CN117390637B - Method and system for protecting safety of safety access area system - Google Patents


Info

Publication number
CN117390637B
Authority
CN
China
Prior art keywords
data
encryption
ciphertext
security
access area
Legal status
Active
Application number
CN202311289276.1A
Other languages
Chinese (zh)
Other versions
CN117390637A (en)
Inventor
金智伟
徐明祺
陈浩飞
朱桦挺
周小航
沈旭
王春林
刘健
柳备
张若松
樊庆沛
张舒蒙
陈屹扬
Current Assignee
Huaneng Zhejiang Energy Sales Co ltd
Original Assignee
Huaneng Zhejiang Energy Sales Co ltd
Application filed by Huaneng Zhejiang Energy Sales Co ltd
Priority to CN202311289276.1A
Publication of CN117390637A
Application granted
Publication of CN117390637B
Current legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS > Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS > Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them > Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Software Systems
  • General Engineering & Computer Science
  • Physics & Mathematics
  • General Physics & Mathematics
  • General Health & Medical Sciences
  • Health & Medical Sciences
  • Bioethics
  • Virology
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a method and a system for the security protection of a security access area system, comprising the following steps: the virtual power plant reads data from each adjustable resource intelligent terminal; the data is first encrypted by a longitudinal encryption authentication device at the local side, and the encrypted data is transmitted via the operator to the longitudinal encryption device of the security access area for secondary encryption; the data output by the secondary encryption of the longitudinal encryption device of the security access area is inspected by the intrusion detection equipment, the network security monitoring equipment and the malicious code prevention equipment, and then enters security area I through the forward and reverse isolation devices; if the intrusion detection equipment, the network security monitoring equipment or the malicious code prevention equipment find unsafe data, the data is blocked and a warning is issued. The method and system form a comprehensive security protection net that can effectively identify and block unsafe data, so as to ensure the stable and safe operation of the power system.

Description

Method and system for protecting safety of safety access area system
Technical Field
The invention relates to the technical field of electrical engineering equipment, in particular to a method and a system for safety protection of a safety access area system.
Background
The core task of security protection for the virtual power plant monitoring system is to ensure the security of the real-time closed-loop power monitoring system and the dispatching data network, to resist malicious damage and attacks launched against the system in various forms by hackers, viruses, malicious code and the like, and in particular to resist group attacks and prevent the collapse or paralysis of the virtual power plant monitoring system. The overall goals of virtual power plant monitoring system security include:
a. preventing the interruption of core services such as the virtual power plant monitoring system service;
b. preventing the collapse of the virtual power plant monitoring system;
c. resisting malicious damage and attacks on the power monitoring system by external personnel, and preventing any impact on the connected dispatching automation system;
d. preventing malicious programs such as viruses and trojans from damaging and attacking power production and the connected dispatching automation system from inside the local area network of the virtual power plant monitoring system;
e. protecting the real-time and historical data of the virtual power plant monitoring system and preventing unauthorized modification of the data.
The virtual power plant project is a demonstration application, and the current technical specification for the security protection of power monitoring systems contains no targeted security protection requirements for it. The project may consider a network architecture construction scheme under the principle of not compromising the security of the existing power monitoring system.
Disclosure of Invention
The present invention has been made in view of the above-described problems.
Therefore, the technical problems solved by the invention are as follows: at present, no specific safety protection technical requirement exists in a virtual power plant.
In order to solve the technical problems, the invention provides the following technical scheme: a method of security protection for a secure access area system, comprising: the virtual power plant reads data from each adjustable resource intelligent terminal, the data is primarily encrypted by a longitudinal encryption authentication device at the local side, and the encrypted data is transmitted to a longitudinal encryption device of a security access area by an operator for secondary encryption.
And after the data subjected to secondary encryption by the longitudinal encryption device of the security access area is detected by the intrusion detection equipment, the network security monitoring equipment and the malicious code prevention equipment, the data enters the security I area through the positive and negative isolation device.
If the intrusion detection equipment, the network security monitoring equipment or the malicious code prevention equipment find unsafe data, the data is blocked and a warning is issued.
As a preferred embodiment of the method for protecting the security of the security access area system according to the present invention, the method comprises: the longitudinal encryption authentication device encrypts the data with an encryption algorithm and performs filtering and access control on the complete message based on IP address, transport protocol and application port number.
As a preferred embodiment of the method for protecting the security of the security access area system according to the present invention, the method comprises: the primary encryption includes the following steps.
The encryption uses the AES-256 algorithm and comprises:
Key expansion: a new set of round keys is generated from the 256-bit key K by the Rijndael key expansion algorithm.
Initial round key addition: the first part of the expanded key is XORed with the data read by the virtual power plant from each adjustable resource intelligent terminal; specifically, the data block and the round key are both treated as 128-bit binary sequences and the bits at corresponding positions are XORed.
9 main rounds: each consisting of byte substitution, row shifting, column mixing and round key addition.
Final round: byte substitution, row shifting and round key addition.
The byte substitution performs a non-linear substitution of the data through a predefined table.
The row shift cyclically shifts the rows of the two-dimensional array representation of the data block.
The round key addition XORs the state with the specific round key generated in the key expansion.
The column mixing multiplies each column by a specific polynomial, expressed as:
(03)x^3 + (01)x^2 + (01)x + (02)
where x is the polynomial variable and 01, 02, 03 are 8-bit binary numbers written in hexadecimal.
The AES-256 algorithm is expressed by the following formula:
Ciphertext = AES-256-Encrypt(P, K_expanded)
where Ciphertext is the data encrypted by the AES-256 algorithm, P is the data read by the virtual power plant from each adjustable resource intelligent terminal, and K_expanded is the key sequence after key expansion.
As a preferred embodiment of the method for protecting the security of the security access area system according to the present invention, the method comprises: the secondary encryption includes the following steps.
The data C produced by primary encryption with the AES-256 algorithm is divided into two parts, C1 and C2, and the length n of C is obtained. If n is not divisible by 2, the split point is obtained by rounding n/2 up:
n2 = n - n1
where n1 is the length of C1, n2 is the length of C2, and the rounding-up operation yields the smallest integer not less than its argument.
The bytes of C1 are inverted with the transposition algorithm:
C1' = reverse(C1)
where C1' is the inverted C1 data and reverse() is the transposition algorithm.
The current timestamp and the length of the ciphertext C are obtained and XORed to produce a fixed-length 16-byte confusion timestamp:
where t is the current timestamp.
The final ciphertext is constructed: a transposition mark T is preset as TRANS and inserted after the transposed ciphertext data C1', the confusion timestamp is appended after C2, and the final ciphertext C' is:
C' = C1' || T || C2 || TS
where || denotes concatenation.
As a preferred embodiment of the method for protecting the security of the security access area system according to the present invention, the method comprises: the intrusion detection device monitors the network and prevents threats to it when the secure access area is attacked, providing real-time protection against internal attacks, external attacks and misoperation.
The network security monitoring equipment provides, when the security access area is attacked, the functions of monitoring the real-time operation of the power secondary system servers, workstations, network devices and security protection devices, processing security events and communicating in real time.
The malicious code prevention device limits known suspicious or harmful activity when the secure access area is under attack.
As a preferred embodiment of the method for protecting the security of the security access area system according to the present invention, the method comprises: the discovery of unsafe data by the intrusion detection device, the network security monitoring device and the malicious code prevention device includes the following.
The final ciphertext C' obtained by the secondary encryption is decrypted:
The transposition mark TRANS is identified, and the ciphertext C1' preceding the mark is inverted back:
C1'' = reverse(C1')
where C1'' is the ciphertext recovered from C1'.
The 16-byte confusion timestamp is identified at the end of the final ciphertext, the second ciphertext segment C2' between the transposition mark and the confusion timestamp is obtained, and the ciphertext length n' (with the transposition mark and the confusion timestamp removed) is XORed with the confusion timestamp to obtain a timestamp t':
If t' = t, the ciphertext has not been tampered with; if t' ≠ t, the ciphertext is invalid and a warning is issued.
The decrypted data is obtained:
C'' = C1'' || C2
The primary encryption is then decrypted with the key sequence after key expansion to obtain the final decrypted data.
As a preferred embodiment of the method for protecting the security of the security access area system according to the present invention, the method comprises: the decryption further comprises requesting re-translation if the ciphertext is abnormal during translation, or if the translated ciphertext is found on verification to be substantially different from the original plaintext information; and requesting re-encryption and re-sending of the plaintext if the re-translation result still shows an abnormality or a substantial difference.
When the translation of the re-encrypted ciphertext still shows an abnormality or a substantial difference, the position of the abnormal ciphertext is marked, the corresponding position in the plaintext is marked by tracing through the encryption algorithm, and the marked ciphertext and the marked plaintext are uploaded to the technical department for repairing the defect.
The substantial difference check extracts the core content of the original text and searches for it in the decrypted content; if 95% of the core content is found, it is preliminarily determined that no substantial difference exists, and if 95% of the core content is not found, a substantial difference is deemed to exist. When it is preliminarily determined that there is no substantial difference, the non-core content is checked:
D(s1, s2) = Levenshtein(s1, s2)
where D(s1, s2) is the edit distance between the non-core content s1 of the original plaintext information and the non-core content s2 of the translated plaintext, and Levenshtein() is the edit distance algorithm.
The edit distance D(s1, s2) is normalized:
where |s1| and |s2| are the lengths of the strings s1 and s2, respectively.
where T is a preset retrieval threshold for the non-core content; a result of 1 indicates a substantial difference and 0 indicates no substantial difference.
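An added example, not the patent's own code, of the two-stage "substantial difference" check described above: first the 95% core-content retrieval test, then the Levenshtein edit distance of the remaining non-core text, normalized and compared with the threshold T. The page's normalization formula was lost in extraction, so dividing D(s1, s2) by max(|s1|, |s2|) is an assumption made here; the sample meter reading and the list of core items are constructed, and the function names are this example's own.

```python
def levenshtein(s1: str, s2: str) -> int:
    """Edit distance D(s1, s2): minimum number of insertions, deletions and substitutions."""
    prev = list(range(len(s2) + 1))
    for i, a in enumerate(s1, 1):
        cur = [i]
        for j, b in enumerate(s2, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (a != b)))  # substitution (0 cost if equal)
        prev = cur
    return prev[-1]


def normalized_distance(s1: str, s2: str) -> float:
    """D(s1, s2) scaled to [0, 1]. The page's normalization was lost in extraction;
    dividing by max(|s1|, |s2|) is the assumption used in this example."""
    longest = max(len(s1), len(s2))
    return 0.0 if longest == 0 else levenshtein(s1, s2) / longest


def core_content_retrieved(core_items, decrypted: str) -> float:
    """Fraction of core-content items found verbatim in the decrypted text."""
    if not core_items:
        return 1.0
    return sum(1 for item in core_items if item in decrypted) / len(core_items)


def strip_core(text: str, core_items) -> str:
    """Remove the core items so that only non-core content remains for the edit-distance step."""
    for item in core_items:
        text = text.replace(item, "")
    return text


def substantial_difference(original: str, decrypted: str, core_items, threshold: float) -> int:
    """1 = substantial difference, 0 = none, following the two stages in the text:
    the 95% core-content retrieval first, then the normalized edit distance of the
    non-core text compared against the preset threshold T."""
    if core_content_retrieved(core_items, decrypted) < 0.95:
        return 1
    non_core_orig = strip_core(original, core_items)
    non_core_dec = strip_core(decrypted, core_items)
    return 1 if normalized_distance(non_core_orig, non_core_dec) > threshold else 0


if __name__ == "__main__":
    # Constructed sample: one terminal reading and the fields treated as core content.
    original = "meter=MTR-001;kw=12.5;kvar=3.1;status=OK;note=routine read"
    core = ["MTR-001", "kw=12.5", "kvar=3.1", "status=OK"]
    print(substantial_difference(original, original, core, 0.1))
    print(substantial_difference(original, original.replace("kw=12.5", "kw=1?.5"), core, 0.1))
    print(substantial_difference(original, original.replace("read", "reed"), core, 0.1))
```

A corrupted core field fails at the first stage regardless of the threshold, while a one-character change in the free-text note only trips the check if T is set below 1/27 for this input, which is why the threshold has to be chosen against the expected length of the non-core content.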
A system for the security protection of a secure access area system, characterized by comprising:
an encryption module, by which the virtual power plant reads data from each adjustable resource intelligent terminal, the data is first encrypted by the longitudinal encryption authentication device at the local side, and the encrypted data is transmitted via the operator to the longitudinal encryption device of the security access area for secondary encryption.
The data after secondary encryption by the longitudinal encryption device of the security access area is inspected by the intrusion detection equipment, the network security monitoring equipment and the malicious code prevention equipment, and then enters security area I through the forward and reverse isolation devices. If the intrusion detection equipment, the network security monitoring equipment or the malicious code prevention equipment find unsafe data, the data is blocked and a warning is issued.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method as described above when the processor executes the computer program.
A computer readable storage medium having stored thereon a computer program which when executed by a processor realizes the steps of the method as described above.
The beneficial effects of the invention are as follows: the method improves the data security and the protection capability of the security access area of the power system. By introducing double encryption and a timestamp, it not only increases the complexity of the data encryption but also effectively prevents data replay attacks. The use of two independently generated keys provides multiple layers of protection for the data and reduces the risk posed by the compromise of a single key. The addition of the timestamp further improves the non-falsifiability of the data and ensures its integrity during transmission. In addition, by establishing a security access area and deploying intrusion detection, network security monitoring and malicious code prevention equipment, the invention forms a comprehensive security protection network that can effectively identify and block unsafe data, thereby ensuring the stable and safe operation of the power system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
fig. 1 is a general flowchart of a method and a system for security protection of a security access area system according to a first embodiment of the present invention;
Fig. 2 is a device connection diagram of a method and a system for security protection of a security access area system according to a first embodiment of the present invention;
Detailed Description
So that the manner in which the above recited objects, features and advantages of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
While the embodiments of the present invention have been illustrated and described in detail in the drawings, the cross-sectional view of the device structure is not to scale in the general sense for ease of illustration, and the drawings are merely exemplary and should not be construed as limiting the scope of the invention. In addition, the three-dimensional dimensions of length, width and depth should be included in actual fabrication.
Also in the description of the present invention, it should be noted that the orientation or positional relationship indicated by the terms "upper, lower, inner and outer", etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first, second, or third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected, and coupled" should be construed broadly in this disclosure unless otherwise specifically indicated and defined, such as: can be fixed connection, detachable connection or integral connection; it may also be a mechanical connection, an electrical connection, or a direct connection, or may be indirectly connected through an intermediate medium, or may be a communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
Example 1
Referring to fig. 1, for one embodiment of the present invention, a method for security protection of a security access area system is provided, including:
S1: the virtual power plant reads data from each adjustable resource intelligent terminal, the data is primarily encrypted by a longitudinal encryption authentication device at the local side, and the encrypted data is transmitted to a longitudinal encryption device of a security access area by an operator for secondary encryption.
The longitudinal encryption authentication device encrypts the data with an encryption algorithm and performs filtering and access control on the complete message based on IP address, transport protocol and application port number.
The primary encryption uses the AES-256 algorithm and comprises the following steps:
Key expansion: a new set of round keys is generated from the 256-bit key K by the Rijndael key expansion algorithm.
The generation of the new key material by the Rijndael key expansion algorithm proceeds as follows:
Initialization: the initial 256-bit (32-byte) key is used.
Initial key assignment: this initial 256-bit key forms the first 32 bytes of the output key material.
Key expansion loop: an iterative loop generates new key material and appends it to the existing material; each pass produces 4 new bytes (one word), and four passes yield the 16 bytes of one round key.
In each pass, the last 4 bytes of the output key material are taken and stored in a temporary variable.
Each time a full 32-byte cycle is completed, this temporary variable receives special processing:
the 4 bytes are cyclically rotated by one byte position (the last byte is moved to the front);
each of the 4 bytes is replaced through the S-box;
finally, the first of the 4 bytes is XORed with a value called the round constant (Rcon).
Whether or not the special processing was applied, the following step is performed:
the temporary variable is XORed with the 4 bytes of output key material located 8 words (32 bytes) before it, and the result is appended to the end of the output key material.
Key material of 240 bytes is finally obtained; this key material is used for the rounds of the AES-256 encryption algorithm.
Initial round key addition: the first part of the new key (i.e. the first sub-array of the key array) is XORed with the data read by the virtual power plant from each adjustable resource intelligent terminal; specifically, both the data block and the key are treated as 128-bit binary sequences and the bits at corresponding positions are XORed.
Note that 0 XOR 0 = 0, 1 XOR 0 = 1, 0 XOR 1 = 1 and 1 XOR 1 = 0; the operation is performed bit by bit, i.e. the first bit of the data block is XORed with the first bit of the key, the second bit with the second bit, and so on.
9 main rounds: each consisting of byte substitution, row shifting, column mixing and round key addition.
Final round: byte substitution, row shifting and round key addition.
The byte substitution performs a non-linear substitution of the data through a predefined table.
Note that the predefined table (S-box) is computed by a specific mathematical operation: the multiplicative inverse over the finite field GF(2^8) followed by an affine transformation, pre-generated as a look-up table from 8-bit inputs to 8-bit outputs; each 8-bit byte is replaced by another 8-bit byte through the S-box.
The row shift cyclically shifts the rows of the two-dimensional array representation of the data block.
Note that the two-dimensional array arises because, at the start of the AES-256 encryption process, the plaintext is organized into a 4x4 array of bytes called the state array; the state array holds the data actually being encrypted (or decrypted).
The round key addition XORs the state with the specific round key generated in the key expansion.
The column mixing multiplies each column by a specific polynomial, expressed as:
(03)x^3 + (01)x^2 + (01)x + (02)
where x is the polynomial variable and 01, 02, 03 are 8-bit binary numbers written in hexadecimal.
Note that each column of the data block is multiplied by this polynomial (modulo x^4 + 1) and the result replaces the original column, which increases the complexity of the encryption.
The AES-256 algorithm is expressed by the following formula:
Ciphertext = AES-256-Encrypt(P, K_expanded)
where Ciphertext is the data encrypted by the AES-256 algorithm, P is the data read by the virtual power plant from each adjustable resource intelligent terminal, which is a 128-bit plaintext block, and K_expanded is the key sequence after key expansion.
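The following is an added worked example, not code from the patent, covering the AES-256 key expansion described in the summary above and in this embodiment: it generates the S-box by the GF(2^8) inverse and affine transformation mentioned in the text, then runs the Rijndael key expansion for a 256-bit key to produce the 240 bytes of key material and the 15 round keys, and performs the initial round key addition as a bitwise XOR of two 128-bit sequences. Two details follow FIPS-197 rather than the summary above: RotWord moves the first byte of the word to the end, and for 256-bit keys the word at position 4 of each 8-word cycle is also passed through the S-box (without rotation or round constant). The function names are this example's own.

```python
# Round constants used in the first byte of each 8-word cycle (AES-256 uses the first seven).
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); the S-box maps 0 to 0 before the affine step."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_entry(x: int) -> int:
    """S-box entry = affine transformation of the field inverse (the derivation the text names)."""
    b = gf_inv(x)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


SBOX = [sbox_entry(x) for x in range(256)]   # the predefined 8-bit -> 8-bit look-up table


def expand_key_256(key: bytes) -> bytes:
    """Rijndael key expansion for a 256-bit key: 8 input words -> 60 words (240 bytes)."""
    if len(key) != 32:
        raise ValueError("AES-256 requires a 32-byte key")
    words = [list(key[4 * i:4 * i + 4]) for i in range(8)]   # initial key = first 32 bytes
    for i in range(8, 60):
        temp = list(words[i - 1])                # last 4 bytes of the material so far
        if i % 8 == 0:                           # a full 32-byte cycle has been completed
            temp = temp[1:] + temp[:1]           # RotWord: first byte moves to the end (FIPS-197)
            temp = [SBOX[b] for b in temp]       # SubWord through the S-box
            temp[0] ^= RCON[i // 8 - 1]          # round constant into the first byte
        elif i % 8 == 4:                         # extra SubWord specific to 256-bit keys
            temp = [SBOX[b] for b in temp]
        # XOR with the word 8 words (32 bytes) back and append to the key material.
        words.append([x ^ y for x, y in zip(words[i - 8], temp)])
    return bytes(b for w in words for b in w)


def round_keys(expanded: bytes) -> list:
    """Split the 240 bytes into the 15 16-byte round keys (initial addition + 14 rounds)."""
    return [expanded[16 * r:16 * (r + 1)] for r in range(15)]


def add_round_key(block: bytes, rk: bytes) -> bytes:
    """Initial round key addition: bitwise XOR of a 128-bit block with a 128-bit round key."""
    if len(block) != 16 or len(rk) != 16:
        raise ValueError("block and round key must both be 16 bytes")
    return bytes(p ^ k for p, k in zip(block, rk))


if __name__ == "__main__":
    # Key from the FIPS-197 Appendix A.3 key expansion example.
    key = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                        "1f352c073b6108d72d9810a30914dff4")
    material = expand_key_256(key)
    for r, rk in enumerate(round_keys(material)):
        print(f"round key {r:2d}: {rk.hex()}")
```

The first two round keys are simply the two halves of the 256-bit key; everything from word 8 onward is derived, which is why the block's test checks words 8 to 15 against the published FIPS-197 expansion of this key.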
The secondary encryption steps are as follows:
The data C produced by primary encryption with the AES-256 algorithm is divided into two parts, C1 and C2, and the length n of C is obtained. If n is not divisible by 2, the split point is obtained by rounding n/2 up:
n2 = n - n1
where n1 is the length of C1, n2 is the length of C2, and the rounding-up operation yields the smallest integer not less than its argument.
The bytes of C1 are inverted with the transposition algorithm:
C1' = reverse(C1)
where C1' is the inverted C1 data and reverse() is the transposition algorithm.
The current timestamp and the length of the ciphertext C are obtained and XORed to give a fixed-length 16-byte confusion timestamp TS:
where t is the current timestamp.
Note that the confusion timestamp is added because it increases the complexity of the ciphertext, and because whether the ciphertext has been tampered with can be judged during subsequent decryption from the calculation involving the confusion timestamp, which improves security.
Furthermore, the fixed length of the confusion timestamp is set so that it can be identified during subsequent decryption. Even if the ciphertext is leaked, an outside party that does not know the encryption rule of the invention can hardly determine which trailing bytes are the confusion timestamp, because the confusion timestamp is mixed with the ciphertext, and since each ciphertext differs in length and in encryption time, the confusion timestamp also differs.
Note that the fixed length of the confusion timestamp is set according to the maximum ciphertext length; if the confusion timestamp is shorter than 16 bytes, the remaining space at its end is filled with 0.
The final ciphertext is constructed: a transposition mark T is preset as TRANS and inserted after the transposed ciphertext data C1', the confusion timestamp is appended after C2, and the final ciphertext C' is:
C' = C1' || T || C2 || TS
where || denotes concatenation.
S2: the data after secondary encryption by the longitudinal encryption device of the security access area is inspected by the intrusion detection equipment, the network security monitoring equipment and the malicious code prevention equipment, and then enters security area I through the forward and reverse isolation devices.
The intrusion detection device comprises a device for detecting intrusion:
a network security technology that actively protects the network from attack, can monitor the network, prevent and mitigate threats to it, and provides real-time protection against internal attacks, external attacks and misoperation.
The network security monitoring device is deployed in the production control area of substations and power plants and implements functions such as monitoring the real-time operation of the power secondary system servers, workstations, network devices and security protection devices, security event processing, real-time communication, service proxying and local security management.
The malicious code prevention device applies a policy that limits known suspicious or harmful activity to a minimum so as to reduce the likelihood of an attacker gaining access. Malicious code takes many forms, such as viruses, spyware, worms, adware, backdoors and phishing websites. To protect information systems, protection against malicious code reduces the damage caused by viruses, spyware, phishing websites and the like.
Intrusion detection devices, network security monitoring devices and anti-malicious code devices find unsafe data including,
Decrypting the final ciphertext C' obtained by the secondary encryption:
the transposition mark TRANS is identified, and the ciphertext C1' before the transposition mark is reversed:
C1''=Reverse(C1')
wherein C1'' represents the ciphertext obtained by reversing C1';
the 16-byte obfuscated timestamp is identified at the end of the final ciphertext, the second ciphertext segment C2 between the transposition mark and the obfuscated timestamp is obtained, and an exclusive OR operation is performed between the ciphertext length n' (with the transposition mark and the obfuscated timestamp removed) and the obfuscated timestamp, giving a timestamp t':
if t' = t, the ciphertext has not been tampered with; if t' ≠ t, the ciphertext is invalid and a warning is issued.
Obtaining decrypted data:
C''=C1''||C2
and decrypting the primary encryption according to the key sequence after the key expansion to obtain final decrypted data.
It should be noted that AES-256 is a symmetric algorithm, and the shared key is transmitted through the secure shared channel of the device during decryption.
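The secondary encryption of step S1 and its reversal in the detection step above, as an added example that is not part of the patent: it splits C, reverses C1, inserts the TRANS mark and the 16-byte obfuscated timestamp, then parses C' back and checks t' against t. The page does not say how t and the length n are widened to 16 bytes for the XOR, nor how the receiver learns t; the example assumes 16-byte big-endian integers and a caller-supplied reference timestamp, and the primary ciphertext C is a constructed byte string standing in for the AES-256 output.

```python
import math

TRANS_MARK = b"TRANS"   # the preset transposition mark T from the page
TS_LEN = 16             # TS is fixed at 16 bytes on the page


def obfuscated_timestamp(t: int, n: int) -> bytes:
    """TS = t XOR n; the 16-byte big-endian encoding is an assumption."""
    return (t ^ n).to_bytes(TS_LEN, "big")


def secondary_encrypt(c: bytes, t: int) -> bytes:
    """Build C' = C1' || T || C2 || TS from the primary ciphertext C."""
    n = len(c)
    n1 = math.ceil(n / 2)        # n1 = ceil(n/2), n2 = n - n1
    c1, c2 = c[:n1], c[n1:]
    c1_rev = c1[::-1]            # C1' = reverse(C1): a byte reversal
    return c1_rev + TRANS_MARK + c2 + obfuscated_timestamp(t, n)


def secondary_decrypt(final: bytes, expected_t: int):
    """Parse C' and recover C'' = C1'' || C2 together with t'.

    Returns (c_double_prime, t_prime, ok); ok is False whenever the layout
    is malformed or t' != expected_t, which is the page's 'issue a warning'.
    """
    if len(final) < len(TRANS_MARK) + TS_LEN:
        return b"", None, False
    ts, body = final[-TS_LEN:], final[:-TS_LEN]
    # The page locates T by its fixed value; the first occurrence is used
    # (a binary C1' that happened to contain b"TRANS" would mis-split).
    pos = body.find(TRANS_MARK)
    if pos < 0:
        return b"", None, False
    c1_rev, c2 = body[:pos], body[pos + len(TRANS_MARK):]
    c1 = c1_rev[::-1]                       # C1'' = Reverse(C1')
    n_prime = len(c1) + len(c2)             # length with T and TS removed
    t_prime = int.from_bytes(ts, "big") ^ n_prime
    return c1 + c2, t_prime, t_prime == expected_t


if __name__ == "__main__":
    # Constructed stand-in for the AES-256 output C (21 bytes, so n is odd).
    sample_c = bytes(range(1, 22))
    sample_t = 1695859200                   # constructed Unix timestamp
    wrapped = secondary_encrypt(sample_c, sample_t)
    print(secondary_decrypt(wrapped, sample_t))
```

Because TS is a function of t and the length n only, the t' = t check detects a changed ciphertext length but not a same-length byte modification; an authenticated mode or a MAC over C' is needed for that.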
The decryption further includes: if an error occurs while decrypting the ciphertext, or if verification finds the decrypted result substantially different from the original plaintext information, re-decryption is requested; if the re-decryption result still shows an error or a substantial difference, re-encryption and re-sending of the plaintext is requested.
When decryption of the re-encrypted ciphertext still shows an error or a substantial difference, the position of the abnormal ciphertext is marked, the corresponding position in the plaintext is marked by tracing the encryption algorithm, and the marked ciphertext and marked plaintext are uploaded to the technical department to repair the bug.
It should be noted that tracing the encryption algorithm mainly determines in which operation the error occurred; the specific tracing steps are as follows:
Primary encryption audit:
Confirm that the plaintext is complete and undamaged.
Ensure that the key and parameters used in the AES-256 encryption were not set incorrectly or corrupted.
Verify that the encryption result is a ciphertext C of the expected length and format.
Secondary encryption inspection:
It is checked whether the ciphertext C is correctly divided equally into C1, C2.
Confirm whether C1 is transposed correctly.
Verify if the transpose mark is in the correct position and is not damaged.
Check the exclusive OR of the timestamp with the length of the ciphertext C to ensure that the obfuscated timestamp was generated and inserted correctly.
Verifying whether the overall ciphertext structure matches the expected encryption format.
Further, in each encryption and decryption step, the device records a detailed operation log, and the log record needs to be checked during the tracing.
The substantial difference comprises extracting core content in original text, searching the core content in decrypted content, and if 95% of the core content is searched, preliminarily identifying that the substantial difference is not present. If 95% of the core content is not searched, determining that a substantial difference exists; when it is initially determined that there is no substantial difference, the non-core content is retrieved.
D(s1,s2)=Levenshtein(s1,s2)
Wherein D(s1, s2) represents the edit distance between the non-core content s1 of the original plaintext information and the non-core content s2 of the decrypted plaintext, Levenshtein() represents the edit distance algorithm, s1 represents the non-core content of the original plaintext information, and s2 represents the non-core content of the decrypted plaintext.
It should be noted that the 95% threshold is set empirically or according to a specific application scenario. The invention relates to the technical field of network security information, so that the threshold value needs to be set high to ensure the accuracy and the integrity of data.
Normalizing the edit distance D(s1, s2):
where |s1| and |s2| are the lengths of the strings s1 and s2, respectively.
Wherein T represents a preset retrieval threshold for the non-core content, 1 represents a substantial difference, and 0 represents no substantial difference.
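The substantial-difference check described above, as an added example that is not the patent's code: the 95% core-content retrieval first, then the Levenshtein distance on the non-core content. The page's normalization formula and the value of T are not shown, so D / max(|s1|, |s2|) and a caller-supplied T are assumed, and core content is modelled as a list of strings that must appear in the decrypted text.

```python
CORE_THRESHOLD = 0.95   # the 95% retrieval figure from the page


def levenshtein(s1: str, s2: str) -> int:
    """Edit distance (insert, delete, substitute) with a rolling DP row."""
    if len(s1) < len(s2):
        s1, s2 = s2, s1
    prev = list(range(len(s2) + 1))
    for i, ch1 in enumerate(s1, 1):
        cur = [i]
        for j, ch2 in enumerate(s2, 1):
            cost = 0 if ch1 == ch2 else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def normalized_distance(s1: str, s2: str) -> float:
    """Assumed normalization: D(s1, s2) divided by the longer length."""
    longest = max(len(s1), len(s2))
    return 0.0 if longest == 0 else levenshtein(s1, s2) / longest


def core_retrieval_ratio(core_items, decrypted_text: str) -> float:
    """Fraction of the core content items found in the decrypted text."""
    if not core_items:
        return 1.0
    found = sum(1 for item in core_items if item in decrypted_text)
    return found / len(core_items)


def substantial_difference(core_items, decrypted_text: str,
                           noncore_orig: str, noncore_decrypted: str,
                           T: float) -> int:
    """Return 1 when a substantial difference exists, otherwise 0.

    Step 1: fewer than 95% of the core items retrieved -> substantial.
    Step 2: otherwise compare the non-core content; a normalized edit
    distance above T is treated as substantial (decision rule assumed).
    """
    if core_retrieval_ratio(core_items, decrypted_text) < CORE_THRESHOLD:
        return 1
    return 1 if normalized_distance(noncore_orig, noncore_decrypted) > T else 0


if __name__ == "__main__":
    # Constructed telemetry record and its core fields.
    core = ['"terminal": 1', '"voltage": 220', '"current": 10']
    original = '{"terminal": 1, "voltage": 220, "current": 10, "note": "normal reading"}'
    print(substantial_difference(core, original, "normal reading", "normal reading", 0.1))
```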
S3: if the intrusion detection device, the network security monitoring device and the malicious code prevention device find unsafe data, blocking is carried out and a warning is sent out.
Wherein the detection rules used to block unsafe data include the following.
The detection rules of the intrusion detection device are as follows:
Timestamp check: if the timestamp of a data packet differs from the current system time by more than ten minutes, the data packet is judged to be abnormal.
Data frequency check: if packets from one source arrive at an abnormally high frequency within three seconds, they are regarded as a potential DoS attack.
Known attack pattern matching: it is checked whether the data packet matches a known attack pattern, e.g., SQL injection, cross-site scripting attack, etc.
It should be noted that the known attack patterns originate from the built-in database of the device and the dynamically updated external database.
The detection rules of the network security monitoring device are as follows:
Traffic analysis: if irregular port activity or an abnormal increase in data traffic is detected, it is regarded as abnormal.
Protocol checking: and detecting whether the data packet accords with the specification of the internal communication protocol of the power system, and if not, regarding the data packet as abnormal.
It should be noted that the specification of the internal communication protocol of the power system is derived from the national standard specification.
Key integrity check: if the encryption key is detected to be tampered, the encryption key is regarded as abnormal.
The anti-malicious code device detection rules are as follows:
file type checking: only JSON and XML formatted data is allowed to pass.
Malicious code scanning: it is checked whether the data content contains known malicious code and executable scripts.
It should be noted that known malicious code and executable scripts originate from both the built-in database of the device and the dynamically updated external database.
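The rules of the three devices in step S3, run over constructed packets that reproduce the malicious data of Table 2 in Example 2, as an added example that is not the patent's code. Assumed where the page gives no value: a limit of 20 packets per source per three-second window, a voltage and current range bracketing the Table 1 readings as the protocol conformance check, and a two-entry signature list standing in for the device's built-in and external pattern databases.

```python
import json
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

TIMESTAMP_SKEW = 10 * 60         # ten minutes (from the page)
RATE_WINDOW = 3.0                # three seconds (from the page)
MAX_PER_WINDOW = 20              # assumed: packets per source per window
VOLTAGE_RANGE = (200.0, 240.0)   # assumed, bracketing the Table 1 readings
CURRENT_RANGE = (0.0, 20.0)      # assumed

# Constructed signatures standing in for the built-in and external databases.
ATTACK_SIGNATURES = [
    ("cross-site scripting", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("sql injection",
     re.compile(r"\b(union\s+select|or\s+1\s*=\s*1)\b", re.IGNORECASE)),
]


def parse_body(body: str):
    """File type rule of the anti-malicious-code device: only JSON or XML passes.

    Returns a dict of fields, or None when the body is neither format.
    """
    try:
        data = json.loads(body)
        return data if isinstance(data, dict) else None
    except ValueError:
        pass
    try:
        root = ET.fromstring(body)
        return {child.tag: child.text for child in root}
    except ET.ParseError:
        return None


class Detector:
    def __init__(self) -> None:
        self._recent = defaultdict(deque)   # source -> timestamps in window

    def rate_exceeded(self, source: str, ts: float) -> bool:
        """Data frequency rule: too many packets from one source within 3 s."""
        q = self._recent[source]
        q.append(ts)
        while q and ts - q[0] > RATE_WINDOW:
            q.popleft()
        return len(q) > MAX_PER_WINDOW

    def inspect(self, packet: dict, now: float) -> list:
        """Return the names of the rules that fired; [] means the packet passes."""
        alerts = []
        # Intrusion detection device: timestamp, frequency, known patterns.
        if abs(now - packet["timestamp"]) > TIMESTAMP_SKEW:
            alerts.append("timestamp")
        if self.rate_exceeded(packet["source"], packet["timestamp"]):
            alerts.append("rate")
        for name, pattern in ATTACK_SIGNATURES:
            if pattern.search(packet["body"]):
                alerts.append(name)
        # Anti-malicious-code device: file type.
        fields = parse_body(packet["body"])
        if fields is None:
            alerts.append("file-type")
            return alerts
        # Network security monitoring device: protocol conformance, modelled
        # here as required fields whose values lie inside the assumed ranges.
        try:
            volts, amps = float(fields["voltage"]), float(fields["current"])
        except (KeyError, TypeError, ValueError):
            alerts.append("protocol")
            return alerts
        if not (VOLTAGE_RANGE[0] <= volts <= VOLTAGE_RANGE[1]
                and CURRENT_RANGE[0] <= amps <= CURRENT_RANGE[1]):
            alerts.append("protocol")
        return alerts
```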
In the above embodiment, a system for security protection of a security access area system is further included, specifically:
The encryption module is used for the virtual power plant to read data from each adjustable resource intelligent terminal, perform primary encryption with the longitudinal encryption authentication device at the local side, and transmit the encrypted data through the operator to the longitudinal encryption device of the security access area for secondary encryption.
The monitoring and warning module is used for passing the data secondarily encrypted by the longitudinal encryption device of the security access area into the security I area through the forward and reverse isolation device after it has been inspected by the intrusion detection equipment, the network security monitoring equipment and the malicious code prevention equipment. If the intrusion detection device, the network security monitoring device and the malicious code prevention device find unsafe data, blocking is carried out and a warning is sent out.
The computer device may be a server. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing data cluster data of the power monitoring system. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded nonvolatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
Example 2
Referring to fig. 2, for one embodiment of the present invention, a method and a system for security protection of a security access area system are provided, and in order to verify the beneficial effects of the present invention, a scientific demonstration is performed through a simulation experiment.
The experimental environment settings are shown in fig. 1, and the experimental data are shown in the following table:
TABLE 1 Configuration of intelligent terminals for the virtual power plant
Intelligent terminal | Voltage | Current
1 | 220 V | 10 A
2 | 210 V | 12 A
3 | 225 V | 11 A
Randomly inserting malicious data into the data:
TABLE 2 Malicious data
Type | Content
Malicious code | <script>alert('Hacked');</script>
Unauthorized data | Voltage 500V, current 50A
The data after primary and secondary encryption using AES-256 with the key SuperSecretKey123_SuperSecretKey123 was passed through the three devices, and the detection results are as follows:
TABLE 5 detection results
TABLE 6 Accuracy of abnormality identification
Device | Abnormality identification accuracy
Intrusion detection device | 100%
Network security monitoring device | 100%
Malicious code prevention device | 100%
As can be seen from the above table, all original and encrypted data can successfully enter the secure I-zone without intrusion; in the case of a malicious intrusion (simulated insertion of malicious code and unauthorized data), these data are successfully identified and blocked, while a warning is issued.
In summary, the invention has high effectiveness and feasibility in the aspect of virtual power plant data security.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.

Claims (8)

1. A method for security protection of a secure access area system, comprising:
the virtual power plant reads data from each adjustable resource intelligent terminal, the data is primarily encrypted by a longitudinal encryption authentication device at the local side, and the encrypted data is transmitted to a longitudinal encryption device of a security access area by an operator for secondary encryption;
The data after the secondary encryption of the longitudinal encryption device of the security access area is detected by intrusion detection equipment, network security monitoring equipment and malicious code prevention equipment, and then enters a security I area through a positive and negative isolation device;
If the intrusion detection device, the network security monitoring device and the malicious code prevention device find unsafe data, blocking is carried out and a warning is sent out;
The primary encryption may include the steps of,
The encryption method adopts an AES-256 algorithm, and comprises the following steps:
Key expansion: generating a new set of keys from a 256-bit key K by the Rijndael key expansion algorithm;
initial round key addition: performing an XOR operation between the first part of the new key and the data read by the virtual power plant from each adjustable resource intelligent terminal; specifically, the data block and the key are regarded as 128-bit binary sequences and the bits at corresponding positions are XORed;
9 main rounds: each including byte substitution, row shifting, column mixing and round key addition;
Final round: including byte substitution, row shifting and round key addition;
wherein the byte substitution performs a nonlinear substitution of the data through a predefined table;
the row shifting performs a cyclic shift of the rows in the two-dimensional array representation of the data block;
the round key addition performs an XOR operation with the specific round key generated in the key expansion;
the column mixing performs column mixing with a specific polynomial, expressed as:
(03)x^3 + (01)x^2 + (01)x + (02)
Wherein x represents a polynomial variable, and 01, 02 and 03 represent 8-bit binary numbers;
the AES-256 algorithm has the following formula:
Ciphertext = AES256(P, K_expanded)
Wherein Ciphertext represents the data encrypted by the AES-256 algorithm, P represents the data read by the virtual power plant from each adjustable resource intelligent terminal, and K_expanded represents the key sequence after key expansion;
the secondary encryption includes the steps of,
The data C after primary encryption by the AES-256 algorithm is divided into two parts, C1 and C2, after obtaining the length n of C; if n is not divisible by 2, upward rounding is used:
n2=n-n1
Wherein n1 represents the length of C1, n2 represents the length of C2, and the rounding-up notation denotes the smallest integer not less than its argument;
inverting the bytes of C1 using the transpose algorithm:
C1'=reverse(C1)
Wherein, C1' represents inverted C1 data, and reverse () represents a transposition algorithm;
the current timestamp and the length of the ciphertext C are obtained and XORed, giving a fixed-length 16-byte obfuscated timestamp TS:
Wherein t represents the current timestamp;
Constructing the final ciphertext: a transposition mark T is preset as TRANS, the mark T is appended after C1', the obfuscated timestamp TS is appended after C2, and the final ciphertext C' is constructed as:
C′=C1′||T||C2||TS
where || denotes the concatenation operation.
2. The method for security access area system security protection of claim 1, wherein: the longitudinal encryption authentication device includes,
the data is encrypted using an encryption algorithm, and messages are filtered and access-controlled based on IP address, transport protocol and application port number.
3. The method for security access area system security protection of claim 2, wherein: the intrusion detection device monitors the network and prevents threats to the network when the security access area is attacked, and provides real-time protection against internal attacks, external attacks and misoperation;
the network security monitoring equipment provides the functions of monitoring the real-time operation of power secondary system servers, workstations, network equipment and security protection equipment, processing security events and communicating in real time when the security access area is attacked;
the anti-malicious code device limits known suspicious or harmful activity when the security access area is under attack.
4. A method of security access area system security protection as defined in claim 3, wherein: the intrusion detection device, the network security monitoring device, and the anti-malicious code device discovering unsafe data includes,
Decrypting the final ciphertext C' obtained by the secondary encryption:
the transposition mark T is identified, and the ciphertext C1' before the transposition mark is reversed:
C1''=Reverse(C1')
wherein C1'' represents the ciphertext obtained by reversing C1';
the 16-byte obfuscated timestamp is identified at the end of the final ciphertext, the second ciphertext segment C2 between the transposition mark and the obfuscated timestamp is obtained, and an exclusive OR operation is performed between the ciphertext length n' (with the transposition mark and the obfuscated timestamp removed) and the obfuscated timestamp to obtain a timestamp t':
if the obtained t' = t, the ciphertext has not been tampered with; if t' ≠ t, the ciphertext is invalid and a warning is sent out;
Obtaining decrypted data:
C″=C1″||C2
And decrypting the primary encryption according to the key sequence subjected to the key expansion to obtain final decrypted data.
5. The method for security access area system security protection of claim 4, wherein: the decryption further comprises requesting re-decryption if an error occurs while decrypting the ciphertext or if verification finds the decrypted result substantially different from the original plaintext information, and requesting that the plaintext be re-encrypted and re-sent if the re-decryption result still shows an error or a substantial difference;
when decryption of the re-encrypted ciphertext still shows an error or a substantial difference, the position of the abnormal ciphertext is marked, the corresponding position in the plaintext is marked by tracing the encryption algorithm, and the marked ciphertext and marked plaintext are uploaded to the technical department to request a bug fix;
The substantial difference comprises extracting core content in original text, searching the core content in decrypted content, and if 95% of the core content is searched, preliminarily identifying that the substantial difference is not present; if 95% of the core content is not searched, determining that a substantial difference exists; when the initial determination is that there is no substantial difference, searching the uncore content;
D(s1,s2)=Levenshtein(s1,s2)
wherein D(s1, s2) represents the edit distance between the non-core content s1 of the original plaintext information and the non-core content s2 of the decrypted plaintext, Levenshtein() represents the edit distance algorithm, s1 represents the non-core content of the original plaintext information, and s2 represents the non-core content of the decrypted plaintext;
Normalizing the edit distance D(s1, s2):
where |s1| and |s2| are the lengths of the strings s1 and s2, respectively;
wherein T represents a preset retrieval threshold for the non-core content, 1 represents that there is a substantial difference in the non-core content, and 0 represents that there is no substantial difference.
6. A system for security protection of a secure access area system employing the method of any of claims 1-5, characterized by:
The encryption module is used for reading data from each adjustable resource intelligent terminal by the virtual power plant, carrying out primary encryption by the longitudinal encryption authentication device at the local side, and transmitting the encrypted data to the longitudinal encryption device of the security access area by the operator for secondary encryption;
The monitoring and warning module is used for enabling data after secondary encryption of the longitudinal encryption device of the security access area to enter the security I area through the positive and negative isolation device after detection of intrusion detection equipment, network security monitoring equipment and malicious code prevention equipment; and if the intrusion detection equipment, the network security monitoring equipment and the malicious code prevention equipment find unsafe data, blocking and giving out a warning.
7. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 5 when the computer program is executed.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 5.
CN202311289276.1A 2023-09-28 2023-09-28 Method and system for protecting safety of safety access area system Active CN117390637B (en)

Publications (2)

Publication Number Publication Date
CN117390637A CN117390637A (en) 2024-01-12
CN117390637B true CN117390637B (en) 2024-05-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant