CN111131237A - Microgrid attack identification method based on BP neural network and grid-connected interface device - Google Patents

Abstract

The invention provides a microgrid attack identification method based on a BP neural network, which comprises the steps of collecting photovoltaic data flow; preprocessing the characteristic data; inputting the preprocessed feature data into a BP neural network model for real-time detection and classification and outputting classification results, wherein the classification results comprise a normal class and a network attack class, and the network attack class is classified according to specific features of network attack behaviors, and comprises Dos (denial of service) attack, unauthorized access attack, abnormal detection of an interface end, Trojan virus attack, data forgery and falsification such as electrical quantity and meteorological quantity, and attack types such as electric quantity stealing and the like; judging whether the classification result has a network attack class, if so, adopting a corresponding alarm mechanism to simultaneously generate log records and intercept the characteristic data stream according to the type of the network attack; otherwise, forwarding to the upper layer normally. The invention also provides a grid-connected interface device. Compared with the prior art, the safe and reliable operation of the micro-grid is ensured.

Description

Microgrid attack identification method based on BP neural network and grid-connected interface device

Technical Field

The invention relates to a power grid system, in particular to a microgrid attack identification method based on a BP neural network and a grid-connected interface device.

Background

In order to meet diversified power supply requirements of users at the present stage, improve power utilization reliability and strengthen comprehensive utilization of renewable energy sources such as wind energy and solar energy, a concept of a microgrid is provided. Microgrid: the micro-grid is a small power generation and distribution system consisting of a distributed power supply, an energy storage device, an energy conversion device, a load, a monitoring and protection device and the like. The microgrid integrates an energy storage device, a power electronic device, related loads, monitoring and protecting devices and the like, can operate in an island mode to independently supply power to the loads, and can also operate in a grid-connected mode to realize bidirectional flow of energy.

With the large-scale development and utilization of new energy in domestic and foreign markets, the photovoltaic power generation technology is mature day by day. In recent years, the national support policy for the photovoltaic industry is continuously issued, so that the photovoltaic power generation technology is continuously improved. On one hand, the photovoltaic power generation has small scale and large quantity, and is unstable and intermittent depending on conditions such as environmental climate, so that when a large number of photovoltaic devices are connected into a power grid, the running state information of the photovoltaic devices needs to be timely and accurately acquired, and the running state data of the photovoltaic power generation devices are uploaded to a superior dispatching center through a grid-connected interface device. On the other hand, with the intellectualization and informatization of the power grid, various network attack means emerge endlessly, and the photovoltaic grid-connected interface device relates to an open operating environment and is easily subjected to various attacks, which endanger the confidentiality, integrity and availability of information.

The photovoltaic grid-connected interface device (grid-connected interface device) is an important intelligent device in the microgrid, and is an important bridge for communicating with a lower layer (an inverter and other intelligent devices) and an upper layer (an operation monitoring master station and a scheduling center) besides functions of built-in protection, measurement, automatic control, power quality monitoring and the like. By measuring the running state information of each photovoltaic power generation unit, the running state information is used as an internal electric energy quality monitoring system of the device on one hand, and on the other hand, the running state information needs to be uploaded to the upper layer through the communication module. Therefore, the authenticity and reliability of data acquired by the photovoltaic grid-connected interface device and the safety and stability of the operation of the photovoltaic grid-connected interface device are related to the safe and reliable operation of the whole microgrid system. Under the background of power grid intellectualization and informatization, a photovoltaic grid-connected interface device relates to an open operating environment, various safety risks exist depending on a network information interaction mode, an attacker can analyze a communication protocol in the device or realize eavesdropping attack, Dos attack, sensitive data tampering and the like on the device, and the photovoltaic grid-connected interface device does not have a perfect information safety protection mechanism and an intrusion tolerance function, so that the photovoltaic grid-connected interface device cannot acquire real and effective data; an attacker can also gradually invade the upper-layer control system by taking the photovoltaic grid-connected interface device as a springboard; the attacker can also take the security hole as a breach, and occupy network resources of the attacker or interfere normal communication of the attacker by means of manufacturing a large amount of useless data or repeatedly sending requests and the like. In the conventional grid-connected interface device, a hacker can easily distribute various attacks thereto according to a known security hole. For example, a large amount of useless data can be manufactured to cause network congestion in a grid-connected interface device area, so that the grid-connected interface device area cannot normally communicate with an upper level and a lower level; the defects of repeated connection are processed on a transmission protocol of the grid-connected interface device, and aggressive repeated connection requests are sent out at high frequency repeatedly, so that the grid-connected interface device cannot process other normal requests in time; injecting a trojan into the grid-connected interface device, and using the trojan as a springboard to gradually invade the upper system; according to the defects of a transmission protocol of a grid-connected interface device, transmitting malformed attack data repeatedly, such as the purpose of stealing electric charge by tampering with electricity data, the real-time electric price manipulation, and the environment monitoring system misjudgment caused by tampering with meteorological data, and further causing an upper-layer controller (a photovoltaic operation monitoring master station or a dispatching center) to wrongly distribute a large amount of system resources, thereby directly influencing the safe and stable operation of a power grid. Therefore, it is important to improve the active attack detection and immunity of piconets.

Disclosure of Invention

The invention aims to provide a microgrid attack identification method based on a BP (Back propagation) neural network and a grid-connected interface device, and aims to solve the technical problem of ensuring safe and reliable operation of a microgrid.

In order to solve the problems, the invention adopts the following technical scheme: a microgrid attack identification method based on a BP neural network comprises the following steps:

step one, collecting photovoltaic data flow; the photovoltaic data stream comprises characteristic data capable of representing whether the grid-connected interface device is attacked or not;

secondly, preprocessing the characteristic data;

inputting the preprocessed feature data into a BP neural network model for real-time detection and classification and outputting classification results, wherein the classification results comprise normal classes and network attack classes, and the network attack classes are classified according to specific features of network attack behaviors, including Dos (denial of service) attacks, unauthorized access attacks, abnormal detection of an interface end, Trojan virus attacks, data forgery and falsification of electrical quantities, meteorological quantities and the like, attack types of stealing electrical quantities and the like;

step four, judging whether the classification result has a network attack type, if so, adopting a corresponding alarm mechanism to simultaneously generate log records and intercept the characteristic data stream according to the network attack type; otherwise, forwarding to the upper layer normally.

Further, the fourth step also includes sending alarm information to the upper layer.

Further, in step three, before inputting the preprocessed feature data into the BP neural network model for real-time detection and classification, the BP neural network model needs to be trained, which includes:

(1) initializing parameters of the BP neural network;

(2) and calculating the output of each node of the hidden layer:

where L is the L-th node of the hidden layer, L is 1,2, …, L); l is the number of hidden layer nodes; m is the mth node of the input layer, M is 1,2, … and M, and M is the number of nodes of the input layer; omega_mlThe connection weight value from the input layer to the hidden layer; x is the number of_mlThe input of the hidden layer specifically refers to an input sample value; delta_lA threshold value of each node of the hidden layer; f. of₁Activating a function for sigmoid;

(3) calculating the output of the output layer:

wherein, w_ljThe connection weight value from the hidden layer to the output layer; j is the jth node of the output layer, J is 1,2, … and J, and J is the number of nodes of the output layer (the number of nodes of the output layer is equal to the number of classifications); sigma_jIs the threshold value of each node of the output layer; f. of₂Activating a function for softmax such that the output a of the output layer_jIs corresponding to normal and various attack classesProbability value of type, and

the sum of the probabilities that the sample belongs to normal and various attacks is 1;

(4) calculating the error between the actual output and the desired output using a log-likelihood loss function:

wherein K is the classification number (K ═ 6); y is_i、a_iThe label value and the actual output of the ith class of the sample are respectively;

(5) judging whether the error is less than or equal to e_err，e_errIf yes, the step (7) is carried out; otherwise, entering a reverse propagation stage, and turning to the step (6);

(6) reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method, and updating the weight and the threshold;

(7) judging whether all samples are trained, if so, entering the step (8) to finish the training; otherwise, carrying out the next iteration and turning to the step (2);

(8) after training, outputting the connection weight omega between nodes of each layer_ml、w_ljAnd threshold δ of each layer node_l、σ_jAnd obtaining the trained BP neural network model.

Further, the step (6) of calculating the weight of each layer and the threshold of each layer node reversely by using a gradient descent method specifically includes the following steps:

the calculation and updating of the weight of each layer comprises: firstly, gradient calculation is carried out on weights from a hidden layer to an output layer:

wherein L is a log-likelihood loss function; w is a_ljFor the connection weight between the hidden layer to the output layer, Δ w_ljIs the weight gradient from the hidden layer to the output layer;

and then updating the weight from the hidden layer to the output layer:

w'_lj＝w_lj-ηΔw_lj；

wherein L is a loss function; w'_ljη (η is 0.01) is the learning rate;

and then, performing gradient calculation on the weights from the input layer to the hidden layer:

wherein L is a loss function; omega_mlThe connection weight value from the input layer to the hidden layer; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

then, updating the weights from the input layer to the hidden layer:

ω'_ml＝ω_ml-ηΔω_ml，

wherein, ω is_mlThe connection weight value from the input layer to the hidden layer, η is the learning rate (η ═ 0.01); omega'_mlThe updated connection weight value between the input layer and the hidden layer is obtained; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

the calculating and updating of the threshold values of the nodes of each layer comprises the following steps:

first, the output layer threshold gradient is calculated:

wherein L is a loss function; sigma_jIs the threshold value of each node of the output layer; delta sigma_jIs the output layer threshold gradient;

and updating the threshold value of the output layer:

σ'_j＝σ_j-ηΔσ_j；

wherein σ_jIs the threshold value of each node of the output layer; sigma'_jIs the updated output layer threshold; delta sigma_jη is learning rate (η ═ 0.01);

then the hidden layer threshold gradient is calculated:

wherein L is a loss function; delta_lA threshold value of each node of the hidden layer; delta delta_lA hidden layer threshold gradient;

then, the hidden layer threshold is updated:

δ'_l＝δ_l-ηΔδ_l；

wherein, delta_lA threshold value of each node of the hidden layer; delta 'of'_lIs the updated hidden layer threshold; delta delta_lThe hidden layer threshold gradient, η the learning rate (η ═ 0.01).

The invention also discloses a grid-connected interface device, which comprises a control module, a detection module, a power module, a communication module, a display module, an output module, an input module, an alternating current acquisition module and a memory, wherein the detection module is connected with the detection module through an AD conversion module, the detection module is also connected with the input module, the power module, the communication module and the control module, and the control module is respectively connected with the power module, the display module, the output module, the memory and the communication module, wherein:

the control module is used for being connected and communicated with the upper layer and the lower layer through the communication module, receiving partial characteristic data in the photovoltaic data stream sent by the lower layer, sending the partial characteristic data to the detection module for real-time detection and classification, receiving an alarm signal and a log record sent by the detection module, and sending an output signal to the output module;

the communication module is used for connecting and communicating with the upper layer and the lower layer;

the opening module is used for collecting part of characteristic data in the photovoltaic data stream and sending the part of characteristic data to the detection module; (ii) a

The alternating current acquisition module is used for acquiring partial characteristic data in the photovoltaic data stream, and transmitting the partial characteristic data to the detection module after AD conversion;

the display module is used for receiving and displaying;

the memory is used for storing;

the detection module is used for preprocessing all photovoltaic data streams sent by the alternating current acquisition module, the open-in module and the communication module, inputting the preprocessed characteristic data into the BP neural network model for real-time detection and classification and outputting a classification result, judging whether the classification result has a network attack class or not, if so, sending a corresponding alarm signal to the control module according to the type of the network attack, generating a log record, sending the log record to the control module, intercepting the characteristic data streams, and generating an alarm prompt by the control module according to the alarm signal and outputting the alarm prompt to the display module for display; otherwise, the photovoltaic data stream is directly sent to the control module, and the control module forwards the photovoltaic data stream to an upper layer through the communication module;

further, the control module is used for communicating the classification result and the log record to be sent to an upper layer after the alarm prompt is generated.

Further, the detection module inputs the preprocessed feature data into the BP neural network model, and needs to train the BP neural network model before real-time detection and classification, and the method includes:

(1) initializing parameters of the BP neural network;

(2) and calculating the output of each node of the hidden layer:

where L is the L-th node of the hidden layer, L is 1,2, …, L); l is the number of hidden layer nodes; m is the mth node of the input layer, M is 1,2, … and M, and M is the number of nodes of the input layer; omega_mlThe connection weight value from the input layer to the hidden layer; x is the number of_mlThe input of the hidden layer specifically refers to an input sample value; delta_lA threshold value of each node of the hidden layer; f. of₁Activating a function for sigmoid;

(3) calculating the output of the output layer:

wherein, w_ljThe connection weight value from the hidden layer to the output layer; j is the jth node of the output layer, J is 1,2, … and J, and J is the number of nodes of the output layer (the number of nodes of the output layer is equal to the number of classifications); sigma_jIs the threshold value of each node of the output layer; f. of₂Activating a function for softmax such that the output a of the output layer_jIs a probability value corresponding to normal and various attack types, and has

The sum of the probabilities that the sample belongs to normal and various attacks is 1;

(4) calculating the error between the actual output and the desired output using a log-likelihood loss function:

wherein K is the classification number (K ═ 6); y is_i、a_iThe label value and the actual output of the ith class of the sample are respectively;

(5) judging whether the error is less than or equal to e_err，e_errIf yes, the step (7) is carried out; otherwise, entering a reverse propagation stage, and turning to the step (6);

(6) reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method, and updating the weight and the threshold;

(7) judging whether all samples are trained, if so, entering the step (8) to finish the training; otherwise, carrying out the next iteration and turning to the step (2);

(8) after training, outputting the connection weight omega between nodes of each layer_ml、w_ljAnd threshold δ of each layer node_l、σ_jAnd obtaining the trained BP neural network model.

Further, the step (6) of calculating the weight of each layer and the threshold of each layer node reversely by using a gradient descent method specifically includes the following steps:

the calculation and updating of the weight of each layer comprises: firstly, gradient calculation is carried out on weights from a hidden layer to an output layer:

wherein L is a log-likelihood loss function; w is a_ljFor the connection weight between the hidden layer to the output layer, Δ w_ljIs the weight gradient from the hidden layer to the output layer;

and then updating the weight from the hidden layer to the output layer:

w'_lj＝w_lj-ηΔw_lj；

wherein L is a loss function; w'_ljη (η is 0.01) is the learning rate;

and then, performing gradient calculation on the weights from the input layer to the hidden layer:

wherein L is a loss function; omega_mlThe connection weight value from the input layer to the hidden layer; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

then, updating the weights from the input layer to the hidden layer:

ω'_ml＝ω_ml-ηΔω_ml，

wherein, ω is_mlThe connection weight value from the input layer to the hidden layer, η is the learning rate (η ═ 0.01); omega'_mlThe updated connection weight value between the input layer and the hidden layer is obtained; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

the calculating and updating of the threshold values of the nodes of each layer comprises the following steps:

first, the output layer threshold gradient is calculated:

wherein L is a loss function; sigma_jIs the threshold value of each node of the output layer; delta sigma_jAs output layer thresholdA gradient;

and updating the threshold value of the output layer:

σ'_j＝σ_j-ηΔσ_j；

wherein σ_jIs the threshold value of each node of the output layer; sigma'_jIs the updated output layer threshold; delta sigma_jη is learning rate (η ═ 0.01);

then the hidden layer threshold gradient is calculated:

wherein L is a loss function; delta_lA threshold value of each node of the hidden layer; delta delta_lA hidden layer threshold gradient;

then, the hidden layer threshold is updated:

δ'_l＝δ_l-ηΔδ_l；

wherein, delta_lA threshold value of each node of the hidden layer; delta 'of'_lIs the updated hidden layer threshold; delta delta_lThe hidden layer threshold gradient, η the learning rate (η ═ 0.01).

Compared with the prior art, the method adopts a BP neural network model to detect and classify the state data collected by the grid-connected interface device in real time, intercepts the data attacked by the network to realize active immunity, and prevents attackers from further invading the upper layer through the security holes of the grid-connected interface device, thereby ensuring the safe and reliable operation of the microgrid.

Drawings

Fig. 1 is a structure diagram of a photovoltaic power transmission and grid connection system in the prior art.

Fig. 2 is a flow chart of the present invention.

FIG. 3 is a schematic diagram of a BP neural network model in the present invention.

FIG. 4 is a flow chart of BP neural network model training of the present invention.

Fig. 5 is a block diagram showing the configuration of the grid-connected interface device according to the present invention.

Detailed Description

The present invention will be described in further detail with reference to the accompanying drawings and examples.

As shown in fig. 1, a photovoltaic power generation grid-connected system structure in a microgrid system in the prior art includes a photovoltaic grid-connected interface device (grid-connected interface device), which is connected to communication bridges of an upper layer (an operation monitoring master station, a scheduling center) and a lower layer (a photovoltaic inverter (inverter) controller, an environment detection instrument, and other intelligent devices). The method comprises the steps of collecting information quantity data such as voltage, current, active power and reactive power for the lower part (an inverter controller, a meteorological monitoring device and a PCC), obtaining environmental meteorological information data of an environmental detection instrument in a communication mode, receiving related remote signaling data from a lower-layer inverter controller, and transmitting related remote adjusting and starting and stopping commands of an upper layer to the lower part. And the upper layer (a photovoltaic operation monitoring main station or a dispatching center) is also used for transmitting environmental weather, power generation and power quality information, and data such as voltage, current and power of a grid-connected point in real time, wherein in the figure 1, a dotted line with an arrow is a communication line, a solid line with an arrow is an information acquisition line, and a solid line is a primary power line.

Pcc (common connection point) in fig. 1: a point of common connection, more than one customer load connection in the power system.

As shown in fig. 2, the invention discloses a microgrid attack identification method based on a BP neural network, which comprises the following steps:

step one, collecting photovoltaic data flow; the photovoltaic data stream comprises characteristic data (influence factors) capable of representing whether the grid-connected interface device is attacked or not, wherein the characteristic data comprises voltage, current, frequency, active power, reactive power, power factor data, remote signaling, remote measurement, power consumption data, remote control on-off, remote regulation and start-stop commands of a public connection point, output power, load power, environmental weather (temperature, light intensity, weather) data and the like of a photovoltaic power generation unit (a photovoltaic array in figure 1);

preprocessing the feature data, wherein the preprocessing comprises digitization, normalization and feature extraction;

the feature extraction is to extract features that can represent the operating state of the photovoltaic grid-connected interface device most, for example, the number of times of a request and an instruction sent to the photovoltaic grid-connected interface device by a certain intelligent device, the number of times of data errors sent to the photovoltaic grid-connected interface device by a certain device, the number of times of data sent to the photovoltaic grid-connected interface device by a certain device under different communication protocols, and the like. By extracting the characteristics which can represent the operation state of the photovoltaic grid-connected interface device most, the complexity of neural network model training can be reduced, and the accuracy of model detection can be improved;

actually acquired data includes both a numeric variable and a character variable (such as a communication protocol type), so that the character variable needs to be digitized;

in the data after the digitization processing, the numerical values of the features have great difference, so that the phenomenon that the small features are covered by the large features is easy to occur, and the rapidity and the accuracy of the neural network training are not facilitated, therefore, the features need to be normalized and mapped into a [0, 1] interval, and the normalization formula is as follows:

y＝(x-min)/(max-min)；

wherein, x and y are characteristic values (i.e. characteristic values) before and after normalization, and max and min are the maximum value and the minimum value of each characteristic.

Inputting the preprocessed feature data into a BP neural network model for real-time detection and classification and outputting classification results, wherein the classification results comprise normal classes and network attack classes, and the network attack classes are classified according to specific features of network attack behaviors, including Dos (denial of service) attacks, unauthorized access attacks, abnormal detection of an interface end, Trojan virus attacks, data forgery and falsification of electrical quantities, meteorological quantities and the like, attack types of stealing electrical quantities and the like; for example, if the pv grid-connected interface device is attacked by Dos, the value (i.e., the number of times) of the characteristic of the request and the command sent by a certain intelligent device to the pv grid-connected interface device is significantly greater than the number of times of the request and the command under normal conditions; if the photovoltaic grid-connected interface device is attacked by data tampering, the value (namely, the number) of the characteristic of the number of errors sent to the photovoltaic grid-connected interface device by a certain intelligent device is obviously greater than the number of errors under normal conditions; the BP neural network model can detect the abnormal characteristic, so that the Dos attack or data tampering attack type is output; the normal class is normal data of which the data is not attacked by the network;

step four, judging whether the classification result has a network attack type, if so, adopting a corresponding alarm mechanism to simultaneously generate log records and intercept the characteristic data stream according to the network attack type; otherwise, forwarding to the upper layer normally.

The alarm mechanism is specifically used for carrying out corresponding alarm prompt according to the type of the network attack, the alarm prompt can be displayed by a display lamp or a display screen, and when the alarm prompt is displayed by the display lamp, the light with different colors is set to correspond to different types of the network attack; if the attack type information is displayed on the display screen, the attack type information is displayed;

the fourth step also comprises sending alarm information to the upper layer; the alarm information is of a type of being attacked by a network, so that the alarm information needs to inform the photovoltaic grid-connected interface device that the photovoltaic grid-connected interface device is attacked and what kind of attack the photovoltaic grid-connected interface device is attacked, so that the upper layer can know the running state of the photovoltaic grid-connected interface device and can conveniently issue a correct instruction; all the system administrator needs to do after receiving the alarm information (through the indicator light or the display interface) is to deal with the attack.

In the third step, the preprocessed feature data is input into the BP neural network model and needs to be trained before real-time detection and classification.

The BP neural network model training is realized by adopting the following method: as shown in fig. 3, the training of the BP neural network consists of two stages, forward propagation and backward propagation; firstly, initializing connection weight values among layers and threshold values of nodes of the layers, and giving expected output. The method comprises the steps of forward propagation, namely inputting training data to an input layer, processing the training data one by one through layers of a hidden layer, then outputting the training data through an output layer, finally calculating an error between actual output and expected output of the output layer at this time, entering a backward propagation stage if the error does not meet an expectation, namely, backward propagation of the error, and distributing the error to all nodes of each layer, wherein the nodes of each layer finish threshold value and correction of a connection weight value according to error self-adaptation until the error meets the expectation. The samples for training the BP neural network comprise positive samples and negative samples, namely, data streams containing attack behaviors are used as the negative samples, and normal data streams are used as the positive samples. And gradually correcting the connection weight value between each layer of the BP neural network and the threshold value of each layer of the node through training.

As shown in fig. 4, the method specifically includes the following steps:

(1): initializing parameters of the BP neural network: the node numbers M, L and J of the input layer, the hidden layer and the output layer of the BP neural network are initialized; setting a network structure as three layers, namely an input layer, a hidden layer and an output layer; random initialization weight omega by Gaussian distribution random function_ml、w_ljThreshold δ of hidden layer, output layer_l、σ_j(ii) a Given training error accuracy e_err(0.02) and a learning rate η (0.01), randomly (randomly) selecting a sample (positive sample or negative sample) from a training sample group and inputting the sample into a BP neural network model, setting an expected output, namely marking the sample with a classification label to tell the model what type should be output for the sample, and using y in the scheme_kWith {0, 1} indicating whether or not it belongs to the kth category, 1 indicates yes, and 0 indicates no. 1, 2., 6, representing a total of 6 classes: normal type, Dos attack, unauthorized access attack, abnormal detection of an interface end, Trojan virus attack and message tampering attack;

(2): and calculating the output of each node of the hidden layer:

where L is the L-th node of the hidden layer, L is 1,2, …, L); l is the number of hidden layer nodes; m is the mth node of the input layer, M is 1,2, … and M, and M is the number of nodes of the input layer; omega_mlThe connection weight value from the input layer to the hidden layer; x is the number of_mlThe input of the hidden layer specifically refers to an input sample value; delta_lFor sections of hidden layersA threshold value of a point; f. of₁Activating a function for sigmoid;

(3): calculating the output of the output layer:

wherein, w_ljThe connection weight value from the hidden layer to the output layer; j is the jth node of the output layer, J is 1,2, … and J, and J is the number of nodes of the output layer (the number of nodes of the output layer is equal to the number of classifications); sigma_jIs the threshold value of each node of the output layer; f. of₂Activating a function for softmax such that the output a of the output layer_jIs a probability value corresponding to normal and various attack types, and has

The sum of the probabilities that the sample belongs to normal and various attacks is 1;

(4): calculating the error between the actual output and the desired output using a log-likelihood loss function:

wherein K is the classification number (K ═ 6); y is_i、a_iThe label value (expected output) and actual output of the ith class of the sample;

(5): judging whether the error is less than or equal to e_err(e_errIf yes, the step is shifted to step (7); otherwise, entering a reverse propagation stage, and turning to the step (6);

(6): reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method, and updating the weight and the threshold;

the step (6) of reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method specifically comprises the following steps:

the calculation and updating of the weight of each layer comprises: firstly, gradient calculation is carried out on weights from a hidden layer to an output layer:

wherein L is a log-likelihood loss function; w is a_ljFor the connection weight between the hidden layer to the output layer, Δ w_ljIs the weight gradient from the hidden layer to the output layer;

and then updating the weight from the hidden layer to the output layer:

w'_lj＝w_lj-ηΔw_lj；

wherein L is a loss function; w'_ljη (η is 0.01) is the learning rate;

and then, performing gradient calculation on the weights from the input layer to the hidden layer:

wherein L is a loss function; omega_mlThe connection weight value from the input layer to the hidden layer; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

then, updating the weights from the input layer to the hidden layer:

ω'_ml＝ω_ml-ηΔω_ml，

wherein, ω is_mlThe connection weight value from the input layer to the hidden layer, η is the learning rate (η ═ 0.01); omega'_mlThe updated connection weight value between the input layer and the hidden layer is obtained; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

the calculating and updating of the threshold values of the nodes of each layer comprises the following steps:

first, the output layer threshold gradient is calculated:

wherein L is a loss function; sigma_jIs the threshold value of each node of the output layer; delta sigma_jIs the output layer threshold gradient;

and updating the threshold value of the output layer:

σ'_j＝σ_j-ηΔσ_j；

wherein σ_jIs the threshold value of each node of the output layer; sigma'_jIs the updated output layer threshold; delta sigma_jη is learning rate (η ═ 0.01);

then the hidden layer threshold gradient is calculated:

wherein L is a loss function; delta_lA threshold value of each node of the hidden layer; delta delta_lA hidden layer threshold gradient;

then, the hidden layer threshold is updated:

δ'_l＝δ_l-ηΔδ_l；

wherein, delta_lA threshold value of each node of the hidden layer; delta 'of'_lIs the updated hidden layer threshold; delta delta_lη is the learning rate (η ═ 0.01);

(7): judging whether all samples are trained, if so, entering the step (8) to finish the training; otherwise, carrying out the next iteration and turning to the step (2);

(8): after training, outputting the connection weight omega between nodes of each layer_ml、w_ljAnd threshold δ of each layer node_l、σ_jAnd obtaining the trained BP neural network model.

When the network is trained, each neuron assigns a weight to the corresponding input, and the weight depends on the importance degree of the corresponding input; each layer is configured with a bias term that introduces non-linearity into the output of the neuron. For the technical scheme, because the problem of multi-classification is solved, the output layer activation function adopts a softmax function, so that the output of the output layer is the probability of normal and various attack types, and the sum of output values is ensured to be 1; then, after each sample is input into the network, the probability of normal and various attack types is finally output through the processing of the input layer, the hidden layer and the output layer. For example, after a certain attacked sample (message tampering attack, negative sample) is input into the network for processing, the final output is a normal type and a Dos attack, and the probabilities of an unauthorized access attack, an abnormal detection at an interface end, a trojan virus attack, and a message tampering attack are respectively: 0.03, 0.02, 0.01, 0.90; and the desired output of the network is: 0.0, 0 and 1, calculating the error between the actual output and the expected output, and if the error meets the requirement (less than or equal to the set error precision of 0.02), then learning the next sample; otherwise, indicating that the weight and the threshold of each layer in the network do not meet the set error requirement, performing back propagation on the error according to the steps in the training process, and updating the weight and the threshold; then, a new round of learning is carried out, and finally, the output probability becomes: 0.015, 0.01, 0.005, 0.015, 0.95; and calculating the error again, and if the error meets the requirement at the moment, outputting the corresponding attack type with the highest probability as the attack type of the sample, namely the sample is the sample attacked by the message tampering. After all samples are trained, the obtained final weight and threshold are the optimal parameter values of the model capable of classifying the training samples as accurately as possible, and the model has certain prediction capability on similar samples (real-time data).

The BP neural network has good adaptivity, self-learning, nonlinear mapping and characteristic induction capabilities, and has great advantages in the aspects of detection speed, detection accuracy, capability of coping with various attack detections and the like compared with the traditional methods such as pattern matching, statistical analysis and the like.

As shown in fig. 5, the present invention further discloses a grid-connected interface device, which includes a control module, a detection module, a power module, a communication module, a display module, an output module, an input module, an ac acquisition module, and a memory, wherein the detection module is connected to the detection module via an AD conversion module (AD), the detection module is further connected to the input module, the power module, the communication module, and the control module is respectively connected to the power module, the display module, the output module, the memory, and the communication module, wherein:

the control module is used for being connected and communicated with the upper layer and the lower layer through the communication module, receiving partial characteristic data in the photovoltaic data stream sent by the lower layer, sending the partial characteristic data to the detection module for real-time detection and classification, receiving an alarm signal and a log record sent by the detection module, and sending an output signal to the output module; the output signals comprise instruction signals for outputting a control common connection point switch, a load switching switch of the photovoltaic power generation system, a breaker switch and the like;

the communication module is used for connecting and communicating with the upper layer and the lower layer; the interactive data of the communication module, intelligent equipment such as a lower-layer inverter controller and an environment monitoring instrument in a photovoltaic power generation grid-connected system, an upper-layer photovoltaic operation monitoring main station and a scheduling center are mainly used for receiving and forwarding part of characteristic data (including state information of the intelligent equipment, output power, load power, environmental weather (temperature, light intensity, and) data and the like) in a photovoltaic data stream from a lower layer and instruction information of the upper-layer photovoltaic operation monitoring main station and the scheduling center, and remote signaling, remote measurement, power consumption and the like of the lower layer are mainly used for transmitting remote switching value and protection signals; remote measurement is remote measurement, such as load flow, line current and voltage and the like; the electricity consumption mainly refers to electricity meter data;

the opening module is used for collecting part of characteristic data in the photovoltaic data stream and sending the part of characteristic data to the detection module; the switching-on/off state information of a public connection point switch, a load switching switch of a photovoltaic power generation system, a breaker switch and the like is received by the switching-on/off module;

the alternating current acquisition module is used for acquiring partial characteristic data (including analog quantities such as voltage and current of a public connection point, photovoltaic power generation units in a photovoltaic power generation system and load analog quantities) in the photovoltaic data stream, and transmitting the partial characteristic data to the detection module after AD conversion;

the display module is used for receiving and displaying, and can be a display screen and/or an indicator light, and the display screen can realize human-computer interaction; the indicator light is a light source capable of displaying various colors;

the storage is used for storing photovoltaic data flow, alarm information, classification results, log records, control programs, electrical parameter information such as voltage and current of a public connection point, state information such as a public connection point switch, a cold and hot triple supply system load switching switch and a circuit breaker switch, user information and the like;

the detection module is used for preprocessing all photovoltaic data streams sent by the alternating current acquisition module, the open-in module and the communication module, inputting the preprocessed characteristic data into the BP neural network model for real-time detection and classification and outputting a classification result, judging whether the classification result has a network attack class or not, if so, sending a corresponding alarm signal to the control module according to the type of the network attack, generating a log record, sending the log record to the control module, intercepting the characteristic data streams, and generating an alarm prompt by the control module according to the alarm signal and outputting the alarm prompt to the display module for display; otherwise, the photovoltaic data stream is directly sent to the control module, and the control module forwards the photovoltaic data stream to an upper layer through the communication module;

the alarm signal is of a type of sending network attacks to the control module, the alarm prompt can be displayed by a control indicator lamp or a display screen, and when the control indicator lamp is displayed, light with different colors is set to correspond to different types of network attacks; and if the attack type information is displayed on the display screen, displaying the attack type information.

The control module is also used for communicating the classification result and the log record to be sent to an upper layer after generating the alarm prompt; the alarm information is of a type of being attacked by a network, so that the alarm information needs to inform the photovoltaic grid-connected interface device that the photovoltaic grid-connected interface device is attacked and what kind of attack the photovoltaic grid-connected interface device is attacked, so that the upper layer can know the running state of the photovoltaic grid-connected interface device and can conveniently issue a correct instruction; all the system administrator needs to do after receiving the alarm information (through the indicator light or the display interface) is to deal with the attack.

The classification result comprises a normal class and a network attack class, and the network attack class is classified according to the specific characteristics of network attack behaviors, including Dos (denial of service) attacks, unauthorized access attacks, abnormal detection of an interface end, Trojan virus attacks, data forgery and falsification such as electric quantity and meteorological phenomena, and attack types such as electric quantity stealing and the like; for example, if the pv grid-connected interface device is attacked by Dos, the value (i.e., the number of times) of the characteristic of the request and the command sent by a certain intelligent device to the pv grid-connected interface device is significantly greater than the number of times of the request and the command under normal conditions; if the photovoltaic grid-connected interface device is attacked by data tampering, the value (namely, the number) of the characteristic of error data sent to the photovoltaic grid-connected interface device by a certain intelligent device is obviously greater than the number of errors under normal conditions; the BP neural network model can detect the abnormal characteristic, so that the Dos attack or data tampering attack type is output; the normal class is normal data of which data is not attacked by a network.

The photovoltaic data stream includes characteristic data (influence factors) capable of representing whether the grid-connected interface device is attacked or not, and the characteristic data includes voltage, current, frequency, active power, reactive power, power factor data, remote signaling, remote measurement, power consumption data, remote control switching-on and switching-off, remote regulation and start-stop commands of a public connection point, output power, load power, environmental weather (temperature, light intensity, weather) data and the like of a photovoltaic power generation unit (a photovoltaic array in fig. 1).

Preprocessing the feature data, wherein the preprocessing comprises digitization, normalization and feature extraction;

the feature extraction is to extract features that can represent the operating state of the photovoltaic grid-connected interface device most, for example, the number of times of a request and an instruction sent to the photovoltaic grid-connected interface device by a certain intelligent device, the number of times of data errors sent to the photovoltaic grid-connected interface device by a certain device, the number of times of data sent to the photovoltaic grid-connected interface device by a certain device under different communication protocols, and the like. By extracting the characteristics which can represent the operation state of the photovoltaic grid-connected interface device most, the complexity of neural network model training can be reduced, and the accuracy of model detection can be improved;

actually acquired data includes both a numeric variable and a character variable (such as a communication protocol type), so that the character variable needs to be digitized;

in the data after the digitization processing, the numerical values of the features have great difference, so that the phenomenon that the small features are covered by the large features is easy to occur, and the rapidity and the accuracy of the neural network training are not facilitated, therefore, the features need to be normalized and mapped into a [0, 1] interval, and the normalization formula is as follows:

y＝(x-min)/(max-min)；

wherein, x and y are characteristic values (i.e. characteristic values) before and after normalization, and max and min are the maximum value and the minimum value of each characteristic.

Before the detection module inputs the preprocessed feature data into the BP neural network model for real-time detection and classification, the BP neural network model is trained, and the training is realized by adopting the following method:

as shown in fig. 3, the training of the BP neural network consists of two stages, forward propagation and backward propagation; firstly, initializing connection weight values among layers and threshold values of nodes of the layers, and giving expected output. The method comprises the steps of forward propagation, namely inputting training data to an input layer, processing the training data one by one through layers of a hidden layer, then outputting the training data through an output layer, finally calculating an error between actual output and expected output of the output layer at this time, entering a backward propagation stage if the error does not meet an expectation, namely, backward propagation of the error, and distributing the error to all nodes of each layer, wherein the nodes of each layer finish threshold value and correction of a connection weight value according to error self-adaptation until the error meets the expectation. The samples for training the BP neural network comprise positive samples and negative samples, namely, data streams containing attack behaviors are used as the negative samples, and normal data streams are used as the positive samples. And gradually correcting the connection weight value between each layer of the BP neural network and the threshold value of each layer of the node through training.

As shown in fig. 4, the method specifically includes the following steps:

(1): initializing parameters of the BP neural network: i.e. initializing the BP nerveNode numbers M, L and J of the input layer, hidden layer, and output layer of the network; setting a network structure as three layers, namely an input layer, a hidden layer and an output layer; random initialization weight omega by Gaussian distribution random function_ml、w_ljThreshold δ of hidden layer, output layer_l、σ_j(ii) a Given training error accuracy e_err(0.02) and a learning rate η (0.01), randomly (randomly) selecting a sample (positive sample or negative sample) from a training sample group and inputting the sample into a BP neural network model, setting an expected output, namely marking the sample with a classification label to tell the model what type should be output for the sample, and using y in the scheme_kWith {0, 1} indicating whether or not it belongs to the kth category, 1 indicates yes, and 0 indicates no. 1, 2., 6, representing a total of 6 classes: normal type, Dos attack, unauthorized access attack, abnormal detection of an interface end, Trojan virus attack and message tampering attack;

the sample group comprises a positive sample and a negative sample, wherein the positive sample is formed by normal characteristic data, and the negative sample is generated after the normal characteristic data is subjected to network attack.

(2): and calculating the output of each node of the hidden layer:

where L is the L-th node of the hidden layer, L is 1,2, …, L); l is the number of hidden layer nodes; m is the mth node of the input layer, M is 1,2, … and M, and M is the number of nodes of the input layer; omega_mlThe connection weight value from the input layer to the hidden layer; x is the number of_mlThe input of the hidden layer specifically refers to an input sample value; delta_lA threshold value of each node of the hidden layer; f. of₁Activating a function for sigmoid;

(3): calculating the output of the output layer:

wherein, w_ljThe connection weight value from the hidden layer to the output layer; j is the jth node of the output layer, J is 1,2, … and J, and J is the number of nodes of the output layer (the number of nodes of the output layer is equal to the number of classifications); sigma_jIs the threshold value of each node of the output layer; f. of₂Activating a function for softmax such that the output a of the output layer_jIs a probability value corresponding to normal and various attack types, and has

The sum of the probabilities that the sample belongs to normal and various attacks is 1;

(4): calculating the error between the actual output and the desired output using a log-likelihood loss function:

wherein K is the classification number (K ═ 6); y is_i、a_iThe label value (expected output) and actual output of the ith class of the sample;

(5): judging whether the error is less than or equal to e_err(e_errIf yes, the step is shifted to step (7); otherwise, entering a reverse propagation stage, and turning to the step (6);

(6): reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method, and updating the weight and the threshold;

the step (6) adopts a gradient descent method to reversely calculate the weight of each layer and the threshold of each layer node, and specifically adopts the following steps:

the calculation and updating of the weight of each layer comprises: firstly, gradient calculation is carried out on weights from a hidden layer to an output layer:

wherein L is a log-likelihood loss function; w is a_ljFor the connection weight between the hidden layer to the output layer, Δ w_ljIs the weight gradient from the hidden layer to the output layer;

and then updating the weight from the hidden layer to the output layer:

w'_lj＝w_lj-ηΔw_lj；

wherein L is a loss function; w'_ljη (η is 0.01) is the learning rate;

and then, performing gradient calculation on the weights from the input layer to the hidden layer:

wherein L is a loss function; omega_mlThe connection weight value from the input layer to the hidden layer; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

then, updating the weights from the input layer to the hidden layer:

ω'_ml＝ω_ml-ηΔω_ml，

wherein, ω is_mlThe connection weight value from the input layer to the hidden layer, η is the learning rate (η ═ 0.01); omega'_mlThe updated connection weight value between the input layer and the hidden layer is obtained; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

the calculating and updating of the threshold values of the nodes of each layer comprises the following steps:

first, the output layer threshold gradient is calculated:

wherein L is a loss function; sigma_jIs the threshold value of each node of the output layer; delta sigma_jIs the output layer threshold gradient;

and updating the threshold value of the output layer:

σ'_j＝σ_j-ηΔσ_j；

wherein σ_jIs the threshold value of each node of the output layer; sigma'_jIs the updated output layer threshold; delta sigma_jη is learning rate (η ═ 0.01);

then the hidden layer threshold gradient is calculated:

wherein L is a loss function; delta_lA threshold value of each node of the hidden layer; delta delta_lA hidden layer threshold gradient;

then, the hidden layer threshold is updated:

δ'_l＝δ_l-ηΔδ_l；

wherein, delta_lA threshold value of each node of the hidden layer; delta 'of'_lIs the updated hidden layer threshold; delta delta_lη is the learning rate (η ═ 0.01);

(7): judging whether all samples in the sample group are trained, if so, entering the step (8) to finish the training; otherwise, carrying out the next iteration and turning to the step (2);

(8): after training, outputting the connection weight omega between nodes of each layer_ml、w_ljAnd threshold δ of each layer node_l、σ_jAnd obtaining the trained BP neural network model.

