CN111045330B - Attack identification method based on Elman neural network and grid-connected interface device - Google Patents

Attack identification method based on Elman neural network and grid-connected interface device Download PDF

Info

Publication number
CN111045330B
CN111045330B CN201911343070.6A CN201911343070A CN111045330B CN 111045330 B CN111045330 B CN 111045330B CN 201911343070 A CN201911343070 A CN 201911343070A CN 111045330 B CN111045330 B CN 111045330B
Authority
CN
China
Prior art keywords
layer
hidden
module
display
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911343070.6A
Other languages
Chinese (zh)
Other versions
CN111045330A (en
Inventor
李鹏
习伟
匡晓云
徐成斌
何鸿雁
于杨
姚浩
简淦杨
杨祎巍
陈锐
祖连兴
陈远生
占捷文
王乾刚
丁凯
朱小帆
贺生国
黄植炜
肖声远
吕志宁
邓巍
刘威
宁柏锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Power Supply Bureau Co Ltd
Research Institute of Southern Power Grid Co Ltd
CYG Sunri Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Research Institute of Southern Power Grid Co Ltd
CYG Sunri Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Power Supply Bureau Co Ltd, Research Institute of Southern Power Grid Co Ltd, CYG Sunri Co Ltd filed Critical Shenzhen Power Supply Bureau Co Ltd
Priority to CN201911343070.6A priority Critical patent/CN111045330B/en
Publication of CN111045330A publication Critical patent/CN111045330A/en
Application granted granted Critical
Publication of CN111045330B publication Critical patent/CN111045330B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B13/00Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion
    • G05B13/02Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric
    • G05B13/04Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators
    • G05B13/042Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators in which a parameter or coefficient is automatically adjusted to optimise the performance

Abstract

The invention discloses an attack identification method based on an Elman neural network, which comprises the following steps: collecting state data of cooling, heating and power, and collecting characteristic data stream which can represent whether the combined cooling, heating and power supply grid-connected interface device is attacked or not in the state data; inputting the characteristic data stream into an Elman neural network model for real-time detection and outputting a detection classification result, and intercepting the state data and sending an alarm when the characteristic data classified into the network attack class is stored in the classification result; and when the characteristic data streams in the classification result are all classified into normal classes, forwarding the state data to a superior dispatching center. The invention also provides a grid-connected interface device. Compared with the prior art, the safety and the operation reliability of the combined cooling heating and power system are improved.

