CN111049843A - Intelligent substation network abnormal flow analysis method - Google Patents
Publication number: CN111049843A (application number CN201911310556.XA)
Authority: CN (China)
Prior art keywords: network, address, data, intelligent substation, real
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention relates to the technical field of power transformation, and in particular to a method for analysing abnormal network traffic in an intelligent substation. The method comprises: S1, deploying a real-time capture system at a mirror port of the station control layer switch of the intelligent substation; S2, acquiring network packets in the real-time capture system and extracting their basic information; S3, establishing an IP address to MAC address correspondence rule from the substation configuration file; S4, comparing the destination address in each received packet with the MAC address established by the rule, and detecting abnormal traffic; S5, detecting abnormal protocols by acquiring real-time network packets and performing protocol matching; S6, judging the reasonableness and validity of the detection rule by observing whether the network packet analysis system outputs alarm information. The invention allows data to be screened conveniently, greatly reduces the workload of data analysis, improves working efficiency, and realises real-time reporting and alarm output of abnormal traffic information on the substation network.
Description
Technical Field
The invention relates to the technical field of power transformation, and in particular to a method for analysing abnormal network traffic in an intelligent substation.
Background
The intelligent substation uses advanced, reliable, integrated and environmentally friendly intelligent equipment. Taking station-wide digitisation of information, a networked communication platform and standardised information sharing as its basic requirements, it automatically performs the basic functions of information acquisition, measurement, control, protection, metering and monitoring, and also supports advanced functions such as real-time automatic control, intelligent adjustment, on-line analysis and decision-making, and cooperative interaction with the power grid. In recent years, with the development of smart grids, the construction of intelligent substations has been rolled out across China. The intelligent substation adopts a three-layer, two-network architecture, and all data exchange between devices takes place over the network. The Ukrainian power grid incident of 23 December 2015 is considered the first hacker intrusion in the world to have caused a grid outage, and it drew wide attention to industrial control security. Because the spread and damage caused by abnormal behaviour of all kinds (malicious attacks, virus programs, illegal access and the like) take place over the network, monitoring and analysing network traffic is currently one of the main means of effectively discovering and defending against abnormal network behaviour.
Patent application 201610202100.1 discloses a method for detecting abnormal traffic on an intelligent substation network that comprises the following steps: (1) configuring a mirror port on the substation switch and connecting to the substation network through that mirror port; (2) parsing the captured packets; (3) statistically analysing the accumulated packet information by source address and judging whether each source address shows abnormal traffic; (4) statistically analysing the accumulated packet information by source/destination address pair and judging whether abnormal traffic exists between each pair; (5) sending the abnormal information to the remote dispatching system, storing the accumulated packet information, returning to step (2) and starting a new round of abnormal traffic detection. That invention provides a real-time, reliable way of identifying abnormal traffic on the substation network and ultimately realises real-time reporting and alarm output of abnormal traffic information.
That patent document is directed at real-time reporting and alarm output of abnormal traffic information on the substation network; building on it, the present invention provides a method suited to analysing abnormal traffic on the intelligent substation network. Research into the analysis and preprocessing of the collected data is carried out, and a traffic data set for typical network intrusion modes together with a traffic characteristic data set of the communication system are provided for analysing the information security problems of the intelligent substation from the traffic perspective.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention discloses a method for analysing abnormal traffic on an intelligent substation network. Through research into the analysis and preprocessing of the collected data, it provides a traffic data set for typical network intrusion modes and a traffic characteristic data set of the communication system, for analysing the information security problems of the intelligent substation from the traffic perspective.
The invention is realised by the following technical scheme:
A method for analysing abnormal traffic on an intelligent substation network comprises the following steps:
S1, deploying a real-time capture system at a mirror port of the station control layer switch of the intelligent substation;
S2, acquiring network packets in the real-time capture system and extracting their basic information;
S3, establishing an IP address to MAC address correspondence rule from the substation configuration file;
S4, comparing the destination address in each received packet with the MAC address established by the rule, and detecting abnormal traffic;
S5, detecting abnormal protocols by acquiring real-time network packets and performing protocol matching;
S6, judging the reasonableness and validity of the detection rule by observing whether the network packet analysis system outputs alarm information.
Further, the real-time capture system uses a time-driven communication mode, in which sampled values are transmitted at fixed intervals.
Further, the information sent by the real-time capture system comprises the primary-side current analog signal and the primary-side voltage signal; the signals are acquired and converted into digital signals by a signal collector, the merging unit receives the digital signals transmitted over optical fibre and merges them, and the merged digital signal is then sent over Ethernet to the protection device at the bay level.
Further, during abnormal traffic detection, data on the bus is parsed as it is monitored, and whether a data frame is accepted is decided from the destination physical address obtained by parsing and the preset receiving mode of the network card; if the frame is accepted, an interrupt signal is generated to notify the CPU, otherwise the frame is discarded.
Further, during abnormal traffic detection, the filter parses the header values of each packet to obtain the source and destination IP addresses, parses the transport-layer header to obtain the source and destination port numbers, and parses the data link layer header to obtain the source and destination MAC addresses of the frame.
Further, when the network data is analysed, the filtering expression filters the packets sent and received by a specified host by that host's IP address, and likewise filters the packets sent and received by a specified host by the host's network MAC address.
Further, the filtering expression performs traffic filtering on the sending and receiving addresses of a specified network, host and protocol and on packets whose size lies in a specified range, and by combining conditions with relational operators it can filter packets that satisfy several specified conditions at once.
The beneficial effects of the invention are as follows:
The invention provides a method for analysing abnormal network traffic in an intelligent substation. Research into the analysis and preprocessing of the collected data is carried out; a traffic data set for typical network intrusion modes and a traffic characteristic data set of the communication system are provided for analysing the information security problems of the intelligent substation from the traffic perspective; data can be screened conveniently, the workload of data analysis is greatly reduced, working efficiency is greatly improved, and real-time reporting and alarm output of abnormal traffic information on the substation network are realised.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the principal steps of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, but not all, of the embodiments of the present invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
This embodiment discloses a method for analysing abnormal network traffic in an intelligent substation, shown in Fig. 1, which comprises the following steps:
S1, deploying a real-time capture system at a mirror port of the station control layer switch of the intelligent substation;
S2, acquiring network packets in the real-time capture system and extracting their basic information;
S3, establishing an IP address to MAC address correspondence rule from the substation configuration file;
S4, comparing the destination address in each received packet with the MAC address established by the rule, and detecting abnormal traffic;
S5, detecting abnormal protocols by acquiring real-time network packets and performing protocol matching;
S6, judging the reasonableness and validity of the detection rule by observing whether the network packet analysis system outputs alarm information.
The real-time capture system uses a time-driven communication mode and sends sampled values at fixed intervals. The information it sends comprises the primary-side current analog signal and voltage signal; these are acquired and converted into digital signals by a signal collector, the digital signals transmitted over optical fibre are merged by the merging unit, and the merged signal is then sent over Ethernet to the protection device at the bay level.
The traffic data is collected from the industrial control network of the intelligent substation. Traffic collection provides the data on which intrusion detection analysis depends, and it plays an irreplaceable role in the network intrusion detection system of the intelligent substation. Because the network bus connects all hosts, the communication on the bus can be monitored by every host; the data received by each machine is not necessarily addressed to that machine, and the volume of received data is huge.
Therefore, the screening function of keeping data addressed to this host and discarding useless data is realised mainly through the difference in MAC addresses: the destination address in each packet to be received is compared with the host's own MAC address; if they are the same the packet is accepted, otherwise it is discarded.
In a real network system the network card is chiefly responsible for sending and receiving data. When the network card monitors data on the bus it parses the data and decides, from the destination physical address obtained by parsing and the preset receiving mode of the card, whether to accept the data frame; if so, it generates an interrupt signal to notify the CPU, and if not, the frame is discarded.
The operating system then places the received data frame on a stack from which other programs can fetch it. This is the main flow of traffic collection by the network card.
During abnormal traffic detection, data on the bus is parsed as it is monitored, and whether a data frame is accepted is decided from the destination physical address obtained by parsing and the preset receiving mode of the network card; if accepted, an interrupt signal is generated to notify the CPU, otherwise the frame is discarded.
During abnormal traffic detection, the filter parses the header values of each packet to obtain the source and destination IP addresses, parses the transport-layer header to obtain the source and destination port numbers, and parses the data link layer header to obtain the source and destination MAC addresses of the frame.
In the network data analysis, the filtering expression filters the packets sent and received by a specified host by that host's IP address, and likewise filters the packets sent and received by a specified host by the host's network MAC address.
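The following is an added example, not code from the patent: it implements steps S3 to S5 over the header fields extracted above. The configuration entries, device names, addresses and protocol sets are invented stand-ins for the substation configuration file, and the packet records are a constructed capture.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the substation configuration file (input of step S3).
# Device names, addresses and protocol sets are invented for this example; a
# real deployment would derive them from the station's engineering files.
SUBSTATION_CONFIG = [
    {"name": "IED-P1", "ip": "192.168.1.11", "mac": "00:11:22:33:44:11", "protocols": {"MMS", "GOOSE"}},
    {"name": "IED-P2", "ip": "192.168.1.12", "mac": "00:11:22:33:44:12", "protocols": {"MMS", "GOOSE"}},
    {"name": "SCADA", "ip": "192.168.1.100", "mac": "00:11:22:33:44:64", "protocols": {"MMS"}},
]

@dataclass
class PacketInfo:
    """Basic information extracted from one captured packet (step S2).
    The IP fields are None for layer-2-only frames such as GOOSE."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    protocol: str
    length: int

def build_rules(config) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Step S3: IP -> MAC correspondence rule plus a per-device protocol whitelist."""
    ip_to_mac = {dev["ip"]: dev["mac"].lower() for dev in config}
    mac_protocols = {dev["mac"].lower(): set(dev["protocols"]) for dev in config}
    return ip_to_mac, mac_protocols

def is_group_mac(mac: str) -> bool:
    """Broadcast/multicast MACs (I/G bit set) are not bound to a single device."""
    return int(mac[:2], 16) & 1 == 1

def check_packet(pkt: PacketInfo, ip_to_mac: Dict[str, str],
                 mac_protocols: Dict[str, Set[str]]) -> List[str]:
    """Steps S4 and S5: address correspondence check, then protocol matching.
    Returns the alarm strings for this packet; an empty list means normal."""
    alarms: List[str] = []
    for role, ip, mac in (("src", pkt.src_ip, pkt.src_mac.lower()),
                          ("dst", pkt.dst_ip, pkt.dst_mac.lower())):
        if is_group_mac(mac):
            continue  # group address: there is no IP<->MAC binding to check
        if ip is None:  # layer-2 frame: the MAC itself must be a configured device
            if mac not in mac_protocols:
                alarms.append(f"{role} MAC {mac} not in configuration")
            continue
        expected = ip_to_mac.get(ip)
        if expected is None:
            alarms.append(f"{role} IP {ip} not in configuration")
        elif expected != mac:
            alarms.append(f"{role} IP {ip} carried by MAC {mac}, configured MAC is {expected}")
    # S5: a configured device may only use its own protocols; an unknown sender
    # may at most use a protocol that exists somewhere in the station.
    station_protocols = set().union(*mac_protocols.values())
    allowed = mac_protocols.get(pkt.src_mac.lower(), station_protocols)
    if pkt.protocol not in allowed:
        alarms.append(f"protocol {pkt.protocol} not expected from {pkt.src_mac.lower()}")
    return alarms

def analyse(packets: List[PacketInfo], config=SUBSTATION_CONFIG) -> Dict[int, List[str]]:
    """Run the detection rule over a capture; maps packet index -> its alarms."""
    ip_to_mac, mac_protocols = build_rules(config)
    result: Dict[int, List[str]] = {}
    for i, pkt in enumerate(packets):
        alarms = check_packet(pkt, ip_to_mac, mac_protocols)
        if alarms:
            result[i] = alarms
    return result

# Constructed capture: a normal MMS request, an IP carried by the wrong MAC,
# an unconfigured host using a non-substation protocol, a normal GOOSE frame,
# and a configured host using a protocol it is not engineered for.
SAMPLE_CAPTURE = [
    PacketInfo("00:11:22:33:44:64", "00:11:22:33:44:11", "192.168.1.100", "192.168.1.11", "MMS", 118),
    PacketInfo("00:aa:bb:cc:dd:ee", "00:11:22:33:44:64", "192.168.1.11", "192.168.1.100", "MMS", 96),
    PacketInfo("00:aa:bb:cc:dd:ee", "00:11:22:33:44:12", "192.168.1.200", "192.168.1.12", "HTTP", 74),
    PacketInfo("00:11:22:33:44:12", "01:0c:cd:01:00:01", None, None, "GOOSE", 180),
    PacketInfo("00:11:22:33:44:64", "01:0c:cd:01:00:01", None, None, "GOOSE", 180),
]

if __name__ == "__main__":
    for idx, alarms in analyse(SAMPLE_CAPTURE).items():
        for alarm in alarms:
            print(f"packet {idx}: ALARM {alarm}")
```

Whether each alarm is reasonable is exactly the step S6 check: a rule that fires on the normal MMS or GOOSE frames would need its configuration corrected before deployment.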
All newly generated data streams on the network are captured by putting the network card into promiscuous mode. Only part of this mass of data is needed, so the captured traffic must be filtered: useful data is retained and irrelevant data discarded, which further improves working efficiency. Traffic filtering mainly consists of the relevant data filtering mechanism, function syntax and the like; with this method data screening can be carried out conveniently, greatly reducing the workload of data analysis and greatly improving working efficiency.
The filtering expression performs traffic filtering on the sending and receiving addresses of a specified network, host and protocol and on packets whose size lies in a specified range, and by combining conditions with relational operators it can filter packets that satisfy several specified conditions at once.
The invention provides a method for analysing abnormal network traffic in an intelligent substation. Research into the analysis and preprocessing of the collected data is carried out; a traffic data set for typical network intrusion modes and a traffic characteristic data set of the communication system are provided for analysing the information security problems of the intelligent substation from the traffic perspective; data can be screened conveniently, the workload of data analysis is greatly reduced, working efficiency is greatly improved, and real-time reporting and alarm output of abnormal traffic information on the substation network are realised.
The above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
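As an added illustration of the filtering expressions just described (not the patent's own code), the composable predicates below mirror the pcap-style primitives for host, MAC, network, protocol and packet size, combined with and/or/not. The packet records and addresses are constructed for the example.

```python
import ipaddress
from typing import Any, Callable, Dict, List

# A captured packet reduced to the basic information extracted in step S2.
Packet = Dict[str, Any]
# A filter is a predicate over one packet; filters compose with and/or/not.
Filter = Callable[[Packet], bool]

def host(ip: str) -> Filter:
    """Packets sent or received by the host with this IP address."""
    return lambda p: ip in (p.get("src_ip"), p.get("dst_ip"))

def src_host(ip: str) -> Filter:
    return lambda p: p.get("src_ip") == ip

def dst_host(ip: str) -> Filter:
    return lambda p: p.get("dst_ip") == ip

def ether_host(mac: str) -> Filter:
    """Packets sent or received by the host with this MAC address."""
    mac = mac.lower()
    return lambda p: mac in (p["src_mac"].lower(), p["dst_mac"].lower())

def net(cidr: str) -> Filter:
    """Packets with either IP address inside the given network; layer-2-only
    frames (no IP header) never match."""
    network = ipaddress.ip_network(cidr, strict=False)
    return lambda p: any(a is not None and ipaddress.ip_address(a) in network
                         for a in (p.get("src_ip"), p.get("dst_ip")))

def proto(name: str) -> Filter:
    return lambda p: p["protocol"] == name

def greater(n: int) -> Filter:
    """Packets of at least n bytes (pcap 'greater' semantics)."""
    return lambda p: p["length"] >= n

def less(n: int) -> Filter:
    """Packets of at most n bytes (pcap 'less' semantics)."""
    return lambda p: p["length"] <= n

def all_of(*fs: Filter) -> Filter:   # relational 'and'
    return lambda p: all(f(p) for f in fs)

def any_of(*fs: Filter) -> Filter:   # relational 'or'
    return lambda p: any(f(p) for f in fs)

def not_(f: Filter) -> Filter:       # relational 'not'
    return lambda p: not f(p)

def apply_filter(f: Filter, packets: List[Packet]) -> List[int]:
    """Indices of the packets that pass the filter."""
    return [i for i, p in enumerate(packets) if f(p)]

# Constructed sample capture with invented addresses.
CAPTURE: List[Packet] = [
    {"src_mac": "00:11:22:33:44:64", "dst_mac": "00:11:22:33:44:11", "src_ip": "192.168.1.100", "dst_ip": "192.168.1.11", "protocol": "MMS", "length": 118},
    {"src_mac": "00:11:22:33:44:11", "dst_mac": "00:11:22:33:44:64", "src_ip": "192.168.1.11", "dst_ip": "192.168.1.100", "protocol": "MMS", "length": 1280},
    {"src_mac": "00:11:22:33:44:12", "dst_mac": "01:0c:cd:01:00:01", "src_ip": None, "dst_ip": None, "protocol": "GOOSE", "length": 180},
    {"src_mac": "00:aa:bb:cc:dd:ee", "dst_mac": "00:11:22:33:44:11", "src_ip": "10.0.0.5", "dst_ip": "192.168.1.11", "protocol": "HTTP", "length": 74},
]

# Filters for the cases the description lists: host IP, host MAC, network,
# protocol, size range, and a combination of several conditions.
FILTERS: Dict[str, Filter] = {
    "host 192.168.1.11": host("192.168.1.11"),
    "ether host 00:11:22:33:44:12": ether_host("00:11:22:33:44:12"),
    "net 192.168.1.0/24": net("192.168.1.0/24"),
    "proto MMS": proto("MMS"),
    "greater 100 and less 200": all_of(greater(100), less(200)),
    "dst host 192.168.1.11 and not proto MMS": all_of(dst_host("192.168.1.11"), not_(proto("MMS"))),
}

if __name__ == "__main__":
    for expr, f in FILTERS.items():
        print(f"{expr:45s} -> packets {apply_filter(f, CAPTURE)}")
```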
Claims (7)
1. A method for analysing abnormal traffic on an intelligent substation network, characterized in that it comprises the following steps:
S1, deploying a real-time capture system at a mirror port of the station control layer switch of the intelligent substation;
S2, acquiring network packets in the real-time capture system and extracting their basic information;
S3, establishing an IP address to MAC address correspondence rule from the substation configuration file;
S4, comparing the destination address in each received packet with the MAC address established by the rule, and detecting abnormal traffic;
S5, detecting abnormal protocols by acquiring real-time network packets and performing protocol matching;
S6, judging the reasonableness and validity of the detection rule by observing whether the network packet analysis system outputs alarm information.
2. The method for analysing abnormal traffic on an intelligent substation network according to claim 1, characterized in that the real-time capture system transmits sampled values at fixed intervals in a time-driven communication mode.
3. The method for analysing abnormal traffic on an intelligent substation network according to claim 2, characterized in that the information sent by the real-time capture system comprises the primary-side current analog signal and voltage signal; the signals are acquired and converted into digital signals by the signal collector, the merging unit receives the digital signals transmitted over optical fibre and merges them, and the merged digital signal is then sent over Ethernet to the protection device at the bay level.
4. The method for analysing abnormal traffic on an intelligent substation network according to claim 1, characterized in that during abnormal traffic detection, data on the bus is parsed as it is monitored, and whether a data frame is accepted is decided from the destination physical address obtained by parsing and the preset receiving mode of the network card; if so, an interrupt signal is generated to notify the CPU, and if not, the data frame is discarded.
5. The method for analysing abnormal traffic on an intelligent substation network according to claim 1, characterized in that during abnormal traffic detection, the filter parses the header values of each packet to obtain the source and destination IP addresses, parses the transport-layer header to obtain the source and destination port numbers, and parses the data link layer header to obtain the source and destination MAC addresses of the frame.
6. The method for analysing abnormal traffic on an intelligent substation network according to claim 5, characterized in that during network data analysis, the filtering expression filters the packets sent and received by a specified host by that host's IP address, and likewise filters the packets sent and received by a specified host by the host's network MAC address.
7. The method for analysing abnormal traffic on an intelligent substation network according to claim 6, characterized in that the filtering expression performs traffic filtering on the sending and receiving addresses of a specified network, host and protocol and on packets whose size lies in a specified range, and by combining conditions with relational operators it can filter packets that satisfy several specified conditions at once.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911310556.XA CN111049843A (en) | 2019-12-18 | 2019-12-18 | Intelligent substation network abnormal flow analysis method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111049843A true CN111049843A (en) | 2020-04-21 |
Family
ID=70237689
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111049843A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104579818A (en) * | 2014-12-01 | 2015-04-29 | 国家电网公司 | Detection method of network anomaly message of intelligent substation |
CN105871847A (en) * | 2016-04-01 | 2016-08-17 | 国网江苏省电力公司电力科学研究院 | Intelligent substation network abnormal flow detection method |
Non-Patent Citations (4)
Title |
---|
姜海涛; 王黎明; 周超; 郭静: "Intelligent substation network anomaly analysis method" * |
徐书欣; 赵景: "Working mechanism and implementation of sniffer software on Unix systems" * |
李可竞: "Networking of the intelligent substation secondary system" * |
邹澎涛; 刘洁: "Data filtering methods in WinPcap" * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111343211B (en) * | 2020-05-21 | 2020-10-16 | 四川英得赛克科技有限公司 | Intelligent analysis control method, system, medium and equipment based on network traffic |
CN111343211A (en) * | 2020-05-21 | 2020-06-26 | 四川英得赛克科技有限公司 | Intelligent analysis control method, system, medium and equipment based on network traffic |
CN112202646A (en) * | 2020-12-03 | 2021-01-08 | 观脉科技(北京)有限公司 | Flow analysis method and system |
CN112202646B (en) * | 2020-12-03 | 2021-02-26 | 观脉科技(北京)有限公司 | Flow analysis method and system |
CN113612721A (en) * | 2021-01-05 | 2021-11-05 | 青岛鼎信通讯股份有限公司 | Intelligent message analysis method based on power line carrier communication |
CN112769867A (en) * | 2021-02-05 | 2021-05-07 | 国网福建省电力有限公司电力科学研究院 | Safety assessment method for transformer substation simulation equipment |
CN113285937A (en) * | 2021-05-17 | 2021-08-20 | 国网山东省电力公司电力科学研究院 | Safety audit method and system based on traditional substation configuration file and IEC103 protocol flow |
CN113542221A (en) * | 2021-06-15 | 2021-10-22 | 四川英得赛克科技有限公司 | Method and system for judging tampering of sensor data of intelligent substation, electronic equipment and storage medium |
CN113542221B (en) * | 2021-06-15 | 2023-11-03 | 四川英得赛克科技有限公司 | Method and system for judging falsification of sensor data of intelligent substation, electronic equipment and storage medium |
CN113555962A (en) * | 2021-07-27 | 2021-10-26 | 国网山西省电力公司临汾供电公司 | Method for quickly capturing and intelligently completing information of substation automation system |
CN114513369A (en) * | 2022-04-18 | 2022-05-17 | 远江盛邦(北京)网络安全科技股份有限公司 | Deep message detection-based internet of things behavior analysis method and system |
CN114513369B (en) * | 2022-04-18 | 2022-07-08 | 远江盛邦(北京)网络安全科技股份有限公司 | Deep packet inspection-based internet of things behavior analysis method and system |
CN115913642A (en) * | 2022-10-19 | 2023-04-04 | 云南电网有限责任公司 | Network threat protection method and device for power substation |
CN115913642B (en) * | 2022-10-19 | 2024-09-03 | 云南电网有限责任公司 | Network threat protection method and device for power transformer substation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |