CN110334507A - Method, apparatus and electronic device for detecting the security of a power grid system - Google Patents

Publication number
CN110334507A
Authority
CN
China
Prior art keywords
network system
state
control instruction
measurement data
current measurement
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910530425.6A
Other languages
Chinese (zh)
Inventor
胡堰
田直
杨红
李凯斌
陈晓宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing China Science And Technology Federation Safety Technology Co Ltd
Original Assignee
Beijing China Science And Technology Federation Safety Technology Co Ltd
Application filed by Beijing China Science And Technology Federation Safety Technology Co Ltd
Priority to CN201910530425.6A
Publication of CN110334507A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Energy or water supply

Abstract

An embodiment of the present invention discloses a method, apparatus and electronic device for detecting the security of a power grid system. It relates to the field of Internet of Things information security and can test a power grid system's resistance to advanced stealthy attacks. The method comprises: carrying out a simulated attack on a power grid system under test according to a predetermined attack strategy, the simulated attack being realized by tampering with the normal measurement data and normal control instructions of the power grid system; and judging whether the state of the power grid system after the simulated attack is a dangerous state and, if so, determining that the power grid system is insecure. The invention is applicable to security testing of various power grid systems.

Description

Method, apparatus and electronic device for detecting the security of a power grid system
Technical field
The present invention relates to the field of Internet of Things information security, and in particular to a method, apparatus and electronic device for detecting the security of a power grid system.
Background
Industrial control systems (ICS) are widely used in many key areas of national critical infrastructure (such as electric power, water conservancy, manufacturing, energy, transportation, finance and the military industry). Early industrial control systems were independent and closed, which made it difficult for external malicious attackers to intrude into them. With the rapid development of information technology, however, industrial control systems have increasingly been integrated with Internet technology so that they can take full advantage of the convenience that the Internet and information technology bring. At the same time, as the cyberspace security situation grows more severe, industrial control systems are increasingly exposed to public view, which gives external malicious attackers more opportunities to intrude and brings serious information security risks to industrial control systems.
A smart grid system is a typical industrial control system. The power supply chain is generally divided into three subsystems: generation, transmission and distribution. High-voltage transmission lines run from the power station to the main distribution substation, which steps the high voltage down to low voltage to supply ordinary users. Suppose an attacker carries out a man-in-the-middle (MITM) attack on the communication line between the human-machine interface (HMI) and a programmable logic controller (PLC) or remote terminal unit (RTU). The attacker can eavesdrop on or intercept the data stream, can inject, delete or delay data packets, and can even take over the HMI to issue false control instructions, thereby damaging physical equipment. Attack and defense techniques for power grid systems have always been a focus of the industrial control field.
If the power grid system stays in a normal operating state, an attacker cannot paralyze it by implanting malicious instructions that did not originally exist, nor tamper a "read" instruction into a "write" instruction, because such implanted or altered instructions are easily detected by existing intrusion detection systems and therefore cannot achieve a stealthy attack. All the attacker can do is tamper with the values of key variables in the grid's normal measurement data or normal control commands, and the tampered values must still belong to the set of normal values the system allows; only in this way can the attack evade the intrusion detection system. At present there is no method for detecting whether a power grid system can withstand an advanced stealthy attack carried out by tampering with measurement data values and control instructions.
Summary of the invention
In view of this, embodiments of the present invention provide a method, apparatus and electronic device for detecting the security of a power grid system, which can test the system's resistance to advanced stealthy attacks and explore the risks and vulnerabilities present in it, providing a basis for the further design of security protection measures for power grid systems.
In a first aspect, an embodiment of the present invention provides a method for detecting the security of a power grid system, comprising:
carrying out a simulated attack on the power grid system under test according to a predetermined attack strategy, the simulated attack being realized by tampering with the normal measurement data and normal control instructions of the power grid system;
judging whether the state of the power grid system after the simulated attack is a dangerous state, the dangerous state being a preset state that the power grid system is not allowed to enter;
if the state of the power grid system after the simulated attack is a dangerous state, determining that the power grid system is insecure.
With reference to the first aspect, in a first embodiment of the first aspect, carrying out the simulated attack on the power grid system under test according to the predetermined attack strategy comprises:
identifying the current state of the power grid system;
if the power grid system is identified as being in the normal state, monitoring and intercepting first voltage and current measurement data sent by the remote terminal unit of the power grid system to the human-machine interface, tampering the first voltage and current measurement data into second voltage and current measurement data, and sending the second voltage and current measurement data to the human-machine interface; the second voltage and current measurement data are voltage and current measurement data of the power grid system under abnormal operation;
intercepting a first control instruction sent by the human-machine interface to the remote terminal unit, tampering the first control instruction into a second control instruction, and sending the second control instruction to the remote terminal unit; the first control instruction is for controlling the power grid system to enter a fault state in order to repair the fault reflected by the second voltage and current measurement data, and the second control instruction is for controlling the power grid system to transition from the normal state to the dangerous state; the fault state is a state from which the power grid system can return to the normal state after fault repair.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, after the first control instruction is tampered into the second control instruction and sent to the remote terminal unit, the method further comprises:
identifying the current state of the power grid system;
if the state of the power grid system is identified as the fault state, monitoring and intercepting third voltage and current measurement data sent by the remote terminal unit of the power grid system to the human-machine interface, tampering the third voltage and current measurement data into fourth voltage and current measurement data, and sending the fourth voltage and current measurement data to the human-machine interface; the fourth voltage and current measurement data characterize the fault reflected by the second voltage and current measurement data as being in the fault recovery stage;
intercepting a third control instruction sent by the human-machine interface to the remote terminal unit, tampering it into a fourth control instruction, and sending the fourth control instruction to the remote terminal unit; the third control instruction is for controlling the power grid system to recover from the fault state to the normal state, and the fourth control instruction is for controlling the power grid system to transition from the fault state to the dangerous state.
With reference to the first or second embodiment of the first aspect, in a third embodiment of the first aspect, before the simulated attack is carried out on the power grid system under test according to the predetermined attack strategy, the method further comprises:
obtaining the set of key operable state quantities of the power grid system;
defining the state control instruction values used to perform state control on the key operable state quantities;
defining the computational relationship in the power grid system between the value of a state quantity at the current moment, its value at the previous moment, and the state control instruction value;
constructing the normal state vector set, fault state vector set and dangerous state vector set of the power grid system;
determining the state control instruction values required for the power grid system to transition between different states, to obtain the state transition graph of the power grid system;
wherein the second control instruction and the fourth control instruction are obtained according to the state transition graph.
With reference to the first or second embodiment of the first aspect, in a fourth embodiment of the first aspect, the voltage and current measurement data or control instructions transmitted between the remote terminal unit and the human-machine interface are tampered with by means of a man-in-the-middle attack.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting the security of a power grid system, comprising:
a simulated attack module, for carrying out a simulated attack on the power grid system under test according to a predetermined attack strategy, the simulated attack being realized by tampering with the normal measurement data and normal control instructions of the power grid system;
a judgment module, for judging whether the state of the power grid system after the simulated attack is a dangerous state, the dangerous state being a preset state that the power grid system is not allowed to enter;
a determining module, for determining that the power grid system is insecure when the judgment result of the judgment module is yes.
With reference to the second aspect, in a first embodiment of the second aspect, the simulated attack module comprises:
a system state identification and recording submodule, for identifying and recording the current state of the power grid system;
a measurement data tampering submodule, for, when the system state identification and recording submodule has most recently identified the power grid system as being in the normal state, monitoring and intercepting first voltage and current measurement data sent by the remote terminal unit of the power grid system to the human-machine interface, tampering the first voltage and current measurement data into second voltage and current measurement data, and sending the second voltage and current measurement data to the human-machine interface; the second voltage and current measurement data are voltage and current measurement data of the power grid system under abnormal operation;
an instruction tampering submodule, for intercepting a first control instruction sent by the human-machine interface to the remote terminal unit, tampering the first control instruction into a second control instruction, and sending the second control instruction to the remote terminal unit; the first control instruction is for controlling the power grid system to enter a fault state in order to repair the fault reflected by the second voltage and current measurement data, and the second control instruction is for controlling the power grid system to transition from the normal state to the dangerous state; the fault state is a state from which the power grid system can return to the normal state after fault repair.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the measurement data tampering submodule is further for, when the system state identification and recording submodule has most recently identified the power grid system as being in the fault state, monitoring and intercepting third voltage and current measurement data sent by the remote terminal unit of the power grid system to the human-machine interface, tampering the third voltage and current measurement data into fourth voltage and current measurement data, and sending the fourth voltage and current measurement data to the human-machine interface; the fourth voltage and current measurement data characterize the fault reflected by the second voltage and current measurement data as being in the fault recovery stage;
the instruction tampering submodule is further for intercepting a third control instruction sent by the human-machine interface to the remote terminal unit, tampering it into a fourth control instruction, and sending the fourth control instruction to the remote terminal unit; the third control instruction is for controlling the power grid system to recover from the fault state to the normal state, and the fourth control instruction is for controlling the power grid system to transition from the fault state to the dangerous state.
With reference to the first or second embodiment of the second aspect, in a third embodiment of the second aspect, the apparatus further comprises:
a state quantity obtaining module, for obtaining the set of key operable state quantities of the power grid system;
a first definition module, for defining the state control instruction values used to perform state control on the key operable state quantities;
a second definition module, for defining the computational relationship in the power grid system between the value of a state quantity at the current moment, its value at the previous moment, and the state control instruction value;
a state vector set construction module, for constructing the normal state vector set, fault state vector set and dangerous state vector set of the power grid system;
a state transition graph obtaining module, for determining the state control instruction values required for the power grid system to transition between different states, to obtain the state transition graph of the power grid system;
wherein the instruction tampering submodule generates the second control instruction and the fourth control instruction according to the state transition graph obtained by the state transition graph obtaining module.
With reference to the first or second embodiment of the second aspect, in a fourth embodiment of the second aspect, the simulated attack module further comprises a man-in-the-middle attack submodule implanted between the remote terminal unit and the human-machine interface of the power grid system;
the measurement data tampering submodule specifically uses the man-in-the-middle attack software carried by the man-in-the-middle attack submodule to tamper with the voltage and current measurement data sent by the remote terminal unit to the human-machine interface;
the instruction tampering submodule specifically uses the man-in-the-middle attack software carried by the man-in-the-middle attack submodule to tamper with the first control instruction sent by the human-machine interface to the remote terminal unit.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to execute the method for detecting the security of a power grid system described in any of the foregoing embodiments.
In the method, apparatus and electronic device for detecting the security of a power grid system provided by the embodiments of the present invention, a simulated attack is carried out on the power grid system under test according to a predetermined attack strategy, and it is judged whether the state of the power grid system after the simulated attack is a dangerous state, the dangerous state being a preset state that the power grid system is not allowed to enter. If the state of the power grid system after the simulated attack is a dangerous state, the power grid system is determined to be insecure. Because the simulated attack is realized by tampering with the normal measurement data and normal control instructions of the power grid system, the present invention can test the security of a power grid system specifically against this kind of attack and find its vulnerabilities in time, which helps in the subsequent design of stronger grid security protection mechanisms.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of method embodiment one for detecting the security of a power grid system provided by the present invention;
Fig. 2 is a flowchart of one implementation of step 102 in Fig. 1;
Fig. 3 is a flowchart of another implementation of step 102 in Fig. 1;
Fig. 4 is a flowchart of method embodiment two for detecting the security of a power grid system provided by the present invention;
Fig. 5 is a state transition graph of the power grid system provided by the present invention;
Fig. 6 is a schematic diagram of a power grid system with two power supply lines provided by an embodiment of the present invention;
Fig. 7 is the state transition graph, provided by an embodiment of the present invention, for the power grid system shown in Fig. 6;
Fig. 8 is a structural schematic diagram of apparatus embodiment one for detecting the security of a power grid system of the present invention;
Fig. 9 is a structural schematic diagram of apparatus embodiment two for detecting the security of a power grid system of the present invention;
Fig. 10 is a structural schematic diagram of apparatus embodiment three for detecting the security of a power grid system of the present invention;
Fig. 11 is a structural schematic diagram of apparatus embodiment four for detecting the security of a power grid system of the present invention;
Fig. 12 is a structural schematic diagram of one embodiment of the electronic device of the present invention.
Detailed description
The method, apparatus and electronic device for detecting the security of a power grid system according to the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of method embodiment one for detecting the security of a power grid system provided by the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: carry out a simulated attack on the power grid system under test according to a predetermined attack strategy;
The simulated attack is realized by tampering with the normal measurement data and normal control instructions of the power grid system.
In this embodiment, predetermined attack software tampers with the measurement data or control instruction values transmitted between the remote terminal unit and the human-machine interface of the power grid system, realizing an advanced stealthy simulated attack on the power grid system.
Step 102: judge whether the state of the power grid system after the simulated attack is a dangerous state; if so, execute step 103.
In the present invention, the state of the power grid system is defined as one of three states: normal, fault and dangerous. The fault state is a state from which the power grid system can return to the normal state after fault repair. The dangerous state is a preset state that the power grid system is not allowed to enter; it is the system state the attacker wants to reach, and once it occurs the system suffers massive losses. A large-area blackout, for example, is a dangerous state.
Step 103: determine that the power grid system is insecure.
In this embodiment, the power grid system under test is subjected to a simulated attack by tampering with its normal measurement data and normal control instructions, so that problems in the system can be found in time. For example, after the design of a power grid system is completed, the method provided by the embodiment of the present invention can be used to test and verify its security.
Fig. 2 is a flowchart of one implementation of step 102 in Fig. 1. As shown in Fig. 2, the method of carrying out a simulated attack on the power grid system under test according to the predetermined attack strategy may include:
Step 201: identify the current state of the power grid system; if the power grid system is identified as being in the normal state, continue with step 202.
Step 202: monitor and intercept the first voltage and current measurement data sent by the remote terminal unit of the power grid system to the human-machine interface, tamper the first voltage and current measurement data into second voltage and current measurement data, and send the second voltage and current measurement data to the human-machine interface.
The first voltage and current measurement data are the normal measurement data that the RTU sends to the HMI when the power grid system is in the normal state, while the tampered second voltage and current measurement data characterize the power grid system as operating abnormally. The system administrator at the HMI then determines the system's fault condition from the received second voltage and current measurement data and sends, through the HMI, a first control instruction for that fault condition to the RTU in order to have the power grid system perform fault repair. The first control instruction is for controlling the power grid system to enter the fault state so as to repair the fault reflected by the second voltage and current measurement data. Preferably, the voltage and current measurement data transmitted between the RTU and the HMI can be tampered with by means of a man-in-the-middle attack.
Step 203: intercept the first control instruction sent by the human-machine interface to the remote terminal unit, tamper the first control instruction into a second control instruction, and send the second control instruction to the remote terminal unit.
The second control instruction is for controlling the power grid system to transition from the normal state to the dangerous state.
In this embodiment, the normal control instruction sent by the HMI to the RTU is tampered into a malicious control instruction. After receiving the second control instruction, the RTU performs state control on some of the state quantities of the power grid system according to that instruction, so that the power grid system transitions from the normal state to the dangerous state, realizing an advanced stealthy attack on the power grid system under test.
Fig. 3 is a flowchart of another implementation of step 102 in Fig. 1. On the basis of Fig. 2, the following steps may also be included after step 203:
Step 204: identify the current state of the power grid system; if the state of the power grid system is identified as the fault state, go on to step 205.
Step 205: monitor and intercept the third voltage and current measurement data sent by the remote terminal unit of the power grid system to the human-machine interface, tamper the third voltage and current measurement data into fourth voltage and current measurement data, and send the fourth voltage and current measurement data to the human-machine interface.
The fourth voltage and current measurement data characterize the fault reflected by the second voltage and current measurement data as being in the fault recovery stage. In this embodiment, if the attack of steps 202-203 fails, that is, the power grid system transitions to the fault state according to the first control instruction, the third voltage and current measurement data sent by the RTU to the HMI are tampered with again so that the system administrator mistakenly believes the system is carrying out fault recovery. Once the system administrator believes the fault repair is complete, a third control instruction is sent to the RTU through the HMI so that the power grid system returns from the fault state to the normal operating state. The third control instruction is for controlling the power grid system to recover from the fault state to the normal state.
Step 206: intercept the third control instruction sent by the human-machine interface to the remote terminal unit, tamper it into a fourth control instruction, and send the fourth control instruction to the remote terminal unit.
The fourth control instruction is for controlling the power grid system to transition from the fault state to the dangerous state.
In this embodiment, if the power grid system enters the fault state from the normal state after the first attack fails, the measurement data and control instruction values transmitted between the RTU and the HMI are tampered with again in an attempt to move the power grid system from the fault state to the dangerous state, realizing a second advanced stealthy attack on the power grid system under test.
Preferably, in the embodiments shown in Fig. 2 and Fig. 3, the control instructions transmitted from the HMI to the RTU can be tampered with by means of a man-in-the-middle attack. When tampering, the tampered control instruction is selected according to the previously obtained state transition graph of the power grid system's transitions between different states (or the set of correspondences between state transitions and control instructions), and the tampered control instruction and the original control instruction must satisfy a preset relation, which is described in detail below with specific embodiments.
Fig. 4 is a flowchart of method embodiment two for detecting the security of a power grid system provided by the present invention. As shown in Fig. 4, the method of this embodiment may include:
Step 401: obtain the set of key operable state quantities of the power grid system;
In this embodiment, the set of key operable state quantities of the power grid system is denoted $\{x_1, x_2, \ldots, x_N\}$. The state quantities are embodied as the line switches between transmission lines and substations, between different positions on a transmission line, and between different transmission lines in the power grid system. Depending on the specific scenario, the system administrator can send control instructions to the RTU through the HMI to control the opening and closing of certain switches, thereby realizing specific functions of the power grid system. Since a switch has only two states, open and closed, this embodiment sets $x_i \in \{-1, 1\}$ $(i = 1, 2, \ldots, N)$, where $1$ indicates that the switch is closed, $-1$ indicates that the switch is open, and $N$ is the number of all operable state quantities.
Step 402: define the state control instruction values used to perform state control on the key operable state quantities;
In this embodiment, the operations that the system administrator can perform on the key operable state quantities are defined, and the state control instruction value is denoted by the variable $a \in \{-1, 0, 1\}$. $a = -1$ is the "open switch" instruction for the corresponding operable state quantity, $a = 1$ is the "close switch" instruction, and $a = 0$ is the "remain unchanged" operation; no control instruction needs to be sent when $a = 0$. A control instruction that operates on several state quantities at the same time can be represented by the operation vector $a = [a_1, a_2, \ldots, a_N]$, where $a_i \in \{-1, 0, 1\}$ $(i \in \{1, 2, \ldots, N\})$ is the control operation on the $i$-th state quantity.
Step 403: define the computational relationship in the power grid system between the value of a state quantity at the current moment, its value at the previous moment, and the state control instruction value;
In the present embodiment, the rule change of quantity of state in network system is defined: when single status amount is current in network system The value at quarterValue depending on its previous momentThe operation that the quantity of state is carried out with Systems OperatorI.e.Wherein operatorIt is expressed as follows computation rule: ifOr -1, thenIf Then
Step 404: construct the normal state vector set, the fault state vector set and the dangerous state vector set of the network system;
In the present embodiment, the possibility value of all quantity of states in network system normal course of operation is defined, is constituted normal State vector setWherein,It indicates in l kind normal condition Under, the vector that each quantity of state is constituted, i.e.,
The possibility value of all quantity of states in network system failure process is defined, fault state vector set is constitutedWhereinIndicate each quantity of state structure under kth kind malfunction At vector, i.e.,
The possibility value that network system is in all quantity of states in dangerous process is defined, precarious position vector set is constitutedWhereinIndicate each quantity of state under m kind precarious position The vector of composition, i.e.,
Step 405: determine the state control instruction values required for the network system to convert between different states, and obtain the state transition graph of the network system;
In the present embodiment, the state transition graph of network system as shown in figure 5, network system can be converted from normal condition to Malfunction is converted from malfunction and is converted respectively to normal condition, from normal condition and malfunction to precarious position, Fig. 5 In,For system fromCorresponding normal condition is transformed intoIt is corresponding Malfunction needed for state control instruction,For system fromCorresponding malfunction turns It changes toState control instruction needed for corresponding normal condition,For system fromCorresponding malfunction is transformed intoNeeded for corresponding precarious position State control instruction,For system fromCorresponding normal condition is transformed intoState control instruction needed for corresponding precarious position.
Step 406: identify the current state of the network system. If the network system is identified as being in the normal state, continue with step 407. Alternatively, further, if the network system is identified as being in the fault state, jump to step 410.
Step 407: monitor and intercept the first voltage and current measurement data sent by the RTU to the HMI in the network system, tamper the first voltage and current measurement data into second voltage and current measurement data, and send them to the HMI.
In this embodiment, the process of step 407 is similar to step 202 of the method embodiment above and is not repeated here.
Step 408: intercept the first control instruction sent by the HMI to the RTU, tamper the first control instruction into a second control instruction, and send it to the RTU.
In this embodiment, based on the second voltage and current measurement data received by the HMI, the system administrator sends the first control instruction to the RTU through the HMI to open or close certain line switches, so that the network system enters the fault repair stage. At this point, the first control instruction is intercepted and tampered into a malicious second control instruction, so that the system enters the dangerous state directly. The first and second control instructions must satisfy a preset relation (|a| denotes taking the absolute value of each element of vector a), namely: the vector of the tampered control instruction is not equal to the vector of the original control instruction, but the absolute values of the elements at the same position in the two vectors are equal.
Step 409: identify the current state of the network system;
In this step, if the state of the network system is identified as the fault state, proceed to the next step, step 410; if the state of the network system is identified as the dangerous state, exit the simulated attack process and execute step 412.
Step 410: monitor and intercept the third voltage and current measurement data sent by the RTU to the HMI in the network system, tamper the third voltage and current measurement data into fourth voltage and current measurement data, and send them to the HMI.
In this step, the third voltage and current measurement data sent by the RTU to the HMI in the network system are monitored and intercepted, and are tampered into fourth voltage and current measurement data that simulate how current and voltage change during the recovery stage of the fault indicated by the second voltage and current measurement data. Once the system administrator believes the fault has been repaired, the HMI sends a third control instruction to the RTU so that the network system is restored from the fault state to normal operation.
Step 411: intercept the third control instruction sent by the HMI to the RTU, tamper it into a fourth control instruction, and send the fourth control instruction to the RTU.
In this step, by third control instructionDistort into the 4th control instruction of maliceThird control refers to Preset relation must be met between the 4th control instruction by enabling:AndSo that the network system Enter precarious position from malfunction.
Step 412: judge whether the state of the network system is the dangerous state; if so, execute step 413.
Step 413: determine that the network system is unsafe.
In this embodiment, if the state of the network system is judged to be the safe state, the network system is determined to be safe against the attack mode of tampering with measurement data values and control instructions. If the state of the network system is judged to be the fault state, the cause of the fault is investigated to determine whether it is an ordinary fault of the network system itself or was caused by the simulated attack of steps 406-411.
In this embodiment, the set of key operable state quantities of the network system is obtained; the operations the system administrator can perform on the state quantities and the rule by which state quantities change are defined; the possible values of all state quantities during normal operation, during a fault and when the network system is in danger are defined, forming the normal state vector set, the fault state vector set and the dangerous state vector set; and the state transition graph of the network system is defined. Finally, the voltage and current measurement values sent by the RTU to the HMI are tampered with through a man-in-the-middle attack so that the system administrator mistakenly believes that certain parts of the network system have failed, and while the system administrator sends troubleshooting and fault recovery control instructions through the HMI, the control instructions issued by the HMI are tampered with through a man-in-the-middle attack so that the system enters the dangerous state from the normal or fault state, thereby simulating an advanced covert attack on the network system. The method provided in this embodiment can test the network system's ability to defend against advanced covert attacks characterized by tampering with measurement data values and control instructions, which helps in analysing the fragility of the network system, finding its vulnerabilities in time and putting corresponding defensive measures in place in advance.
A specific embodiment is used below to describe in detail the technical solution of the method embodiment shown in Fig. 4.
Fig. 6 shows a network system with two power supply lines. Both lines are supplied by the same substation. The upper line, line No. 1, consists of five line switches controlled by RTU01~RTU05 and the connecting wires; the lower line, line No. 2, consists of four line switches controlled by RTU08~RTU11 and the connecting wires. Each RTU can connect or disconnect a specific position of the power supply line. Under normal conditions, RTU01~RTU05 and RTU08~RTU11 are normally closed and RTU07 is normally open. When one of the two power supply lines fails, the connection between the faulty line and the substation is disconnected (that is, if line No. 1 fails, RTU01 is opened; if line No. 2 fails, RTU11 is opened) and RTU07 is closed at the same time, so that the healthy line supplies the faulty line and the necessary fault recovery operations can be carried out until the fault is cleared. The connection between the formerly faulty line and the substation is then re-established and RTU07 is opened at the same time, returning the whole network system to the normal state.
The method provided by the embodiment of the invention is applied with Fig. 6 as the power grid under test, and comprises the following steps:
1) Obtain the set of key operable state quantities of the network system, which in this network system is {RTU01, RTU07, RTU11}. The system administrator can send control instructions to these three RTUs through the HMI to close or open the corresponding line switches and thereby convert the system between its different states.
2) Define the operations the system administrator can perform on the key operable state quantities, and denote the state control instruction value as the variable a ∈ {-1, 0, 1}. a = -1 is the "open switch" instruction for the corresponding operable state quantity, a = 1 is the "close switch" instruction, and a = 0 is the "remain unchanged" operation; when a = 0, no control instruction needs to be sent. A control instruction that operates on several state quantities at once can be represented by the operation vector a = [a_1, a_2, ..., a_N], where a_i ∈ {-1, 0, 1} (i ∈ {1, 2, ..., N}) is the operation on the i-th state quantity.
3) rule change of quantity of state in network system is defined: the value at single status amount current time in network system Value depending on its previous momentThe operation that the quantity of state is carried out with Systems OperatorI.e.Its Middle operatorIt is expressed as follows computation rule: ifOr -1, thenIfThen
4) Define the possible values of all state quantities during normal operation of the network system; the normal state vector set of this system is {[1, -1, 1]}, meaning that RTU01 and RTU11 are connected and RTU07 is disconnected. Define the possible values of all state quantities during a fault of the network system; the fault state vector set is {[-1, 1, 1], [1, 1, -1]}, where [-1, 1, 1] means that the upper line, line No. 1, has failed, so RTU01 is opened and RTU07 is closed, and [1, 1, -1] means that the lower line, line No. 2, has failed, so RTU11 is opened and RTU07 is closed. Define the possible values of all state quantities when the network system is in danger; the dangerous state vector set of this system is {[-1, -1, -1], [-1, -1, 1], [-1, 1, -1], [1, -1, -1], [1, 1, 1]}, which is the set of all states other than the normal state and the fault states. Most dangerous states cause a large-scale power outage.
5) Define the state transition graph of the network system. As shown in Fig. 7, the normal state can be converted into a fault state or a dangerous state by specific control instructions: for example, the normal state [1, -1, 1] is converted into the fault state [-1, 1, 1] by the control instruction [-1, 1, 0], and into the dangerous state [-1, -1, -1] by the control instruction [-1, 0, -1], i.e. both lines lose power over a wide area. A fault state can likewise be converted into the normal state or a dangerous state by specific control instructions: for example, the fault state [-1, 1, 1] can be converted into the normal state [1, -1, 1] by the control instruction [1, -1, 0], or into the dangerous state [-1, -1, 1] by the control instruction [0, -1, 1], i.e. line No. 1 loses power over a wide area. During normal operation the system only converts between the normal state and the fault states; if the system is subjected to a malicious attack, it may be moved into a dangerous state.
6) Tamper, by means of a man-in-the-middle attack, with the line voltage and current measurement values sent by the RTU to the HMI, for example by changing the normal voltage and current values of line No. 1 to 0, so that the system administrator believes line No. 1 has failed;
7) The system administrator sends the specific control instruction [-1, 1, 0] to the RTU through the HMI, intending to open RTU01 and close RTU07 so that the system enters the fault state for fault repair. At this point the instruction value is tampered with through the man-in-the-middle attack so that [-1, -1, 0] is sent to the RTU; the system then enters the dangerous state [-1, -1, 1], and line No. 1 suffers a large-scale power outage;
8) If the advanced covert attack did not succeed in the previous step, the network system opens RTU01 and closes RTU07 according to the control instruction [-1, 1, 0] and enters the fault state. The current and voltage measurement values sent by the RTU on line No. 1 to the HMI are then intercepted again and modified to simulate data characterizing how current and voltage change during that line's fault recovery stage. Once the system administrator believes the fault has been repaired, the control instruction [1, -1, 0] is sent through the HMI to restore the network system to the normal state. At this point the control instruction [1, -1, 0] is intercepted and tampered with again so that it becomes [-1, -1, 0]; the system is then converted from the fault state [-1, 1, 1] to the dangerous state [-1, -1, 1], and line No. 1 suffers a large-scale power outage.
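The state model of steps 1) to 8), written out as an added example that is not part of the patent text: it encodes the three-switch system in the order (RTU01, RTU07, RTU11) and applies control instructions with the rule implied by step 2) (1 or -1 sets the switch, 0 leaves it unchanged). The function names, the RTU-side interlock and the HMI/RTU log comparison are assumptions introduced here to show how a defender can use the same model to reject or flag an instruction that leads to a dangerous state.

```python
from itertools import product

# State vector order used in the worked example: (RTU01, RTU07, RTU11).
# 1 = switch closed, -1 = switch open.
SWITCHES = ("RTU01", "RTU07", "RTU11")
NORMAL = {(1, -1, 1)}
FAULT = {(-1, 1, 1), (1, 1, -1)}
# Per step 4), every remaining switch combination is a dangerous state.
DANGER = set(product((-1, 1), repeat=len(SWITCHES))) - NORMAL - FAULT


def apply_instruction(state, instr):
    """Next state: an instruction element of 1 or -1 sets the switch, 0 keeps it."""
    if len(state) != len(SWITCHES) or len(instr) != len(SWITCHES):
        raise ValueError("state and instruction need one entry per switch")
    if any(s not in (-1, 1) for s in state):
        raise ValueError("state entries must be -1 or 1")
    if any(a not in (-1, 0, 1) for a in instr):
        raise ValueError("instruction entries must be -1, 0 or 1")
    return tuple(s if a == 0 else a for s, a in zip(state, instr))


def classify(state):
    """Label a state vector as 'normal', 'fault' or 'danger'."""
    state = tuple(state)
    if state in NORMAL:
        return "normal"
    if state in FAULT:
        return "fault"
    return "danger"


def instruction_between(src, dst):
    """Instruction that moves src to dst (0 where the switch does not change)."""
    return tuple(0 if s == d else d for s, d in zip(src, dst))


def legitimate_transitions():
    """Normal <-> fault edges of the transition graph, keyed by (state, instruction)."""
    edges = {}
    for n in NORMAL:
        for f in FAULT:
            edges[(n, instruction_between(n, f))] = f
            edges[(f, instruction_between(f, n))] = n
    return edges


def interlock(state, instr):
    """Hypothetical RTU-side check: accept only instructions on a legitimate edge."""
    nxt = apply_instruction(state, instr)
    accept = (tuple(state), tuple(instr)) in legitimate_transitions()
    return {"next": nxt, "label": classify(nxt), "accept": accept}


def audit(state, sent_by_hmi, received_by_rtu):
    """Compare the HMI's record of an instruction with what the RTU received."""
    sent, recv = tuple(sent_by_hmi), tuple(received_by_rtu)
    same_switches = tuple(map(abs, sent)) == tuple(map(abs, recv))
    return {
        "modified_in_transit": sent != recv,
        # Preset relation from the description: same switches touched, other values.
        "matches_preset_relation": sent != recv and same_switches,
        "intended": classify(apply_instruction(state, sent)),
        "actual": classify(apply_instruction(state, recv)),
    }


if __name__ == "__main__":
    normal, fault = (1, -1, 1), (-1, 1, 1)
    # Constructed records reproducing the instruction pairs of steps 7) and 8).
    for state, sent, recv in [(normal, (-1, 1, 0), (-1, -1, 0)),
                              (fault, (1, -1, 0), (-1, -1, 0))]:
        print(state, sent, recv, interlock(state, recv), audit(state, sent, recv))
```

The interlock is a strict allowlist: an instruction that reaches a fault or normal state by a route not in the transition graph is also rejected, which a real deployment would have to decide on deliberately.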
Corresponding to the method for detecting network system safety provided by the embodiments of the invention, an embodiment of the invention also provides a device for detecting network system safety. Fig. 8 is a structural schematic diagram of device embodiment one for detecting network system safety of the invention. As shown in Fig. 8, the device of this embodiment may include:
A simulated attack module 11, configured to carry out a simulated attack on the network system under test according to a predetermined attack strategy; the simulated attack is carried out by altering the normal measurement data and normal control instructions of the network system;
A judgment module 12, configured to judge whether the state of the network system after the simulated attack is the dangerous state; the dangerous state is a preset state that the network system is not allowed to enter;
A determining module 13, configured to determine that the network system is unsafe when the judgment result of the judgment module 12 is yes.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 9 is a structural schematic diagram of device embodiment two for detecting network system safety of the invention. As shown in Fig. 9, on the basis of the device structure shown in Fig. 8, the simulated attack module 12 of this embodiment further includes:
A system state identification and recording submodule 121, configured to identify and record the current state of the network system;
A measurement data tampering submodule 122, configured to, when the system state identification and recording submodule 121 has most recently identified the network system as being in the normal state, monitor and intercept the first voltage and current measurement data sent by the remote terminal unit of the network system to the human-machine interface, tamper the first voltage and current measurement data into second voltage and current measurement data, and send them to the human-machine interface; the second voltage and current measurement data are the voltage and current measurement data of the network system under abnormal operation;
An instruction tampering submodule 123, configured to, after the measurement data tampering submodule 122 has sent the second voltage and current measurement data to the human-machine interface, monitor and intercept the first control instruction sent by the human-machine interface to the remote terminal unit, tamper the first control instruction into a second control instruction, and send it to the remote terminal unit; the first control instruction is used to control the network system to enter the fault state so that the fault reflected by the second voltage and current measurement data can be repaired, and the second control instruction is used to control the network system to convert from the normal state to the dangerous state; the fault state is a state from which the network system can return to the normal state after fault repair.
The device of this embodiment can be used to execute the technical solutions of the method embodiments shown in Fig. 1 and Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
In an alternative embodiment, the measurement data tampering submodule 122 in Fig. 9 is further configured to, when the system state identification and recording submodule has most recently identified the network system as being in the fault state, monitor and intercept the third voltage and current measurement data sent by the remote terminal unit of the network system to the human-machine interface, tamper the third voltage and current measurement data into fourth voltage and current measurement data, and send them to the human-machine interface; the fourth voltage and current measurement data are used to indicate that the fault reflected by the second voltage and current measurement data is in the fault recovery stage. The instruction tampering submodule 123 is further configured to, after the measurement data tampering submodule 122 has sent the fourth voltage and current measurement data to the human-machine interface, monitor and intercept the third control instruction sent by the human-machine interface to the remote terminal unit, tamper it into a fourth control instruction, and send the fourth control instruction to the remote terminal unit; the third control instruction is used to control the network system to recover from the fault state to the normal state, and the fourth control instruction is used to control the network system to convert from the fault state to the dangerous state.
Fig. 10 is a structural schematic diagram of device embodiment three for detecting network system safety of the invention. As shown in Fig. 10, on the basis of the device structure shown in Fig. 9, the device of this embodiment further includes:
A state quantity obtaining module 14, configured to obtain the set of key operable state quantities of the network system;
A first definition module 15, configured to define the state control instruction values used to control the state of the key operable state quantities obtained by the state quantity obtaining module 14;
A second definition module 16, configured to define the calculation relationship between a state quantity's value at the current time, its value at the previous moment, and the state control instruction value in the network system;
A state vector set construction module 17, configured to perform calculations according to the calculation relationship defined by the second definition module 16 and construct the normal state vector set, the fault state vector set and the dangerous state vector set of the network system;
A state transition graph obtaining module 18, configured to determine the state control instruction values required for the network system to convert between state vectors in the different state vector sets constructed by the state vector set construction module 17, and obtain the state transition graph of the network system;
Wherein the instruction tampering submodule 123 specifically generates the second control instruction and the fourth control instruction according to the state transition graph obtained by the state transition graph obtaining module 18.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 4; its implementation principle and technical effect are similar and are not repeated here.
Fig. 11 is a structural schematic diagram of device embodiment four for detecting network system safety of the invention. As shown in Fig. 11, on the basis of the device structure shown in Fig. 9, the simulated attack module 12 of this embodiment further includes: a man-in-the-middle attack submodule 124 implanted between the remote terminal unit and the human-machine interface of the network system; wherein the measurement data tampering submodule 121 specifically uses the man-in-the-middle attack software carried by the man-in-the-middle attack submodule 124 to alter the voltage and current measurement data sent by the remote terminal unit to the human-machine interface, and the instruction tampering submodule 123 specifically uses the man-in-the-middle attack software carried by the man-in-the-middle attack submodule 124 to alter the first control instruction sent by the human-machine interface to the remote terminal unit.
An embodiment of the invention also provides an electronic device, which includes the device described in any of the foregoing embodiments.
Fig. 12 is a structural schematic diagram of one embodiment of the electronic device of the invention, which can implement the processes of the embodiments shown in Figs. 1-4 of the invention. As shown in Fig. 4, the electronic device may include: a housing 21, a processor 22, a memory 23, a circuit board 24 and a power circuit 25, wherein the circuit board 24 is placed inside the space enclosed by the housing 21, and the processor 22 and the memory 23 are arranged on the circuit board 24; the power circuit 25 supplies power to each circuit or device of the electronic device; the memory 23 stores executable program code; the processor 22 reads the executable program code stored in the memory 23 and runs the corresponding program in order to execute the method for detecting network system safety described in any of the foregoing embodiments. For the specific execution of the above steps by the processor 22, and the steps the processor 22 further executes by running the executable program code, refer to the description of the embodiments shown in Figs. 1-4 of the invention, which is not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication functions and have voice and data communication as their main purpose. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. Such devices include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capacity, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations.
Those of ordinary skill in the art will understand that all or part of the processes in the method embodiments above can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments above. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above is merely a specific embodiment of the invention, but the scope of protection of the invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (10)

1. a kind of method for detecting network system safety characterized by comprising
Simulation attack is carried out to the network system for test according to predetermined attack strategy;The simulation attack is described by altering The normal measurement data and normal control of network system instruct to realize;
Whether the state for judging the network system after simulation is attacked is precarious position;The precarious position is preset institute Stating network system not allows the state occurred;
If the network system state is precarious position after simulation attack, it is determined that the network system is dangerous.
2. the method for detection network system safety according to claim 1, which is characterized in that described according to predetermined attack Strategy carries out simulation attack to the network system for test, comprising:
Identify the state of presently described network system;
If identifying, the network system is in normal condition, monitor and intercept and capture the network system remote terminal unit to The first voltage and current measurement data that man-machine interface is sent distort the first voltage and current measurement data for the second electricity Pressure and current measurement data are sent to the man-machine interface;The second voltage and current measurement data are at the network system Voltage and current measurement data under non-normal working;
The first control instruction that the man-machine interface is sent to the remote-terminal unit is intercepted and captured, first control instruction is usurped It is changed to the second control instruction and is sent to the remote-terminal unit;First control instruction for control the network system into Enter malfunction to repair with the failure to the second voltage and current measurement data reaction, second control instruction is used Precarious position is converted to from normal condition in controlling the network system;The malfunction is to pass through electricity described after fault restoration Net system can return the state of normal condition.
3. the method for detection network system safety according to claim 2, which is characterized in that controlled by described first Instruction is distorted to be sent to after the remote-terminal unit for the second control instruction, further includes:
Identify the state of presently described network system;
If the state for identifying the network system is malfunction, monitors and intercept and capture the network system remote terminal list The tertiary voltage and current measurement data that member is sent to man-machine interface, it is that the tertiary voltage and current measurement data, which are distorted, Four voltage and current measurement data are sent to the man-machine interface;The 4th voltage and current measurement data are for characterizing described the The failure of two voltage and current measurement data reaction is in the fault recovery stage;
It intercepts and captures the third control instruction that the man-machine interface is sent to the remote-terminal unit and is distorted as the 4th control Instruction, is sent to the remote-terminal unit for the 4th control instruction;The third control instruction is for controlling the electricity Net system is restored from malfunction to normal condition, and the 4th control instruction is for controlling the network system from malfunction Be converted to precarious position.
4. The method for detecting network system safety according to claim 2 or 3, characterized in that, before the simulated attack is carried out on the network system under test according to the predetermined attack strategy, the method further includes:
Obtaining the set of key operable state quantities of the network system;
Defining the state control instruction values used to control the state of the key operable state quantities;
Defining the calculation relationship between the state quantity parameter value at the current moment in the network system and the state quantity parameter value at the previous moment together with the state control instruction value;
Constructing the normal state vector set, the fault state vector set and the dangerous state vector set of the network system;
Determining the state control instruction values required for the network system to change between different states, to obtain the state transition graph of the network system;
Wherein the second control instruction and the fourth control instruction are obtained according to the state transition graph.
5. The method for detecting network system safety according to claim 2 or 3, characterized in that the voltage and current measurement data or control instructions transmitted between the remote terminal unit and the man-machine interface are tampered with by means of a man-in-the-middle attack.
6. A device for detecting network system safety, characterized by comprising:
A simulation attack module, for carrying out a simulated attack on the network system under test according to a predetermined attack strategy; the simulated attack is realized by tampering with the normal measurement data and the normal control instructions of the network system;
A judgment module, for judging whether the state of the network system after the simulated attack is a dangerous state; the dangerous state is a preset state that is not allowed to occur in the network system;
A determining module, for determining that the network system is unsafe when the judgment result of the judgment module is yes.
7. The device for detecting network system safety according to claim 6, characterized in that the simulation attack module comprises:
A system state identification and recording submodule, for identifying and recording the current state of the network system;
A measurement data tampering submodule, for, when the system state identification and recording submodule has most recently identified the network system as being in the normal state, monitoring and intercepting the first voltage and current measurement data sent by the remote terminal unit of the network system to the man-machine interface, tampering the first voltage and current measurement data into second voltage and current measurement data, and sending the second voltage and current measurement data to the man-machine interface; the second voltage and current measurement data are voltage and current measurement data of the network system under abnormal operation;
An instruction tampering submodule, for intercepting the first control instruction sent by the man-machine interface to the remote terminal unit, tampering the first control instruction into a second control instruction, and sending the second control instruction to the remote terminal unit; the first control instruction is used to control the network system to enter the fault state so as to repair the fault reflected by the second voltage and current measurement data, and the second control instruction is used to control the network system to change from the normal state to the dangerous state; the fault state is a state from which the network system can return to the normal state after fault repair.
8. The device for detecting network system safety according to claim 7, characterized in that the measurement data tampering submodule is also used for, when the system state identification and recording submodule has most recently identified the network system as being in the fault state, monitoring and intercepting the third voltage and current measurement data sent by the remote terminal unit of the network system to the man-machine interface, tampering the third voltage and current measurement data into fourth voltage and current measurement data, and sending the fourth voltage and current measurement data to the man-machine interface; the fourth voltage and current measurement data are used to indicate that the fault reflected by the second voltage and current measurement data is in the fault recovery stage;
The instruction tampering submodule is also used for intercepting the third control instruction sent by the man-machine interface to the remote terminal unit, tampering it into a fourth control instruction, and sending the fourth control instruction to the remote terminal unit; the third control instruction is used to control the network system to recover from the fault state to the normal state, and the fourth control instruction is used to control the network system to change from the fault state to the dangerous state.
9. The device for detecting network system safety according to claim 7 or 8, characterized by further comprising:
A state quantity obtaining module, for obtaining the set of key operable state quantities of the network system;
A first definition module, for defining the state control instruction values used to control the state of the key operable state quantities;
A second definition module, for defining the calculation relationship between the state quantity parameter value at the current moment in the network system and the state quantity parameter value at the previous moment together with the state control instruction value;
A state vector set construction module, for constructing the normal state vector set, the fault state vector set and the dangerous state vector set of the network system;
A state transition graph obtaining module, for determining the state control instruction values required for the network system to change between different states, to obtain the state transition graph of the network system;
Wherein the instruction tampering submodule generates the second control instruction and the fourth control instruction according to the state transition graph obtained by the state transition graph obtaining module.
10. The device for detecting network system safety according to claim 7 or 8, characterized in that the simulation attack module further comprises: a man-in-the-middle attack submodule implanted between the remote terminal unit of the network system and the man-machine interface;
The measurement data tampering submodule specifically tampers, by means of the man-in-the-middle attack software carried by the man-in-the-middle attack submodule, with the voltage and current measurement data sent by the remote terminal unit to the man-machine interface;
The instruction tampering submodule specifically tampers, by means of the man-in-the-middle attack software carried by the man-in-the-middle attack submodule, with the first control instruction sent by the man-machine interface to the remote terminal unit.
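The state transition graph of claims 4 and 9 can also serve the operator of the system: once states are sorted into normal, fault and dangerous sets, the same graph tells an interlock which control instruction values to refuse in each state. The sketch below is an added example, not part of the patent; the three-breaker model, the XOR update rule and all function names are assumptions made for illustration.

```python
from itertools import product

# Constructed toy model (assumption, not from the patent): three breakers,
# 1 = closed, 0 = open. State vector = (feeder_a, feeder_b, bus_tie).
STATES = list(product((0, 1), repeat=3))
NORMAL = {(1, 1, 0)}                  # both feeders in service, tie open
DANGEROUS = {(1, 1, 1), (0, 0, 0)}    # states declared "not allowed to occur"

def step(prev, u):
    """Assumed relation x_t = x_(t-1) XOR u, where u toggles breakers."""
    return tuple(p ^ c for p, c in zip(prev, u))

def classify(state):
    """Place a state vector in the normal, dangerous or fault set."""
    if state in NORMAL:
        return "normal"
    return "dangerous" if state in DANGEROUS else "fault"

def build_graph():
    """Map each (source, destination) pair to the control value linking them."""
    return {(src, step(src, u)): u
            for src in STATES for u in STATES if any(u)}

def rejected_values(graph, current):
    """Control values an interlock should refuse while in `current`."""
    return sorted(u for (src, dst), u in graph.items()
                  if src == current and dst in DANGEROUS)

def vet(current, u):
    """Accept or reject one instruction by the state it would produce."""
    target = classify(step(current, u))
    return ("reject" if target == "dangerous" else "accept", target)

if __name__ == "__main__":
    graph = build_graph()
    for state in [(1, 1, 0), (0, 1, 0)]:
        print(state, classify(state), "refuse:", rejected_values(graph, state))
    print(vet((1, 1, 0), (0, 0, 1)))   # instruction that would close the tie
    print(vet((0, 1, 0), (1, 0, 0)))   # instruction that restores feeder_a
```

Because the check runs on the resulting state rather than on the sender, it applies equally to an instruction that was altered in transit between the man-machine interface and the remote terminal unit.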
CN201910530425.6A 2019-06-18 2019-06-18 A kind of method, apparatus and electronic equipment detecting network system safety Pending CN110334507A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910530425.6A CN110334507A (en) 2019-06-18 2019-06-18 A kind of method, apparatus and electronic equipment detecting network system safety

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910530425.6A CN110334507A (en) 2019-06-18 2019-06-18 A kind of method, apparatus and electronic equipment detecting network system safety

Publications (1)

Publication Number Publication Date
CN110334507A true CN110334507A (en) 2019-10-15

Family

ID=68142540

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910530425.6A Pending CN110334507A (en) 2019-06-18 2019-06-18 A kind of method, apparatus and electronic equipment detecting network system safety

Country Status (1)

Country Link
CN (1) CN110334507A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112634604A (en) * 2020-11-16 2021-04-09 中国电力科学研究院有限公司 Attack testing method and system for electricity consumption information acquisition system
CN115118477A (en) * 2022-06-22 2022-09-27 四川数字经济产业发展研究院 Smart grid state recovery method and system based on deep reinforcement learning

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8433768B1 (en) * 2004-10-14 2013-04-30 Lockheed Martin Corporation Embedded model interaction within attack projection framework of information system
CN104638724A (en) * 2015-01-30 2015-05-20 广东亿纬赛恩斯新能源系统有限公司 CAN (Controller Area Network) communication-based battery management system
CN105049403A (en) * 2015-05-20 2015-11-11 广东电网有限责任公司电力科学研究院 Power distribution network control system safety protection method and system
CN105429133A (en) * 2015-12-07 2016-03-23 国网智能电网研究院 Information network attack-oriented vulnerability node evaluation method for power grid
CN107360133A (en) * 2017-06-08 2017-11-17 全球能源互联网研究院 A kind of network attack emulation mode and system towards electric network information physical system
CN107612927A (en) * 2017-10-13 2018-01-19 中国电力科学研究院 The safety detection method of electric power scheduling automatization system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112634604A (en) * 2020-11-16 2021-04-09 中国电力科学研究院有限公司 Attack testing method and system for electricity consumption information acquisition system
CN112634604B (en) * 2020-11-16 2022-07-01 中国电力科学研究院有限公司 Attack testing method and system for electricity consumption information acquisition system
CN115118477A (en) * 2022-06-22 2022-09-27 四川数字经济产业发展研究院 Smart grid state recovery method and system based on deep reinforcement learning
CN115118477B (en) * 2022-06-22 2024-05-24 四川数字经济产业发展研究院 Smart grid state recovery method and system based on deep reinforcement learning

Similar Documents

Publication Publication Date Title
Liu et al. Intruders in the grid
Pei et al. PMU placement protection against coordinated false data injection attacks in smart grid
CN104573510B (en) A kind of intelligent grid malicious data injection attacks and detection method
Wei et al. Greenbench: A benchmark for observing power grid vulnerability under data-centric threats
Shekari et al. RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the Power Grid.
Xie et al. Physical and cybersecurity in a smart grid environment
CN110334507A (en) A kind of method, apparatus and electronic equipment detecting network system safety
Khan et al. The cyberphysical power system resilience testbed: Architecture and applications
CN109660550B (en) System and method for security defense of embedded terminal
CN109031980A (en) A kind of emulation test method and system of the valve control device based on FPGA
CN107563227A (en) The terminal device that anti-data are stolen secret information
Wang et al. Deducing cascading failures caused by cyberattacks based on attack gains and cost principle in cyber-physical power systems
CN107171830A (en) Power information physical hardware is in ring security simulation test platform
Chen et al. Reliability assessment of distribution network considering cyber attacks
Chawla et al. Denial-of-service resilient frameworks for synchrophasor-based wide area monitoring systems
CN105391066B (en) A kind of intelligent grid the simulative running system
CN108964020A (en) A kind of physical isolation type lightning-protection system and physical isolation type lightening arresting method
CN106054115A (en) Safety authentication function testing method and system of charge-control electric energy meter
CN106529824A (en) Method for analyzing functional damage degrees of secondary equipment and secondary system of intelligent substation
CN103955200B (en) Movable mould test method for self-healing control function of power distribution network
CN109031981A (en) A kind of emulation test method and system of the valve control device based on FPGA
CN113326204A (en) Transformer substation system testing method and device, terminal equipment and storage medium
Chukwuka et al. Bad data injection attack propagation in cyber-physical power delivery systems
CN110601261B (en) Microgrid controller service logic consistency analysis method based on sensing control logic
CN111029914B (en) Active first-aid repair system based on ubiquitous Internet of things construction

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191015