基于改进单类支持向量机的工业控制网络入侵检测方法

针对单类支持向量机（OCSVM）入侵检测方法无法检测内部异常点和离群点导致决策函数偏离训练样本的问题，提出了一种结合具有噪声的密度聚类（DBSCAN）方法和K-means方法的OCSVM异常入侵检测算法。首先通过DBSCAN算法，剔除训练数据中的离群点，消除离群点的影响；然后利用K-means划分数据类簇的方法筛选出内部异常点；最后利用OCSVM算法为每一个类簇建立单分类器用于检测异常数据。工控网络数据集上的实验结果表明，该组合分类器能够利用无异常数据样本检测出工控网络入侵，并且提高了OCSVM方法的检测效果。在气体管道网络数据集入侵检测实验中，所提方法的总体检测率为91.81%；而原始OCSVM算法则为80.77%。

Intrusion detection algorithm of industrial control network based on improved one-class support vector machine

Since the intrusion detection method based on One-Class Support Vector Machine (OCSVM) can not detect internal abnormal points and outliers, which leads to the deviation of decision function from training samples. A new OCSVM anomaly detection function combining DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and K-means was proposed. Firstly, the outliers in the training data were removed by DBSCAN algorithm to eliminate the influence of outliers. Then, K-means clustering method was used to classify normal data clusters, so that the internal abnormal points could be selected. Finally, a one-class classifier for each data cluster was created to detect exception data by OCSVM algorithm. The experimental results on industrial control networks show that the combined classifier can detect the intrusion attacks of the industrial control network by using normal data, and it can improve the detection effect of OCSVM algorithm. In intrusion detection experiment of gas pipeline, the overall detection rate of the proposed method is 91.81%, while the overall detection rate of OCSVM algorithm is 80.77%.