CN103634296A - Intelligent electricity network attack detection method based on physical system and information network abnormal data merging - Google Patents

Info

Publication number: CN103634296A
Authority: CN (China)
Prior art keywords: node, abnormality degree, network, information, attack
Legal status: Granted, Active
Application number: CN201310549061.9A
Other languages: Chinese (zh)
Other versions: CN103634296B (en)
Inventors: 刘烃, 管晓宏, 刘杨, 赵宇辰, 孙鸿, 桂宇虹
Current Assignee: Xian Jiaotong University
Original Assignee: Xian Jiaotong University
Application filed by: Xian Jiaotong University
Landscapes: Data Exchanges In Wide-Area Networks
Abstract

The invention provides a smart grid attack detection method based on fusing abnormal data from the physical system and the information network. The method comprises the following steps: (1) at the physical layer, the abnormality degree of each node's electric power data is calculated from the power monitoring data of the smart grid; (2) at the information layer, an intrusion detection system monitors communication traffic and generates alerts for abnormal traffic, and the abnormality degree of network communication is calculated for each node of the system; (3) based on the node ID-IP (identity to Internet Protocol address) mapping table, the abnormality degrees of each node's electric power data and network communication are correlated, and it is judged whether each node is under attack. Because the physical layer and the information layer of a smart grid are tightly coupled, the method combines the traditional power grid abnormal data detection method with the attack detection method of information systems, and can significantly improve the precision of attack detection in the smart grid.

Description

Smart grid attack detection method based on the fusion of physical system and information network abnormal data
Technical field:
The present invention relates to the field of smart grid attack detection, and in particular to a smart grid attack detection method based on the fusion of abnormal data from the physical system and the information network.
Background:
A smart grid uses information network technology to monitor in real time and optimally control the generation, transmission, distribution and consumption equipment of a conventional power network. It enables a two-way flow of information and electric power and serves goals such as energy saving, emission reduction and improved stability. However, while information network technology brings convenience, it also introduces new security threats. In a conventional power network, an attacker disrupts and interferes with the grid mainly by damaging its physical infrastructure. In a smart grid, an attacker can attack grid equipment through the information network and tamper with data so that the grid's data become erroneous, which causes errors in grid state monitoring and decision-making and thereby achieves the attacker's goal. This kind of attack penetrates from the information layer into the physical layer and is associated with both layers at the same time.
Detection methods for smart grid attacks have therefore been proposed. Current methods fall mainly into two classes:
1) The detection method used in the traditional grid: grid state estimation and normalized residual detection (RN detection).
2) The detection method used in information networks: attack detection by an intrusion detection system, with analysis based on alerts.
In the RN detection method used by the traditional grid, the data of different nodes are tightly coupled, so the false positive rate after calculation is very high. It may well happen that node i is attacked, yet attacks are detected at several nodes other than i while no attack is detected at node i itself. Lowering the decision threshold of RN detection reduces false negatives but raises the false positive rate; raising the threshold reduces the false positive rate but raises the false negative rate. A trade-off between the two is unavoidable: changing the RN detection threshold alone cannot reduce the false positive rate and the false negative rate at the same time.
The intrusion detection method used in information networks first matches communication packets against features to produce alerts, then computes the threat degree of each node from the threat degrees of its alerts, and decides from the size of the threat degree whether the node is under attack. An intrusion detection system also has to trade off the false negative rate against the false positive rate. In practice, in order to keep the false negative rate as low as possible (in a real system a missed attack is a much greater threat than a false alarm), the system is left with a very high false positive rate, and the excess of attack alarms makes handling them very difficult.
Summary of the invention:
The object of the present invention is to provide a smart grid attack detection method based on the fusion of physical system and information network abnormal data, so as to overcome the above limitations of performing smart grid attack detection from the physical layer or the information layer alone.
The object of the present invention is achieved through the following technical solution:
A smart grid attack detection method based on the fusion of physical system and information network abnormal data, comprising the following steps:
Step S1: The smart grid control centre performs abnormal data detection on the power measurements reported by each measurement node of the grid, and obtains the abnormality degree of each smart grid node at the physical layer;
Step S2: The intrusion detection system deployed in the smart grid generates information-layer alerts; the abnormality degree of these alerts is computed and used to compute the abnormality degree of each smart grid node at the information layer;
Step S3: The physical-layer and information-layer abnormality degrees of each node are standardized and matched by association, and the resulting abnormality degree vector is tested to decide whether each node is under attack.
In a further refinement of the present invention, step S1 comprises the following steps:
Step S101: From the measured values z of each measurement node of the grid, perform state estimation of the power system by weighted least squares to compute the estimate of the true state of the grid; the objective function of the estimation is
Figure BDA0000410143640000032
where the measurement vector z comprises node active power and node reactive power; x is the state of the grid, comprising voltage magnitudes and voltage phase angles; e is the measurement error; h is the function that computes z from x, determined by the grid topology and line impedance parameters, so that z = h(x) + e; R is the error matrix, whose diagonal elements are the variances of each node's measurement error and whose other elements are zero;
Step S102: From
Figure BDA0000410143640000033
compute the estimated measurement values of the system
Figure BDA0000410143640000034
Step S103: Compute the deviation between the estimated measurement values
Figure BDA0000410143640000035
and the actual measurements z as the physical-layer abnormality degree. With id denoting the node number, the physical-layer abnormality degree of node id at time t is written $AP(id,t) = z_{id} - \hat{z}_{id}$.
In a further refinement of the present invention, step S2 comprises the following steps:
Step S201: A rule-based intrusion detection system filters and analyses the data communication it monitors, produces alerts according to the rules preset in the intrusion detection system, and stores them in the alert log database;
Step S202: Compute the threat degree of each alert: $m(ip,j,t) = k^{priority(AC(ip,t,j))}$, where $m(ip,j,t)$ is the threat degree of the j-th alert at time t for the node with network address ip; k is a constant with value 3 or 5; and $priority(AC(ip,t,j))$ is the threat level of the j-th alert at time t for the node with network address ip, an integer from 1 to 5;
Step S203: Compute the threat degree of each node from the threat degrees of its alerts:
The information-layer abnormality degree of a node is computed as:
$$AC(ip,t) = \sum_{j=1}^{NumAC(ip,t)} m(ip,j,t) = \sum_{j=1}^{NumAC(ip,t)} k^{priority(AC(ip,t,j))}$$
where NumAC(ip, t) is the total number of alerts within [t, t+T) whose destination network address is the node ip, and T is the sampling interval; AC(ip, t) is the abnormality degree at time t of the node whose network destination address is ip; AC(ip, t, j) is the j-th alert at time t for the node with network address ip, with 1 ≤ j ≤ NumAC(ip, t).
In a further refinement of the present invention, step S202 extracts from the alert log database the alerts produced during the time period to be examined and analyses them. The data format to be analysed is <ip_src, ip_dst, timestamp, sig_id, sig_name, sig_priority>, where ip_src is the network source address of the packet; ip_dst is the network destination address of the packet; timestamp is the timestamp; sig_id is the number of the event; sig_name describes the specific features of the event; and sig_priority is the threat level of the event, in the range 1 to 5.
In a further refinement of the present invention, each ip in step S2 corresponds to one physical node.
In a further refinement of the present invention, step S3 comprises the following steps:
Steps S301, S302: Standardize the physical-layer abnormality degree and the information-layer abnormality degree of each node separately;
Step S303: Based on the node number to network address mapping table, generate the associated abnormality degree vector
Figure BDA0000410143640000042
Step S304: Using significance testing, construct an acceptance region and a critical region, perform attack detection on the abnormality degree vector, and output for each node whether it is under attack.
In a further refinement of the present invention, the standardization uses the Z-score method: for a sample X, the standardized sample is
Figure BDA0000410143640000044
where μ is the mean of sample X and σ is the standard deviation of sample X. After standardization, the physical abnormality degree and the information abnormality degree of a node are respectively
Figure BDA0000410143640000051
and
In a further refinement of the present invention, the acceptance region in step S304 is S1 or S2:
$S_1 = \{(AP_i, AC_i) \mid AP_i + AC_i < \Omega_1\}$
$S_2 = \{(AP_i, AC_i) \mid AP_i \cdot AC_i < \Omega_2\}$
If the test sample lies outside the acceptance region, the system has been attacked; otherwise the system has not been attacked. Here the associated abnormality degree vector
Figure BDA0000410143640000053
is abbreviated as $(AP_i, AC_i)$.
In a further refinement of the present invention, $\Omega_1$ and $\Omega_2$ both take the value 2.25.
Compared with the prior art, the present invention has the following advantages:
(1) The present invention combines the physical-layer and information-layer attack detection methods that were previously used separately. The false positive and false negative rates of conventional physical detection are both unsatisfactory, and information-layer detection inevitably has a high false positive rate in order to keep the false negative rate low. Fusing the two effectively improves the detection result and raises detection precision.
(2) The present invention builds on the existing physical-layer and information-layer detection and performs hypothesis testing on the combined physical-layer and information-layer abnormality degrees. Compared with the original methods, its computational complexity is essentially the same as when the two methods are each used separately.
(3) The present invention is an improvement on the basis of the existing physical-layer and information-layer detection methods. It can reuse the infrastructure of the original methods, needs no extra hardware overhead, and adapts well.
Attack detection from the physical layer alone or from the information layer alone is limited in effect. To address this, the present invention proposes a better attack detection method that uses the physical-layer and information-layer data of the smart grid at the same time. Because an attack is associated with both the information layer and the physical layer, the information from the two is combined so that each complements the other. The computational cost of the algorithm is low, and at very small cost it achieves better detection precision than detection from the physical layer or the information layer alone.
Description of the drawings
Fig. 1 is a schematic diagram of the overall flow of the smart grid attack detection method of the present invention based on the fusion of physical system and information network abnormal data;
Fig. 2 is a flow chart of the generation of the physical-layer abnormality degree of each smart grid node;
Fig. 3 is a flow chart of the generation of the information-layer abnormality degree of each smart grid node;
Fig. 4 is a flow chart of attack detection based on the fusion of physical-layer and information-layer data;
Fig. 5 is the structure diagram of the IEEE 14-bus standard test case.
Embodiment
The embodiment of the smart grid attack detection method of the present invention based on the fusion of physical and information data is described in detail below with reference to the drawings.
Fig. 5 is the system structure diagram of the IEEE 14-bus standard test case, which comprises 14 nodes (buses) and 20 branches. The test case is simulated in MATLAB using MATPOWER. The attack is constructed as follows: node 13 is attacked, and the active power of this node is changed to 1.5 times its original value. Information-layer alerts are generated by the following rule: when there is no attack, the number of alerts follows a binomial distribution with a very small probability parameter, and the threat level of an alert follows another binomial distribution whose probability is likewise very small; for the attacked node 13, the probabilities of the alert-count and alert-threat-level distributions are correspondingly larger.
Fig. 1 is the overall flow chart of the smart grid attack detection method based on the fusion of physical network and information network abnormal data. It shows the basic framework of the method, whose steps are:
S1: The smart grid control centre performs abnormal data detection on the power measurements reported by each measurement node of the grid's physical network, and obtains the abnormality degree of each smart grid node at the physical layer.
S2: The intrusion detection system deployed in the smart grid generates information-layer alerts; the abnormality degree of these alerts is computed and used to compute the abnormality degree of each smart grid node at the information layer.
S3: The physical-layer and information-layer abnormality degrees of each node are standardized and matched by association, and the resulting abnormality degree vector is tested to decide whether each node is under attack.
With reference to Fig. 2, the generation of the physical-layer abnormality degree of each smart grid node in step S1 comprises the following steps:
Step S101: From the measured values z of each measurement node of the grid, perform state estimation of the power system by weighted least squares (WLS) to compute the estimate of the true state of the grid
Figure BDA0000410143640000071
The objective function of the estimation is
Figure BDA0000410143640000072
where the measurement vector z comprises node active power and node reactive power, with z = h(x) + e; x is the state of the grid, comprising voltage magnitudes and voltage phase angles; e is the measurement error; h is the function that computes z from x, which is determined by the grid topology and line impedance parameters and is a known quantity; R is the measurement error matrix (its diagonal elements are the variances of each node's measurement error and all other elements are zero), and $R^{-1}$ is the weight matrix: the larger a node's measurement error, the smaller the weight assigned to it.
Step S102: From
Figure BDA0000410143640000073
compute the estimated measurement values of the system
Figure BDA0000410143640000074
Step S103: Compute the deviation between the estimated measurement values
Figure BDA0000410143640000075
and the actual measurements z as the physical-layer abnormality degree. With id denoting the node number, the physical-layer abnormality degree of node id at time t is written $AP(id,t) = z_{id} - \hat{z}_{id}$.
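The residual coupling described in the background (tampering with one measurement raises the residuals of others) can be reproduced with steps S101 to S103. The following is an added example, not code from the patent; it assumes a linear measurement model z = Hx + e in place of the nonlinear h(x), and the matrix H, the variances and the state values are constructed for illustration.

```python
"""Physical-layer abnormality degree AP = z - z_hat from a linear WLS state estimate."""


def solve(a, b):
    """Solve the square system a x = b by Gaussian elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]       # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("gain matrix is singular: the state is not observable")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(m[i][c] * x[c] for c in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def wls_estimate(H, z, variances):
    """Return x_hat minimising (z - Hx)^T R^-1 (z - Hx) with R = diag(variances)."""
    n_meas, n_state = len(H), len(H[0])
    w = [1.0 / v for v in variances]                        # diagonal of R^-1
    gain = [[sum(H[k][i] * w[k] * H[k][j] for k in range(n_meas))
             for j in range(n_state)] for i in range(n_state)]    # H^T R^-1 H
    rhs = [sum(H[k][i] * w[k] * z[k] for k in range(n_meas))
           for i in range(n_state)]                         # H^T R^-1 z
    return solve(gain, rhs)


def physical_abnormality(H, z, variances):
    """AP per measurement: observed value minus the value implied by x_hat."""
    x_hat = wls_estimate(H, z, variances)
    z_hat = [sum(h * x for h, x in zip(row, x_hat)) for row in H]
    return [zi - zh for zi, zh in zip(z, z_hat)]


# Constructed example (not from the patent): 2 state variables, 4 measurements.
H = [[1.0, 0.0],
     [0.0, 1.0],
     [1.0, -1.0],
     [1.0, 1.0]]
VARIANCES = [0.01, 0.01, 0.01, 0.01]
X_TRUE = [0.10, -0.05]
Z_CLEAN = [sum(h * x for h, x in zip(row, X_TRUE)) for row in H]


def tampered(index, delta):
    """Copy of the clean measurements with `delta` added to one of them."""
    z = list(Z_CLEAN)
    z[index] += delta
    return z


if __name__ == "__main__":
    clean = physical_abnormality(H, Z_CLEAN, VARIANCES)
    attacked = physical_abnormality(H, tampered(2, 0.3), VARIANCES)
    print("clean   :", [round(r, 3) for r in clean])
    print("tampered:", [round(r, 3) for r in attacked])
```

With equal weights, the tampered measurement (index 2) and two untouched measurements all end up with a residual of magnitude 0.1, so the residual alone does not single out the manipulated value.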
With reference to Fig. 3, the generation of the information-layer abnormality degree of each smart grid node comprises the following steps:
Step S201: A rule-based intrusion detection system filters and analyses the data communication it monitors, produces alerts according to the rules preset in the intrusion detection system, and stores them in the alert log database;
Step S202: Compute the threat degree of each alert. The alerts produced during the time period to be examined are extracted from the alert log database and analysed. The data format to be analysed is <ip_src, ip_dst, timestamp, sig_id, sig_name, sig_priority>, where ip_src is the network source address of the packet; ip_dst is the network destination address of the packet; timestamp is the timestamp; sig_id is the number of the event; sig_name describes the specific features of the event; and sig_priority is the threat level of the event, in the range 1 to 5, where a larger value means a higher alert threat level.
Let the sampling interval be T. At time t, the alerts within [t, t+T) are extracted from the log database for calculation. Let NumAC(ip, t) be the total number of alerts within [t, t+T) whose destination network address ip_dst is ip (each ip corresponds to one physical node); AC(ip, t) is the abnormality degree at time t of the node whose network destination address is ip; AC(ip, t, j) is the j-th alert at time t for the node with network address ip, with 1 ≤ j ≤ NumAC(ip, t). The abnormality degree of an alert is computed as $m(ip,j,t) = k^{priority(AC(ip,t,j))}$, where k is a constant with value 3 or 5, and $priority(AC(ip,t,j))$ is the threat level of the j-th alert at time t for the node with network address ip, an integer from 1 to 5.
Step S203: Compute the threat degree of each node from the threat degrees of its alerts.
The information-layer abnormality degree of a node is computed as:
$$AC(ip,t) = \sum_{j=1}^{NumAC(ip,t)} m(ip,j,t) = \sum_{j=1}^{NumAC(ip,t)} k^{priority(AC(ip,t,j))}$$
With reference to Fig. 4, the attack detection flow based on the fusion of physical-layer and information-layer data comprises the following steps:
Steps S301, S302: Standardize the physical-layer abnormality degree and the information-layer abnormality degree of each node separately, in preparation for fusion. The standardization uses the Z-score method: for a sample X the standardized sample is formed, where μ is the mean of sample X and σ is the standard deviation of sample X. After standardization, the physical abnormality degree and the information abnormality degree of a node are respectively
Figure BDA0000410143640000083
and
Step S303: Based on the node number to network address (ID-IP) mapping table, generate the associated abnormality degree vector
Figure BDA0000410143640000091
Step S304: Using significance testing, construct an acceptance region and a critical region, perform attack detection on the abnormality degree vector, and output for each node whether it is under attack.
In step S304, significance testing is used: under the hypothesis that the system is not under attack, an acceptance region S is set. If the test sample lies outside the acceptance region, the null hypothesis is considered false and the conclusion is that the system has been attacked; otherwise the system is considered not to be under attack. The associated abnormality degree vector
Figure BDA0000410143640000093
is abbreviated as $(AP_i, AC_i)$, and the acceptance region is set in each of the following two ways:
1) $S_1 = \{(AP_i, AC_i) \mid AP_i + AC_i < \Omega_1\}$
2) $S_2 = \{(AP_i, AC_i) \mid AP_i \cdot AC_i < \Omega_2\}$
Detection was run with the physical-system abnormal data detection method alone (threshold set to 2.5), the information-network abnormal data detection method alone (threshold set to 2.5), and the attack detection method of the present invention based on the fusion of physical system and information network abnormal data (with $\Omega_1$ and $\Omega_2$ both 2.25). The results are shown in Table 1, where data detected as abnormal are shown in bold and underlined.
Table 1: Attack detection results for the IEEE 14-bus standard test case
Figure BDA0000410143640000094
As Table 1 shows, with the physical-system abnormal data detection method alone, the abnormality degrees of nodes 12 and 19 exceed the threshold and an attack is detected (false positives), while no attack is detected at node 13 (false negative). With the information-network abnormal data detection method alone, node 13 is successfully detected (correct alarm), but an attack is also detected at node 16 (false positive). Both fusion-based methods successfully detect the attack on node 13 (correct alarm). The results show that, compared with using physical system abnormal data or information network abnormal data alone, the fusion-based method effectively reduces the false positive rate and the false negative rate and improves detection precision.
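Steps S202 to S304 can be followed end to end on a small data set. The following is an added example, not code from the patent: the 14 node IDs, IP addresses, residuals and alerts are constructed, and it assumes that the alert score is k raised to the priority, that σ is the population standard deviation, that the magnitude of the residual is standardized, and that a value equal to Ω counts as outside the acceptance region.

```python
"""Steps S202-S304 on constructed data: alert scoring, Z-score, ID-IP join, fusion test."""
from collections import defaultdict
from statistics import mean, pstdev

K = 3                # constant k of step S202 (the page allows 3 or 5)
OMEGA = 2.25         # Omega_1 = Omega_2 = 2.25 in the page's embodiment
SINGLE_LAYER = 2.5   # threshold the page uses when one layer is tested alone


def information_abnormality(alerts, t, T, k=K):
    """AC(ip, t): sum of k ** priority over alerts with ip_dst == ip in [t, t+T)."""
    ac = defaultdict(float)
    for alert in alerts:
        if not t <= alert["timestamp"] < t + T:
            continue                                  # outside the sampling interval
        priority = alert["sig_priority"]
        if priority not in (1, 2, 3, 4, 5):
            raise ValueError(f"priority outside 1-5: {priority!r}")
        ac[alert["ip_dst"]] += k ** priority
    return dict(ac)


def zscore(values):
    """Z-score standardisation; a constant sample maps to all zeros."""
    mu, sigma = mean(values), pstdev(values)          # assumption: population sigma
    if sigma == 0:
        return [0.0 for _ in values]
    return [(v - mu) / sigma for v in values]


def detect(ap_by_id, ac_by_ip, id_to_ip, omega=OMEGA, single=SINGLE_LAYER):
    """Join both layers through the ID-IP table and test each node."""
    ids = sorted(ap_by_id)
    missing = [i for i in ids if i not in id_to_ip]
    if missing:
        raise KeyError(f"no IP mapping for node ids {missing}")
    # Assumption: use |AP| so that a deviation in either direction counts.
    ap = zscore([abs(ap_by_id[i]) for i in ids])
    # A node with no alerts in the window has information abnormality 0.
    ac = zscore([ac_by_ip.get(id_to_ip[i], 0.0) for i in ids])
    report = {"physical_only": set(), "information_only": set(),
              "fusion_sum": set(), "fusion_product": set()}
    for node, p, c in zip(ids, ap, ac):
        if p >= single:
            report["physical_only"].add(node)
        if c >= single:
            report["information_only"].add(node)
        if p + c >= omega:                            # outside acceptance region S1
            report["fusion_sum"].add(node)
        if p * c >= omega:                            # outside acceptance region S2
            report["fusion_product"].add(node)
    return report


def make_alert(dst, ts, priority):
    """Constructed alert record in the <ip_src, ip_dst, ...> format of step S202."""
    return {"ip_src": "192.0.2.10", "ip_dst": dst, "timestamp": ts,
            "sig_id": 0, "sig_name": "constructed", "sig_priority": priority}


# Constructed sample data (not from the page): 14 nodes, node 13 is the attacked one.
ID_TO_IP = {i: f"10.0.0.{i}" for i in range(1, 15)}
AP_RESIDUALS = {i: 0.01 for i in range(1, 15)}
AP_RESIDUALS.update({3: -0.01, 8: -0.01, 12: 0.11, 13: 0.10})
ALERTS = [
    make_alert("10.0.0.13", 105, 4), make_alert("10.0.0.13", 130, 3),
    make_alert("10.0.0.6", 110, 4), make_alert("10.0.0.6", 111, 2),
    make_alert("10.0.0.6", 112, 2), make_alert("10.0.0.2", 150, 1),
    make_alert("10.0.0.12", 40, 5),                   # before the window: ignored
]


def run_example():
    """Score the window [100, 160) and run all four detectors."""
    ac = information_abnormality(ALERTS, t=100, T=60)
    return ac, detect(AP_RESIDUALS, ac, ID_TO_IP)


if __name__ == "__main__":
    scores, result = run_example()
    for name, nodes in result.items():
        print(f"{name:17s} {sorted(nodes)}")
```

On this data the physical layer alone flags node 12 and misses node 13, while both fusion rules flag only node 13. The product rule as written is also large when both standardized scores are strongly negative, so an implementation may want to check the signs before applying it.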

Claims (9)

1. A smart grid attack detection method based on the fusion of physical system and information network abnormal data, characterized in that it comprises the following steps:
Step S1: The smart grid control centre performs abnormal data detection on the power measurements reported by each measurement node of the grid, and obtains the abnormality degree of each smart grid node at the physical layer;
Step S2: The intrusion detection system deployed in the smart grid generates information-layer alerts; the abnormality degree of these alerts is computed and used to compute the abnormality degree of each smart grid node at the information layer;
Step S3: The physical-layer and information-layer abnormality degrees of each node are standardized and matched by association, and the resulting abnormality degree vector is tested to decide whether each node is under attack.
2. The method according to claim 1, characterized in that step S1 comprises the following steps:
Step S101: From the measured values z of each measurement node of the grid, perform state estimation of the power system by weighted least squares to compute the estimate of the true state of the grid
Figure FDA0000410143630000011
the objective function of the estimation being
Figure FDA0000410143630000012
where the measurement vector z comprises node active power and node reactive power; x is the state of the grid, comprising voltage magnitudes and voltage phase angles; e is the measurement error; h is the function that computes z from x, determined by the grid topology and line impedance parameters, so that z = h(x) + e; R is the error matrix, whose diagonal elements are the variances of each node's measurement error and whose other elements are zero;
Step S102: Compute the estimated measurement values of the system
Figure FDA0000410143630000014
Step S103: Compute the deviation between the estimated measurement values
Figure FDA0000410143630000015
and the actual measurements z as the physical-layer abnormality degree; with id denoting the node number, the physical-layer abnormality degree of node id at time t is written $AP(id,t) = z_{id} - \hat{z}_{id}$.
3. The method according to claim 1, characterized in that step S2 comprises the following steps:
Step S201: A rule-based intrusion detection system filters and analyses the data communication it monitors, produces alerts according to the rules preset in the intrusion detection system, and stores them in the alert log database;
Step S202: Compute the threat degree of each alert: $m(ip,j,t) = k^{priority(AC(ip,t,j))}$, where $m(ip,j,t)$ is the threat degree of the j-th alert at time t for the node with network address ip; k is a constant with value 3 or 5; and $priority(AC(ip,t,j))$ is the threat level of the j-th alert at time t for the node with network address ip, an integer from 1 to 5;
Step S203: Compute the threat degree of each node from the threat degrees of its alerts:
The information-layer abnormality degree of a node is computed as:
$$AC(ip,t) = \sum_{j=1}^{NumAC(ip,t)} m(ip,j,t) = \sum_{j=1}^{NumAC(ip,t)} k^{priority(AC(ip,t,j))}$$
where NumAC(ip, t) is the total number of alerts within [t, t+T) whose destination network address is the node ip, and T is the sampling interval; AC(ip, t) is the abnormality degree at time t of the node whose network destination address is ip; AC(ip, t, j) is the j-th alert at time t for the node with network address ip, with 1 ≤ j ≤ NumAC(ip, t).
4. The method according to claim 3, characterized in that step S202 extracts from the alert log database the alerts produced during the time period to be examined and analyses them; the data format to be analysed is <ip_src, ip_dst, timestamp, sig_id, sig_name, sig_priority>, where ip_src is the network source address of the packet; ip_dst is the network destination address of the packet; timestamp is the timestamp; sig_id is the number of the event; sig_name describes the specific features of the event; and sig_priority is the threat level of the event, in the range 1 to 5.
5. The method according to claim 4, characterized in that each ip in step S2 corresponds to one physical node.
6. The method according to claim 1, characterized in that step S3 comprises the following steps:
Steps S301, S302: Standardize the physical-layer abnormality degree and the information-layer abnormality degree of each node separately;
Step S303: Based on the node number to network address mapping table, generate the associated abnormality degree vector
Figure FDA0000410143630000031
Step S304: Using significance testing, construct an acceptance region and a critical region, and on the abnormality degree vector
Figure FDA0000410143630000032
perform attack detection, outputting for each node whether it is under attack.
7. The method according to claim 6, characterized in that the standardization uses the Z-score method: for a sample X, the standardized sample is
Figure FDA0000410143630000033
where μ is the mean of sample X and σ is the standard deviation of sample X; after standardization, the physical abnormality degree and the information abnormality degree of a node are respectively
Figure FDA0000410143630000034
and
Figure FDA0000410143630000035
8. The method according to claim 7, characterized in that the acceptance region in step S304 is S1 or S2:
$S_1 = \{(AP_i, AC_i) \mid AP_i + AC_i < \Omega_1\}$
$S_2 = \{(AP_i, AC_i) \mid AP_i \cdot AC_i < \Omega_2\}$
If the test sample lies outside the acceptance region, the system has been attacked; otherwise the system has not been attacked; here the associated abnormality degree vector is abbreviated as $(AP_i, AC_i)$.
9. The method according to claim 8, characterized in that $\Omega_1$ and $\Omega_2$ both take the value 2.25.
CN201310549061.9A 2013-11-07 2013-11-07 Intelligent electricity network attack detection method based on physical system and information network abnormal data merging Active CN103634296B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310549061.9A CN103634296B (en) 2013-11-07 2013-11-07 Intelligent electricity network attack detection method based on physical system and information network abnormal data merging

Publications (2)

Publication Number Publication Date
CN103634296A true CN103634296A (en) 2014-03-12
CN103634296B CN103634296B (en) 2017-02-08

Family

ID=50214924

Country Status (1)

Country Link
CN (1) CN103634296B (en)

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant