CN106874766B - White box detection method of single point data attack in power system - Google Patents
- Publication number: CN106874766B
- Application number: CN201710226609.4A
- Authority: CN (China)
- Prior art keywords: function, domain, attack, codomain, point
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a white-box detection method for single-point data attacks in a power system, aimed at malicious attacks that tamper with only a single data item. After establishing the function domains and defining the function programs, the method obtains the function values under the operation of a complete set of control-logic relation functions, compares the changes in those values, and locates the malicious attack point. The invention consists of a power system data input module, a control logic module, an automatic identification module, an output module, a judgment module and a feedback module. The two main modules, the control logic module and the automatic identification module, perform layer-by-layer verification and automatically identify the position of a single-point malicious attack. The detection method compensates for the inability of the bad-data identification algorithms in current power system state estimation to detect certain linear attacks.
Description
Technical field
The present invention relates to the field of power system security, and in particular to a white-box detection method for single-point data attacks in a power system.
Background technology
Modern power systems are complex coupled network systems composed of a physical power system and an information and communication system. That is, if a component in either of these two systems fails or is attacked, the power grid may be paralysed.

Malicious data attacks on power systems have been the infrastructure attacks of greatest concern worldwide over the past two years. This attack method first appeared in the Stuxnet virus in Iran, which caused an Iranian nuclear power station to shut down. In essence, the attacker masquerades as a legitimate user to enter the system, influences the relevant data, obtains the controller and, through the systemic effects of the power system, goes on to cause a large-area power outage, achieving the goal of attacking the system.

Bad-data detection in power systems is based on state estimation. This method assumes that normal data follow a linear normal distribution within a certain range, and rejects bad data by the least squares method. State estimation is the theoretical foundation of the entire power system and supports the application of energy management systems and power dispatching systems. Current research in China and abroad shows that specific malicious data injection attacks can break through the bad-data detection of power system state estimation.

Published invention patents in this field include "A smart grid malicious data injection attack and detection method", applied for by Southwest University of Science and Technology. That method proposes two detection operators, based on the residuals between predicted measurements and estimated measurements, to detect and locate malicious injected data that may exist in power system measurement information and to update the data accordingly. There is also "Smart grid attack detection method based on physical-information fuzzy inference", applied for by Xi'an Jiaotong University. That method analyses smart grid power measurement data and network traffic, judges attacks using physical-information fuzzy inference, and cross-verifies power network and communication network information to detect attacks. These patents mainly adopt state estimation algorithms, which have the drawback that linear intrusion attacks are very hard to identify.

In order to improve on the state estimation algorithms of power systems, a white-box detection method for single-point data attacks in a power system is proposed for the case where the logical structure and data relationships of the power system are known.
Invention content
The object of the invention is to overcome the deficiencies of the prior art and provide a white-box detection method for single-point data attacks in a power system.

The invention is a white-box detection method for single-point data attacks in a power system, composed mainly of a power system data input module, a control logic module, an automatic identification module, an output module, a judgment module and a feedback module. The series of data generated by the power system serves as the input and is passed to the control logic module. The control logic module judges, according to its preset function program, whether the original data have been destroyed, and passes the result to the output module, completing the first pass. The output module passes the first-round result to the automatic identification module, which holds another preset function program. This module then automatically performs a second round of judgment on the data, combining the original power system data from the input with the first-round diagnostic result. This round of identification and diagnosis increases the precision of judging whether the data have been destroyed. Finally, the judgment module and the feedback module return the result to the input, completing one cycle of the whole control system.

Advantages of the invention: it compensates for the deficiency of the bad-data detection algorithms in power system state estimation. Because the internal structure of the power system is known, the relevant functions can be set in the control logic module and the automatic identification module, so that all input data can be checked completely, without screening or partitioning the data. This white-box detection can detect single-point attack behaviour.

The grid information security detection field currently mostly uses state estimation algorithms suited to nonlinear algorithms. This method comprises the following three steps: 1) definition of the power system function domains, codomains and relations; 2) classification of single-point malicious data attacks; 3) automatic identification method.
Step 1: Define the function domains, codomains and relations involved in this method
(1) State acquisition at the power equipment input terminals:
Assuming that input terminal hasIt is a, be respectively.There is input function, domain is().
(2) State acquisition at the power equipment output terminals:
Assuming that leading-out terminal hasIt is a, be respectively.There is output function, domain is().
(3) The logical relation functions in the power system equipment are expressed as follows:
Assuming that in the presence ofA function is respectively
Assuming that function, its domainFor, codomainFor。
Assuming that, its domainFor, codomainFor。
Assuming that, its domainFor, codomainFor。
The domain of these functions?The domain of input function, codomain?The codomain of output function。
Step 2: The possible forms of malicious attack are discussed case by case below:
(1)Situation 1:It is assumed that… , their domain point
It is not,, their codomain is respectively。
Before by malicious attack, functionCodomainWith domainValue followFortune
Calculate principle, functionCodomainWith domainValue followOperation principle.After attack, if
Their intersectionIt changes, it will be to codomainIt has an impact.
(2)Situation 2:It is assumed that… , their definition
Domain is respectively, , their codomain is respectively。
Before by malicious attack, functionCodomainWith domainValue followFortune
Calculate principle, functionCodomainWith domainValue followOperation principle, functionValue
DomainWith domainValue followOperation principle.After attack, if their intersectionIt changes, it will be to codomain It has an impact.
Step 3: Automatic identification method for single-point malicious data attacks
Assume that the malicious attack only attacks the data at the input terminals and does not tamper with the operation functions of the logic module. The preset function programs can then be used to judge which data item has been maliciously attacked.
It is assumed that there are two functionsWith, they
Domain is respectivelyWithAssuming that they have jointly
Intersection element,, these elements are neither in functionAlso not in functionDomain in.
Except intersection elementExcept each element be set separately containing only the element and be free of the two domain of function
The function program of interior other elements, ,… And, , … 。
Assume that the malicious attack attacks only one data point:
1. when the value of two functions all changes, then can accurately judge that the object of malicious attack is exactly。
2. when only functionValue when changing, the range of the point of attack can be reduced,
Judge that the object attacked is functionElement in domain.Comparison function successively,,… The position of the specific point of attack is released in the variation of value.If onlyFunctional value change, then the object of malicious attack is exactlyIf onlyFunction
Value changes, then the object of malicious attack is exactlyAnd so on arrive。
3. when only functionValue when changing, the model of the point of attack can be reduced
It encloses, judges that the object attacked is functionElement in domain.Comparison function successively,, … The position of the specific point of attack is released in the variation of value.If onlyFunctional value change, then the object of malicious attack is exactlyIf onlyFunction
Value changes, then the object of malicious attack is exactlyAnd so on arrive。
Through the above three steps, a single-point malicious attack can be identified automatically and the specific position of the attack point located accurately. Finding the intersection element in the first step narrows the range of the attack point, means that one fewer function has to be defined, and simplifies the function programs.
Description of the drawings
Fig. 1 is the system structure diagram of the invention;
Fig. 2 is the flow chart of the invention.
Specific implementation mode
The invention is further described below with reference to the drawings and an embodiment.

Fig. 1 is the system structure diagram of the invention. It consists of six modules: the power system data input module, the control logic module, the automatic identification module, the output module, the judgment module and the feedback module. The control logic module and the automatic identification module are the two core modules of the device. Different preset function programs are installed in these two modules, which compute over and verify the input power system data. When the data tampered with by the malicious attack are relatively simple, the control module can determine the attack position directly and feed back and output the result. When the tampered data are more complex and the control module is not sufficient to judge, the result is passed to the automatic identification module, where the multiple functions defined in that module perform a secondary verification. Finally, the judgment module compares the results of the two modules comprehensively, determines the specific position of the malicious attack, and feeds the result back to the system.

Fig. 2 is the flow chart of the invention, which comprises the following steps:
Step 1: Power system data acquisition: collect power system data such as voltage, current, power, load and power flow;
Step 2: Obtain the control logic relation functions;
Step 3: Take the collected data as the input of the functions and establish the domains of the functions;
Step 4: Compute over the input data with the control logic relation functions and record the codomains of the functions;
Step 5: Establish the function set;
Step 6: Find the domain intersections between the functions in the function set;
Step 7: Judge by the function relations: if only the codomain of a single function is affected, the malicious attack point can be judged to lie only within the domain of that one function; otherwise go to step 8;
Step 8: If the codomains of multiple functions change, there are multiple possibilities.
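The identification logic of Step 3 and of flowchart steps 3 to 8, as an added Python example that is not code from the patent. It goes beyond the two-function case to any function set; the sample functions and values, the names `Relation`, `locate`, `tampered` and `x1p` (standing for x'1), the use of a trusted baseline snapshot, and the assumption that every function reacts to each of its inputs are all constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Sequence, Set, Tuple


@dataclass(frozen=True)
class Relation:
    """A control-logic relation function: name, domain (input names), rule."""
    name: str
    domain: Tuple[str, ...]
    rule: Callable[..., float]

    def value(self, data: Dict[str, float]) -> float:
        return self.rule(*(data[k] for k in self.domain))


def changed(relations: Sequence[Relation], baseline: Dict[str, float],
            observed: Dict[str, float], tol: float = 1e-9) -> Set[str]:
    """Names of the functions whose value differs between the two snapshots."""
    return {r.name for r in relations
            if not math.isclose(r.value(baseline), r.value(observed),
                                rel_tol=0.0, abs_tol=tol)}


def locate(relations: Sequence[Relation], baseline: Dict[str, float],
           observed: Dict[str, float]) -> Tuple[str, Set[str]]:
    """Classify the change pattern under the single-point assumption.

    A single tampered input must lie in the domain of every changed function
    and (assumption: each function reacts to each of its inputs) in the
    domain of no unchanged function.
    """
    hit_names = changed(relations, baseline, observed)
    if not hit_names:
        return "no-change", set()
    hit = [set(r.domain) for r in relations if r.name in hit_names]
    miss = [set(r.domain) for r in relations if r.name not in hit_names]
    candidates = set.intersection(*hit) - set().union(*miss)
    if len(candidates) == 1:
        return "located", candidates
    if not candidates:
        return "inconsistent", set()  # no single input explains the pattern
    return "ambiguous", candidates    # more check functions are needed


# Constructed sample: f1 and f2 share xt; x1p/x2p stand for x'1/x'2.
F1 = Relation("f1", ("x1", "x2", "xt"), lambda a, b, t: a + 2 * b + 3 * t)
F2 = Relation("f2", ("x1p", "x2p", "xt"), lambda a, b, t: 2 * a + b + 5 * t)
# Per-element check functions: one domain element paired with one auxiliary
# input that lies outside both domains.
CHECKS = [Relation(f"f{n}", (x, k), lambda v, aux: v - aux)
          for n, x, k in [("11", "x1", "xk1"), ("12", "x2", "xk2"),
                          ("21", "x1p", "xk1p"), ("22", "x2p", "xk2p")]]
BASELINE = {"x1": 1.0, "x2": 2.0, "xt": 3.0, "x1p": 4.0, "x2p": 5.0,
            "xk1": 0.5, "xk2": 0.5, "xk1p": 0.5, "xk2p": 0.5}


def tampered(**overrides: float) -> Dict[str, float]:
    """Copy of the constructed baseline with the given inputs overwritten."""
    return {**BASELINE, **overrides}


if __name__ == "__main__":
    full = [F1, F2, *CHECKS]
    print(locate(full, BASELINE, tampered(xt=3.4)))           # shared element
    print(locate(full, BASELINE, tampered(x2=2.5)))           # f1 side only
    print(locate([F1, F2], BASELINE, tampered(x2=2.5)))       # no check functions
    print(locate(full, BASELINE, tampered(x1=0.0, x2p=9.0)))  # two points
```

The two-point case returns `inconsistent` because no single input lies in every changed function's domain, which is how a violation of the single-point assumption shows up in this scheme.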
Claims (1)
1. A white-box detection method for single-point data attacks in a power system, characterized in that the method detects the case where a single data item is attacked, the method comprising the following three steps: 1) definition of the power system function domains, codomains and relations; 2) classification of single-point malicious data attacks; 3) automatic identification method;

Step 1), the definition of the power system function domains, codomains and relations, comprises:

(1) State acquisition at the power system input terminals:
There are N input terminals, $x_1, x_2, x_3, \dots, x_n$; there is an input function $f_{\mathrm{input}}(x_1, x_2, x_3, \dots, x_n)$ whose domain is $D(x_1, x_2, x_3, \dots, x_n)$;

(2) State acquisition at the power equipment output terminals:
There are N output terminals, $y_1, y_2, y_3, \dots, y_n$; there is an output function $f_{\mathrm{output}}(y_1, y_2, y_3, \dots, y_n)$ whose domain is $R(y_1, y_2, y_3, \dots, y_n)$;

(3) The logical relation functions in the power system equipment are expressed as follows:
There are M functions, $f_1, f_2, \dots, f_m$; function $f_1$ has domain $D_1(x_1, x_2, x_3, \dots, x_{t1})$ and codomain $R_1(y_1, y_2, y_3, \dots, y_{t1})$; function $f_2$ has domain $D_2(x_1, x_2, x_3, \dots, x_{t2})$ and codomain $R_2(y_1, y_2, y_3, \dots, y_{t2})$; function $f_m$ has domain $D_m(x_1, x_2, x_3, \dots, x_{tm})$ and codomain $R_m(y_1, y_2, y_3, \dots, y_{tm})$;
The domains $D_1, D_2, \dots, D_m$ of these functions are all contained in the domain $D$ of the input function, and the codomains $R_1, R_2, \dots, R_m$ are all contained in the codomain $R$ of the output function;

Step 2), the classification of single-point malicious data attacks, comprises:

(1) Situation 1: $f_p, f_q$ are any two relation functions among $f_1, f_2, \dots, f_m$; their domains are $D_p$ and $D_q$ respectively, the intersection of $D_p$ and $D_q$ is non-empty, and their codomains are $R_p$ and $R_q$ respectively;
Before the attack,
the values of the codomain $R_p$ and the domain $D_p$ of function $f_p$ follow the operation principle $Y_p = f(X_p)$,
the values of the codomain $R_q$ and the domain $D_q$ of function $f_q$ follow the operation principle $Y_q = f(X_q)$;
After the attack, if the intersection of their domains $D_p$ and $D_q$ changes, the codomains $R_p$ and $R_q$ will be affected;

(2) Situation 2: $f_p, f_q, \dots, f_s$ are any number of relation functions among $f_1, f_2, \dots, f_m$; their domains are $D_p, D_q, \dots, D_s$ respectively, the intersection of $D_p, D_q, \dots, D_s$ is non-empty, and their codomains are $R_p, R_q, \dots, R_s$ respectively;
Before the attack,
the values of the codomain $R_p$ and the domain $D_p$ of function $f_p$ follow the operation principle $Y_p = f(X_p)$,
the values of the codomain $R_q$ and the domain $D_q$ of function $f_q$ follow the operation principle $Y_q = f(X_q)$, ...,
the values of the codomain $R_s$ and the domain $D_s$ of function $f_s$ follow the operation principle $Y_s = f(X_s)$;
After the attack, if the intersection of their domains $D_p, D_q, \dots, D_s$ changes, the codomains $R_p, R_q, \dots, R_s$ will be affected;

Step 3), the automatic identification method, comprises: the malicious attack only attacks the data at the input terminals and does not tamper with the operation functions of the logic module, so the preset function programs can be used to judge which data item has been maliciously attacked;

There are two functions $f_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ and $f_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$, whose domains are $D_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ and $D_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$ respectively; their common intersection element is $x_t$; elements $x_{k1}, x_{k2}, x_{k3}, \dots, x_{kn}$ and $x'_{k1}, x'_{k2}, x'_{k3}, \dots, x'_{km}$ are also defined, and these elements are in the domain of neither $f_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ nor $f_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$;

For each element other than the intersection element $x_t$, a function program is set that contains only that element and none of the other elements in the domains of the two functions: $f_{11}(x_1, x_{k1}), f_{12}(x_2, x_{k2}), f_{13}(x_3, x_{k3}), \dots, f_{1n}(x_n, x_{kn})$, and $f_{21}(x'_1, x'_{k1}), f_{22}(x'_2, x'_{k2}), f_{23}(x'_3, x'_{k3}), \dots, f_{2n}(x'_n, x'_{kn})$;

(1) When the malicious attack attacks only one data point: when the values of both functions change, it can be judged accurately that the object of the malicious attack is $x_t$;

(2) When only the value of function $f_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ changes, the range of the attack point can be narrowed, and the attacked object is judged to be an element of the domain of function $f_1$; the changes in the values of $f_{11}(x_1, x_{k1}), f_{12}(x_2, x_{k2}), f_{13}(x_3, x_{k3}), \dots, f_{1n}(x_n, x_{kn})$ are compared in turn to deduce the specific attack position; if only the value of $f_{11}(x_1, x_{k1})$ changes, the object of the malicious attack is $x_1$; if only the value of $f_{12}(x_2, x_{k2})$ changes, the object of the malicious attack is $x_2$; and so on up to $x_n$;

(3) When only the value of function $f_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$ changes, the range of the attack point can be narrowed, and the attacked object is judged to be an element of the domain of function $f_2$; the changes in the values of $f_{21}(x'_1, x'_{k1}), f_{22}(x'_2, x'_{k2}), f_{23}(x'_3, x'_{k3}), \dots, f_{2n}(x'_n, x'_{kn})$ are compared in turn to deduce the specific attack position; if only the value of $f_{21}(x'_1, x'_{k1})$ changes, the malicious object is $x'_1$; if only the value of $f_{22}(x'_2, x'_{k2})$ changes, the malicious object is $x'_2$; and so on up to $x'_n$;

Through the above three steps, a single-point malicious attack can be identified automatically and the specific position of the attack located accurately; finding the intersection element narrows the range of the attack point, means that one fewer function has to be defined, and simplifies the function programs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710226609.4A CN106874766B (en) | 2017-04-09 | 2017-04-09 | White box detection method of single point data attack in power system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710226609.4A CN106874766B (en) | 2017-04-09 | 2017-04-09 | White box detection method of single point data attack in power system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106874766A CN106874766A (en) | 2017-06-20 |
CN106874766B true CN106874766B (en) | 2018-11-13 |
Family
ID=59161021
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710226609.4A Active CN106874766B (en) | 2017-04-09 | 2017-04-09 | White box detection method of single point data attack in power system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106874766B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105930723A (en) * | 2016-04-20 | 2016-09-07 | 福州大学 | Intrusion detection method based on feature selection |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103324847B (en) * | 2013-06-17 | 2016-12-28 | 西南交通大学 | Electrical Power System Dynamic bad data detection and identification method |
CN104125112B (en) * | 2014-07-29 | 2017-04-19 | 西安交通大学 | Physical-information fuzzy inference based smart power grid attack detection method |
CN104573510B (en) * | 2015-02-06 | 2017-08-04 | 西南科技大学 | A kind of intelligent grid malicious data injection attacks and detection method |
Also Published As
Publication number | Publication date |
---|---|
CN106874766A (en) | 2017-06-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105191257B (en) | Method and apparatus for detecting multistage event | |
CN107276805A (en) | A kind of sample predictions method, device and electronic equipment based on IDS Framework | |
CN102662144B (en) | A kind of hardware Trojan horse detection method based on activity-level measured | |
CN108390869B (en) | Vehicle-mounted intelligent gateway device integrating deep learning and command sequence detection method thereof | |
Ustun et al. | Artificial intelligence based intrusion detection system for IEC 61850 sampled values under symmetric and asymmetric faults | |
CN111131237B (en) | Microgrid attack identification method based on BP neural network and grid-connected interface device | |
CN106202886A (en) | Track circuit red band Fault Locating Method based on fuzzy coarse central Yu decision tree | |
CN104125112B (en) | Physical-information fuzzy inference based smart power grid attack detection method | |
Musleh et al. | Detection of false data injection attacks in smart grids: A real-time principle component analysis | |
CN110505134A (en) | A kind of car networking CAN bus data detection method and device | |
CN102854454A (en) | Method for shortening verification time of hardware Trojan in integrated circuit test | |
CN109347853A (en) | The method for detecting abnormality towards Integrated Electronic System based on depth Packet analyzing | |
Wang et al. | Method for extracting patterns of coordinated network attacks on electric power CPS based on temporal–topological correlation | |
CN103532761A (en) | Survivability evaluating method applicable to attacked wireless sensing network | |
CN109118075A (en) | A kind of electric power industrial control terminal safety monitoring method based on service logic consistency | |
CN110022293A (en) | A kind of electric network information physics emerging system methods of risk assessment | |
CN107247450A (en) | Circuit breaker failure diagnostic method based on Bayesian network | |
Zhu et al. | Intrusion detection against MMS-based measurement attacks at digital substations | |
CN110062009A (en) | A kind of formalization detection method of information physical emerging system defence | |
CN1805234A (en) | Pattern matching based security protection method for relay protection information of electric system in network environment | |
Ren et al. | Research on fault location of process-level communication networks in smart substation based on deep neural networks | |
CN109522755A (en) | Hardware Trojan horse detection method based on probabilistic neural network | |
Yu et al. | TCE-IDS: Time interval conditional entropy-based intrusion detection system for automotive controller area networks | |
CN106597845B (en) | A kind of power transmission network method for diagnosing faults based on multiple-objection optimization | |
Panthi | Identification of disturbances in power system and DDoS attacks using machine learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20170620; Assignee: SHANGHAI CLOUD INFORMATION TECHNOLOGY Co.,Ltd.; Assignor: SHANGHAI YUNJIAN INFORMATION TECHNOLOGY Co.,Ltd.; Contract record no.: X2022310000003; Denomination of invention: White box detection method of single point data attack in power system; Granted publication date: 20181113; License type: Common License; Record date: 20220120 |