When the network is trained, each neuron assigns a weight to the corresponding input, and the weight depends on the importance degree of the corresponding input; each layer is configured with a bias term that introduces non-linearity into the output of the neuron. For the technical scheme, because the problem of multi-classification is solved, the output layer activation function adopts a softmax function, so that the output of the output layer is the probability of normal and various attack types, and the sum of output values is ensured to be 1; then, after each sample is input into the network, the probability of normal and various attack types is finally output through the processing of the input layer, the hidden layer and the output layer. For example, after a certain attacked sample (message tampering attack, negative sample) is input into the network for processing, the final output is a normal type and a Dos attack, and the probabilities of an unauthorized access attack, an abnormal detection at an interface end, a trojan virus attack, and a message tampering attack are respectively: 0.03, 0.02, 0.01, 0.90; and the desired output of the network is: 0.0, 0 and 1, calculating the error between the actual output and the expected output, and if the error meets the requirement (less than or equal to the set error precision of 0.02), then learning the next sample; otherwise, indicating that the weight and the threshold of each layer in the network do not meet the set error requirement, performing back propagation on the error according to the steps in the training process, and updating the weight and the threshold; then, a new round of learning is carried out, and finally, the output probability becomes: 0.015, 0.01, 0.005, 0.015, 0.95; and calculating the error again, and if the error meets the requirement at the moment, outputting the corresponding attack type with the highest probability as the attack type of the sample, namely the sample is the sample attacked by the message tampering. After all samples are trained, the obtained final weight and threshold are the optimal parameter values of the model capable of classifying the training samples as accurately as possible, and the model has certain prediction capability on similar samples (real-time data).

The invention adopts a BP neural network model to detect and classify the characteristic data in the photovoltaic data flow in real time, thereby being capable of timely knowing whether the data in the characteristic data is attacked by the network or not, intercepting the data to realize active immunity, avoiding the attacker from further invading the upper layer through the security loophole existing in the grid-connected interface device, and further ensuring the safe and reliable operation of the micro-grid.

Claims (8)

1. A microgrid attack identification method based on a BP neural network is characterized in that: the method comprises the following steps:

step one, collecting photovoltaic data flow; the photovoltaic data stream comprises characteristic data which can represent whether the grid-connected interface device is attacked or not;

secondly, preprocessing the characteristic data;

inputting the preprocessed feature data into a BP neural network model for real-time detection and classification and outputting classification results, wherein the classification results comprise normal classes and network attack classes, and the network attack classes are classified according to specific features of network attack behaviors, including Dos (denial of service) attacks, unauthorized access attacks, abnormal detection of an interface end, Trojan virus attacks, data forgery and falsification of electrical quantities, meteorological quantities and the like, attack types of stealing electrical quantities and the like;

step four, judging whether the classification result has a network attack type, if so, adopting a corresponding alarm mechanism to simultaneously generate log records and intercept the characteristic data stream according to the network attack type; otherwise, forwarding to the upper layer normally.

2. The microgrid attack identification method based on the BP neural network as claimed in claim 1, wherein: and step four, sending alarm information to the upper layer.

3. The microgrid attack identification method based on the BP neural network as claimed in claim 1, wherein: in the third step, before inputting the preprocessed feature data into the BP neural network model for real-time detection and classification, the BP neural network model also needs to be trained, which includes:

(1) initializing parameters of the BP neural network;

(2) and calculating the output of each node of the hidden layer:

where L is the L-th node of the hidden layer, L is 1,2, …, L); l is the number of hidden layer nodes; m is the mth node of the input layer, M is 1,2, … and M, and M is the number of nodes of the input layer; omega_mlThe connection weight value from the input layer to the hidden layer; x is the number of_mlThe input of the hidden layer specifically refers to an input sample value; delta_lA threshold value of each node of the hidden layer; f. of₁Activating for sigmoidA function;

(3) calculating the output of the output layer:

wherein, w_ljThe connection weight value from the hidden layer to the output layer; j is the jth node of the output layer, J is 1,2, … and J, and J is the number of nodes of the output layer (the number of nodes of the output layer is equal to the number of classifications); sigma_jIs the threshold value of each node of the output layer; f. of₂Activating a function for softmax such that the output a of the output layer_jIs a probability value corresponding to normal and various attack types, and has

The sum of the probabilities that the sample belongs to normal and various attacks is 1;

(4) calculating the error between the actual output and the desired output using a log-likelihood loss function:

wherein K is the classification number (K ═ 6); y is_i、a_iThe label value and the actual output of the ith class of the sample are respectively;

(5) judging whether the error is less than or equal to e_err，e_errIf yes, the step (7) is carried out; otherwise, entering a reverse propagation stage, and turning to the step (6);

(6) reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method, and updating the weight and the threshold;

(7) judging whether all samples are trained, if so, entering the step (8) to finish the training; otherwise, carrying out the next iteration and turning to the step (2);

(8) after training, outputting the connection weight omega between nodes of each layer_ml、w_ljAnd threshold δ of each layer node_l、σ_jAnd obtaining the trained BP neural network model.

4. The microgrid attack identification method based on the BP neural network is characterized in that: the step (6) of reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method specifically comprises the following steps:

the calculation and updating of the weight of each layer comprises: firstly, gradient calculation is carried out on weights from a hidden layer to an output layer:

wherein L is a log-likelihood loss function; w is a_ljFor the connection weight between the hidden layer to the output layer, Δ w_ljIs the weight gradient from the hidden layer to the output layer;

and then updating the weight from the hidden layer to the output layer:

w'_lj＝w_lj-ηΔw_lj；

wherein L is a loss function; w'_ljη (η is 0.01) is the learning rate;

and then, performing gradient calculation on the weights from the input layer to the hidden layer:

wherein L is a loss function; omega_mlThe connection weight value from the input layer to the hidden layer; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

then, updating the weights from the input layer to the hidden layer:

ω'_ml＝ω_ml-ηΔω_ml，

wherein, ω is_mlThe connection weight value from the input layer to the hidden layer, η is the learning rate (η ═ 0.01); omega'_mlThe updated connection weight value between the input layer and the hidden layer is obtained; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

the calculating and updating of the threshold values of the nodes of each layer comprises the following steps:

first, the output layer threshold gradient is calculated:

wherein L is a loss function; sigma_jIs the threshold value of each node of the output layer; delta sigma_jIs the output layer threshold gradient;

and updating the threshold value of the output layer:

σ'_j＝σ_j-ηΔσ_j；

wherein σ_jIs the threshold value of each node of the output layer; sigma'_jIs the updated output layer threshold; delta sigma_jη is learning rate (η ═ 0.01);

then the hidden layer threshold gradient is calculated:

wherein L is a loss function; delta_lA threshold value of each node of the hidden layer; delta delta_lA hidden layer threshold gradient;

then, the hidden layer threshold is updated:

δ'_l＝δ_l-ηΔδ_l；

wherein, delta_lA threshold value of each node of the hidden layer; delta 'of'_lIs the updated hidden layer threshold; delta delta_lThe hidden layer threshold gradient, η the learning rate (η ═ 0.01).

