attacks; and detected network attacks by establishing a reasonable system state estimator [11]. The SVM model, as a machine learning model with a complete mathematical theory, has a wide range of applications in classification problems [12], and compared with other machine learning models, SVM has better pattern recognition in complex data sets [13]. The process data generated in real time in CPS networks have a complex structure and contain noise, and the characteristics of the SVM model determine whether it is suitable for identifying abnormal behavior patterns in CPS process data. PSO is an optimization algorithm driven by the intelligent population behavior of animals [14]. The PSO algorithm has the ability to quickly find the global optimal solution. Using the PSO algorithm to optimize the SVM classifier can improve detection accuracy, which makes it suitable for the attack detection scenario of CPS network traffic. Chen et al. investigated the problem of network intrusion detection in industrial control systems and established a neural network model with PSO for effective detection of unknown types of abnormal traffic data [15]. Shang et al. analyzed the characteristics of network data based on the Modbus industrial communication protocol and used an improved SVM model optimized by PSO to detect anomalies in the data; the experimental results show the validity of the method [16]. Current research related to CPS network attack detection focuses either on the analysis of network traffic data or on the optimization and design of detection models but, in fact, these two parts have equal importance.
Therefore, in studying the attack detection problem of the CPS system, this paper considers both the characteristics of network traffic data and the accuracy of the detection model in order to establish the PSO-SVM attack detection model. In the rest of the paper, Section 2 investigates the composition structure of CPS, analyzes the network characteristics of CPS and compares them with the traditional IT internet, and analyzes the attack principles of common attack types. Section 3 describes the principle of processing CPS network traffic data and the principle of the PSO-SVM model, and illustrates the flow of the model. Section 4 evaluates the proposed method on real CPS network traffic data, and shows the specific process and results of the experiments. Section 5 discusses the conclusions of this study and future research.
5. Conclusions, Discussion and Future Research
This paper mainly studies a network attack detection model for CPS systems. First, the model analyzes the statistical information of the CPS network traffic data and discretizes the characteristic variables with abnormal data distribution using the box plot anomaly detection method. Second, the attack types with few samples are augmented using the SMOTE method. The PCA method then reduces the dimensionality of the network traffic dataset and analyzes the importance of characteristic variables. Next, the detection model uses an SVM model with an RBF kernel function; the penalty coefficient of the SVM model and the hyperparameter of the RBF kernel function are optimized using the PSO algorithm. Finally, experiments show that the method proposed in this paper can effectively distinguish network attack data from normal communication data, and also has a good detection effect on different types of network attacks. The method proposed in this study is able to perform attack detection on the network of a CPS to protect information security and system operation safety, which has practical application value and provides a reference for the security protection of CPS systems. Since the system structure of CPS places high requirements on real-time network communication, future research could introduce incremental learning based on the method in this paper, which can achieve online network attack detection and improve the real-time performance of detection.
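The first two preprocessing steps summarized above (box-plot discretization of a skewed feature, then SMOTE on the rare attack class) can be sketched as follows. This is an added example, not the authors' code. The three-level encoding, the 1.5 × IQR fence factor, the function names and the flow records are assumptions made for illustration; PCA and the PSO-tuned SVM are not covered.

```python
import random
from statistics import quantiles

def boxplot_fences(values, k=1.5):
    """Tukey box-plot fences: points outside [Q1 - k*IQR, Q3 + k*IQR] are outliers."""
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr

def discretize(values, k=1.5):
    """Replace a heavy-tailed feature by -1 / 0 / 1: below, inside, above the fences
    (this encoding is an assumption; the paper does not spell out its own)."""
    lo, hi = boxplot_fences(values, k)
    return [-1 if v < lo else 1 if v > hi else 0 for v in values]

def smote(minority, n_new, k=3, seed=0):
    """Synthesize n_new samples, each on the segment between a minority
    sample and one of its k nearest minority neighbours."""
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    def dist(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    synthetic = []
    for _ in range(n_new):
        base = rng.choice(minority)
        neighbours = sorted((p for p in minority if p is not base),
                            key=lambda p: dist(base, p))[:k]
        nb, gap = rng.choice(neighbours), rng.random()
        synthetic.append([b + gap * (n - b) for b, n in zip(base, nb)])
    return synthetic

def balance(samples, labels, minority_label):
    """Oversample the minority class with SMOTE until both classes are equal in size."""
    minority = [s for s, l in zip(samples, labels) if l == minority_label]
    n_new = (len(samples) - len(minority)) - len(minority)
    extra = smote(minority, max(n_new, 0))
    return samples + extra, labels + [minority_label] * len(extra)

# Constructed sample: [packets per second, mean payload bytes]; label 1 = attack.
FLOWS = [[10, 64], [12, 60], [11, 66], [13, 62], [12, 61], [11, 65],
         [10, 63], [12, 64], [90, 20], [95, 22], [88, 18], [500, 21]]
LABELS = [0] * 8 + [1] * 4

if __name__ == "__main__":
    print(discretize([f[0] for f in FLOWS]))
    X, y = balance(FLOWS, LABELS, minority_label=1)
    print(len(X), y.count(0), y.count(1))
```

Oversampling belongs on the training split only; synthesizing attack samples before the train/test split leaks interpolated copies of test points into training and inflates the reported detection rate.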