Description

Attack identification method based on Elman neural network and grid-connected interface device
Technical Field
The invention relates to an electric power device, in particular to an attack identification method based on an Elman neural network and a grid-connected interface device used in a combined cooling heating and power system.
Background
The combined cooling heating and power system is a combined production and supply system which is established on the basis of the concept of energy cascade utilization and takes natural gas as primary energy to generate three kinds of energy, namely cold, heat and electricity. The natural gas is used as fuel, and high-temperature flue gas obtained by burning the natural gas is firstly used for power generation by utilizing equipment such as a small gas turbine, a gas internal combustion engine, a micro-combustion engine and the like, and then is used for heating in winter by utilizing waste heat; cooling in summer by a refrigerator; meanwhile, domestic hot water can be provided, and exhaust heat is fully utilized. The energy utilization rate of the combined cooling heating and power system can reach 80 percent, and a large amount of energy is saved. Compared with the traditional centralized energy supply mode, the combined cooling heating and power system has the advantages of high energy efficiency, cleanness, environmental protection, good safety, peak clipping, valley filling, good economic benefit and the like, can meet the diversified energy supply requirements of terminal users, and is an important development direction of the power industry and the energy industry.
The Combined Cooling, Heating and Power supply, i.e. CCHP (Combined Cooling and Power), means that natural gas is used as a main fuel to drive gas Power generation equipment such as a gas turbine, a micro-combustion engine or an internal combustion engine generator to operate, the generated Power supplies the Power demand of a user, and the waste heat discharged after the system generates Power supplies heat and cold to the user through waste heat recycling equipment. By the method, the primary energy utilization rate of the whole system is greatly improved, and the cascade utilization of energy is realized. The control variable of the cooling, heating and power triple supply system is mainly the gas engine power, and the control strategy is as follows: according to predicted or actually measured cold, heat and electric loads, the power of the combustion engine in optimized operation and the corresponding comprehensive utilization efficiency of the energy in optimized operation are calculated by using a program, and then the system operation state is adjusted by controlling the power of the combustion engine, so that the system tends to the highest state of the comprehensive utilization efficiency of the energy in the whole operation stage. In order to avoid optimization failure caused by load errors or overlarge errors in the calculation process, the comprehensive utilization efficiency of the optimized operation energy calculated by the program is compared with the actually measured comprehensive utilization efficiency of the energy, and if the difference is overlarge and exceeds a set value, the control system needs to be checked and corrected.
With the rising of the concepts of 'energy internet' and 'multi-energy complementation' in recent years, the combined cooling heating and power system technology is increasingly concerned by the energy power boundary at home and abroad, the combined cooling heating and power system technology is rapidly developed in the markets at home and abroad, and the engineering application technology is mature day by day. On one hand, because the energy demand of the terminal user is influenced by comprehensive factors such as seasonal changes, building types, power supply of a power grid and the like, when the combined cooling heating and power system is connected to the grid, the related state data of cold, heat and electricity need to be timely and accurately uploaded to a superior dispatching center through a grid-connected interface device; on the other hand, as the power grid is gradually put to informatization and intellectualization, the industrial power control terminal is more and more threatened by various network malicious attacks, the operation environment of the existing grid-connected interface device is open and is easy to be attacked by various networks, the attacking means can endanger the confidentiality, integrity and availability of information, and as can be seen from a plurality of cases that a large power failure accident is initiated due to network attack or network information security events and the network attack interferes with the normal operation of the power grid, the security of the domestic industrial power control terminal is increasingly prominent in recent years, and the power failure accident caused by the network attack is in an increasing trend in recent years. Therefore, for the grid-connected interface device which needs to be connected to the grid, the active immunity of the grid-connected interface device is urgently needed to be improved, and the network attack is avoided from interfering the normal operation of the power grid and damaging the whole set of combined cooling heating and power system through invading the grid-connected interface device.
Disclosure of Invention
The invention aims to provide an Elman neural network-based attack identification method and a grid-connected interface device, and aims to solve the technical problems that active defense can be realized on unknown attacks, and the safety and the operation reliability of a combined cooling heating and power system are improved.
In order to solve the problems, the invention adopts the following technical scheme: an attack identification method based on an Elman neural network comprises the following steps:
collecting state data of cooling, heating and power, and collecting characteristic data stream which can represent whether a combined cooling, heating and power grid-connected interface device is attacked or not in the state data, wherein the characteristic data stream comprises voltage, current, active power and reactive power data of a public connection point, telemetering and remote adjusting data of the power, cooling and heating capacity of a gas turbine, power information of a combined cooling, heating and power generation unit and power consumption data;
inputting the characteristic data stream into an Elman neural network model for real-time detection and outputting a detection classification result, and intercepting the state data and sending an alarm when the characteristic data classified into a network attack class exists in the classification result; and when the characteristic data streams in the classification result are all classified into normal classes, forwarding the state data to a superior dispatching center.
Furthermore, when the state data is intercepted and an alarm is sent in the second step, the state data is also intercepted and a log record is generated.
Further, before the first step, the Elman neural network model needs to be trained, and the training is implemented by the following method:
firstly, inputting a sample into an Elman neural network model; the samples comprise positive samples and negative samples, and the positive samples are normal data capable of representing whether the combined cooling heating and power supply grid-connected interface device is attacked or not; the negative sample is obtained after network attack is carried out on normal data in the positive sample;
secondly, training the Elman neural network model, comprising the following steps:
(1) normalizing each hidden element by a sigmoid activation function into a probability value of the hidden elements being activated:
the sigmoid excitation function is:
Figure GDA0002691266970000031
wherein, the value of the e constant is 2.718, and x represents the value transmitted by the display layer multiplied by the connection weight plus the deviation of the hidden layer; the value transmitted by the display layer is sample data in an input sample, and the connection weight is the connection between neurons;
(2) calculating the probability of making the hidden element activated:
Figure GDA0002691266970000032
wherein, P (h)j=1|v0) Is the probability that the hidden element is activated, hjThe jth activated hidden element, v0Represents the initial layer development, viRepresents the ith primitive displayed as the value of sample data of a training sample in a training database, wn×mIs the connection weight between the display layer and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element, and the hidden layer initial offset c is 0; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer, and the initialization of the connection weight w is from a random number of normal distribution N (0, 0.01);
(3) calculating the probability of the display element being activated:
Figure GDA0002691266970000033
wherein: p (v)i=1|h0) Is the probability of activation of the indicator, viRepresents the ith activated display element after reconstruction, h0Represents a hidden layer, hjRepresents the jth hidden element, Wn×mIs the connection weight between the explicit layer and the implicit layer, n is the total number of implicit elements of the implicit layer, i is the ith explicit element, b is the offset of the explicit element, the explicit layer offset is initialized to
Figure GDA0002691266970000034
Wherein p isiRepresenting the proportion of samples with the ith characteristic in an activated state in the training samples, wherein the characteristic is sample data in the samples; the hidden layer represents an activated feature;
(4) then, calculating the probability of the activation of the hidden element by using the reconstructed apparent element again to obtain a new hidden layer h', namely, multiplying the value of the activated hidden element in the step (2) as an input value by a corresponding connection weight, summing the products, adding the products to the deviation to obtain a result, namely a reconstructed value, namely an original input approximate value, calculating the probability of the activation of the apparent element by using a formula in the step (3), and mapping the reconstructed value of the activated apparent element to the hidden element;
Figure GDA0002691266970000041
wherein: p (h'j1| v ') is the probability that the hidden element is activated, h'jRepresents the j-th hidden element activated by the reconstructed display layer, v 'represents the reconstructed display layer, v'iRepresents the ith display element, which is the value of the reconstructed display element, Wn×mIs the connection weight between the display layer and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
(5) updating the offset weight value, wherein the updating formula is as follows:
△W=[P(h0=1|v0)v0 T-P(h′=1|v′)v′T]
Wnew=W+α△W
bi new=bi+α(vi-v′i)
cj new=cj+α[P(hj=1|v)-P(h′j=1|v′)]
Wherein Δ W represents the difference α between the reconstructed display element and the input value as the learning effectThe rate is 0.01, W is the connection weight before updating, v0Represents the initial layer development, v0 TIs v is0Transpose of h0Mapping the display layer to an activated hidden layer, and v 'is the reconstructed display layer, and then mapping the value of the reconstructed display layer to the hidden layer, and activating the hidden layer to obtain h'; the initial display layer is sample data in the sample;
(6) after an initial display layer is fully trained, determining a connection weight and an offset of the training sample data;
(7) and (5) repeating the steps (1) and (6) until all sample data training is completed, and finally obtaining the trained Elman neural network model.
Further, after the step (7), the Elman neural network model can be checked, any sample data is input into the trained Elman neural network model for model checking, when the output result does not meet the expectation, the steps (2) - (6) are repeated after the connection weight and the offset are modified until the output result meets the expectation, and the expectation is the absolute value of the updated connection weight W.
The invention also discloses a grid-connected interface device, which is characterized in that: the device comprises a measuring module, a control module, an attack detection module, a power supply module, a communication module, a display module, an output module, an input module and a memory; the attack detection module is respectively connected with the input module, the measurement module, the power supply module and the communication module, the measurement module and the attack detection module perform analog-to-digital conversion through the AD conversion module, and the control module is respectively connected with the power supply module, the display module, the input module, the output module, the memory and the communication module;
the measuring module is used for measuring partial state data in the data stream of the combined cooling heating and power system and sending the partial state data to the attack detection module after AD conversion;
the control module is used for being connected and communicated with the upper layer and the lower layer through the communication module, receiving the alarm sent by the attack detection module and sending the alarm to the display module for displaying, and the control module also sends an output signal to the output module; the output signals comprise output control common connection point switches, cold and heat power triple supply system cold and heat load equipment switching switches and circuit breaker switch instruction signals;
the attack detection module is used for extracting the state data of the cooling, heating and power of all combined cooling, heating and power supply systems sent by the measurement module, the input module and the communication module, extracting a characteristic data stream which can represent whether the combined cooling, heating and power supply grid-connected interface device is attacked or not from the state data, inputting the characteristic data stream into the Elman neural network model for real-time detection and classification and outputting a classification result; when the classified result has the characteristic data classified into the network attack class, generating an alarm and a log record according to the type of the network attack, sending the alarm and the log record to a control module, and intercepting the state data; when the feature data streams in the classification result are all classified into normal classes, directly sending the state data to the control module, and forwarding the state data to an upper layer by the control module through the communication module;
the power supply module is used for providing working power supply for the device;
the communication module is used for connecting and communicating with the upper layer and the lower layer;
the display module is used for displaying;
the open-in module is used for collecting part of characteristic data in the data stream of the combined cooling heating and power system and sending the part of the characteristic data to the attack detection module;
the opening module is used for sending an opening signal sent by the control module;
the memory is used for storing data.
Further, the control module is also used for sending the alarm and the log record to an upper layer and/or a memory for storage through the communication module.
Further, before the attack detection module inputs the characteristic data stream into the Elman neural network model for real-time detection and classification, the Elman neural network model needs to be trained, and the training is realized by adopting the following method:
firstly, inputting a sample into an Elman neural network model; the samples comprise positive samples and negative samples, and the positive samples are normal data capable of representing whether the combined cooling heating and power supply grid-connected interface device is attacked or not; the negative sample is obtained after network attack is carried out on normal data in the positive sample;
secondly, training the Elman neural network model, comprising the following steps:
(1) normalizing each hidden element by a sigmoid activation function into a probability value of the hidden elements being activated:
the sigmoid excitation function is:
Figure GDA0002691266970000061
wherein, the value of the e constant is 2.718, and x represents the value transmitted by the display layer multiplied by the connection weight plus the deviation of the hidden layer; the value transmitted by the display layer is sample data in an input sample, and the connection weight is the connection between neurons;
(2) calculating the probability of making the hidden element activated:
Figure GDA0002691266970000062
wherein, P (h)j=1|v0) Is the probability that the hidden element is activated, hjThe jth activated hidden element, v0Represents the initial layer development, viRepresents the ith primitive displayed as the value of sample data of a training sample in a training database, wn×mIs the connection weight between the display layer (input layer, receiving layer) and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element, and the hidden layer initial offset c is 0; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer, and the initialization of the connection weight w is from a random number of normal distribution N (0, 0.01);
(3) calculating the probability of the display element being activated:
Figure GDA0002691266970000063
wherein: p (v)i=1|h0) Is the probability of activation of the indicator, viRepresents the ith activated display element after reconstruction, h0Represents a hidden layer, hjRepresents the jth hidden element, Wn×mIs the connection weight between the explicit layer and the implicit layer, n is the total number of implicit elements of the implicit layer, i is the ith explicit element, b is the offset of the explicit element, the explicit layer offset is initialized to
Figure GDA0002691266970000064
Wherein p isiRepresenting the proportion of samples with the ith characteristic in an activated state in the training samples, wherein the characteristic is sample data in the samples; the hidden layer represents an activated feature;
(4) then, calculating the probability of the activation of the hidden element by using the reconstructed apparent element again to obtain a new hidden layer h', namely, multiplying the value of the activated hidden element in the step (2) as an input value by a corresponding connection weight, summing the products, adding the products to the deviation to obtain a result, namely a reconstructed value, namely an original input approximate value, calculating the probability of the activation of the apparent element by using a formula in the step (3), and mapping the reconstructed value of the activated apparent element to the hidden element;
Figure GDA0002691266970000071
wherein: p (h'j1| v ') is the probability that the hidden element is activated, h'jRepresents the j-th hidden element activated by the reconstructed display layer, v 'represents the reconstructed display layer, v'iRepresents the ith display element, which is the value of the reconstructed display element, Wn×mIs the weight between the presentation layer and the hidden layer, m is the total number of presentation elements of the presentation layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
(5) updating the offset weight value, wherein the updating formula is as follows:
△W=[P(h0=1|v0)v0 T-P(h′=1|v′)v′T]
Wnew=W+α△W
bi new=bi+α(vi-v′i)
cj new=cj+α[P(hj=1|v)-P(h′j=1|v′)]
Where Δ W represents the difference between the reconstructed display element and the input value (error feedback), α is the learning efficiency value of 0.01, W is the connection weight before update, and v is the connection weight before update0Represents the initial layer development, v0 TIs v is0Transpose of h0Mapping the display layer to an activated hidden layer, and v 'is the reconstructed display layer, and then mapping the value of the reconstructed display layer to the hidden layer, and activating the hidden layer to obtain h'; the initial display layer is sample data in a sample;
(6) after an initial display layer is fully trained, determining a connection weight and an offset of the training sample data;
(7) and (5) repeating the steps (1) and (6) until all sample data training is completed, and finally obtaining the trained Elman neural network model.
Further, after the step (7), the Elman neural network model is checked, any sample data is input into the trained Elman neural network model for model checking, when the output result does not meet the expectation, the steps (2) - (6) are repeated after the connection weight and the offset are modified until the output result meets the expectation, and the expectation is the absolute value of the updated connection weight W.
Compared with the prior art, the method and the device have the advantages that the cold, heat and electricity related state data are detected and analyzed through the Elman neural network, so that abnormal data subjected to network attack in the state data are found out, corresponding alarm prompts are sent out after classification is carried out according to the characteristics of the network attack, the abnormal data are intercepted, active immunity is realized, an attacker is prevented from further invading a superior dispatching center through a security hole existing in a grid-connected interface device, and the security of a cold-heat-electricity triple-generation system and the reliability of operation are improved.
Drawings
Fig. 1 is a diagram of a system in the prior art.
Fig. 2 is a flow chart of the present invention.
Fig. 3 is a schematic diagram of the Elman neural network model of the present invention.
FIG. 4 is a flow chart of the Elman neural network model training of the present invention.
Fig. 5 is a block diagram showing the configuration of the grid-connected interface device according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
As shown in fig. 1, the combined cooling, heating and power grid-connected system structure includes a combined cooling, heating and power control management unit (control management unit), a combined cooling, heating and power grid-connected interface device (grid-connected interface device), and an upper-level dispatching center, where a solid line is an energy line and a dotted line is a communication line, the grid-connected interface device is a communication bridge connecting an upper-level operation monitoring master station or the upper-level dispatching center, a lower-level control management unit, and other intelligent devices, the control management unit obtains three state data of electricity, cold, and heat of the generator, the refrigerating unit, the heat exchanger, and the domestic hot water, and according to related remote-regulation and start-stop commands sent by the upper-level dispatching center through the grid-connected interface device, the grid-connected interface device receives the state data (such as gas turbine power, generated energy, power quality, heat supply, the method comprises the steps of collecting information quantities such as voltage, current, active power, reactive power, gas turbine power, cold quantity, heat quantity and the like from the lower part (a control system, a temperature monitoring device and a grid connection point) of the gas turbine, receiving related remote signaling data from a lower layer controller, and transmitting information such as gas turbine power, generated energy, electric energy quality, heat supply quantity, cold supply quantity and the like and data such as grid connection point voltage, current, power and the like to the upper part (a micro-grid central controller or a higher-level dispatching center) in real time.
A grid-connected point refers to a point of common connection, more than one user load connection in an electrical power system.
As shown in fig. 2, the invention discloses an attack identification method based on an Elman neural network, which comprises the following steps:
collecting state data of cooling, heating and power, and collecting characteristic data stream (influence factor) which can represent whether a combined cooling, heating and power supply grid-connected interface device is attacked or not in the state data, wherein the characteristic data stream or the influence factor comprises voltage, current, active power and reactive power data of a public connection point, telemetering and remote adjusting data such as gas turbine power, cooling capacity and heating capacity, power information of a combined cooling, heating and power supply power generation unit, power consumption and other data;
inputting the characteristic data stream into an Elman neural network model for real-time detection and outputting a detection classification result; when the characteristic data classified into the network attack category exists in the classification result, intercepting the state data and sending an alarm; when the characteristic data streams in the classification result are all classified into normal classes, forwarding the state data to a superior scheduling center; to enable active defense against the characteristic data.
The attack classification comprises data forgery and tampering such as Dos (denial of service) attack, DDos (distributed denial of service) attack, unauthorized access attack, abnormal detection of an interface end, Trojan attack, electric quantity and the like, electric quantity stealing and the like; the normal class is a normal data class which is attacked by the network;
dos (denial of service) attack-Dos attack refers to the intentional defect of attacking the network protocol implementation or exhausting the resource of the attacked object by brute force means directly, in order to make the target computer or network unable to provide normal service or resource access, and make the target system service system stop responding or even crash.
DDos (distributed denial of service) attacks: the distributed denial of service attack means that a plurality of attackers in different positions simultaneously attack one or a plurality of targets, or one attacker controls a plurality of machines in different positions and uses the machines to attack victims simultaneously. Since the points of attack launch are distributed in different places, this type of attack is known as a distributed denial of service attack, in which there may be multiple attackers.
Unauthorized access attacks: unauthorized access refers to unauthorized use of a network resource or use of a network resource in an unauthorized manner. It mainly has the following forms: impersonation, identity attack, illegal user entering the network system for illegal operation, legal user operating in an unauthorized mode, and the like.
Abnormal detection of the interface end: and the attack mode of illegally detecting device data or implanting virus data on the interface end of the grid-connected interface device is unauthorized without permission.
Trojan attack: i.e. a trojan virus attack. The Trojan horse virus is a malicious code with special functions hidden in a normal program, and is a backdoor program with special functions of destroying and deleting files, sending passwords, recording keyboards, attacking Dos and the like. The intruder performs an illegal operation on the computer infected with the trojan virus by causing the control program to be hosted by the controlled computer.
Data falsification: data falsification refers to an entity (person or system) sending out data information containing identity information of other entities, and impersonating other entities to fraudulently obtain rights and privileges of some legitimate users.
Tampering: tampering refers to the alteration, deletion, delay or change of order of certain portions of a legitimate message, usually to create an unauthorized effect. If the data in the transmission message is modified, the operation executed by the first permission is changed into the operation executed by the second permission.
Electricity stealing: the behavior that the electricity is not measured or is measured less by adopting an illegal means aiming at illegally occupying the electricity and not paying or paying less electricity charges is adopted.
And in the second step, when the state data is intercepted and an alarm is sent out, the data is intercepted, a log record is generated, and the log record is stored.
The log records include attack occurrence time, invasion process information, attack types, and the like.
The alarm is that alarm information is displayed through a display, displayed through an indicator lamp and/or sent to an upper-level dispatching center, and the alarm information comprises attacked data information and an attack type.
The indicator light can be set to be light sources with different colors and the same number as the classification number of the network attacks, so that the corresponding light sources can be displayed when a certain network attack occurs.
After receiving the alarm, the superior dispatching center sends alarm information to all devices on the lower layer, analyzes the attack type, automatically gives an instruction of an emergency countermeasure to the attacked device, and simultaneously reminds related personnel of the alarm information in the forms of flashing an indicator lamp, sending an alarm sound and sending mobile phone information.
The forwarding is to send the state data without the attacked behavior to the superior scheduling center.
As shown in fig. 3, in the second step, the feature data stream is input into the Elman neural network model for real-time detection and the detection and classification result is output by the output layer after the feature data stream passes through the input layer of the Elman neural network model, passes through the supporting layer and the hidden layer, and then is output by the output layer.
Before the first step, the Elman neural network model needs to be trained, and the training is realized by adopting the following mode:
as shown in fig. 4, a sample for the Elman neural network model training is obtained, the sample includes a positive sample and a negative sample, and the positive sample is a normal characteristic data stream capable of representing whether the combined cooling, heating and power supply grid-connected interface device is attacked or not; the negative sample is obtained after network attack is carried out on the normal characteristic data stream in the positive sample; and inputting the positive sample and the negative sample into an Elman neural network model for training to gradually correct the connection weight values of each layer of the Elman neural network and the threshold values of the nodes.
The Elman neural network model training is realized by the following steps:
firstly, inputting a sample into an Elman neural network model;
secondly, training the Elman neural network model, comprising the following steps:
(3) normalizing each hidden element by a sigmoid activation function into a probability value of the hidden elements being activated:
the sigmoid excitation function is:
Figure GDA0002691266970000111
wherein, the value of the e constant is 2.718, and x represents the value transmitted by the display layer multiplied by the connection weight plus the deviation of the hidden layer; the value transmitted by the display layer is sample data in an input sample, and the connection weight is the connection between neurons;
(4) calculating the probability of making the hidden element activated:
Figure GDA0002691266970000112
wherein, P (h)j=1|v0) Is the probability that the hidden element is activated, hjThe jth activated hidden element, v0Represents the initial layer development, viRepresents the ith primitive displayed as the value of sample data of a training sample in a training database, wn×mIs the connection weight between the display layer (input layer, receiving layer) and the hidden layer (representing the connection between the display layer and the hidden layer, the initialization of the connection weight w is from the random number of normal distribution N (0, 0.01), i.e. 0-0.01), m is the total number of display elements of the display layer, N is the total number of hidden elements of the hidden layer, j is the jth hidden element, c is the number of the hidden element of the hidden layerjIs the offset of the jth hidden element, and the hidden layer initial offset c is 0; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
each node in the neural network accepts an input value and passes the input value to the next layer, and the input node passes the input attribute value directly to the next layer. In a neural network, there is a functional relationship between the inputs and outputs of the hidden layer and output layer nodes, this function is called the activation function;
(3) calculating the probability of the display element being activated:
Figure GDA0002691266970000113
wherein: p (v)i=1|h0) Is the probability of activation of the indicator, viRepresents the ith activated display element after reconstruction, h0Representing the hidden layer (activated feature), hjRepresents the jth hidden element, hjWn×mIs the connection weight between the explicit layer and the implicit layer, n is the total number of implicit elements of the implicit layer, i is the ith explicit element, b is the offset of the explicit element, the explicit layer offset is initialized to
Figure GDA0002691266970000114
Wherein p isiRepresenting the proportion of samples with the ith characteristic in an activated state in the training samples, wherein the characteristic is sample data in the samples; the hidden layer represents an activated feature;
(4) then, the reconstructed explicit element is used for calculating the probability of the activation of the implicit element to obtain a new implicit layer h', namely, the value of the activated implicit element in the step (2) is used as an input value to be multiplied by a corresponding connection weight value, the products are summed and then added with the deviation to obtain a result, namely, the reconstructed value, namely, the approximate value of the original input, the formula in the step (3) is used for calculating the probability of the activation of the explicit element, and then the reconstructed activation explicit element value is mapped to the implicit element
Figure GDA0002691266970000121
Wherein: p (h'j1| v ') is the probability that the hidden element is activated, h'jRepresents the j-th hidden element activated by the reconstructed display layer, v 'represents the reconstructed display layer, v'iRepresents the ith display element, which is the value of the reconstructed display element, Wn×mIs the weight between the display layer and the hidden layer (representing the relation between the display layer and the hidden layer), m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
(5) updating the offset weight value, wherein the updating formula is as follows:
△W=[P(h0=1|v0)v0 T-P(h′=1|v′)v′T]
Wnew=W+α△W
bi new=bi+α(vi-v′i)
cj new=cj+α[P(hj=1|v)-P(h′j=1|v′)]
Where Δ W represents a difference (error feedback) between the reconstructed display element and the input value, α is a learning efficiency value of 0.01, W is a connection weight before update (initialization of W is a random number from a normal distribution N (0, 0.01), i.e., 0-0.01), and v is a random number0After an initial display layer (i.e. sample data in the sample, such as values of input data of combustion engine power, generating capacity, electric energy quality, heating load, cooling supply information, grid-connected point voltage, current, power and the like) is given to a display element, v0 TIs v is0Transpose of h0Mapping the display layer to an activated hidden layer, and v 'is the reconstructed display layer, and then mapping the value of the reconstructed display layer to the hidden layer, and activating the hidden layer to obtain h'; p denotes the probability, P (h)0=1|v0) The representation indicates the probability of the hidden element being activated in the initial state; p (h '═ 1| v') represents the probability that a hidden element is activated after reconstruction; p (h)j1| v) denotes the probability that the jth hidden element is activated in the initial state; p (h'j1| v') denotes the probability that the jth hidden element is activated after reconstruction.
(6) After an initial display layer is fully trained, determining a connection weight and an offset of the training sample data;
(7) and (5) repeating the steps (1) and (6) until all sample data training is completed, and finally obtaining the trained Elman neural network model.
After the step (7), the Elman neural network model can also be checked, any sample data is input into the trained Elman neural network model for model checking, and when the output result does not meet the expectation (namely when the error precision is greater than 0.02), the steps (2) - (6) are repeated after the connection weight and the offset are modified until the output result meets the expectation, wherein the expectation is the absolute value of the updated connection weight W.
Supposing that an attacker carries out Trojan attack on gas turbine power, power supply amount, cooling amount and heating amount data in a characteristic data stream, the combined cooling heating and power supply grid-connected interface device can input the characteristic data into an attack detection module based on an Elman neural network through a measurement module, a communication module and an input module, when the real-time detection and classification are carried out through an Elman neural network model, and the four data are captured to have attacked behaviors, the four data are subjected to attack classification and classified into Trojan attack categories according to the characteristics of the attacking behaviors, and at the moment, when an alarm is given out, the attacked data information in alarm information is as follows: the power, the power supply quantity, the cooling supply quantity and the heating supply quantity data of the gas turbine, and the attack type are as follows: and (5) Trojan attack.
As shown in fig. 5, the present invention further discloses a grid-connected interface device, which includes a measurement module, a control module, an attack detection module, a power module, a communication module, a display module, an output module, an input module, and a memory; the attack detection module is respectively connected with the input module, the measurement module, the power supply module and the communication module, the measurement module and the attack detection module perform analog-to-digital conversion through the AD conversion module, and the control module is respectively connected with the power supply module, the display module, the input module, the output module, the memory and the communication module;
the measuring module is used for measuring partial state data (including voltage, current, active power and reactive power data of a public connection point, telemetering and remote adjusting data such as gas turbine power, cooling capacity and heating capacity, power information of a combined cooling heating and power generation unit, power consumption and the like) in the data stream of the combined cooling heating and power system, and sending the partial state data to the attack detection module after AD conversion;
the control module is used for being connected and communicated with the upper layer and the lower layer through the communication module, receiving the alarm sent by the attack detection module and sending the alarm to the display module for displaying, and the control module also sends an output signal to the output module; the output signals comprise instruction signals for outputting and controlling a common connection point switch, a cold-heat-electricity triple supply system cold and heat load equipment switching switch, a breaker switch and the like.
The attack detection module is used for extracting the state data of the cooling, heating and power of all combined cooling, heating and power supply systems sent by the measurement module, the input module and the communication module, extracting a characteristic data stream (influence factor) which can represent whether the combined cooling, heating and power supply grid-connected interface device is attacked or not from the state data, inputting the characteristic data stream into the Elman neural network model for real-time detection and classification and outputting a classification result; when the classified result has the characteristic data classified into the network attack class, generating an alarm and a log record according to the type of the network attack, sending the alarm and the log record to a control module, and intercepting the state data; when the feature data streams in the classification result are all classified into normal classes, directly sending the state data to the control module, and forwarding the state data to an upper layer by the control module through the communication module;
the characteristic data flow or the influence factor comprises voltage, current, active power and reactive power data of a public connection point, telemetering and remote adjusting data such as gas turbine power, cooling capacity and heating capacity, power information of a combined cooling heating and power generation unit, power consumption and other data;
the power supply module is used for providing working power supply for the device;
the communication module is used for connecting and communicating with the upper layer and the lower layer; the system comprises a communication module, lower-layer combined cooling heating and power supply control management unit equipment and an upper-layer scheduling center interactive data in a combined cooling heating and power supply system, and is mainly used for receiving and forwarding partial characteristic data (including telemetering and remote-adjusting data such as gas turbine power, cooling capacity and heating load, power information of a combined cooling heating and power supply power generation unit, environmental meteorological data and power consumption) in a data stream of the lower-layer combined cooling heating and power supply system and instruction information of a higher-layer scheduling center, data such as telecommand, telemetering and power consumption, and commands such as remote control on-off, remote adjustment and start-stop and the like, and then respectively sending the commands to a control module and/or an attack detection module;
the display module is used for displaying. The system comprises a display screen and/or an indicator light, wherein the display screen can realize human-computer interaction; the indicator light is a light source which can display various colors.
The alarm is used for displaying the type of the network attack on a display screen and/or displaying different types of the network attack through light sources with different colors of indicator lights.
The open-in module is used for collecting part of characteristic data in the data stream of the combined cooling heating and power system and sending the part of the characteristic data to the attack detection module; the system comprises an opening module, a switching-on/off module and a switching-on/off module, wherein the opening module is used for receiving the switching-on/off state information of a common connection point switch, a cold-heat-electricity triple supply system cold and heat load equipment switching switch, a circuit breaker switch and the like;
the output module is used for sending output signals sent by the control module, and the output signals comprise instruction signals for outputting control common connection point switches, cold and heat power triple supply system cold and heat load equipment switching switches, breaker switches and the like;
the memory is used for storing data, including state data of cold, heat and electricity supplied by cold, heat and electricity, alarm, log record, control program, electrical parameter information of voltage, current and the like of a public connection point, telemetering and remote adjusting data of power, cold/heat supply and the like of a gas turbine, state information of a public connection point switch, a cold and heat triple supply system load switching switch, a breaker switch and the like, user information and the like.
The control module is also used for sending the alarm and the log record to an upper layer and/or a memory for storage through the communication module.
The log records include attack occurrence time, invasion process information, attack types, and the like.
Before real-time detection and classification of the state data input into the Elman neural network model, the Elman neural network model needs to be trained, and the training is realized by adopting the following method:
as shown in fig. 4, a sample for the Elman neural network model training is obtained, the sample includes a positive sample and a negative sample, and the positive sample is a normal characteristic data stream capable of representing whether the combined cooling, heating and power supply grid-connected interface device is attacked or not; the negative sample is obtained after network attack is carried out on the normal characteristic data stream in the positive sample; and inputting the positive sample and the negative sample into an Elman neural network model for training to gradually correct the connection weight values of each layer of the Elman neural network and the threshold values of the nodes.
The Elman neural network model training is realized by the following steps:
firstly, inputting a sample into an Elman neural network model;
secondly, training the Elman neural network model, comprising the following steps:
(1) normalizing each hidden element by a sigmoid activation function into a probability value of the hidden elements being activated:
the sigmoid excitation function is:
Figure GDA0002691266970000151
wherein, the value of the e constant is 2.718, and x represents the value transmitted by the display layer multiplied by the connection weight plus the deviation of the hidden layer; the value transmitted by the display layer is sample data in an input sample, and the connection weight is the connection between neurons;
(2) calculating the probability of making the hidden element activated:
Figure GDA0002691266970000152
wherein, P (h)j=1|v0) Is the probability that the hidden element is activated, hjThe jth activated hidden element, v0Represents the initial layer development, viRepresents the ith primitive displayed as the value of sample data of a training sample in a training database, wn×mIs the connection weight between the display layer (input layer, receiving layer) and the hidden layer (representing the connection between the display layer and the hidden layer, the initialization of the connection weight w is from the random number of normal distribution N (0, 0.01), i.e. 0-0.01), m is the total number of display elements of the display layer, N is the total number of hidden elements of the hidden layer, j is the jth hidden element, c is the number of the hidden element of the hidden layerjIs the offset of the jth hidden element, and the hidden layer initial offset c is 0; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
each node in the neural network accepts an input value and passes the input value to the next layer, and the input node passes the input attribute value directly to the next layer. In a neural network, there is a functional relationship between the inputs and outputs of the hidden layer and output layer nodes, this function is called the activation function;
(3) calculating the probability of the display element being activated:
Figure GDA0002691266970000161
wherein: p (v)i=1|h0) Is the probability of activation of the indicator, viRepresents the ith activated display element after reconstruction, h0Representing the hidden layer (activated feature), hjRepresents the jth hidden element, Wn×mIs the connection weight between the explicit layer and the implicit layer, n is the total number of implicit elements of the implicit layer, i is the ith explicit element, b is the offset of the explicit element, the explicit layer offset is initialized to
Figure GDA0002691266970000162
Wherein p isiRepresenting the proportion of samples with the ith characteristic in an activated state in the training samples, wherein the characteristic is sample data in the samples; the hidden layer represents an activated feature;
(4) then, the reconstructed explicit element is used for calculating the probability of the activation of the implicit element to obtain a new implicit layer h', namely, the value of the activated implicit element in the step (2) is used as an input value to be multiplied by a corresponding connection weight value, the products are summed and then added with the deviation to obtain a result, namely, the reconstructed value, namely, the approximate value of the original input, the formula in the step (3) is used for calculating the probability of the activation of the explicit element, and then the reconstructed activation explicit element value is mapped to the implicit element
Figure GDA0002691266970000163
Wherein: p (h'j1| v ') is the probability that the hidden element is activated, h'jRepresents the j-th hidden element activated by the reconstructed display layer, v 'represents the reconstructed display layer, v'iRepresents the ith display element, the ith display element is a weightValue of post-construction epoch, Wn×mIs the weight between the display layer and the hidden layer (representing the relation between the display layer and the hidden layer), m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
(5) updating the offset weight value, wherein the updating formula is as follows:
△W=[P(h0=1|v0)v0 T-P(h′=1|v′)v′T]
Wnew=W+α△W
bi new=bi+α(vi-v′i)
cj new=cj+α[P(hj=1|v)-P(h′j=1|v′)]
Where Δ W represents a difference (error feedback) between the reconstructed display element and the input value, α is a learning efficiency value of 0.01, W is a random number of a connection weight before update (initialization of W is from a normal distribution N (0, 0.01), i.e., 0-0.01), and v is0After an initial display layer (i.e. sample data in the sample, such as values of input data of combustion engine power, generating capacity, electric energy quality, heating load, cooling supply information, grid-connected point voltage, current, power and the like) is given to a display element, v0 TIs v is0Transpose of h0Mapping the display layer to an activated hidden layer, and v 'is the reconstructed display layer, and then mapping the value of the reconstructed display layer to the hidden layer, and activating the hidden layer to obtain h'; p denotes the probability, P (h)0=1|v0) The representation indicates the probability of the hidden element being activated in the initial state; p (h '═ 1| v') represents the probability that a hidden element is activated after reconstruction; p (h)j1| v) denotes the probability that the jth hidden element is activated in the initial state; p (h'j1| v') denotes the probability that the jth hidden element is activated after reconstruction.
(6) After an initial display layer is fully trained, determining a connection weight and an offset of the training sample data;
(7) and (5) repeating the steps (1) and (6) until all sample data training is completed, and finally obtaining the trained Elman neural network model.
After the step (7), the Elman neural network model can be checked, any sample data is input into the trained Elman neural network model for model checking, and when the output result does not meet the expectation (namely the error precision is greater than 0.02), the steps (2) - (6) are repeated after the connection weight and the offset are modified until the output result meets the expectation. The expectation is the absolute value of the updated connection weight W.
The invention detects and classifies the characteristic data stream in the combined cooling heating and power system based on the Elman neural network to find out whether the characteristic data stream has network attack, thereby avoiding an attacker from further invading an upper-level system (a higher-level dispatching center) through a security vulnerability existing in a grid-connected interface device in the combined cooling heating and power system, and improving the information security and the operation reliability of the grid-connected interface device.

Claims (6)

1. An attack identification method based on an Elman neural network is characterized in that: the method comprises the following steps:
collecting state data of cooling, heating and power, and collecting characteristic data stream which can represent whether a combined cooling, heating and power grid-connected interface device is attacked or not in the state data, wherein the characteristic data stream comprises voltage, current, active power and reactive power data of a public connection point, telemetering and remote adjusting data of the power, cooling and heating capacity of a gas turbine, power information of a combined cooling, heating and power generation unit and power consumption data;
inputting the characteristic data stream into an Elman neural network model for real-time detection and outputting a detection classification result, and intercepting the state data and sending an alarm when the characteristic data classified into a network attack class exists in the classification result; when the characteristic data streams in the classification result are all classified into normal classes, forwarding the state data to a superior scheduling center;
before the first step, the Elman neural network model needs to be trained, and the training is realized by adopting the following modes:
firstly, inputting a sample into an Elman neural network model; the samples comprise positive samples and negative samples, and the positive samples are normal data capable of representing whether the combined cooling heating and power supply grid-connected interface device is attacked or not; the negative sample is obtained after network attack is carried out on normal data in the positive sample;
secondly, training the Elman neural network model, comprising the following steps:
(1) normalizing each hidden element by a sigmoid activation function into a probability value of the hidden elements being activated:
the sigmoid excitation function is:
Figure FDA0002691266960000011
wherein, the value of the e constant is 2.718, and x represents the value transmitted by the display layer multiplied by the connection weight plus the deviation of the hidden layer; the value transmitted by the display layer is sample data in an input sample, and the connection weight is the connection between neurons;
(2) calculating the probability of making the hidden element activated:
Figure FDA0002691266960000012
wherein, P (h)j=1|v0) Is the probability that the hidden element is activated, hjThe jth activated hidden element, v0Represents the initial layer development, viRepresents the ith primitive displayed as the value of sample data of a training sample in a training database, wn×mIs the connection weight between the display layer and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element, and the hidden layer initial offset c is 0; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer, and the initialization of the connection weight w is from a random number of normal distribution N (0, 0.01);
(3) calculating the probability of the display element being activated:
Figure FDA0002691266960000021
wherein: p (v)i=1|h0) Is the probability of activation of the indicator, viRepresents the ith activated display element after reconstruction, h0Represents a hidden layer, hjRepresents the jth hidden element, Wn×mIs the connection weight between the explicit layer and the implicit layer, n is the total number of implicit elements of the implicit layer, i is the ith explicit element, b is the offset of the explicit element, the explicit layer offset is initialized to
Figure FDA0002691266960000022
Wherein p isiRepresenting the proportion of samples with the ith characteristic in an activated state in the training samples, wherein the characteristic is sample data in the samples; the hidden layer represents an activated feature;
(4) then, calculating the probability of the activation of the hidden element by using the reconstructed apparent element again to obtain a new hidden layer h', namely, multiplying the value of the activated hidden element in the step (2) as an input value by a corresponding connection weight, summing the products, adding the products to the deviation to obtain a result, namely a reconstructed value, namely an original input approximate value, calculating the probability of the activation of the apparent element by using a formula in the step (3), and mapping the reconstructed value of the activated apparent element to the hidden element;
Figure FDA0002691266960000023
wherein: p (h'j1| v ') is the probability that the hidden element is activated, h'jRepresents the j-th hidden element activated by the reconstructed display layer, v 'represents the reconstructed display layer, v'iRepresents the ith display element, which is the value of the reconstructed display element, Wn×mIs the connection weight between the display layer and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element; connection right between the display layer and the hidden layerThe value is the relation between the explicit layer and the implicit layer;
(5) updating the offset weight value, wherein the updating formula is as follows:
ΔW=[P(h0=1|v0)v0 T-P(h′=1|v′)v′T]
Wnew=W+αΔW
bi new=bi+α(vi-v′i)
cj new=cj+α[P(hj=1|v)-P(h′j=1|v′)]
Wherein Δ W represents a difference between the reconstructed display element and the input value, α is a learning efficiency value of 0.01, W is a connection weight before update, and v is a connection weight before update0For initial development, v0 TIs v is0Transpose of h0Mapping the display layer to an activated hidden layer, and v 'is the reconstructed display layer, and then mapping the value of the reconstructed display layer to the hidden layer, and activating the hidden layer to obtain h'; the initial display layer is sample data in a sample;
(6) after an initial display layer is fully trained, determining a connection weight and an offset of the training sample data;
(7) and (5) repeating the steps (1) and (6) until all sample data training is completed, and finally obtaining the trained Elman neural network model.
2. The Elman neural network-based attack recognition method according to claim 1, wherein: and in the second step, when the state data is intercepted and an alarm is sent out, the state data is also intercepted and a log record is generated.
3. The Elman neural network-based attack recognition method according to claim 1, wherein: and (3) after the step (7), checking the Elman neural network model, inputting any sample data into the trained Elman neural network model for model checking, modifying the connection weight and the offset when the output result does not meet the expectation, and repeating the steps (2) - (6) until the output result meets the expectation, wherein the expectation is the absolute value of the updated connection weight W.
4. A grid-connected interface device is characterized in that: the device comprises a measuring module, a control module, an attack detection module, a power supply module, a communication module, a display module, an output module, an input module and a memory; the attack detection module is respectively connected with the input module, the measurement module, the power supply module and the communication module, the measurement module and the attack detection module perform analog-to-digital conversion through the AD conversion module, and the control module is respectively connected with the power supply module, the display module, the input module, the output module, the memory and the communication module;
the measuring module is used for measuring partial state data in the data stream of the combined cooling heating and power system and sending the partial state data to the attack detection module after AD conversion;
the control module is used for being connected and communicated with the upper layer and the lower layer through the communication module, receiving the alarm sent by the attack detection module and sending the alarm to the display module for displaying, and the control module also sends an output signal to the output module; the output signals comprise output control common connection point switches, cold and heat power triple supply system cold and heat load equipment switching switches and circuit breaker switch instruction signals;
the attack detection module is used for extracting the state data of the cooling, heating and power of all combined cooling, heating and power supply systems sent by the measurement module, the input module and the communication module, extracting a characteristic data stream which can represent whether the combined cooling, heating and power supply network-connected interface device is attacked or not from the state data, inputting the characteristic data stream into the Elman neural network model for real-time detection and classification and outputting a classification result, and when the classification result contains characteristic data which is classified into a network attack class, generating an alarm and a log record according to the type of the network attack and then sending the alarm and the log record to the control module, and intercepting the state data; when the feature data streams in the classification result are all classified into normal classes, directly sending the state data to the control module, and forwarding the state data to an upper layer by the control module through the communication module;
the power supply module is used for providing working power supply for the device;
the communication module is used for connecting and communicating with the upper layer and the lower layer;
the display module is used for displaying;
the open-in module is used for collecting part of characteristic data in the data stream of the combined cooling heating and power system and sending the part of the characteristic data to the attack detection module;
the opening module is used for sending an opening signal sent by the control module;
the memory is used for storing data;
before the attack detection module inputs the characteristic data stream into the Elman neural network model for real-time detection and classification, the Elman neural network model needs to be trained, and the training is realized by adopting the following mode:
firstly, inputting a sample into an Elman neural network model; the samples comprise positive samples and negative samples, and the positive samples are normal data capable of representing whether the combined cooling heating and power supply grid-connected interface device is attacked or not; the negative sample is obtained after network attack is carried out on normal data in the positive sample;
secondly, training the Elman neural network model, comprising the following steps:
(1) normalizing each hidden element by a sigmoid activation function into a probability value of the hidden elements being activated:
the sigmoid excitation function is:
Figure FDA0002691266960000041
wherein, the value of the e constant is 2.718, and x represents the value transmitted by the display layer multiplied by the connection weight plus the deviation of the hidden layer; the value transmitted by the display layer is sample data in an input sample, and the connection weight is the connection between neurons;
(2) calculating the probability of making the hidden element activated:
Figure FDA0002691266960000042
wherein, P (h)j=1|v0) Is the probability that the hidden element is activated, hjThe jth activated hidden element, v0Represents the initial layer development, viRepresents the ith primitive displayed as the value of sample data of a training sample in a training database, wn×mIs the connection weight between the display layer and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element, and the hidden layer initial offset c is 0; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer, and the initialization of the connection weight w is from a random number of normal distribution N (0, 0.01);
(3) calculating the probability of the display element being activated:
Figure FDA0002691266960000051
wherein: p (v)i=1|h0) Is the probability of activation of the indicator, viRepresents the ith activated display element after reconstruction, h0Represents a hidden layer, hjRepresents the jth hidden element, Wn×mIs the connection weight between the explicit layer and the implicit layer, n is the total number of implicit elements of the implicit layer, i is the ith explicit element, b is the offset of the explicit element, the explicit layer offset is initialized to
Figure FDA0002691266960000052
Wherein p isiRepresenting the proportion of samples with the ith characteristic in an activated state in the training samples, wherein the characteristic is sample data in the samples; the hidden layer represents an activated feature;
(4) then, calculating the probability of the activation of the hidden element by using the reconstructed apparent element again to obtain a new hidden layer h', namely, multiplying the value of the activated hidden element in the step (2) as an input value by a corresponding connection weight, summing the products, adding the products to the deviation to obtain a result, namely a reconstructed value, namely an original input approximate value, calculating the probability of the activation of the apparent element by using a formula in the step (3), and mapping the reconstructed value of the activated apparent element to the hidden element;
Figure FDA0002691266960000053
wherein: p (h'j1| v ') is the probability that the hidden element is activated, h'jRepresents the j-th hidden element activated by the reconstructed display layer, v 'represents the reconstructed display layer, v'iRepresents the ith display element, which is the value of the reconstructed display element, Wn×mIs the connection weight between the display layer and the hidden layer, m is the total number of display elements of the display layer, n is the total number of hidden elements of the hidden layer, j is the jth hidden element, cjIs the offset of the jth hidden element; the connection weight between the display layer and the hidden layer is the relation between the display layer and the hidden layer;
(5) updating the offset weight value, wherein the updating formula is as follows:
ΔW=[P(h0=1|v0)v0 T-P(h′=1|v′)v′T]
Wnew=W+αΔW
bi new=bi+α(vi-v′i)
cj new=cj+α[P(hj=1|v)-P(h′j=1|v′)]
Wherein Δ W represents a difference between the reconstructed display element and the input value, α is a learning efficiency value of 0.01, W is a connection weight before update, and v is a connection weight before update0For initial development, v0 TIs v is0Transpose of h0Mapping the display layer to an activated hidden layer, and v 'is the reconstructed display layer, and then mapping the value of the reconstructed display layer to the hidden layer, and activating the hidden layer to obtain h'; the initial display layer is sample data in a sample;
(6) after an initial display layer is fully trained, determining a connection weight and an offset of the training sample data;
(7) and (5) repeating the steps (1) and (6) until all sample data training is completed, and finally obtaining the trained Elman neural network model.
5. The grid-tied interface device according to claim 4, wherein: the control module is also used for sending the alarm and the log record to an upper layer and/or a memory for storage through the communication module.
6. The grid-tied interface device according to claim 4, wherein: and (3) after the step (7), checking the Elman neural network model, inputting any sample data into the trained Elman neural network model for model checking, modifying the connection weight and the offset when the output result does not meet the expectation, and repeating the steps (2) - (6) until the output result meets the expectation, wherein the expectation is the absolute value of the updated connection weight W.
CN201911343070.6A 2019-12-23 2019-12-23 Attack identification method based on Elman neural network and grid-connected interface device Active CN111045330B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911343070.6A CN111045330B (en) 2019-12-23 2019-12-23 Attack identification method based on Elman neural network and grid-connected interface device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911343070.6A CN111045330B (en) 2019-12-23 2019-12-23 Attack identification method based on Elman neural network and grid-connected interface device

