Security and Privacy in New Computing Environments. 6th International Conference, SPNCE 2023, Guangzhou, China, November 25–26, 2023, Proceedings

Research Article

A Lightweight Anomaly Detection Method for Industrial Processes Based on Event Correlation Behavior

  • @INPROCEEDINGS{10.1007/978-3-031-73699-5_12,
        author={Jianzhen Luo and Yan Cai and Jun Cai and Wanhan Fang},
        title={A Lightweight Anomaly Detection Method for Industrial Processes Based on Event Correlation Behavior},
        proceedings={Security and Privacy in New Computing Environments. 6th International Conference, SPNCE 2023, Guangzhou, China, November 25--26, 2023, Proceedings},
        proceedings_a={SPNCE},
        year={2025},
        month={1},
        keywords={Anomaly detection, Behavioral profiling, Industrial security, Hidden semi-Markov model (HsMM)},
        doi={10.1007/978-3-031-73699-5_12}
    }
    
  • Jianzhen Luo
    Yan Cai
    Jun Cai
    Wanhan Fang
    Year: 2025
    A Lightweight Anomaly Detection Method for Industrial Processes Based on Event Correlation Behavior
    SPNCE
    Springer
    DOI: 10.1007/978-3-031-73699-5_12
Jianzhen Luo1, Yan Cai1,*, Jun Cai1, Wanhan Fang1
  • 1: Guangdong Polytechnic Normal University
*Contact email: 1744409360@qq.com

Abstract

In recent years, the industrial Internet has faced severe threats from production process attacks. By injecting malicious commands or data into application-layer protocols, attackers change the industrial control flow and disrupt the normal production process, leading to equipment failures and even production accidents. From a network perspective, the traffic of a production process attack does not violate the syntax of the communication protocols. From the point of view of the industrial system, however, the attack violates restrictive rules or physical laws of the industrial production process. Targeting these characteristics of production process attacks, this paper proposes a lightweight industrial process anomaly detection method based on event-associated behavior. The method adopts an HsMM, which has low model complexity, to model the state data of field devices in the industrial production process, analyzes how the temporal behavior of the production process evolves, and constructs a temporal behavioral model of the production equipment. On that model it builds a lightweight production process anomaly detection method based on behavioral offset.

Keywords
Anomaly detection, Behavioral profiling, Industrial security, Hidden semi-Markov model (HsMM)
Published
2025-01-01
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-031-73699-5_12
Copyright © 2023–2025 ICST