CN110751570A - Power service message attack identification method and system based on service logic - Google Patents
- Publication number: CN110751570A
- Application number: CN201910871501.X
- Authority
- CN
- China
- Prior art keywords
- state sequence
- current state
- sequence
- status
- determining
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G06Q50/06: Electricity, gas or water supply (G06Q50/00, systems or methods specially adapted for specific business sectors, e.g. utilities; G06Q, ICT specially adapted for administrative, commercial, financial, managerial or supervisory purposes)
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/00, network architectures or network communication protocols for network security)
- H04L63/1441: Countermeasures against malicious traffic (H04L63/14, detecting or protecting against malicious traffic)
Abstract
The invention discloses a method and system for identifying power service message attacks based on service logic. The method comprises: determining the current state sequence of the power service; determining, according to the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to that current state sequence; determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set; and, when the threat degree of the current state sequence is greater than or equal to a preset safety risk threshold, determining that the power grid is under a power service message attack. By defining a dangerous state sequence set and a safe state sequence set for the power service logic, the method combines misuse detection (matching against known dangerous sequences) with anomaly detection (comparison against known safe sequences), evaluates the threat degree of the power service and decides from that threat degree whether the power grid is under a power service message attack, so that such attacks are identified effectively and the safe and reliable operation of the power service control system is guaranteed.
Description
Technical Field
The invention relates to the technical field of smart grid security, and in particular to a method and system for identifying power service message attacks based on service logic.
Background
As the coupling between the information space and the physical space of the smart grid deepens, faults in the physical power system caused by network attacks have become more common in recent years and seriously affect the normal operation of the power system. At the end of 2015, an attacker obtained operating authority on a substation monitoring system server and performed malicious switching operations, leaving 80,000 users of the Ukrainian power grid without power; in 2016 the power supply system suffered another significant cyber attack that forced it to run offline. In a power grid, the various intelligent terminals and devices that measure and control the primary system or its equipment parameters (collectively referred to herein as measurement and control terminals) are the bridge between the information system and the physical system. When they are attacked by tampered, counterfeited or replayed power service messages, the normal operation of the primary equipment is directly affected, for example by abnormal opening or closing of circuit breakers or modification of setting values, and power accidents result. How to effectively identify the power service message attacks that a grid measurement and control terminal may suffer has therefore become an urgent problem.
At present, research on network attack identification for grid measurement and control terminals falls into two categories. 1) Attack identification systems from conventional information networks are applied directly to the measurement and control terminal: some studies identify attacks by anomaly detection and protocol whitelisting of non-power-service message traffic, and some propose identifying unknown attacks from a self-learned communication pattern. 2) Attack identification relies on the traffic characteristics of power-specific protocols, or on rules or correlations between different fields of a message: some studies identify attacks from the network traffic characteristics of GOOSE messages, some propose an identification method based on checking the traffic pattern of the IEC 60870-5-104 protocol together with the validity and correlation of each field, and some apply the same approach to attacks carried out over the IEC 61850 protocol. This research effectively identifies attacks that exploit vulnerabilities of general network protocols, such as ARP spoofing, ICMP flood and SYN flood, and some attacks that exploit vulnerabilities of power-specific protocols such as IEC 60870-5-104 and IEC 61850, for example malformed GOOSE message attacks, but it cannot effectively identify power service message attacks. A power service message attack is one in which the attacker causes the primary power equipment to be operated falsely by tampering with, forging or replaying the service messages carried by the grid measurement and control terminal; such an attack usually changes the normal service logic.
Disclosure of Invention
The invention provides a method and system for identifying power service message attacks based on service logic, aiming to solve the problem of how to effectively identify such attacks so that the safety state of the power grid can be determined.
To solve the above problem, according to one aspect of the invention there is provided a method for identifying power service message attacks based on service logic, the method comprising:
acquiring the multipoint signal value sequence and the multipoint signal address sequence of the current state node from a power service message, determining the control block corresponding to the current state node according to the multipoint signal address sequence, and appending the multipoint signal value sequence to the state sequence of that control block to obtain the current state sequence;
determining the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence according to its multipoint signal address sequence;
determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set;
and comparing the threat degree of the current state sequence with a preset safety risk threshold, and determining that the power grid is under a power service message attack when the threat degree is greater than or equal to that threshold.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;
and if the current state sequence is unsuccessfully matched with the dangerous state sequence set, matching the current state sequence with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, determining that the threat degree of the current state sequence is 0.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, calculating the threat degree of the current state sequence from the first minimum distance and the second minimum distance comprises evaluating P_threaten from d_black and d_white,
where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.
Preferably, matching the current state sequence with the dangerous state sequence set comprises:
Step 11: append the last multipoint signal value sequence status_n of the current state sequence status_sequence_now = (S', pos_sequence_now), S' = (status_1, status_2, ..., status_n), to a buffer; n1 has an initial value of 0.
Step 12: traverse the rules of the dangerous state sequence set in order; for the i-th rule B_i, of length n2, if n2 > n - n1 and i ≠ t, continue traversing; if n2 > n - n1 and i = t, the matching ends without success, the traversal ends and the safe state sequence set matching is executed next; if n2 < n - n1, go to step 13; otherwise go to step 14.
Step 14: judge whether the buffer is identical to B_i; if so, retain only the last entry of the buffer, set n1 = n - 1, determine that the current state sequence matches the dangerous state sequence set and directly set the threat degree of the current state sequence to 1; otherwise return to step 12 and continue the traversal.
Preferably, matching the current state sequence with the safe state sequence set comprises:
Step 21: append the last multipoint signal value sequence status_n of the current state sequence status_sequence_now = (S', pos_sequence_now), S' = (status_1, status_2, ..., status_n), to a buffer; n3 has an initial value of 0.
Step 22: traverse the rules of the safe state sequence set in order; for the i-th rule W_i, of length n4, if n4 > n - n3 and i ≠ e, go to step 26; if n4 > n - n3 and i = e, the matching has failed and the traversal ends; if n4 < n - n3, go to step 23; otherwise go to step 24.
Step 24: judge whether the buffer is identical to W_i; if not, return to step 22 and continue the traversal; otherwise go to step 25.
Step 25: retain only the last entry of the buffer, set n3 = n - 1, set init_status = 1, determine that the current state sequence matches the safe state sequence set and directly set its threat degree to 0; init_status has an initial value of 0 and records whether a complete match against a safe state sequence has already been performed.
Step 26: if init_status = 0, go to step 27; otherwise go to step 28.
Step 27 (init_status = 0): judge whether the buffer matches the leading entries of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set its threat degree to 0; otherwise return to step 22 and continue traversing the remaining rules of the safe state sequence set.
Step 28: judge whether the buffer is identical to the first n - n1 entries of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set its threat degree to 0; otherwise return to step 22 and continue traversing the remaining rules of the safe state sequence set.
Preferably, the method further comprises:
determining that the power grid is not under a power service message attack if the threat degree of the current state sequence is below the preset safety risk threshold.
According to another aspect of the invention, there is provided a system for identifying power service message attacks based on service logic, the system comprising:
a current state sequence determining unit, configured to acquire the multipoint signal value sequence and the multipoint signal address sequence of the current state node from a power service message, determine the control block corresponding to the current state node according to the multipoint signal address sequence, and append the multipoint signal value sequence to the state sequence of that control block to obtain the current state sequence;
a dangerous state sequence set and safe state sequence set determining unit, configured to determine the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence according to its multipoint signal address sequence;
a threat degree determining unit, configured to determine the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set;
and a power service message attack identification unit, configured to compare the threat degree of the current state sequence with a preset safety risk threshold and determine that the power grid is under a power service message attack when the threat degree is greater than or equal to that threshold.
Preferably, the determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set by the threat degree determining unit includes:
a dangerous state sequence set matching module, configured to match the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determine that the threat degree of the current state sequence is 1;
and the safety state sequence set matching module is used for matching the current state sequence with the safety state sequence set if the current state sequence is unsuccessfully matched with the dangerous state sequence set, and determining the threat degree of the current state sequence to be 0 if the current state sequence is successfully matched with the safety state sequence set.
Preferably, the determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set by the threat degree determining unit includes:
a first minimum distance and a second minimum distance determination module for calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and the threat degree determining module is used for calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, the threat degree determination module calculates the threat degree of the current state sequence from the first minimum distance and the second minimum distance by evaluating P_threaten from d_black and d_white,
where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.
Preferably, the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set as follows:
Step 11: append the last multipoint signal value sequence status_n of the current state sequence status_sequence_now = (S', pos_sequence_now), S' = (status_1, status_2, ..., status_n), to a buffer; n1 has an initial value of 0.
Step 12: traverse the rules of the dangerous state sequence set in order; for the i-th rule B_i, of length n2, if n2 > n - n1 and i ≠ t, continue traversing; if n2 > n - n1 and i = t, the matching ends without success, the traversal ends and the safe state sequence set matching is executed next; if n2 < n - n1, go to step 13; otherwise go to step 14.
Step 14: judge whether the buffer is identical to B_i; if so, retain only the last entry of the buffer, set n1 = n - 1, determine that the current state sequence matches the dangerous state sequence set and directly set the threat degree of the current state sequence to 1; otherwise return to step 12 and continue the traversal.
Preferably, the safe state sequence set matching module matches the current state sequence with the safe state sequence set as follows:
Step 21: append the last multipoint signal value sequence status_n of the current state sequence status_sequence_now = (S', pos_sequence_now), S' = (status_1, status_2, ..., status_n), to a buffer; n3 has an initial value of 0.
Step 22: traverse the rules of the safe state sequence set in order; for the i-th rule W_i, of length n4, if n4 > n - n3 and i ≠ e, go to step 26; if n4 > n - n3 and i = e, the matching has failed and the traversal ends; if n4 < n - n3, go to step 23; otherwise go to step 24.
Step 24: judge whether the buffer is identical to W_i; if not, return to step 22 and continue the traversal; otherwise go to step 25.
Step 25: retain only the last entry of the buffer, set n3 = n - 1, set init_status = 1, determine that the current state sequence matches the safe state sequence set and directly set its threat degree to 0; init_status has an initial value of 0 and records whether a complete match against a safe state sequence has already been performed.
Step 26: if init_status = 0, go to step 27; otherwise go to step 28.
Step 27 (init_status = 0): judge whether the buffer matches the leading entries of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set its threat degree to 0; otherwise return to step 22 and continue traversing the remaining rules of the safe state sequence set.
Step 28: judge whether the buffer is identical to the first n - n1 entries of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set its threat degree to 0; otherwise return to step 22 and continue traversing the remaining rules of the safe state sequence set.
Preferably, the power service message attack identification unit is further configured to:
determine that the power grid is not under a power service message attack if the threat degree of the current state sequence is below the preset safety risk threshold.
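The rule-based branch of the threat degree determination (matching against the dangerous set first, then the safe set, then the threshold comparison), as an added Python example that is not part of the patent. The rule sets and the current sequences are constructed: one control block with three single-point signals, two circuit breakers CB1, CB2 and a disconnector DS1 (1 = closed, 0 = open), with the dangerous rule "DS1 opened while CB1 is still closed" and the safe rules "open CB1, then open DS1" and "close DS1, then close CB1". The buffer bookkeeping with n1, n3 and init_status from steps 11 to 28 is collapsed into a stateless check over the whole current sequence: a dangerous rule matches when it equals the tail of the sequence, a safe rule matches when it equals the tail, or when the part of the sequence after the most recently completed safe rule is a prefix of it (the "in progress" case). Function and variable names are this example's own.

```python
"""Rule-based threat degree: dangerous (black) and safe (white) state
sequence matching plus the threshold decision.  Added example; the
rule sets below are constructed, not taken from the patent."""
from typing import List, Optional, Sequence, Tuple

Status = Tuple[int, ...]   # one multipoint signal value sequence (CB1, CB2, DS1)
Rule = List[Status]        # a state sequence used as a rule

# Constructed rule sets for the control block pos_sequence = (CB1, CB2, DS1)
BLACK: List[Rule] = [
    [(1, 1, 1), (1, 1, 0)],              # B0: DS1 opened under load (CB1 closed)
]
WHITE: List[Rule] = [
    [(1, 1, 1), (0, 1, 1), (0, 1, 0)],   # W0: open CB1, then open DS1
    [(0, 1, 0), (0, 1, 1), (1, 1, 1)],   # W1: close DS1, then close CB1
]


def ends_with(seq: Sequence[Status], rule: Rule) -> bool:
    """Step 14 / 24: the last len(rule) states of seq equal the rule."""
    return len(seq) >= len(rule) and list(seq[-len(rule):]) == rule


def is_prefix_of(seq: Sequence[Status], rule: Rule) -> bool:
    """Steps 27 / 28: seq equals the leading len(seq) states of the rule."""
    return 0 < len(seq) <= len(rule) and list(seq) == rule[:len(seq)]


def rule_threat_degree(seq: Sequence[Status], black: List[Rule] = BLACK,
                       white: List[Rule] = WHITE) -> Tuple[Optional[int], str]:
    """Return (P_threaten, reason): 1 on a dangerous match, 0 on a safe
    match, None when no rule matches (the distance-based branch applies)."""
    if not seq:
        return None, "empty sequence"
    for i, b in enumerate(black):                  # misuse detection first
        if ends_with(seq, b):
            return 1, f"dangerous rule B{i}"
    for i, w in enumerate(white):                  # complete safe sequence
        if ends_with(seq, w):
            return 0, f"safe rule W{i} completed"
    # n1 in the patent: after a completed safe sequence only its last state
    # is retained as the seed of the next one (step 25).
    start = 0
    for end in range(1, len(seq)):
        if any(ends_with(seq[:end], w) for w in white):
            start = end - 1
    tail = seq[start:]
    for i, w in enumerate(white):                  # legal operation in progress
        if is_prefix_of(tail, w):
            return 0, f"safe rule W{i} in progress"
    return None, "no rule matched"


def is_attack(p: Optional[float], threshold: float = 0.5) -> Optional[bool]:
    """Threshold comparison of step 104; None when no threat degree is known."""
    if p is None:
        return None
    return p >= threshold


if __name__ == "__main__":
    for s in ([(1, 1, 1), (1, 1, 0)],
              [(1, 1, 1), (0, 1, 1)],
              [(1, 1, 1), (0, 1, 1), (0, 1, 0), (0, 1, 1)],
              [(1, 1, 1), (0, 1, 1), (1, 1, 1)]):
        p, why = rule_threat_degree(s)
        print(s, "->", p, why, "attack:", is_attack(p))
```

The fourth sample (CB1 opened and immediately closed again) matches neither set, which is exactly the case the patent hands to the distance-based calculation; treating "no rule matched" as benign would be a silent whitelist bypass, so the function returns None rather than 0.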
The invention provides a method and system for identifying power service message attacks based on service logic. The method comprises: determining the current state sequence of the power grid; determining, according to the multipoint signal address sequence of the current state sequence, its corresponding dangerous state sequence set and safe state sequence set; determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set; and, when that threat degree is greater than or equal to a preset safety risk threshold, determining that the power grid is under a power service message attack. By defining a dangerous state sequence set and a safe state sequence set for the power service logic, the method combines misuse detection with anomaly detection, evaluates the threat degree of the power service and decides from it whether the power grid is under a power service message attack, so that such attacks are identified effectively, the false alarm rate is reduced and the safe and reliable operation of the power service control system is guaranteed.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
fig. 1 is a flowchart of a method 100 for identifying a power service message attack based on service logic according to an embodiment of the invention;
FIG. 2 is a diagram of a state chain data structure according to an embodiment of the present invention;
FIG. 3 is a data structure diagram of a hazardous state sequence and a safe state sequence according to an embodiment of the present invention; and
fig. 4 is a schematic structural diagram of a power service packet attack recognition system 400 based on service logic according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the invention will now be described with reference to the accompanying drawings; however, the invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that this disclosure is complete and thorough and fully conveys the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the drawings is not intended to limit the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a flowchart of a method 100 for identifying a power service message attack based on service logic according to an embodiment of the invention. The method defines a dangerous state sequence set and a safe state sequence set for the power service logic, combines misuse detection with anomaly detection, evaluates the threat degree of the power service and decides from that threat degree whether the power grid is under a power service message attack; power service message attacks are thereby identified effectively, the false alarm rate is reduced and the safe and reliable operation of the power industrial control system is ensured. The method 100 starts from step 101. In step 101, the multipoint signal value sequence and the multipoint signal address sequence of the current state node are acquired from a power service message, the control block corresponding to the current state node is determined according to the multipoint signal address sequence, and the multipoint signal value sequence is appended to the state sequence of that control block to obtain the current state sequence.
In the embodiment of the invention, the service logic must be stored in order to evaluate the security of the current service logic state, so a state chain data structure is proposed to describe the power grid service logic, including the service state and its change process. The state chain data structure of the embodiment is shown in fig. 2 and comprises the following 7 parts.
(1) Single-point signal value: the data field in fig. 2, describing the value of a single FCDA (Functionally Constrained Data Attribute, the IEC 61850 term) entry. In the grid this is, for example, the position of a disconnector or the voltage or current value at a node.
(2) Signal address: the pos field in fig. 2, describing the location of an FCDA entry. In the grid this is the name of the logical instance of a disconnector or node; in the actual calculation it is the name of a variable, used to index that variable.
(3) Multipoint signal address sequence: the field pos_sequence = (pos_1, pos_2, ..., pos_n)^T in fig. 2, describing the address sequence of every single-point signal on one control block.
(4) Multipoint signal value sequence: the field status = (data_1, data_2, ..., data_n)^T in fig. 2, describing the sequence of single-point signal values on one control block. In the grid this is, for example, the positions of several switches or the voltage and current values at several points.
(5) State node: defined as Node = (status, pos_sequence). It consists of a multipoint signal address sequence and a multipoint signal value sequence and describes the state of a control block.
(6) State change: describes the change of one or more single-point signals in a control block. In the grid this is the operation of one or more switches, a change of one or more voltages or currents, or a change of one or more setting values.
(7) State sequence: status_sequence = (S, pos_sequence), where S = (status_1, status_2, ..., status_n), formed by linking in order a finite number of state nodes that share the same pos_sequence; it describes the logical process of state change of the control block. In the grid this is the operating logic of a group of switches or the logic of a group of voltage and current changes.
In the embodiment of the invention, to identify whether the power grid is currently under a power service message attack, the current service logic must first be entered into the state chain. On the basis of the state chain data structure, the entry process is as follows:
1.1) Extract the state node Node_now = (status_n, pos_sequence_now) from the application-layer content of the power service message, where status_n = (data_1, data_2, ..., data_k)^T.
1.2) Using pos_sequence_now of Node_now, find the state sequence status_sequence = (S, pos_sequence) of the control block whose pos_sequence equals pos_sequence_now, where S = (status_1, status_2, ..., status_{n-1}).
1.3) Compare whether status_{n-1} equals status_n; if equal, the process ends; otherwise go to 1.4).
1.4) Chain status_n into the state sequence status_sequence = (S, pos_sequence), obtaining the current state sequence status_sequence_now = (S', pos_sequence_now), where S' = (status_1, status_2, ..., status_n).
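The entry process 1.1) to 1.4) above, written out as an added Python example; this code is not part of the patent, and the message dictionaries, the signal names CB1, CB2, DS1, V1, I1 and the class names are constructed for illustration. Each control block is keyed by its pos_sequence, and a message whose status equals the block's last status is dropped rather than chained, as step 1.3) requires, so that a replayed message cannot inflate the state chain:

```python
"""State chain entry for decoded power service messages (added example).

A message is represented here as {"pos": [...], "data": [...]}; the
real application-layer decoding (IEC 61850 / IEC 60870-5-104) is out
of scope and assumed to have produced these two lists."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PosSequence = Tuple[str, ...]   # multipoint signal address sequence
Status = Tuple[float, ...]      # multipoint signal value sequence


@dataclass
class Node:
    """State node Node = (status, pos_sequence) of one control block."""
    status: Status
    pos_sequence: PosSequence


@dataclass
class StatusSequence:
    """State chain of one control block: S = (status_1, ..., status_n)."""
    pos_sequence: PosSequence
    S: List[Status] = field(default_factory=list)


class StateChain:
    """Keeps one status_sequence per control block, keyed by pos_sequence."""

    def __init__(self) -> None:
        self.blocks: Dict[PosSequence, StatusSequence] = {}

    def enter(self, msg: dict) -> StatusSequence:
        """Steps 1.1) to 1.4): returns the (possibly unchanged) control block."""
        # 1.1) extract Node_now from the message content
        node = Node(tuple(msg["data"]), tuple(msg["pos"]))
        if len(node.status) != len(node.pos_sequence):
            raise ValueError("data and pos sequences differ in length")
        # 1.2) find the control block whose pos_sequence equals pos_sequence_now
        block = self.blocks.setdefault(
            node.pos_sequence, StatusSequence(node.pos_sequence))
        # 1.3) status_{n-1} == status_n: no state change, nothing to chain
        if block.S and block.S[-1] == node.status:
            return block
        # 1.4) chain status_n, giving status_sequence_now = (S', pos_sequence_now)
        block.S.append(node.status)
        return block


# Constructed sample traffic: two breakers (CB1, CB2) and a disconnector (DS1)
# on one control block, plus a voltage/current block; 1 = closed, 0 = open.
SAMPLE_MESSAGES = [
    {"pos": ["CB1", "CB2", "DS1"], "data": [1, 1, 1]},
    {"pos": ["CB1", "CB2", "DS1"], "data": [1, 1, 1]},   # repeat: not chained
    {"pos": ["CB1", "CB2", "DS1"], "data": [0, 1, 1]},   # CB1 opened
    {"pos": ["CB1", "CB2", "DS1"], "data": [0, 1, 0]},   # DS1 opened
    {"pos": ["V1", "I1"], "data": [220.0, 5.2]},        # another control block
]


def build_chain(messages=SAMPLE_MESSAGES) -> StateChain:
    """Enter every message in order and return the resulting state chain."""
    chain = StateChain()
    for m in messages:
        chain.enter(m)
    return chain


if __name__ == "__main__":
    for pos, blk in build_chain().blocks.items():
        print(pos, "->", blk.S)
```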
In step 102, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence are determined according to the multipoint signal address sequence of the current state sequence.
In the embodiment of the invention, to evaluate the security of the current service logic state, it must be compared with known dangerous state sequences and known safe state sequences; by comparing the current state sequence with both, a power service message attack can be identified quickly and effectively. The data structure of the dangerous state sequence and the safe state sequence of the embodiment is shown in fig. 3. The dangerous and safe state sequence sets are entered as rules, each rule being represented by the state sequence structure. The dangerous state sequence set is defined as the set of all illegal state sequences whose pos_sequence satisfies the pos_sequence_1 condition, i.e. that belong to the same control block; the safe state sequence set is defined as the set of all legal state sequences whose pos_sequence satisfies the pos_sequence_1 condition.
In step 103, the threat level of the current state sequence is determined according to the current state sequence, the dangerous state sequence set and the safe state sequence set.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;
and if the current state sequence is unsuccessfully matched with the dangerous state sequence set, matching the current state sequence with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, determining that the threat degree of the current state sequence is 0.
Preferably, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:
calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, wherein said calculating a first minimum distance of said current state sequence from said set of hazardous state sequences comprises:
where d_black is the first minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the dangerous state sequence set is as defined above. For each B_i in the set, if the condition is not met then the first case applies, otherwise the second. Here column_{S′} represents the number of columns of the matrix S′, B_i(status_value) represents the status_value in the state sequence B_i, B_i(status_value)[0, …, column_{S′}−1] represents columns 0 to column_{S′}−1 of the B_i(status_value) matrix, the i-th column of that matrix is denoted accordingly, and the function d(A, B) represents the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); d_black is then obtained as given.
Preferably, wherein said calculating a second minimum distance of said current state sequence from said set of security state sequences comprises:
where d_white is the second minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the safe state sequence set is as defined above. For each W_i in the set, if the condition is not met then the first case applies, otherwise the second. Here column_{S′} represents the number of columns of the matrix S′, W_i(status_value) represents the status_value in the state sequence W_i, W_i(status_value)[0, …, column_{S′}−1] represents columns 0 to column_{S′}−1 of the W_i(status_value) matrix, the i-th column of that matrix is denoted accordingly, and the function d(A, B) represents the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); d_white is then obtained as given.
Preferably, wherein calculating the threat level of the current state sequence according to the first minimum distance and the second minimum distance comprises:
where P_threaten is the threat degree of the current state sequence; d_black is the first minimum distance; d_white is the second minimum distance.
Preferably, said matching said current state sequence with said set of hazardous state sequences comprises:
Step 11: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state sequence, where n1 has an initial value of 0, and record the buffer after the addition.
Step 12: traverse in sequence all the rules in the dangerous state sequence set; if n2 > n−n1 and i ≠ t, continue traversing; if n2 > n−n1 and i = t, the matching ends, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n−n1, go to step 13; otherwise, go to step 14;
Step 14: judge whether the buffer state sequence is the same as B_i; if the same, retain only the last entry of the buffer, set n1 = n−1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly determine that the threat degree of the current state sequence is 1; otherwise, go back to step 12 to continue the traversal.
Preferably, said matching said current state sequence with said set of security state sequences comprises:
Step 21: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state sequence, where n3 has an initial value of 0, and record the buffer after the addition.
Step 22: traverse in sequence all the rules in the safe state sequence set; if n4 > n−n3 and i ≠ e, go to step 26; if n4 > n−n3 and i = e, the matching fails and the traversal ends; if n4 < n−n3, go to step 23; otherwise, go to step 24;
Step 24: judge whether the buffer state sequence is the same as W_i; if not the same, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: retain only the last entry of the buffer, then set n3 = n−1, set init_status = 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; the initial value of init_status is 0, and it indicates whether a complete safe state sequence match has been performed once;
Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;
Step 27: init_status is 0; judge whether the buffer state sequence matches W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether the buffer state sequence is the same as the first n−n1 items of W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
In an embodiment of the present invention, after the dangerous state sequence set and the safe state sequence set are determined, the step of determining the threat degree comprises:
S1, match against the dangerous state sequence set; if the matching succeeds, determine that the threat degree of the current state sequence is 1; otherwise, proceed to S2;
S2, match against the safe state sequence set; if the matching succeeds, determine that the threat degree of the current state sequence is 0; otherwise, proceed to S3;
S3, determine the first minimum distance and the second minimum distance, and determine the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
In step 104, comparing the threat level of the current state sequence with a preset security risk threshold, and determining that the power grid is attacked by the power service packet when the threat level of the current state sequence is greater than or equal to the preset security risk threshold.
Preferably, wherein the method further comprises:
and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
In an embodiment of the invention, whether the current power grid is attacked is judged according to the threat degree P_threaten of the current state sequence. To reduce the false alarm rate of the present invention, a safety risk threshold X_safe is defined, where X_safe defaults to 0.25. The value of the safety risk threshold X_safe can be set according to actual needs and is not limited to the 0.25 mentioned in the present application. When P_threaten > X_safe, the power grid corresponding to the pos_sequence_now value in the current state sequence status_sequence_now = (S′, pos_sequence_now) is considered to be attacked by the power service message; otherwise, the power grid is not attacked by the power service message and is in a safe state.
The following gives a specific example of an embodiment of the present invention.
Assume that the state block attacked by the attacker has three FCDAs, with the following address information for each FCDA:
pos_1 = "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.1)",
pos_2 = "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.2)",
pos_3 = "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.3)",
The corresponding control block states are: status_1 = (0,0,0)^T, status_2 = (0,0,1)^T, …, status_8 = (1,1,1)^T. The security risk threshold X_safe of the intrusion detection method is set to 0.25.
When determining that the power grid is attacked by the power service message, the specific implementation method is as follows:
Step (1), state chain entry: assume that the entered state sequence is status_sequence_1 = (S_1, pos_sequence), where S_1 = (status_1, status_2) and pos_sequence = (pos_1, pos_2, pos_3)^T. Now a state node Node_now = (status_5, pos_sequence) is extracted from the application layer message; adding the extracted state node to the entered state sequence, the state sequence changes from status_sequence_1 to status_sequence_2 = (S_2, pos_sequence), where S_2 = (status_1, status_2, status_5).
Step (2), determine the dangerous state sequence set U_blacklist/pos_sequence = {B_1} of the current state sequence, where B_1 = {status_1, status_3, status_7}, and the safe state sequence set U_whitelist/pos_sequence = {W_1, W_2}.
Step (3), match the current state sequence with the dangerous state sequence set; if it matches, the threat degree is 1; if no match is found, go to step (4). The specific steps are as follows:
3.1) Add the latest status_5 of S_2 in status_sequence_2 to the cache state S″_blacklist/pos_sequence = (status_1, status_2); after the addition, S″_blacklist/pos_sequence = (status_1, status_2, status_5).
3.2) Traverse in turn the rules with the same pos_sequence in the dangerous state sequence set, i.e. U_blacklist/pos_sequence = {B_1}; B_1 has 3 states and S″_blacklist/pos_sequence has 3 states, so go to 3.3).
3.3) Compare B_1 with S_2; they do not match, so continue the traversal and go to 3.4).
3.4) The traversal of U_blacklist/pos_sequence ends; go to step (4).
Step (4), apply the safe state sequence matching mode to the current state sequence; if it matches, the threat degree is 0; if not, go to step (5). The specific process is as follows:
4.1) Add the latest status_5 of S_2 in the current state sequence status_sequence_2 to the cache state S″_whitelist/pos_sequence = (status_1, status_2); the cache state sequence after the addition is S″_whitelist/pos_sequence = (status_1, status_2, status_5).
4.2) Traverse the rules with the same pos_sequence in the safe state sequence set, i.e. U_whitelist/pos_sequence = {W_1, W_2}; first traverse W_1 = {status_1, status_2, status_8}, where W_1 has 3 states and S″_whitelist/pos_sequence has 3 states, so go to 4.3).
4.3) Compare S″_whitelist/pos_sequence with W_1 according to the rule; S″_whitelist/pos_sequence and W_1 are not the same, so continue the traversal.
4.4) Traverse W_2, where W_2 = {status_1, status_2, status_4, status_5} has 4 states and S″_whitelist/pos_sequence = (status_1, status_2, status_5) has 3 states, so go to 4.5).
4.5) init_status is 0 (assumed to be 0); go to 4.6).
4.6) Compare S″_whitelist/pos_sequence with W_2 according to the rule; S″_whitelist/pos_sequence is not a subset of W_2, so the traversal ends; go to step (5).
Step (5), perform similarity matching on the state sequence to obtain the threat degree P_threaten. The specific steps are as follows:
5.1) Find the dangerous state sequence set U_blacklist/pos_sequence = {B_1} and the safe state sequence set U_whitelist/pos_sequence = {W_1, W_2} of the corresponding control block according to pos_sequence.
5.3) Calculate the minimum distance between the current state sequence status_sequence_2 and the dangerous state sequence set U_blacklist/pos_sequence: d_black = 1.
5.5) Calculate the minimum distance between the current state sequence status_sequence and the safe state sequence set U_whitelist/pos_sequence: d_white = 2.
Step (6), compare the calculated threat degree with the preset safety risk threshold; since P_threaten > X_safe, determine that the power grid corresponding to the pos_sequence value in the current state sequence status_sequence is under attack by the power service message.
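As an added illustration that is not part of the patent, the following Python models steps 101 to 104 and the worked example above for one GOOSE control block: state chaining with duplicate suppression, the blacklist and whitelist buffer matching, and the distance fallback. The page's distance and threat-degree formulas did not survive extraction, so the column-wise Euclidean distance and the score d_white / (d_black + d_white) used here are assumptions, as is the binary encoding assumed for status_3 to status_7; the resulting numbers therefore differ from the page's d_black = 1 and d_white = 2.

```python
import math
from dataclasses import dataclass, field

# Constructed sample data following the page's example: one GOOSE dataset with
# three FCDAs.  status_k is taken to be the 3-bit binary encoding of k-1, which
# agrees with the status_1, status_2 and status_8 the page lists (assumption).
POS_SEQUENCE = tuple(
    f"(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.{i})" for i in (1, 2, 3)
)
STATUS = {k: tuple(((k - 1) >> b) & 1 for b in (2, 1, 0)) for k in range(1, 9)}
BLACKLIST = {POS_SEQUENCE: [(STATUS[1], STATUS[3], STATUS[7])]}  # U_blacklist = {B_1}
WHITELIST = {POS_SEQUENCE: [(STATUS[1], STATUS[2], STATUS[8]),  # U_whitelist = {W_1, W_2}
                            (STATUS[1], STATUS[2], STATUS[4], STATUS[5])]}
X_SAFE = 0.25  # preset security risk threshold (the page's default)


@dataclass
class ControlBlock:
    """status_sequence = (S, pos_sequence) of one control block plus match buffers."""
    pos_sequence: tuple
    states: list = field(default_factory=list)  # S' = (status_1, ..., status_n)
    n1: int = 0  # blacklist buffer is states[n1:]; n1 = n-1 after a full match
    n3: int = 0  # whitelist buffer is states[n3:]

    def chain(self, status: tuple) -> bool:
        """Steps 1.3/1.4: append status_n only if it differs from status_{n-1}."""
        if self.states and self.states[-1] == status:
            return False
        self.states.append(status)
        return True

    def match_blacklist(self, rules) -> bool:
        """Step 14 as modelled here: the buffer equals some rule B_i exactly
        (rules shorter than the buffer, step 13 on the page, are not matched)."""
        buf = tuple(self.states[self.n1:])
        for rule in rules:
            if buf == tuple(rule):
                self.n1 = len(self.states) - 1  # keep only the last entry
                return True
        return False

    def match_whitelist(self, rules) -> bool:
        """Steps 24-28 as modelled here: the buffer equals W_i, or is a proper
        prefix of W_i (the block is still moving along a known-safe sequence)."""
        buf = tuple(self.states[self.n3:])
        for rule in rules:
            rule = tuple(rule)
            if buf == rule:
                self.n3 = len(self.states) - 1  # full safe match: restart buffer
                return True
            if len(buf) < len(rule) and rule[: len(buf)] == buf:
                return True
        return False


def euclid(a: tuple, b: tuple) -> float:
    """d(A, B): Euclidean distance between two signal value vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def min_distance(seq, rules) -> float:
    """Assumed distance (the page's formula is missing): column-wise Euclidean
    distances summed over the columns that line up (the rule's prefix when the
    rule is longer, the trailing window of seq when it is shorter), minimised
    over all rules in the set; inf when the set is empty."""
    best = math.inf
    for rule in rules:
        n = min(len(seq), len(rule))
        if n:
            best = min(best, sum(euclid(s, r) for s, r in zip(seq[-n:], rule[:n])))
    return best


def threat_degree(cb: ControlBlock, black, white) -> float:
    """S1-S3: blacklist hit -> 1, whitelist hit -> 0, otherwise the assumed score
    d_white / (d_black + d_white): 1 on a dangerous rule, 0 on a safe one."""
    if cb.match_blacklist(black):
        return 1.0
    if cb.match_whitelist(white):
        return 0.0
    d_black, d_white = min_distance(cb.states, black), min_distance(cb.states, white)
    if math.isinf(d_white) or (d_black == 0 and d_white == 0):
        return 1.0  # nothing safe vouches for this sequence: fail closed
    if math.isinf(d_black):
        return 0.0  # no dangerous rules exist for this control block
    return d_white / (d_black + d_white)


def evaluate(statuses, pos_sequence=POS_SEQUENCE, x_safe=X_SAFE):
    """Feed decoded status vectors of one control block in arrival order; return
    (status, P_threaten, attacked) for each one that changed the state sequence."""
    cb = ControlBlock(pos_sequence)
    black, white = BLACKLIST.get(pos_sequence, []), WHITELIST.get(pos_sequence, [])
    verdicts = []
    for st in statuses:
        if cb.chain(st):  # identical retransmissions end the process (step 1.3)
            p = threat_degree(cb, black, white)
            verdicts.append((st, p, p >= x_safe))
    return verdicts
```

Running evaluate([STATUS[1], STATUS[2], STATUS[5]]) reproduces the page's walk-through: the first two states sit on a whitelist prefix (threat 0), and status_5 matches neither set, so the distance fallback scores it above X_safe and flags an attack.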
Fig. 4 is a schematic structural diagram of a power service packet attack recognition system 400 based on service logic according to an embodiment of the present invention. As shown in fig. 4, an electric power service packet attack recognition system 400 based on service logic provided in an embodiment of the present invention includes: a current state sequence determining unit 401, a dangerous state sequence set and safe state sequence set determining unit 402, a threat degree determining unit 403 and a power service message attack identifying unit 404.
Preferably, the current state sequence determining unit 401 is configured to obtain a multipoint signal value sequence and a multipoint signal address sequence of a current state node from an electrical service packet, determine a control block corresponding to the current state node according to the multipoint signal address sequence, add the multipoint signal value sequence to the state sequence of the control block, and obtain the current state sequence.
Preferably, the dangerous state sequence set and the safety state sequence set determining unit 402 is configured to determine a dangerous state sequence set and a safety state sequence set corresponding to the current state sequence according to the multi-point signal address sequence of the current state sequence.
Preferably, the threat degree determining unit 403 is configured to determine the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set, and the safe state sequence set.
Preferably, the threat degree determination unit 403 includes: a dangerous state sequence set matching module and a safe state sequence set matching module.
And the dangerous state sequence set matching module is used for matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1.
The safety state sequence set matching module is configured to match the current state sequence with the safety state sequence set if the current state sequence is unsuccessfully matched with the dangerous state sequence set, and determine that the threat degree of the current state sequence is 0 if the current state sequence is successfully matched with the safety state sequence set.
Preferably, the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set, including:
Step 11: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state sequence, where n1 has an initial value of 0, and record the buffer after the addition.
Step 12: traverse in sequence all the rules in the dangerous state sequence set; if n2 > n−n1 and i ≠ t, continue traversing; if n2 > n−n1 and i = t, the matching ends, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n−n1, go to step 13; otherwise, go to step 14;
Step 14: judge whether the buffer state sequence is the same as B_i; if the same, retain only the last entry of the buffer, set n1 = n−1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly determine that the threat degree of the current state sequence is 1; otherwise, go back to step 12 to continue the traversal.
Preferably, the security state sequence set matching module, which matches the current state sequence with the security state sequence set, comprises:
Step 21: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state sequence, where n3 has an initial value of 0, and record the buffer after the addition.
Step 22: traverse in sequence all the rules in the safe state sequence set; if n4 > n−n3 and i ≠ e, go to step 26; if n4 > n−n3 and i = e, the matching fails and the traversal ends; if n4 < n−n3, go to step 23; otherwise, go to step 24;
Step 24: judge whether the buffer state sequence is the same as W_i; if not the same, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: retain only the last entry of the buffer, then set n3 = n−1, set init_status = 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; the initial value of init_status is 0, and it indicates whether a complete safe state sequence match has been performed;
Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;
Step 27: init_status is 0; judge whether the buffer state sequence matches W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether the buffer state sequence is the same as the first n−n1 items of W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
Preferably, the threat degree determination unit 403 further includes: a first minimum distance and second minimum distance determination module and a threat degree determination module.
The first and second minimum distance determination modules are configured to calculate a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively.
The threat degree determination module is used for calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
Preferably, the first and second minimum distance determination modules calculate the first minimum distance of the current state sequence from the set of dangerous state sequences by:
where d_black is the first minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the dangerous state sequence set is as defined above. For each B_i in the set, if the condition is not met then the first case applies, otherwise the second. Here column_{S′} denotes the number of columns of the matrix S′, B_i(status_value) denotes the status_value in the state sequence B_i, B_i(status_value)[0, …, column_{S′}−1] denotes columns 0 to column_{S′}−1 of the B_i(status_value) matrix, the i-th column of that matrix is denoted accordingly, and the function d(A, B) denotes the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); d_black is then obtained as given.
Preferably, the first minimum distance and second minimum distance determining module calculates the second minimum distance between the current state sequence and the set of security state sequences by:
where d_white is the second minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now), S′ = (status_1, status_2, …, status_n); the safe state sequence set is as defined above. For each W_i in the set, if the condition is not met then the first case applies, otherwise the second. Here column_{S′} denotes the number of columns of the matrix S′, W_i(status_value) denotes the status_value in the state sequence W_i, W_i(status_value)[0, …, column_{S′}−1] denotes columns 0 to column_{S′}−1 of the W_i(status_value) matrix, the i-th column of that matrix is denoted accordingly, and the function d(A, B) denotes the Euclidean distance between the row vectors A = (x_1, x_2, …, x_n) and B = (y_1, y_2, …, y_n); d_white is then obtained as given.
Preferably, the threat degree determination module calculates the threat degree of the current state sequence according to the first minimum distance and the second minimum distance, and includes:
where P_threaten is the threat degree of the current state sequence; d_black is the first minimum distance; d_white is the second minimum distance.
Preferably, the electric power service packet attack recognition unit 404 is configured to compare the threat level of the current state sequence with a preset security risk threshold, and determine that the power grid is attacked by the electric power service packet when the threat level of the current state sequence is greater than or equal to the preset security risk threshold.
Preferably, the power service packet attack recognition unit 404 is further configured to: and if the threat degree of the current state sequence is smaller than a preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
The power service message attack recognition system 400 based on service logic according to the embodiment of the present invention corresponds to the power service message attack recognition method 100 based on service logic according to another embodiment of the present invention, and is not described herein again.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the [ device, component, etc ]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (14)
1. A method for identifying electric power service message attack based on service logic is characterized by comprising the following steps:
acquiring a multipoint signal value sequence and a multipoint signal address sequence of a current state node from a power service message, determining a control block corresponding to the current state node according to the multipoint signal address sequence, and adding the multipoint signal value sequence to the state sequence of the control block to acquire the current state sequence;
respectively determining a dangerous state sequence set and a safe state sequence set corresponding to the current state sequence according to the multipoint signal address sequence of the current state sequence;
determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;
and comparing the threat degree of the current state sequence with a preset safety risk threshold, and determining that the power grid is attacked by the power service message when the threat degree of the current state sequence is greater than or equal to the preset safety risk threshold.
2. The method of claim 1, wherein determining the threat level of the current state sequence from the current state sequence, a dangerous state sequence set, and a safe state sequence set comprises:
matching the current state sequence with the dangerous state sequence set, and if the current state sequence is successfully matched with the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;
and if the current state sequence is unsuccessfully matched with the dangerous state sequence set, matching the current state sequence with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, determining that the threat degree of the current state sequence is 0.
3. The method of claim 1 or 2, wherein determining the threat level of the current state sequence from the current state sequence, the dangerous state sequence set, and the safe state sequence set comprises:
calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
and calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.
4. The method of claim 3, wherein computing the threat level of the current state sequence based on the first minimum distance and the second minimum distance comprises:
where P_threaten is the threat degree of the current state sequence; d_black is the first minimum distance; d_white is the second minimum distance.
5. The method of claim 2, wherein matching the current state sequence with the set of dangerous state sequences comprises:
Step 11: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state sequence, where n1 has an initial value of 0, and record the buffer after the addition.
Step 12: traverse in sequence all the rules in the dangerous state sequence set; if n2 > n−n1 and i ≠ t, continue traversing; if n2 > n−n1 and i = t, the matching ends, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n−n1, go to step 13; otherwise, go to step 14;
Step 14: judge whether the buffer state sequence is the same as B_i; if the same, retain only the last entry of the buffer, set n1 = n−1, determine that the current state sequence is successfully matched with the dangerous state sequence set, and directly determine that the threat degree of the current state sequence is 1; otherwise, go back to step 12 to continue the traversal.
6. The method of claim 2, wherein matching the current state sequence with the set of security state sequences comprises:
Step 21: add the last multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the buffer state sequence, where n3 has an initial value of 0, and record the buffer after the addition.
Step 22: traverse in sequence all the rules in the safe state sequence set; if n4 > n−n3 and i ≠ e, go to step 26; if n4 > n−n3 and i = e, the matching fails and the traversal ends; if n4 < n−n3, go to step 23; otherwise, go to step 24;
Step 24: judge whether the buffer state sequence is the same as W_i; if not the same, return to step 22 and continue traversing; otherwise, go to step 25;
Step 25: retain only the last entry of the buffer, then set n3 = n−1, set init_status = 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; the initial value of init_status is 0, and it indicates whether a complete safe state sequence match has been performed;
Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;
Step 27: init_status is 0; judge whether the buffer state sequence matches W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;
Step 28: judge whether the buffer state sequence is the same as the first n−n1 items of W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.
7. The method of claim 1, further comprising:
if the threat degree of the current state sequence is smaller than the preset safety risk threshold value, determining that the power grid is not attacked by the power service message.
8. A power service message attack recognition system based on service logic is characterized in that the system comprises:
a current state sequence determining unit, configured to obtain a multipoint signal value sequence and a multipoint signal address sequence of the current state node from a power service message, determine the control block corresponding to the current state node according to the multipoint signal address sequence, add the multipoint signal value sequence to the state sequence of that control block, and obtain the current state sequence;
a dangerous state sequence set and safety state sequence set determining unit, configured to determine a dangerous state sequence set and a safety state sequence set corresponding to the current state sequence according to the multi-point signal address sequence of the current state sequence;
the threat degree determining unit is used for determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;
a power service message attack identification unit, configured to compare the threat degree of the current state sequence with a preset safety risk threshold value, and to determine that the power grid is attacked by the power service message when the threat degree of the current state sequence is greater than or equal to the preset safety risk threshold value.
9. The system of claim 8, wherein the threat level determination unit determines the threat level of the current state sequence from the current state sequence, the dangerous state sequence set, and the safe state sequence set, and comprises:
a dangerous state sequence set matching module, configured to match the current state sequence with the dangerous state sequence set and, if the current state sequence is successfully matched with the dangerous state sequence set, determine that the threat degree of the current state sequence is 1;
a safe state sequence set matching module, configured to match the current state sequence with the safe state sequence set if the current state sequence is not successfully matched with the dangerous state sequence set and, if the current state sequence is successfully matched with the safe state sequence set, determine that the threat degree of the current state sequence is 0.
10. The system according to claim 8 or 9, wherein the threat level determination unit determines the threat level of the current state sequence from the current state sequence, the dangerous state sequence set, and the safe state sequence set, and comprises:
a first minimum distance and a second minimum distance determination module for calculating a first minimum distance between the current state sequence and the set of dangerous state sequences and a second minimum distance between the current state sequence and the set of safe state sequences, respectively;
a threat degree determining module, configured to calculate the threat degree of the current state sequence from the first minimum distance and the second minimum distance.
11. The system of claim 10, wherein the threat level determination module calculates the threat level of the current state sequence based on the first minimum distance and the second minimum distance, comprising:
wherein P_threaten is the threat degree of the current state sequence; d_black is the first minimum distance; d_white is the second minimum distance.
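The distance-based threat degree of claims 10 and 11, as an added example that is not code from the patent: a state sequence is a list of multipoint signal value vectors (one per message) and each rule set is a list of such sequences. The claims name a minimum distance but not the metric, and the formula of claim 11 did not survive on this page, so the Levenshtein distance over whole value vectors, the mapping threat = d_white / (d_black + d_white) (1 when d_black is 0, 0 when d_white is 0, the dangerous set taking precedence as in claim 9), and the rule sequences over a breaker position and a protection trip signal are all assumptions of the example.

```python
"""Distance-based threat degree (claims 10 and 11 of the page).

Added example, not the patent's code.  Assumed: Levenshtein distance over
whole value vectors as the "minimum distance" metric, and
threat = d_white / (d_black + d_white) as the mapping of claim 11.
"""
from typing import List, Sequence, Tuple

State = Tuple[int, ...]       # one multipoint signal value sequence (one message)
StateSeq = Sequence[State]    # a state sequence: successive value vectors


def seq_distance(a: StateSeq, b: StateSeq) -> int:
    """Levenshtein distance between two state sequences; a whole value vector
    is one symbol, so one changed point value costs one substitution."""
    prev = list(range(len(b) + 1))
    for i, sa in enumerate(a, 1):
        cur = [i]
        for j, sb in enumerate(b, 1):
            cost = 0 if sa == sb else 1
            cur.append(min(prev[j] + 1,          # delete sa
                           cur[j - 1] + 1,       # insert sb
                           prev[j - 1] + cost))  # keep or substitute
        prev = cur
    return prev[-1]


def min_distance(seq: StateSeq, rules: Sequence[StateSeq]) -> int:
    """Claim 10: distance from the current sequence to the nearest rule."""
    if not rules:
        raise ValueError("empty rule set: no distance is defined")
    return min(seq_distance(seq, r) for r in rules)


def threat_degree(seq: StateSeq, dangerous: Sequence[StateSeq],
                  safe: Sequence[StateSeq]) -> float:
    """P_threaten from d_black and d_white (assumed mapping, see docstring)."""
    d_black = min_distance(seq, dangerous)
    d_white = min_distance(seq, safe)
    if d_black == 0:           # exact dangerous match wins, as in claim 9
        return 1.0
    if d_white == 0:           # exact safe match
        return 0.0
    return d_white / (d_black + d_white)


# Constructed rule sets over the value vector (breaker Pos, protection Tr):
# Pos 1/0 = closed/open, Tr 1/0 = trip asserted/cleared.  Not from the patent.
DANGEROUS_RULES: List[List[State]] = [[(1, 0), (0, 0)]]             # opens with no trip
SAFE_RULES: List[List[State]] = [[(1, 0), (1, 1), (0, 1), (0, 0)]]  # trip, open, trip resets


if __name__ == "__main__":
    for seq in ([(1, 0), (0, 0)], SAFE_RULES[0], [(1, 0), (1, 1), (0, 0)], [(0, 0), (0, 0)]):
        print(seq, "->", round(threat_degree(seq, DANGEROUS_RULES, SAFE_RULES), 3))
```

A sequence that is an exact dangerous rule scores 1.0, an exact safe rule 0.0; a sequence one edit away from both scores 0.5, and one that sits one edit from the dangerous rule but three from the safe rule scores 0.75, which is the behaviour a threshold of 0.5 would then act on.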
12. The system of claim 10, wherein the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set, comprising:
Step 11, add the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) to a buffer, where n1 has an initial value of 0;
Step 12, traverse all rules in the dangerous state sequence set in order; if n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching ends, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, go to step 13; otherwise, go to step 14;
Step 14, judge whether the buffer is the same as B_i; if it is the same, only the last entry of the buffer is retained, n1 is set to n-1, it is determined that the current state sequence is successfully matched with the dangerous state sequence set, and the threat degree of the current state sequence is directly determined to be 1; otherwise, return to step 12 and continue the traversal.
13. The system of claim 10, wherein the safe state sequence set matching module matches the current state sequence with the safe state sequence set, comprising:
Step 21, add the last multipoint signal value sequence status_n of S' = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S', pos_sequence_now) to a buffer, where n3 has an initial value of 0;
Step 22, traverse all rules in the safe state sequence set in order; if n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching has failed and the traversal ends; if n4 < n-n3, go to step 23; otherwise, go to step 24;
Step 24, judge whether the buffer is the same as W_i; if not, return to step 22 and continue the traversal; otherwise, go to step 25;
Step 25, retain only the last entry of the buffer, set n3 to n-1, set init_status to 1, determine that the current state sequence is successfully matched with the safe state sequence set, and directly determine that the threat degree of the current state sequence is 0; where init_status has an initial value of 0 and identifies whether a complete safe state sequence match has already been performed;
Step 26, if init_status is 0, go to step 27; otherwise, go to step 28;
Step 27, init_status is 0: judge whether the buffer matches W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22;
Step 28, judge whether the buffer is the same as the first n-n1 items of W_i; if so, determine that the current state sequence is successfully matched with the safe state sequence set and directly determine that the threat degree of the current state sequence is 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22.
14. The system of claim 8, wherein the power service message attack identification unit is further configured to:
if the threat degree of the current state sequence is smaller than the preset safety risk threshold value, determine that the power grid is not attacked by the power service message.
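The service-logic pipeline of claims 8 and 9 with the buffered matching of claims 12 and 13, as an added example that is not code from the patent. Messages are constructed dicts modelled on GOOSE-style control blocks (an assumption: the claims say only "control block", "multipoint signal address sequence" and "multipoint signal value sequence"); the point addresses and rule sequences are hypothetical. Steps 13 and 23 are absent from the page, so a rule shorter than the retained buffer is compared against the buffer's suffix, which is an assumption; the equal-length comparison (steps 14 and 24), the prefix check that treats the buffer as an unfinished safe sequence when a safe rule is longer than it (steps 27 and 28), and retaining only the last buffer entry after a complete match (steps 14 and 25) follow the visible claims.

```python
"""Service-logic matching of claims 8, 9, 12 and 13 (added example, not the
patent's code).

Assumptions: messages are constructed dicts modelled on GOOSE-style control
blocks; steps 13 and 23 are absent from the page, so a rule shorter than the
retained buffer is compared against the buffer's suffix; addresses and rule
sequences are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

Addrs = Tuple[str, ...]   # multipoint signal address sequence: identifies the control block
State = Tuple[int, ...]   # multipoint signal value sequence of one message
Rule = List[State]

# Constructed rules over (breaker Pos, protection Tr): Pos 1/0 = closed/open,
# Tr 1/0 = trip asserted/cleared.  The addresses are hypothetical.
ADDRS: Addrs = ("XCBR1.Pos.stVal", "PTRC1.Tr.general")
DANGEROUS: Dict[Addrs, List[Rule]] = {ADDRS: [[(1, 0), (0, 0)]]}              # opens with no trip
SAFE: Dict[Addrs, List[Rule]] = {ADDRS: [[(1, 0), (1, 1), (0, 1), (0, 0)]]}   # trip, open, reset


def rule_hit(buf: List[State], rule: Rule, allow_prefix: bool) -> Optional[str]:
    """Compare the retained buffer with one rule.

    "full": complete match (steps 14 / 24; suffix match for shorter rules is the
    assumed step 13 / 23).  "prefix": the buffer is the unfinished start of a
    longer safe rule (steps 27 / 28).  None: no hit."""
    n_buf, n_rule = len(buf), len(rule)
    if n_rule == n_buf:
        return "full" if buf == rule else None
    if n_rule > n_buf:
        return "prefix" if allow_prefix and buf == rule[:n_buf] else None
    return "full" if buf[-n_rule:] == rule else None   # assumption for steps 13 / 23


def first_hit(buf: List[State], rules: Sequence[Rule], allow_prefix: bool) -> Optional[str]:
    """Traverse the rule set in order and report the first hit (steps 12 / 22)."""
    for rule in rules:
        hit = rule_hit(buf, rule, allow_prefix)
        if hit:
            return hit
    return None


class ServiceLogicDetector:
    """Claim 8 pipeline: per control block state sequence, rule matching, threshold.

    threat is 1 (dangerous hit), 0 (safe hit) or None (no rule hit, where the
    page's distance path of claim 10 would take over)."""

    def __init__(self, dangerous: Dict[Addrs, List[Rule]], safe: Dict[Addrs, List[Rule]],
                 threshold: float = 0.5) -> None:
        self.dangerous, self.safe, self.threshold = dangerous, safe, threshold
        self.buffers: Dict[Addrs, List[State]] = defaultdict(list)

    def feed(self, msg: dict) -> Tuple[Optional[int], bool]:
        addrs, values = tuple(msg["addresses"]), tuple(msg["values"])
        if len(addrs) != len(values):
            raise ValueError("address and value sequences differ in length")
        buf = self.buffers[addrs]          # control block selected by its address sequence
        buf.append(values)                 # the current state sequence
        threat: Optional[int] = None
        hit = first_hit(buf, self.dangerous.get(addrs, []), allow_prefix=False)
        if hit:
            threat = 1                     # claim 9: the dangerous set is checked first
        else:
            hit = first_hit(buf, self.safe.get(addrs, []), allow_prefix=True)
            if hit:
                threat = 0
        if hit == "full":
            del buf[:-1]                   # steps 14 / 25: only the last entry is retained
        attacked = threat is not None and threat >= self.threshold
        return threat, attacked


def run(msgs: Sequence[dict]) -> List[Tuple[Optional[int], bool]]:
    """Feed a constructed message stream to a fresh detector; collect verdicts."""
    det = ServiceLogicDetector(DANGEROUS, SAFE)
    return [det.feed(m) for m in msgs]


# Constructed message streams, not captured traffic.
LEGITIMATE_TRIP = [{"addresses": ADDRS, "values": v} for v in ((1, 0), (1, 1), (0, 1), (0, 0))]
FORGED_OPEN = [{"addresses": ADDRS, "values": v} for v in ((1, 0), (0, 0))]
OTHER_BLOCK = [{"addresses": ("MMXU1.A.phsA",), "values": (118,)}]   # block with no rules

if __name__ == "__main__":
    for name, stream in (("legitimate", LEGITIMATE_TRIP), ("forged", FORGED_OPEN), ("other", OTHER_BLOCK)):
        print(name, run(stream))
```

The legitimate stream is scored 0 at every message because the buffer is always a prefix of, and finally equal to, the safe rule; the forged stream is scored 0 after its first message (a prefix of the safe rule) and 1 once the breaker opens with no trip, which crosses the threshold. A message for a control block with no rule sets returns None, the case in which the page's distance-based claim 10 path would apply rather than a fixed 0 or 1.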
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910871501.XA CN110751570A (en) | 2019-09-16 | 2019-09-16 | Power service message attack identification method and system based on service logic |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910871501.XA CN110751570A (en) | 2019-09-16 | 2019-09-16 | Power service message attack identification method and system based on service logic |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110751570A true CN110751570A (en) | 2020-02-04 |
Family
ID=69276463
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910871501.XA Pending CN110751570A (en) | 2019-09-16 | 2019-09-16 | Power service message attack identification method and system based on service logic |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110751570A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112615808A (en) * | 2020-10-27 | 2021-04-06 | 国网浙江省电力有限公司绍兴供电公司 | Method, device and equipment for representing white list of process layer messages of intelligent substation |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030236995A1 (en) * | 2002-06-21 | 2003-12-25 | Fretwell Lyman Jefferson | Method and apparatus for facilitating detection of network intrusion |
CN106790313A (en) * | 2017-03-31 | 2017-05-31 | 杭州迪普科技股份有限公司 | Intrusion prevention method and device |
CN108092948A (en) * | 2016-11-23 | 2018-05-29 | 中国移动通信集团湖北有限公司 | Network attack pattern recognition method and device |
CN109246027A (en) * | 2018-09-19 | 2019-01-18 | 腾讯科技(深圳)有限公司 | Network operation method, apparatus and terminal device |
CN109586282A (en) * | 2018-11-29 | 2019-04-05 | 安徽继远软件有限公司 | Power grid unknown threat detection system and method |
CN109787960A (en) * | 2018-12-19 | 2019-05-21 | 中国平安人寿保险股份有限公司 | Abnormal flow data identification method, device, medium and electronic equipment |
- 2019-09-16: CN application CN201910871501.XA filed (published as CN110751570A); status: Pending
Non-Patent Citations (1)
Title |
---|
伊恩泽 et al.: "Android智能终端二维码安全检测系统的设计与实现" (Design and implementation of a QR code security detection system for Android smart terminals), 《电脑知识与技术》 (Computer Knowledge and Technology), vol. 13, no. 08 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109962891B (en) | Method, device and equipment for monitoring cloud security and computer storage medium | |
US9870470B2 (en) | Method and apparatus for detecting a multi-stage event | |
CN108737410B (en) | Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association | |
WO2016082284A1 (en) | Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-profile model | |
CN104901971B (en) | The method and apparatus that safety analysis is carried out to network behavior | |
Parthasarathy et al. | Bloom filter based intrusion detection for smart grid SCADA | |
Sayegh et al. | SCADA intrusion detection system based on temporal behavior of frequent patterns | |
CN111600880A (en) | Method, system, storage medium and terminal for detecting abnormal access behavior | |
EP1776823A1 (en) | Anomaly-based intrusion detection | |
CN109274692B (en) | Method and device for identifying malicious nodes of block chain network | |
CN112769833B (en) | Method and device for detecting command injection attack, computer equipment and storage medium | |
CN112839017B (en) | Network attack detection method and device, equipment and storage medium thereof | |
CN113722748A (en) | Equipment information acquisition method based on block chain and general industrial identification | |
CN103139219B (en) | Based on the attack detection method of the Spanning-Tree Protocol of credible switchboard | |
CN110751570A (en) | Power service message attack identification method and system based on service logic | |
CN113839925A (en) | IPv6 network intrusion detection method and system based on data mining technology | |
CN111935085A (en) | Method and system for detecting and protecting abnormal network behaviors of industrial control network | |
CN109729084B (en) | Network security event detection method based on block chain technology | |
CN112448949A (en) | Computer network monitoring system | |
CN110881016B (en) | Network security threat assessment method and device | |
Schuster et al. | Attack and fault detection in process control communication using unsupervised machine learning | |
CN114205816B (en) | Electric power mobile internet of things information security architecture and application method thereof | |
CN115883169A (en) | Industrial control network attack message response method and response system based on honeypot system | |
CN107800706A (en) | A kind of network attack dynamic monitoring method based on Gaussian distribution model | |
CN113794742A (en) | High-precision detection method for FDIA of power system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||