Publications (2)

Publication Number Publication Date
CN111045330A CN111045330A (en) 2020-04-21
CN111045330B true CN111045330B (en) 2020-12-29

Family

ID=70238703

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911343070.6A Active CN111045330B (en) 2019-12-23 2019-12-23 Attack identification method based on Elman neural network and grid-connected interface device

Country Status (1)

Country Link
CN (1) CN111045330B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113010888B (en) * 2021-03-02 2022-04-19 电子科技大学 Neural network backdoor attack defense method based on key neurons
CN116827689B (en) * 2023-08-29 2023-11-14 成都雨云科技有限公司 Edge computing gateway data processing method based on artificial intelligence and gateway

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102393690A (en) * 2011-09-27 2012-03-28 浙江工业大学 Combined cooling heating and power distributed control system based on internet of things
CN104167763A (en) * 2014-09-04 2014-11-26 华电电力科学研究院 Distributed energy management method and distributed energy management device composed of ground layer, intermediate layer and energy management layer
CN105868629A (en) * 2016-03-29 2016-08-17 全球能源互联网研究院 Security threat situation assessment method suitable for electric power information physical system
CN109117636A (en) * 2018-06-19 2019-01-01 华电电力科学研究院有限公司 A kind of distributed energy resource system information security evaluation method that actual situation combines

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6708083B2 (en) * 2001-06-20 2004-03-16 Frederick L. Orthlieb Low-power home heating or cooling system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102393690A (en) * 2011-09-27 2012-03-28 浙江工业大学 Combined cooling heating and power distributed control system based on internet of things
CN104167763A (en) * 2014-09-04 2014-11-26 华电电力科学研究院 Distributed energy management method and distributed energy management device composed of ground layer, intermediate layer and energy management layer
CN105868629A (en) * 2016-03-29 2016-08-17 全球能源互联网研究院 Security threat situation assessment method suitable for electric power information physical system
CN109117636A (en) * 2018-06-19 2019-01-01 华电电力科学研究院有限公司 A kind of distributed energy resource system information security evaluation method that actual situation combines

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于小生镜和RBF-ELMAN网络的入侵检测方法;周丽娟;《山西大同大学学报(自然科学版)》;20181231;第34卷(第6期);第27-30页 *

Also Published As

Publication number Publication date
CN111045330A (en) 2020-04-21

Similar Documents

Publication Publication Date Title
Lin et al. Cyber attack and defense on industry control systems
Guo et al. Online data validation for distribution operations against cybertampering
JP2018185794A (en) Feature discovery of multiple models and multiple areas for detecting cyber threat in transmission network
Zhang Distributed network security framework of energy internet based on internet of things
CN111131237B (en) Microgrid attack identification method based on BP neural network and grid-connected interface device
Pour et al. A review on cyber security issues and mitigation methods in smart grid systems
CN111045330B (en) Attack identification method based on Elman neural network and grid-connected interface device
WO2006020882A1 (en) Anomaly-based intrusion detection
Chromik et al. Context-aware local Intrusion Detection in SCADA systems: a testbed and two showcases
Dorothy et al. Smart Grid Systems Based Survey on Cyber Security Issues
CN111144472A (en) Attack identification method based on GBDT algorithm and photovoltaic grid-connected interface device
CN111144549A (en) Microgrid attack identification method based on convolutional neural network and microgrid coordination controller
Fursov et al. Smart Grid and wind generators: an overview of cyber threats and vulnerabilities of power supply networks
Sadi et al. Time sequence machine learning-based data intrusion detection for smart voltage source converter-enabled power grid
CN111083151B (en) Attack identification method based on deep belief network and wind power management system
Huang et al. Real‐time distributed economic dispatch scheme of grid‐connected microgrid considering cyberattacks
Li et al. Research on key technologies of active defense for distribution internet of things service security
Hill et al. Using bro with a simulation model to detect cyber-physical attacks in a nuclear reactor
Leao et al. Machine learning-based false data injection attack detection and localization in power grids
CN111127251A (en) Attack identification method based on LSTM neural network and grid-connected interface device
CN110601261B (en) Microgrid controller service logic consistency analysis method based on sensing control logic
Wang et al. Intrusion detection model of SCADA using graphical features
Zhang et al. Key Technologies of Communication Security Detection between Heterogeneous Systems Based on Communication Gateway
CN117217848B (en) Energy storage transaction method, device and storage medium
Coutinho et al. A methodology to extract rules to identify attacks in power system critical infrastructure

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant