CN115296830B - Network collaborative attack modeling and hazard quantitative analysis method based on game theory - Google Patents


Info

Publication number
CN115296830B
Authority
CN
China
Prior art keywords
attack
network
data
power distribution
active power
Legal status
Active
Application number
CN202210593965.0A
Other languages
Chinese (zh)
Other versions
CN115296830A (en)
Inventor
葛辉
岳东
丁磊
解相朋
邓松
刘程子
葛愿
林达
Current Assignee
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications


Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
    • H04L43/02 Capturing of monitoring data
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention provides a network collaborative attack modeling and hazard quantitative analysis method based on game theory, which solves the problems of modeling, quantitative calculation and response for network attack behaviors aimed at data services. First, an active distribution network security control integrated model is established, depicting the cyber-physical space of the active distribution network; then network attacks are detected, analyzed and quantified; finally, the threats present in the system and the cost of the system's response are evaluated through game theory and the response strategy is adjusted in time, so as to resist network collaborative attacks. The method has the characteristics of short response time, strong targeting, high attack model precision and the like.

Description

Network collaborative attack modeling and hazard quantitative analysis method based on game theory
Technical Field
The invention discloses a network collaborative attack modeling and hazard quantitative analysis method based on game theory, mainly used to solve the problems of network attack modeling and defense strategy for the active distribution network; it belongs to the field of computer security.
Background
An active distribution network is a distribution network that contains distributed energy resources and has active control and operation capabilities. The distributed energy resources comprise various forms of distributed generation, distributed energy storage, electric vehicle charging and battery-swapping facilities, and demand response resources (controllable loads) connected to the distribution network. The core of the active distribution network is to move distributed renewable energy from passive absorption to active guidance and active utilization. With this technology the distribution network changes from a traditional passive grid into an active distribution network that can be regulated according to the actual operating state of the grid and that participates in grid operation and control. Its main characteristics are faster response, better network visibility and flexibility, higher power quality and higher supply reliability. With the continuing spread and development of computer networks, attacks on active distribution networks are becoming increasingly rampant, and the network collaborative attack is a typical approach among them. The network collaborative attack is an evolving attack technique that has emerged with the development of network technology and the wide use of network applications. In particular, network attack platforms typified by botnets have appeared; their command and control mechanism serves as the core foundation of the collaboration, so that widely distributed infected hosts can adopt a more flexible and intelligent collaboration mode to carry out large-scale malicious actions and achieve the attack's purpose.
Unlike traditional attack events, the distributed collaborative attack is efficient, robust and concealed, which poses great challenges to detection and defense technologies. Traditional means of defending against collaborative attacks, such as firewalls, IDS and vulnerability scanning, are isolated single measures and can hardly cope with the challenge of the collaborative attack, so modeling and hazard quantitative analysis methods for the network collaborative attack become very important.
The traditional defense scheme is a passive defense technology: it cannot effectively monitor activities in the active distribution network, has no active defense capability, lacks adaptive response to network attacks, and cannot prevent the increasingly serious network security threats.
Disclosure of Invention
Technical problem: the invention aims to provide a network collaborative attack modeling and hazard quantitative analysis method based on game theory that solves the problems of modeling, quantitative calculation and response for network attacks aimed at data services.
According to the invention, the collaborative attack is first modeled in an integrated way, the model is then evaluated quantitatively, and finally the response strategy is adjusted according to the loss evaluation and the response cost analysis, so as to resist the network collaborative attack.
The network collaborative attack modeling and hazard quantitative analysis method based on game theory mainly needs to address three problems: (1) how to construct an active distribution network security control integrated model that incorporates network attacks, clearly depicting the complex and dynamic characteristics of the active distribution network system, namely the intersection of information and physical space and its dynamic changes; (2) how to establish a method for detecting, analyzing and quantifying the network collaborative attack; (3) how the system should respond, according to the Nash equilibrium solution, so that the impact of an attack on data services in the active distribution network is minimized. Accordingly, the method can effectively evaluate the potential influence of an attack on the data service of the active distribution network when the system is attacked, and then adjust the response strategy according to the loss evaluation and the response cost.
The technical scheme is as follows:
Based on the above considerations, the invention provides a network collaborative attack modeling and hazard quantitative analysis method based on game theory, which comprises the following steps:
step one, constructing a hybrid integrated model that incorporates network attacks against the active distribution network
For the active distribution network system, a hybrid integrated model incorporating network attacks is constructed with a finite state machine method. The hybrid integrated model is a network collaborative attack dynamic combination model: the influence of network attack behaviors is detected and identified by collecting and analyzing network attack data, and the network collaborative attack behaviors are decoupled through data cleaning and data association;
step two, quantifying the risk generated by network attack behaviors
Attack detection is performed on the basis of the network collaborative attack behavior features extracted while the active distribution network system is running, and the influence of the corresponding network attack behavior is calculated, so as to complete the analysis of the network collaborative attack situation;
step three, responding to network attack behaviors by constructing a security attack-defense game model
A zero-sum dynamic game method is adopted: a security attack-defense game model is constructed from the game conditions of the attacking and defending parties by refining Bayesian equilibrium, and the corresponding network collaborative attack behaviors are responded to by solving the Nash equilibrium solutions of that model, so that the influence of the network collaborative attack behaviors on the data service of the active distribution network system is minimized; whether an alarm is required is determined from the Nash equilibrium solutions obtained, and the abnormal data fused with network attack behaviors are screened out, removed and corrected;
step four, screening out, eliminating and correcting abnormal data fused with network attack behaviors
After the Nash equilibrium solution obtained in step three determines that an alarm is required, the abnormal data fused with network attack behaviors are screened out and eliminated with a density-based clustering method, and corrected.
Preferably, in step one, the hybrid integrated model is constructed by the following steps:
step 1.1: data sampling; define $\Delta t_l$, $l \in \{1, 2, \ldots, m\}$, as the data sampling interval of the corresponding state $l$ in the active distribution network system; go to step 1.2;
step 1.2: take $\Delta t$ as the greatest common factor of the sampling periods $\{\Delta t_1, \Delta t_2, \ldots, \Delta t_n\}$ of the different system parameters and states, and use it to obtain the synchronization time within a finite time period of the heterogeneous/synchronous bimodal hybrid system; go to step 1.3;
step 1.3: when a network attack occurs in the active distribution network system, switching is performed with the fast-changing signal (short sampling period, high sampling frequency) as the primary signal, following the nearby principle; go to step 1.4;
step 1.4: the influence of the network attack is defined as an uncertain variable $\Delta$, and this randomly and dynamically changing component is fused into the 'discrete-continuous' hybrid active distribution network system to form the hybrid integrated model incorporating network attacks.
Preferably, the hybrid integrated model incorporating network attacks is as follows:
where $x_i(t)$ is the continuous system state of continuous-time variable $i$ as a function of time $t$, and $S_1$ is the set of continuous-time variables $i$; $x_j(t)$ is the discrete system state of discrete-time variable $j$ as a function of time $t$, $j \in S_2$, and $S_2$ is the set of discrete-time variables $j$; $S$ is the set comprising the continuous-time variables $i$ and the discrete-time variables $j$; $\omega_i(t)$ and $\omega_j(t)$ are the disturbances of the continuous and the discrete system, and $\Delta_i(t)$ and $\Delta_j(t)$ are the network attack influence components of the continuous and the discrete system, respectively; $A_i$, $B_i$ and $D_i$ are the coefficient matrices of the continuous system state, the continuous system disturbance and the network attack influence component in the continuous system, respectively; $A_j$, $B_j$ and $D_j$ are the coefficient matrices of the discrete system state, the discrete system disturbance and the network attack influence component in the discrete system, respectively.
Preferably, in step two, quantifying the risk generated by network attack behaviors comprises the following steps:
step 2.1: define the probability that component $i$ of the active distribution network system is hit by network attack $a$ as $\rho_{ia}$ and its impact on system security as $\pi_{ia}$, and compute the risk quantification $V_i$ of component $i$, which may be subject to network attacks, as follows:
step 2.2: from the risk quantifications $V_i$ obtained in step 2.1, compute the security risk quantification $V$ that the whole system may face:
where $\gamma_i$ is the weight of component $i$ of the active distribution network among the components $[1, n]$.
Preferably, in step three, the security attack-defense game model is constructed, and responds to network attack behaviors, as follows:
step 3.1: define the distribution network security attack-defense game model $G = (P, Z, \Theta, S)$, where:
$P = (P_A, P_D)$ is the set of participants, attacker and defender, with $P_A$ the attacker and $P_D$ the defender;
$Z = \{z_0, z_1, \ldots, z_N\}$ is the set of network security states;
$\Theta$, indexed by $i = 0, 1, 2, \ldots, N$, is the set of strategy sets of the two parties; its attacker and defender components are the sets of all possible strategies of the attacker and of the defender, respectively, when the system is about to reach security state $z_i$;
$S$, indexed by $i = 0, 1, 2, \ldots, N$, is the set of utility functions of the two game parties;
step 3.2: define the probability distributions corresponding to the attacker's and the defender's strategy sets on reaching security state $z_i$, respectively, as:
where $j = 1, 2, \ldots, M$ and $k = 1, 2, \ldots, N$;
step 3.3: for reaching security state $z_i$, write the expected payoff functions of both the attacker and the defender;
step 3.4: obtain the optimal control strategy against moderate risk with a nonlinear programming method, and finally the Nash equilibrium solution;
step 3.5: decide whether the system issues an alarm on the basis of the Nash equilibrium solution.
Preferably, in step four, screening out and eliminating the abnormal data fused with network attack behaviors and correcting them comprises the following steps:
step 4.1: initialize the data set $D$ acquired in the data service and mark all objects as unread; define the $\varepsilon$-neighborhood by the Minkowski distance, $N_\varepsilon(x_c) = \{x_d \in D \mid \mathrm{dist}(x_c, x_d) \le \varepsilon\}$, where $N_\varepsilon(x_c)$ is the set of all points in the $\varepsilon$-neighborhood of $x_c$ and $\varepsilon$ is the radius parameter; define $\rho$ as the minimum object parameter; when the number of data objects in the $\varepsilon$-neighborhood of object $x_c$ is larger than $\rho$, $x_c$ is called a core object;
step 4.2: take from the data set $D$ a data set $D_c$ containing an arbitrary data object $p$, where $D_c \in D$, $c = 1, 2, 3, \ldots$, and mark $D_c$ as read;
step 4.2: judge the data object $p$ with the parameters $\varepsilon$ and $\rho$: if $p$ is a core object, find all data objects density-reachable from $p$ and mark them as read; if $p$ is not a core object and no object is density-reachable to $p$, mark $p$ as noise data;
step 4.3: repeat steps 4.2 and 4.3 until all data are marked as read;
step 4.4: take one of the core objects as a seed and classify all points density-reachable from it into one class, forming a larger data object set;
step 4.5: cycle through steps 4.2 to 4.4 until all core objects have been traversed; the remaining data not classified into any class are abnormal data;
step 4.6: replace the abnormal data with the average of the data sets of the different normal data types and execute normal operation;
step 4.7: the cycle ends.
Beneficial effects: the invention provides a network collaborative attack modeling and hazard quantitative analysis method based on game theory, mainly used to solve the response problem of an active distribution network under network collaborative attack. The method establishes an integrated attack model, solves the Nash equilibrium solution of the system's game model, and selects the optimal response strategy according to that solution, so that the influence of the network collaborative attack on the grid data service is minimized.
Drawings
FIG. 1 is a structural diagram of the network collaborative attack modeling and hazard quantitative analysis method based on game theory. It mainly comprises a hybrid model generator, a risk quantizer, a game model generator, a data filter and a data restorer.
FIG. 2 is a schematic diagram of the reference architecture, showing the components comprised by the method of the present invention.
FIG. 3 is a schematic flow chart of the method of the present invention.
Detailed Description
For convenience of description, assume the following application example:
With the rapid development of computer technology in recent years, and under the influence of military, political and other factors, network attack means aimed at the Internet are endless; the collaborative attack is a typical attack type and has a huge influence on the data service of the active distribution network. Suppose now that the data service of the active distribution network is attacked; the network security states of the attacking and defending parties and the costs of both are evaluated with the game method, and the optimal strategy for the system's response is obtained. First, a hybrid switching systematized model is established with the active distribution network finite state machine method, decoupling of the collaborative attack behaviors is completed through data cleaning and data association, and a network collaborative attack dynamic combination model is established; then, after the decoupled modeling of the collaborative attack, attack detection is performed according to the attack behavior features extracted while the system is running, the influence of a given attack behavior is calculated, and the cost-benefit of both attacking and defending parties is analyzed with game theory, so that the optimal response strategy is obtained.
The specific embodiment of FIG. 1 is:
FIG. 1 shows the structure of the network collaborative attack modeling and hazard quantitative analysis method based on game theory, which mainly comprises five parts: a hybrid model generator, a risk analyzer, a game model generator, a data filter and a data restorer. The hybrid model generator depicts the complex and dynamic characteristics of the active distribution network system, namely the intersection of information and physical space and its dynamic changes; the risk analyzer completes the decoupled modeling of the collaborative attack from the communication point of view, then performs attack detection according to the attack behavior features extracted while the system is running, and calculates the influence of a given attack behavior; the game model generator analyzes the costs and network security states of both parties when the system detects an attack and obtains the game model of attacker and defender; the data filter screens core objects out of the acquired data; the data restorer classifies all core objects, screens abnormal data, and replaces the abnormal data with the average of the data sets of the different normal data types so that normal operation continues. A specific description follows:
(1) Hybrid model generator
The hybrid model generator reveals the complex and dynamic characteristics of the active distribution network system (the intersection of information and physical space and its dynamic changes), and provides a theoretical basis for analyzing the influence of network attacks, designing security defense strategies and assessing security risks in the active distribution network system.
The hybrid model generator establishes a hybrid switching systematized model with the active distribution network finite state machine method, acquires and analyzes attack data, detects and identifies the influence of the attack behavior, decouples the collaborative attack behaviors through data cleaning and data association, and establishes a network collaborative attack dynamic combination model. In this way the complex and dynamic characteristics of information and physical space intersection and dynamic change in the active distribution network system are revealed, providing a theoretical basis for analyzing the influence of network attacks, designing security defense strategies and assessing security risks in the active distribution network.
(2) Risk analyzer
The risk analyzer completes the decoupled modeling of the collaborative attack from the communication angle, then performs attack detection according to the attack behavior features extracted while the system is running, calculates the influence of a given attack behavior, and completes the collaborative attack situation analysis.
(3) Game model generator
The game model generator adopts a zero-sum dynamic game method: the participants' probabilities are obtained from the public knowledge each participant holds and from the participants' historical behavior, the next strategy is decided according to these probabilities, and, by refining Bayesian equilibrium, the model is developed into the distribution network security attack-defense game model $G = (P, Z, \Theta, S)$, whose utility functions of the two game parties are indexed by $i = 0, 1, 2, \ldots, N$. From it the defensive strategy sets are obtained, namely the defender's strategy set given the attacker's strategy, the attacker's strategy set given the defender's strategy, and the strategy set under the attackers' mutual influence, together with the set of final strategies the attacker makes on the basis of the defender's strategy and the other attackers' strategies.
On reaching security state $z_i$, the probability distributions corresponding to the attacker's and the defender's strategy sets are defined; the expected payoff functions of both parties are then solved, and finally the Nash equilibrium solution is obtained with a nonlinear programming method, realizing a dynamic comprehensive control strategy against moderate risk.
(4) Data screening device
The data filter first marks all initialized data as unread and defines the $\varepsilon$-neighborhood; when the number of data objects in the $\varepsilon$-neighborhood of an object $x_c$ is larger than the minimum object parameter $\rho$, $x_c$ is called a core object. A data set $D_c$ containing an arbitrary data object $p$ is taken from the data set $D$, where $D_c \in D$, $c = 1, 2, 3, \ldots$, and $D_c$ is marked as read. The data object $p$ is judged with the parameters $\varepsilon$ and $\rho$: if $p$ is a core object, all data objects density-reachable from $p$ are found and marked as read; if $p$ is not a core object and no object is density-reachable to $p$, $p$ is marked as noise data. In this way the different types of data are screened out.
(5) Target identifier
When all data are marked as read, one of the core objects is taken as a seed and all points density-reachable from it are classified into one class, forming a large data object set, also called a cluster. This is repeated until all core objects have been traversed; the data not classified into any class are the abnormal data. The identified abnormal data are eliminated, and the arithmetic mean of the normal data sets of the different data types is used in their place so that normal operation continues.
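The density-based screening and correction of steps 4.1 to 4.7 (the data filter and target identifier just described), as an added worked example that is not part of the patent: a DBSCAN-style pass over constructed feeder measurements (active power in MW, reactive power in MVar) with three injected abnormal points. The replacement rule, taking the centroid of the nearest normal cluster, is my reading of "the average of the normal data types"; the sample values, ε and ρ are constructed.

```python
from collections import deque


def minkowski(a, b, p=2):
    """Minkowski distance of order p between two feature vectors (p=2: Euclidean)."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)


def eps_neighborhood(data, c, eps, p=2):
    """N_eps(x_c): indices of all objects within radius eps of x_c, x_c itself included."""
    return [d for d in range(len(data)) if minkowski(data[c], data[d], p) <= eps]


def density_screen(data, eps, rho, p=2):
    """Label each object with a cluster id (0, 1, ...) or -1 for abnormal (noise) data.

    Unread objects carry None. A core object (more than rho objects in its
    eps-neighborhood, the page's "larger than rho") seeds a cluster and every
    object density-reachable from it is absorbed; non-core objects that no core
    object reaches stay noise.
    """
    labels = [None] * len(data)
    next_cluster = 0
    for c in range(len(data)):
        if labels[c] is not None:
            continue
        neighbors = eps_neighborhood(data, c, eps, p)
        if len(neighbors) <= rho:
            labels[c] = -1              # provisional noise; a later core object may still reach it
            continue
        labels[c] = next_cluster
        queue = deque(neighbors)
        while queue:                    # absorb all density-reachable objects of this seed
            d = queue.popleft()
            if labels[d] == -1:
                labels[d] = next_cluster  # border object reached from a core object
            if labels[d] is not None:
                continue
            labels[d] = next_cluster
            d_neighbors = eps_neighborhood(data, d, eps, p)
            if len(d_neighbors) > rho:  # d is a core object too: keep expanding from it
                queue.extend(d_neighbors)
        next_cluster += 1
    return labels


def correct_abnormal(data, labels):
    """Replace every abnormal object by the mean of the nearest normal cluster.

    Assumption: "the average of the normal data types" is read as the centroid of
    the closest normal cluster rather than one grand mean over all normal data.
    """
    clusters = {}
    for point, lab in zip(data, labels):
        if lab != -1:
            clusters.setdefault(lab, []).append(point)
    centroids = [tuple(sum(col) / len(pts) for col in zip(*pts)) for pts in clusters.values()]
    return [
        min(centroids, key=lambda cen: minkowski(point, cen)) if lab == -1 else point
        for point, lab in zip(data, labels)
    ]


# Constructed feeder measurements (active power MW, reactive power MVar): two normal
# operating regimes plus three injected values standing in for attack-fused data.
SAMPLES = [
    (5.0, 1.0), (8.0, 2.0), (5.1, 1.1), (8.1, 2.1), (4.9, 0.9), (20.0, -5.0),
    (7.9, 1.9), (5.0, 1.2), (8.0, 2.3), (5.2, 1.0), (0.5, 9.0), (8.2, 2.0),
    (5.5, 1.3), (12.0, 1.5),
]
EPS = 0.5    # radius parameter epsilon (constructed)
RHO = 3      # minimum object parameter rho (constructed)


def screen_and_correct(data=SAMPLES, eps=EPS, rho=RHO):
    """Run the screening step and the correction step; return (labels, corrected data)."""
    labels = density_screen(data, eps, rho)
    return labels, correct_abnormal(data, labels)


if __name__ == "__main__":
    labels, corrected = screen_and_correct()
    for point, lab, fixed in zip(SAMPLES, labels, corrected):
        if lab == -1:
            print(point, "abnormal -> replaced by", tuple(round(v, 3) for v in fixed))
        else:
            print(point, "cluster", lab)
```

The point (5.5, 1.3) has only three neighbours and is not a core object, yet it is reached from a core object and so joins the first cluster as a border point instead of being flagged.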
According to fig. 1 to 3, the method provided by the invention comprises the following steps:
1. hybrid model generator
Define $\Delta t_l$, $l \in \{1, 2, \ldots, m\}$, as the sampling times of the corresponding different states in the active distribution network system. Because equipment and information differ, the sampling periods differ, and the system state, which in its presentation form is a mixture of discrete and continuous systems, can be expressed by the following equation:
where $x_i(t)$, $i \in S_1$, is a fast-changing system state, presented as a continuous system state; $x_j(t)$, $j \in S_2$, is a slowly changing system state, presented as a discrete system state; $A_i$, $B_i$, $D_i$ are coefficient matrices; and $\omega_i(t)$ and $\omega_j(t)$ are the external disturbances of the continuous and the discrete part, respectively.
Taking $\Delta t$ as the greatest common factor of the sampling periods $\{\Delta t_1, \Delta t_2, \ldots, \Delta t_n\}$ of the different system parameters and states, the synchronization time within a finite time period of the heterogeneous/synchronous bimodal hybrid system can be obtained from $\Delta t$. When an attack occurs in the system, the system mainly uses the fast-changing signal with a short sampling period and high sampling frequency, and, to avoid large signal jumps, switching follows the nearby principle. The influence of the network attack is defined as an uncertain variable $\Delta$, and this randomly and dynamically changing component is fused into the 'discrete-continuous' hybrid active distribution network system to form an integrated system model with the following structure.
where $x_i(t)$, $i \in S_1$, is the continuous system state; $x_j(t)$, $j \in S_2$, the discrete system state; $\omega_i(t)$ and $\omega_j(t)$ the system disturbances; and $\Delta_i(t)$ and $\Delta_j(t)$ the randomly and dynamically changing components in the continuous and the discrete system, respectively.
2. Risk quantizer
Before the quantitative calculation, conventional industrial safety protection software, industrial firewalls and the like are installed in the system, and system anomalies are monitored and recorded. Define the probability that component $i$ of the active distribution network system is hit by network attack $a$ as $\rho_{ia}$ and its impact on system security as $\pi_{ia}$; the quantitative risk that system component $i$ may encounter from system attacks is then calculated accordingly, where $m$ is the number of types of network attack to which the system may be subject. Assuming $n$ components in the system, the security risk the whole system may face is quantitatively calculated from these component risks.
3. Game model generator
Because of uncertainty, a participant's probabilities are derived from the public knowledge it holds and from the participants' historical behavior, and the next strategy is decided according to these probabilities. Using perfect Bayesian equilibrium refinement, the power distribution network security attack and defense game model is assumed to be $G = (P, Z, \Theta, S)$, wherein: $P = (P_A, P_D)$ represents the set of participants on the attacking and defending sides, $P_A$ being the attacker and $P_D$ the defender; $Z = \{z_0, z_1, \ldots, z_N\}$ represents the set of network security states; $\Theta$, indexed by $i = 0, 1, 2, \ldots, N$, represents the strategy sets of both parties, with the attacker's and defender's strategy sets respectively denoting the set of all possible strategies of the attacker and of the defender when the system is about to reach security state $z_i$, each of which can be expanded; $S$, indexed by $i = 0, 1, 2, \ldots, N$, represents the utility functions of both game parties. The method can then obtain:
wherein the three strategy sets denote, respectively, the defender's strategy set given the attacker's strategy, the attacker's strategy set given the defender's strategy, and the strategy set under the attackers' mutual influence; the last set denotes the final strategies the attacker adopts on the basis of the defender's strategy and the other attackers' strategies.
Since neither the attacking nor the defending side can grasp all of the other side's information, a simple (pure) strategy Nash equilibrium solution does not exist, so strategy randomness exists. When security state $z_i$ is reached, the probability distributions corresponding to the integrated attack and defense strategy sets are defined respectively, with $j = 1, 2, \ldots, M$ and $k = 1, 2, \ldots, N$, and each distribution satisfies the usual normalization condition.
At this point, if security state $z_i$ is to be reached, the expected payoff functions of both the attacker and the defender can be summarized as:
Using a nonlinear programming method, the optimal control strategy against "moderate risk" can be expressed as:
s.t.
where $c$ is the maximum system safety factor, two vectors represent the corresponding unit row vectors, two further quantities represent the expected payoffs of the attacker and of the defender under Nash equilibrium, and finally the Nash equilibrium solutions of the attacker and of the defender are obtained.
4. Data screener
The data screener first marks all initialized data as unread and defines the $\varepsilon$-neighborhood $N_\varepsilon(x_i) = \{x_j \in D \mid \mathrm{dist}(x_i, x_j) \le \varepsilon\}$, where $N_\varepsilon(x_i)$ represents the set of all points in the $\varepsilon$-neighborhood of $x_i$ and $\varepsilon$ represents the radius parameter. When the number of data objects in the $\varepsilon$-neighborhood of object $x_i$ is greater than $\rho$, i.e. $|N_\varepsilon(x_i)| > \rho$, $x_i$ is called a core object. In a data set not all data objects are core objects; there are also border objects and noise objects. A border object is a data object that is not a core object but lies in the $\varepsilon$-neighborhood of some core object; a noise object is a data object that is neither a core object nor lies in the $\varepsilon$-neighborhood of any core object. A subset $D_i$ containing an arbitrary data object $p$ is taken from the data set $D$, where $D_i \in D$, $i = 1, 2, 3, \ldots$, and $D_i$ is marked as read. Data object $p$ is judged through the $\varepsilon$ and $\rho$ parameters: if $p$ is a core object, all data objects density-reachable from $p$ are found and marked as read. If $p$ is not a core object and no object is density-reachable from $p$, $p$ is marked as noise data, so that the different types of data are screened out.
5. Data restorer
When the stopping condition is satisfied and all data are marked as read, one of the core objects is used as a seed, and all points density-reachable from that object are grouped into one class, forming a large-range set of data objects, also called a cluster. This is repeated until all core objects have been traversed; the data not classified into any class are the abnormal data. The identified abnormal data are eliminated, and normal operation proceeds by substituting for the abnormal data the arithmetic mean of the normal data set of the corresponding data type.
The specific embodiment of the device, with reference to Fig. 2 and Fig. 3, is as follows:
Step 1: Define $\Delta t_l$, $l \in \{1, 2, \ldots, m\}$, as the sampling times of the corresponding different states in the system, obtaining a system state equation that mixes discrete and continuous systems.
Taking $\Delta t$ as the greatest common factor of the sampling periods $\{\Delta t_1, \Delta t_2, \ldots, \Delta t_n\}$ of the different system parameters and states, the synchronization instants within a finite time period of the heterogeneous/synchronous bimodal hybrid system can be obtained.
When an attack occurs in the system, the fast-changing signal with the short sampling period and high sampling frequency is used as the main signal, and switching follows the proximity principle.
Step 2: The influence caused by a network attack is defined as an uncertain variable $\Delta$, and this randomly and dynamically changing component is fused into the "discrete-continuous" hybrid active power distribution network system to form an integrated system model.
Step 3: Define the probability that component element $i$ of the active power distribution network system is attacked by network attack $a$ as $\rho_{ia}$, and its impact on system security as $\pi_{ia}$; the quantified risk $V_i$ that system element $i$ may suffer from attacks is calculated from these, where $m$ represents that the system may be subject to $m$ types of network attack.
Step 4: Assuming that $n$ system elements exist in the system, the security risk $V$ that the system may encounter is obtained and calculated from the $V_i$.
Step 5: Using perfect Bayesian equilibrium refinement, the power distribution network security attack and defense game model is assumed to be $G = (P, Z, \Theta, S)$, wherein: $P = (P_A, P_D)$ represents the participant set of the attacker and the defender, $P_A$ being the attacker and $P_D$ the defender; $Z = \{z_0, z_1, \ldots, z_N\}$ represents the set of network security states; $S$, indexed by $i = 0, 1, 2, \ldots, N$, represents the utility functions of both game parties. From these the defender's strategy set given the attacker's strategy, the attacker's strategy set given the defender's strategy, and the strategy set under the attackers' mutual influence can be obtained.
Step 6: Define the probability distributions corresponding to the strategies in the strategy sets of the attacking and defending parties respectively, obtain the expected payoff functions of both parties, express the optimal control strategy for resisting moderate risk, and finally obtain the Nash equilibrium solutions of the attacker and of the defender, achieving the optimal response.
Step 7: Initialize the data set $D$ collected in the data service and mark all objects as unread, defining $\rho$ as the minimum-object parameter. When the number of data objects in the $\varepsilon$-neighborhood of object $x_c$ is greater than $\rho$, $x_c$ is called a core object. Take a subset $D_c$ containing an arbitrary data object $p$ from the data set $D$, and mark $D_c$ as read.
Step 8: Judge data object $p$ through the $\varepsilon$ and $\rho$ parameters: if $p$ is a core object, find all data objects density-reachable from $p$ and mark them as read. If $p$ is not a core object and no object is density-reachable from $p$, mark $p$ as noise data; repeat the marking until all data are marked as read.
Step 9: Determine a core object and group all points density-reachable from it into one class, forming a cluster of larger range; iterate repeatedly until all core objects have been traversed, screen out the abnormal data, and take the mean of the data sets of the different normal data types to replace the abnormal data so that normal operation can be executed.

Claims (1)

1. A network collaborative attack modeling and hazard quantitative analysis method based on game theory, characterized in that it comprises the following steps:
step one, constructing a hybrid integrated model fusing network attacks for an active power distribution network
For an active power distribution network system, a hybrid integrated model fused with network attacks is constructed by a finite state machine method; the constructed hybrid integrated model is a dynamic combination model of network collaborative attacks, the influence of network attack behaviors can be detected and identified by collecting and analyzing network attack data, and the decoupling of the network collaborative attack behaviors is completed by data cleaning and data association;
step two, quantifying the risk generated by network attack behaviors
Based on the extraction of network collaborative attack behavior features during the operation of the active power distribution network system, attack detection is carried out and the influence generated by the corresponding network attack behavior is calculated, so as to comprehensively complete the analysis of the network collaborative attack situation;
step three, responding to network attack behaviors by constructing a security attack and defense game model
Adopting a zero-sum dynamic game method, a security attack and defense game model is constructed by perfect Bayesian equilibrium refinement according to the game conditions of the attacking and defending parties; the corresponding network collaborative attack behaviors are responded to by solving the Nash equilibrium solution of the security attack and defense game model, so that the influence of the network collaborative attack behaviors on the data service of the active power distribution network system is minimized; whether an alarm is required is determined according to the obtained Nash equilibrium solution, and abnormal data fused with network attack behaviors are screened, eliminated and corrected;
step four, screening, eliminating and correcting abnormal data fused with network attack behaviors
After the Nash equilibrium solution obtained in step three is used to determine that an alarm is required, a density-based clustering method is adopted to screen, eliminate and correct the abnormal data fused with network attack behaviors;
in step one, the construction of the hybrid integrated model specifically comprises the following steps:
step 1.1: data sampling, defining $\Delta t_l$, $l \in \{1, 2, \ldots, m\}$, as the data sampling time intervals of the corresponding different states $l$ in the active distribution network system; proceed to step 1.2;
step 1.2: taking $\Delta t$ as the greatest common factor of the sampling periods $\{\Delta t_1, \Delta t_2, \ldots, \Delta t_n\}$ of the different system parameters and states, obtaining the synchronization instants within a finite time period of the heterogeneous/synchronous bimodal hybrid system; proceed to step 1.3;
step 1.3: when a network attack occurs in the active power distribution network system, switching is performed with the fast-changing signal having a short sampling period and high sampling frequency as the main part and according to the proximity principle; proceed to step 1.4;
step 1.4: the influence brought by the network attack is defined as an uncertain variable $\Delta$, and this randomly and dynamically changing component is fused into the "discrete-continuous" hybrid active power distribution network system to form the hybrid integrated model fused with network attacks;
the hybrid integrated model fused with network attacks is as follows:
wherein $x_i(t)$ represents the continuous system state of continuous-time variable $i$ of the system as a function of time $t$, and $S_1$ represents the set of continuous-time variables $i$; $x_j(t)$ represents the discrete system state of discrete-time variable $j$ of the system as a function of time $t$, $j \in S_2$, and $S_2$ represents the set of discrete-time variables $j$; $S$ represents the collection of the continuous-time variables $i$ and the discrete-time variables $j$; $\omega_i(t)$ and $\omega_j(t)$ represent the disturbances of the continuous and discrete systems, respectively; $\Delta_i(t)$ and $\Delta_j(t)$ represent the network attack behavior influence components of the continuous and discrete systems, respectively; $A_i$ is the coefficient matrix of the continuous system state, $B_i$ the coefficient matrix of the continuous system disturbance, and $D_i$ the coefficient matrix of the network attack behavior influence component in the continuous system; $A_j$ is the coefficient matrix of the discrete system state, $B_j$ the coefficient matrix of the discrete system disturbance, and $D_j$ the coefficient matrix of the network attack behavior influence component in the discrete system;
in the second step, the risk generated by the network attack behavior is quantified specifically including the following steps:
step 2.1: defining probability of attack of component element i by network attack a in active power distribution network system as rho ia The impact on system safety is pi ia Computing a risk quantification computation V for a constituent element i that may be subject to network attacks i The method comprises the following steps:
step 2.2: calculating V according to the risk quantification obtained in the step 2.1 i Computing security risk quantification computation V that the entire system may encounter:
γ i representing that the constituent element i of the active power distribution network is in [1, n ]]The weight of the model (a);
in step three, the security attack and defense game model is constructed, and responds to network attack behaviors, as follows:
step 3.1: defining the power distribution network security attack and defense game model $G = (P, Z, \Theta, S)$, wherein:
$P = (P_A, P_D)$ represents the participant set of the attacker and the defender, $P_A$ being the attacker and $P_D$ the defender;
$Z = \{z_0, z_1, \ldots, z_N\}$ represents the set of network security states;
$\Theta$ represents the strategy sets of both the attacker and the defender, with the attacker's and defender's strategy sets respectively denoting the set of all possible strategies of the attacker and of the defender when the system is about to reach security state $z_i$;
$S$ represents the utility functions of both game parties;
step 3.2: when security state $z_i$ is reached, define the probability distributions corresponding to the strategies in the attacker's and defender's strategy sets respectively as:
wherein the index ranges of the distributions are given and each distribution satisfies the normalization condition;
step 3.3: summarize the expected payoff functions of both the attacker and the defender for reaching security state $z_i$;
step 3.4: obtain the optimal control strategy for resisting moderate risk by a nonlinear programming method, and finally obtain the Nash equilibrium solution;
step 3.5: the system selects whether to issue an alarm according to the Nash equilibrium solution;
in step four, the method for screening, eliminating and correcting abnormal data fused with network attack behaviors specifically comprises the following steps:
step 4.1: initializing the data set $D$ acquired in the data service and marking all objects as unread; defining the $\varepsilon$-neighborhood by the Minkowski distance formula, $N_\varepsilon(x_c) = \{x_d \in D \mid \mathrm{dist}(x_c, x_d) \le \varepsilon\}$, where $N_\varepsilon(x_c)$ represents the set of all points in the $\varepsilon$-neighborhood of $x_c$ and $\varepsilon$ represents the radius parameter; defining $\rho$ as the minimum-object parameter; when the number of data objects in the $\varepsilon$-neighborhood of object $x_c$ is greater than $\rho$, $x_c$ is called a core object;
step 4.2: taking a subset $D_c$ containing an arbitrary data object $p$ from the data set $D$, where $D_c \in D$, $c = 1, 2, 3, \ldots$, and marking $D_c$ as read;
step 4.2: judging data object $p$ through the $\varepsilon$ and $\rho$ parameters; if $p$ is a core object, finding all data objects density-reachable from $p$ and marking them as read; if $p$ is not a core object and no object is density-reachable from $p$, marking $p$ as noise data;
step 4.3: when the stated condition is satisfied, repeating steps 4.2 and 4.3 until all data are marked as read;
step 4.4: taking one of the core objects as a seed, and grouping all points density-reachable from that object into one class, forming a data object set of larger range;
step 4.5: cycling through steps 4.2 to 4.4 until all core objects have been traversed; the remaining data not classified into any class are the abnormal data;
step 4.6: taking the mean of the data sets of the different normal data types to replace the abnormal data and executing normal operation;
step 4.7: the cycle ends.
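The screening and restoration procedure of sections 4 and 5 (restated as embodiment steps 7-9 and claim steps 4.1-4.7), as an added example that is not the patent's own code: the feeder readings, ε, ρ and the rule of restoring an abnormal object from the mean of the nearest normal cluster are assumptions, and the Minkowski distance is taken with p = 2 (Euclidean).

```python
# Added example, not code from the patent: a density-based screener and
# restorer following sections 4 and 5 / claim steps 4.1-4.7. The readings,
# eps and rho are constructed assumptions; restoring from the *nearest*
# normal cluster mean is also an assumption about how step 4.6 picks the type.
from math import dist  # Euclidean distance: the Minkowski distance with p = 2
from statistics import mean

NOISE = -1  # label of an object that no core object ever reaches

# Constructed feeder readings (voltage p.u., current A): two normal operating
# clusters, one border reading, and two implausible values fused by an attack.
READINGS = [
    (1.30, 40.0),                                   # abnormal
    (1.00, 10.0), (1.01, 10.1), (0.99, 9.9), (1.00, 10.2), (1.02, 9.8),
    (1.00, 10.5),                                   # border object of cluster 0
    (0.95, 25.0), (0.96, 25.1), (0.94, 24.9), (0.95, 25.2),
    (0.60, 2.0),                                    # abnormal
]
EPS, RHO = 0.5, 3   # radius parameter and minimum-object parameter (assumed)


def eps_neighborhood(data, c, eps):
    """N_eps(x_c): indices of all objects within distance eps of data[c]."""
    return [d for d, x in enumerate(data) if dist(data[c], x) <= eps]


def screen(data, eps, rho):
    """Label each object with a cluster id (0, 1, ...) or NOISE.

    All objects start unread (None). A core object (|N_eps| > rho) seeds a
    cluster and every object density-reachable from it is read into that
    cluster; non-core objects reached this way become border objects.
    Whatever is still unreached at the end is the abnormal data.
    """
    labels = [None] * len(data)
    cluster = 0
    for c in range(len(data)):
        if labels[c] is not None:            # already read
            continue
        neighbors = eps_neighborhood(data, c, eps)
        if len(neighbors) <= rho:            # not a core object
            labels[c] = NOISE                # provisional: may become a border object
            continue
        labels[c] = cluster                  # core object used as the seed
        queue = [d for d in neighbors if d != c]
        while queue:                         # grow over density-reachable objects
            d = queue.pop()
            if labels[d] == NOISE:           # reached from a core: border object
                labels[d] = cluster
            if labels[d] is not None:
                continue
            labels[d] = cluster
            d_nb = eps_neighborhood(data, d, eps)
            if len(d_nb) > rho:              # d is itself core: keep expanding
                queue.extend(e for e in d_nb if labels[e] in (None, NOISE))
        cluster += 1
    return labels


def restore(data, labels):
    """Replace each abnormal object by the arithmetic mean of the nearest
    normal cluster (one cluster per normal data type). Returns the repaired
    data and the cluster means used; with no normal cluster, data is unchanged."""
    clusters = sorted(set(labels) - {NOISE})
    means = {}
    for k in clusters:
        members = [x for x, l in zip(data, labels) if l == k]
        means[k] = tuple(mean(col) for col in zip(*members))
    repaired = []
    for x, l in zip(data, labels):
        if l == NOISE and clusters:
            nearest = min(clusters, key=lambda k: dist(x, means[k]))
            repaired.append(means[nearest])
        else:
            repaired.append(x)
    return repaired, means


def run_example():
    labels = screen(READINGS, EPS, RHO)
    repaired, means = restore(READINGS, labels)
    return labels, repaired, means


if __name__ == "__main__":
    lbl, rep, _ = run_example()
    for x, l, r in zip(READINGS, lbl, rep):
        print(f"{x} -> {'NOISE' if l == NOISE else 'cluster %d' % l} -> {r}")
```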
CN202210593965.0A 2022-05-27 2022-05-27 Network collaborative attack modeling and hazard quantitative analysis method based on game theory Active CN115296830B (en)
Publications (2)

Publication Number Publication Date
CN115296830A CN115296830A (en) 2022-11-04
CN115296830B true CN115296830B (en) 2024-02-13
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant