CN110995741B - Aurora attack detection system and method based on power grid switch communication data - Google Patents

Aurora attack detection system and method based on power grid switch communication data

Info

Publication number
CN110995741B
CN110995741B (application CN201911298074.7A; earlier publication CN110995741A)
Authority
CN
China
Prior art keywords
message
communication data
data packet
switch
packet
Prior art date
Legal status
Active
Application number
CN201911298074.7A
Other languages
Chinese (zh)
Other versions
CN110995741A (en)
Inventor
胡子珩
章彬
汪伟
徐文渊
冀晓宇
何睿文
Current Assignee
Shenzhen Power Supply Co ltd
Zhejiang University ZJU
Original Assignee
Shenzhen Power Supply Co ltd
Zhejiang University ZJU
Application filed by Shenzhen Power Supply Co ltd and Zhejiang University ZJU
Priority to CN201911298074.7A
Publication of CN110995741A
Application granted
Publication of CN110995741B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H02GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02JCIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J3/00Circuit arrangements for ac mains or ac distribution networks
    • H02J3/38Arrangements for parallely feeding a single network by two or more generators, converters or transformers
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02EREDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E40/00Technologies for an efficient electrical power generation, transmission or distribution
    • Y02E40/70Smart grids as climate change mitigation technology in the energy generation sector
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00Systems supporting electrical power generation, transmission or distribution
    • Y04S10/12Monitoring or controlling equipment for energy generation units, e.g. distributed energy generation [DER] or load-side generation
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

A system and method for detecting Aurora attacks based on power grid switch communication data, in the technical field of smart grid information and equipment security. The system comprises switch equipment, a communication controller, a switch/hub, a power monitoring system and a packet capturing host; the packet capturing host captures the communication packets exchanged between the switch equipment and the power monitoring system and performs Aurora attack detection on them. The method comprises: step S01, capturing communication packets between the switch equipment and the power monitoring system during a period in which no attack or abnormal event occurs; step S02, parsing the packets of step S01 to generate a message rule base; step S03, capturing communication packets between the switch equipment and the power monitoring system in real time; and step S04, parsing the packets of step S03, matching the parsed packets against the rules of the message rule base, and issuing an Aurora attack warning when a parsed packet does not match the main rule. The invention uses a non-intrusive detection method and thereby effectively protects the safety of the three-phase rotating equipment and the stability of the power grid.

Description

Aurora attack detection system and method based on power grid switch communication data
Technical Field
The invention belongs to the technical field of smart grid information and equipment security, and in particular relates to a system and method for detecting Aurora attacks based on power grid switch communication data.
Background
An Aurora attack is an attack that destroys the three-phase rotating physical equipment of a power grid by rapidly opening and closing a grid switching component. The attack can be carried out by tampering with the switching component's communication signals, by tampering with the control system's commands at the remote end, by tampering with the program running locally on the switching component, or by injecting erroneous commands into the switching component from nearby; in each case the switch is opened and closed rapidly at an interval shorter than the response delay of the protection relay. Relays used in electrical networks operate with a deliberately configured time delay so that protective actions are not triggered during system transients, which would otherwise cause unnecessary tripping of power components. That delay means no protective action is performed within a short time window, and switching the state of the grid switching component back and forth within this window does not trigger the protection relay.
When the switching component opens, the three-phase rotating physical equipment (a generator is taken as the example; the category also includes synchronous induction motors) is isolated from the grid. Because the governor acts slowly, the mechanical input power of the generator changes slowly; after the switch opens, supply at the generator end exceeds demand, the generator frequency rises, and a frequency difference between the grid and the generator results. After the switch has been opened and closed rapidly for some time, the frequency difference accumulates to a certain degree, so that when the switch closes again the generator is reconnected out of synchronism. After reconnection the generator is forcibly pulled back into synchronism by the main grid frequency, and the resulting torque readily exceeds the generator's mechanical limits; internal components rebound and vibrate until parts of the generator structure loosen and fall off or are torn away from the whole, physically damaging the generator set. Loads connected to the rotating equipment, such as water pumps and gearboxes, may also be damaged. For example, the Aurora Generator Test conducted at Idaho National Laboratory in 2007 ultimately destroyed a diesel generator worth 400,000 dollars: the rated capacity of its single-phase winding fell to 30%, it was assessed as severely damaged, unusable and irreparable, and it was finally disposed of as scrap.
The three-phase rotating equipment can thus be damaged by controlling the switching equipment between it and the main grid, and once a communication link of the power system has been penetrated or the control system has been compromised over the network, an attacker can easily control the connecting switches and relays of each line and bus. Once the synchronising relay is under the attacker's control, rapidly opening and closing the switching equipment triggers neither a system alarm nor a relay action, and the attack can proceed covertly until video surveillance or an attendant notices the abnormal physical state of the rotating equipment. By then several rotating machines may have been damaged, causing large economic losses, a short-term imbalance between supply and demand on the grid, loss of grid stability and large-scale blackouts.
Existing defences against the Aurora attack fall into three categories: first, installing Aurora mitigation equipment, including adding a reclosing supervision relay or a synchronising relay; second, modifying the control logic and function of the protection relay, including increasing the circuit breaker's operating delay, supervising circuit breaker commands and using an islanding detection algorithm in the relay; and third, improving the generator protection logic, including wide-area synchronised multi-node frequency measurement to monitor changes in generator frequency.
At present the most widely used method is to add a synchronising relay as the Aurora mitigation device: a synchronising relay is installed at the grid connection point of each three-phase rotating machine and checks the frequency difference between the machine and the main grid to prevent asynchronous reclosing. The technology company, da, ran the synchronising relay through multiple operating scenarios, including whether it responds safely under typical power system transients (such as faults, power swings and load switching), and the tests showed that the synchronising relay cannot respond reliably to an Aurora attack. Geovis et al. questioned this test result on 4 September 2013 in the "latest aurora attack information" post of the free tribe grid (Unfettered bloom), which concerns all power users with three-phase rotating equipment, pointing out that the Aurora mitigation device targets asynchronous faults at higher frequencies while the experimental setting used in the test was the North American grid standard frequency range of 59-61 Hz. In addition, adding mitigation equipment such as synchronising relays and reclosing supervision relays requires new hardware, and by the principle of the Aurora attack every three-phase rotating unit or every grid connection node needs its own new relay, which greatly increases the cost of defence. To prevent a network attack from affecting the Aurora mitigation equipment at the same time, the mitigation equipment must be operated offline, use a password different from that of the main relay, and be installed in a physically isolated secure location.
Mark Zeller et al., in "Myth or reality: does the Aurora attack really pose a risk to my generator", presented at the 64th IEEE protective relay engineering conference in 2011 and the 26th Western protective relay conference in 2009, proposed changing the operating algorithm of the protection relay or circuit breaker to reduce the Aurora attack threat using existing technology, including increasing the circuit breaker's operating delay, having the protection relay supervise the circuit breaker, and using an islanding detection algorithm in the relay. The circuit breaker operating delay, for example, delays the breaker's switch control before it acts, so that no time window is offered to the Aurora attack. The delay can be implemented directly in the protection relay's program, or by installing a simple delay relay in the breaker's closing circuit, so the cost is low. In this kind of defence, however, the protection mechanism lives in the original protection relay or circuit breaker, so when an attacker attacks the remote control system and takes control of or tampers with the relay's operating program, the method cannot resist the Aurora attack.
In 2015 General Electric of the United States published "Aurora vulnerability mitigation using UR technology" in GE Digital Energy, proposing that a rate-of-change-of-frequency (ROCOF) element be used in generator protection to monitor changes in generator frequency, and that islanding detection logic be used to determine whether the generator set is in an island state, so as to detect an Aurora attack. This method, however, is only effective while the other frequency-detection elements in the generator protection relay are intact, and may fail when an attacker controls the protection relay through a network attack or when the generator has been damaged.
In addition, all methods proposed so far are intrusive detection or defence methods: equipment involved in the normal operation of the power system must be changed or added, which requires comprehensive and detailed tests of protection capability and performance to ensure that after the change no original function is lost or adversely affected, that the protection function is provided, that no unknown new function is introduced, and that the power system keeps operating stably. Using a synchronising relay as the Aurora mitigation device remains controversial, and although recent research shows that it poses no risk to grid operation under laboratory conditions, the U.S. Department of Defense's Aurora mitigation plan chose only to monitor the operating condition and performance of the mitigation device under real plant conditions, in a monitoring role rather than as part of grid protection, so as to avoid unnecessary impact on the normal operation of the grid.
Invention patent application CN201110347686.8 discloses a device and method for monitoring the switching state of a power grid over a 3G communication network: a network camera is installed beside a 10 kV distribution terminal switching device and connected to an intelligent interrupt controller; the camera connects over wireless network signals to the intelligent interrupt controller circuit and a wireless router, and the router connects to a communication front-end processor, which in turn connects to a database, a server, a workstation and a human-machine interface circuit. Adding a video monitoring device at the distribution line terminal allows the state of the field switching device to be monitored in real time from the back end, and an obvious field disconnection point can be seen from the back end when a de-energised line is worked on. However, this method cannot accurately detect an Aurora attack.
Disclosure of Invention
To address these problems in the prior art, the invention provides an Aurora attack detection method based on power grid switch communication data that can effectively detect Aurora attacks carried out by attacking the remote end of an industrial control system to send commands, or by penetrating a communication link and tampering with communication signals at the network layer, and then raise an alarm, so that the attack is discovered in time, its scope is narrowed and the likelihood of equipment damage is reduced.
The invention is realised by the following technical scheme:
the invention provides an Aurora attack detection system based on power grid switch communication data, comprising switch equipment, a communication controller, a switch/hub, a power monitoring system and a packet capturing host. The switch equipment is connected to the communication controller; the communication controller is connected to the switch equipment on one side and to the switch/hub on the other; and the switch/hub is connected to both the power monitoring system and the packet capturing host. The packet capturing host runs offline at a physically secure location, captures the communication packets flowing through the switch/hub between the switch equipment and the power monitoring system connected to it, and performs Aurora attack detection; it also forwards the communication packets to the power monitoring system.
The system of the invention does not change or add to the normal operating equipment of the grid; it adds only one packet capturing host, placed at the switch/hub of the communication node, which captures packets and performs Aurora attack detection, thereby preventing the attack from spreading in scale or deepening in degree.
Preferably, the packet capturing host device is in one-way communication with the communication controller, and the communication controller sends a communication data packet to the packet capturing host device.
Preferably, the communication controller and the power monitoring system communicate with each other via the switch/hub via an ethernet Modbus-TCP protocol.
An Aurora attack detection method based on power grid switch communication data is applied at the packet capturing host side of the above Aurora attack detection system; the method comprises the following steps:
step S01, capturing communication packets between the switch equipment and the power monitoring system during a period in which no attack or abnormal event occurs;
step S02, parsing the communication packets of step S01 to generate a message rule base; the message rule base comprises a main rule, used to judge the periodicity and interval of packets, and secondary rules, used to judge the message length, the request/response time interval and the reasonableness of equipment authority;
step S03, capturing communication packets between the switch equipment and the power monitoring system in real time;
and step S04, parsing the communication packets of step S03, matching the parsed packets against the rules of the message rule base, and issuing an Aurora attack warning when a parsed packet does not match the main rule.
The invention selects a non-intrusive detection method that targets the most basic characteristic exhibited by an Aurora attack launched by tampering with commands from the remote end; it detects the attack and raises an alarm, which prevents the attack from spreading in scale or deepening in degree and effectively protects the safety of the three-phase rotating equipment and the stability of the grid.
Preferably, the step S02 specifically includes:
step S21, resolving the communication data packet address and port in step S01;
step S22, analyzing the message header and the message content of the communication data packet in the step S01; the analysis content of the message header comprises a timestamp of the message, the length of the message, identification codes of a message sender and a message receiver and an identifier of the message; the analysis content of the message content comprises a function code, a message operation object and related data;
in the step of S23,
determining the periodicity and the interval of each service message according to the timestamp, the message length, the function code, the message operation object and the related data of the message, and taking the determined periodicity and the determined interval as main rules;
forming a message length query table according to the message length, the function code and the operation object equipment type, and taking the message length query table as a first secondary rule;
forming a message master station action instruction and a slave station response time difference range query table according to the timestamp of the message, the identifier of the message and the function code, and taking the time difference range query table as a second secondary rule;
and forming an equipment authority query table according to the identification codes, the function codes, the operation objects and the related data of the message sender and the message receiver, and taking the equipment authority query table as a third secondary rule.
Preferably, a preliminary screening step for suspicious events is further included between step S03 and step S04:
when at least one of the following conditions is met, namely hardware equipment illegally accessing the communication data exists, the identity information of an accessor is illegal, or illegal software accesses the communication data, sending an Aurora attack general warning to the power monitoring system.
Preferably, step S04 specifically includes: parsing the communication packets of step S03 and matching them against the message rule base; when only the main rule is not matched, sending an Aurora attack important warning to the power monitoring system; when the main rule and at least one secondary rule are not matched, sending an Aurora attack serious warning to the power monitoring system, triggering the on-site alarm at the same time, and notifying staff through video surveillance and other means.
Preferably, the process of parsing the communication packet in step S03 in step S04 includes:
step S41, resolving the communication data packet address and port in step S03;
step S42, analyzing the message header and the message content of the communication data packet in the step S03; the analysis content of the message header comprises a timestamp of the message, the length of the message, and identification codes of a message sender and a message receiver; the analysis content of the message content comprises a function code, a message operation object and related data.
Preferably, the process of resolving the address and port of a communication packet in step S01 or S03 includes: resolving the source and destination MAC addresses of the packet at the data link layer, resolving the source and destination IP addresses of the packet at the network layer, and resolving the source and destination port numbers of the packet at the transport layer.
Preferably, the communication packets between the switch equipment and the power monitoring system in steps S01 and S03 are captured with the network packet analysis software Wireshark.
The invention discloses a system and method for detecting Aurora attacks based on power grid switch communication data, with the following beneficial effects:
(1) A non-intrusive detection mode is adopted: the normal operating equipment of the grid is neither changed nor added to, and only one communication device is added, so that as long as the new device is not attacked and controlled from outside, the normal operation of the grid is neither changed nor affected, and the adverse effects on stable grid operation that come from changing or adding equipment are avoided.
(2) The method differs from general communication-data attack detection in being designed for the Aurora attack specifically. It targets the most basic manifestation of the Aurora attack, is not easily bypassed by an attacker, keeps detection effective, and can effectively detect Aurora attacks carried out by sending commands from the remote end of an industrial control system or by penetrating a communication link and tampering with communication signals at the network layer.
(3) The technique does not involve components of the three-phase rotating equipment and keeps a physical distance from the attacked equipment, so that for as long as the attack continues by tampering with communication signals or action commands, detection still works; it is not stopped by damage to the attacked equipment or to its surroundings, which guarantees a stable detection and alarm function.
(4) The new detection device is placed at the switch (or hub) of the communication node, and the number and location of devices are decided by the computing and storage capacity and the channel capacity of the new host. Compared with installing a synchronising relay, a reclosing supervision relay or similar equipment at every three-phase rotating unit, the cost of detection is greatly reduced.
Drawings
Fig. 1 is a system block diagram of an aurora attack detection system based on power grid switch communication data according to the present invention;
fig. 2 is a flow chart of an embodiment of an aurora attack detection method based on power grid switch communication data according to the present invention;
FIG. 3 is a structural diagram of a rule base construction in the grid switch communication data-based aurora attack detection method of the present invention;
fig. 4 is a flow chart of a method for detecting an aurora attack based on grid switch communication data according to another embodiment of the present invention.
Detailed Description
The following are specific embodiments of the present invention and are further described with reference to the drawings, but the present invention is not limited to these embodiments.
Referring to fig. 1, the system for detecting an Aurora attack based on power grid switch communication data of the present invention includes switching equipment, a communication controller, a switch/hub, a power monitoring system and a packet capturing host. The switching equipment group is connected to a communication controller CCU over RS485, the communication controller is connected to the switch/hub over RJ45, and one switch/hub is connected to several communication controller CCUs and at the same time to the power monitoring system over RJ45. Each switch/hub is connected to a packet capturing host, which captures the communication packets between the switching equipment and the power monitoring system that flow through that switch/hub and performs Aurora attack detection on them. The communication controller and the power monitoring system communicate with each other through the switch/hub using the Ethernet Modbus-TCP protocol.
To ensure that the packet capturing host is not modified by the attacker and does not lose its detection function when an Aurora attack is launched, the connection between the packet capturing host and the power monitoring system is strictly one-way: the power monitoring system only sends packets to a port of the packet capturing host, and the packet capturing host does not execute any command sent by the power monitoring system. To ensure that the packet capturing host does not affect the stable operation of the existing power system, communication between it and the communication controller CCUs is likewise one-way, with the CCUs able only to send packets to the packet capturing host's port. In addition, the packet capturing host must run offline at a physically secure location.
When a switch is used in the communication system, a communication target must be added to the switching equipment so that each communication packet is sent both to the power monitoring system and to a port of the packet capturing host, allowing the host to capture it. When the data volume and the number of devices are small, the communication system uses a hub, which broadcasts packets to all connected ports, so the packet capturing host can capture them directly from its port.
As shown in fig. 2, the aurora attack detection method based on power grid switch communication data of the present invention runs on the packet capturing host device side of the system and includes:
step S01, capturing communication data packets between the switch device and the power monitoring system during a period in which no attack or abnormal event occurs;
step S02, parsing the communication data packets of step S01 to generate a message rule base; the message rule base comprises a main rule used to judge the periodicity and interval of data packets and secondary rules used to judge the reasonableness of the message length, the request-response time interval and the device authority;
step S03, capturing communication data packets between the switch device and the power monitoring system in real time;
and step S04, parsing the communication data packets of step S03, matching the parsed packets against the rules of the message rule base, and sending out aurora attack warning information when a parsed packet does not match the main rule.
In step S01, message information is captured for a period of time, and once it is confirmed that no attack or abnormal event occurred during that period, this message information is used as the source data from which the message rule base is generated in the following steps. The collected messages are message data packets of the Modbus-TCP protocol.
The communication data analyzed in the subsequent steps comprises the command instructions sent from the power monitoring system to the physical devices and the response information of the physical devices; the measurement data uploaded by the physical devices is not used as an object of analysis or statistics.
Step S02 specifically includes:
step S21, parsing the address and port of the communication data packets of step S01;
step S22, parsing the message header and message content of the communication data packets of step S01; the parsed header content comprises the timestamp of the message, the message length and the identification codes of the message sender and receiver; the parsed message content comprises the function code, the message operation object and the related data;
step S23, determining the periodicity and interval of each service message from the timestamp, message length, function code, operation object and related data of the messages, and taking the determined periodicity and interval as the main rule; forming a message length query table from the message length, the function code and the operation-object device type, and taking it as the first secondary rule; forming a query table of the time difference range between a master station action instruction and the slave station response from the timestamps, the identification codes of sender and receiver and the function codes, and taking it as the second secondary rule; and forming a device authority query table from the identification codes of sender and receiver, the function codes, the operation objects and the related data, and taking it as the third secondary rule.
Fig. 3 shows the structure of the message rule base construction. In step S21, after a Modbus-TCP protocol data packet is captured, the source and destination MAC addresses of the packet are parsed at the data link layer, the source and destination IP addresses at the network layer, and the source and destination port numbers at the transport layer.
In step S22, the parsing object consists of the MBAP header and the message content. After parsing, the header content comprises the timestamp of the message, the message length, the identification codes of the sender and receiver, and the identifier of the message; whether the identifier equals 0x0000 determines whether the message is a Modbus-TCP protocol message. The identification codes of the sender and receiver are determined from the unit identifier, and from them the authority held by each party is determined. The parsed message content comprises the function code, the message operation object and the related data. The function code determines the function of the message, and in combination with the function code the operation object and related data of the message can be identified.
In step S23, the packet capturing host device runs the message rule base generation program and constructs the message rule base from the parsed content. The main rule covers the periodicity and the interval of the data packets. Most instructions in normal system operation are periodic, such as data measurement, packet upload and broadcast addressing. Certain instructions are instead intermittent, meaning that under normal logic the same operation is not repeated within a short time; an example is the on-off operation of a relay. If automatic reclosing exists, the relay closes again shortly after opening and then either stays closed or quickly opens again, and afterwards its state is generally not changed again for some time, so there is a gap between successive on-off commands. The specific process is as follows: function codes are grouped into a number of service functions; the time interval between message transmissions is counted for each service function; for each device type several devices are sampled at random, and the time interval with which each device executes each service is counted. From these time statistics, the periodicity and interval of each service message are set as the main rule. For example, if on-off instruction messages for the same target device appear frequently, this is flagged as a possible aurora attack.
The first secondary rule determines whether the message length is reasonable. Messages with different functions have different lengths, and the length calculation rules and message lengths of the common functions of power system switching equipment such as relays are written into the rule base. The specific process is as follows: combining the message length and function code obtained by deep parsing, the message lengths corresponding to each function code and operation-object device type are tallied to form a message length query table, which serves as the first secondary rule.
The second secondary rule determines whether the request-response interval is reasonable. The Modbus-TCP protocol uses a master-slave request-response mode: the master station sends action instructions and the slave station must respond, and the time interval between request and response has a normal range. An interval outside that range may indicate problems such as execution conflicts caused by frequently sent instructions. Combining the parsed timestamps, identification codes and function codes, the time difference between the master station's action instruction and the slave station's response is counted for each function, forming a time difference range query table that serves as the second secondary rule.
The third secondary rule determines whether the device authority is reasonable. The authority ranges held by devices with different unit identifiers are preset according to the service logic, then updated and confirmed using the parsed identification codes of sender and receiver, function codes, operation objects and related data, forming a device authority query table that serves as the third secondary rule.
In step S03, the communication packet generated during the real-time operation is captured.
In step S04, the communication packet is parsed before the aurora attack detection decision is made. The parsing process is as follows: step S41, parsing the address and port of the communication data packets of step S03; step S42, parsing the message header and message content of the communication data packets of step S03, where the parsed header content comprises the timestamp of the message, the message length and the identification codes of the sender and receiver, and the parsed message content comprises the function code, the message operation object and the related data. The parsing process is the same as in steps S21 and S22.
Step S04 specifically includes: parsing the communication data packets of step S03 and matching them against the message rule base; when only the main rule is not matched, an important aurora attack warning is sent to the power monitoring system, and when the main rule and at least one secondary rule are not matched, a severe aurora attack warning is sent to the power monitoring system. At the same time an alarm is raised on site, and staff are notified through means such as video monitoring.
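The rule base construction of steps S21 to S23 and the tiered matching of step S04, as an added worked example that is not part of the patent: it parses constructed Modbus-TCP frames (MBAP header and PDU), learns the main rule (command spacing per function code, unit and operation object) and the message length and device authority tables from a constructed attack-free capture, then grades live packets as no alarm, important or severe. The addresses, the 0.5 spacing tolerance and the sample traffic are assumptions, and the second secondary rule (request-response delay range) is not built here.

```python
import struct
from collections import defaultdict

MASTER = "10.0.0.1"     # power monitoring system (constructed address)
RELAY = "10.0.0.20"     # switch device behind its communication controller, Modbus unit 1 (constructed)
TOLERANCE = 0.5         # a command closer than TOLERANCE * smallest observed gap breaks the main rule

def frame(tid, unit, fc, body):  # constructed Modbus-TCP frame: MBAP header + PDU (fc + body)
    return struct.pack(">HHHB", tid, 0x0000, len(body) + 2, unit) + bytes([fc]) + body

def parse(payload, is_request):
    """Step S22: split MBAP header and PDU; None unless the protocol identifier is 0x0000."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0x0000 or length != len(payload) - 6:
        return None
    # Requests and write-single echoes (FC 5/6) carry the operation object (coil/register
    # address) in the first two PDU data bytes; read responses carry a byte count instead.
    fc, addr = payload[7], struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"tid": tid, "unit": unit, "fc": fc, "len": len(payload),
            "obj": addr if is_request or fc in (5, 6) else None}

def build_rule_base(records):
    """Step S23: main rule (command spacing per service) plus the length and authority lookup tables."""
    spacing, lengths, authority = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, src, dst, payload in records:
        is_request = dst != MASTER          # commands go to field devices, responses back to the master
        m = parse(payload, is_request)
        if m is None:
            continue
        lengths[(m["fc"], m["unit"])].add(m["len"])              # first secondary rule: message length
        authority[(src, dst)].add((m["fc"], m["obj"]))            # third secondary rule: device authority
        if is_request:
            spacing[(m["fc"], m["unit"], m["obj"])].append(ts)
    gaps = {svc: [b - a for a, b in zip(t, t[1:])] for svc, t in spacing.items()}
    # Main rule: the observed gap range per service. Polling gives a narrow range around its period;
    # switching commands give a large minimum gap (the "interval" the description talks about).
    return {"main": {svc: (min(g), max(g)) for svc, g in gaps.items() if g},
            "length": dict(lengths), "authority": dict(authority)}

def check_packet(rules, last_seen, ts, src, dst, payload):
    """Step S04: None, "important" (main rule broken) or "severe" (main rule plus a secondary rule)."""
    is_request = dst != MASTER
    m = parse(payload, is_request)
    if m is None:
        return None                         # not Modbus-TCP: left to the preliminary screening of step S03'
    broken = []
    if is_request:
        svc = (m["fc"], m["unit"], m["obj"])
        rng = rules["main"].get(svc)
        if svc in last_seen and rng and ts - last_seen[svc] < rng[0] * TOLERANCE:
            broken.append("main")
        last_seen[svc] = ts
    if m["len"] not in rules["length"].get((m["fc"], m["unit"]), set()):
        broken.append("length")
    if (m["fc"], m["obj"]) not in rules["authority"].get((src, dst), set()):
        broken.append("authority")
    if "main" not in broken:
        return None                         # only a main-rule mismatch raises an aurora alarm
    return "severe" if len(broken) > 1 else "important"

def baseline_records():
    """Constructed attack-free capture (step S01): 1 s register polling plus relay operations 60 s apart."""
    recs, coil = [], struct.pack(">H", 0x0010)
    for i in range(10):
        recs.append((float(i), MASTER, RELAY, frame(i, 1, 3, struct.pack(">HH", 0x0000, 2))))  # read 2 regs
        recs.append((i + 0.02, RELAY, MASTER, frame(i, 1, 3, b"\x04" + b"\x00" * 4)))         # count + values
    for i, (t, val) in enumerate(((2.5, b"\xff\x00"), (62.5, b"\x00\x00"), (122.5, b"\xff\x00")), 10):
        recs.append((t, MASTER, RELAY, frame(i, 1, 5, coil + val)))                            # write coil
        recs.append((t + 0.03, RELAY, MASTER, frame(i, 1, 5, coil + val)))                     # echo
    return sorted(recs)

def demo():
    """Live phase (steps S03/S04) on constructed traffic; returns the alarm level for each packet."""
    rules, last_seen, coil = build_rule_base(baseline_records()), {}, struct.pack(">H", 0x0010)
    live = [(200.0, MASTER, RELAY, frame(50, 1, 5, coil + b"\xff\x00")),       # first live command: nothing to compare
            (200.5, MASTER, RELAY, frame(51, 1, 5, coil + b"\x00\x00")),       # 0.5 s later: breaks the 60 s gap
            (201.0, "10.0.0.99", RELAY, frame(52, 1, 5, coil + b"\xff\x00")),  # and from a host with no authority
            (201.5, "10.0.0.99", RELAY, b"\x00\x35\x00\x01\x00\x06\x01\x05\x00\x10\xff\x00")]  # protocol id 1
    return [check_packet(rules, last_seen, *pkt) for pkt in live]
```

`demo()` returns `[None, 'important', 'severe', None]`: the repeated coil command alone is an important warning, the same command from an unregistered host also fails the authority table and becomes severe, and the frame with protocol identifier 0x0001 is not matched at all.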
As shown in FIG. 4, the method of the present invention further includes a preliminary suspicious event screening step S03' between steps S03 and S04, used to eliminate targets at a preliminary stage. A general aurora attack warning is sent to the power monitoring system when at least one of the following conditions holds: hardware illegally accessing the communication data exists, no visitor identity information can be determined, or illegal software accessing the communication data exists. Specifically, filtering the MAC address judges whether hardware is illegally accessing the Modbus-TCP transmitted content; addressing the IP address determines the visitor identity information; and determining the port judges whether illegal software is accessing the communication content. This preliminary screening has an unspecific target and a narrow range: it can only raise alarms for illegal access and illegal applications and matches the aurora attack only loosely, so it serves only as a preliminary result. After the preliminary screening, the specific rule base matching decision is carried out for aurora attack detection.
The communication data packets between the switch device and the power monitoring system in steps S01 and S03 are acquired with the network packet analysis software Wireshark. The software extracts network packets and displays their data in as much detail as possible, including information from the physical, data link, network, transport and application layers, and supports the Modbus-TCP protocol. Wireshark can only capture and read data packets and cannot modify or send them, which ensures that the newly added detection equipment does not affect the normal operation of the power system.
The invention can effectively detect aurora attacks carried out by sending instructions from a remote end of the industrial control system, by penetrating the communication link and tampering with communication signals at the network layer, and the like; it then raises an alarm so that the attack is discovered in time, the range covered by the attack is narrowed, the possibility of equipment damage is reduced, and the three-phase rotating equipment of the power grid is protected from damage.
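The three checks of the preliminary screening step S03', as an added example that is not the patent's code: a constructed asset register maps the MAC addresses of the known hosts to their registered IP addresses, and the standard Modbus-TCP service port 502 (an assumption, since the page names no port) stands in for the legitimate application.

```python
# Constructed asset register for the screened segment: MAC address -> (registered IP, role).
KNOWN_HOSTS = {
    "00:11:22:33:44:01": ("10.0.0.1", "power monitoring system"),
    "00:11:22:33:44:20": ("10.0.0.20", "communication controller CCU"),
}
MODBUS_PORT = 502   # standard Modbus-TCP service port (assumption: the page names no port number)

def prescreen(src_mac, src_ip, src_port, dst_mac, dst_ip, dst_port):
    """Step S03': None when all three checks pass, else ("general", reasons) for the general warning."""
    registered_ips = {ip for ip, _ in KNOWN_HOSTS.values()}
    reasons = []
    for mac, ip in ((src_mac, src_ip), (dst_mac, dst_ip)):
        if mac not in KNOWN_HOSTS:                           # MAC filter: hardware illegally on the link
            reasons.append(f"unregistered hardware {mac}")
        if ip not in registered_ips:                         # IP addressing: visitor identity unknown
            reasons.append(f"no identity for {ip}")
        elif mac in KNOWN_HOSTS and KNOWN_HOSTS[mac][0] != ip:
            reasons.append(f"{ip} is not the address registered to {mac}")  # known IP on the wrong hardware
    if MODBUS_PORT not in (src_port, dst_port):              # port check: software other than the Modbus service
        reasons.append(f"ports {src_port}->{dst_port} are not the Modbus service")
    return ("general", reasons) if reasons else None

def demo():
    """Constructed flows: a normal poll, an unknown laptop, and a known host reaching a non-Modbus port."""
    flows = [("00:11:22:33:44:01", "10.0.0.1", 49152, "00:11:22:33:44:20", "10.0.0.20", 502),
             ("de:ad:be:ef:00:01", "10.0.0.99", 40000, "00:11:22:33:44:20", "10.0.0.20", 502),
             ("00:11:22:33:44:01", "10.0.0.1", 49153, "00:11:22:33:44:20", "10.0.0.20", 22)]
    return [prescreen(*f) for f in flows]
```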
It will be appreciated by persons skilled in the art that the embodiments of the invention described above and shown in the drawings are given by way of example only and are not limiting of the invention. The objects of the present invention have been fully and effectively accomplished. The functional and structural principles of the present invention have been shown and described in the examples, and any variations or modifications of the embodiments of the present invention may be made without departing from the principles.

Claims (8)

1. A polar light attack detection method based on power grid switch communication data, characterized in that the method is applied on the packet capturing host device side of a polar light attack detection system based on power grid switch communication data, the system comprising a switch device, a communication controller, a switch/hub, a power monitoring system and a packet capturing host device; the communication controller is connected to the switch device and to the switch/hub, and the switch/hub is connected to the power monitoring system and to the packet capturing host device; the packet capturing host device runs off-line at a physically secure location and is used to capture the communication data packets flowing between the switch device and the power monitoring system, which are connected to the same switch/hub, and to carry out aurora attack detection; the packet capturing host device also sends the communication data packets to the power monitoring system; the method comprises the following steps:
step S01, capturing communication data packets between the switch device and the power monitoring system during a period in which no attack or abnormal event occurs;
step S02, parsing the communication data packets of step S01 to generate a message rule base; the message rule base comprises a main rule used to judge the periodicity and interval of data packets and secondary rules used to judge the reasonableness of the message length, the request-response time interval and the device authority; this specifically comprises the following steps:
step S21, parsing the address and port of the communication data packets of step S01;
step S22, parsing the message header and message content of the communication data packets of step S01; the parsed header content comprises the timestamp of the message, the message length, the identification codes of the message sender and receiver and the identifier of the message; the parsed message content comprises the function code, the message operation object and the related data;
step S23,
determining the periodicity and interval of each service message from the timestamp, message length, function code, operation object and related data of the messages, and taking the determined periodicity and interval as the main rule;
forming a message length query table from the message length, the function code and the operation-object device type, and taking it as the first secondary rule;
forming a query table of the time difference range between a master station action instruction and the slave station response from the timestamp of the message, the identifier of the message and the function code, and taking it as the second secondary rule;
forming a device authority query table from the identification codes of the message sender and receiver, the function codes, the operation objects and the related data, and taking it as the third secondary rule;
step S03, capturing communication data packets between the switch device and the power monitoring system in real time;
and step S04, parsing the communication data packets of step S03, matching the parsed packets against the rules of the message rule base, and sending out aurora attack warning information when a parsed packet does not match the main rule.
2. The polar light attack detection method based on power grid switch communication data according to claim 1, further comprising a preliminary suspicious event screening step between step S03 and step S04:
sending a general aurora attack warning to the power monitoring system when at least one of the following conditions holds: hardware illegally accessing the communication data exists, no visitor identity information can be determined, or illegal software accessing the communication data exists.
3. The polar light attack detection method based on power grid switch communication data according to claim 1, wherein step S04 specifically includes: parsing the communication data packets of step S03 and matching them against the message rule base; when only the main rule is not matched, sending an important aurora attack warning to the power monitoring system; and when the main rule and at least one secondary rule are not matched, sending a severe aurora attack warning to the power monitoring system.
4. The polar light attack detection method based on power grid switch communication data according to claim 1, wherein parsing the communication data packets of step S03 in step S04 comprises:
step S41, parsing the address and port of the communication data packets of step S03;
step S42, parsing the message header and message content of the communication data packets of step S03; the parsed header content comprises the timestamp of the message, the message length and the identification codes of the message sender and receiver; the parsed message content comprises the function code, the message operation object and the related data.
5. The polar light attack detection method based on power grid switch communication data according to claim 1 or 4, wherein parsing the address and port of the communication data packets in step S01 or S03 comprises: parsing the source and destination MAC addresses of the communication data packet at the data link layer, parsing the source and destination IP addresses of the communication data packet at the network layer, and parsing the source and destination port numbers of the communication data packet at the transport layer.
6. The polar light attack detection method based on power grid switch communication data according to claim 1, wherein the communication data packets between the switch device and the power monitoring system in steps S01 and S03 are acquired with the network packet analysis software Wireshark.
7. The polar light attack detection method based on power grid switch communication data according to claim 1, wherein the packet capturing host device is in one-way communication with the communication controller, and the communication controller sends communication data packets to the packet capturing host device.
8. The polar light attack detection method based on power grid switch communication data according to claim 1, wherein the communication controller and the power monitoring system communicate with each other through the Ethernet Modbus-TCP protocol via the switch/hub.
CN201911298074.7A 2019-12-17 2019-12-17 Polar light attack detection system and method based on power grid switch communication data Active CN110995741B (en)

Publications (2)

Publication Number Publication Date
CN110995741A CN110995741A (en) 2020-04-10
CN110995741B true CN110995741B (en) 2021-04-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Luohu District Shenzhen Shennan Road 518000 No. 4020 Guangdong provincial power dispatching center building

Applicant after: Shenzhen Power Supply Co.,Ltd.

Applicant after: ZHEJIANG University

Address before: 310013 No. 866 Tong Road, Xihu District, Zhejiang, Hangzhou, Yuhang

Applicant before: ZHEJIANG University

Applicant before: Shenzhen Power Supply Co.,Ltd.

GR01 Patent grant