CN114124478B - Method and system for detecting abnormal industrial control flow of power system - Google Patents


Info

Publication number: CN114124478B
Application number: CN202111311047.6A
Authority: CN (China)
Prior art keywords: message, abnormal, judging, protocol, flow
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114124478A
Inventors: 刘绚, 王文博, 宋宇飞, 张博, 于宗超
Current assignee: Hunan University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hunan University
Events: application filed by Hunan University; priority to CN202111311047.6A; publication of CN114124478A; application granted; publication of CN114124478B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/12 Applying verification of the received information
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers


Abstract

The invention discloses a method and a system for detecting abnormal industrial control traffic in an electric power system. Traffic data captured in real time is first checked for anomalies in its network-layer traffic features; the application-layer message of each frame is then extracted, parsed field by field according to its protocol type, and checked for anomalies at the field level; finally, normal behaviour models of the various power services are established and anomaly detection is performed against these service models. The invention overcomes the shortcoming of existing methods for detecting abnormal power industrial control traffic, which concentrate on network-layer traffic statistics and do not consider power service logic in depth, and improves the accuracy and reliability of detecting abnormal power industrial control traffic data.

Description

Method and system for detecting abnormal industrial control flow of power system
Technical Field
The invention relates to the technical field of information security of power systems, in particular to a method and a system for detecting industrial control flow abnormality of a power system.
Background
With the rapid development of smart grids, power systems have evolved from conventional physical systems into cyber-physical systems that incorporate new information technologies. The electric power industrial control system is an important component of this cyber-physical system: transmitting message information over a large number of communication protocols makes grid operation and control more convenient and flexible, but at the same time exposes it to security hazards such as message eavesdropping, tampering and denial of service. An effective method for monitoring abnormal behaviour of the power industrial control system is therefore of great significance for its safe and stable operation.
Anomaly detection of power industrial control traffic is one of the important technical means of protecting a power industrial control system: it can identify various network attack behaviours and raise alarms for network defence. However, existing methods for detecting abnormal power industrial control traffic rely on traffic statistics at the network layer, so they cannot effectively detect the application-layer characteristics of attack behaviour and therefore cannot effectively monitor abnormal behaviour of the power industrial control system. A new method for monitoring abnormal traffic behaviour in power system industrial control is therefore needed, to improve the ability to identify unknown attack behaviours and to ensure the safe and reliable operation of the power system.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a system for detecting abnormal industrial control traffic of a power system that address the shortcomings of the prior art, effectively removing the limitation that existing detection methods cannot detect abnormal power service behaviour at the application layer, and improving the safety and reliability of traffic information transmission in the power industrial control system.
To solve this technical problem, the invention adopts the following technical scheme. The method for detecting abnormal industrial control traffic of a power system comprises the following steps:
S1. Capture industrial control traffic packets of the electric power system in real time, obtain the timestamp, source IP, destination IP and byte count of the current frame, and extract the application-layer message;
S2. Calculate the network-layer traffic feature index thresholds from normal traffic data, calculate the network-layer traffic feature indices from the timestamp, source IP, destination IP and byte count obtained in step S1, judge the traffic abnormal if any traffic feature index exceeds its corresponding threshold, and otherwise proceed to step S3;
S3. According to the protocol to which the application-layer message extracted in step S1 belongs, parse each field of the message's application protocol control unit (APCI) and application service data unit (ASDU), obtaining the specific values of the message length field, message control fields 1-4, the type identifier and the cause of transmission;
S4. Perform anomaly detection on the corresponding field characteristics using the specific values of the message length field, control fields 1-4, type identifier and cause of transmission parsed in step S3; if the associated fields of the message do not conform to normal service logic, or the value of a single field exceeds the range specified by the protocol, judge the message abnormal.
The invention jointly considers abnormal conditions of power industrial control traffic at the network layer and the application layer, establishes anomaly detection models for the network-layer traffic features, the application-layer message field features and the service features of power industrial control traffic, overcomes the limitation that existing anomaly detection methods focus on network-layer traffic statistics, and improves the safety and reliability of traffic information transmission in the power industrial control system.
In step S2, the maximum value of each traffic feature index per unit time is taken as its network traffic feature threshold; the traffic feature indices comprise source IP information entropy, destination IP information entropy, number of large packets, number of small packets, traffic mean, traffic variance, average traffic and peak traffic.
By comparing the real-time network-layer traffic feature indices with their corresponding thresholds, abnormal conditions of power industrial control traffic at the network layer can be identified effectively, improving the detection and defence capability of the power industrial control system against network-layer attacks.
The specific implementation of step S4 comprises the following steps:
1) For an IEC 60870-5-104 protocol message captured in real time, detect whether the theoretical length of the message equals its actual length; if not, judge the IEC 60870-5-104 message abnormal, otherwise proceed to step 2);
2) Detect whether the actual length of the message exceeds the maximum message length specified by the IEC 60870-5-104 protocol; if so, judge the message abnormal, otherwise proceed to step 3);
3) Detect whether the type identifier and cause-of-transmission field values of the IEC 60870-5-104 message lie within the range specified by the protocol; if not, judge the message abnormal, otherwise proceed to step 4);
4) Detect whether the lowest bit [bit0] of control field 1 of the message is 1 and whether the lowest bit [bit0] of control field 3 is 1; if not, judge the IEC 60870-5-104 message abnormal, otherwise proceed to step 5);
5) Detect whether a U-frame message of the IEC 60870-5-104 protocol is abnormal. A U frame carries the test, stop and start functions; if more than one of these three functions is present in control field 1, or the field values of control field 2 and control field 4 are not 0, judge the U-frame message abnormal.
Based on the field characteristics of a single-frame message, the invention performs anomaly detection on single-field thresholds, coupling logic within a single field and association logic across multiple fields, overcoming the shortcoming that existing message anomaly detection methods can only perform simple checks on the message format.
The method further comprises:
S5. Establish normal service behaviour models for the telemetry, remote signaling and remote control services, perform anomaly detection on the parsed message against these service models, and judge the message abnormal if it does not conform to the normal service behaviour model.
The specific implementation of step S5 comprises the following steps:
If the message belongs to the telemetry service, analyse the characteristics of the telemetry service according to the IEC 60870-5-104 protocol, establish a normal service behaviour model, perform anomaly detection against that model, and judge the message abnormal if it does not conform to it;
If the message belongs to the remote signaling service, analyse the characteristics of the remote signaling service according to the IEC 60870-5-104 protocol, establish a normal service behaviour model, perform anomaly detection against that model, and judge the message abnormal if it does not conform to it;
If the message belongs to the remote control service, analyse the characteristics of the remote control service according to the IEC 60870-5-104 protocol, establish a normal service behaviour model, perform anomaly detection against that model, and judge the message abnormal if it does not conform to it.
According to the invention, normal behaviour models of the power services are established according to the IEC 60870-5-104 protocol specification and used for anomaly detection of power industrial control traffic, so that abnormal behaviour of the traffic is identified accurately at the power service level and the accuracy of monitoring abnormal power industrial control traffic is improved.
For a message belonging to the telemetry service, the analysis of the telemetry service characteristics according to the IEC 60870-5-104 protocol, the establishment of the normal service behaviour model, the anomaly detection against that model and the judgement of the message as abnormal if it does not conform are implemented as follows:
I) If the condition $COT(P_{RM}) \in \{01, 02, 03, 20\}$ is not satisfied, judge the message abnormal; otherwise proceed to step II). Here P is the application-layer message of the traffic data, $P_{RM}$ denotes an IEC 60870-5-104 telemetry message, and $COT(P_{RM})$ is the cause-of-transmission field value of the message; 01 denotes periodic/cyclic, 02 background scan, 03 spontaneous, and 20 response to a general interrogation;
II) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step III). Here $IOA(P_{RM})$ is the information object address of the message and H denotes a hexadecimal value;
III) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step IV). Here $QU(P_{RM})$ is the quality descriptor of the telemetry message, OV its overflow flag, IV its invalid flag, SB its substituted flag and NT its not-topical flag;
IV) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step V). Here $TYP\_BYTE(P_{RM})$ is the number of bytes of data per information object implied by the type identifier, $QU\_BYTE(P_{RM})_j$ is the length of the data of the j-th information object, and m is the number of information objects in the message;
V) If the condition $RMV(i) \in [RMV(i)_{min}, RMV(i)_{max}]$ is not satisfied, judge the message abnormal; otherwise proceed to step VI). Here RMV(i) is the i-th telemetry value, $RMV(i)_{min}$ is the lower bound of the telemetry value derived from normal traffic statistics, and $RMV(i)_{max}$ is the corresponding upper bound;
VI) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise judge the current frame normal and return to step S1 to continue anomaly detection on the next frame. Here RMV1(i) is the current value of the i-th telemetry point and RMV2(i) is the last value transmitted by the telemetry device that uploaded RMV1(i).
The invention establishes a normal behaviour model for the characteristics of the telemetry service and, according to that model, performs anomaly detection on telemetry messages covering single-field thresholds, multi-field coupling logic, telemetry value thresholds and the telemetry dead band. This achieves comprehensive detection of abnormal telemetry data and reduces the occurrence of events in which wrongly uploaded telemetry data affects the monitoring and control functions of the master station.
In the invention, for a message belonging to the remote signaling service, the analysis of the remote signaling service characteristics according to the IEC 60870-5-104 protocol, the establishment of the normal service behaviour model, the anomaly detection against that model and the judgement of the message as abnormal if it does not conform are implemented as follows:
i) If the condition $COT(P_{RS}) \in \{01, 02, 20\}$ is not satisfied, judge the message abnormal; otherwise proceed to step ii). Here $P_{RS}$ denotes an IEC 60870-5-104 remote signaling message and $COT(P_{RS})$ is the cause-of-transmission field value of the message; 01 denotes periodic/cyclic, 02 background scan, and 20 response to a general interrogation;
ii) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step iii). Here $IOA(P_{RS})$ is the information object address of the message;
iii) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step iv). Here $P_{D\text{-}RS}$ denotes an IEC 60870-5-104 single-point remote signaling message and $SPI(P_{D\text{-}RS})$ is the value of the SPI bit of the message quality descriptor;
iv) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step v). Here $P_{S\text{-}RS}$ denotes an IEC 60870-5-104 double-point remote signaling message and $DPI(P_{S\text{-}RS})$ is the value of the DPI bits of the message quality descriptor;
v) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step vi). Here $RSV1(P_{RS})$ and $RSV2(P_{RS})$ are the remote signaling states carried by the current frame and by the previous frame with the same information object address;
vi) If the condition $RSV\_SUM \le RSV\_MAX$ is not satisfied, judge the message abnormal; otherwise judge the current frame normal and return to step S1 to continue anomaly detection on the next frame. Here t is the time period over which remote signaling shifts are counted, RSV_SUM is the total number of remote signaling shifts within t, and RSV_MAX is the threshold on the number of shifts within t derived from normal traffic.
The invention establishes a normal behaviour model for the characteristics of the remote signaling service and, according to that model, performs anomaly detection on remote signaling messages covering single-field thresholds, multi-field coupling logic, remote signaling shift logic and the remote signaling shift threshold. This achieves comprehensive detection of abnormal remote signaling messages and effectively prevents maliciously injected or tampered remote signaling messages from affecting the scheduling and decision-making of the master station.
For a message belonging to the remote control service, the analysis of the remote control service characteristics according to the IEC 60870-5-104 protocol, the establishment of the normal service behaviour model, the anomaly detection against that model and the judgement of the message as abnormal if it does not conform are implemented as follows:
a) If the condition $COT(P_{RC}) \in \{06, 07, 08, 09, 10\}$ is not satisfied, judge the message abnormal; otherwise proceed to step b). Here $P_{RC}$ denotes an IEC 60870-5-104 remote control message and $COT(P_{RC})$ is the cause-of-transmission field value of the message; 06 denotes activation, 07 activation confirmation, 08 deactivation, 09 deactivation confirmation, and 10 activation termination;
b) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step c). Here $IOA(P_{RC})$ is the information object address of the message;
c) If the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step d). Here $P_{D\text{-}RC}$ denotes an IEC 60870-5-104 single-point remote control message and $SPI(P_{D\text{-}RC})$ is the value of the SPI bit of the message quality descriptor. Likewise, if the formula
[formula image not reproduced]
is not satisfied, judge the message abnormal; otherwise proceed to step d). Here $P_{S\text{-}RC}$ denotes an IEC 60870-5-104 double-point remote control message and $DPI(P_{S\text{-}RC})$ is the value of the DPI bits of the message quality descriptor;
d) If the sequence $P_{RC1} \to P_{RC2} \to P_{RC3} \to P_{RC4}$ is not followed, judge the message abnormal; otherwise proceed to step e). Here $P_{RC1}$ denotes the remote control select command, $P_{RC2}$ the select confirmation, $P_{RC3}$ the execute command, and $P_{RC4}$ the execute confirmation;
e) If the condition $RCV\_SUM \le RCV\_MAX$ is not satisfied, judge the message abnormal; otherwise proceed to step f). Here t is the time period over which remote control commands are counted, RCV_SUM is the total number of remote control commands within t, and RCV_MAX is the threshold on the number of commands within t derived from normal traffic;
f) If a remote signaling shift occurs while a remote control command is being executed, execution of the command is stopped immediately; if the command nevertheless continues to execute, judge the message abnormal.
The invention establishes a normal behaviour model for the characteristics of the remote control service and, according to that model, performs anomaly detection on remote control messages covering single-field thresholds, multi-field coupling logic, remote control execution logic, the remote control command threshold and service association logic. This achieves comprehensive detection of abnormal remote control messages and effectively prevents abnormal events such as equipment tripping or erroneous switching-in caused by malicious interception, injection or tampering of remote control messages.
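As an added illustration of steps a), d) and e) above (not the patent's own code): a per-address state machine that enforces the select-before-execute order P_RC1 → P_RC2 → P_RC3 → P_RC4 and a sliding-window count of remote control commands against RCV_MAX. The event tuples, the window length t and the RCV_MAX value are constructed assumptions.

```python
"""Remote-control sequence (step d) and rate (step e) checks for IEC 60870-5-104.
Added illustration; not the patent's code. A command event is a constructed tuple
(timestamp in s, information object address, cause of transmission, select flag),
where select=True stands for the S/E bit of the command qualifier."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Event = Tuple[float, int, int, bool]
COT_ACT, COT_ACTCON, COT_DEACT, COT_DEACTCON, COT_ACTTERM = 6, 7, 8, 9, 10
REMOTE_CONTROL_COTS = (COT_ACT, COT_ACTCON, COT_DEACT, COT_DEACTCON, COT_ACTTERM)
# P_RC1 -> P_RC2 -> P_RC3 -> P_RC4: select act, select con, execute act, execute con.
SEQUENCE = [(True, COT_ACT), (True, COT_ACTCON), (False, COT_ACT), (False, COT_ACTCON)]
RCV_WINDOW = 60.0   # t in step e (assumed)
RCV_MAX = 5         # threshold learned from normal traffic (assumed value)


class RemoteControlMonitor:
    def __init__(self, rcv_max: int = RCV_MAX, window: float = RCV_WINDOW):
        self.stage: Dict[int, int] = defaultdict(int)   # per-IOA position in SEQUENCE
        self.recent: Deque[float] = deque()              # timestamps inside the window
        self.rcv_max, self.window = rcv_max, window

    def feed(self, ev: Event) -> List[str]:
        """Process one remote-control event; return the alarms it raises (empty = normal)."""
        t, ioa, cot, select = ev
        alarms: List[str] = []
        # Step e: RCV_SUM = commands seen within the last t seconds must not exceed RCV_MAX.
        self.recent.append(t)
        while self.recent and t - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.rcv_max:
            alarms.append(f"RCV_SUM={len(self.recent)} exceeds RCV_MAX={self.rcv_max}")
        # Step a: the cause of transmission must be one of the remote-control causes.
        if cot not in REMOTE_CONTROL_COTS:
            alarms.append(f"IOA {ioa}: COT {cot} is not a remote-control cause")
            return alarms
        if cot in (COT_DEACT, COT_DEACTCON, COT_ACTTERM):
            self.stage[ioa] = 0   # deactivation aborts, termination closes the command
            return alarms
        # Step d: the (select, COT) pair must be the next one expected for this IOA.
        expected = SEQUENCE[self.stage[ioa]]
        if (select, cot) != expected:
            alarms.append(f"IOA {ioa}: got {(select, cot)}, expected {expected}")
            self.stage[ioa] = 0
        else:
            self.stage[ioa] = (self.stage[ioa] + 1) % len(SEQUENCE)
        return alarms


def run(events: List[Event]) -> List[str]:
    """Feed a constructed event list through a fresh monitor and collect all alarms."""
    mon = RemoteControlMonitor()
    alarms: List[str] = []
    for ev in events:
        alarms.extend(mon.feed(ev))
    return alarms


# Constructed samples: a complete select/execute on IOA 0x6001 followed by activation
# termination (normal), and a bare execute on IOA 0x6002 with no preceding select.
NORMAL: List[Event] = [(0.0, 0x6001, 6, True), (0.2, 0x6001, 7, True),
                       (1.0, 0x6001, 6, False), (1.2, 0x6001, 7, False),
                       (1.5, 0x6001, 10, False)]
BARE_EXECUTE: List[Event] = [(10.0, 0x6002, 6, False)]

if __name__ == "__main__":
    print("normal:", run(NORMAL))
    print("bare execute:", run(BARE_EXECUTE))
```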
As an inventive concept, the present invention also provides a computer system comprising a memory, a processor and a computer program stored on the memory; the processor executes the computer program to implement the steps of the above-described method of the present invention.
As an inventive concept, the present invention also provides a computer program product comprising a computer program/instructions; wherein the computer program/instructions, when executed by a processor, implement the steps of the above-mentioned method of the invention.
Compared with the prior art, the invention has the following beneficial effects:
(1) The invention comprehensively considers the abnormal conditions of the power industrial control flow data in the network layer and the application layer, establishes the network layer flow characteristics, the field characteristics of the application layer message and the service characteristic abnormality detection model of the power industrial control flow data, and overcomes the limitation that the traditional abnormality detection method focuses on the flow statistical analysis of the network layer.
(2) The invention overcomes the defect that the existing message anomaly detection method can only carry out simple malformation verification aiming at the message format by carrying out anomaly detection on the single-field threshold value, the single-field internal coupling logic and the multi-field association logic on the application layer message of the electric power industrial control flow data.
(3) According to the invention, a normal behavior model of the power service is established according to IEC communication protocol specifications, the abnormal detection is carried out on the power industrial control flow data by utilizing the service model, the accurate identification of the abnormal behavior of the power industrial control flow data on the power service level is realized, and the accuracy of monitoring the power industrial control flow abnormal is improved.
Drawings
Fig. 1 is a flowchart of abnormality detection in the embodiment of the present invention.
Fig. 2 is a schematic structural diagram of an abnormal behavior monitoring system for industrial control flow of an electric power system according to an embodiment of the present invention.
Fig. 3 is a system unit diagram of a network layer traffic feature anomaly detection module in an embodiment of the present invention.
FIG. 4 is a block diagram of an anomaly detection module based on field characteristics in an embodiment of the present invention.
FIG. 5 is a block diagram of an anomaly detection module system based on a business model in an embodiment of the present invention.
Detailed Description
Fig. 1 is a flowchart of the method for detecting abnormal industrial control traffic of an electric power system according to an embodiment of the invention; the steps are implemented as follows:
Step S1: Capture traffic packets in real time from a mirror port of the switch, obtain the timestamp, source IP, destination IP and byte count of the current frame, and extract the application-layer message;
Step S2: Calculate the network-layer traffic feature index thresholds from normal traffic data, calculate the network-layer traffic feature indices from the timestamp, source IP, destination IP and byte count obtained in step S1, judge the traffic abnormal if any traffic feature index exceeds its corresponding threshold, and otherwise proceed to step S3;
Step S3: According to the protocol to which the application-layer message extracted in step S1 belongs, parse each field of the message's application protocol control unit (APCI) and application service data unit (ASDU), obtaining the specific values of fields such as the message length field, message control fields 1-4, the type identifier and the cause of transmission;
Step S4: Perform anomaly detection on the corresponding field characteristics using the specific values of the message length field, control fields 1-4, type identifier and cause of transmission parsed in step S3, and judge the message abnormal if the associated fields do not conform to normal service logic or the value of a single field exceeds the range specified by the protocol;
Step S5: Establish normal service behaviour models for the telemetry, remote signaling and remote control services, perform service-model-based anomaly detection on the application-layer message parsed in step S3, and judge the message abnormal if it does not conform to the normal service behaviour model.
Further, step S2 is implemented as follows:
S2-1: Calculate from normal traffic data the thresholds of the traffic feature indices (source IP information entropy, destination IP information entropy, number of large packets, number of small packets, traffic mean, traffic variance, average traffic and peak traffic); the maximum value of each index per unit time is taken as its threshold, with the unit time set to 60 seconds. The information entropy is calculated as

$$H = -\sum_{i=1}^{k} p_i \log p_i$$

where k is the total number of source (or destination) IPs, $p_i$ is the probability of occurrence of the respective source or destination IP, and H is the source (or destination) IP information entropy.
The average traffic is calculated as

$$K = \frac{1}{\Delta t}\sum_{\alpha=1}^{n} x_\alpha$$

where $\Delta t$ is the time interval, n is the total number of frames of traffic data in the interval, $x_\alpha$ is the byte count of a single frame, and K is the average traffic in b/s.
The traffic mean is calculated as

$$M = \frac{1}{n}\sum_{\alpha=1}^{n} x_\alpha$$

where n is the total number of frames of traffic data per unit time and M is the traffic mean.
The traffic variance is calculated as

$$s^2 = \frac{1}{n}\sum_{\alpha=1}^{n} (x_\alpha - M)^2$$

where $s^2$ is the traffic variance.
S2-2: From the timestamp, source IP, destination IP, byte count and other network-layer information of the current frame obtained in step S1, calculate the corresponding traffic feature index values per unit time; if any index value exceeds the threshold calculated in step S2-1, judge the traffic abnormal, otherwise proceed to step S3.
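As an added illustration (not code from the patent), the step S2 procedure carried through in Python: the indices of S2-1 are computed per 60-second window over constructed traffic records, each threshold is learned as the per-index maximum over the normal windows, and a window is flagged when any index exceeds its threshold. The byte boundary between "large" and "small" packets and the sample traffic are assumptions.

```python
"""Network-layer traffic indices of step S2 over fixed windows (added illustration, not
the patent's code). Records are constructed (timestamp, src IP, dst IP, byte count) tuples."""
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Frame = Tuple[float, str, str, int]   # (timestamp in s, source IP, destination IP, bytes)
WINDOW = 60.0                          # unit time from S2-1
LARGE_PACKET = 1000                    # assumed byte boundary for the large/small packet counts


def entropy(values: Iterable[str]) -> float:
    """H = -sum_i p_i log2 p_i over the k distinct IPs seen in the window."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_indices(frames: List[Frame]) -> Dict[str, float]:
    """The eight S2-1 indices for one window of frames (empty dict for an empty window)."""
    sizes = [b for _, _, _, b in frames]
    n = len(sizes)
    if n == 0:
        return {}
    mean = sum(sizes) / n                           # M, traffic mean per frame
    variance = sum((x - mean) ** 2 for x in sizes) / n   # s^2
    return {
        "src_entropy": entropy(s for _, s, _, _ in frames),
        "dst_entropy": entropy(d for _, _, d, _ in frames),
        "large_packets": sum(1 for x in sizes if x >= LARGE_PACKET),
        "small_packets": sum(1 for x in sizes if x < LARGE_PACKET),
        "mean_bytes": mean,
        "variance": variance,
        "avg_rate_bps": 8 * sum(sizes) / WINDOW,     # K, average traffic in bit/s over Δt
        "peak_bytes": max(sizes),
    }


def split_windows(frames: List[Frame]) -> List[List[Frame]]:
    """Group frames into consecutive WINDOW-second buckets by timestamp."""
    buckets: Dict[int, List[Frame]] = {}
    for f in frames:
        buckets.setdefault(int(f[0] // WINDOW), []).append(f)
    return [buckets[k] for k in sorted(buckets)]


def learn_thresholds(normal: List[Frame]) -> Dict[str, float]:
    """S2-1: the threshold of each index is its maximum over the normal-traffic windows."""
    thresholds: Dict[str, float] = {}
    for w in split_windows(normal):
        for k, v in window_indices(w).items():
            thresholds[k] = max(thresholds.get(k, float("-inf")), v)
    return thresholds


def detect(window: List[Frame], thresholds: Dict[str, float]) -> List[str]:
    """S2-2: names of the indices whose value exceeds the learned threshold (empty = normal)."""
    return [k for k, v in window_indices(window).items() if v > thresholds.get(k, float("inf"))]


def make_traffic() -> Tuple[List[Frame], List[Frame]]:
    """Constructed sample: a master 10.0.0.1 polling three RTUs for three windows (normal),
    then one window in which 50 new source addresses send large frames to the master."""
    normal: List[Frame] = []
    for t in range(0, 180, 2):          # one poll every 2 s, answered 1 s later
        rtu = f"10.0.1.{1 + (t // 2) % 3}"
        normal.append((float(t), "10.0.0.1", rtu, 100 + (t % 7)))
        normal.append((t + 1.0, rtu, "10.0.0.1", 120))
    flood = [(180.0 + i * 0.5, f"192.0.2.{i % 50}", "10.0.0.1", 1400) for i in range(100)]
    return normal, flood


if __name__ == "__main__":
    normal_frames, flood_window = make_traffic()
    th = learn_thresholds(normal_frames)
    print("thresholds:", {k: round(v, 2) for k, v in th.items()})
    print("flood window exceeds:", detect(flood_window, th))
```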
Further, step S4 includes:
s4-1: for IEC 60870-5-104 protocol messages captured in real time, detecting whether the theoretical length of the message is equal to the actual length of the message, if not, namely, violating the formula (5), judging as abnormal, otherwise, entering the step S4-2.
Figure BDA0003341808990000091
Wherein P is an application layer message of flow data, P IEC104 Representing IEC 60870-5-104 protocol messages, THE (P IEC104 ) Representing the theory calculated from the message length fieldMessage length, LEN (P IEC104 ) Indicating the actual string length of the message.
S4-2: and detecting whether the actual length of the message exceeds the maximum message length specified by the IEC 60870-5-104 protocol, if so, violating the formula (6), judging as abnormal, otherwise, entering the step S4-3.
Figure BDA0003341808990000092
Wherein LEN (P IEC104 ) max Representing the maximum message length specified by the protocol.
S4-3: detecting whether the type identifier and the transmission reason field value of the message are in the protocol specified range, if the type identifier and the transmission reason field value are beyond the protocol specified range, namely, violate the formula (7), judging that the message is abnormal, otherwise, entering the step S4-4.
Figure BDA0003341808990000093
Wherein FIE (P IEC104 ) Field value representing message type identification or transmission reason, FIE (P IEC104 ) min Representing the minimum value of the fields specified by the protocol, FIE (P IEC104 ) max Representing the maximum value of the fields specified by the protocol.
S4-4: Detect whether the lowest bit [bit0] of message control field 1 is 1 and whether the lowest bit [bit0] of control field 3 is 1; if not, the message is judged abnormal; otherwise, enter step S4-5.
S4-5: Detect whether a U-frame message of the IEC 60870-5-104 protocol is abnormal. A U-frame has three functions, test, stop and start, and only one of them may be present in a single U-frame; if more than one of the three functions is set in control field 1, or the field values of control field 2 and control field 4 are not 0, the U-frame message is judged abnormal.
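As an added illustration of steps S4-1 to S4-5 (example code written for this page, not part of the patent or of any product it describes), the following Python function applies the field-level checks to a single APDU. The APCI byte layout is the public IEC 60870-5-104 one; the constants TYPE_ID_RANGE and COT_RANGE stand in for FIE_min/FIE_max and are assumed values; and the control-field check is written against the standard's format encoding (bit0 of control field 1 is 0 for I-format and 1 for S/U-format, bit0 of control field 3 is 0 in every format). All sample frames are constructed.

```python
import struct

START_BYTE = 0x68
APDU_MAX_LEN = 255        # LEN(P_IEC104)_max: 2 header octets + at most 253 octets counted by the length octet
TYPE_ID_RANGE = (1, 127)  # assumed FIE range: defined type identifications (128..255 reserved)
COT_RANGE = (1, 47)       # assumed FIE range: defined causes of transmission (48..63 private)


def theoretical_length(apdu):
    """THE(P_IEC104): the length the length octet claims, including the start and length octets."""
    return apdu[1] + 2


def frame_format(cf1):
    """Classify by the two low bits of control field 1: I-format (x0), S-format (01) or U-format (11)."""
    if cf1 & 0x01 == 0:
        return "I"
    return "U" if cf1 & 0x02 else "S"


def check_apdu(apdu):
    """Run S4-1..S4-5 on one APDU; returns the violated checks (an empty list means it passed)."""
    findings = []
    if len(apdu) < 6 or apdu[0] != START_BYTE:
        return ["S4-1: too short or missing 0x68 start octet"]
    if theoretical_length(apdu) != len(apdu):          # S4-1, formula (5)
        findings.append("S4-1: length octet does not match actual length")
    if len(apdu) > APDU_MAX_LEN:                        # S4-2, formula (6)
        findings.append("S4-2: APDU longer than the protocol maximum")
    cf1, cf2, cf3, cf4 = apdu[2:6]
    fmt = frame_format(cf1)
    # S4-4: format bits. This example follows the standard's encoding: bit0 of control
    # field 1 selects I-format (0) or S/U-format (1); bit0 of control field 3 is always 0.
    if cf3 & 0x01:
        findings.append("S4-4: reserved bit0 of control field 3 is set")
    if fmt == "U":
        # S4-5: exactly one of TESTFR/STOPDT/STARTDT (act or con) and control fields 2..4 zero
        function_bits = (cf1 >> 2) & 0x3F
        if bin(function_bits).count("1") != 1:
            findings.append("S4-5: U-frame does not carry exactly one function")
        if cf2 or cf3 or cf4:
            findings.append("S4-5: U-frame control fields 2..4 are not zero")
    elif fmt == "I":
        # S4-3, formula (7): type identification and cause of transmission within range
        if len(apdu) < 12:   # APCI (6) + fixed ASDU header (type, VSQ, COT, OA, CA)
            findings.append("S4-3: I-frame too short for an ASDU header")
        else:
            type_id, cot = apdu[6], apdu[8] & 0x3F   # low 6 bits of the COT octet
            if not TYPE_ID_RANGE[0] <= type_id <= TYPE_ID_RANGE[1]:
                findings.append("S4-3: type identification out of range")
            if not COT_RANGE[0] <= cot <= COT_RANGE[1]:
                findings.append("S4-3: cause of transmission out of range")
    return findings


def build_i_frame(type_id, cot, ioa, payload, ns=0, nr=0):
    """Constructed I-format APDU carrying one information object (common address 1)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, 0x01, 0x00]) + ioa.to_bytes(3, "little") + payload
    apci = bytes([START_BYTE, 4 + len(asdu),
                  (ns << 1) & 0xFF, ns >> 7, (nr << 1) & 0xFF, nr >> 7])
    return apci + asdu


# Constructed sample frames
GOOD_I = build_i_frame(0x0D, 3, 0x4001, struct.pack("<f", 49.87) + b"\x00")   # M_ME_NC_1, spontaneous
STARTDT_ACT = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])
BAD_U = bytes([0x68, 0x04, 0x47, 0x00, 0x00, 0x00])     # STARTDT act and TESTFR act together
TRUNCATED = GOOD_I[:-2]                                   # length octet no longer matches
BAD_COT = build_i_frame(0x0D, 0, 0x4001, struct.pack("<f", 1.0) + b"\x00")   # COT 0 is undefined

if __name__ == "__main__":
    for name, frame in [("GOOD_I", GOOD_I), ("STARTDT_ACT", STARTDT_ACT), ("BAD_U", BAD_U),
                        ("TRUNCATED", TRUNCATED), ("BAD_COT", BAD_COT)]:
        print(name, check_apdu(frame) or "normal")
```

The checks are ordered as in the patent, but every check is evaluated rather than stopping at the first violation, so one malformed frame yields the full list of field-level reasons for the alert.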
Further, step S5 includes:
S5-1: Determine the specific telecontrol service to which the message belongs from its type identification field. If the message belongs to the telemetry service, enter step S5-2 for anomaly detection; if it belongs to the remote signaling service, enter step S5-3 for anomaly detection; if it belongs to the remote control service, enter step S5-4 for anomaly detection. The telecontrol service corresponding to each type identification is given in the following table:
Type identification           Telecontrol service
09, 0a, 0b, 0c, 0d, 0e, 15    Telemetry
01, 03, 14                    Remote signaling
2d, 2e, 3a, 3b                Remote control
S5-2: Analyze the characteristics of the telemetry service according to the IEC 60870-5-104 protocol, establish a normal service behavior model, perform anomaly detection against the established model, and judge the message abnormal if it does not conform to the model.
S5-3: Analyze the characteristics of the remote signaling service according to the IEC 60870-5-104 protocol, establish a normal service behavior model, perform anomaly detection against the established model, and judge the message abnormal if it does not conform to the model.
S5-4: Analyze the characteristics of the remote control service according to the IEC 60870-5-104 protocol, establish a normal service behavior model, perform anomaly detection against the established model, and judge the message abnormal if it does not conform to the model.
Further, the step S5-2 includes:
S5-2-1: Establish a normal model of the transmission cause field of the telemetry service. The transmission cause of the telemetry service takes only the 4 values 01 (period, cycle), 02 (background scan), 03 (burst) and 20 (response to general call); if formula (8) is violated, the message is judged abnormal; otherwise, enter step S5-2-2.
COT(P_RM) ∈ {01, 02, 03, 20} (8)
Wherein P_RM denotes a telemetry message of the IEC 60870-5-104 protocol, and COT(P_RM) denotes the transmission cause field value of the message.
S5-2-2: Establish a normal model of the information object address field of the telemetry service. The information object address of a telemetry message lies between 4001H and 6000H; if formula (9) is violated, the message is judged abnormal; otherwise, enter step S5-2-3.
IOA(P_RM) ∈ [4001H, 6000H] (9)
Wherein IOA(P_RM) denotes the information object address of the message, and H denotes a hexadecimal value.
S5-2-3: Establish a normal model of the quality descriptor field of the telemetry service. Each flag bit of the quality descriptor of telemetry data follows fixed logic; if formula (10) is violated, the message is judged abnormal; otherwise, enter step S5-2-4.
Formula (10): quality descriptor flag logic (equation image not reproduced)
Wherein QU(P_RM) denotes the quality descriptor of the telemetry message, OV denotes the overflow flag of the quality descriptor, IV denotes the valid flag of the quality descriptor, SB denotes the replacement flag of the quality descriptor, and NT denotes the refresh flag of the quality descriptor.
S5-2-4: Establish a normal model of the association between the telemetry message type identification and the information object data field. The type identification of a telemetry message determines the number of bytes of each information object; if the byte counts are inconsistent, that is, formula (11) is violated, the message is judged abnormal; otherwise, enter step S5-2-5.
TYP_BYTE(P_RM) = QU_BYTE(P_RM)_j, j = 1, 2, …, m (11)
Wherein TYP_BYTE(P_RM) denotes the number of bytes per information object implied by the type identification, QU_BYTE(P_RM)_j denotes the data length of the j-th information object, and m denotes the number of information objects in the message.
S5-2-5: Establish a normal range model of the telemetry values of the telemetry service. An upper and a lower boundary of each telemetry value are obtained from the statistics of normal flow; if a telemetry value exceeds these thresholds, that is, formula (12) is violated, the message is judged abnormal; otherwise, enter step S5-2-6.
RMV(i) ∈ [RMV(i)_min, RMV(i)_max] (12)
Wherein RMV(i) denotes the i-th telemetry value, RMV(i)_min denotes the lower boundary of that telemetry value obtained from normal flow statistics, and RMV(i)_max denotes its upper boundary obtained from normal flow statistics.
S5-2-6: Establish a dead-zone normal model of the telemetry values of the telemetry service. The telecontrol protocol of the power system requires a dead zone of 2‰ for telemetry data, that is, a telemetry value whose rate of change is within 2‰ is not transmitted upward; if an upward transmission of a telemetry value violates formula (13), the message is judged abnormal; otherwise, the current frame of flow data is judged normal flow, and step S1 continues with anomaly detection of the next frame of flow data.
Formula (13): telemetry dead-zone condition (equation image not reproduced)
Wherein RMV1(i) denotes the current value of the i-th telemetry, and RMV2(i) denotes the last transmitted telemetry value of the telemetry device that uploaded RMV1(i).
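To show how the service classification of step S5-1 and the telemetry model of steps S5-2-1 to S5-2-6 fit together, here is an added Python example (written for this page, not the patent's own code). The type-identification table and the COT, address-range and dead-zone values are those stated above; the per-type object sizes in TYP_BYTE follow the IEC 60870-5-101/104 ASDU definitions; the reserved-bit rule used for formula (10) and the "change relative to the previous value, spontaneous reports only" reading of formula (13) are this example's assumptions; the value bounds and messages are constructed.

```python
from dataclasses import dataclass, field

# Type identification -> telecontrol service, from the table in step S5-1 (hexadecimal)
SERVICE_BY_TYPE = {}
SERVICE_BY_TYPE.update({t: "telemetry" for t in (0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x15)})
SERVICE_BY_TYPE.update({t: "remote signaling" for t in (0x01, 0x03, 0x14)})
SERVICE_BY_TYPE.update({t: "remote control" for t in (0x2D, 0x2E, 0x3A, 0x3B)})

# TYP_BYTE of formula (11): bytes per information object (without the IOA) fixed by the
# type identification; sizes follow the IEC 60870-5-101/104 ASDU definitions.
TYP_BYTE = {0x09: 3, 0x0A: 6, 0x0B: 3, 0x0C: 6, 0x0D: 5, 0x0E: 8, 0x15: 2}

TELEMETRY_COT = {1, 2, 3, 20}    # period/cycle, background scan, burst, response to general call (8)
IOA_RANGE = (0x4001, 0x6000)     # formula (9)
QDS_RESERVED_MASK = 0x0E         # bits 1..3 of the quality descriptor are reserved; assumed rule for (10)
DEAD_ZONE = 0.002                # 2 per mille, formula (13)


@dataclass
class TelemetryObject:
    ioa: int
    value: float
    qds: int        # quality descriptor octet (OV, BL, SB, NT, IV flags)
    raw_len: int    # parsed length of the object in bytes, QU_BYTE(P_RM)_j


@dataclass
class TelemetryModel:
    """Normal-behaviour model for the telemetry service (S5-2-1 .. S5-2-6)."""
    value_bounds: dict                                # IOA -> (RMV_min, RMV_max) from normal traffic
    last_value: dict = field(default_factory=dict)    # IOA -> RMV2(i), last transmitted value

    def check(self, type_id, cot, objects):
        if SERVICE_BY_TYPE.get(type_id) != "telemetry":
            return [f"type {type_id:02X}H is not a telemetry type identification"]
        findings = []
        if cot not in TELEMETRY_COT:                                       # (8)
            findings.append(f"S5-2-1: COT {cot} not allowed for telemetry")
        for obj in objects:
            if not IOA_RANGE[0] <= obj.ioa <= IOA_RANGE[1]:                 # (9)
                findings.append(f"S5-2-2: IOA {obj.ioa:04X}H outside 4001H..6000H")
            if obj.qds & QDS_RESERVED_MASK:                                 # (10), assumed rule
                findings.append(f"S5-2-3: reserved quality bits set for IOA {obj.ioa:04X}H")
            if obj.raw_len != TYP_BYTE[type_id]:                            # (11)
                findings.append(f"S5-2-4: object length {obj.raw_len} != {TYP_BYTE[type_id]} for type {type_id:02X}H")
            lo, hi = self.value_bounds.get(obj.ioa, (float("-inf"), float("inf")))
            if not lo <= obj.value <= hi:                                   # (12)
                findings.append(f"S5-2-5: value {obj.value} for IOA {obj.ioa:04X}H outside [{lo}, {hi}]")
            prev = self.last_value.get(obj.ioa)
            # (13): a spontaneous report whose relative change stays inside the dead zone should
            # never have been sent (change measured against the previous value; assumption)
            if cot == 3 and prev not in (None, 0) and abs(obj.value - prev) / abs(prev) < DEAD_ZONE:
                findings.append(f"S5-2-6: change below the 2 per mille dead zone for IOA {obj.ioa:04X}H")
            self.last_value[obj.ioa] = obj.value
        return findings


def demo():
    """Constructed messages against constructed bounds (IOA 4001H is a 50 Hz frequency)."""
    model = TelemetryModel(value_bounds={0x4001: (45.0, 55.0)})
    r1 = model.check(0x0D, 3, [TelemetryObject(0x4001, 49.95, 0x00, 5)])   # first value: normal
    r2 = model.check(0x0D, 3, [TelemetryObject(0x4001, 49.96, 0x00, 5)])   # 0.02 % change: dead zone
    r3 = model.check(0x0D, 6, [TelemetryObject(0x7001, 60.0, 0x02, 3)])    # COT, IOA, QDS, length wrong
    return r1, r2, r3
```

Bounds and dead-zone state are kept per information object address, which is what makes the model stateful: the third message is caught by four field rules at once, while the second is caught only because the model remembers the first.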
Further, the step S5-3 includes:
S5-3-1: Establish a normal model of the transmission cause field of the remote signaling service. The transmission cause of the remote signaling service takes only the 3 values 01 (period, cycle), 03 (burst) and 20 (response to general call); if formula (14) is violated, the message is judged abnormal; otherwise, enter step S5-3-2.
COT(P_RS) ∈ {01, 03, 20} (14)
Wherein P_RS denotes a remote signaling message of the IEC 60870-5-104 protocol, and COT(P_RS) denotes the transmission cause field value of the message.
S5-3-2: Establish a normal model of the information object address field of the remote signaling service. The information object address of a remote signaling message lies between 0001H and 4000H; if formula (15) is violated, the message is judged abnormal; otherwise, enter step S5-3-3.
IOA(P_RS) ∈ [0001H, 4000H] (15)
Wherein IOA(P_RS) denotes the information object address of the message.
S5-3-3: Establish an association model between remote signaling type and quality for the remote signaling service. If the message is single-point remote signaling, the SPI bit of the quality descriptor takes only the two values 0 and 1; if formula (16) is violated, the message is judged abnormal; otherwise, enter step S5-3-4.
SPI(P_D-RS) ∈ {0, 1} (16)
Wherein P_D-RS denotes a single-point remote signaling message of the IEC 60870-5-104 protocol, and SPI(P_D-RS) denotes the value of the SPI bit of the message quality descriptor.
If the message is double-point remote signaling, the DPI bits of the quality descriptor take only the 4 values 0, 1, 2 and 3; if formula (17) is violated, the message is judged abnormal; otherwise, enter step S5-3-4.
DPI(P_S-RS) ∈ {0, 1, 2, 3} (17)
Wherein P_S-RS denotes a double-point remote signaling message of the IEC 60870-5-104 protocol, and DPI(P_S-RS) denotes the value of the DPI bits of the message quality descriptor.
S5-3-4: Establish a normal model of remote signaling shift logic for the remote signaling service. In normal communication, a remote signaling shift for the same information object address goes from on (0) to off (1) or from off (1) to on (0); if consecutive on (0) or consecutive off (1) states occur, that is, formula (18) is violated, the message is judged abnormal; otherwise, enter step S5-3-5.
RSV1(P_RS) ≠ RSV2(P_RS) (18)
Wherein RSV1(P_RS) and RSV2(P_RS) denote the remote signaling states of the current frame and of the previous frame of remote signaling data with the same information object address, respectively.
S5-3-5: Establish a normal threshold model of remote signaling shifts for the remote signaling service. Under normal conditions the power system runs in a stable state and the number of remote signaling shifts is small; if a large number of remote signaling shifts occurs within a short time, that is, formula (19) is violated, the message is judged abnormal; otherwise, the current frame of flow data is judged normal flow, and the method returns to step S1 to continue anomaly detection of the next frame of flow data.
RSV_SUM ≤ RSV_MAX (19)
Wherein t is the time period over which remote signaling shifts are counted, RSV_SUM is the total number of remote signaling shifts within time t, and RSV_MAX is the threshold number of remote signaling shifts within time t counted from normal flow.
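The remote signaling model of steps S5-3-1 to S5-3-5, as an added Python example (written for this page, not the patent's code). States are assumed to arrive already parsed from the SIQ/DIQ octet; the shift logic of formula (18) and the shift count of formula (19) are applied to spontaneous (burst, COT 03) reports only, since periodic and interrogation responses legitimately repeat the current state, which is this example's assumption; the window length, RSV_MAX and the event trace are constructed.

```python
from collections import deque

RS_COT = {1, 3, 20}                 # period/cycle, burst, response to general call (formula 14)
RS_IOA_RANGE = (0x0001, 0x4000)     # formula (15)
SINGLE_POINT_TYPES = {0x01, 0x14}   # M_SP_NA_1, M_PS_NA_1: SPI in {0, 1} (formula 16)
DOUBLE_POINT_TYPES = {0x03}         # M_DP_NA_1: DPI in {0, 1, 2, 3} (formula 17)


class RemoteSignalingModel:
    """Normal-behaviour model for the remote signaling service (S5-3-1 .. S5-3-5)."""

    def __init__(self, window_s, max_shifts):
        self.t, self.rsv_max = window_s, max_shifts   # t and RSV_MAX of formula (19)
        self.last_state = {}        # IOA -> last reported state, RSV2(P_RS) of formula (18)
        self.shift_times = deque()  # timestamps of spontaneous shifts inside the window

    def rsv_sum(self, now):
        """RSV_SUM: shifts seen in the last t seconds."""
        while self.shift_times and now - self.shift_times[0] > self.t:
            self.shift_times.popleft()
        return len(self.shift_times)

    def check(self, ts, type_id, cot, ioa, state):
        findings = []
        if cot not in RS_COT:
            findings.append(f"S5-3-1: COT {cot} not allowed for remote signaling")
        if not RS_IOA_RANGE[0] <= ioa <= RS_IOA_RANGE[1]:
            findings.append(f"S5-3-2: IOA {ioa:04X}H outside 0001H..4000H")
        if type_id in SINGLE_POINT_TYPES:
            if state not in (0, 1):
                findings.append(f"S5-3-3: SPI value {state} not in {{0, 1}}")
        elif type_id in DOUBLE_POINT_TYPES:
            if state not in (0, 1, 2, 3):
                findings.append(f"S5-3-3: DPI value {state} not in {{0, 1, 2, 3}}")
        else:
            findings.append(f"S5-3-3: type {type_id:02X}H is not a remote signaling type")
        # A spontaneous (burst) report announces a shift; periodic and interrogation
        # responses legitimately repeat the current state (assumption of this example).
        if cot == 3:
            prev = self.last_state.get(ioa)
            if prev is not None and prev == state:                        # formula (18)
                findings.append(f"S5-3-4: IOA {ioa:04X}H reported state {state} twice in a row")
            self.shift_times.append(ts)
            if self.rsv_sum(ts) > self.rsv_max:                            # formula (19)
                findings.append(f"S5-3-5: {len(self.shift_times)} shifts within {self.t}s exceed RSV_MAX={self.rsv_max}")
        self.last_state[ioa] = state
        return findings


def demo():
    """Constructed event trace: (timestamp, type, COT, IOA, state)."""
    model = RemoteSignalingModel(window_s=10.0, max_shifts=3)
    events = [
        (0.0, 0x01, 20, 0x0101, 0),   # interrogation response: baseline state
        (1.0, 0x01, 3, 0x0101, 1),    # genuine shift 0 -> 1
        (2.0, 0x01, 3, 0x0101, 1),    # same state again: violates (18)
        (3.0, 0x01, 3, 0x0102, 1),
        (4.0, 0x01, 3, 0x0103, 0),    # fourth shift within 10 s: violates (19)
        (5.0, 0x03, 3, 0x0104, 4),    # DPI out of range, and still too many shifts
    ]
    return [model.check(*e) for e in events]
```

The sliding window in rsv_sum is what turns the static threshold RSV_MAX into a rate: old shifts fall out of the deque as time advances, so a burst is flagged only while it is actually happening.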
Further, step S5-4 includes:
S5-4-1: Establish a normal model of the transmission cause field of the remote control service. The transmission cause of the remote control service takes only the values 06 (activation), 07 (activation confirmation), 08 (deactivation), 09 (deactivation confirmation) and 10 (activation termination); if formula (20) is violated, the message is judged abnormal; otherwise, enter step S5-4-2.
COT(P_RC) ∈ {06, 07, 08, 09, 10} (20)
Wherein P_RC denotes a remote control message of the IEC 60870-5-104 protocol, and COT(P_RC) denotes the transmission cause field value of the message.
S5-4-2: Establish a normal model of the information object address field of the remote control service. The information object address of a remote control message lies within [6001H, 6100H]; if formula (21) is violated, the message is judged abnormal; otherwise, enter step S5-4-3.
IOA(P_RC) ∈ [6001H, 6100H] (21)
Wherein IOA(P_RC) denotes the information object address of the message.
S5-4-3: Establish an association model between remote control type and quality for the remote control service. If the message is single-point remote control, the SPI bit of the quality descriptor takes only the two values 0 and 1; if formula (22) is violated, the message is judged abnormal; otherwise, enter step S5-4-4.
SPI(P_D-RC) ∈ {0, 1} (22)
Wherein P_D-RC denotes a single-point remote control message of the IEC 60870-5-104 protocol, and SPI(P_D-RC) denotes the value of the SPI bit of the message quality descriptor.
If the message is double-point remote control, the DPI bits of the quality descriptor take only the 4 values 0, 1, 2 and 3; if formula (23) is violated, the message is judged abnormal; otherwise, enter step S5-4-4.
DPI(P_S-RC) ∈ {0, 1, 2, 3} (23)
Wherein P_S-RC denotes a double-point remote control message of the IEC 60870-5-104 protocol, and DPI(P_S-RC) denotes the value of the DPI bits of the message quality descriptor.
S5-4-4: Establish a normal model of remote control execution logic for the remote control service. The normal remote control execution process is remote control selection, remote control selection confirmation, remote control execution and remote control execution confirmation; if the process differs from this, that is, formula (24) is violated, the message is judged abnormal; otherwise, enter step S5-4-5.
P_RC1 → P_RC2 → P_RC3 → P_RC4 (24)
Wherein P_RC1 denotes the remote control selection instruction, P_RC2 denotes the remote control selection confirmation instruction, P_RC3 denotes the remote control execution instruction, and P_RC4 denotes the remote control execution confirmation instruction.
S5-4-5: Establish a normal threshold model of remote control instructions for the remote control service. Under normal conditions the power system runs in a stable state and the number of remote control instructions is small; if a large number of remote control instructions occurs within a short time, that is, formula (25) is violated, the message is judged abnormal.
RCV_SUM ≤ RCV_MAX (25)
Wherein t is the time period over which remote control instructions are counted, RCV_SUM is the total number of remote control instructions within time t, and RCV_MAX is the threshold number of remote control instructions within time t counted from normal flow.
S5-4-6: Establish an association model between the remote control service and the remote signaling service. If a remote signaling change occurs while a remote control instruction is being executed, the remote control instruction must be stopped immediately; if it continues to execute, the message is judged abnormal.
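The remote control model of steps S5-4-1 to S5-4-6, as an added Python example (written for this page, not the patent's code). The select/execute sequence of formula (24) is tracked per information object address as a small state machine keyed by the cause of transmission and the select/execute flag; the interlock of step S5-4-6 is modelled by a signaling_shift() call that the remote signaling detector would make; the window, RCV_MAX and the command trace are constructed, and the command types are assumed to be the single/double commands with and without time tag.

```python
from collections import deque

RC_COT = {6, 7, 8, 9, 10}          # act, actcon, deact, deactcon, actterm (formula 20)
RC_IOA_RANGE = (0x6001, 0x6100)    # formula (21)
SINGLE_CMD_TYPES = {0x2D, 0x3A}    # C_SC_NA_1 / C_SC_TA_1: command state in {0, 1} (22)
DOUBLE_CMD_TYPES = {0x2E, 0x3B}    # C_DC_NA_1 / C_DC_TA_1: command state in {0, 1, 2, 3} (23)
# P_RC1 -> P_RC2 -> P_RC3 -> P_RC4 of formula (24) as (COT, select/execute flag) pairs:
# select, select confirmation, execute, execute confirmation
SEQUENCE = [(6, 1), (7, 1), (6, 0), (7, 0)]


class RemoteControlModel:
    """Normal-behaviour model for the remote control service (S5-4-1 .. S5-4-6)."""

    def __init__(self, window_s, max_commands):
        self.t, self.rcv_max = window_s, max_commands  # t and RCV_MAX of formula (25)
        self.progress = {}         # IOA -> index of the last accepted step of SEQUENCE
        self.interlocked = set()   # IOAs whose associated remote signaling shifted mid-command
        self.cmd_times = deque()   # timestamps of activation (COT 6) commands in the window

    def rcv_sum(self, now):
        """RCV_SUM: activation commands seen in the last t seconds."""
        while self.cmd_times and now - self.cmd_times[0] > self.t:
            self.cmd_times.popleft()
        return len(self.cmd_times)

    def signaling_shift(self, ioa):
        """S5-4-6: a remote signaling change while a command on this IOA is in progress
        must halt the command; any continuation of that command is then abnormal."""
        if ioa in self.progress:
            self.interlocked.add(ioa)

    def check(self, ts, type_id, cot, ioa, se, state):
        findings = []
        if cot not in RC_COT:
            findings.append(f"S5-4-1: COT {cot} not allowed for remote control")
        if not RC_IOA_RANGE[0] <= ioa <= RC_IOA_RANGE[1]:
            findings.append(f"S5-4-2: IOA {ioa:04X}H outside 6001H..6100H")
        if type_id in SINGLE_CMD_TYPES and state not in (0, 1):
            findings.append(f"S5-4-3: single command state {state} not in {{0, 1}}")
        elif type_id in DOUBLE_CMD_TYPES and state not in (0, 1, 2, 3):
            findings.append(f"S5-4-3: double command state {state} not in {{0, 1, 2, 3}}")
        if cot == 6:
            self.cmd_times.append(ts)
            if self.rcv_sum(ts) > self.rcv_max:
                findings.append(f"S5-4-5: {len(self.cmd_times)} commands in {self.t}s exceed RCV_MAX={self.rcv_max}")
        if cot in (8, 9):            # deactivation legitimately cancels a pending sequence
            self.progress.pop(ioa, None)
            self.interlocked.discard(ioa)
            return findings
        if ioa in self.interlocked:
            findings.append(f"S5-4-6: command on IOA {ioa:04X}H continued after a remote signaling shift")
            self.interlocked.discard(ioa)
        if cot == 10:                # activation termination may only follow a completed sequence
            if ioa in self.progress:
                findings.append(f"S5-4-4: activation termination before execute confirmation on IOA {ioa:04X}H")
                self.progress.pop(ioa)
            return findings
        expected = self.progress.get(ioa, -1) + 1
        step = SEQUENCE.index((cot, se)) if (cot, se) in SEQUENCE else None
        if step != expected:                                  # formula (24) violated
            findings.append(f"S5-4-4: step (COT {cot}, S/E {se}) out of order for IOA {ioa:04X}H")
            self.progress.pop(ioa, None)
        elif step == len(SEQUENCE) - 1:                       # P_RC4: sequence complete
            self.progress.pop(ioa, None)
        else:
            self.progress[ioa] = step
        return findings


def demo():
    """Constructed command trace: (timestamp, type, COT, IOA, S/E flag, state)."""
    model = RemoteControlModel(window_s=60.0, max_commands=5)
    results = []
    results.append(model.check(0.0, 0x2D, 6, 0x6001, 1, 1))    # select
    results.append(model.check(1.0, 0x2D, 7, 0x6001, 1, 1))    # select confirmation
    results.append(model.check(2.0, 0x2D, 6, 0x6001, 0, 1))    # execute
    results.append(model.check(3.0, 0x2D, 7, 0x6001, 0, 1))    # execute confirmation: complete
    results.append(model.check(10.0, 0x2D, 6, 0x6002, 0, 1))   # execute without select: (24)
    results.append(model.check(20.0, 0x2D, 6, 0x6003, 1, 0))   # new select ...
    results.append(model.check(21.0, 0x2D, 7, 0x6003, 1, 0))
    results.append(model.check(22.0, 0x2D, 6, 0x6003, 0, 0))   # ... executing
    model.signaling_shift(0x6003)                              # remote signaling shifts mid-command
    results.append(model.check(23.0, 0x2D, 7, 0x6003, 0, 0))   # continued anyway: S5-4-6
    results.append(model.check(24.0, 0x2D, 6, 0x6004, 1, 2))   # bad state and 6th command: (22), (25)
    return results
```

A deactivation (COT 08/09) is treated as the legitimate way to abandon a sequence, so an operator cancelling a selection is not an alert, whereas an execute that was never selected, or a confirmation that arrives after the associated signaling point has already changed, is.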
The invention relies on massive power industrial control flow data. It extracts the network layer information and the application layer message of the flow data, performs anomaly detection from the statistical characteristics of each network layer flow characteristic index, then parses the message field by field according to the protocol format to obtain the specific value of each field, and finally performs anomaly detection at the field characteristic layer and the service model layer of the application layer message, thereby accurately monitoring abnormal flow behavior of power industrial control and ensuring the safe and reliable operation of the power industrial control system.
Fig. 2 is a schematic structural diagram of an abnormal behavior monitoring system for industrial control flow of an electric power system according to an embodiment of the present invention, where the system is adapted to execute a method provided by any embodiment of the present invention, and includes: the system comprises a flow data acquisition module 100, a network layer flow characteristic anomaly detection module 200, an application layer message analysis module 300, a field characteristic-based anomaly detection module 400 and a service model-based anomaly detection module 500.
The flow data obtaining module 100 is configured to collect flow data in a mirror image manner, obtain a timestamp, source and destination IPs and byte numbers of the flow data, and extract an application layer message.
The network layer flow characteristic anomaly detection module 200 is configured to determine each flow characteristic index threshold according to normal flow data, and perform network layer flow characteristic anomaly detection on flow data acquired in real time according to the threshold.
The application layer message parsing module 300 is configured to parse the application layer message according to a protocol format to obtain a specific value of each field of the message.
The abnormality detection module 400 based on field characteristics is configured to perform abnormality detection on the application layer packet at the field characteristic level.
The anomaly detection module 500 based on the service model is configured to perform anomaly detection on the application layer packet at the service model level.
The output end of the traffic data acquisition module 100 is connected to the input end of the network layer traffic characteristic anomaly detection module 200, and is used for inputting the time stamp of the traffic data, the source and destination IP, the byte number and the extracted application layer message.
The output end of the network layer traffic characteristic abnormality detection module 200 is connected to the input end of the application layer message parsing module 300, and is used for inputting the application layer message of the frame traffic data.
The output end of the application layer message parsing module 300 is connected to the input end of the abnormality detection module 400 based on field characteristics, and is used for inputting the parsing result of the application layer message.
The output end of the field feature-based anomaly detection module 400 is connected to the input end of the business model-based anomaly detection module 500, and is used for inputting the analysis result of the application layer message.
As shown in fig. 3, further, the network layer traffic characteristic anomaly detection module 200 includes: the data acquisition unit 201, the network layer traffic characteristic index construction unit 202, the network layer traffic characteristic anomaly detection unit 203.
The output end of the data acquisition unit 201 is connected to the input end of the network layer traffic characteristic index construction unit 202, and is used for inputting the time stamp of the traffic data, the source and destination IP, the byte number and the application layer message.
The output end of the network layer traffic characteristic index construction unit 202 is connected to the input end of the network layer traffic characteristic abnormality detection unit 203, and is used for inputting the threshold value of the traffic characteristic index.
In one embodiment, the data acquisition unit 201 reads the source and destination IP and byte count of the traffic data together with the application layer message, and passes the read information to the network layer traffic characteristic index construction unit 202 and the network layer traffic characteristic anomaly detection unit 203.
The network layer traffic characteristic index construction unit 202 is configured to construct a network layer traffic characteristic index.
In one embodiment, the thresholds of all flow characteristic indices are counted from the normal flow data, and the unit passes these thresholds to the network layer traffic characteristic anomaly detection unit 203.
The network layer traffic characteristic anomaly detection unit 203 is configured to perform network layer traffic characteristic anomaly detection on the traffic data at the network layer.
In one embodiment, the flow characteristic indices are calculated for flow data acquired in real time and compared with the thresholds of those indices; if an index is larger than its threshold, an anomaly is judged. If there is no anomaly, the unit outputs the application layer message of the traffic data from the network layer traffic characteristic anomaly detection module 200; if there is an anomaly, the unit outputs the corresponding anomaly content from the module instead.
As shown in fig. 4, further, the anomaly detection module 400 based on field features includes: a data acquisition unit 401, a first detection unit 402, a second detection unit 403, a third detection unit 404, a fourth detection unit 405, and a fifth detection unit 406.
The output end of the data acquisition unit 401 is connected to the input end of the first detection unit 402, and is used for inputting an application layer message and an analysis result thereof.
The output end of the first detection unit 402 is connected to the input end of the second detection unit 403, the output end of the second detection unit 403 is connected to the input end of the third detection unit 404, the output end of the third detection unit 404 is connected to the input end of the fourth detection unit 405, and the output end of the fourth detection unit 405 is connected to the input end of the fifth detection unit 406.
In one embodiment, the data obtaining unit 401 reads an application layer message of the IEC 60870-5-104 protocol and its analysis result in the traffic data, and the unit transfers the read information to the first detecting unit 402, the second detecting unit 403, the third detecting unit 404, the fourth detecting unit 405, and the fifth detecting unit 406.
The first detecting unit 402 is configured to detect whether the theoretical length of the message is equal to the actual length of the message, and if not, determine that the message is abnormal.
The second detecting unit 403 is configured to detect whether the actual message length exceeds the maximum message length specified by the IEC 60870-5-104 protocol, and if so, determine that the message is abnormal.
The third detecting unit 404 is configured to detect whether the type identifier and the transmission reason field of the message are within a protocol specified range, and if the type identifier and the transmission reason field are out of the protocol specified range, determine that the message is abnormal.
The fourth detecting unit 405 is configured to detect whether the lowest bit [ bit0] of the message control field 1 is 1, and whether the lowest bit [ bit0] of the control field 3 is 1, and if not, determine that the message is abnormal.
The fifth detecting unit 406 is configured to detect whether a U-frame message is abnormal. A U-frame has three functions, test, stop and start, and only one of them may be present in a single U-frame; if more than one of the three functions is set in control field 1, or the field values of control field 2 and control field 4 are not 0, the message is judged abnormal.
As shown in fig. 5, further, the anomaly detection module 500 based on the service model includes: a data acquisition unit 501, a first detection unit 502, a second detection unit 503, and a third detection unit 504.
The output end of the data acquisition unit 501 is connected to the input end of the first detection unit 502, and is used for inputting a specific telecontrol service to which the message belongs.
The output end of the first detection unit 502 is connected to the input end of the second detection unit 503, and the output end of the second detection unit 503 is connected to the input end of the third detection unit 504.
In one embodiment, the data acquisition unit 501 obtains the specific telecontrol service to which the message belongs, and passes the read information to the first detection unit 502, the second detection unit 503 and the third detection unit 504.
The first detecting unit 502 is configured to detect an abnormal situation occurring in the telemetry service.
In one embodiment, the characteristics of the telemetry service are analyzed according to the IEC 60870-5-104 protocol, a normal service behavior model is established and anomaly detection is performed against it; if the model is not met, an anomaly is judged, and the unit outputs the anomaly result from the service-model-based anomaly detection module 500.
The second detecting unit 503 is configured to detect an abnormal situation occurring in the remote signaling service.
In one embodiment, the characteristics of the remote signaling service are analyzed according to the IEC 60870-5-104 protocol, a normal service behavior model is established and anomaly detection is performed against it; if the model is not met, an anomaly is judged, and the unit outputs the anomaly result from the service-model-based anomaly detection module 500.
The third detecting unit 504 is configured to detect an abnormal situation occurring in the remote control service.
In one embodiment, the characteristics of the remote control service are analyzed according to the IEC 60870-5-104 protocol, a normal service behavior model is established and anomaly detection is performed against it; if the model is not met, an anomaly is judged, and the unit outputs the anomaly result from the service-model-based anomaly detection module 500.

Claims (4)

1. The method for detecting the abnormal industrial control flow of the power system is characterized by comprising the following steps of:
S1, capturing an industrial control flow data packet of an electric power system in real time, acquiring a time stamp, a source IP, a destination IP and a byte number of the current frame of flow data, and extracting an application layer message;
s2, calculating a network layer flow characteristic index threshold according to the normal flow data, calculating a network layer flow characteristic index according to the flow data time stamp, the source IP, the destination IP and the byte number obtained in the step S1, judging that the flow data is abnormal if a certain flow characteristic index is larger than a corresponding threshold, and otherwise, entering the step S3;
s3, analyzing each field in an application protocol control unit and an application service data unit of the message according to the protocol of the message to which the application layer message extracted in the step S1 belongs, and obtaining a message length field, message control fields 1-4, a type identifier and a specific numerical value of a transmission reason;
S4, carrying out abnormality detection on the corresponding field characteristics according to the specific values of the message length field, the control domain 1-4 field, the type identifier and the transmission reason after the analysis in the step S3, and judging that the message is abnormal if the associated field of the message does not accord with the normal service logic or the value of a single field exceeds the protocol specified range;
s5, establishing a normal business behavior model of telemetry, remote signaling and remote control business, carrying out abnormal detection on the analyzed message based on the business model, and judging that the message is abnormal if the message does not accord with the normal business behavior model;
the specific implementation process of the step S5 comprises the following steps:
if the message is a telemetry service, analyzing the characteristics of the telemetry service according to IEC 60870-5-104 protocol, establishing a normal service behavior model, performing anomaly detection according to the established normal service behavior model, and if the message does not accord with the normal service behavior model, judging that the message is abnormal;
if the message is a remote signaling service, analyzing the characteristics of the remote signaling service according to IEC 60870-5-104 protocol, establishing a normal service behavior model, performing anomaly detection according to the established normal service behavior model, and if the message does not accord with the normal service behavior model, judging that the message is abnormal;
if the message is a remote control service, analyzing the characteristics of the remote control service according to IEC 60870-5-104 protocol, establishing a normal service behavior model, performing anomaly detection according to the established normal service behavior model, and if the message does not accord with the normal service behavior model, judging that the message is abnormal;
if the message is a telemetry service, analyzing the characteristics of the telemetry service according to IEC 60870-5-104 protocol, establishing a normal service behavior model, performing anomaly detection according to the established normal service behavior model, and if the message does not accord with the normal service behavior model, determining that the message is abnormal comprises the following specific implementation processes:
I) If the formula COT(P_RM) ∈ {01, 02, 03, 20} does not hold, the message is judged abnormal; otherwise, enter step II); wherein P is an application layer message of the flow data, P_RM denotes a telemetry message of the IEC 60870-5-104 protocol, and COT(P_RM) denotes the transmission cause field value of the message; 01 denotes period and cycle; 02 denotes background scan; 03 denotes burst; 20 denotes response to general call;
II) If the formula IOA(P_RM) ∈ [4001H, 6000H] does not hold, the message is judged abnormal; otherwise, enter step III); wherein IOA(P_RM) denotes the information object address of the message, and H denotes a hexadecimal value;
III) If the quality descriptor flag logic formula (equation image not reproduced) does not hold, the message is judged abnormal; otherwise, enter step IV); wherein QU(P_RM) denotes the quality descriptor of the telemetry message, OV denotes the overflow flag of the quality descriptor, IV denotes the valid flag of the quality descriptor, SB denotes the replacement flag of the quality descriptor, and NT denotes the refresh flag of the quality descriptor;
IV) If the formula TYP_BYTE(P_RM) = QU_BYTE(P_RM)_j, j = 1, 2, …, m does not hold, the message is judged abnormal; otherwise, enter step V); wherein TYP_BYTE(P_RM) denotes the number of bytes per information object implied by the type identification, QU_BYTE(P_RM)_j denotes the data length of the j-th information object, and m denotes the number of information objects in the message;
V) If the formula RMV(i) ∈ [RMV(i)_min, RMV(i)_max] does not hold, the message is judged abnormal; otherwise, enter step VI); wherein RMV(i) denotes the i-th telemetry value, RMV(i)_min denotes the lower boundary of the telemetry value obtained from normal flow statistics, and RMV(i)_max denotes the upper boundary of the telemetry value obtained from normal flow statistics;
VI) If the telemetry dead-zone formula (equation image not reproduced) does not hold, the message is judged abnormal; otherwise, the current frame of flow data is judged normal flow, and the method returns to step S1 to continue anomaly detection of the next frame of flow data; wherein RMV1(i) denotes the current value of the i-th telemetry, and RMV2(i) denotes the last transmitted telemetry value of the telemetry device that uploaded RMV1(i);
if the message is a remote signaling service, analyzing the characteristics of the remote signaling service according to IEC 60870-5-104 protocol, establishing a normal service behavior model, performing anomaly detection according to the established normal service behavior model, and if the message does not accord with the normal service behavior model, determining that the message is abnormal comprises the following specific implementation processes:
i) If the formula COT(P_RS) ∈ {01, 02, 20} does not hold, the message is judged abnormal; otherwise, enter step ii); wherein P_RS denotes a remote signaling message of the IEC 60870-5-104 protocol, and COT(P_RS) denotes the transmission cause field value of the message; 01 denotes period and cycle; 02 denotes background scan; 20 denotes response to general call;
ii) If the formula IOA(P_RS) ∈ [0001H, 4000H] does not hold, the message is judged abnormal; otherwise, enter step iii); wherein IOA(P_RS) denotes the information object address of the message;
iii) If the formula SPI(P_D-RS) ∈ {0, 1} does not hold, the message is judged abnormal; otherwise, enter step iv); wherein P_D-RS denotes a single-point remote signaling message of the IEC 60870-5-104 protocol, and SPI(P_D-RS) denotes the value of the SPI bit of the message quality descriptor;
iv) If the formula DPI(P_S-RS) ∈ {0, 1, 2, 3} does not hold, the message is judged abnormal; otherwise, enter step v); wherein P_S-RS denotes a double-point remote signaling message of the IEC 60870-5-104 protocol, and DPI(P_S-RS) denotes the value of the DPI bits of the message quality descriptor;
v) if the formula
Figure FDA0003972113020000036
does not hold, the message is judged abnormal; otherwise proceed to step vi); wherein RSV1(P_RS) and RSV2(P_RS) represent, respectively, the remote signaling state of the current remote signaling data frame and of the previous frame with the same information object address;
vi) if the formula
Figure FDA0003972113020000041
does not hold, the message is judged abnormal; otherwise the current frame of flow data is judged normal flow and the method returns to step S1 to continue anomaly detection on the next frame of flow data; wherein t is the time period over which remote signaling displacements are counted, RSV_SUM is the total number of remote signaling displacements within time t, and RSV_MAX is the remote signaling displacement threshold within time t, counted from normal flow;
if the message is a remote control service, analyzing the characteristics of the remote control service according to the IEC 60870-5-104 protocol, establishing a normal service behavior model, performing anomaly detection against the established model, and judging the message abnormal if it does not conform to the model, is implemented as follows:
a) if the formula
Figure FDA0003972113020000042
does not hold, the message is judged abnormal; otherwise proceed to step b); wherein P_RC represents a remote control message of the IEC 60870-5-104 protocol and COT(P_RC) represents the transmission cause field value of the message; 06 denotes activation, 07 activation confirmation, 08 deactivation, 09 deactivation confirmation, and 10 activation termination;
b) if the formula
Figure FDA0003972113020000043
does not hold, the message is judged abnormal; otherwise proceed to step c); wherein IOA(P_RC) represents the information object address of the message;
c) if the formula
Figure FDA0003972113020000044
does not hold, the message is judged abnormal; otherwise proceed to step d); wherein P_D-RC represents a single-point remote control message of the IEC 60870-5-104 protocol and SPI(P_D-RC) represents the value of the SPI bit of the message quality descriptor; if the formula
Figure FDA0003972113020000045
does not hold, the message is judged abnormal; otherwise proceed to step d); wherein P_S-RC represents a double-point remote control message of the IEC 60870-5-104 protocol and DPI(P_S-RC) represents the value of the DPI bits of the message quality descriptor;
d) if the formula P_RC1 → P_RC2 → P_RC3 → P_RC4 does not hold, the message is judged abnormal; otherwise proceed to step e); wherein P_RC1 represents a remote control selection instruction, P_RC2 a remote control selection confirmation instruction, P_RC3 a remote control execution instruction, and P_RC4 a remote control execution confirmation instruction;
e) if the formula
Figure FDA0003972113020000051
does not hold, the message is judged abnormal; otherwise proceed to step f); wherein t is the time period over which remote control instructions are counted, RCV_SUM is the total number of remote control instructions within time t, and RCV_MAX is the threshold for the number of remote control instructions within time t, counted from normal flow;
f) if a remote signaling displacement occurs while a remote control instruction is being executed, execution of the remote control instruction is stopped immediately; if the remote control instruction continues to be executed, the message is judged abnormal.
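The remote control checks a), b), d) and e) above can be run as one stateful monitor over decoded frames; the window counter in step e) has the same shape as the displacement counter of step vi). This is an added example, not the patent's own code: the mapping of P_RC1..P_RC4 onto COT 06/07 with and without the select/execute flag, the allowed IOA set, the thresholds and the traffic trace are all constructed assumptions.

```python
from collections import deque

# Causes of transmission the claim lists for remote control (step a)
COT_ACT, COT_ACTCON, COT_DEACT, COT_DEACTCON, COT_ACTTERM = 6, 7, 8, 9, 10
ALLOWED_COT = {COT_ACT, COT_ACTCON, COT_DEACT, COT_DEACTCON, COT_ACTTERM}
# Assumed mapping of (COT, select flag) onto P_RC1..P_RC4; deactivation/termination are outside the chain
STEP_OF = {(COT_ACT, True): 1, (COT_ACTCON, True): 2, (COT_ACT, False): 3, (COT_ACTCON, False): 4}

class RemoteControlMonitor:
    def __init__(self, allowed_ioa, rcv_max, window_s):
        self.allowed_ioa = set(allowed_ioa)   # IOA set learned from normal flow (assumed)
        self.rcv_max, self.window = rcv_max, window_s
        self.expected = {}                    # per IOA: next expected step 1..4
        self.times = deque()                  # command timestamps inside window t

    def check(self, ts, ioa, cot, select):
        """Return None when the frame fits the normal model, else the reason it fails."""
        if cot not in ALLOWED_COT:
            return "cot not in {06,07,08,09,10}"          # step a)
        if ioa not in self.allowed_ioa:
            return "ioa not in normal model"              # step b)
        step = STEP_OF.get((cot, select))
        if step is not None:                              # step d): P_RC1 -> ... -> P_RC4
            want = self.expected.get(ioa, 1)
            if step != want:
                self.expected[ioa] = 1
                return f"sequence break: got P_RC{step}, expected P_RC{want}"
            self.expected[ioa] = 1 if step == 4 else step + 1
        self.times.append(ts)                             # step e): RCV_SUM over window t
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()
        if len(self.times) > self.rcv_max:
            return "RCV_SUM exceeds RCV_MAX in window t"
        return None

def demo():
    """Constructed trace: one clean select/execute chain, then three abnormal frames."""
    mon = RemoteControlMonitor(allowed_ioa={1, 2}, rcv_max=4, window_s=10.0)
    trace = [(0.0, 1, 6, True), (0.1, 1, 7, True), (0.2, 1, 6, False), (0.3, 1, 7, False),
             (1.0, 2, 6, False),    # execute with no prior select on this IOA
             (2.0, 3, 6, True),     # IOA outside the normal model
             (3.0, 1, 20, False)]   # COT 20 is not a remote control cause
    return [mon.check(*f) for f in trace]

def demo_rate():
    """Constructed burst: three commands within 2 s against RCV_MAX = 2."""
    mon = RemoteControlMonitor(allowed_ioa={1}, rcv_max=2, window_s=10.0)
    return [mon.check(*f) for f in [(0.0, 1, 6, True), (1.0, 1, 7, True), (2.0, 1, 6, False)]]
```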
2. The method for detecting abnormal industrial control flow of an electric power system according to claim 1, wherein in step S2 the maximum value of each flow characteristic index within unit time is used as the network flow characteristic index threshold; the flow characteristic indexes comprise source IP information entropy, destination IP information entropy, number of large packets, number of small packets, flow mean, flow variance, average flow and peak flow.
3. The method for detecting abnormal industrial control flow of an electric power system according to claim 1, wherein step S4 is implemented as follows:
1) For an IEC 60870-5-104 protocol message captured in real time, detect whether the theoretical length of the message equals its actual length; if not, the IEC 60870-5-104 protocol message is judged abnormal, otherwise proceed to step 2);
2) Detect whether the actual length of the message exceeds the maximum message length specified by the IEC 60870-5-104 protocol; if so, the IEC 60870-5-104 protocol message is judged abnormal, otherwise proceed to step 3);
3) Detect whether the type identifier and the transmission cause field values of the IEC 60870-5-104 protocol message are within the range specified by the protocol; if not, the IEC 60870-5-104 protocol message is judged abnormal, otherwise proceed to step 4);
4) Detect whether the lowest bit [bit0] of control field 1 of the message is 1 and whether the lowest bit [bit0] of control field 3 is 1; if not, the IEC 60870-5-104 protocol message is judged abnormal, otherwise proceed to step 5);
5) Detect whether a U-frame message of the IEC 60870-5-104 protocol is abnormal, where a U-frame message carries the test, stop and start functions; the U-frame message is judged abnormal if more than one of the three functions is set in control field 1, or if the field values of control field 2 and control field 4 are not 0.
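Steps 1), 2), 3) and 5) above applied to a raw APDU, as an added example that is not the patent's own code; step 4) is not implemented here. The type identifier and cause-of-transmission ranges are the IEC 60870-5-101/104 table ranges as this example's author reads them, and the sample frames are constructed.

```python
START = 0x68
MAX_APDU_LENGTH = 253   # largest value the APDU length octet may take in IEC 60870-5-104
# Type identifiers and causes of transmission treated as "in range" for step 3)
KNOWN_TYPE_IDS = (set(range(1, 22)) | set(range(30, 41)) | set(range(45, 52)) | set(range(58, 65))
                  | {70} | set(range(100, 108)) | set(range(110, 114)) | set(range(120, 128)))
KNOWN_COTS = set(range(1, 14)) | set(range(20, 42)) | {44, 45, 46, 47}
# U-format function bits of control field octet 1, used in step 5)
U_FUNCTIONS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
               0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}

def check_apdu(frame: bytes):
    """Apply steps 1), 2), 3) and 5) to one APDU; None means it passes, else the reason."""
    if len(frame) < 6 or frame[0] != START:
        return "no APCI"
    length = frame[1]                                   # theoretical length = length octet
    if length != len(frame) - 2:                        # step 1): actual = bytes after start+length
        return f"length mismatch: field {length}, actual {len(frame) - 2}"
    if length > MAX_APDU_LENGTH:                        # step 2)
        return "exceeds maximum APDU length"
    c1, c2, _c3, c4 = frame[2:6]
    if c1 & 0x03 == 0x03:                               # U format: low two bits are 11
        funcs = [n for bit, n in U_FUNCTIONS.items() if c1 & bit]
        if len(funcs) != 1 or c2 != 0 or c4 != 0:       # step 5): one function, fields 2 and 4 zero
            return "malformed U frame"
        return None
    if c1 & 0x01:                                       # S format: APCI only, no ASDU
        return None if length == 4 else "S frame with payload"
    if length < 4 + 6:                                  # I format needs a 6-octet ASDU header
        return "I frame without ASDU header"
    type_id, cot = frame[6], frame[8] & 0x3F            # step 3): cause is the low 6 bits
    if type_id not in KNOWN_TYPE_IDS or cot not in KNOWN_COTS:
        return f"type id {type_id} / cot {cot} out of range"
    return None

def demo():
    """Constructed frames: STARTDT act, a U frame with two functions set, a single-command
    I frame (type 45, COT 06), and the same I frame truncated so its length octet disagrees."""
    frames = [bytes.fromhex("680407000000"), bytes.fromhex("680447000000"),
              bytes.fromhex("680e000000002d010600010001000081"),
              bytes.fromhex("680e000000002d0106")]
    return [check_apdu(f) for f in frames]
```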
4. A computer system comprising a memory, a processor, and a computer program stored in the memory, characterized in that the processor executes the computer program to carry out the steps of the method according to any one of claims 1 to 3.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111311047.6A CN114124478B (en) 2021-11-08 2021-11-08 Method and system for detecting abnormal industrial control flow of power system

Publications (2)

Publication Number Publication Date
CN114124478A CN114124478A (en) 2022-03-01
CN114124478B true CN114124478B (en) 2023-05-09

Family

ID=80381074

Country Status (1)

Country Link
CN (1) CN114124478B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760103B (en) * 2022-03-21 2023-10-31 广州大学 Industrial control system abnormality detection system, method, equipment and storage medium
CN114938287B (en) * 2022-04-02 2023-09-05 湖南大学 Power network abnormal behavior detection method and device integrating service characteristics
CN116318872B (en) * 2023-02-13 2023-10-27 山东云天安全技术有限公司 Method for determining abnormal session through message, electronic equipment and storage medium
CN116112271B (en) * 2023-02-13 2024-02-20 山东云天安全技术有限公司 Session data processing method, electronic equipment and storage medium
CN115955414B (en) * 2023-03-13 2023-05-23 广东电网有限责任公司佛山供电局 Remote control abnormality analysis method and related device for distribution network automation terminal
CN117118709A (en) * 2023-08-25 2023-11-24 国网山东省电力公司泰安供电公司 Abnormal flow early warning method, system, equipment and medium for electric power system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106982235A (en) * 2017-06-08 2017-07-25 江苏省电力试验研究院有限公司 A kind of power industry control network intrusion detection method and system based on IEC 61850
CN109167796A (en) * 2018-09-30 2019-01-08 浙江大学 A kind of deep-packet detection platform based on industrial SCADA system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281293A (en) * 2013-03-22 2013-09-04 南京江宁台湾农民创业园发展有限公司 Network flow rate abnormity detection method based on multi-dimension layering relative entropy
CN104486101B (en) * 2014-11-28 2018-03-06 国家电网公司 A kind of online power remote IEC104 transmission abnormality detection methods
WO2017093783A1 (en) * 2015-12-01 2017-06-08 Radiflow Ltd. Network security agent
CN110401624A (en) * 2018-04-25 2019-11-01 全球能源互联网研究院有限公司 Detection method and system for interactive message anomalies of a source-network-load system
CN111163043B (en) * 2018-11-08 2023-03-21 全球能源互联网研究院有限公司 Deep analysis method and system for real-time interactive protocol of source-network-load system

Also Published As

Publication number Publication date
CN114124478A (en) 2022-03-01

Similar Documents

Publication Publication Date Title
CN114124478B (en) Method and system for detecting abnormal industrial control flow of power system
US11343116B2 (en) Method and system for detecting and defending against abnormal traffic of in-vehicle network based on information entropy
CN105429977B (en) Deep packet inspection device abnormal flow monitoring method based on comentropy measurement
CN106656627A (en) Performance monitoring and fault positioning method based on service
CN110324323B (en) New energy plant station network-related end real-time interaction process anomaly detection method and system
CN114362368B (en) Intelligent substation network flow abnormal behavior monitoring method and system
CN111478893B (en) Detection method for slow HTTP attack
Dong et al. Research on abnormal detection of ModbusTCP/IP protocol based on one-class SVM
CN115776449B (en) Train Ethernet communication state monitoring method and system
CN114444096B (en) Network data storage encryption detection system based on data analysis
CN117560196A (en) Intelligent substation secondary system testing system and method
CN115766471B (en) Network service quality analysis method based on multicast flow
CN114938287B (en) Power network abnormal behavior detection method and device integrating service characteristics
CN114785617B (en) 5G network application layer anomaly detection method and system
CN114825607A (en) Attack behavior monitoring method and device for relay protection information processing system
CN106385384B (en) Message sending method and network equipment
CN115333849A (en) Computer network safety intrusion detection system
CN112637118A (en) Flow analysis implementation method based on internal and external network drainage abnormity
CN116820896B (en) Physical signal-based non-invasive industrial control terminal abnormality detection method
CN111651326B (en) Block chain-based distributed data management system and method
CN108322362A (en) Monitoring method, electronic equipment and the storage medium of service transmission quality in a kind of transmission network
CN113783710B (en) Process layer network fault positioning method and device based on self-learning criteria
CN114363944B (en) Equipment communication performance test system based on C-V2X and test method thereof
CN113890814B (en) Fault perception model construction and fault perception method and system, equipment and medium
CN112636461B (en) Remote restart method and system for fault recorder

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant