CN108768795B - Non-intervention interception power dispatching service network illegal access detection method

Info

Publication number: CN108768795B
Authority: CN (China)
Prior art keywords: equipment, power dispatching, service network, model, dispatching service
Legal status: Expired - Fee Related
Application number: CN201810939925.0A
Other languages: Chinese (zh)
Other versions: CN108768795A (en)
Inventors: 胡可为, 刘志君, 李育发, 周玉光, 张继国, 李振元, 曲绍杰, 蒋宪军, 孙宁, 王霁松, 赵巍, 姜楠, 佘远亮
Current Assignee: Nanjing Ningtai Electric Co ltd; State Grid Jilin Electric Power Corp
Original Assignee: Nanjing Ningtai Electric Co ltd; State Grid Jilin Electric Power Corp
Priority date: 2018-08-17
Filing date: 2018-08-17
Publication date: 2021-09-24

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/06 Management of faults, events, alarms or notifications
                        • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
                    • H04L 41/14 Network analysis or design
                • H04L 43/00 Arrangements for monitoring or testing data switching networks
                    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
                        • H04L 43/045 Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L 63/0227 Filtering policies
                            • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of power system dispatching automation, in particular to a non-intervention interception power dispatching service network illegal access detection method. Compared with the prior art, the invention monitors the power dispatching service network in real time with an FPGA programmable logic array chip, performs high-speed analysis and alarming with an ARM processor, establishes a secondary equipment situation model of the power dispatching service network, and finally displays the losslessly captured network communication graphically in a visual manner.

Description

Non-intervention interception power dispatching service network illegal access detection method
Technical Field
The invention relates to the field of power system dispatching automation, in particular to a non-intervention interception power dispatching service network illegal access detection method.
Background
With the rapid development of the national economy, national power grid construction is accelerating and the power grid dispatching automation system is developing at an unprecedented pace; in today's rapidly growing high-load power grids, the importance of the automated power grid dispatching system as a key guarantee of safe and stable dispatching operation is more evident than ever.
The power grid dispatching automation system is the core system responsible for safe production in a power system and the centre for dispatching and controlling power plants, substations, lines and the like. Using communication, electronic and computer technologies, it collects real-time power system data, monitors and controls the operation of the grid, remote power plants and substations, and provides a strong guarantee for the safety, economy and efficiency of grid operation. The system therefore connects and manages many power plants, substations and lines (hereinafter collectively referred to as substations). Because of technical inconsistencies between the several levels of integration manufacturers, management personnel and so on, the connected substations suffer frequent faults, some of which affect not only the substation itself but also the grid safety of other substations and even whole sub-areas. For example, if a manufacturer's engineering personnel connect to a substation system for debugging during construction, an IP conflict is likely, because the power grid dispatching automation system is one large communication network, and normal substation communication is disrupted. Viruses may also be carried into the whole dispatching automation network in the process, which greatly affects and endangers normally operating substations and may even bring down the entire power grid dispatching automation system.
Disclosure of Invention
The invention aims to provide a non-intrusive interception power dispatching service network illegal access detection method whose hardware foundation combines an FPGA (field programmable gate array) programmable logic array chip with an ARM (advanced RISC machine) processor: the FPGA programmable logic array chip intercepts the power dispatching service network in real time, the ARM processor performs high-speed analysis and alarming, a secondary equipment situation model of the power dispatching service network is established, and finally the losslessly captured network communication is displayed in a visual manner.
In order to achieve the purpose, the invention adopts the following technical scheme: a non-intervention interception power dispatching service network illegal access detection method is characterized by comprising the following steps:
step one, monitoring all data in the power dispatching service network through the FPGA programmable logic array chip in the monitoring board, and recording the data captured by monitoring;
step two, the monitoring board transmits the intercepted and captured data to the core board;
step three, the ARM processor in the core board receives the data transmitted by the monitoring board and parses it according to the IEC104 and IEC61850 protocols to obtain power dispatching service data;
step four, the ARM processor in the core board performs cluster classification on the parsed power dispatching service data according to a multi-dimensional cluster model, which comprises an equipment type dimension model, a communication protocol dimension model and a manufacturer model dimension model;
step five, the ARM processor in the core board determines from the monitored MAC physical address and IP address whether the equipment is registered; if it is not registered, an alarm is given, and if it is registered, a connection event is generated;
step six, performing cluster identification on the connection events obtained in step five; if non-clustered characteristic equipment exists (characteristic equipment is described by a characteristic identification library, formed from a number of characteristic devices used for debugging and from abnormal service equipment marked for special services by operation and maintenance personnel), judging according to the characteristic identification library whether the equipment is a registered characteristic equipment type, and if it is unregistered, adding the unregistered characteristic equipment to the characteristic identification library after alarm filtering;
step seven, establishing a situation model of the secondary equipment of the power dispatching service network and collecting these situation models into a power dispatching service network situation model base; according to the situation model base, performing cluster-based service flow analysis, service fault analysis, illegal port analysis and illegal IP address analysis: if the service flow is normal, detection ends, otherwise an equipment abnormality alarm is raised; if there is no service fault, illegal port access or illegal IP address access, detection ends, otherwise an event alarm is raised; thereby realizing illegal access detection of the power dispatching service network.
The equipment type dimension model is classified according to the types of the measurement and control device, the protection device, the background machine, the remote machine, the merging unit and the intelligent terminal equipment; the communication protocol dimension model is classified according to IEC103, IEC104, IEC61850-MMS, IEC61850-GOOSE and IEC61850-SMV protocol types; the manufacturer model dimension model is classified according to manufacturers and equipment models.
The power dispatching service network situation model library is mainly a self-growing and self-learning growing model library; the self-growing and self-learning method mainly includes that evaluation setting is not needed, a multi-dimensional clustering object is established according to a multi-dimensional clustering model, and a power dispatching service network situation model base is automatically optimized.
Through the design scheme, the invention can bring the following beneficial effects: the invention provides a non-intrusive interception power dispatching service network illegal access detection method, which adopts an FPGA programmable logic array chip to realize the function of intercepting four MAC physical addresses, can fully utilize the high real-time property, high reliability and high synchronism of a hardware system to finish interception and capture of network data of the power dispatching service network, thereby ensuring that the device has enough data throughput capacity to finish lossless capture of the power dispatching service network data and is more stable and reliable.
Drawings
Fig. 1 shows the system for implementing the non-intrusive interception power dispatching service network illegal access detection method of the present invention;
Fig. 2 is a flowchart of the non-intrusive interception power dispatching service network illegal access detection method according to the present invention.
Detailed Description
In order to more clearly illustrate the invention, the invention is further described below in connection with preferred embodiments. It is to be understood by persons skilled in the art that the following detailed description is illustrative and not restrictive, and is not to be taken as limiting the scope of the invention. Well-known methods and procedures have not been described in detail so as not to obscure the present invention.
Fig. 1 shows a system for implementing the non-intrusive interception power dispatching service network illegal access detection method. The system comprises a monitoring device and a host (upper) computer. The monitoring device comprises a monitoring board and a core board: the monitoring board is an FPGA data acquisition board carrying an FPGA programmable logic array chip and also providing an upper-computer serial editing interface; the core board comprises an ARM processor and SSD hard disks for data storage; the monitoring board is connected to the core board through a PCT bus. An SVG module is loaded inside the upper computer.
The FPGA data acquisition board is the interception hardware for network communication; it mainly intercepts all communication information on the network and is connected to the SOFT BUS of the core board through the PCT bus. The FPGA data acquisition board transmits the intercepted data to the core board, where the ARM processor performs concurrent analysis and processing. The monitoring board completes network data acquisition on the power dispatching service network mainly through an Altera Cyclone V FPGA and uses two third-generation double-data-rate synchronous dynamic random access memories (DDR3) as data caches; ping-pong operation between the two DDR3 memories ensures that complete dispatching service network packets are acquired before they are handed to the ARM processor.
The core board carries an ARM processor that performs rapid optimization calculations on the intercepted connection and communication information. The ARM processor specifically uses MP parallel optimization technology to exploit its multiple cores and raise the optimization rate: the main thread spawns a series of sub-threads, tasks are mapped onto the sub-threads and executed in parallel, and the runtime environment distributes the threads over different physical processors, achieving data-level parallelism. Four data storage SSD hard disks complete the storage and recording of data.
The host computer is connected to the ARM processor in the core board over an RJ45 connection. It is used for parameter setting and real-time data interaction with the ARM processor, adopts standard SVG for visual display, and presents problem nodes graphically, so that the visual interface of the host computer realizes visual detection of the dispatching service network.
The non-intrusive interception power dispatching service network illegal access detection method mainly comprises the steps of establishing a power dispatching service network secondary equipment situation model, forming a power dispatching service network situation model base by the aggregation of a plurality of power dispatching service network secondary equipment situation models, judging communication data of each transformer substation secondary equipment through the automatic learning capacity of the power dispatching service network situation model base, and forming an analysis basis of the power dispatching service network safety situation.
The non-intrusive interception power dispatching service network illegal access detection method uses the FPGA programmable logic array chip to intercept on four MAC physical addresses. One MAC physical address is connected to the power dispatching service network and placed in the same VLAN (virtual local area network); because this MAC physical address is a virtual interception MAC physical address, all communication information on the network (link layer and application layer), such as illegal address resolution protocol (ARP) attacks, can be captured. When a new device joins the network and sends network information (a network card sends a broadcast when it joins a network), the virtual interception MAC physical address checks whether the MAC physical address and IP address are registered; if the check passes, a connection event is generated; otherwise the address is tracked, its VLAN level and access switch are determined, and an alarm is sent.
As shown in fig. 2, the method for detecting illegal access to power dispatching service network by non-intrusive interception provided by the present invention includes the following steps:
step one, monitoring all data in the power dispatching service network through the FPGA programmable logic array chip in the monitoring board, and recording the data captured by monitoring;
step two, the monitoring board transmits the intercepted and captured data to the core board;
step three, the ARM processor in the core board receives the data transmitted by the monitoring board and parses it according to the IEC104 and IEC61850 protocols to obtain power dispatching service data;
step four, the ARM processor in the core board performs cluster classification on the parsed power dispatching service data according to a multi-dimensional cluster model, which comprises an equipment type dimension model, a communication protocol dimension model and a manufacturer model dimension model; the equipment type dimension model is classified according to the types measurement and control device, protection device, background machine, remote machine, merging unit and intelligent terminal device; the communication protocol dimension model is classified according to the protocol types IEC103, IEC104, IEC61850-MMS, IEC61850-GOOSE and IEC61850-SMV; the manufacturer model dimension model is classified according to manufacturer and equipment model;
step five, the ARM processor in the core board determines from the monitored MAC physical address and IP address whether the equipment is registered; if it is not registered, an alarm is given, and if it is registered, a connection event is generated;
step six, performing cluster recognition on the connection events obtained in step five; if non-clustered characteristic equipment exists (characteristic equipment is described by a characteristic recognition library, formed from a number of characteristic devices used for debugging abnormal service equipment marked for special services by operation and maintenance personnel), judging according to the characteristic recognition library whether the equipment is a registered characteristic equipment type, and if the equipment is judged not to be characteristic equipment, optimizing the library by adding the equipment to it after alarm filtering;
step seven, establishing a power dispatching service network secondary equipment situation model and collecting a number of these situation models into a power dispatching service network situation model base; according to the situation model base, performing cluster-based service flow analysis, service fault analysis, illegal port analysis and illegal IP address analysis: if the service flow is normal, detection ends, otherwise an equipment abnormality alarm is raised; if there is no service fault, illegal port access or illegal IP address access, detection ends, otherwise an event alarm is raised; thereby realizing illegal access detection of the power dispatching service network. The power dispatching service network situation model base is mainly a self-growing and self-learning growing model base: self-growth and self-learning need no evaluation settings; a multi-dimensional clustering object is established according to the multi-dimensional clustering model and the situation model base is optimized automatically.

Claims (1)

1. A non-intervention interception power dispatching service network illegal access detection method is characterized by comprising the following steps:
step one, monitoring all data in the power dispatching service network through the FPGA programmable logic array chip in the monitoring board, and recording the data captured by monitoring;
step two, the monitoring board transmits the intercepted and captured data to the core board;
step three, the ARM processor in the core board receives the data transmitted by the monitoring board and parses it according to the IEC104 and IEC61850 protocols to obtain power dispatching service data;
step four, the ARM processor in the core board performs cluster classification on the parsed power dispatching service data according to a multi-dimensional cluster model, which comprises an equipment type dimension model, a communication protocol dimension model and a manufacturer model dimension model;
step five, the ARM processor in the core board determines from the monitored MAC physical address and IP address whether the equipment is registered; if it is not registered, an alarm is given, and if it is registered, a connection event is generated;
step six, performing cluster identification on the connection events obtained in step five; if non-clustered characteristic equipment exists (characteristic equipment is described by a characteristic identification library, formed from a number of characteristic devices used for debugging and from abnormal service equipment marked for special services by operation and maintenance personnel), judging according to the characteristic identification library whether the equipment is a registered characteristic equipment type, and if it is unregistered, adding the unregistered characteristic equipment to the characteristic identification library after alarm filtering;
step seven, establishing a situation model of the secondary equipment of the power dispatching service network, a number of these situation models being integrated into a power dispatching service network situation model base; according to the situation model base, performing cluster-based service flow analysis, service fault analysis, illegal port analysis and illegal IP address analysis: if the service flow is normal, detection ends, otherwise an equipment abnormality alarm is raised; if there is no service fault, illegal port access or illegal IP address access, detection ends, otherwise an event alarm is raised; and finally illegal access detection of the power dispatching service network is realized;
the equipment type dimension model is classified according to the types of the measurement and control device, the protection device, the background machine, the remote machine, the merging unit and the intelligent terminal equipment; the communication protocol dimension model is classified according to IEC103, IEC104, IEC61850-MMS, IEC61850-GOOSE and IEC61850-SMV protocol types; the manufacturer model dimension model is classified according to manufacturers and equipment models;
the power dispatching service network situation model library is provided with a self-growing and self-learning growing model library; the self-growth and self-learning do not need evaluation and setting, and a multidimensional clustering object is established according to a multidimensional clustering model to automatically optimize a power dispatching service network situation model base.
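The seven-step procedure described above (the Detailed Description, repeated in claim 1) written out in software, as an added example that is not part of the patent: steps one to three (FPGA capture, transfer to the core board, IEC104/IEC61850 parsing) are abstracted into an already-parsed `Flow` record, and the step-five registration check, the step-six characteristic identification library with its self-growth, and the step-seven situation model base with illegal port and illegal IP address analysis are implemented over constructed flows. The `Detector` class, the MAC and IP addresses, and the device names are assumptions for illustration; the two port numbers are the standard IEC 60870-5-104 and ISO-TSAP ports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass(frozen=True)
class Flow:
    """One flow after steps one to three (FPGA capture, transfer, IEC104/IEC61850 parsing)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str  # IEC103, IEC104, IEC61850-MMS, IEC61850-GOOSE or IEC61850-SMV

@dataclass(frozen=True)
class Cluster:
    """Step four: a device's position in the three-dimension cluster model."""
    equipment_type: str  # measurement and control, protection, background machine, ...
    protocol: str        # communication protocol dimension
    vendor_model: str    # manufacturer model dimension

@dataclass(frozen=True)
class Registration:
    """Registered MAC/IP binding of a device plus the cluster it was assigned to."""
    ip: str
    cluster: Cluster

@dataclass
class SituationModel:
    """Step seven: self-learned situation model of one secondary device."""
    peers: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)

class Detector:
    def __init__(self, registry: Dict[str, Registration], characteristic_lib: Set[str]):
        self.registry = registry                           # MAC -> Registration
        self.characteristic_lib = set(characteristic_lib)  # MACs of debug / special-service devices
        self.models: Dict[str, SituationModel] = {}        # situation model base, keyed by MAC
        self.learning = True                               # learn first, then detect; nothing to tune

    def finish_learning(self) -> None:
        self.learning = False

    def process(self, f: Flow) -> List[str]:
        """Run steps five to seven on one flow and return the alarms it raises ([] if normal)."""
        reg = self.registry.get(f.src_mac)
        # Step five: is the source MAC registered, and does it carry its registered IP?
        if reg is None:
            return [f"UNREGISTERED_DEVICE mac={f.src_mac} ip={f.src_ip}"]
        if reg.ip != f.src_ip:
            return [f"IP_MISMATCH mac={f.src_mac} registered={reg.ip} seen={f.src_ip}"]
        # Registered device, so this is a connection event. Step six: cluster identification;
        # traffic outside the device's protocol cluster is characteristic (debug) traffic.
        if f.protocol != reg.cluster.protocol:
            if f.src_mac in self.characteristic_lib:
                return []
            self.characteristic_lib.add(f.src_mac)  # library self-grows after the alarm
            return [f"UNKNOWN_CHARACTERISTIC_DEVICE mac={f.src_mac} proto={f.protocol}"]
        # Step seven: grow or check the device's situation model (peers and ports it uses).
        model = self.models.setdefault(f.src_mac, SituationModel())
        if self.learning:
            model.peers.add(f.dst_ip)
            model.ports.add(f.dst_port)
            return []
        alarms: List[str] = []
        if f.dst_ip not in model.peers:
            alarms.append(f"ILLEGAL_IP mac={f.src_mac} dst={f.dst_ip}")
        if f.dst_port not in model.ports:
            alarms.append(f"ILLEGAL_PORT mac={f.src_mac} port={f.dst_port}")
        return alarms

def build_demo_detector() -> Detector:
    """Constructed registry: an IEC104 remote machine and an IEC61850-MMS protection device."""
    registry = {
        "00:11:22:33:44:01": Registration("10.1.0.11", Cluster("remote machine", "IEC104", "VendorA-RTU1")),
        "00:11:22:33:44:02": Registration("10.1.0.12", Cluster("protection device", "IEC61850-MMS", "VendorB-P2")),
    }
    det = Detector(registry, characteristic_lib=set())
    # Constructed baseline traffic from which the situation models are self-learned
    # (2404 is the IEC 60870-5-104 port, 102 the ISO-TSAP port carrying IEC 61850 MMS).
    det.process(Flow("00:11:22:33:44:01", "10.1.0.11", "10.1.0.100", 2404, "IEC104"))
    det.process(Flow("00:11:22:33:44:02", "10.1.0.12", "10.1.0.101", 102, "IEC61850-MMS"))
    det.finish_learning()
    return det

if __name__ == "__main__":
    det = build_demo_detector()
    for fl in (  # constructed flows: illegal port, illegal IP, unregistered MAC, non-clustered protocol
        Flow("00:11:22:33:44:01", "10.1.0.11", "10.1.0.100", 23, "IEC104"),
        Flow("00:11:22:33:44:02", "10.1.0.12", "10.1.0.200", 102, "IEC61850-MMS"),
        Flow("aa:bb:cc:dd:ee:ff", "10.1.0.50", "10.1.0.100", 2404, "IEC104"),
        Flow("00:11:22:33:44:02", "10.1.0.12", "10.1.0.101", 20000, "IEC103"),
    ):
        print(det.process(fl) or ["normal"])
```

Feeding the same non-clustered flow twice shows the self-growth of step six: the first pass alarms and adds the MAC to the library, the second pass is silent.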

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810939925.0A CN108768795B (en) 2018-08-17 2018-08-17 Non-intervention interception power dispatching service network illegal access detection method

Publications (2)

Publication Number Publication Date
CN108768795A (en) 2018-11-06
CN108768795B (en) 2021-09-24

Family

ID=63967215



Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7043543B2 (en) * 1996-07-23 2006-05-09 Server Technology, Inc. Vertical-mount electrical power distribution plugstrip
CN101825894B (en) * 2010-04-30 2012-07-18 北京航空航天大学 SF6 high-voltage circuit breaker state intelligent monitoring and health management system
CN102208996B (en) * 2011-05-18 2018-06-26 河南省电力公司 Method is monitored for the network security of digital transformer substation network-enabled intelligent equipment
CN103023695B (en) * 2012-11-28 2015-04-15 绍兴电力局 Master station system monitoring model based on power dispatching automation
CN103412187A (en) * 2013-08-21 2013-11-27 何平 Non-intervening type electric energy measurement managing system
CN103546488A (en) * 2013-11-05 2014-01-29 上海电机学院 Active security defense system and method of power secondary system
CN105550798A (en) * 2015-12-07 2016-05-04 河南许继仪表有限公司 Non-intruding type load decomposition and monitoring system

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN104092584A (en) * 2014-07-17 2014-10-08 国家电网公司 Smart substation network communication signal detector

Non-Patent Citations (1)

Title
Security technology for power 4G wireless communication networks; 李坚 et al.; 《电信科学》 (Telecommunications Science); 2015-12-30; full text *



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2021-09-24