CN106685928A - SMV (sampled measured value) network attack grading detection method applicable to digital substation bay level - Google Patents
- Publication number: CN106685928A
- Application number: CN201611108354.3A
- Authority: CN (China)
- Prior art keywords: data, smv, detection, packet, intrusion
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses an SMV (sampled measured value) network attack graded detection method applicable to the bay level of a digital substation. The method comprises the steps of packet decryption, packet filtering, packet parsing, MAC (media access control) address anomaly detection, specification-based intrusion detection, and detection based on historical event data. In a final step, the detection results are classified and written to the normal event log and the alarm log, and stored after evidence of the anomaly has been collected; an anomaly evaluation index is calculated from the intrusion data; and the alarm, the intrusion data and the anomaly evaluation index are sent to the master station or displayed as a local alarm. Because the method provides indicators for a range of abnormal states, including MAC address anomaly, SMV bad data, packet logic detection, data traffic threshold anomaly, similarity to a primary fault, similarity to a network attack, forgery of uploaded SMV and tampering of uploaded SMV, the form of an intrusion and its possible location can be determined quickly, and the dispatch-side operation monitoring personnel can be informed quickly.
Description
Technical field
The present invention relates to a graded network attack detection method for SMV messages at the bay level of a digital substation, and belongs to the field of power system information security.
Background
SMV (Sampled Measured Values) messages carry raw sampled data and are a true reflection of how the power system's equipment is operating. Substations place very strict real-time requirements on SMV transmission (it must not exceed 4 ms), and current MUs (Merging Units) usually apply no information security protection to SMV, so there is a high probability of false data injection attacks. If protection-class SMV messages are maliciously tampered with or replayed, the relay protection system may malfunction or trip, causing serious accidents. Measurement-and-control-class SMV messages are the main basis for state estimation in the control center's data acquisition and monitoring system (SCADA/EMS); if they are maliciously tampered with or replayed, SCADA/EMS may make wrong or even dangerous decisions.
Information security intrusion detection and forensics technology is a theory and technique for judging and making decisions about a dynamic system by comparing predefined performance indicators. It is regarded as a prerequisite for improving information security defense and has received close attention in every field. When a system suffers an attack of unknown type, the intrusion detection system should locate the attack position and identify the attack type as accurately as possible, and should obtain evidence of the attack before the attacking software can remove its traces. This helps grid information security personnel analyze the characteristics of the attack and formulate corresponding defense strategies as early as possible, so that other regional grids do not suffer similar attacks.
In recent years, experts and scholars at home and abroad have made substantial contributions to power system information security. Representative examples include: 1) Idaho National Laboratory built the SCADA information security test system/platform NSTB (National SCADA TestBed) from actual smart grid generation and transmission devices/systems and standard industrial software. 2) The University of Arizona used the OPNET network simulation software and the PowerWorld power system simulation software to build a SCADA control system information security analysis test platform/system (testbed for analyzing security of SCADA control system, TASSCS) for anomaly detection (such as intrusion detection) research. 3) The European CRUTIAL project developed two different smart grid information security test platforms/systems for studying the impact of various network attacks.
In recent years considerable work has also been done domestically on building joint power and information simulation platforms. For example, in 2003 Dr. K. M. Hopkinson, Prof. J. S. Thorp and Dr. Wang Xiaoru jointly developed the power and communication synchronized simulation platform (EPOCHS), which uses power system analysis and simulation software such as PSCAD, PSS/E and PSLF as the power system simulation tools and the communication network simulation software NS2 as the communication system simulation tool, with the aim of simulating the process of a network attack. In recent years, units in China such as Nanrui Group Co., the Central China University of Science and Technology and Southeast China University have also carried out preliminary studies of joint simulation platforms, building a joint simulation platform from power system simulation software and the network simulation software package (OPNET) in an attempt to explore the characteristics of network attacks.
In view of this, the inventors studied the problem and specially developed an SMV network attack graded detection method applicable to the bay level of a digital substation, from which the present application arises.
Summary of the invention
The object of the present invention is to provide an SMV network attack graded detection method applicable to the bay level of a digital substation.
To achieve this object, the solution of the present invention is:
An SMV network attack graded detection method applicable to the bay level of a digital substation, comprising the following steps:
Step 1. Packet decryption: verify the digital signature of SMV packets that have been digitally signed by the MU, and process the packets according to the encryption/decryption rules;
Step 2. Packet filtering: select the SMV packets by the distinctive MVC (multicast MAC) start address of SMV packets;
Step 3. Packet parsing: strip the outer MAC address protocol layer of the SMV packet, extract the data in the packet, and send the MAC address and the packet data to the packet anomaly detection module;
Step 4. MAC address anomaly detection: every MAC address that reaches the intrusion detection module must strictly conform to the predefined address acceptance table; as soon as a MAC address appears that does not match the address library, the detection indicator $\gamma_{MAC}$ is set to true, an alarm is raised immediately and the data is discarded;
Step 5. Specification-based intrusion detection: mainly covers trip-causing data, bad data, logic violations, traffic-threshold-exceeded alarms, etc.;
Step 6. Detection based on historical event data: check whether the current sampled data meets the trigger conditions of a historical event, such as an overcurrent, overvoltage or short-circuit fault historical event; if so, set the primary fault indicator $\gamma_{lsft}$ to true. Then check whether the sampled data matches a historical network attack data model; if so, set the historical intrusion indicator $\gamma_{lsit}$ to true, and so on.
Step 7. Finally, the detection results are classified and written to the normal event log and the alarm log, and saved after evidence of the anomaly has been collected; the anomaly evaluation index $\nu_n$ is calculated from the intrusion data; the alarm, the intrusion data and the anomaly evaluation index $\nu_n$ are sent up to the master station, or an alarm is displayed locally.
The SMV network attack graded detection method of the present invention provides a range of anomaly indicators, including MAC address anomaly, SMV bad data, packet logic detection, data traffic threshold anomaly, similarity to a primary fault, similarity to a network attack, forgery of uploaded SMV and tampering of uploaded SMV. These make it quick and easy to determine the form of an attack and its possible position, so that the dispatch-side operation monitoring personnel can be informed quickly.
The present invention is described in further detail below with reference to the drawings and a specific embodiment.
Description of the drawings
Fig. 1 is a block diagram of the specification-based SMV data detection module of this embodiment;
Fig. 2 is a flow chart of the SMV message integrity and digital signature authentication process of this embodiment.
Detailed description of the embodiment
As shown in Fig. 1, an SMV network attack graded detection method applicable to the bay level of a digital substation comprises the following steps:
Step 1. Packet decryption: verify the digital signature of SMV packets that have been digitally signed by the MU, and process the packets according to the encryption/decryption rules;
Step 2. Packet filtering: because GOOSE/SMV has very strict real-time requirements, GOOSE/SMV messages pass directly from the application layer to the data link layer without using the UDP/TCP/IP protocols; SMV packets therefore have to be selected by the distinctive MVC (multicast MAC) start address of SMV packets;
Step 3. Packet parsing: strip the outer MAC address protocol layer of the SMV packet, extract the data in the packet, and send the MAC address and the packet data to the packet anomaly detection module.
Step 4. MAC address anomaly detection: every MAC address that reaches the intrusion detection module must strictly conform to the predefined address acceptance table; as soon as a MAC address appears that does not match the address library, the detection indicator $\gamma_{MAC}$ is set to true, an alarm is raised immediately and the data is discarded;
Step 5. Specification-based intrusion detection: mainly covers trip-causing data, bad data, logic violations, traffic-threshold-exceeded alarms, etc.;
Step 6. Detection based on historical event data: check whether the current sampled data meets the trigger conditions of a historical event, such as an overcurrent, overvoltage or short-circuit fault historical event; if so, set the primary fault indicator $\gamma_{lsft}$ to true. Then check whether the sampled data matches a historical network attack data model; if so, set the historical intrusion indicator $\gamma_{lsit}$ to true, and so on.
Step 7. Finally, the detection results are classified and written to the normal event log and the alarm log, and saved after evidence of the anomaly has been collected; the anomaly evaluation index $\nu_n$ is calculated from the intrusion data; the alarm, the intrusion data and the anomaly evaluation index $\nu_n$ are sent up to the master station, or an alarm is displayed locally.
The digital signature used in this embodiment guarantees the integrity of transmitted information, authenticates the sender's identity and prevents repudiation in information exchange, while also balancing real-time performance and security; it is therefore regarded as an effective security measure for intra-substation communication. The most critical information in the whole SMV message, and the information outsiders most want to intercept, is the first 4 B of each electrical quantity in the DataSet field in the latter half of each application service data unit (ASDU). As long as the confidentiality of this part is ensured, the essential information of the SMV message is not disclosed. To reduce the time spent on cryptographic computation, only the key content of the sampled message is digitally signed, which improves the real-time performance of message transmission. This embodiment uses the SM2 scheme for digital signature authentication and, to reduce time consumption, performs hardware encryption with the Huada Xin'an SSM0901 encryption chip. Quantitative calculation of the encryption time and OPNET simulation of the transmission delay confirm that the result meets the requirement of the IEC 62351 communication system standard that the SMV message transmission delay be less than 4 ms.
SMV threshold anomaly detection algorithm: this embodiment brings the measurement state estimation algorithm of SCADA/EMS into the local SVDE and performs a local secondary state estimation, which satisfies the verifiability property of the information.
The bad data detection algorithm is based on the following DC power flow state estimation model:

$$z = Hx + e \tag{1}$$

where the measurement matrix $H_{m \times n}$ is a constant Jacobian matrix. Normally the number of sensor measurements is greater than the number of state variables, i.e. $m > n$. $x$ is the state to be estimated and $e$ is the measurement error.
Based on the redundant measurements, the state estimation problem is solved here by the weighted least squares method: the objective function $J(x)$ is minimized to obtain the state estimate. Its expression is:

$$J(x) = (z - Hx)^{T} W (z - Hx) \tag{2}$$

where $W$ is a diagonal matrix related to the systematic error, and the least squares method solves for the minimum.
When the threshold test holds ($C$ is the threshold), the measurement vector contains bad data. The variable with the largest estimation error is filtered out of the measurement vector, the bad data detection indicator $\gamma_{bl}$ is set to true, and state estimation is repeated until the bad data detection is passed.
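The estimate-test-remove loop described above can be sketched as follows. This is an added example, not code from the patent. It assumes the standard weighted least squares solution $\hat{x} = (H^{T} W H)^{-1} H^{T} W z$, assumes the threshold test is $J(\hat{x}) > C$, and takes "largest estimation error" to mean the largest weighted squared residual; the matrix, weights and measurement values are constructed.

```python
"""Added example: WLS state estimation with iterative bad-data removal (pure Python)."""

def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("gain matrix is singular: state not observable")
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def wls(H, w, z):
    """Return (x_hat, residuals, J) for z = Hx + e with diagonal weights w."""
    m, n = len(H), len(H[0])
    gain = [[sum(w[i] * H[i][a] * H[i][b] for i in range(m)) for b in range(n)]
            for a in range(n)]                      # H^T W H
    rhs = [sum(w[i] * H[i][a] * z[i] for i in range(m)) for a in range(n)]  # H^T W z
    x = solve(gain, rhs)
    res = [z[i] - sum(H[i][a] * x[a] for a in range(n)) for i in range(m)]
    J = sum(w[i] * res[i] ** 2 for i in range(m))   # objective of equation (2)
    return x, res, J

def detect_bad_data(H, w, z, C):
    """Re-estimate until J <= C (assumed test); return (x_hat, removed rows, gamma_bl)."""
    keep = list(range(len(z)))
    removed = []
    n = len(H[0])
    while True:
        x, res, J = wls([H[i] for i in keep], [w[i] for i in keep], [z[i] for i in keep])
        if J <= C:
            return x, removed, bool(removed)
        if len(keep) <= n:
            raise ValueError("no redundant measurements left to remove")
        # Drop the measurement with the largest weighted squared residual.
        worst = max(range(len(keep)), key=lambda k: w[keep[k]] * res[k] ** 2)
        removed.append(keep.pop(worst))

# Constructed sample: two states, five measurements (m > n), true state x = (1, 2).
H_SAMPLE = [[1, 0], [1, 0], [0, 1], [0, 1], [1, 1]]
W_SAMPLE = [1.0] * 5
Z_CLEAN = [1.0, 1.0, 2.0, 2.0, 3.0]
Z_ATTACKED = [3.0, 1.0, 2.0, 2.0, 3.0]   # measurement 0 falsified

if __name__ == "__main__":
    print(detect_bad_data(H_SAMPLE, W_SAMPLE, Z_CLEAN, C=0.5))
    print(detect_bad_data(H_SAMPLE, W_SAMPLE, Z_ATTACKED, C=0.5))
```

The residual test only works because the measurements are redundant: with exactly as many measurements as states, every residual is zero and a falsified value passes unnoticed.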
SMV traffic threshold anomaly detection algorithm: the SMV packet threshold depends on the sampling rate. In the packet filtering module, the MVC (multicast MAC) addresses of SMV packets start from 01-0C-CD-04-00-00, so SMV packets can be captured by checking their MVC address, and the number of packets per second and other details are recorded. In the intrusion detection module, if the number of packets captured within 1 s exceeds the predefined packet threshold, the anomaly is written to the anomaly log and an alarm is raised, as a basis for judging that the SMV packets may be under DoS attack. The SMV packet threshold anomaly detection indicator $\gamma_{fz}$ is set to true. The SMV packet threshold is computed from the following terms: $m$, the number of merging units within 1 s; the sample value resolution; $f_i$, the frequency of the i-th packet; and $\mu_{sv}$, the threshold calculation error coefficient.
The intrusion detection library is designed as follows:
1) Trip-causing data detection: mainly checks whether the packet data contains alarm values, such as overvoltage or overcurrent, that would cause relay protection to trip. If such data is detected, it is recorded in the alarm log and sent up to the substation integrated system and the regulation master station.
2) Detection of tampering or forgery of SMV data sent up to the master station: encryption only reduces the probability that SMV data is tampered with between the MU and the relay protection device. The SMV reaches the master station through the telecontrol device over a long transmission path, so the probability that a message is tampered with is high, and SMV data may also be forged. The local state estimate is sent up, the state estimate sent back by the master station is received, and the two are compared: ① if they cannot be paired, the original SMV measurement has been forged during wide area network transmission, and the uploaded-SMV forgery indicator $\gamma_{SVfk}$ is set to true; ② if the two values differ greatly, the original SMV measurement may have been tampered with during wide area network transmission, and the uploaded-SMV tampering indicator $\gamma_{SVtp}$ is set to true.
3) Predefined logic detection: packets are sent and received in an order that follows certain logical rules (such as the packet sequence number). Once a packet that violates the logic is detected, it is discarded, the logic detection indicator $\gamma_{lj}$ is set to true, and an alarm is raised.
4) Data traffic threshold anomaly: the rate at which data enters the intrusion detection module through the parsing module has a predefined threshold. For packets that consistently exceed the threshold, there is reason to suspect that this MAC address has been subjected to a DoS attack or a network storm attack.
In this embodiment the intrusion detection library defines nine anomaly indicators: ① digital signature verification failed, $\gamma_{gj}$; ② bad data, $\gamma_{bl}$; ③ logic detection failed, $\gamma_{lj}$; ④ threshold anomaly, $\gamma_{fz}$; ⑤ similar to a historical primary fault, $\gamma_{lsft}$; ⑥ similar to a historical network attack, $\gamma_{lsit}$; ⑦ uploaded SMV forged, $\gamma_{SVfk}$; ⑧ uploaded SMV tampered, $\gamma_{SVtp}$; ⑨ MAC address anomaly, $\gamma_{MAC}$. Each indicator is counted cumulatively, for online monitoring of the detection state and for historical statistics of process-level network attacks.
The online anomaly evaluation index $\nu_n$ can be defined as follows:

$$\nu_n = \gamma_{gj} \cap \gamma_{bl} \cap \gamma_{lj} \cap \gamma_{fz} \cap \gamma_{lsft} \cap \gamma_{lsit} \cap \gamma_{SVfk} \cap \gamma_{SVtp} \cap \gamma_{MAC} \tag{5}$$

If any one detection result is abnormal, its status indicator is true and the anomaly evaluation index $\nu_n$ takes the value 1, which means the intrusion detection module has found an abnormal intrusion event; the intelligent device SVDE raises an alarm prompt to the station control master station, the regulation master station and its own external LED display. If the anomaly evaluation index $\nu_n$ is 0, the original messages show no abnormal intrusion.
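The graded checks can be exercised on captured frames as in the following sketch, which covers packet filtering, parsing, the MAC address table, the sequence-number logic check, the per-second traffic threshold and the index $\nu_n$ computed by the prose rule above (1 if any indicator is true). This is an added example, not code from the patent. The frame payload is simplified to a 2-byte sample counter rather than the real IEC 61850-9-2 encoding, and the MAC addresses, the counter wrap value and the thresholds are constructed.

```python
"""Added example: graded checks on captured SMV frames (constructed data)."""
import struct
from collections import defaultdict

SV_DST_PREFIX = bytes.fromhex("010ccd04")  # page: SMV addresses start at 01-0C-CD-04-00-00
ETHERTYPE_SV = b"\x88\xba"                 # IEC 61850-9-2 SV EtherType, used to build frames

def mac(text):
    """'01-0c-cd-04-00-01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))

def fmt(addr):
    return "-".join(f"{b:02x}" for b in addr)

def make_frame(dst, src, smp_cnt):
    """Constructed frame: Ethernet header plus a 2-byte counter (simplified payload)."""
    return mac(dst) + mac(src) + ETHERTYPE_SV + struct.pack("!H", smp_cnt)

def inspect(capture, allowed_src, max_pkts_per_s, wrap=4000):
    """capture: list of (timestamp_s, frame). Returns (indicators, v_n, alarm log)."""
    gamma = {"MAC": False, "lj": False, "fz": False}
    alarms, last_cnt, per_second = [], {}, defaultdict(int)
    for ts, frame in capture:
        if len(frame) < 16:
            continue
        dst, src = frame[0:6], frame[6:12]
        if dst[:4] != SV_DST_PREFIX:          # packet filtering: keep SMV only
            continue
        per_second[int(ts)] += 1              # packets per second, for the flow check
        (smp_cnt,) = struct.unpack("!H", frame[14:16])   # packet parsing
        if src not in allowed_src:            # MAC address anomaly: alarm and discard
            gamma["MAC"] = True
            alarms.append((ts, "MAC", fmt(src)))
            continue
        prev = last_cnt.get(src)
        if prev is not None and smp_cnt != (prev + 1) % wrap:
            gamma["lj"] = True                # logic violation, e.g. a replayed counter
            alarms.append((ts, "lj", f"{fmt(src)} cnt {smp_cnt} after {prev}"))
            continue
        last_cnt[src] = smp_cnt
    for second, count in sorted(per_second.items()):
        if count > max_pkts_per_s:            # traffic threshold anomaly
            gamma["fz"] = True
            alarms.append((float(second), "fz", f"{count} packets in 1 s"))
    v_n = int(any(gamma.values()))            # prose rule: any true indicator gives 1
    return gamma, v_n, alarms

# Constructed captures.
MU = "00-11-22-33-44-55"
SV_DST = "01-0c-cd-04-00-01"
CLEAN = [(i * 0.00025, make_frame(SV_DST, MU, i)) for i in range(5)]
ATTACK = CLEAN + [
    (0.0020, make_frame(SV_DST, "de-ad-be-ef-00-01", 5)),   # unknown source MAC
    (0.0030, make_frame(SV_DST, MU, 2)),                    # replayed sample counter
    (0.0040, make_frame("01-0c-cd-01-00-01", MU, 9)),       # not SMV: filtered out
]
FLOOD = [(i * 0.00025, make_frame(SV_DST, MU, i)) for i in range(12)]

if __name__ == "__main__":
    for name, cap in (("clean", CLEAN), ("attack", ATTACK), ("flood", FLOOD)):
        print(name, inspect(cap, {mac(MU)}, max_pkts_per_s=10))
```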
The SMV network attack graded detection method of this embodiment provides a range of anomaly indicators, including MAC address anomaly, SMV bad data, packet logic detection, data traffic threshold anomaly, similarity to a primary fault, similarity to a network attack, forgery of uploaded SMV and tampering of uploaded SMV. These make it quick and easy to determine the form of an attack and its possible position, so that the dispatch-side operation monitoring personnel can be informed quickly.
The above embodiment and drawings do not limit the product form and style of the present invention. Any appropriate change or modification made to them by a person of ordinary skill in the art shall be regarded as not departing from the patent scope of the present invention.
Claims (1)
1. An SMV network attack graded detection method applicable to the bay level of a digital substation, characterized by comprising the following steps:
Step 1. Packet decryption: verify the digital signature of SMV packets that have been digitally signed by the MU, and process the packets according to the encryption/decryption rules;
Step 2. Packet filtering: select the SMV packets by the distinctive MVC (multicast MAC) start address of SMV packets;
Step 3. Packet parsing: strip the outer MAC address protocol layer of the SMV packet, extract the data in the packet, and send the MAC address and the packet data to the packet anomaly detection module;
Step 4. MAC address anomaly detection: every MAC address that reaches the intrusion detection module must strictly conform to the predefined address acceptance table; as soon as a MAC address appears that does not match the address library, the detection indicator $\gamma_{MAC}$ is set to true, an alarm is raised immediately and the data is discarded;
Step 5. Specification-based intrusion detection: mainly covers trip-causing data, bad data, logic violations, traffic-threshold-exceeded alarms, etc.;
Step 6. Detection based on historical event data: check whether the current sampled data meets the trigger conditions of a historical event, such as an overcurrent, overvoltage or short-circuit fault historical event; if so, set the primary fault indicator $\gamma_{lsft}$ to true. Then check whether the sampled data matches a historical network attack data model; if so, set the historical intrusion indicator $\gamma_{lsit}$ to true, and so on.
Step 7. Finally, the detection results are classified and written to the normal event log and the alarm log, and saved after evidence of the anomaly has been collected; the anomaly evaluation index $\nu_n$ is calculated from the intrusion data; the alarm, the intrusion data and the anomaly evaluation index $\nu_n$ are sent up to the master station, or an alarm is displayed locally.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611108354.3A CN106685928A (en) | 2016-12-06 | 2016-12-06 | SMV (sampled measured value) network attack grading detection method applicable to digital substation bay level |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106685928A true CN106685928A (en) | 2017-05-17 |
Family
ID=58866318
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611108354.3A Pending CN106685928A (en) | 2016-12-06 | 2016-12-06 | SMV (sampled measured value) network attack grading detection method applicable to digital substation bay level |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106685928A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20170517 |