CN112187820B - Power distribution terminal DTU intrusion detection method and system based on machine learning - Google Patents


Info

Publication number
CN112187820B
Authority
CN
China
Prior art keywords
classifier
dtu
training
power distribution
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011073339.6A
Other languages
Chinese (zh)
Other versions
CN112187820A (en)
Inventor
吕志宁
邓巍
宁柏锋
刘威
罗伟峰
徐文渊
冀晓宇
蒋燕
李鹏
习伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China South Power Grid International Co ltd
Shenzhen Power Supply Co ltd
Zhejiang University ZJU
Original Assignee
China South Power Grid International Co ltd
Shenzhen Power Supply Co ltd
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China South Power Grid International Co ltd, Shenzhen Power Supply Co ltd, Zhejiang University ZJU
Priority to CN202011073339.6A
Publication of CN112187820A
Application granted
Publication of CN112187820B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F18/00 Pattern recognition
            • G06F18/20 Analysing
              • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
                • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
                  • G06F18/2135 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on approximation criteria, e.g. principal component analysis
                • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
              • G06F18/24 Classification techniques
        • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
          • G06N3/00 Computing arrangements based on biological models
            • G06N3/02 Neural networks
              • G06N3/04 Architecture, e.g. interconnection topology
                • G06N3/045 Combinations of networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Evolutionary Biology (AREA)
  • Computing Systems (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a machine-learning-based intrusion detection method and system for the power distribution terminal DTU, belonging to the field of smart grid security. The method uses principal component analysis to reduce high-dimensional feature data and builds the model on the reduced features; it then performs double verification with a least squares support vector machine and a neural network algorithm to improve detection accuracy and reduce the false alarm rate; finally, the intrusion detection system framework uses a modular design, is suited to intrusion detection in the smart grid field, and has good portability and generality.

Description

Power distribution terminal DTU intrusion detection method and system based on machine learning
Technical Field
The invention belongs to the field of smart grid security and particularly relates to a machine-learning-based intrusion detection method and system for the power distribution terminal DTU.
Background
The automation and intelligence of the power distribution network optimize the allocation of national energy resources, ensure the safe and stable operation of the electric power system and promote the development of national strategic emerging industries. In recent years, as electric power systems and communication networks have become ever more tightly coupled, security threats from the Internet have become more complex and diverse, and the information security problem of the distribution network has grown more prominent; in particular, the microgrid controller of the power distribution terminal is frequently the target of network attacks, which seriously hinders the normal production and operation of the power system. The intelligent power distribution terminal DTU (Distribution Terminal Unit) is a core device of the distribution network that monitors the operating state of a transformer area in real time so that the distribution system can operate safely and reliably. With the rapid development of the intelligent distribution network, the network environment and the types of network attack have become more complex and changeable, and the vulnerability of the security defense mechanism of the distribution transformer terminal is increasingly prominent. Performing intrusion detection on the intelligent power distribution terminal in the power engineering control system allows network attacks to be discovered and handled in time, changes the current passive-defense situation of the distribution network system, and reduces the safety risk and economic loss of power utilization.
At present, an intrusion detection system mainly detects hacker attacks and network viruses by analyzing network data packets in the industrial control system environment and triggers the alarm system once an anomaly is detected; it generally consists of three modules: data collection, transmission and processing. However, in the smart grid field, as the number of power distribution terminals increases, more and more data must be processed by computers, and the traditional intrusion detection system struggles to meet the requirements, so it is necessary to ensure the security of the grid system and to improve the response speed and accuracy of the intrusion detection system.
Disclosure of Invention
To address the problems of the prior art, the invention provides a machine-learning-based DTU intrusion detection method and system, in which the network traffic and related network information of the power distribution terminal are used to detect power industrial control attacks, and an evolution algorithm combining a neural network algorithm with a least squares support vector machine algorithm overcomes the local-optimum defect of the traditional neural network algorithm while greatly improving the accuracy of DTU intrusion detection. The system consists of three subsystems, data collection, data transmission and data processing; each submodule of each subsystem is highly independent, and the system has good generality and portability in the field of power industrial control.
In order to achieve the purpose, the invention adopts the following technical scheme:
A machine-learning-based intrusion detection method for the power distribution terminal DTU comprises the following steps:
Step 1: establish a server-client (C/S) communication framework, create a socket object, and collect DTU information data of the power distribution terminal;
Step 2: preprocess the DTU information data to obtain an original feature set, screen a preset number of features out of the original feature set by principal component analysis to serve as the final features, and obtain a training sample set;
Step 3: build a neural network model composed of an input layer, a hidden layer and an output layer as the first classifier, where the input layer receives the screened final features, the hidden layer processes the feature values and contains the initial weights of the feature values, the network objective function and the activation function, and the output layer outputs the neural network result;
Step 4: build a least squares support vector machine model as the second classifier: map the screened final features to a high-dimensional feature space by a nonlinear mapping, construct the optimal decision function in that space based on the structural risk minimization principle, replace the dot product in the high-dimensional feature space with a kernel function of the original space, and output the least squares support vector machine result;
Step 5: perform ensemble learning on the first and second classifiers to form a strong classifier evolution model. In the ensemble learning, first train and verify the first classifier by 8-fold cross validation on the training sample set to obtain its classification error rate, and from it calculate the weight coefficient of the first classifier in the strong classifier evolution model;
then update the weight distribution of the training sample set, increasing the weights of the samples the first classifier predicted wrongly and decreasing those it predicted correctly, and normalize all weights; train and verify the second classifier by 8-fold cross validation on the training sample set with the updated weight distribution to obtain its classification error rate, and from it calculate the weight coefficient of the second classifier in the strong classifier evolution model;
finally, form the trained strong classifier evolution model;
Step 6: acquire DTU information data of the power distribution terminal in real time through the server-client C/S communication framework, extract features according to the screening result of step 3, perform real-time intrusion detection on the DTU feature data with the trained strong classifier evolution model, judge whether the power distribution terminal DTU is in a normal working state or in an abnormal working state under attack, and raise an alarm if it is abnormal.
Further, in step 1, if an acquired numerical feature variable has a missing (default) value, the feature is completed by linear interpolation (the "linear difference method"), that is,
Figure GDA0003799315910000021
where $y_0$ and $x_0$ are the feature value and the row number of the previous record of the data, and $y_1$ and $x_1$ are the feature value and the row number of the next record, respectively.
Further, original feature samples of the DTU feature data are obtained; eigenvalue decomposition is performed by principal component analysis on the covariance matrix of the collected original feature samples to obtain the eigenvectors, the first q principal component features are selected as the final features according to the magnitude of the eigenvalues, and the training sample set is obtained.
Further, step 5 specifically includes:
Step 5.1: Divide the training sample set into 8 equal parts; use 7 of them for training and 1 for testing, obtaining the classification error rate $e_i(x)$. One round of training yields 8 prediction outputs in total, and
Figure GDA0003799315910000031
is taken as the classification error rate of the first classifier, denoted $e_{NN}$.
Step 5.2: Calculate the weight coefficient $\alpha_{NN}$ of the first classifier in the strong classifier evolution model:
Figure GDA0003799315910000032
Step 5.3: Update the weight distribution of the training sample set:
$D_2 = (w_{2,1}, \ldots, w_{2,i}, \ldots, w_{2,N})$
Figure GDA0003799315910000033
Figure GDA0003799315910000034
where $N$ is the number of samples; $D_2$ is the updated weight set; $w_{2,i}$ is the updated weight of the $i$-th sample and $w_{1,i}$ its initial weight, $w_{1,i} = 1/N$, $i = 1, 2, \ldots, N$; $Z$ is a normalization factor ensuring that the weights in $D_2$ sum to 1; $y_i$ is the true value and $G_1(x_i)$ the prediction of the first classifier, so that $y_i G_1(x_i) = 1$ when the prediction is correct and $y_i G_1(x_i) = -1$ when it is wrong; $\alpha$ is a weight parameter with $0 < \alpha < 1$, and the larger $\alpha$ is, the stronger the update of $w_{2,i}$;
Step 5.4: Divide the training sample set with the updated weight distribution into 8 equal parts, use 7 of them for training and 1 for testing to train and verify the second classifier, and after one round of training obtain the classification error rate of the second classifier, denoted $e_{LSSVM}$.
Step 5.5: Calculate the weight coefficient $\alpha_{LSSVM}$ of the second classifier in the strong classifier evolution model:
Figure GDA0003799315910000041
Step 5.6: Construct the trained strong classifier evolution model, expressed as:
$G(x) = \mathrm{sign}(f(x))$
$f(x) = \alpha_{NN} G_{NN}(x) + \alpha_{LSSVM} G_{LSSVM}(x)$
where $G(x)$ is the strong classifier evolution model, $f(x)$ is the linear combination of the two classifiers, and $\alpha_{NN}$ and $\alpha_{LSSVM}$ are the weight coefficients expressing the importance of the first and the second classifier; $\mathrm{sign}(\cdot)$ gives 1 when the system is judged normal and -1 when it is judged abnormal, which achieves the final classification.
Another objective of the present invention is to provide a power distribution terminal DTU intrusion detection system based on the above method, including:
the data collection subsystem is used for collecting DTU information data of the power distribution terminal;
the data transmission subsystem is used for transmitting the data collected by the data collection subsystem to the data processing subsystem;
and the data processing subsystem is used for preprocessing the DTU information data, extracting the characteristic value, constructing and training a strong classifier evolution model, detecting the working state of the DTU of the power distribution terminal in real time by using the trained strong classifier evolution model, and sending an alarm if the state is abnormal.
Compared with the prior art, the invention has the beneficial effects that:
(1) The invention discloses an intrusion detection process for the power distribution terminal comprising data collection, preprocessing, feature extraction, establishment of an evolution model combining a neural network algorithm and a least squares support vector machine algorithm, model training, and intrusion detection for the power distribution terminal. The neural network is simple in structure and fast, but when it solves for an optimized solution at high speed it easily falls into a local minimum. Therefore a least squares support vector machine is further adopted, which turns the quadratic programming problem of the support vector machine into the solution of a system of equations; this greatly simplifies the workload, computes quickly on large-scale data, and avoids local optima.
(2) In the invention, a C/S communication architecture is constructed so that a high-performance host collects the network information of the power distribution terminal, the core device of the distribution network, and extracts its features; in addition, principal component analysis reduces the feature dimension during feature selection, which helps to extract the important information and discard useless information.
(3) The intrusion detection system adopts a framework (modular) design; each submodule is highly independent, and the system has good generality and portability in the field of power industrial control.
(4) The machine learning algorithm of the invention uses an evolution algorithm combining a neural network algorithm and a least squares support vector machine algorithm, and introduces a weight distribution over the training data set based on the training result of the first classifier, so that a base classifier with a small classification error rate receives a large weight and one with a large error rate a small weight; this overcomes the local-optimum defect of the traditional neural network algorithm while greatly improving the accuracy of DTU intrusion detection.
Drawings
FIG. 1 is a block diagram of an intrusion detection system according to the present invention;
FIG. 2 is a flow chart of a method of the present invention;
FIG. 3 is a model cross-validation flow diagram;
FIG. 4 is an overall operation block diagram of the intrusion detection system facing the power distribution terminal.
Detailed Description
The invention is further explained below with reference to the figures and examples.
The invention provides a machine-learning-based DTU intrusion detection method and system. As shown in figure 2, the DTU intrusion detection system consists of three subsystems, data collection, data transmission and data processing, and performs intrusion detection on power industrial control attacks using the network traffic and related network information of the power distribution terminal; the working flow chart of the intrusion detection system is shown in figure 2.
The specific working method of the system is as follows:
Step 1: Construct a machine-learning-based intrusion detection system framework according to the requirements of the power grid application. The specific steps are:
Step 1.1: Establish the data collection subsystem with the DTU as the client.
Step 1.2: Establish the data transmission subsystem based on the socket interface technology.
Step 1.3: Establish the data processing subsystem with a high-performance PC as the server.
Step 2: Establish the server-client C/S communication framework, create socket objects, and collect the DTU information data of the power distribution terminal. The specific steps are:
Step 2.1: Create the socket objects of the DTU and of the host respectively;
Step 2.2: Bind the server address to enable communication between the power distribution terminal and the host;
Step 2.3: The host periodically collects the DTU information data of the power distribution terminal;
Step 2.4: Record the collected data as D. The collected DTU information data of the power distribution terminal comprise:
send_byte: the number of bits of data sent by the power distribution terminal;
receive_byte: the number of bits received by the power distribution terminal;
memory_use: memory occupancy rate;
cpu_use: CPU utilization rate;
real_time: time stamp;
rcv_des: packet destination address;
src_des: packet source address;
length: packet length;
pow_csp: power consumption;
temp: temperature;
link_flag: whether the connection state is normal or erroneous;
land: whether the connection is from/to the same host/port.
If a numerical feature variable has a missing (default) value, the feature is completed by linear interpolation, i.e.
Figure GDA0003799315910000061
where $y_0$ and $x_0$ are the feature value and the row number of the previous record of the data, and $y_1$ and $x_1$ are the feature value and the row number of the next record, respectively.
Step 3: Construct features that can characterize attacks according to prior knowledge of power industrial control messages. The specific steps are:
Step 3.1: Calculate the connection duration between the power distribution terminal DTU and the host, where $t_{link}$ is the duration of the connection during which the data were collected, $t_{cls}$ the time stamp of disconnection and $t_{str}$ the time stamp at which the connection started:
$t_{link} = t_{cls} - t_{str}$
Step 3.2: Calculate the average number of received data bytes of the power distribution terminal DTU, where $d_{receive\_bit}$ is the number of bits received within $t_{link}$ and $d_{receive\_byte}$ the average number of received bytes in that period:
Figure GDA0003799315910000062
Step 3.3: Calculate the average number of sent data bytes of the power distribution terminal DTU, where $d_{send\_bit}$ is the number of bits sent within $t_{link}$ and $d_{send\_byte}$ the average number of sent bytes in that period:
Figure GDA0003799315910000063
Step 3.4: Calculate the average network flow of the power distribution terminal DTU, where $d_{flow}$ is the average network flow of the DTU within $t_{link}$:
$d_{flow} = |d_{send\_byte} - d_{receive\_byte}|$
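As an added example (not code from the patent), the following Python fills a missing numeric field in collected DTU records by linear interpolation between the neighbouring records, as described for step 2.4 and in the "further" remark on step 1, and then derives the step 3 connection features. The record field names follow step 2.4; the interpolation formula is the standard two-point formula, and averaging bits over $t_{link}$ with division by 8 for the byte averages is an assumption, because the patent shows those equations only as images. The records are constructed.

```python
def interpolate_missing(records, field):
    """Fill records whose `field` is None with a linear interpolation between the
    previous and next record that do have a value (y0 at row x0, y1 at row x1):
        y = y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    Standard two-point formula, assumed here; the patent's equation is an image.
    A gap at the start or end (no neighbour on one side) is left as None.
    The input list is not modified."""
    known_rows = [i for i, r in enumerate(records) if r[field] is not None]
    filled = [dict(r) for r in records]
    for x, rec in enumerate(records):
        if rec[field] is not None:
            continue
        before = [i for i in known_rows if i < x]
        after = [i for i in known_rows if i > x]
        if not before or not after:
            continue  # edge gap: nothing to interpolate between
        x0, x1 = before[-1], after[0]
        y0, y1 = records[x0][field], records[x1][field]
        filled[x][field] = y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    return filled


def connection_features(t_str, t_cls, receive_bit, send_bit):
    """Step 3 features for one connection:
    t_link = t_cls - t_str, the average received / sent bytes over t_link
    (bits / (8 * t_link), an assumption), and d_flow = |d_send_byte - d_receive_byte|."""
    t_link = t_cls - t_str
    if t_link <= 0:
        raise ValueError("connection must have a positive duration")
    d_receive_byte = receive_bit / (8 * t_link)
    d_send_byte = send_bit / (8 * t_link)
    d_flow = abs(d_send_byte - d_receive_byte)
    return {"t_link": t_link, "d_receive_byte": d_receive_byte,
            "d_send_byte": d_send_byte, "d_flow": d_flow}


# Constructed sample: four periodic collections from one DTU; cpu_use is
# missing in row 2, between 0.26 (row 1) and 0.38 (row 3).
SAMPLE_RECORDS = [
    {"real_time": 0, "memory_use": 0.40, "cpu_use": 0.20, "send_byte": 800, "receive_byte": 1600},
    {"real_time": 1, "memory_use": 0.42, "cpu_use": 0.26, "send_byte": 800, "receive_byte": 1600},
    {"real_time": 2, "memory_use": 0.41, "cpu_use": None, "send_byte": 4000, "receive_byte": 1600},
    {"real_time": 3, "memory_use": 0.43, "cpu_use": 0.38, "send_byte": 4000, "receive_byte": 1600},
]

if __name__ == "__main__":
    filled = interpolate_missing(SAMPLE_RECORDS, "cpu_use")
    print(filled[2]["cpu_use"])  # 0.32
    print(connection_features(t_str=100, t_cls=104, receive_bit=6400, send_bit=3200))
```

Leaving an edge gap as None rather than guessing is deliberate: a detector fed a fabricated first or last sample would be trained on data the terminal never produced, so those rows are better dropped downstream.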
Step 4: Reduce the high dimensionality of the security data features in the intrusion detection system by principal component analysis. First, eigenvalue decomposition is performed on the covariance matrix of the acquired DTU data samples to obtain the eigenvectors, and the first 3 principal component features are selected by the magnitude of the eigenvalues, which reduces the data dimensionality. The principal component features finally obtained are: the memory occupancy rate memory_usage, the CPU utilization cpu_usage and the DTU average network traffic $d_{flow}$.
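The step 4 reduction, as an added example (not the patent's code): centre the samples, eigendecompose the covariance matrix, order the eigenvectors by decreasing eigenvalue and keep the first q = 3 components. The feature table is constructed with three independent sources and four columns derived from them, so that three components carry almost all the variance; the column names and the `standardize` option are assumptions.

```python
import numpy as np

# Column names follow the record fields of step 2.4 / step 4 (assumed order).
FEATURE_NAMES = ["memory_usage", "cpu_usage", "d_flow", "send_byte",
                 "receive_byte", "pow_csp", "temp"]


def pca_select(X, q=3, standardize=False):
    """Principal component analysis by eigendecomposition of the covariance matrix.
    Returns (projected samples n x q, loadings d x q, explained-variance ratio of the q components)."""
    X = np.asarray(X, dtype=float)
    Xc = X - X.mean(axis=0)
    if standardize:  # unit variance per column, so large-valued counters do not dominate
        Xc = Xc / Xc.std(axis=0)
    cov = np.cov(Xc, rowvar=False)
    vals, vecs = np.linalg.eigh(cov)        # symmetric matrix: real eigenvalues, ascending order
    order = np.argsort(vals)[::-1]          # sort by decreasing eigenvalue
    vals, vecs = vals[order], vecs[:, order]
    ratio = float(vals[:q].sum() / vals.sum())
    return Xc @ vecs[:, :q], vecs[:, :q], ratio


def dominant_features(loadings, names):
    """Name the original feature with the largest absolute loading on each component,
    which is how a reduced component can be related back to memory, CPU or traffic."""
    return [names[int(np.argmax(np.abs(loadings[:, k])))] for k in range(loadings.shape[1])]


def make_sample(n=60, seed=0):
    """Constructed DTU feature table: memory, CPU and flow are independent; the other
    four columns are noisy linear functions of them (rank 3 plus small noise)."""
    rng = np.random.default_rng(seed)
    mem = rng.uniform(0.3, 0.8, n)
    cpu = rng.uniform(0.1, 0.9, n)
    flow = rng.uniform(0.0, 1.0, n)
    noise = lambda: 0.01 * rng.normal(size=n)
    send = 2.0 * flow + noise()
    recv = 0.5 * flow + 0.3 * cpu + noise()
    power = 0.8 * cpu + noise()
    temp = 0.2 * cpu + 0.1 * mem + noise()
    return np.column_stack([mem, cpu, flow, send, recv, power, temp])


if __name__ == "__main__":
    Z, loadings, ratio = pca_select(make_sample(), q=3)
    print(Z.shape, round(ratio, 4))
    print(dominant_features(loadings, FEATURE_NAMES))
```

PCA on the raw covariance is scale-sensitive: a byte counter in the thousands next to a utilization in [0, 1] will own the leading component regardless of how informative it is, so standardize the columns (or check the loadings, as `dominant_features` does) before trusting the selected components.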
Step 5: Build the neural network model with a Python library. The neural network model consists of an input layer, a hidden layer and an output layer. The input layer receives the dimensionality-reduced feature values of the power distribution terminal: memory_use, cpu_use and $d_{flow}$; the output layer outputs the neural network result, i.e. the terminal state label state_flag; the hidden layer contains the initial weight of each feature value, the network objective function, the activation function, etc.
Step 5.1: Initialize the parameters. Since the neural network model has 3 features, 3 weights are initialized. The initial weights are generated by random sampling: the initial weight of each neuron
Figure GDA0003799315910000075
and the bias value $b_0$ are initialized to random numbers close to zero and are continuously updated during the subsequent training.
Step 5.2: Calculate the neural network activation value. The activation value of the neural network is the output of the first layer:
Figure GDA0003799315910000071
where $n$ is the iteration number and $i$ ($i = 1, 2, 3$) is the index of the DTU network feature information, with $X_1$ the memory occupancy rate memory_usage, $X_2$ the CPU utilization cpu_usage and $X_3$ the DTU average network traffic $d_{flow}$;
Figure GDA0003799315910000072
is the weight of the $i$-th feature value at the $n$-th iteration, and $b_n$ is the bias value of the neural network.
Step 5.3: Set the activation function. The Logistic function, also called the Sigmoid function, is used as the activation function for the hidden layer neuron output. Its range is (0,1), it maps any real number into the (0,1) interval, it is commonly used for binary classification, and its derivative can be expressed in terms of the function itself. The Sigmoid function and its derivative are:
Figure GDA0003799315910000073
Figure GDA0003799315910000074
Step 5.4: Define the loss function. The loss function measures the deviation between the actual and the predicted DTU state; in general, the larger the loss value, the larger the error of the neural network model and the worse its robustness, so the neural network takes minimizing the loss function as the optimization target during training. In the present invention the loss function is defined as:
Figure GDA0003799315910000081
Step 5.5: Optimize the parameters by gradient descent. The weights and bias values of the neural network model are solved iteratively:
Figure GDA0003799315910000082
Figure GDA0003799315910000083
step 5.6: and judging the state of the power distribution terminal. The output value of the neural network model is a numerical value in the (0,1) interval, when the output value is higher than the threshold value, the state of the power distribution terminal is safe and does not suffer from malicious network attacks, otherwise, the system is abnormal.
Step 6: Build the least squares support vector machine model with Python. The LSSVM maps the input vector to a high-dimensional feature space through a chosen nonlinear mapping, constructs the optimal decision function in that feature space based on the structural risk minimization principle, and replaces the dot product in the high-dimensional feature space with a kernel function of the original space. The specific steps are:
Step 6.1: Determine the classification surface and the optimal hyperplane equation of the DTU state. The classification surface and the hyperplane satisfy:
$H: w \cdot x + b = 0$
Figure GDA0003799315910000084
where $i$ ($i = 1, 2, 3$) is the index of the DTU network feature information, with $X_1$ the memory occupancy rate memory_usage, $X_2$ the CPU utilization cpu_usage and $X_3$ the DTU average network traffic $d_{flow}$; $w_i$ is the weight of the $i$-th feature value and $b$ is the offset of the plane.
Step 6.2: The LSSVM model converts the inequality constraints of the SVM optimization problem into equality constraints and introduces an error variable for each sample to handle the presence of a few special points. With a regularization term for the error variables in the objective function, the LSSVM optimization problem becomes:
Figure GDA0003799315910000091
Step 6.3: First convert the LSSVM optimization problem into its Lagrange function, where $\alpha_i$ is the Lagrange multiplier corresponding to $x_i$:
Figure GDA0003799315910000092
The Lagrange function is then differentiated with respect to each variable and the derivatives are set to zero:
Figure GDA0003799315910000093
Finally, the equation system is written in block matrix form and solved with the kernel function for the Lagrange multipliers $\alpha = [\alpha_1, \alpha_2, \ldots, \alpha_N]^T$ and $b$.
Step 6.4: Output the state of the power distribution terminal. The output of the least squares support vector machine is a value in the (-1,1) interval; when the LSSVM model output is less than 0 the system is abnormal, otherwise it is normal.
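Steps 6.2 to 6.4 carried through in code, as an added example rather than the patent's implementation. The block matrix system of step 6.3 is the standard LSSVM dual, with $\Omega_{ij} = y_i y_j K(x_i, x_j)$, the regularization parameter $\gamma$ on the diagonal and the first row enforcing $\sum_i \alpha_i y_i = 0$; a Gaussian kernel stands in for the unspecified kernel function, and $\gamma$, the kernel width and the training samples are assumptions.

```python
import numpy as np


def rbf_kernel(A, B, sigma):
    """Gaussian kernel K(a, b) = exp(-||a - b||^2 / (2 sigma^2)): the kernel that
    replaces the dot product in the high-dimensional feature space (step 6)."""
    A = np.atleast_2d(np.asarray(A, float))
    B = np.atleast_2d(np.asarray(B, float))
    d2 = ((A[:, None, :] - B[None, :, :]) ** 2).sum(axis=2)
    return np.exp(-d2 / (2.0 * sigma ** 2))


class LSSVM:
    """Least squares SVM: equality constraints with error variables e_i (step 6.2)
    lead to the linear system (step 6.3)
        [ 0      y^T          ] [ b     ]   [ 0 ]
        [ y   Omega + I/gamma ] [ alpha ] = [ 1 ]
    with Omega_ij = y_i y_j K(x_i, x_j); decision value sum_i alpha_i y_i K(x_i, x) + b."""

    def __init__(self, gamma=10.0, sigma=0.5):
        self.gamma, self.sigma = gamma, sigma

    def fit(self, X, y):
        X = np.asarray(X, float)
        y = np.asarray(y, float)             # labels +1 (normal) / -1 (abnormal)
        n = len(X)
        omega = np.outer(y, y) * rbf_kernel(X, X, self.sigma)
        A = np.zeros((n + 1, n + 1))
        A[0, 1:] = y
        A[1:, 0] = y
        A[1:, 1:] = omega + np.eye(n) / self.gamma
        rhs = np.concatenate(([0.0], np.ones(n)))
        sol = np.linalg.solve(A, rhs)        # one linear solve instead of quadratic programming
        self.b, self.alpha = float(sol[0]), sol[1:]
        self.X, self.y = X, y
        return self

    def decision(self, X):
        return rbf_kernel(X, self.X, self.sigma) @ (self.alpha * self.y) + self.b

    def predict(self, X):
        """Step 6.4: output below 0 -> abnormal (-1), otherwise normal (+1)."""
        return np.where(self.decision(X) < 0, -1, 1)


# Constructed reduced samples [memory_usage, cpu_usage, d_flow] with +1 = normal, -1 = attacked.
LSSVM_X = [
    [0.35, 0.20, 0.10], [0.40, 0.25, 0.15], [0.38, 0.30, 0.12], [0.42, 0.22, 0.20],
    [0.70, 0.85, 0.80], [0.75, 0.90, 0.90], [0.68, 0.80, 0.75], [0.80, 0.88, 0.95],
]
LSSVM_Y = [1, 1, 1, 1, -1, -1, -1, -1]

if __name__ == "__main__":
    clf = LSSVM().fit(LSSVM_X, LSSVM_Y)
    print(clf.predict(LSSVM_X), np.round(clf.decision([[0.40, 0.25, 0.12], [0.75, 0.88, 0.85]]), 3))
```

Unlike a standard SVM, every training sample ends up with a nonzero $\alpha_i$, so the model size grows with the training set; the benefit the patent relies on is that training is a single linear solve rather than a quadratic program.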
Step 7: Perform ensemble learning on the neural network model and the least squares support vector machine model with the AdaBoost algorithm, forming a strong classifier that judges the state of the power distribution terminal DTU.
Step 7.1: as shown in fig. 3. And the model parameters are adjusted through the training results, so that the performance of the model is optimal in the classification of the industrial power control attack, and the intrusion detection of the DTU of the power distribution terminal is realized. The method comprises the following specific steps:
the sample data is divided into 8 parts in equal proportion and recorded as a sample S1, a sample S2, a sample S3, a sample S4, a sample S5, a sample S6, a sample S7 and a sample S8.
Seven parts are used for training and one for testing. Specifically, samples S2, S3, S4, S5, S6, S7 and S8 are first used to train the classifier model and sample S1 to test the evolution model, and the output model is recorded as H1; then samples S1, S3, S4, S5, S6, S7 and S8 are used for training and sample S2 for testing, and the output model is recorded as H2; in the same way, each of the remaining samples (S3, S4, S5, S6, S7 and S8) in turn serves as the test data set with the other samples as the training data set, giving output models H3, H4, H5, H6, H7 and H8.
In summary, one round of training yields 8 prediction outputs, and
Figure GDA0003799315910000101
is taken as the classification error rate of the first classifier, denoted $e_{NN}$.
And 7.2: calculating the weight coefficient alpha of the first classifier in the strong classifier evolution model NN
Figure GDA0003799315910000102
Step 7.3: the weight distribution of the training sample set is updated,
$D_2 = (w_{2,1}, \ldots, w_{2,i}, \ldots, w_{2,N})$
Figure GDA0003799315910000103
Figure GDA0003799315910000104
wherein N refers to the number of samples; d 2 Representing the updated weight set; w is a 2,i Weight, w, representing updated ith sample data 1,i Weight of ith sample data to initialize, w 1,i =1/N, i =1,2, …, N; z is a normalization factor for ensuring D 2 The sum of the total weights is 1,y i To true value, G 1 (x i ) Is the predicted value of the first classifier, when the prediction is correct, y i G 1 (x i ) =1, when prediction error, y i G 1 (x i ) = -1; alpha is weight parameter, 0 < alpha < 1, alpha is larger, w is 2,i The more obvious the updating effect is;
step 7.4: dividing the training sample set with updated weight distribution into 8 parts in equal proportion, training 7 parts of the training samples, testing 1 part of the samples, training and verifying the second classifier, traversing one round of training to obtain the classification error rate of the second classifier, and recording as e LSSVM
Step 7.5: calculating the weight coefficient alpha of the second classifier in the strong classifier evolution model LSSVM
Figure GDA0003799315910000105
Step 7.6: constructing a trained strong classifier evolution model, and expressing as follows:
$G(x) = \mathrm{sign}(f(x))$
$f(x) = \alpha_{NN} G_{NN}(x) + \alpha_{LSSVM} G_{LSSVM}(x)$
where $G(x)$ is the strong classifier evolution model, $f(x)$ is the linear combination of the two classifiers, $\alpha_{NN}$ and $\alpha_{LSSVM}$ are the weight coefficients expressing the importance of the first and second classifier, and $\mathrm{sign}(\cdot)$ outputs 1 when the system is judged normal and -1 when it is judged abnormal, which completes the classification.
The above classification error rate (weighted error function) is calculated by:
Figure GDA0003799315910000111
Figure GDA0003799315910000112
wherein N refers to the number of samples; g NN (x i ) And G LSSVM (x i ) Respectively representing NN and LSSVM models with respect to a sample x i (x i1 ,x i2 ,x i3 ) An output of (d); y is i A label (normal is 1, abnormal is-1) indicating the actual state of the sample; p (G) NN (x i )≠y i ) And P (G) LSSVM (x i )≠y i ) Representing two models versus sample x i (x i1 ,x i2 ,x i3 ) The probability of a false positive; w is a NNi And w LSSVMi Representing the DTU sample x of the current round i (x i1 ,x i2 ,x i3 ) The weight distribution of the data set, rather than the parameters internal to the classifier.
Step 8: the working block diagram of the DTU-oriented intrusion detection system is shown in Fig. 4. The evolution model performs intrusion detection on the DTU data, determines whether the power distribution terminal is in a normal working state or in an abnormal state under attack, and raises an alarm if the state is abnormal, thereby implementing intrusion detection and active defense for the power distribution terminal.
In one embodiment, the invention further provides a machine learning based DTU intrusion detection system for a power distribution terminal, comprising:
the data collection subsystem is used for collecting DTU information data of the power distribution terminal;
the data transmission subsystem is used for transmitting the data collected by the data collection subsystem to the data processing subsystem;
and the data processing subsystem is used for preprocessing the DTU information data, extracting the characteristic value, constructing and training a strong classifier evolution model, detecting the working state of the DTU of the power distribution terminal in real time by using the trained strong classifier evolution model, and sending an alarm if the state is abnormal.
Wherein, the data processing subsystem includes:
the data preprocessing module is used for preprocessing DTU information data to obtain an original feature set, screening out a preset number of features from the original feature set through a principal component analysis method to serve as final features, and obtaining a training sample set;
the first classifier module is configured with a neural network model consisting of an input layer, a hidden layer and an output layer;
a second classifier module configured with a least squares support vector machine model;
the classifier training module is used to train the first classifier module and the second classifier module respectively, as follows:
in the training of the first classifier module, the original training sample set is used as training data; the first classifier is trained and verified by 8-fold cross-validation, its weight coefficient is obtained, and the trained first classifier model file is stored;
then the weight distribution of the original training sample set is updated according to the training result of the first classifier; the second classifier is trained and verified by 8-fold cross-validation with the updated training sample set as training data, its weight coefficient is obtained, and the trained second classifier model file is stored;
and the strong classifier evolution model building module is used for loading the trained first classifier model file and the trained second classifier model file and building a strong classifier evolution model according to the weight coefficients of the two classifiers so as to carry out real-time detection on the working state of the DTU of the power distribution terminal.
The machine learning based DTU intrusion detection system for the power distribution terminal specifically comprises port identification, data acquisition and transmission, data processing and dimension reduction for the power distribution terminal, construction of a classifier based on a neural network and a least squares support vector machine, intrusion detection experiments on the power distribution terminal, and timely alarming when an anomaly occurs. The method first reduces the high-dimensional feature data by principal component analysis and builds the model on the reduced features; second, a strong classifier is constructed from a least squares support vector machine and a neural network to improve detection accuracy and reduce the false alarm rate; finally, the intrusion detection system framework is modular, suited to intrusion detection in the smart grid field, and has good portability and generality.
The foregoing merely lists specific embodiments of the invention. The invention is obviously not limited to the above embodiments, and many variations are possible. All modifications that a person skilled in the art can derive or infer from the disclosure of the invention are to be considered within its scope.

Claims (8)

1. A DTU intrusion detection method of a power distribution terminal based on machine learning is characterized by comprising the following steps:
step 1: establishing a C/S communication framework of a server-client, creating a socket object, and collecting DTU information data of a power distribution terminal;
step 2: preprocessing DTU information data to obtain an original feature set, screening out a preset number of features from the original feature set through a principal component analysis method to serve as final features, and obtaining a training sample set;
and step 3: building a neural network model composed of an input layer, a hidden layer and an output layer as a first classifier, wherein the input layer is responsible for receiving the screened final characteristics, the hidden layer is used for processing characteristic values and comprises initial weights, network objective functions and activation functions of the characteristic values, and the output layer is responsible for outputting neural network results;
and 4, step 4: building a least square support vector machine model as a second classifier, mapping the screened final features to a high-dimensional feature space through nonlinear mapping, then constructing an optimal decision function in the high-dimensional feature space based on a structural risk minimization principle, replacing dot product operation in the high-dimensional feature space with a kernel function of an original space, and outputting a result of the least square support vector machine;
and 5: performing ensemble learning on the first classifier and the second classifier to form a strong classifier evolution model; in ensemble learning, firstly, training and verifying a first classifier in an 8-fold cross verification mode by using a training sample set to obtain a classification error rate of the first classifier, and further calculating a weight coefficient of the first classifier in a strong classifier evolution model; then updating the weight distribution of the training sample set to increase the weight of the sample with wrong prediction in the first classifier and decrease the weight with correct prediction, and then normalizing all weights; training and verifying the second classifier by using the training sample set with the updated weight distribution in an 8-fold cross verification mode to obtain a classification error rate of the second classifier, and further calculating a weight coefficient of the second classifier in a strong classifier evolution model; finally, forming a trained strong classifier evolution model;
step 6: acquiring DTU information data of the power distribution terminal in real time through a C/S communication framework of a server-client, extracting features according to the screening result of the step 3, carrying out real-time intrusion detection on the DTU feature data by using a trained strong classifier evolution model, judging whether the DTU of the power distribution terminal is in a normal working state or in an abnormal working state suffering from attack, and giving an alarm if the DTU is in the abnormal working state.
2. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 1 specifically comprises:
step 1.1: respectively creating socket objects of the DTU and the host;
step 1.2: binding a server address to realize communication between the power distribution terminal and the host;
step 1.3: the method comprises the steps that a host periodically collects DTU information data of a power distribution terminal;
if an acquired numerical feature variable has a missing value, the feature is completed by linear interpolation, namely
Figure FDA0003799315900000021
where $y_0$ and $x_0$ are the feature value and line number of the previous record of the DTU feature data, and $y_1$ and $x_1$ are the feature value and line number of the next record.
3. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 2 specifically comprises:
step 2.1: calculating the connection duration t of the DTU and the host of the power distribution terminal link
t link =t cls -t str
Wherein, t cls Time stamp indicating disconnection, t str A time stamp indicating when the connection is started;
step 2.2: calculating the average received data byte number d of the DTU of the power distribution terminal receive_byte
Figure FDA0003799315900000022
Wherein d is receive_bit Represents t link The number of bits of the received data in time;
step 2.3: calculating the average sending data byte number d of the DTU of the power distribution terminal send_byte
Figure FDA0003799315900000023
Wherein d is send_bit Represents t link The number of bits of the transmitted data in time;
step 2.4: calculating average network flow d of DTU of power distribution terminal flow
d flow =|d send_byte -d receive_byte |
Wherein d is flow Is shown at t link Average network flow of a power distribution terminal DTU within time;
step 2.5: taking the memory occupancy rate, the CPU utilization rate, the destination address of the data packet, the source address of the data packet, the length of the data packet, the power consumption, the temperature, the continuous duration, the number of bytes of average received data, the number of bytes of average sent data and the average network flow as original characteristics; and (3) performing eigenvalue decomposition on the covariance matrix of the acquired DTU characteristic data original characteristic sample by a principal component analysis method, solving an eigenvector, selecting the first q principal component characteristics as final characteristics according to the magnitude of the eigenvector value, and acquiring a training sample set.
4. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 3 specifically comprises:
step 3.1: building a neural network model composed of an input layer, a hidden layer and an output layer as a first classifier;
step 3.2: initializing parameters of the neural network model, wherein the weight of each neuron is randomly generated to generate initialization weights
Figure FDA0003799315900000031
And an offset value b 0 Initializing the random number; setting an activation function and a loss function;
step 3.3: pre-training a neural network model using a first sample set, first computing a neural network activation value,
Figure FDA0003799315900000032
where $n$ is the iteration number, $X_i$ is the $i$-th feature in the training sample set, $q$ is the total number of features in the training sample set,
Figure FDA0003799315900000033
is the weight of the $i$-th feature value at the $n$-th iteration and $b_n$ is the neural network bias value; the activation value lies in the range (-1, 1), and when the final neural network output is above the threshold the power distribution terminal is in a safe state, otherwise it is abnormal;
step 3.4: performing iterative training on the neural network model according to the loss function value, optimizing parameters by adopting a gradient descent method,
Figure FDA0003799315900000034
Figure FDA0003799315900000035
where $w_{n+1}$ is the weight at the $(n+1)$-th iteration, $w_n$ the weight at the $n$-th iteration, $x$ the feature data vector of a sample, and $J_n(w, b)$ the loss function, i.e. the square of the difference between the predicted value and the actual value,
Figure FDA0003799315900000036
is the output value of the neural network model,
Figure FDA0003799315900000037
is the predicted value of the terminal state given by the activation function; $b_{n+1}$ is the neural network bias value at the $(n+1)$-th iteration and $b_n$ the bias value at the $n$-th iteration.
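Steps 3.2 to 3.4 as an added Python example (not the patent's code): a small input-hidden-output tanh network with random initial weights and bias, a squared-error loss and full-batch gradient descent on $w$ and $b$, finished with the page's threshold rule on the output. The network size, learning rate, epoch count, random seed and training vectors are this example's assumptions.

```python
import math
import random

# Constructed DTU feature vectors (normalised CPU, memory, network flow) with labels
# +1 = normal, -1 = abnormal. Invented for this example, not measurements from the patent.
NN_TRAIN = [
    ((0.10, 0.15, 0.05), 1), ((0.20, 0.10, 0.10), 1), ((0.15, 0.20, 0.08), 1), ((0.25, 0.18, 0.12), 1),
    ((0.90, 0.85, 0.70), -1), ((0.95, 0.80, 0.90), -1), ((0.85, 0.90, 0.75), -1), ((0.80, 0.95, 0.80), -1),
]


class TinyNet:
    """Input layer -> one hidden layer of tanh units -> single tanh output in (-1, 1) (claim 4)."""

    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)                      # step 3.2: random initial weights and bias
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = rng.uniform(-0.5, 0.5)

    def forward(self, x):
        """Step 3.3: activation = tanh(sum_i w_i X_i + b) at each layer; returns (hidden, output)."""
        h = [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        o = math.tanh(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, o

    def loss(self, data):
        """J(w, b): mean squared difference between the output and the label."""
        return sum((self.forward(x)[1] - y) ** 2 for x, y in data) / len(data)

    def train(self, data, lr=0.1, epochs=3000):
        """Step 3.4: full-batch gradient descent, w_{n+1} = w_n - lr * dJ/dw, b_{n+1} = b_n - lr * dJ/db."""
        n = len(data)
        for _ in range(epochs):
            g_w1 = [[0.0] * len(row) for row in self.w1]
            g_b1 = [0.0] * len(self.b1)
            g_w2 = [0.0] * len(self.w2)
            g_b2 = 0.0
            for x, y in data:
                h, o = self.forward(x)
                d_out = 2.0 * (o - y) * (1.0 - o * o) / n        # dJ/d(output pre-activation)
                g_b2 += d_out
                for j, hj in enumerate(h):
                    g_w2[j] += d_out * hj
                    d_hid = d_out * self.w2[j] * (1.0 - hj * hj)  # back-propagated to hidden unit j
                    g_b1[j] += d_hid
                    for i, xi in enumerate(x):
                        g_w1[j][i] += d_hid * xi
            for j in range(len(self.w2)):
                self.w2[j] -= lr * g_w2[j]
                self.b1[j] -= lr * g_b1[j]
                for i in range(len(self.w1[j])):
                    self.w1[j][i] -= lr * g_w1[j][i]
            self.b2 -= lr * g_b2
        return self.loss(data)

    def predict(self, x, threshold=0.0):
        """Page rule: output above the threshold -> safe (+1), otherwise abnormal (-1)."""
        return 1 if self.forward(x)[1] > threshold else -1
```

The gradients are accumulated over the whole batch before any parameter moves, so one epoch is one step of the update rule in the claim; the threshold is left as a parameter because the page states the rule without fixing the value.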
5. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 4 specifically comprises:
step 4.1: building a least square support vector machine model as a second classifier;
step 4.2: determining a classification surface and an optimal hyperplane equation of the DTU state, wherein the classification surface and the optimal hyperplane satisfy the following conditions:
H:w·x+b=0
Figure FDA0003799315900000041
wherein, X i Representing the ith feature in the training sample set, q being the total number of features in the training sample set, w i Representing the weight of the ith characteristic value, b representing the offset value of the plane, x representing the characteristic data vector of a sample, and w representing the hyperplane parameter;
step 4.3: the least squares support vector machine model converts the inequality constraints of the SVM optimization problem into equality constraints, introduces an error variable for each sample and adds a regularization term on the error variables to the objective, so that the optimization problem becomes:
Figure FDA0003799315900000042
where $\|\cdot\|_2$ denotes the L2 norm, $\lambda$ the regularization coefficient, $N$ the number of samples, $e_i$ the error variable of the sample,
Figure FDA0003799315900000043
the geometric margin of the sample, and $y_i$ the true value of the $i$-th sample;
step 4.4: pre-training a least square support vector machine model by using a first sample set;
firstly, the optimization problem is firstly converted into Lagrange function, wherein alpha i Represents a correspondence x i The Lagrange multiplier of (a) is,
Figure FDA0003799315900000044
the Lagrange function is then derived for each variable and its derivative is zero:
Figure FDA0003799315900000045
finally, the equation set is written into block momentsIn the form of an array equation, solving Lagrange multiplier alpha = [ alpha ] by using a kernel function 12 ,...,α N ] T And b;
step 4.5: the output of the least squares support vector machine model is a numerical value in the interval (-1, 1); when the final output of the least squares support vector machine is above 0 the power distribution terminal is in a safe state, otherwise it is abnormal.
6. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 5 specifically comprises:
step 5.1: dividing the training sample set into 8 parts in equal proportion; using 7 of the samples for training, 1 sample for testing, the classification error rate e is obtained i (x) (ii) a Go through a round of training to obtain 8 times of prediction output results in total, will
Figure FDA0003799315900000051
The classification error rate as the first classifier is denoted as e NN
Step 5.2: calculating the weight coefficient alpha of the first classifier in the strong classifier evolution model NN
Figure FDA0003799315900000052
Step 5.3: the weight distribution of the training sample set is updated,
$D_2 = (w_{2,1}, \ldots, w_{2,i}, \ldots, w_{2,N})$
Figure FDA0003799315900000053
Figure FDA0003799315900000054
where $N$ is the number of samples; $D_2$ is the updated weight set; $w_{2,i}$ is the updated weight of the $i$-th sample and $w_{1,i}$ its initial weight, $w_{1,i} = 1/N$, $i = 1, 2, \ldots, N$; $Z$ is a normalization factor ensuring that the weights in $D_2$ sum to 1; $y_i$ is the true value and $G_1(x_i)$ the prediction of the first classifier, so $y_i G_1(x_i) = 1$ when the prediction is correct and $y_i G_1(x_i) = -1$ when it is wrong; $\alpha$ is the weight parameter, $0 < \alpha < 1$, and the larger $\alpha$ is, the stronger the update of $w_{2,i}$;
step 5.4: dividing the training sample set with updated weight distribution into 8 parts in equal proportion, training 7 parts of the training samples, testing 1 part of the samples, training and verifying the second classifier, traversing one round of training to obtain the classification error rate of the second classifier, and recording as e LSSVM
Step 5.5: calculating the weight coefficient alpha of the second classifier in the strong classifier evolution model LSSVM
Figure FDA0003799315900000061
Step 5.6: constructing a trained strong classifier evolution model, and expressing as follows:
$G(x) = \mathrm{sign}(f(x))$
$f(x) = \alpha_{NN} G_{NN}(x) + \alpha_{LSSVM} G_{LSSVM}(x)$
where $G(x)$ is the strong classifier evolution model, $f(x)$ the linear combination of the two classifiers, $G_{NN}(x)$ and $G_{LSSVM}(x)$ the outputs of the NN model and the LSSVM model respectively, $\alpha_{NN}$ and $\alpha_{LSSVM}$ the weight coefficients expressing the importance of the first and second classifier, and $\mathrm{sign}(\cdot)$ outputs 1 when the system is judged normal and -1 when it is judged abnormal, which completes the classification.
7. A DTU intrusion detection system for a power distribution terminal based on machine learning based on the method of claim 1, comprising:
the data collection subsystem is used for collecting DTU information data of the power distribution terminal;
the data transmission subsystem is used for transmitting the data collected by the data collection subsystem to the data processing subsystem;
and the data processing subsystem is used for preprocessing the DTU information data, extracting the characteristic value, constructing and training a strong classifier evolution model, detecting the working state of the DTU of the power distribution terminal in real time by using the trained strong classifier evolution model, and sending an alarm if the state is abnormal.
8. The DTU intrusion detection system according to claim 7, wherein the data processing subsystem comprises:
the data preprocessing module is used for preprocessing DTU information data to obtain an original feature set, screening out a preset number of features from the original feature set through a principal component analysis method to serve as final features, and obtaining a training sample set;
the first classifier module is configured with a neural network model consisting of an input layer, a hidden layer and an output layer;
a second classifier module configured with a least squares support vector machine model;
the classifier training module is used to train the first classifier module and the second classifier module respectively, as follows:
in the training of the first classifier module, the original training sample set is used as training data; the first classifier is trained and verified by 8-fold cross-validation, its weight coefficient is obtained, and the trained first classifier model file is stored;
then the weight distribution of the original training sample set is updated according to the training result of the first classifier; the second classifier is trained and verified by 8-fold cross-validation with the updated training sample set as training data, its weight coefficient is obtained, and the trained second classifier model file is stored;
and the strong classifier evolution model building module is used for loading the trained first classifier model file and the trained second classifier model file and building a strong classifier evolution model according to the weight coefficients of the two classifiers so as to carry out real-time detection on the working state of the DTU of the power distribution terminal.
Application CN202011073339.6A, filed 2020-10-09 (priority date 2020-10-09), status Active: Power distribution terminal DTU intrusion detection method and system based on machine learning.

Publications:
CN112187820A (en), published 2021-01-05
CN112187820B (en), published 2022-10-21

Family ID: 73948595
Country: CN


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant