CN110751570A - Power service message attack identification method and system based on service logic - Google Patents


Info

Publication number
CN110751570A
Authority
CN
China
Prior art keywords
state sequence
current state
sequence
status
determining
Prior art date
Legal status
Pending
Application number
CN201910871501.XA
Other languages
Chinese (zh)
Inventor
周亮
朱朝阳
王海翔
王宇
张锐文
李俊娥
应欢
韩丽芳
朱亚运
缪思薇
李霁远
Current Assignee
State Grid Corp of China SGCC
Wuhan University WHU
State Grid Zhejiang Electric Power Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
Wuhan University WHU
State Grid Zhejiang Electric Power Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Wuhan University WHU, State Grid Zhejiang Electric Power Co Ltd and China Electric Power Research Institute Co Ltd CEPRI

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Electricity, gas or water supply
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a method and a system for identifying power service message attacks based on service logic. The method comprises the following steps: determining the current state sequence of the power service; determining, according to the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to it; determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set; and, when the threat degree of the current state sequence is greater than or equal to a preset safety risk threshold, determining that the power grid is under power service message attack. By defining the dangerous state sequence set and the safe state sequence set of the power service logic, the method combines misuse detection with anomaly detection, evaluates the threat degree of the power service and decides from it whether the power grid is under power service message attack, so that power service message attacks are identified effectively and the safe and reliable operation of the power service control system is guaranteed.

Description

Power service message attack identification method and system based on service logic
Technical Field
The invention relates to the technical field of smart grid security, in particular to a method and a system for identifying power service message attack based on service logic.
Background
As the coupling between the information space and the physical space of the smart grid deepens, faults of the physical power grid caused by network attacks have become more common in recent years and seriously affect the normal operation of the power system. At the end of 2015, an attacker obtained operating authority over the monitoring system server of a substation and performed malicious switching operations, leaving 80000 users of the Ukrainian power grid without power; in 2016, the power supply system suffered a significant cyber attack that forced it to run offline. In the power grid, the various intelligent terminals and devices used to measure and control the parameters of the primary system or equipment (collectively referred to herein as measurement and control terminals) act as bridges between the information system and the physical system. When they are attacked by tampering with, forging or replaying power service messages, the normal operation of the primary equipment is directly affected, for example through abnormal opening or closing of a circuit breaker or modification of setting values, and power accidents result. Effectively identifying the power service message attacks that a power grid measurement and control terminal may suffer has therefore become an urgent problem.
At present, research on network attack identification for power grid measurement and control terminals falls mainly into two categories: 1) applying the network attack identification techniques of traditional information networks directly to power grid measurement and control terminals, for example identifying attacks by anomaly detection and protocol whitelists on non-power service message traffic, or identifying unknown attacks through a self-learned communication model; 2) identifying network attacks on power grid measurement and control terminals from the traffic characteristics of power proprietary protocols or from rules and correlations between the fields of a message, for example attack identification from the network traffic characteristics of GOOSE messages, an attack identification method based on checking the traffic pattern of the IEC 60870-5-104 protocol and the validity and correlation of each of its fields, and the identification by the same means of network attacks carried out through the IEC 61850 protocol. This research can effectively identify network attacks that exploit vulnerabilities of general network protocols, such as ARP spoofing, ICMP Flood and SYN Flood, and some of the attacks that exploit vulnerabilities of power proprietary protocols such as IEC 60870-5-104 and IEC 61850, for example GOOSE malformed message attacks, but it cannot effectively identify power service message attacks. A power service message attack is one in which the attacker tampers with, forges or replays the service messages transmitted by the power grid measurement and control terminal in order to operate the primary power equipment illegitimately; such an attack usually changes the normal service logic.
Disclosure of Invention
The invention provides a method and a system for identifying electric power service message attacks based on service logic, which aim to solve the problem of how to effectively identify the electric power service message attacks so as to determine the safety state of a power grid.
In order to solve the above problem, according to an aspect of the present invention, there is provided a method for identifying a power service packet attack based on service logic, the method including:
acquiring a multipoint signal value sequence and a multipoint signal address sequence of a current state node from a power service message, determining a control block corresponding to the current state node according to the multipoint signal address sequence, and adding the multipoint signal value sequence to the state sequence of the control block to acquire the current state sequence;
respectively determining a dangerous state sequence set and a safe state sequence set corresponding to the current state sequence according to the multipoint signal address sequence of the current state sequence;
determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;
and comparing the threat degree of the current state sequence with a preset safety risk threshold, and determining that the power grid is attacked by the power service message when the threat degree of the current state sequence is greater than or equal to the preset safety risk threshold.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;
and if the current state sequence is unsuccessfully matched with the dangerous state sequence set, matching the current state sequence with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, determining that the threat degree of the current state sequence is 0.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, wherein calculating the threat level of the current state sequence according to the first minimum distance and the second minimum distance comprises:
Figure BDA0002202951790000031
where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.
Preferably, said matching said current state sequence with said set of hazardous state sequences comprises:
Step 11: take the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) and add it to the buffer State
Figure BDA0002202951790000032
where n1 has an initial value of 0; after the addition,
Figure BDA0002202951790000033
Step 12: traverse in order all rules in the dangerous state sequence set
Figure BDA0002202951790000034
where
Figure BDA0002202951790000035
If n2 > n - n1 and i ≠ t, continue traversing; if n2 > n - n1 and i = t, the matching ends without a match, the traversal ends, and the safe state sequence set matching procedure is executed next; if n2 < n - n1, go to step 13; otherwise, go to step 14;
Step 13: take the last n2 entries of
Figure BDA0002202951790000036
then
Figure BDA0002202951790000037
Figure BDA0002202951790000038
and set n1 to n - n2, then
Figure BDA0002202951790000039
Figure BDA00022029517900000310
Step 14: judge whether
Figure BDA00022029517900000311
is identical to B_i. If so, retain only the last entry of
Figure BDA00022029517900000312
then
Figure BDA00022029517900000313
set n1 to n - 1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly set the threat degree of the current state sequence to 1; otherwise, return to step 12 and continue the traversal.
Preferably, said matching said current state sequence with said set of security state sequences comprises:
Step 21: take the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) and add it to the buffer State, where n3 has an initial value of 0; after the addition,
Figure BDA00022029517900000315
Step 22: traverse in order all rules in the safe state sequence set, where
Figure BDA0002202951790000041
If n4 > n - n3 and i ≠ e, go to step 26; if n4 > n - n3 and i = e, the matching has failed and the traversal ends; if n4 < n - n3, go to step 23; otherwise, go to step 24;
Step 23: take the last n4 entries of
Figure BDA0002202951790000042
then
Figure BDA0002202951790000043
Figure BDA0002202951790000044
and set n3 to n - n4, then
Figure BDA0002202951790000045
Figure BDA0002202951790000046
Step 24: judge whether
Figure BDA0002202951790000047
is identical to W_i. If not, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: retain only the last entry of the buffer, then
Figure BDA0002202951790000049
Figure BDA00022029517900000410
set n3 to n - 1, set init_status to 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly set the threat degree of the current state sequence to 0; init_status has an initial value of 0 and records whether a complete match of a safe state sequence has already been performed;
Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;
Step 27 (init_status is 0): judge whether
Figure BDA00022029517900000411
is W_i. If so, determine that the current state sequence is successfully matched with the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether
Figure BDA00022029517900000412
is identical to the first n - n1 items of W_i. If so, determine that the current state sequence is successfully matched with the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
Preferably, wherein the method further comprises:
and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
According to another aspect of the present invention, there is provided a power service packet attack recognition system based on service logic, the system including:
a current state sequence determining unit, configured to obtain a multipoint signal value sequence and a multipoint signal address sequence of a current state node from an electrical service packet, determine a control block corresponding to the current state node according to the multipoint signal address sequence, add the multipoint signal value sequence to the state sequence of the control block, and obtain the current state sequence;
a dangerous state sequence set and safety state sequence set determining unit, configured to determine a dangerous state sequence set and a safety state sequence set corresponding to the current state sequence according to the multi-point signal address sequence of the current state sequence;
the threat degree determining unit is used for determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;
and the electric power service message attack identification unit is used for comparing the threat degree of the current state sequence with a preset safety risk threshold value, and determining that the power grid is attacked by the electric power service message when the threat degree of the current state sequence is greater than or equal to the preset safety risk threshold value.
Preferably, the determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set by the threat degree determining unit includes:
a dangerous state sequence set matching module, configured to match the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determine that the threat degree of the current state sequence is 1;
and the safety state sequence set matching module is used for matching the current state sequence with the safety state sequence set if the current state sequence is unsuccessfully matched with the dangerous state sequence set, and determining the threat degree of the current state sequence to be 0 if the current state sequence is successfully matched with the safety state sequence set.
Preferably, the determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set by the threat degree determining unit includes:
a first minimum distance and a second minimum distance determination module for calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and the threat degree determining module is used for calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, the threat degree determination module calculates the threat degree of the current state sequence according to the first minimum distance and the second minimum distance, and includes:
Figure BDA0002202951790000051
where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.
Preferably, the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set, including:
Step 11: take the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) and add it to the buffer State
Figure BDA0002202951790000061
where n1 has an initial value of 0; after the addition,
Figure BDA0002202951790000062
Step 12: traverse in order all rules in the dangerous state sequence set
Figure BDA0002202951790000063
where
Figure BDA0002202951790000064
If n2 > n - n1 and i ≠ t, continue traversing; if n2 > n - n1 and i = t, the matching ends without a match, the traversal ends, and the safe state sequence set matching procedure is executed next; if n2 < n - n1, go to step 13; otherwise, go to step 14;
Step 13: take the last n2 entries of
Figure BDA0002202951790000065
then
Figure BDA0002202951790000066
Figure BDA0002202951790000067
and set n1 to n - n2, then
Figure BDA0002202951790000068
Figure BDA0002202951790000069
Step 14: judge whether
Figure BDA00022029517900000610
is identical to B_i. If so, retain only the last entry of
Figure BDA00022029517900000611
then
Figure BDA00022029517900000612
set n1 to n - 1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly set the threat degree of the current state sequence to 1; otherwise, return to step 12 and continue the traversal.
Preferably, the security state sequence set matching module, which matches the current state sequence with the security state sequence set, comprises:
Step 21: take the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) and add it to the buffer State
Figure BDA00022029517900000613
where n3 has an initial value of 0; after the addition,
Figure BDA00022029517900000614
Step 22: traverse in order all rules in the safe state sequence set
Figure BDA00022029517900000615
If n4 > n - n3 and i ≠ e, go to step 26; if n4 > n - n3 and i = e, the matching has failed and the traversal ends; if n4 < n - n3, go to step 23; otherwise, go to step 24;
Step 23: take the last n4 entries of
Figure BDA00022029517900000617
then
Figure BDA00022029517900000618
Figure BDA00022029517900000619
and set n3 to n - n4, then
Figure BDA00022029517900000620
Step 24: judge whether
Figure BDA0002202951790000072
is identical to W_i. If not, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: retain only the last entry of the buffer, then
Figure BDA0002202951790000074
Figure BDA0002202951790000075
set n3 to n - 1, set init_status to 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly set the threat degree of the current state sequence to 0; init_status has an initial value of 0 and records whether a complete match of a safe state sequence has already been performed;
Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;
Step 27 (init_status is 0): judge whether
Figure BDA0002202951790000076
is W_i. If so, determine that the current state sequence is successfully matched with the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether
Figure BDA0002202951790000077
is identical to the first n - n1 items of W_i. If so, determine that the current state sequence is successfully matched with the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
Preferably, the power service packet attack identification unit is further configured to:
and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
The invention provides a method and a system for identifying power service message attacks based on service logic. The method comprises: determining the current state sequence of the power grid; determining, according to the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to it; determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set; and, when the threat degree of the current state sequence is greater than or equal to a preset safety risk threshold, determining that the power grid is under power service message attack. By defining the dangerous state sequence set and the safe state sequence set of the power service logic, the method combines misuse detection with anomaly detection, evaluates the threat degree of the power service and decides from it whether the power grid is under power service message attack, so that power service message attacks are identified effectively, the false alarm rate is reduced and the safe and reliable operation of the power service control system is guaranteed.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
fig. 1 is a flowchart of a method 100 for identifying a power service packet attack based on service logic according to an embodiment of the present invention;
FIG. 2 is a diagram of a state chain data structure according to an embodiment of the present invention;
FIG. 3 is a data structure diagram of a hazardous state sequence and a safe state sequence according to an embodiment of the present invention; and
fig. 4 is a schematic structural diagram of a power service packet attack recognition system 400 based on service logic according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided for complete and complete disclosure of the present invention and to fully convey the scope of the present invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a flowchart of a method 100 for identifying a power service packet attack based on service logic according to an embodiment of the present invention. By defining the dangerous state sequence set and the safe state sequence set of the power service logic, the method combines misuse detection with anomaly detection, evaluates the threat degree of the power service and decides from it whether the power grid is under power service message attack, so that power service message attacks are identified effectively, the false alarm rate is reduced and the safe and reliable operation of the power industrial control system is ensured. The method 100 starts from step 101: acquire the multipoint signal value sequence and the multipoint signal address sequence of the current state node from a power service message, determine the control block corresponding to the current state node according to the multipoint signal address sequence, and add the multipoint signal value sequence to the state sequence of that control block to obtain the current state sequence.
In the embodiment of the invention, in order to perform security evaluation on the current service logic state, the service logic needs to be saved, so that a data structure using a state chain is proposed to describe the power grid service logic, including the service state and the change process thereof. The state chain data structure of the embodiment of the present invention is shown in fig. 2 and includes the following 7 parts.
(1) Single-point signal value: the data field in fig. 2 describes the value of a single FCDA (Functionally Constrained Data Attribute) entry. In the power grid it can be understood as the position signal of a disconnector (knife switch) or the voltage or current value of a node.
(2) Signal address: the pos field in fig. 2 describes the location of an FCDA entry. In the power grid it can be understood as the name of the logical instance of a disconnector or node; in the actual calculation it is understood as the name of a variable, used to index that variable.
(3) Multipoint signal address sequence: the pos_sequence = (pos_1, pos_2, …, pos_n)^T field in fig. 2 describes, in the embodiment of the present invention, the signal address sequence of each single-point signal on one control block.
(4) Multipoint signal value sequence: the status = (data_1, data_2, …, data_n)^T field in fig. 2 describes, in the present invention, the sequence of single-point signal values on one control block. In the power grid it can be understood as the positions of several switches or the voltage and current values at several points.
(5) State node: defined as Node = (status, pos_sequence). It is composed of a multipoint signal address sequence and a multipoint signal value sequence and describes the state of a control block.
(6) State change: describes the change of state of one or more single-point signals in a control block. In the power grid it can be understood as one or more switching operations, one or more voltage or current changes, or one or more setting value changes.
(7) State sequence: status_sequence = (S, pos_sequence), where S = (status_1, status_2, …, status_n), is formed by linking in order a finite number of state nodes with the same pos_sequence, and describes the logical process of state change of the control block. In the power grid it can be understood as the logical relationship between the operations of a group of switches or between a group of voltage and current changes.
In the embodiment of the present invention, in order to identify whether the current power grid is attacked by the power service packet, the current service logic needs to be entered first, and on the premise of the data structure based on the state chain, the specific entering process is as follows:
1.1) Extract the state node Node_now = (status_n, pos_sequence_now) from the application layer content of the power service message, where status_n = (data_1, data_2, …, data_k)^T.
1.2) Using pos_sequence_now of Node_now, find the state sequence status_sequence = (S, pos_sequence) of the corresponding control block, i.e. the state sequence whose pos_sequence equals pos_sequence_now, where S = (status_1, status_2, …, status_{n-1}).
1.3) Compare whether status_{n-1} equals status_n; if equal, the process ends; otherwise, go to 1.4).
1.4) Chain status_n into the state sequence status_sequence = (S, pos_sequence) to obtain the current state sequence status_sequence_now = (S′, pos_sequence_now), where S′ = (status_1, status_2, …, status_n).
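The state-chain entry of steps 1.1) to 1.4) as runnable code. This is an added example, not code from the patent: the message dictionaries, the registry class and the helper names are constructed for illustration, and the three FCDA address strings reuse the format of the worked example further down the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Status = Tuple[int, ...]        # multipoint signal value sequence (data_1, ..., data_k)^T
PosSequence = Tuple[str, ...]   # multipoint signal address sequence (pos_1, ..., pos_n)^T


@dataclass
class StateSequence:
    """status_sequence = (S, pos_sequence): the states S chained for one control block."""
    pos_sequence: PosSequence
    states: List[Status] = field(default_factory=list)


class StateChainRegistry:
    """Keeps one status_sequence per control block, keyed by its pos_sequence (constructed helper)."""

    def __init__(self) -> None:
        self.blocks: Dict[PosSequence, StateSequence] = {}

    def enter(self, message: dict) -> Tuple[StateSequence, bool]:
        """Steps 1.1 to 1.4; returns the block's sequence and whether a new state was chained."""
        # 1.1) Extract Node_now = (status_n, pos_sequence_now) from the application layer content.
        pos_now: PosSequence = tuple(message["pos_sequence"])
        status_n: Status = tuple(message["status"])
        if len(status_n) != len(pos_now):
            # A value sequence must carry exactly one value per signal address.
            raise ValueError("status and pos_sequence lengths differ")
        # 1.2) Find the control block whose state sequence has pos_sequence == pos_sequence_now
        #      (a block seen for the first time starts with an empty S).
        seq = self.blocks.setdefault(pos_now, StateSequence(pos_now))
        # 1.3) If status_(n-1) equals status_n the state did not change: nothing to chain.
        if seq.states and seq.states[-1] == status_n:
            return seq, False
        # 1.4) Chain status_n onto S to obtain S' = (status_1, ..., status_n).
        seq.states.append(status_n)
        return seq, True


# Constructed sample traffic for one control block with three single-point signals.
SAMPLE_POS: PosSequence = (
    "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.1)",
    "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.2)",
    "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.3)",
)
SAMPLE_MESSAGES = [
    {"pos_sequence": SAMPLE_POS, "status": (0, 0, 0)},
    {"pos_sequence": SAMPLE_POS, "status": (0, 0, 1)},
    {"pos_sequence": SAMPLE_POS, "status": (0, 0, 1)},  # repeat of an unchanged dataset: no state change
    {"pos_sequence": SAMPLE_POS, "status": (1, 0, 0)},
]


def enter_all(messages) -> Tuple[List[Status], List[bool]]:
    """Feed messages through one registry; returns the final S' and the per-message chained flags."""
    registry = StateChainRegistry()
    flags: List[bool] = []
    seq = None
    for msg in messages:
        seq, chained = registry.enter(msg)
        flags.append(chained)
    return (list(seq.states) if seq else []), flags


if __name__ == "__main__":
    states, flags = enter_all(SAMPLE_MESSAGES)
    print("S' =", states)      # [(0, 0, 0), (0, 0, 1), (1, 0, 0)]
    print("chained:", flags)   # [True, True, False, True]
```

The repeated third message is dropped by step 1.3), so periodic retransmissions of an unchanged dataset do not inflate the state chain; only genuine state changes reach the matching and distance stages described below.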
In step 102, a dangerous state sequence set and a safe state sequence set corresponding to the current state sequence are respectively determined according to the multipoint signal address sequence of the current state sequence.
In the embodiment of the present invention, in order to evaluate the security of the current business logic state, it must be compared with known dangerous state sequences and known safe state sequences; by comparing the current state sequence with both, a power service message attack can be identified quickly and effectively. The data structure of the dangerous state sequence and the safe state sequence in the embodiment of the present invention is shown in fig. 3. The dangerous and safe state sequence sets are entered as different rules, each represented by the structure of a state sequence. The dangerous state sequence set is defined as follows, wherein
Figure BDA0002202951790000102
Figure BDA0002202951790000103
is the set of all illegal state sequences that satisfy the pos_sequence_1 condition. The safe state sequence set is defined as
Figure BDA0002202951790000104
wherein
Figure BDA0002202951790000105
is the set of all legal state sequences that satisfy the pos_sequence_1 condition.
In step 103, the threat level of the current state sequence is determined according to the current state sequence, the dangerous state sequence set and the safe state sequence set.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;
and if the current state sequence is unsuccessfully matched with the dangerous state sequence set, matching the current state sequence with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, determining that the threat degree of the current state sequence is 0.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, wherein said calculating a first minimum distance of said current state sequence from said set of hazardous state sequences comprises:
Figure BDA0002202951790000111
where d_black is the first minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the set of dangerous state sequences is
Figure BDA0002202951790000112
For
Figure BDA0002202951790000113
If
Figure BDA0002202951790000114
Then
Figure BDA0002202951790000115
Figure BDA0002202951790000116
Figure BDA0002202951790000117
Figure BDA0002202951790000118
Otherwise
Figure BDA0002202951790000119
column_S′ represents the number of columns of the matrix S′, B_i(status_value) represents the status_value in the state sequence B_i, and B_i(status_value)[0, …, column_S′-1] represents columns 0 to column_S′-1 of the B_i(status_value) matrix;
Figure BDA00022029517900001110
represents
Figure BDA00022029517900001111
the i-th column of the matrix; the function d(A, B) represents the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); then
Preferably, wherein said calculating a second minimum distance of said current state sequence from said set of security state sequences comprises:
Figure BDA00022029517900001112
where d_white is the second minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the set of safe state sequences is the set defined in step 102. For
Figure BDA00022029517900001117
If
Figure BDA00022029517900001114
Then
Figure BDA00022029517900001115
Figure BDA0002202951790000121
Figure BDA0002202951790000122
Figure BDA0002202951790000123
Otherwise
Figure BDA0002202951790000124
Figure BDA0002202951790000125
column_S′ denotes the number of columns of the matrix S′, W_i(status_value) denotes the status_value in the state sequence W_i, and W_i(status_value)[0, …, column_S′-1] denotes columns 0 to column_S′-1 of the W_i(status_value) matrix; and
Figure BDA0002202951790000127
represents the i-th column of the matrix; the function d(A, B) represents the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); then
Figure BDA00022029517900001222
Preferably, wherein calculating the threat level of the current state sequence according to the first minimum distance and the second minimum distance comprises:
Figure BDA0002202951790000128
where P_threaten is the threat degree of the current state sequence; d_black is the first minimum distance; d_white is the second minimum distance.
Preferably, said matching said current state sequence with said set of hazardous state sequences comprises:
Step 11: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state
Figure BDA0002202951790000129
where the initial value of n1 is 0; after the addition,
Figure BDA00022029517900001210
Step 12: traverse in sequence all the rules in the dangerous state sequence set
Figure BDA00022029517900001211
where each rule B_i (i = 1, …, t) has n2 states: if n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching ends without success, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, go to step 13; otherwise, go to step 14;
Step 13: take
Figure BDA00022029517900001213
and keep only its last n2 entries, so that
Figure BDA00022029517900001214
Figure BDA00022029517900001215
and set n1 to n-n2, so that
Figure BDA00022029517900001216
Figure BDA00022029517900001217
Step 14: judge whether
Figure BDA00022029517900001218
is the same as B_i; if the same, take
Figure BDA00022029517900001219
and retain only its last entry, then set n1 to n-1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly determine that the threat degree of the current state sequence is 1; otherwise, return to step 12 to continue the traversal.
Preferably, said matching said current state sequence with said set of security state sequences comprises:
Step 21: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state
Figure BDA0002202951790000131
where the initial value of n3 is 0; after the addition,
Figure BDA0002202951790000132
Step 22: traverse in sequence all the rules in the safe state sequence set
Figure BDA0002202951790000133
where each rule W_i (i = 1, …, e) has n4 states:
Figure BDA0002202951790000134
if n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching has failed and the traversal ends; if n4 < n-n3, go to step 23; otherwise, go to step 24;
Step 23: keep only the last n4 entries of the buffer state, so that
Figure BDA0002202951790000137
and set n3 to n-n4, so that
Figure BDA0002202951790000138
Step 24: judge whether the buffer state is the same as W_i; if not, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: take
Figure BDA00022029517900001311
and retain only its last entry, so that
Figure BDA00022029517900001313
set n3 to n-1, set init_status to 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; the initial value of init_status is 0, and it marks whether one complete match of a safe state sequence has already been performed;
step 26, if init _ status is 0, go to step 27, otherwise go to step 28;
Step 27: init_status is 0; judge whether the buffer state is W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether
Figure BDA00022029517900001315
is the same as the first n-n1 items of W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
In an embodiment of the present invention, after the dangerous state sequence set and the safe state sequence set have been determined, the step of determining the threat degree comprises:
S1: match against the dangerous state sequence set; if the matching is successful, determine that the threat degree of the current state sequence is 1; otherwise, proceed to S2;
S2: match against the safe state sequence set; if the matching is successful, determine that the threat degree of the current state sequence is 0; otherwise, proceed to S3;
S3: determine the first minimum distance and the second minimum distance, and determine the threat degree of the current state sequence according to them.
In step 104, comparing the threat level of the current state sequence with a preset security risk threshold, and determining that the power grid is attacked by the power service packet when the threat level of the current state sequence is greater than or equal to the preset security risk threshold.
Preferably, wherein the method further comprises:
and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
In an embodiment of the invention, whether the current power grid is under attack is judged from the threat degree P_threaten of the current state sequence. To reduce the false alarm rate of the present invention, a security risk threshold X_safe is defined, with X_safe defaulting to 0.25. The value of X_safe can be set according to actual needs and is not limited to the 0.25 mentioned in the present application. When P_threaten > X_safe, the power grid corresponding to pos_sequence_now in the current state sequence status_sequence_now = (S′, pos_sequence_now) is considered to be under power service message attack; otherwise, the power grid is not under power service message attack and is in a safe state.
The following specifically exemplifies an embodiment of the present invention.
Assume that the control block attacked by the attacker has three FCDAs, with the following address information:
pos1=″(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.1)″,
pos2=″(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.2)″,
pos3=″(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.3)″,
The corresponding control block states are status_1 = (0,0,0)^T, status_2 = (0,0,1)^T, …, status_8 = (1,1,1)^T. The security risk threshold X_safe of the intrusion detection method is set to 0.25.
When determining that the power grid is attacked by the power service message, the specific implementation method is as follows:
Step (1), state chain entry: assume that the entered state sequence is status_sequence_1 = (S_1, pos_sequence), where S_1 = (status_1, status_2) and pos_sequence = (pos_1, pos_2, pos_3)^T. A state node Node_now = (status_5, pos_sequence) is now extracted from the application layer message; adding it to the entered state sequence changes the state sequence from status_sequence_1 to status_sequence_2 = (S_2, pos_sequence), where S_2 = (status_1, status_2, status_5).
Step (2), determine the dangerous state sequence set of the current state sequence, U_blacklist/pos_sequence = {B_1}, where B_1 = {status_1, status_3, status_7}, and the safe state sequence set U_whitelist/pos_sequence = {W_1, W_2}.
Step (3), match the current state sequence against the dangerous state sequence set; if it matches, the threat degree is determined to be 1; if no match is found, go to step (4). The specific steps are:
3.1) Add the latest state status_5 of S_2 in status_sequence_2 to the buffer state S″_blacklist/pos_sequence = (status_1, status_2); after the addition, S″_blacklist/pos_sequence = (status_1, status_2, status_5).
3.2) Traverse in sequence the rules with the same pos_sequence in the dangerous state sequence set, i.e. U_blacklist/pos_sequence = {B_1}; B_1 has 3 states and S″_blacklist/pos_sequence has 3 states, so go to 3.3).
3.3) Compare B_1 with S_2; they do not match, so continue the traversal and go to 3.4).
3.4) The traversal of U_blacklist/pos_sequence ends; go to step (4).
Step (4), apply the safe state sequence matching mode to the current state sequence; if it matches, the threat degree is determined to be 0; if not, go to step (5). The specific process is:
4.1) Add the latest state status_5 of S_2 in the current state sequence status_sequence_2 to the buffer state S″_whitelist/pos_sequence = (status_1, status_2); the buffer state sequence after the addition is S″_whitelist/pos_sequence = (status_1, status_2, status_5).
4.2) Traverse the rules with the same pos_sequence in the safe state sequence set, i.e. U_whitelist/pos_sequence = {W_1, W_2}; first traverse W_1 = {status_1, status_2, status_8}, where W_1 has 3 states and
Figure BDA0002202951790000151
has 3 states; go to 4.3).
4.3) Compare S″_whitelist/pos_sequence with W_1 by the rule; S″_whitelist/pos_sequence and W_1 are not the same, so continue the traversal.
4.4) Traverse W_2, where W_2 = {status_1, status_2, status_4, status_5} has 4 states and S″_whitelist/pos_sequence = (status_1, status_2, status_5) has 3 states; go to 4.5).
4.5) init_status is 0 (assumed to be 0); go to 4.6).
4.6) Compare S″_whitelist/pos_sequence with W_2 by the rule; S″_whitelist/pos_sequence is not the leading part of W_2, so the traversal ends; go to step (5).
Step (5), perform similarity matching on the state sequence to obtain the threat degree P_threaten. The specific steps are:
5.1) According to pos_sequence, find the dangerous state sequence set U_blacklist/pos_sequence = {B_1} and the safe state sequence set U_whitelist/pos_sequence = {W_1, W_2} of the corresponding control block.
5.2) For B_1 ∈ U_blacklist/pos_sequence, where
Figure BDA0002202951790000161
Then
Figure BDA0002202951790000162
5.3) The minimum distance between the current state sequence status_sequence_2 and the dangerous state sequence set U_blacklist/pos_sequence is calculated as d_black = 1.
5.4) For W_1 ∈ U_whitelist/pos_sequence, where
Figure BDA0002202951790000163
then the distance to W_1 follows. Likewise, for W_2 ∈ U_whitelist/pos_sequence,
Figure BDA0002202951790000166
5.5) The minimum distance between the current state sequence status_sequence and the safe state sequence set U_whitelist/pos_sequence is calculated as d_white = 2.
5.6) Calculate the threat degree
Figure BDA0002202951790000168
and go to step (6).
Step (6), compare the calculated threat degree with the preset security risk threshold; since P_threaten > X_safe, the power grid corresponding to pos_sequence in the current state sequence status_sequence is determined to be under power service message attack.
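The worked example of steps (1) to (6), together with the blacklist matching of steps 11 to 14, the whitelist matching of steps 21 to 27 and the minimum-distance threat degree of steps 103 and 104, as one runnable Python example. This is added example code, not the patent's own implementation, and it makes three labelled assumptions where the page shows only images: status_3 to status_7 are filled in by counting in binary between the listed status_1, status_2 and status_8; the distance between a rule and the current sequence is taken column-wise between the newest state and the rule's state in the same column, using the squared Euclidean distance (which equals the number of differing 0/1 signals and reproduces the page's d_black = 1 and d_white = 2); and P_threaten = d_white / (d_black + d_white) stands in for the page's formula. The function and variable names are mine.

```python
import math
from typing import Dict, List, Tuple

Status = Tuple[int, ...]   # one multipoint signal value sequence
Rule = List[Status]        # a state sequence: a dangerous rule B_i or a safe rule W_i

# Assumed binary enumeration of the eight control-block states; the page lists only
# status_1 = (0,0,0), status_2 = (0,0,1) and status_8 = (1,1,1).
STATUS: Dict[int, Status] = {i + 1: tuple(int(b) for b in format(i, "03b")) for i in range(8)}


def match_blacklist(current: Rule, rules: List[Rule]) -> bool:
    """Steps 11-14 as read from the page: a dangerous rule B_i with n2 states matches when
    the newest n2 states of the current sequence equal B_i (step 13 trims the buffer to its
    last n2 entries; a rule longer than the buffer cannot match)."""
    for rule in rules:
        n2 = len(rule)
        if 0 < n2 <= len(current) and current[-n2:] == rule:
            return True
    return False


def match_whitelist(current: Rule, rules: List[Rule], init_status: int = 0) -> bool:
    """Steps 21-27: a safe rule no longer than the buffer must equal the newest states; a longer
    rule matches a sequence that is still being built up (init_status == 0) when the buffer
    equals the leading states of W_i (step 27)."""
    for rule in rules:
        n4 = len(rule)
        if 0 < n4 <= len(current):
            if current[-n4:] == rule:
                return True
        elif init_status == 0 and current and rule[: len(current)] == current:
            return True
    return False


def column_distance(a: Status, b: Status) -> float:
    """Assumed distance between two value vectors: squared Euclidean, i.e. the number of
    differing single-point signals for 0/1 data."""
    return float(sum((x - y) ** 2 for x, y in zip(a, b)))


def min_distance(current: Rule, rules: List[Rule]) -> float:
    """Assumed reading of the page's d_black / d_white: the minimum over the rules of the distance
    between the newest state of the current sequence and the rule's state in the same column;
    rules too short to have that column are skipped. Returns inf when nothing is comparable."""
    n = len(current)
    best = math.inf
    if n == 0:
        return best
    for rule in rules:
        if len(rule) >= n:
            best = min(best, column_distance(current[-1], rule[n - 1]))
    return best


def threat_degree(d_black: float, d_white: float) -> float:
    """Stand-in for the page's P_threaten formula: the share of the total distance that lies on
    the safe side, so a sequence much closer to a dangerous rule than to a safe one scores near 1."""
    if d_black == 0:
        return 1.0
    if d_white == 0 or math.isinf(d_black):
        return 0.0
    if math.isinf(d_white):
        return 1.0
    return d_white / (d_black + d_white)


def evaluate(current: Rule, blacklist: List[Rule], whitelist: List[Rule],
             x_safe: float = 0.25) -> Tuple[float, bool]:
    """S1-S3 and step 104: exact matches first, distance-based P_threaten otherwise, then the
    threshold decision (attacked when P_threaten >= X_safe)."""
    if match_blacklist(current, blacklist):
        p = 1.0
    elif match_whitelist(current, whitelist):
        p = 0.0
    else:
        p = threat_degree(min_distance(current, blacklist), min_distance(current, whitelist))
    return p, p >= x_safe


# The page's worked example: S_2 = (status_1, status_2, status_5), B_1, W_1 and W_2.
S2: Rule = [STATUS[1], STATUS[2], STATUS[5]]
B1: Rule = [STATUS[1], STATUS[3], STATUS[7]]
W1: Rule = [STATUS[1], STATUS[2], STATUS[8]]
W2: Rule = [STATUS[1], STATUS[2], STATUS[4], STATUS[5]]

if __name__ == "__main__":
    p, attacked = evaluate(S2, [B1], [W1, W2])
    print(f"d_black={min_distance(S2, [B1])}, d_white={min_distance(S2, [W1, W2])}, "
          f"P_threaten={p:.3f}, attacked={attacked}")
```

With the page's data the example reproduces d_black = 1 and d_white = 2; the assumed formula then gives P_threaten = 2/3, which exceeds X_safe = 0.25, so the control block is flagged as under attack, exactly the outcome of step (6). Feeding B_1 itself yields 1 through the blacklist match, and feeding the prefix (status_1, status_2, status_4) of W_2 yields 0 through step 27, so a legitimate operation sequence that is still in progress is not raised as an alarm.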
Fig. 4 is a schematic structural diagram of a power service packet attack recognition system 400 based on service logic according to an embodiment of the present invention. As shown in fig. 4, an electric power service packet attack recognition system 400 based on service logic provided in an embodiment of the present invention includes: a current state sequence determining unit 401, a dangerous state sequence set and safe state sequence set determining unit 402, a threat degree determining unit 403 and a power service message attack identifying unit 404.
Preferably, the current state sequence determining unit 401 is configured to obtain a multipoint signal value sequence and a multipoint signal address sequence of a current state node from an electrical service packet, determine a control block corresponding to the current state node according to the multipoint signal address sequence, add the multipoint signal value sequence to the state sequence of the control block, and obtain the current state sequence.
Preferably, the dangerous state sequence set and the safety state sequence set determining unit 402 is configured to determine a dangerous state sequence set and a safety state sequence set corresponding to the current state sequence according to the multi-point signal address sequence of the current state sequence.
Preferably, the threat degree determining unit 403 is configured to determine the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set, and the safe state sequence set.
Preferably, the threat degree determination unit 403 includes: a dangerous state sequence set matching module and a safe state sequence set matching module.
And the dangerous state sequence set matching module is used for matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1.
The safety state sequence set matching module is configured to match the current state sequence with the safety state sequence set if the current state sequence is unsuccessfully matched with the dangerous state sequence set, and determine that the threat degree of the current state sequence is 0 if the current state sequence is successfully matched with the safety state sequence set.
Preferably, the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set, including:
Step 11: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state
Figure BDA0002202951790000171
where the initial value of n1 is 0; after the addition,
Figure BDA0002202951790000172
Step 12: traverse in sequence all the rules in the dangerous state sequence set
Figure BDA0002202951790000173
where each rule B_i (i = 1, …, t) has n2 states:
Figure BDA0002202951790000174
if n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching ends without success, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, go to step 13; otherwise, go to step 14;
Step 13: take
Figure BDA0002202951790000175
and keep only its last n2 entries, so that
Figure BDA0002202951790000176
and set n1 to n-n2, so that
Figure BDA0002202951790000178
Figure BDA0002202951790000179
Step 14: judge whether
Figure BDA0002202951790000181
is the same as B_i; if the same, take
Figure BDA0002202951790000182
and retain only its last entry, then set n1 to n-1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly determine that the threat degree of the current state sequence is 1; otherwise, return to step 12 to continue the traversal.
Preferably, the security state sequence set matching module, which matches the current state sequence with the security state sequence set, comprises:
Step 21: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state
Figure BDA0002202951790000184
where the initial value of n3 is 0, and after the addition the buffer state is as in step 21 above.
Step 22: traverse in sequence all the rules in the safe state sequence set
Figure BDA0002202951790000186
where each rule W_i (i = 1, …, e) has n4 states: if n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching has failed and the traversal ends; if n4 < n-n3, go to step 23; otherwise, go to step 24;
Step 23: take
Figure BDA0002202951790000188
and keep only its last n4 entries, so that
Figure BDA0002202951790000189
Figure BDA00022029517900001810
and set n3 to n-n4, so that
Figure BDA00022029517900001811
Figure BDA00022029517900001812
Step 24: judge whether
Figure BDA00022029517900001813
is the same as W_i; if not, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: retain only the last entry of the buffer state, so that
Figure BDA00022029517900001815
Figure BDA00022029517900001816
set n3 to n-1, set init_status to 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; the initial value of init_status is 0, and it marks whether one complete match of a safe state sequence has already been performed;
step 26, if init _ status is 0, go to step 27, otherwise go to step 28;
Step 27: init_status is 0; judge whether
Figure BDA00022029517900001817
is W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether
Figure BDA00022029517900001818
is the same as the first n-n1 items of W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
Preferably, the threat degree determination unit 403 further includes: a first minimum distance and second minimum distance determination module and a threat determination module.
The first and second minimum distance determination modules are configured to calculate a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively.
The threat degree determination module is used for calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, the first and second minimum distance determination modules calculate the first minimum distance of the current state sequence from the set of dangerous state sequences by:
Figure BDA0002202951790000191
where d_black is the first minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the set of dangerous state sequences is
Figure BDA0002202951790000192
For
Figure BDA0002202951790000193
If
Figure BDA0002202951790000194
Then
Figure BDA0002202951790000195
Figure BDA0002202951790000196
Figure BDA0002202951790000197
Figure BDA0002202951790000198
Otherwise
Figure BDA0002202951790000199
column_S′ denotes the number of columns of the matrix S′, B_i(status_value) denotes the status_value in the state sequence B_i, and B_i(status_value)[0, …, column_S′-1] denotes columns 0 to column_S′-1 of the B_i(status_value) matrix;
Figure BDA00022029517900001910
represents
Figure BDA00022029517900001911
the i-th column of the matrix; the function d(A, B) represents the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); then
Figure BDA00022029517900001912
Preferably, the first minimum distance and second minimum distance determining module calculates the second minimum distance between the current state sequence and the set of security state sequences by:
Figure BDA0002202951790000201
where d_white is the second minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the set of safe state sequences is
Figure BDA0002202951790000202
For
Figure BDA0002202951790000203
If
Figure BDA0002202951790000204
Then
Figure BDA0002202951790000205
Figure BDA0002202951790000206
Figure BDA0002202951790000208
Otherwise
Figure BDA0002202951790000209
Figure BDA00022029517900002010
column_S′ denotes the number of columns of the matrix S′, W_i(status_value) denotes the status_value in the state sequence W_i, and W_i(status_value)[0, …, column_S′-1] denotes columns 0 to column_S′-1 of the W_i(status_value) matrix;
Figure BDA00022029517900002011
represents
Figure BDA00022029517900002012
the i-th column of the matrix; the function d(A, B) represents the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); then
Figure BDA00022029517900002014
Figure BDA00022029517900002015
Preferably, the threat degree determination module calculates the threat degree of the current state sequence according to the first minimum distance and the second minimum distance, and includes:
Figure BDA00022029517900002013
where P_threaten is the threat degree of the current state sequence; d_black is the first minimum distance; d_white is the second minimum distance.
Preferably, the electric power service packet attack recognition unit 404 is configured to compare the threat level of the current state sequence with a preset security risk threshold, and determine that the power grid is attacked by the electric power service packet when the threat level of the current state sequence is greater than or equal to the preset security risk threshold.
Preferably, the power service packet attack recognition unit 404 is further configured to: and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
The power service message attack recognition system 400 based on service logic according to the embodiment of the present invention corresponds to the power service message attack recognition method 100 based on service logic according to another embodiment of the present invention, and is not described herein again.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the [ device, component, etc ]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (14)

1. A method for identifying electric power service message attack based on service logic is characterized by comprising the following steps:
acquiring a multipoint signal value sequence and a multipoint signal address sequence of a current state node from a power service message, determining a control block corresponding to the current state node according to the multipoint signal address sequence, and adding the multipoint signal value sequence to the state sequence of the control block to acquire the current state sequence;
respectively determining a dangerous state sequence set and a safe state sequence set corresponding to the current state sequence according to the multipoint signal address sequence of the current state sequence;
determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;
and comparing the threat degree of the current state sequence with a preset safety risk threshold, and determining that the power grid is attacked by the power service message when the threat degree of the current state sequence is greater than or equal to the preset safety risk threshold.
2. The method of claim 1, wherein determining the threat level of the current state sequence from the current state sequence, a dangerous state sequence set, and a safe state sequence set comprises:
matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;
and if the current state sequence is unsuccessfully matched with the dangerous state sequence set, matching the current state sequence with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, determining that the threat degree of the current state sequence is 0.
3. The method of claim 1 or 2, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set, and the safe state sequence set comprises:
calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
4. The method of claim 3, wherein computing the threat level of the current state sequence based on the first minimum distance and the second minimum distance comprises:
wherein P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance, and d_white is the second minimum distance.
5. The method of claim 2, wherein matching the current state sequence with the dangerous state sequence set comprises:
step 11: adding the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) to a buffer state [Figure FDA0002202951780000021], wherein n1 has an initial value of 0, so that [Figure FDA0002202951780000022];
step 12: traversing in sequence all the rules in the dangerous state sequence set [Figure FDA0002202951780000023]; if n2 > n-n1 and i ≠ t, continuing the traversal; if n2 > n-n1 and i = t, the matching is finished, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, going to step 13; otherwise, going to step 14;
step 13: taking the last n2 entries of [Figure FDA0002202951780000025], so that [Figure FDA0002202951780000026] [Figure FDA0002202951780000027], and setting n1 to n-n2, so that [Figure FDA0002202951780000028] [Figure FDA0002202951780000029];
step 14: judging whether [Figure FDA00022029517800000210] is the same as B_i; if the same, retaining only the last entry of [Figure FDA00022029517800000211], so that [Figure FDA00022029517800000212], setting n1 to n-1, determining that the current state sequence is successfully matched with the dangerous state sequence set, and directly determining that the threat degree of the current state sequence is 1; otherwise, returning to step 12 to continue the traversal.
6. The method of claim 2, wherein matching the current state sequence with the safe state sequence set comprises:
step 21: adding the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) to a buffer state [Figure FDA00022029517800000213], wherein n3 has an initial value of 0, so that [Figure FDA00022029517800000214];
step 22: traversing in sequence all the rules in the safe state sequence set [Figure FDA00022029517800000215], [Figure FDA0002202951780000031]; if n4 > n-n3 and i ≠ e, going to step 26; if n4 > n-n3 and i = e, the matching fails and the traversal ends; if n4 < n-n3, going to step 23; otherwise, going to step 24;
step 23: taking the last n4 entries of [formula image], so that [Figure FDA0002202951780000034], and setting n3 to n-n4, so that [Figure FDA0002202951780000035] [Figure FDA0002202951780000036];
step 24: judging whether [Figure FDA0002202951780000037] is the same as W_i; if not, returning to step 22 and continuing the traversal; otherwise, going to step 25;
step 25: retaining only the last entry of [Figure FDA0002202951780000038], so that [Figure FDA0002202951780000039], setting n3 to n-1 and init_status to 1, determining that the current state sequence is successfully matched with the safe state sequence set, and directly determining that the threat degree of the current state sequence is 0; wherein the initial value of init_status is 0, and it is used to identify whether a complete safe state sequence match has been performed;
step 26: if init_status is 0, going to step 27, otherwise going to step 28;
step 27: with init_status being 0, judging whether [Figure FDA00022029517800000310] is W_i; if so, determining that the current state sequence is successfully matched with the safe state sequence set, and directly determining that the threat degree of the current state sequence is 0; otherwise, continuing to traverse the other rules in the safe state sequence set and returning to step 22;
step 28: judging whether [Figure FDA00022029517800000311] is the same as the first n-n1 items of W_i; if so, determining that the current state sequence is successfully matched with the safe state sequence set, and directly determining that the threat degree of the current state sequence is 0; otherwise, continuing to traverse the other rules in the safe state sequence set and returning to step 22.
7. The method of claim 1, further comprising:
and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
8. A power service message attack recognition system based on service logic is characterized in that the system comprises:
a current state sequence determining unit, configured to obtain a multipoint signal value sequence and a multipoint signal address sequence of a current state node from an electrical service packet, determine a control block corresponding to the current state node according to the multipoint signal address sequence, add the multipoint signal value sequence to the state sequence of the control block, and obtain the current state sequence;
a dangerous state sequence set and safety state sequence set determining unit, configured to determine a dangerous state sequence set and a safety state sequence set corresponding to the current state sequence according to the multi-point signal address sequence of the current state sequence;
the threat degree determining unit is used for determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;
and the electric power service message attack identification unit is used for comparing the threat degree of the current state sequence with a preset safety risk threshold value, and determining that the power grid is attacked by the electric power service message when the threat degree of the current state sequence is greater than or equal to the preset safety risk threshold value.
9. The system of claim 8, wherein the threat level determination unit determines the threat level of the current state sequence from the current state sequence, the dangerous state sequence set, and the safe state sequence set, and comprises:
a dangerous state sequence set matching module, configured to match the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determine that the threat degree of the current state sequence is 1;
and the safety state sequence set matching module is used for matching the current state sequence with the safety state sequence set if the current state sequence is unsuccessfully matched with the dangerous state sequence set, and determining the threat degree of the current state sequence to be 0 if the current state sequence is successfully matched with the safety state sequence set.
10. The system according to claim 8 or 9, wherein the threat level determination unit determines the threat level of the current state sequence from the current state sequence, the dangerous state sequence set, and the safe state sequence set, and comprises:
a first minimum distance and a second minimum distance determination module for calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and the threat degree determining module is used for calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
11. The system of claim 10, wherein the threat level determination module calculates the threat level of the current state sequence based on the first minimum distance and the second minimum distance, comprising:
[Figure FDA0002202951780000041]
wherein P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance, and d_white is the second minimum distance.
12. The system of claim 10, wherein the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set, comprising:
step 11: adding the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) to a buffer state [Figure FDA0002202951780000051], wherein n1 has an initial value of 0, so that [Figure FDA0002202951780000052];
step 12: traversing in sequence all the rules in the dangerous state sequence set [Figure FDA0002202951780000053], [Figure FDA0002202951780000054]; if n2 > n-n1 and i ≠ t, continuing the traversal; if n2 > n-n1 and i = t, the matching is finished, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, going to step 13; otherwise, going to step 14;
step 13: taking the last n2 entries of [formula image], so that [Figure FDA0002202951780000056] [Figure FDA0002202951780000057], and setting n1 to n-n2, so that [Figure FDA0002202951780000058] [Figure FDA0002202951780000059];
step 14: judging whether [Figure FDA00022029517800000510] is the same as B_i; if the same, retaining only the last entry of [Figure FDA00022029517800000511], so that [Figure FDA00022029517800000512], setting n1 to n-1, determining that the current state sequence is successfully matched with the dangerous state sequence set, and directly determining that the threat degree of the current state sequence is 1; otherwise, returning to step 12 to continue the traversal.
13. The system of claim 10, wherein the safe state sequence set matching module matches the current state sequence with the safe state sequence set, comprising:
step 21: adding the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) to a buffer state [Figure FDA00022029517800000513], wherein n3 has an initial value of 0, so that [formula image];
step 22: traversing in sequence all the rules in the safe state sequence set [formula image], [Figure FDA00022029517800000516]; if n4 > n-n3 and i ≠ e, going to step 26; if n4 > n-n3 and i = e, the matching fails and the traversal ends; if n4 < n-n3, going to step 23; otherwise, going to step 24;
step 23: taking the last n4 entries of [Figure FDA00022029517800000517], so that [Figure FDA00022029517800000518], and setting n3 to n-n4, so that [Figure FDA0002202951780000062] [Figure FDA0002202951780000063];
step 24: judging whether [Figure FDA0002202951780000064] is the same as W_i; if not, returning to step 22 and continuing the traversal; otherwise, going to step 25;
step 25: retaining only the last entry of [Figure FDA0002202951780000065], so that [Figure FDA0002202951780000066] [Figure FDA0002202951780000067], setting n3 to n-1 and init_status to 1, determining that the current state sequence is successfully matched with the safe state sequence set, and directly determining that the threat degree of the current state sequence is 0; wherein the initial value of init_status is 0, and it is used to identify whether a complete safe state sequence match has been performed;
step 26: if init_status is 0, going to step 27, otherwise going to step 28;
step 27: with init_status being 0, judging whether [Figure FDA0002202951780000068] is W_i; if so, determining that the current state sequence is successfully matched with the safe state sequence set, and directly determining that the threat degree of the current state sequence is 0; otherwise, continuing to traverse the other rules in the safe state sequence set and returning to step 22;
step 28: judging whether [Figure FDA0002202951780000069] is the same as the first n-n1 items of W_i; if so, determining that the current state sequence is successfully matched with the safe state sequence set, and directly determining that the threat degree of the current state sequence is 0; otherwise, continuing to traverse the other rules in the safe state sequence set and returning to step 22.
14. The system of claim 8, wherein the power traffic packet attack identification unit is further configured to:
and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
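Claims 1 to 7 above describe one detection pass: build the current state sequence of the control block addressed by the message, try an exact match against the dangerous and safe state sequence sets, and otherwise fall back to the two minimum distances and a threshold. The Python block below is an added example and is not code from the patent or its assignees. It assumes: constructed address and value tuples (CONTROL_BLOCKS, DANGEROUS_RULES, SAFE_RULES, ServiceMessage and the OPEN/CLOSED labels are all sample data); Levenshtein distance over state tuples as the distance measure, which the claims do not name; a plain suffix match in place of the buffered step-by-step matching of claims 5 and 6; a threshold of 0.5; and, because the claim 4 formula is an image not reproduced on this page, the assumed combination P_threaten = d_white / (d_black + d_white), which agrees with claim 2 at the two endpoints (0 on a safe match, 1 on a dangerous match).

```python
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed sample data (stand-ins for the real substation configuration) ---

# Multipoint signal address sequence -> control block it belongs to.
CONTROL_BLOCKS = {
    (0x1001, 0x1002, 0x1003): "breaker_cb_1",
}

# Three constructed multipoint signal value tuples (one value per address).
OPEN, CLOSED, CLOSED_LOCKED = (0, 0, 0), (1, 0, 0), (1, 1, 0)

# Rule sets keyed by address sequence. A rule is a tuple of value tuples, i.e. an
# ordered run of control-block states. Constructed illustrations only.
DANGEROUS_RULES = {
    (0x1001, 0x1002, 0x1003): [(CLOSED, OPEN, CLOSED)],   # rapid close/open/close
}
SAFE_RULES = {
    (0x1001, 0x1002, 0x1003): [(OPEN, CLOSED), (CLOSED, CLOSED_LOCKED)],
}


@dataclass(frozen=True)
class ServiceMessage:
    """One decoded power service message: the current state node's address and value sequences."""
    addresses: tuple
    values: tuple


def levenshtein(a, b):
    """Edit distance between two state sequences (assumed metric; the claims name none)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete x
                           cur[j - 1] + 1,            # insert y
                           prev[j - 1] + (x != y)))   # substitute x by y
        prev = cur
    return prev[-1]


class StateTracker:
    """Per-control-block state sequence, extended by each incoming message (claim 1, first step)."""

    def __init__(self, max_len=8):
        self.max_len = max_len
        self.sequences = defaultdict(list)

    def update(self, msg):
        cb = CONTROL_BLOCKS.get(msg.addresses)
        if cb is None:
            raise KeyError(f"no control block for address sequence {msg.addresses}")
        seq = self.sequences[cb]
        seq.append(msg.values)
        del seq[:-self.max_len]          # keep only the most recent states
        return cb, tuple(seq)


def suffix_matches(current, rules):
    """Exact match of claim 2: a rule matches when it equals the tail of the current sequence."""
    return any(len(r) <= len(current) and current[-len(r):] == r for r in rules)


def min_distance(current, rules):
    """Minimum distance of claim 3, comparing each rule with the same-length tail of the sequence."""
    if not rules:
        return len(current)
    return min(levenshtein(current[-len(r):], r) for r in rules)


def threat_degree(current, dangerous, safe):
    """P_threaten: exact checks first (claim 2), then the distance-based fallback (claim 3)."""
    if suffix_matches(current, dangerous):
        return 1.0
    if suffix_matches(current, safe):
        return 0.0
    d_black = min_distance(current, dangerous)
    d_white = min_distance(current, safe)
    if d_black + d_white == 0:   # unreachable after the exact checks; defensive guard
        return 1.0
    # Assumed combination (the claim 4 formula is not reproduced on this page).
    return d_white / (d_black + d_white)


def assess(tracker, msg, threshold=0.5):
    """Claim 1 end to end; returns (control block, P_threaten, attacked). The threshold is assumed."""
    cb, current = tracker.update(msg)
    p = threat_degree(current,
                      DANGEROUS_RULES.get(msg.addresses, []),
                      SAFE_RULES.get(msg.addresses, []))
    return cb, p, p >= threshold


def run_demo():
    """Feed four constructed messages for one control block and return each assessment."""
    tracker = StateTracker()
    addr = (0x1001, 0x1002, 0x1003)
    return [assess(tracker, ServiceMessage(addr, v)) for v in (OPEN, CLOSED, OPEN, CLOSED)]


if __name__ == "__main__":
    for cb, p, attacked in run_demo():
        print(f"{cb}: P_threaten={p:.3f} attacked={attacked}")
```

In the demo the second message completes the safe transition OPEN→CLOSED and scores 0; the fourth completes CLOSED→OPEN→CLOSED, which is the dangerous rule, and scores 1 and is flagged. The first and third messages match neither set exactly and get a fractional degree from the distances, which is where the threshold of claim 1 does its work.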
CN201910871501.XA 2019-09-16 2019-09-16 Power service message attack identification method and system based on service logic Pending CN110751570A (en)

Publications (1)

Publication Number Publication Date
CN110751570A true CN110751570A (en) 2020-02-04

Family

ID=69276463

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615808A (en) * 2020-10-27 2021-04-06 国网浙江省电力有限公司绍兴供电公司 Method, device and equipment for representing white list of process layer messages of intelligent substation

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030236995A1 (en) * 2002-06-21 2003-12-25 Fretwell Lyman Jefferson Method and apparatus for facilitating detection of network intrusion
CN106790313A (en) * 2017-03-31 2017-05-31 杭州迪普科技股份有限公司 Intrusion prevention method and device
CN108092948A (en) * 2016-11-23 2018-05-29 中国移动通信集团湖北有限公司 A kind of recognition methods of network attack mode and device
CN109246027A (en) * 2018-09-19 2019-01-18 腾讯科技(深圳)有限公司 A kind of method, apparatus and terminal device of network operation
CN109586282A (en) * 2018-11-29 2019-04-05 安徽继远软件有限公司 A kind of unknown threat detection system of power grid and method
CN109787960A (en) * 2018-12-19 2019-05-21 中国平安人寿保险股份有限公司 Abnormal flow data identification method, device, medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
伊恩泽 et al.: "Design and Implementation of a QR Code Security Detection System for Android Intelligent Terminals", Computer Knowledge and Technology (电脑知识与技术), vol. 13, no. 08 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination