CN106874766B - White-box detection method for single-point data attacks in power systems - Google Patents


Publication number
CN106874766B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710226609.4A
Other languages
Chinese (zh)
Other versions
CN106874766A (en
Inventor
王勇
张璧鸣
刘蔚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yunjian Information Technology Co Ltd
Original Assignee
Shanghai Yunjian Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a white-box detection method for single-point data attacks in a power system, aimed at the case where only an individual data item is maliciously attacked. After establishing the domains of the functions and defining the function programs, the method obtains the function values under a complete set of control logic relation functions, compares the changes in those values, and locates the malicious attack point. The invention consists of a power system data input module, a control logic module, an automatic identification module, an output module, a judgment module and a feedback module; the control logic module and the automatic identification module together perform layer-by-layer verification and automatically identify the position of a single-point malicious attack. The detection method compensates for the inability of the bad data identification algorithms in current power system state estimation to detect certain linear attacks.

Description

White-box detection method for single-point data attacks in power systems
Technical field
The present invention relates to the field of power system security, and in particular to a white-box detection method for single-point data attacks in a power system.
Background
A modern power system is a complex coupled network made up of a physical power system and an information and communication system. That is, if a component in either of the two systems fails or is attacked, the power grid may be paralysed.
Malicious data attacks on power systems have been the infrastructure attacks of greatest concern worldwide over the past two years. This attack method first appeared in the Stuxnet virus in Iran, which caused an Iranian nuclear power station to shut down. In essence, the attacker enters the system disguised as a legitimate user, influences the relevant data, gains control of controllers and, through the systemic effects within the power system, goes on to cause a large-area power outage, thereby achieving the goal of attacking the system.
Bad data detection in power systems is based on state estimation. This method assumes that normal data follow a linear normal distribution within a certain range, and rejects bad data by the least squares method. State estimation is the theoretical foundation of the entire power system and supports the applications of energy management systems and power dispatching systems. Current research in China and abroad shows that specific malicious data injection attacks can break through the bad data detection of power system state estimation.
Published invention patents in this field include "A smart grid malicious data injection attack and detection method", filed by Southwest University of Science and Technology. That method proposes two detection operators, based on predicted measurements and on estimated measurement residuals, to detect and locate malicious injected data that may be present in power system measurement information and to update the data accordingly. There is also "Smart grid attack detection based on physical-information fuzzy inference", filed by Xi'an Jiaotong University. That method analyses smart grid power measurement data and network traffic, judges attacks by physical-information fuzzy inference, and cross-verifies power network and communication network information to detect attacks. These patents mainly adopt state estimation algorithms, which have the shortcoming that linear attacks are very difficult to identify.
To improve on the state estimation algorithms of power systems, a white-box detection method for single-point data attacks in a power system is proposed for the case where the logical structure and data relationships of the power system are known.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and to provide, for power systems, a white-box detection method for single-point data attacks.
The invention is a white-box detection method for single-point data attacks in a power system. It consists mainly of a power system data input module, a control logic module, an automatic identification module, an output module, a judgment module and a feedback module. The series of data generated by the power system serves as the input and is passed to the control logic module, which uses its preset function program to judge whether the original data have been corrupted and passes the result to the output module, completing the first pass. The output module passes the first-round result to the automatic identification module, which holds another preset function program; this module automatically performs a second round of data judgment that combines the original power system input data with the first-round diagnosis. This second round of identification and diagnosis improves the precision of the judgment of whether the data have been corrupted. Finally, the judgment module and the feedback module return the result to the input, completing one cycle of the whole control system.
Advantages of the invention: it compensates for the deficiency of the bad data detection algorithms in power system state estimation. With the internal structure of the power system known, correlation functions are set in the control logic module and the automatic identification module, so that all input data can be checked completely, without screening or partitioning the data; this white-box detection can detect single-point attack behaviour.
By contrast, the field of grid information security detection currently relies mostly on state estimation algorithms suited to nonlinear algorithms. This method comprises the following three steps: 1) definition of the power system function domains, codomains and relationships; 2) classification of single-point malicious data attacks; 3) automatic identification method.
Step 1: Define the function domains, codomains and relationships involved in this method
(1) State acquisition at the power equipment input terminals:
Assuming that input terminal hasIt is a, be respectively.There is input function, domain is).
(2) State acquisition at the power equipment output terminals:
Assuming that leading-out terminal hasIt is a, be respectively.There is output function, domain is).
(3) The logical relation functions in the power system equipment are expressed as follows:
Assuming that in the presence ofA function is respectively
Assuming that function, its domainFor, codomainFor
Assuming that, its domainFor, codomainFor
Assuming that, its domainFor, codomainFor
The domain of these functions?The domain of input function, codomain?The codomain of output function
Step 2: The possible forms of a malicious attack are discussed case by case below:
(1)Situation 1:It is assumed that, their domain point It is not,, their codomain is respectively
Before by malicious attack, functionCodomainWith domainValue followFortune Calculate principle, functionCodomainWith domainValue followOperation principle.After attack, if Their intersectionIt changes, it will be to codomainIt has an impact.
(2)Situation 2:It is assumed that, their definition Domain is respectively, , their codomain is respectively
Before by malicious attack, functionCodomainWith domainValue followFortune Calculate principle, functionCodomainWith domainValue followOperation principle, functionValue DomainWith domainValue followOperation principle.After attack, if their intersectionIt changes, it will be to codomain It has an impact.
Step 3: Automatic identification of a single-point malicious data attack
Assume the malicious attack tampers only with the data at the input terminals and does not tamper with the operation functions of the logic module. The preset function programs can then be used to determine which data item has been maliciously attacked.
It is assumed that there are two functionsWith, they Domain is respectivelyWithAssuming that they have jointly Intersection element,, these elements are neither in functionAlso not in functionDomain in.
Except intersection elementExcept each element be set separately containing only the element and be free of the two domain of function The function program of interior other elements, ,And, ,
Assume the malicious attack targets only one data point:
1. when the value of two functions all changes, then can accurately judge that the object of malicious attack is exactly
2. when only functionValue when changing, the range of the point of attack can be reduced, Judge that the object attacked is functionElement in domain.Comparison function successively,,The position of the specific point of attack is released in the variation of value.If onlyFunctional value change, then the object of malicious attack is exactlyIf onlyFunction Value changes, then the object of malicious attack is exactlyAnd so on arrive
3. when only functionValue when changing, the model of the point of attack can be reduced It encloses, judges that the object attacked is functionElement in domain.Comparison function successively,, The position of the specific point of attack is released in the variation of value.If onlyFunctional value change, then the object of malicious attack is exactlyIf onlyFunction Value changes, then the object of malicious attack is exactlyAnd so on arrive
Through the three steps above, a single-point malicious attack can be identified automatically and the specific position of the attack point located accurately. Finding the intersection element in the first step narrows the range of the attack point, means one fewer function has to be defined, and simplifies the function programs.
Description of the drawings
Fig. 1 is the system structure diagram of the invention;
Fig. 2 is the flow chart of the invention.
Detailed description of embodiments
The invention is further explained below with reference to the drawings and an embodiment.
Fig. 1 is the system structure diagram of the invention. It consists of six modules: the power system data input module, control logic module, automatic identification module, output module, judgment module and feedback module. The control logic module and the automatic identification module are the two core modules of the device; each holds its own preset function programs, which perform computational verification of the input power system data. When the data tampered with by the malicious attack are relatively simple, the control module can determine the attack position directly and feed back and output the result. When the tampered data are more complex and the control module cannot make the determination, it passes the result to the automatic identification module, where the many functions defined in that module perform a second verification. Finally, the judgment module compares the results of the two modules, determines the specific position of the malicious attack and feeds the result back to the system.
Fig. 2 is the flow chart of the invention, which comprises the following steps:
Step 1: Power system data acquisition: collect power system data such as voltage, current, power, load and power flow;
Step 2: Obtain the control logic relation functions;
Step 3: Take the collected data as the inputs of the functions and establish the domains of the functions;
Step 4: Compute the input data through the control logic relation functions and record the codomains of the functions;
Step 5: Establish the function set;
Step 6: Find the domain intersections between the functions in the function set;
Step 7: Judge the functional relationships. If only the codomain of a single function is affected, the malicious attack point can be judged to lie within the domain of that one function; otherwise go to Step 8;
Step 8: If the codomains of multiple functions change, there are many possibilities.

Claims (1)

1. A white-box detection method for single-point data attacks in a power system, characterized in that the method detects the behaviour of an individual data item being attacked, the method comprising the following three steps: 1) definition of the power system function domains, codomains and relationships; 2) classification of single-point malicious data attacks; 3) automatic identification method;
Step 1) The definition of the power system function domains, codomains and relationships comprises:
(1) State acquisition at the power system input terminals:
There are N input terminals, $x_1, x_2, x_3, \dots, x_n$; there is an input function $f_{input}(x_1, x_2, x_3, \dots, x_n)$, whose domain is $D(x_1, x_2, x_3, \dots, x_n)$;
(2) State acquisition at the power equipment output terminals:
There are N output terminals, $y_1, y_2, y_3, \dots, y_n$; there is an output function $f_{output}(y_1, y_2, y_3, \dots, y_n)$, whose domain is $R(y_1, y_2, y_3, \dots, y_n)$;
(3) The logical relation functions in the power system equipment are expressed as follows:
There are M functions, $f_1, f_2, \dots, f_m$. The domain of function $f_1$ is $D_1(x_1, x_2, x_3, \dots, x_{t1})$ and its codomain is $R_1(y_1, y_2, y_3, \dots, y_{t1})$; the domain of function $f_2$ is $D_2(x_1, x_2, x_3, \dots, x_{t2})$ and its codomain is $R_2(y_1, y_2, y_3, \dots, y_{t2})$; the domain of function $f_m$ is $D_m(x_1, x_2, x_3, \dots, x_{tm})$ and its codomain is $R_m(y_1, y_2, y_3, \dots, y_{tm})$;
The domains $D_1, D_2, \dots, D_m$ of these functions are all contained in the domain $D$ of the input function, and the codomains $R_1, R_2, \dots, R_m$ are all contained in the codomain $R$ of the output function;
Step 2) The classification of single-point malicious data attacks comprises:
(1) Case 1: $f_p, f_q$ are any two relation functions among $f_1, f_2, \dots, f_m$; their domains are $D_p$ and $D_q$ respectively, the intersection of $D_p$ and $D_q$ is non-empty, and their codomains are $R_p$ and $R_q$ respectively;
Before the attack,
the values of the codomain $R_p$ and the domain $D_p$ of function $f_p$ follow the operation rule $Y_p = f(X_p)$,
the values of the codomain $R_q$ and the domain $D_q$ of function $f_q$ follow the operation rule $Y_q = f(X_q)$;
After the attack, if the intersection of their domains $D_p$ and $D_q$ changes, the codomains $R_p$ and $R_q$ will be affected;
(2) Case 2: $f_p, f_q, \dots, f_s$ are any number of relation functions among $f_1, f_2, \dots, f_m$; their domains are $D_p, D_q, \dots, D_s$ respectively, the intersection of $D_p, D_q, \dots, D_s$ is non-empty, and their codomains are $R_p, R_q, \dots, R_s$ respectively;
Before the attack,
the values of the codomain $R_p$ and the domain $D_p$ of function $f_p$ follow the operation rule $Y_p = f(X_p)$,
the values of the codomain $R_q$ and the domain $D_q$ of function $f_q$ follow the operation rule $Y_q = f(X_q)$, ...,
the values of the codomain $R_s$ and the domain $D_s$ of function $f_s$ follow the operation rule $Y_s = f(X_s)$;
After the attack, if the intersection of their domains $D_p, D_q, \dots, D_s$ changes, the codomains $R_p, R_q, \dots, R_s$ will be affected;
Step 3) The automatic identification method comprises: the malicious attack tampers only with the data at the input terminals and does not tamper with the operation functions of the logic module, so the preset function programs can be used to determine which data item has been maliciously attacked;
There are two functions $f_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ and $f_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$, whose domains are $D_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ and $D_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$ respectively. Their common intersection element is $x_t$. Define elements $x_{k1}, x_{k2}, x_{k3}, \dots, x_{kn}$ and $x'_{k1}, x'_{k2}, x'_{k3}, \dots, x'_{km}$ that lie neither in the domain of $f_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ nor in the domain of $f_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$;
For each element other than the intersection element $x_t$, set up a function program that contains only that element and none of the other elements in the domains of the two functions: $f_{11}(x_1, x_{k1}), f_{12}(x_2, x_{k2}), f_{13}(x_3, x_{k3}), \dots, f_{1n}(x_n, x_{kn})$, and $f_{21}(x'_1, x'_{k1}), f_{22}(x'_2, x'_{k2}), f_{23}(x'_3, x'_{k3}), \dots, f_{2n}(x'_n, x'_{kn})$;
(1) When the malicious attack targets only one data point: when the values of both functions change, it can be accurately determined that the object of the malicious attack is $x_t$;
(2) When only the value of function $f_1(x_1, x_2, x_3, \dots, x_t, \dots, x_n)$ changes, the range of the attack point can be narrowed: the attacked object is judged to be an element of the domain of function $f_1$. Compare in turn the changes in the values of $f_{11}(x_1, x_{k1}), f_{12}(x_2, x_{k2}), f_{13}(x_3, x_{k3}), \dots, f_{1n}(x_n, x_{kn})$ to derive the specific attack position. If only the value of $f_{11}(x_1, x_{k1})$ changes, the object of the malicious attack is $x_1$; if only the value of $f_{12}(x_2, x_{k2})$ changes, the object of the malicious attack is $x_2$; and so on up to $x_n$;
(3) When only the value of function $f_2(x'_1, x'_2, x'_3, \dots, x_t, \dots, x'_n)$ changes, the range of the attack point can be narrowed: the attacked object is judged to be an element of the domain of function $f_2$. Compare in turn the changes in the values of $f_{21}(x'_1, x'_{k1}), f_{22}(x'_2, x'_{k2}), f_{23}(x'_3, x'_{k3}), \dots, f_{2n}(x'_n, x'_{kn})$ to derive the specific attack position;
If only the value of $f_{21}(x'_1, x'_{k1})$ changes, the object of the malicious attack is $x'_1$; if only the value of $f_{22}(x'_2, x'_{k2})$ changes, the object of the malicious attack is $x'_2$; and so on up to $x'_n$;
Through the three steps above, a single-point malicious attack can be identified automatically and the specific position of the attack located accurately; finding the intersection element narrows the range of the attack point, means one fewer function has to be defined, and simplifies the function programs.
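An added example (not code from the patent) of the Step 3 identification logic in claim 1, which also covers steps 5 to 8 of the flow chart: function values are compared against a trusted baseline, then the per-element probe functions pin down the tampered point. The concrete functions, point names such as `xkp1`, the baseline values, the tolerance and the extra consistency check that rejects multi-point changes are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Snapshot = Dict[str, float]


@dataclass(frozen=True)
class LogicFn:
    """A control-logic or probe function over named measurement points."""
    name: str
    inputs: Tuple[str, ...]
    fn: Callable[..., float]

    def value(self, snap: Snapshot) -> float:
        return self.fn(*(snap[k] for k in self.inputs))


def changed(f: LogicFn, base: Snapshot, obs: Snapshot, tol: float = 1e-6) -> bool:
    """True if the function value differs between baseline and observation."""
    return abs(f.value(obs) - f.value(base)) > tol


# Constructed model: f1 and f2 share exactly one domain element, "xt".
F1 = LogicFn("f1", ("x1", "x2", "x3", "xt"), lambda a, b, c, t: a + b + c - t)
F2 = LogicFn("f2", ("x1p", "x2p", "x3p", "xt"), lambda a, b, c, t: a * b + c + 2 * t)
SHARED = "xt"

# One probe per non-shared element: f_1i(x_i, x_ki) pairs the element with an
# auxiliary point that lies in neither domain (hypothetical probe functions).
PROBES1 = {x: LogicFn(f"f1{i}", (x, f"xk{i}"), lambda v, k: v - k)
           for i, x in enumerate(("x1", "x2", "x3"), 1)}
PROBES2 = {x: LogicFn(f"f2{i}", (x, f"xkp{i}"), lambda v, k: v - k)
           for i, x in enumerate(("x1p", "x2p", "x3p"), 1)}

# Constructed trusted snapshot (assumed steady state, so any change is tampering).
BASELINE: Snapshot = {
    "x1": 10.0, "x2": 4.0, "x3": 6.0, "xt": 20.0,
    "x1p": 3.0, "x2p": 5.0, "x3p": 2.0,
    "xk1": 10.0, "xk2": 4.0, "xk3": 6.0,
    "xkp1": 3.0, "xkp2": 5.0, "xkp3": 2.0,
}


def locate(obs: Snapshot, base: Snapshot = BASELINE) -> Optional[str]:
    """Return the tampered point, None if neither function changed, or raise
    ValueError when the evidence contradicts the single-point assumption."""
    c1, c2 = changed(F1, base, obs), changed(F2, base, obs)
    hits1 = [x for x, p in PROBES1.items() if changed(p, base, obs)]
    hits2 = [x for x, p in PROBES2.items() if changed(p, base, obs)]
    if not c1 and not c2:
        return None
    if c1 and c2:
        # Both functions moved: only the shared element explains it, provided
        # no probe moved as well (added consistency check).
        if hits1 or hits2:
            raise ValueError(f"not a single-point change: {hits1 + hits2}")
        return SHARED
    hits = hits1 if c1 else hits2
    other = hits2 if c1 else hits1
    if len(hits) != 1 or other:
        raise ValueError(f"ambiguous probes: {hits1 + hits2}")
    return hits[0]


def tamper(snap: Snapshot, point: str, value: float) -> Snapshot:
    """Copy of the snapshot with one measurement overwritten."""
    return {**snap, point: value}


if __name__ == "__main__":
    for point, value in (("xt", 25.0), ("x2", 4.5), ("x3p", 9.0)):
        print(point, "->", locate(tamper(BASELINE, point, value)))
```

A change to an auxiliary point such as `xk1` moves a probe without moving `f1` or `f2`, so this sketch reports nothing for it.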
CN201710226609.4A 2017-04-09 2017-04-09 White-box detection method for single-point data attacks in power systems Active CN106874766B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710226609.4A CN106874766B (en) 2017-04-09 2017-04-09 White-box detection method for single-point data attacks in power systems

Publications (2)

Publication Number Publication Date
CN106874766A CN106874766A (en) 2017-06-20
CN106874766B true CN106874766B (en) 2018-11-13

Family

ID=59161021

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105930723A (en) * 2016-04-20 2016-09-07 福州大学 Intrusion detection method based on feature selection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103324847B (en) * 2013-06-17 2016-12-28 西南交通大学 Electrical Power System Dynamic bad data detection and identification method
CN104125112B (en) * 2014-07-29 2017-04-19 西安交通大学 Physical-information fuzzy inference based smart power grid attack detection method
CN104573510B (en) * 2015-02-06 2017-08-04 西南科技大学 A kind of intelligent grid malicious data injection attacks and detection method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170620

Assignee: SHANGHAI CLOUD INFORMATION TECHNOLOGY Co.,Ltd.

Assignor: SHANGHAI YUNJIAN INFORMATION TECHNOLOGY Co.,Ltd.

Contract record no.: X2022310000003

Denomination of invention: White box detection method of single point data attack in power system

Granted publication date: 20181113

License type: Common License

Record date: 20220120