5. A grid-connected interface device is characterized in that: including control module, detection module, power module, communication module, display module, division module, switching module, exchange collection module, memory, detection module is connected with detection module through AD conversion module, and detection module still with division module, power module, communication module and control module are connected, and control module then is connected with power module, display module, division module, memory and communication module respectively, wherein:

the control module is used for being connected and communicated with the upper layer and the lower layer through the communication module, receiving partial characteristic data in the photovoltaic data stream sent by the lower layer, sending the partial characteristic data to the detection module for real-time detection and classification, receiving an alarm signal and a log record sent by the detection module, and sending an output signal to the output module;

the communication module is used for connecting and communicating with the upper layer and the lower layer;

the opening module is used for collecting part of characteristic data in the photovoltaic data stream and sending the part of characteristic data to the detection module; (ii) a

The alternating current acquisition module is used for acquiring partial characteristic data in the photovoltaic data stream, and transmitting the partial characteristic data to the detection module after AD conversion;

the display module is used for receiving and displaying;

the memory is used for storing;

the detection module is used for preprocessing all photovoltaic data streams sent by the alternating current acquisition module, the open-in module and the communication module, inputting the preprocessed characteristic data into the BP neural network model for real-time detection and classification and outputting a classification result, judging whether the classification result has a network attack class or not, if so, sending a corresponding alarm signal to the control module according to the type of the network attack, generating a log record, sending the log record to the control module, intercepting the characteristic data streams, and generating an alarm prompt by the control module according to the alarm signal and outputting the alarm prompt to the display module for display; otherwise, the photovoltaic data stream is directly sent to the control module, and the control module forwards the photovoltaic data stream to an upper layer through the communication module.

6. The grid-tied interface device according to claim 5, wherein: and the control module is also used for communicating the classification result and the log record to be sent to an upper layer after generating the alarm prompt.

7. The grid-tied interface device according to claim 5, wherein: the detection module inputs the preprocessed feature data into the BP neural network model to carry out real-time detection and classification, and needs to train the BP neural network model, and the method comprises the following steps:

(1) initializing parameters of the BP neural network;

(2) and calculating the output of each node of the hidden layer:

where L is the L-th node of the hidden layer, L is 1,2, …, L); l is the number of hidden layer nodes; m is the mth node of the input layer, M is 1,2, … and M, and M is the number of nodes of the input layer; omega_mlThe connection weight value from the input layer to the hidden layer; x is the number of_mlThe input of the hidden layer specifically refers to an input sample value; delta_lA threshold value of each node of the hidden layer; f. of₁Activating a function for sigmoid;

(3) calculating the output of the output layer:

wherein, w_ljThe connection weight value from the hidden layer to the output layer; j is the jth node of the output layer, J is 1,2, … and J, and J is the number of nodes of the output layer (the number of nodes of the output layer is equal to the number of classifications); sigma_jIs the threshold value of each node of the output layer; f. of₂Activating a function for softmax such that the output a of the output layer_jIs a probability value corresponding to normal and various attack types, and has

The sum of the probabilities that the sample belongs to normal and various attacks is 1;

(4) calculating the error between the actual output and the desired output using a log-likelihood loss function:

wherein K is the classification number (K ═ 6); y is_i、a_iThe label value and the actual output of the ith class of the sample are respectively;

(5) judging whether the error is less than or equal to e_err，e_errIf yes, the step (7) is carried out; otherwise, entering a reverse propagation stage, and turning to the step (6);

(6) reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method, and updating the weight and the threshold;

(7) judging whether all samples are trained, if so, entering the step (8) to finish the training; otherwise, carrying out the next iteration and turning to the step (2);

(8) after training, outputting the connection weight omega between nodes of each layer_ml、w_ljAnd threshold δ of each layer node_l、σ_jAnd obtaining the trained BP neural network model.

8. The grid-tied interface device according to claim 7, wherein: the step (6) of reversely calculating the weight of each layer and the threshold of each layer node by adopting a gradient descent method specifically comprises the following steps:

the calculation and updating of the weight of each layer comprises: firstly, gradient calculation is carried out on weights from a hidden layer to an output layer:

wherein L is a log-likelihood loss function; w is a_ljFor the connection weight between the hidden layer to the output layer, Δ w_ljIs the weight gradient from the hidden layer to the output layer;

and then updating the weight from the hidden layer to the output layer:

w'_lj＝w_lj-ηΔw_lj；

wherein L is a loss function; w'_ljη (η is 0.01) is the learning rate;

and then, performing gradient calculation on the weights from the input layer to the hidden layer:

wherein L is a loss function; omega_mlThe connection weight value from the input layer to the hidden layer; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

then, updating the weights from the input layer to the hidden layer:

ω'_ml＝ω_ml-ηΔω_ml，

wherein, ω is_mlThe connection weight value from the input layer to the hidden layer, η is the learning rate (η ═ 0.01); omega'_mlThe updated connection weight value between the input layer and the hidden layer is obtained; Δ ω_mlIs the weight gradient from the input layer to the hidden layer;

the calculating and updating of the threshold values of the nodes of each layer comprises the following steps:

first, the output layer threshold gradient is calculated:

wherein L is a loss function; sigma_jIs the threshold value of each node of the output layer; delta sigma_jIs the output layer threshold gradient;

and updating the threshold value of the output layer:

σ'_j＝σ_j-ηΔσ_j；

wherein σ_jIs the threshold value of each node of the output layer; sigma'_jIs the updated output layer threshold; delta sigma_jη is learning rate (η ═ 0.01);

then the hidden layer threshold gradient is calculated:

wherein L is a loss function; delta_lA threshold value of each node of the hidden layer; delta delta_lA hidden layer threshold gradient;

then, the hidden layer threshold is updated:

δ'_l＝δ_l-ηΔδ_l；

wherein, delta_lA threshold value of each node of the hidden layer; delta 'of'_lIs the updated hidden layer threshold; delta delta_lThe hidden layer threshold gradient, η the learning rate (η ═ 0.01).

Images