CN111193742A - D-S evidence theory-based power communication network anomaly detection method - Google Patents

D-S evidence theory-based power communication network anomaly detection method Download PDF

Info

Publication number
CN111193742A
Authority
CN
China
Prior art keywords
network
power communication
communication network
evidence theory
data
Legal status
Pending
Application number
CN201911410137.3A
Other languages
Chinese (zh)
Inventor
莫穗江
高国华
李瑞德
王�锋
张欣欣
温志坤
黄定威
杨玺
张欣
汤铭华
梁英杰
廖振朝
陈嘉俊
李伟雄
童捷
张天乙
Current Assignee
Guangdong Power Grid Co Ltd
Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd, Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN201911410137.3A
Publication of CN111193742A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/23 Clustering techniques
    • G06F 18/232 Non-hierarchical techniques
    • G06F 18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F 18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G06F 18/25 Fusion techniques
    • G06F 18/257 Belief theory, e.g. Dempster-Shafer

Abstract

The invention relates to the field of power communication networks, in particular to a power communication network anomaly detection method based on D-S evidence theory. By adopting the method, the accuracy of sensing network anomalies and their types in the power communication network can be effectively improved, and network anomalies can be detected in real time by fusing real-time data as it arrives.

Description

D-S evidence theory-based power communication network anomaly detection method
Technical Field
The invention relates to the field of power communication networks, in particular to a power communication network anomaly detection method based on a D-S evidence theory.
Background
With the advance of research and practice of smart power grids, power grids in the traditional sense are gradually fused with information communication systems and monitoring control systems, the safety of power communication networks is closely connected with the operation safety of the power grids, and the safety of the power communication networks is the central importance of the safety of the power grids.
The power communication network system is complex and dynamic and therefore has a certain vulnerability. Security incidents such as denial-of-service attacks, network scanning, network spoofing, viruses and trojans, and information leakage emerge endlessly, and security risks from both inside and outside put great pressure on network security work. A power communication network anomaly detection technique is therefore needed that accurately identifies abnormal network security incidents and determines in real time whether the network is in an abnormal state, so that staff can deal with abnormal problems promptly.
Among existing network anomaly detection methods, one judges network traffic comprehensively from several characteristics on the basis of D-S evidence theory and introduces an adaptive mechanism to ensure detection accuracy. The drawback of that scheme is that the judgment cannot be combined with the data characteristics of the host, which can affect its accuracy.
Disclosure of Invention
In order to overcome the low accuracy of network anomaly detection in the prior art, the invention provides a power communication network anomaly detection method based on D-S evidence theory, which can effectively improve the accuracy of sensing network anomalies and their types in the power communication network and can detect network anomalies in real time by fusing real-time data as it arrives.
In order to solve the technical problems, the invention adopts the following technical scheme. A power communication network anomaly detection method based on D-S evidence theory comprises the following steps:
step one: selecting characteristics that influence network anomalies from network connection state data collected from the power communication network, and performing data preprocessing;
step two: determining the BBA (basic probability distribution, i.e. the probability mass assigned to each possible element of the identification frame) within the identification frame of D-S evidence theory, based on the K-means clustering method (K-means algorithm);
step three: determining the identification frame by using an expert system;
step four: performing fusion and decision making using the Dempster combination rule of D-S evidence theory.
Preferably, in the first step, network key information data with a fixed time length is selected from original records of network key information collected in the power communication network; and cleaning the selected key information data, and removing the data records containing the missing values.
Preferably, the key information data includes three pieces of information: traffic information, operation information, and alarm information of the network protection device. The traffic information comprises the traffic inflow size and the traffic outflow size of each network node; the operation information comprises the total number of services running on each host, and the average access amount and access frequency of each service running on the host; the alarm information of the network protection device comprises an alarm identifier, attack frequency, source address, destination address, source port and destination port. In a normal operating state the traffic of the power grid is stable (except during specific time intervals); if the traffic fluctuates abnormally, whether a DDoS attack is occurring can be judged from the traffic information. The total number of services on a host is likewise stable in the normal state, so fluctuation can be used to detect whether a backdoor or malicious program has been injected into the host. The attack type and attack source can be judged from the collected alarm information, which provides data support for anomaly detection.
Preferably, in step two, the calculation of the clustering intervals and the clustering feature similarity includes:
S1: based on the K-means algorithm, the basic model of a clustering characteristic interval is [c, r], where c is the cluster center and r is the cluster radius;
S2: the clustering feature similarity is defined as follows.
Let F1: [c1, r1] and F2: [c2, r2] be two focal elements in the identification frame of D-S evidence theory, with the distance between them being:
Figure BDA0002349758810000021
where c1 is the first cluster center; c2 is the second cluster center; r1 is the cluster radius of the first cluster center; r2 is the cluster radius of the second cluster center;
S3: the similarity of two clustering characteristic interval models is
Figure BDA0002349758810000022
where λ > 0 is a support coefficient and d(F1, F2) is the distance between the two focal elements.
Preferably, in the second step, the BBA generation step is as follows:
s2.1: and establishing a clustering interval model of the sample data attribute value.
S2.2: and calculating the distance between the attribute value of the data to be judged and the model interval.
S2.3: and calculating the similarity between the attribute value of the data to be identified and the attribute value of the sample data.
S2.4: and normalizing the similarity to generate BBA.
Preferably, in step three, the identification frame is established according to an expert system; the identification frame is denoted as Z = {a1, a2, …, an}, where Z is the identification frame, n is the number of objects in the frame, and a is an event type; any two objects in the frame are mutually exclusive.
Preferably, in the fourth step, the Dempster combination rule is defined as:
Figure BDA0002349758810000031
Figure BDA0002349758810000032
where A is a focal element in the identification frame; B is a proposition in the identification frame; m1 and m2 are the basic credibility assignments from two different information sources under the same frame; K is the conflict coefficient, which reflects the degree of conflict between the evidence;
and finally, the network anomaly judgment and the judgment of its type can be made according to the probability values obtained after fusion.
Compared with the prior art, the beneficial effects are:
1. The method determines the BBA in the identification frame of D-S evidence theory using a K-means-based clustering method. By reducing expert experience scoring, the strong subjectivity of the BBA and the high conflict between pieces of evidence that it causes can be effectively reduced.
2. The invention comprehensively considers the transmission data of the network, extracts the characteristic attribute influencing the network abnormity from the transmission data, and can better reflect the running state of the network.
3. The method takes the instantaneity of the power communication network into full consideration, uses Dempster combination rules for fusion and decision, and utilizes a large amount of operation data in the previous database to construct a clustering interval model and an identification framework, so that the real-time operation data can be subjected to real-time data fusion, and the judgment of real-time network abnormity is accelerated.
Drawings
FIG. 1 is a schematic flow chart of a method for detecting network anomaly of a power communication network based on a D-S evidence theory according to the invention;
fig. 2 is a power communication hierarchical diagram of a power communication network anomaly detection method based on a D-S evidence theory according to the present invention.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent.
The technical scheme of the invention is further described in detail by the following specific embodiments in combination with the attached drawings:
example 1
Fig. 1-2 show an embodiment of a method for detecting network anomaly of a power communication network based on a D-S evidence theory, which includes the following steps:
step one: set the identification frame established from an existing knowledge base or expert experience as Z = {a1, a2, …, an}, where Z is the identification frame, ai (1 ≤ i ≤ n) represents an event type, any two objects in the frame are mutually exclusive, and n is the number of objects in the frame;
The selection indexes of the power communication network system are as follows. Traffic information: the inflow size of each network node, NETWORK_IN (NI), and the outflow size of the network node, NETWORK_OUT (NO). Operation information: the total number of services running on each host (SN), and the average access amount VISIT_NUM (VN) and access frequency VISIT_FREQ (VR) of each service running on the host. Alarm information of the network protection equipment: attack frequency ATTACK_FREQ (AF);
step two: BBA generation of sample index data.
Selecting test data: for each object (event) in the identification frame, 20 sets of corresponding data are selected (from the power communication network system and the related database); each set contains the indexes {NI, NO, SN, VN, VR, AF}. The NI data, for example, can be written as NI1, NI2, …, NI20, and the others similarly.
Generating the clustering characteristic interval model, as shown in the following table:
Table 1: Characteristic interval model table
Focal element | NI | NO | SN | VN | VR | AF
a1 | [c11, r11] | [c12, r12] | [c13, r13] | [c14, r14] | [c15, r15] | [c16, r16]
a2 | [c21, r21] | [c22, r22] | [c23, r23] | [c24, r24] | [c25, r25] | [c26, r26]
an | [cn1, rn1] | [cn2, rn2] | [cn3, rn3] | [cn4, rn4] | [cn5, rn5] | [cn6, rn6]
The entries in the above table are computed directly from the 20 groups of data; for example, [c11, r11] is generated as follows:
Figure BDA0002349758810000051
Figure BDA0002349758810000052
Solving the distance between the data to be detected and the characteristic model interval, and the similarity: select test data C = {NIt, NOt, SNt, VNt, VRt, AFt}, compute its distance to each interval model, calculate the similarity, and then normalize to obtain the BBA value, as represented in the following table:
Table 2: Similarity between test data and interval model
Focal element | NI | NO | SN | VN | VR | AF
a1 | s11 | s12 | s13 | s14 | s15 | s16
a2 | s21 | s22 | s23 | s24 | s25 | s26
an | sn1 | sn2 | sn3 | sn4 | sn5 | sn6
The entries in the above table are computed directly from the Table 1 data (where the cluster radius of the test data can be taken as 0 and the similarity coefficient as 1); for example, s11 is generated as follows:
Figure BDA0002349758810000061
Figure BDA0002349758810000062
Normalization is performed to obtain the BBA data as follows:
Table 3: BBA allocation
Focal element | NI | NO | SN | VN | VR | AF
a1 | P11 | P12 | P13 | P14 | P15 | P16
a2 | P21 | P22 | P23 | P24 | P25 | P26
an | Pn1 | Pn2 | Pn3 | Pn4 | Pn5 | Pn6
The entries in the above table are obtained by normalizing the Table 2 data as follows (for example, P11):
Figure BDA0002349758810000063
D-S data fusion and decision analysis are carried out: first the conflict coefficient K is obtained, then the fused probability of each frame object is obtained as follows.
The formula for K from step four is:
Figure BDA0002349758810000064
According to the fusion formula in step four (taking P(a1) as an example):
Figure BDA0002349758810000065
Through the above steps, the fused probabilities P(a1), P(a2), …, P(an) of the events in the identification frame are obtained, and the event type and subsequent related decisions are then determined.
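A worked implementation of steps one to four of the embodiment above (the Table 1 interval models, the Table 2 similarities, the Table 3 BBAs and the fusion step), added here as an illustration; it is not the patent's own code. The page reproduces the interval, distance, similarity and combination formulas only as figure placeholders, so this example assumes: the interval centre is the mean of the samples and the radius the largest deviation from it; the distance from a test value to an interval is its gap outside the interval (test radius 0); similarity is 1 / (1 + λ d) with λ = 1; and the fusion step is the standard Dempster rule of combination, implemented generally over subsets so that conflict K and the K = 1 failure case are handled. The three-element identification frame, the sample sets and the live reading are constructed for the example.

```python
from statistics import mean

FEATURES = ["NI", "NO", "SN", "VN", "VR", "AF"]

# Constructed training sets, four per event type instead of the 20 sets per
# event the patent uses; the frame {normal, ddos, backdoor} is an assumption.
SAMPLES = {
    "normal":   [[100, 80, 5, 50, 10, 0], [110, 85, 5, 52, 9, 0],
                 [95, 78, 5, 48, 11, 1], [105, 82, 5, 50, 10, 0]],
    "ddos":     [[1000, 80, 5, 50, 10, 30], [1100, 85, 5, 51, 10, 35],
                 [950, 78, 5, 49, 11, 28], [1050, 82, 5, 50, 10, 32]],
    "backdoor": [[100, 300, 9, 20, 10, 3], [110, 320, 10, 22, 9, 4],
                 [95, 280, 9, 18, 11, 2], [105, 310, 9, 20, 10, 3]],
}


def interval_model(values):
    """Table 1 entry [c, r]: centre = mean, radius = largest deviation (assumed)."""
    c = mean(values)
    return c, max(abs(v - c) for v in values)


def build_models(samples):
    """One [c, r] interval per (event type, feature), i.e. the rows of Table 1."""
    return {event: [interval_model([row[j] for row in rows])
                    for j in range(len(FEATURES))]
            for event, rows in samples.items()}


def interval_distance(model, value, test_radius=0.0):
    """Gap between a test value (radius 0, as the page allows) and an interval."""
    c, r = model
    return max(0.0, abs(value - c) - r - test_radius)


def similarity(distance, lam=1.0):
    """Assumed similarity 1 / (1 + lam * d); lam > 0 is the support coefficient."""
    return 1.0 / (1.0 + lam * distance)


def feature_bbas(models, test, lam=1.0):
    """Tables 2 and 3: per-feature similarities, normalised into one BBA each."""
    bbas = []
    for j, name in enumerate(FEATURES):
        sims = {event: similarity(interval_distance(models[event][j], test[name]), lam)
                for event in models}
        total = sum(sims.values())
        bbas.append({frozenset([event]): s / total for event, s in sims.items()})
    return bbas


def dempster_combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B∩C=A} m1(B)m2(C) / (1-K), K = mass on B∩C=∅."""
    fused, conflict = {}, 0.0
    for b, w1 in m1.items():
        for c, w2 in m2.items():
            both = b & c
            if both:
                fused[both] = fused.get(both, 0.0) + w1 * w2
            else:
                conflict += w1 * w2
    if conflict >= 1.0 - 1e-12:
        # K = 1 means the two sources are totally contradictory; the rule is undefined.
        raise ValueError("total conflict (K = 1): evidence cannot be combined")
    return {a: w / (1.0 - conflict) for a, w in fused.items()}, conflict


def fuse(bbas):
    """Combine all feature BBAs pairwise (the rule is associative and commutative)."""
    m = bbas[0]
    for nxt in bbas[1:]:
        m, _ = dempster_combine(m, nxt)
    return m


def detect(samples, test, lam=1.0):
    """Run steps one to four: returns (decided event type, fused P(a_i) per type)."""
    fused = fuse(feature_bbas(build_models(samples), test, lam))
    probs = {next(iter(a)): w for a, w in fused.items() if len(a) == 1}
    return max(probs, key=probs.get), probs


if __name__ == "__main__":
    # Constructed live reading: inflow and attack frequency far above normal.
    reading = {"NI": 950, "NO": 85, "SN": 5, "VN": 52, "VR": 11, "AF": 28}
    verdict, probs = detect(SAMPLES, reading)
    print(verdict, {k: round(v, 4) for k, v in probs.items()})
```

Features whose test value falls inside every event's interval (SN and VR here) yield near-uniform BBAs and contribute nothing to the decision, which is why the method relies on several indexes rather than one.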
The beneficial effects of this embodiment:
1. The method determines the BBA in the identification frame of D-S evidence theory using a K-means-based clustering method. By reducing expert experience scoring, the strong subjectivity of the BBA and the high conflict between pieces of evidence that it causes can be effectively reduced.
2. The invention comprehensively considers the transmission data of the network, extracts the characteristic attribute influencing the network abnormity from the transmission data, and can better reflect the running state of the network.
3. The method takes the instantaneity of the power communication network into full consideration, uses Dempster combination rules for fusion and decision, and utilizes a large amount of operation data in the previous database to construct a clustering interval model and an identification framework, so that the real-time operation data can be subjected to real-time data fusion, and the judgment of real-time network abnormity is accelerated.
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.

Claims (10)

1. A method for detecting network abnormality of a power communication network based on a D-S evidence theory is characterized by comprising the following steps:
step one: selecting characteristics that influence network anomalies from network connection state data collected from the power communication network, and performing data preprocessing;
step two: determining the basic probability distribution in an identification frame of D-S evidence theory based on a K-means clustering method;
step three: determining the identification frame by using an expert system;
step four: performing fusion and decision making using the D-S evidence theory combination rule.
2. The method for detecting the network abnormality of the electric power communication network based on the D-S evidence theory as claimed in claim 1, wherein in the step one, network key information data with a fixed time length is selected from original records of network key information collected in the electric power communication network; and cleaning the selected key information data, and removing the data records containing the missing values.
3. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 2, wherein the key information data includes three pieces of information, which are flow information, operation information and alarm information of network protection equipment.
4. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory is characterized in that the traffic information comprises the traffic inflow size of each network node and the network traffic outflow size.
5. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory is characterized in that the operation information comprises the total number of the services operated on each host, the average access amount and the access frequency of each service operated on each host.
6. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 3, wherein the alarm information of the network protection device includes an alarm identifier, an attack frequency, a source address, a destination address, a source port and a destination port.
7. The method for detecting the abnormality of the power communication network based on the D-S evidence theory as claimed in claim 2, wherein in step two, the calculation of the clustering intervals and the clustering feature similarity comprises:
S1: based on the K-means algorithm, the basic model of a clustering characteristic interval is [c, r], where c is the cluster center and r is the cluster radius;
S2: the clustering feature similarity is defined as follows.
Let F1: [c1, r1] and F2: [c2, r2] be two focal elements in the identification frame of D-S evidence theory, with the distance between them being:
Figure FDA0002349758800000021
where c1 is the first cluster center; c2 is the second cluster center; r1 is the cluster radius of the first cluster center; r2 is the cluster radius of the second cluster center;
S3: the similarity of two clustering characteristic interval models is
Figure FDA0002349758800000022
where λ > 0 is a support coefficient and d(F1, F2) is the distance between the two focal elements.
8. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 7, wherein in the second step, the basic probability distribution is generated as follows:
s2.1: establishing a clustering interval model of sample data attribute values;
s2.2: calculating the distance between the attribute value of the data to be judged and the model interval;
s2.3: calculating the similarity between the attribute value of the data to be identified and the attribute value of the sample data;
s2.4: and normalizing the similarity to generate basic probability distribution.
9. The method for detecting the abnormality of the power communication network based on the D-S evidence theory as claimed in claim 8, wherein in step three, the identification frame is established according to an expert system; the identification frame is denoted as Z = {a1, a2, …, an}, where Z is the identification frame, n is the number of objects in the frame, and a represents an event type; any two objects in the frame are mutually exclusive.
10. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 9, wherein in the fourth step, the D-S evidence theory combination rule is defined as:
Figure FDA0002349758800000023
Figure FDA0002349758800000024
where A is a focal element in the identification frame; B is a proposition in the identification frame; m1 and m2 are the basic credibility assignments from two different information sources under the same frame; K is the conflict coefficient, which reflects the degree of conflict between the evidence;
and then the network anomaly judgment and the judgment of its type can be made according to the probability values obtained after fusion.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911410137.3A CN111193742A (en) 2019-12-31 2019-12-31 D-S evidence theory-based power communication network anomaly detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911410137.3A CN111193742A (en) 2019-12-31 2019-12-31 D-S evidence theory-based power communication network anomaly detection method

Publications (1)

Publication Number Publication Date
CN111193742A true CN111193742A (en) 2020-05-22

Family

ID=70709730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911410137.3A Pending CN111193742A (en) 2019-12-31 2019-12-31 D-S evidence theory-based power communication network anomaly detection method

Country Status (1)

Country Link
CN (1) CN111193742A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355504A (en) * 2008-08-14 2009-01-28 成都市华为赛门铁克科技有限公司 Method and apparatus for confirming user behavior
CN101753992A (en) * 2008-12-17 2010-06-23 深圳市先进智能技术研究所 Multi-mode intelligent monitoring system and method
WO2016166725A1 (en) * 2015-04-16 2016-10-20 Telefonaktiebolaget Lm Ericsson (Publ) System and method for sla violation monitoring via multi-level thresholds
CN107273924A (en) * 2017-06-06 2017-10-20 上海电力学院 The Fault Analysis of Power Plants method of multi-data fusion based on fuzzy cluster analysis
CN107644267A (en) * 2017-09-11 2018-01-30 河南科技大学 A kind of green house control Decision fusion method based on D S evidence theories
CN107679558A (en) * 2017-09-19 2018-02-09 电子科技大学 A kind of user trajectory method for measuring similarity based on metric learning
CN108199795A (en) * 2017-12-29 2018-06-22 北京百分点信息科技有限公司 The monitoring method and device of a kind of equipment state
CN109193756A (en) * 2018-09-04 2019-01-11 华南理工大学 A kind of scene decoupling dynamic economic dispatch model solution method of wind power integration system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Gao Zhiyong, Dong Rongguang, Gao Jianmin, Wang Rongxi: "Basic probability assignment generation method using clustering features and its application", Journal of Xi'an Jiaotong University *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200522