CN112565187B - Power grid attack detection method, system, equipment and medium based on logistic regression - Google Patents


Publication number
CN112565187B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011210680.1A
Other languages
Chinese (zh)
Other versions
CN112565187A (en)
Inventor
徐波丰
张萌
周子田
胡少轶
骆可
李胜
贺亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TBEA Xinjiang Sunoasis Co Ltd
Original Assignee
TBEA Xinjiang Sunoasis Co Ltd
Application filed by TBEA Xinjiang Sunoasis Co Ltd
Priority to CN202011210680.1A
Publication of CN112565187A
Application granted
Publication of CN112565187B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Complex Calculations (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of intrusion detection for smart grid information and data security, and discloses a method, system, equipment and medium for detecting power grid attacks based on logistic regression. The method comprises: obtaining data to be detected, the data to be detected being the measurement value data of each node of the smart grid; and inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the smart grid, where a node whose attack probability is greater than a preset probability threshold is determined to be under FDI attack. The attack detection model is obtained by training a logistic regression model on a sample data set comprising a plurality of samples, each sample comprising historical measurement value data of a node and whether that node was under FDI attack. The attack detection model is a binary classification model based on logistic regression; intrusion detection is realized by modeling the measurement value data of each node in the power grid, an attack on the smart grid can be localized to a specific node, and the implementation is simple.

Description

Power grid attack detection method, system, equipment and medium based on logistic regression
Technical Field
The invention belongs to the field of intrusion detection of smart grid information data security, and relates to a method, a system, equipment and a medium for detecting power grid attack based on logistic regression.
Background
Modern smart grid systems are typical cyber-physical systems that integrate a physical power transmission system with a networked computing and communication infrastructure. While advances in networked sensing, communication and intelligent measurement devices have significantly enhanced the operation and reliability of power systems, their dependence on data communications makes them vulnerable to network attacks.
FDI (False Data Injection) attacks manipulate power system measurements in a way that mimics the real behavior of the system and remains undiscovered, which misleads the state estimation process and may lead to power outages or even system outages. Existing FDI attack detection methods are limited by statistical knowledge assumptions, complexity and hardware cost, and most of them focus on detecting the existence of an FDI attack, so the important information of the exact attack position cannot be obtained and targeted defense is difficult.
Therefore, from the viewpoint of the safe operation requirements of the modern smart grid, it is of great significance to find a detection and localization method that can both effectively detect the existence of an FDI attack and obtain the specific attack position.
Disclosure of Invention
The invention aims to overcome the shortcoming of the prior art that FDI attack detection methods concentrate on detecting the existence of an FDI attack but cannot obtain information such as the exact attack position, which makes targeted defense difficult, and provides a power grid attack detection method, system, equipment and medium based on logistic regression.
To achieve this purpose, the invention adopts the following technical scheme:
The invention provides a power grid attack detection method based on logistic regression, which comprises the following steps:
acquiring data to be detected, where the data to be detected is the measurement value data of each node of the smart grid;
inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the smart grid; when the attack probability is greater than a preset probability threshold, the current node is under FDI attack;
the attack detection model is obtained by training a logistic regression model on a sample data set, where the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and whether that node was under FDI attack.
The power grid attack detection method based on logistic regression is further improved in that:
Before the data to be detected is input into the preset attack detection model, measurement value data whose residual is greater than a preset residual threshold is filtered out of the data to be detected.
The attack detection model is established in the following way:
acquiring the topological structure of the smart grid, the transmission line data and the historical data of each node;
constructing a sample data set by simulating FDI attacks according to the topological structure of the smart grid, the transmission line data and the historical data of each node, and dividing it into a training set and a testing set;
training a preset logistic regression model with the training set to obtain an initial attack detection model;
and testing the initial attack detection model with the testing set, evaluating its detection performance according to the test result, and obtaining the attack detection model when the detection performance meets the preset detection requirement.
The historical data comprise the phase angle (argument) and magnitude (modulus) of the voltage at each historical moment; the topological structure comprises the connection state of the smart grid and the disconnection status of the lines; and the transmission line data comprise the admittance of the lines.
The specific method for evaluating the detection performance of the initial attack detection model according to the test result is as follows:
The precision, recall and F1 value of the initial attack detection model are obtained from the test result; when the precision, recall and F1 value are all greater than their preset corresponding thresholds, the detection performance meets the preset detection requirement.
When the preset logistic regression model is trained with the training set, the model parameters of the logistic regression model are optimized by gradient descent.
In a second aspect of the present invention, a logistic regression-based power grid attack detection system includes:
the data acquisition module, used for acquiring data to be detected, where the data to be detected is the measurement value data of each node of the smart grid; and
the detection module, used for inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the smart grid; when the attack probability is greater than a preset probability threshold, the current node is under FDI attack;
the attack detection model is obtained by training a logistic regression model on a sample data set, where the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and whether that node was under FDI attack.
The power grid attack detection system based on logistic regression is further improved in that:
it further includes an error data detection module, used for filtering out of the data to be detected the measurement value data whose residual is greater than a preset residual threshold.
In a third aspect of the present invention, a computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the steps of the logistic regression-based power grid attack detection method are implemented when the processor executes the computer program.
In a fourth aspect of the present invention, a computer readable storage medium stores a computer program which, when executed by a processor, implements the steps of the logistic regression-based grid attack detection method described above.
Compared with the prior art, the invention has the following beneficial effects:
According to the power grid attack detection method based on logistic regression, the obtained measurement value data of each node of the smart grid is input into the preset attack detection model to obtain the attack probability of each node, and the attack status of each node is then determined with the preset probability threshold. The attack detection model is a binary classification model based on logistic regression; intrusion detection is realized by modeling the measurement value data of each node in the power grid, and an attack on the smart grid can be localized to a specific node. Compared with existing FDI attack detection methods, the method is not limited by statistical knowledge assumptions, complexity and hardware cost, and is simple to implement.
Further, error data in the data to be detected is filtered out with a preset residual threshold, which prevents the error data from affecting subsequent detection and improves the accuracy and reliability of the detection result.
Drawings
FIG. 1 is a flowchart of a power grid attack detection method based on logistic regression according to an embodiment of the present invention;
fig. 2 is a block diagram of a power grid attack detection system based on logistic regression according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the attached drawing figures.
Referring to fig. 1, in one embodiment of the present invention, a power grid attack detection method based on logistic regression is provided, which overcomes the defect that existing FDI attack detection technology can only detect the existence of an FDI attack and cannot determine its position. A trained logistic regression model is used as a multi-label classifier to capture the inconsistency in the power flow measurements caused by a potential attack and to examine the measurement value data of each node. The problem of locating an FDI attack is thereby expressed as the classification problem of whether each node is under FDI attack, so that the attack position can be located accurately. Specifically, the power grid attack detection method based on logistic regression comprises the following steps.
S1: Acquire data to be detected, where the data to be detected is the measurement value data of each node of the smart grid.
The measurement value data of the power grid at the current moment and at historical moments is obtained from the real-time monitoring device of the smart grid. In this embodiment, each node is assumed by default to have only one detection instrument, which may be a voltage detection instrument.
S2: Input the data to be detected into a preset attack detection model to obtain the attack probability of each node of the smart grid; when the attack probability is greater than a preset probability threshold, the current node is under FDI attack. The attack detection model is obtained by training a logistic regression model on a sample data set, where the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and whether that node was under FDI attack.
Specifically, in this embodiment the measurement value data of each node is examined mainly by the preset attack detection model, so the attack detection model must first be established. Once established, it can be used for detection continuously without being rebuilt.
In this embodiment, the following method for establishing an attack detection model is provided.
S201: Acquire the topological structure of the smart grid, the transmission line data and the historical data of each node.
Specifically, as described in S1, the historical data of each node is obtained from the real-time monitoring device of the smart grid, and the topological structure and transmission line data of the smart grid are obtained from the control device or the design data of the energy grid. The historical data comprise the phase angle (argument) and magnitude (modulus) of the voltage at each historical moment; the topological structure comprises the connection state of the smart grid and the disconnection status of the lines; and the transmission line data comprise the admittance of the lines.
S202: Construct a sample data set by simulating FDI attacks according to the topological structure of the smart grid, the transmission line data and the historical data of each node, and divide the sample data set into a training set and a testing set.
Specifically, the method comprises the following steps.
S211: Establish a state estimation model of the power system:
$z = Hx + e \quad (1)$
where H is a Jacobian matrix obtained from the grid topology information, representing the relationship between the measurement vector z and the state vector x, and e is the measurement noise vector, whose values obey a normal distribution with expected value 0.
S212: Simulate a false data injection attack, in which the attack vector a is:
$a = Hc \quad (2)$
where c is a non-zero column vector. The traditional error data detection module makes its decision based on the residual, and the attack vector a of the false data injection attack satisfies:
$\|z + a - H(x + c)\| = \|z - Hx + (a - Hc)\| = \|z - Hx\| \le \tau \quad (3)$
where τ is the threshold of the error data detection module and $\|\cdot\|$ denotes the 2-norm operator. When the attack vector a satisfies the above formula, the false data injection attack can pass the standard error data detection module.
The error data detection module makes its decision based on the residual. In statistics, the residual is the difference between the actual observed value and the estimated (fitted) value; here it is the difference between the observed value z and the estimated grid state Hx. The module compares the L2 norm of the residual with the threshold τ to check whether low-quality data exists; as long as the following condition is met,
Figure BDA0002758733830000071
The detector declares that an attack is present.
S213: When the power system is under FDI attack, the state estimation model of the power system is established as:
$z + a = Hx + e \quad (4)$
The state estimation result at this time can be obtained using the weighted least squares method:
$x_{bad} = (H^T R^{-1} H)^{-1} H^T R^{-1} (z + a) = x + c \quad (5)$
S214: Construct a data set of FDI attacks. The input data set is the measured value of each instrument under attack, and the output data set is the attacked status of each instrument: 1 if attacked, 0 if not attacked. Specifically, the data set comprises two matrices. In the input matrix, the columns represent the meter readings (voltages) of each node and the rows represent the number of such data sets; for example, a 10000 x 18 matrix holds 18 meter readings at 10000 different times. The output matrix has the same dimensions, 10000 x 18, and indicates whether each node is attacked at each time.
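The residual test of S212 and the attack construction of equations (2) to (5), worked through as an added example (not code from the patent): the 5-meter, 3-state matrix H, the noise values, R and τ are constructed assumptions. It shows that a = Hc leaves the residual unchanged while the estimate moves by c, that an ordinary single-meter error is caught, and how one S214 label row follows from a.

```python
import math

# Constructed 5-meter, 3-state linear model z = Hx + e (equation (1)); not the patent's grid.
H = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, -1, 0], [0, 1, -1]]
X_TRUE = [1.0, 0.5, -0.2]                       # constructed state vector x
NOISE = [0.01, -0.02, 0.015, 0.005, -0.01]      # constructed measurement noise e
R_DIAG = [0.02 ** 2] * len(H)                   # assumed diagonal noise covariance R
TAU = 0.1                                       # assumed residual threshold tau


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [[float(v) for v in row] + [float(bi)] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("gain matrix is singular: state not observable")
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][k] * x[k] for k in range(i + 1, n))) / M[i][i]
    return x


def wls_estimate(H, z, r_diag):
    """Weighted least squares: (H^T R^-1 H)^-1 H^T R^-1 z, as in equation (5)."""
    w = [1.0 / r for r in r_diag]
    n, rows = len(H[0]), range(len(H))
    gain = [[sum(w[i] * H[i][p] * H[i][q] for i in rows) for q in range(n)] for p in range(n)]
    rhs = [sum(w[i] * H[i][p] * z[i] for i in rows) for p in range(n)]
    return solve(gain, rhs)


def residual_norm(H, z, r_diag):
    """2-norm of z - H x_hat, the quantity compared with tau in equation (3)."""
    x_hat = wls_estimate(H, z, r_diag)
    return math.sqrt(sum((zi - hi) ** 2 for zi, hi in zip(z, matvec(H, x_hat))))


def bad_data_detected(H, z, r_diag, tau=TAU):
    return residual_norm(H, z, r_diag) > tau


Z_CLEAN = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
C = [0.0, 0.3, 0.0]                              # constructed non-zero vector c
A = matvec(H, C)                                 # attack vector a = Hc, equation (2)
Z_FDI = [z + a for z, a in zip(Z_CLEAN, A)]
Z_GROSS = [z + (0.3 if i == 1 else 0.0) for i, z in enumerate(Z_CLEAN)]  # one faulty meter
LABELS = [1 if a != 0 else 0 for a in A]         # S214 output row: 1 = attacked meter

if __name__ == "__main__":
    for name, z in (("clean", Z_CLEAN), ("a = Hc", Z_FDI), ("gross error", Z_GROSS)):
        print(f"{name:12s} residual={residual_norm(H, z, R_DIAG):.4f} "
              f"flagged={bad_data_detected(H, z, R_DIAG)} x_hat={wls_estimate(H, z, R_DIAG)}")
    print("per-meter labels for the a = Hc row:", LABELS)
```

Because the residual check cannot distinguish the a = Hc row from the clean row, localization has to come from a second stage that looks at the readings themselves.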
S203: Train a preset logistic regression model with the training set to obtain an initial attack detection model.
Specifically, the method comprises the following steps.
S221: in this embodiment, the hypothesis function of the logistic regression model is defined as:
Figure BDA0002758733830000072
where x is the input of the data set, θ is the parameter to be solved for, and the hypothesis function represents the probability of the classification result.
S222: using the cross entropy cost function, defined as:
Figure BDA0002758733830000073
where m is the number of training samples; $h_\theta(x^{(i)})$ is the y value predicted using the parameters θ and x; y is the y value in the original training sample, namely the standard answer; and the superscript (i) denotes the i-th sample.
S223: Solve for the parameters θ that minimize the cross-entropy cost function J(θ) by updating the parameters $\theta_j$ with gradient descent:
Figure BDA0002758733830000074
Substitute the updated parameters $\theta_j$ for θ in S221 to obtain the initial attack detection model.
S204: Test the initial attack detection model with the test set, evaluate its detection performance according to the test result, and obtain the attack detection model when the detection performance meets the preset detection requirement.
S231: From the test results of the initial attack detection model, count the number TP of positive samples judged positive, the number FP of negative samples judged positive, the number FN of positive samples judged negative, and the number TN of negative samples judged negative.
S232: Obtain the precision according to formula (9):
Figure BDA0002758733830000081
Calculate the recall according to formula (10):
Figure BDA0002758733830000082
Calculate the F1 value, F1-Score, according to formula (11):
Figure BDA0002758733830000083
S233: Evaluate the detection result according to the precision, the recall and the F1 value. Specifically, a threshold is set for each of the precision, the recall and the F1 value, and when all three are greater than their corresponding thresholds, the detection performance meets the preset detection requirement.
Through the above establishment process, the attack detection model is obtained. The measurement value data of each node of the smart grid is then input into the preset attack detection model to obtain the attack probability of each node. The probability threshold is chosen according to the detection requirement: when the detection requirement is higher, the threshold is set smaller, for example 40%, and a node is considered to be under FDI attack when its attack probability is greater than 40%; when the detection requirement is lower, the threshold is set larger, for example 60%, and a node is considered to be under FDI attack when its attack probability is greater than 60%. The probability threshold is typically set at 50%.
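One way to realize S202 to S204 and the per-node threshold decision, as an added example that is not the patent's implementation: the grid matrix, drift, noise and attack sizes are constructed, and the sigmoid hypothesis, cross-entropy gradient and precision/recall/F1 are the standard textbook forms (the patent's own formula images are not reproduced on this page). Feature standardization and the 0.95 acceptance threshold are assumptions added here.

```python
import math
import random

# Constructed 5-meter, 3-state model (an assumption, not the patent's grid).
H = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, -1, 0], [0, 1, -1]]
X_NOMINAL = [1.0, 0.5, -0.2]


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def build_dataset(n, seed):
    """S214: rows of meter readings plus a 0/1 'attacked' label per meter."""
    rng = random.Random(seed)
    Z, Y = [], []
    for _ in range(n):
        x = [xi + rng.uniform(-0.02, 0.02) for xi in X_NOMINAL]   # normal drift
        c = [0.0] * len(x)
        if rng.random() < 0.5:                                     # half the rows attacked
            c[rng.randrange(len(x))] = rng.uniform(0.4, 0.6)       # constructed bias
        a = matvec(H, c)                                           # a = Hc, equation (2)
        Z.append([h + ai + rng.gauss(0.0, 0.01) for h, ai in zip(matvec(H, x), a)])
        Y.append([1 if ai != 0 else 0 for ai in a])
    return Z, Y


def fit_scaler(Z):
    cols = list(zip(*Z))
    mean = [sum(col) / len(col) for col in cols]
    std = [math.sqrt(sum((v - m) ** 2 for v in col) / len(col)) or 1.0
           for col, m in zip(cols, mean)]
    return mean, std


def scale(z, scaler):
    return [(v - m) / s for v, m, s in zip(z, *scaler)]


def sigmoid(t):
    return 1.0 / (1.0 + math.exp(-t)) if t >= 0 else math.exp(t) / (1.0 + math.exp(t))


def hypothesis(theta, x):
    """h_theta(x): sigmoid of the linear score; theta[0] is the bias."""
    return sigmoid(theta[0] + sum(t * v for t, v in zip(theta[1:], x)))


def train_node(X, y, lr=0.5, epochs=200):
    """S223: batch gradient descent on the cross-entropy cost for one node."""
    theta = [0.0] * (len(X[0]) + 1)
    for _ in range(epochs):
        grad = [0.0] * len(theta)
        for xi, yi in zip(X, y):
            err = hypothesis(theta, xi) - yi
            grad[0] += err
            for j, v in enumerate(xi, start=1):
                grad[j] += err * v
        theta = [t - lr * g / len(X) for t, g in zip(theta, grad)]
    return theta


def flag_nodes(models, scaler, z, threshold=0.5):
    """Indices of nodes whose attack probability exceeds the preset threshold."""
    x = scale(z, scaler)
    return [i for i, theta in enumerate(models) if hypothesis(theta, x) > threshold]


def evaluate(models, scaler, Z, Y, threshold=0.5):
    """S231-S232: count TP/FP/FN over every (sample, node) pair, then score."""
    tp = fp = fn = 0
    for z, labels in zip(Z, Y):
        flagged = set(flag_nodes(models, scaler, z, threshold))
        for i, yi in enumerate(labels):
            tp += int(yi == 1 and i in flagged)
            fp += int(yi == 0 and i in flagged)
            fn += int(yi == 1 and i not in flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def train_and_test(seed=7, n=300, min_score=0.95):
    """S202-S204: split, train one classifier per node, accept only if all metrics pass."""
    Z, Y = build_dataset(n, seed)
    split = int(0.8 * n)
    scaler = fit_scaler(Z[:split])
    X_train = [scale(z, scaler) for z in Z[:split]]
    models = [train_node(X_train, [y[i] for y in Y[:split]]) for i in range(len(H))]
    metrics = evaluate(models, scaler, Z[split:], Y[split:])
    return models, scaler, metrics, all(m > min_score for m in metrics)


if __name__ == "__main__":
    models, scaler, metrics, accepted = train_and_test()
    print("precision=%.3f recall=%.3f F1=%.3f accepted=%s" % (*metrics, accepted))
    attacked = matvec(H, [1.0, 1.0, -0.2])        # state 1 biased by c = 0.5
    for t in (0.4, 0.5, 0.6):
        print("threshold", t, "-> attacked nodes", flag_nodes(models, scaler, attacked, t))
```

A linear classifier separates these rows because the constructed bias is large compared with normal drift; a bias comparable to ordinary load variation would not be separable on raw readings alone.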
In summary, in the power grid attack detection method based on logistic regression, the obtained measurement value data of each node of the smart grid is input into the preset attack detection model to obtain the attack probability of each node, and the attack status of each node is then determined with the preset probability threshold. The attack detection model is a binary classification model based on logistic regression. Intrusion detection is realized by modeling the measurement value data of each node in the power grid together with a characteristic attribute, namely the correlation and dependence between the changes of the nodes in the power grid: it is not normal for the measurement value of a single node to change while the other nodes do not, and the change of each node's measurement value must accord with physical constraints. An attack on the smart grid can thus be localized to a specific node, and compared with existing FDI attack detection methods, the method is not limited by statistical knowledge assumptions, complexity and hardware cost, and is simple to implement.
The logistic regression model, which is based on linear regression, has strong interpretability and confidence in its predictions. The model is simple and fast to train, and its output has a good probabilistic interpretation; it can handle both continuous and discrete independent variables; and a specific threshold can be set according to actual requirements. In use, note that it can only handle binary classification problems; that it is suited to larger sample sizes, because maximum likelihood estimation performs poorly on smaller samples; and that, being based on a linear regression model, it suffers from multicollinearity and has difficulty with imbalanced data. The method overcomes the shortcomings in reasoning and interpretability of traditional deep-learning-based anomaly detection, improves the interpretability, reasoning and robustness of the model, and provides better assurance for abnormal traffic detection, intrusion detection and localization, and network security protection for industrial smart grid enterprises.
In still another embodiment of the present invention, a power grid attack detection method based on logistic regression is provided which, in addition to the whole content of the method of the previous embodiment, includes at least the following step.
Before the data to be detected is input into the preset attack detection model, measurement value data whose residual is greater than a preset residual threshold is filtered out of the data to be detected.
The measurement value data is judged on the basis of the residual. In statistics, the residual is the difference between the actual observed value and the estimated (fitted) value; here it is the difference between the observed value z and the estimated grid state Hx. The L2 norm of the residual is compared with a threshold τ to check whether low-quality data is present; as long as the following condition is satisfied,
Figure BDA0002758733830000101
Figure BDA0002758733830000102
the measurement value data is filtered out.
Filtering out the error data in the data to be detected with a preset residual threshold prevents the error data from affecting subsequent detection and improves the accuracy and reliability of the detection result.
In still another embodiment of the present invention, a logistic regression-based power grid attack detection system is provided, where the logistic regression-based power grid attack detection system can be used to implement the above-mentioned logistic regression-based power grid attack detection method, and specifically, the logistic regression-based power grid attack detection system includes a data acquisition module and a detection module.
The data acquisition module is used for acquiring data to be detected, wherein the data to be detected is measured value data of each node of the intelligent power grid; the detection module is used for inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the intelligent power grid; when the attack probability is larger than a preset probability threshold, the current node is attacked by FDI; the attack detection model is obtained by training a logistic regression model by adopting a sample data set, wherein the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and the condition that the node is attacked by FDI.
Referring to fig. 2, preferably, the logistic regression-based power grid attack detection system further includes an error data detection module, configured to filter, based on a preset residual threshold, measurement value data with a residual greater than the preset residual threshold in the data to be detected. The standard error data detection module is used for estimating the quality of the measured value data and removing low-quality data so as to improve the accuracy of subsequent detection.
In yet another embodiment of the present invention, a terminal device is provided, the terminal device including a processor and a memory, the memory for storing a computer program, the computer program including program instructions, and the processor for executing the program instructions stored by the computer storage medium. The processor may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. It is the computational core and control core of the terminal, adapted to implement one or more instructions, and in particular adapted to load and execute one or more instructions to implement a corresponding method flow or a corresponding function. The processor of the embodiment of the invention can be used to run the power grid attack detection method based on logistic regression, which comprises the following steps: acquiring data to be detected, where the data to be detected is the measurement value data of each node of the smart grid; inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the smart grid; when the attack probability is greater than a preset probability threshold, the current node is under FDI attack; the attack detection model is obtained by training a logistic regression model on a sample data set, where the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and whether that node was under FDI attack.
In a further embodiment of the present invention, a storage medium is also provided, specifically a computer-readable storage medium (memory), which is a memory device in the terminal device used to store programs and data. It will be appreciated that the computer-readable storage medium here may include both a built-in storage medium of the terminal device and an extended storage medium supported by the terminal device. The computer-readable storage medium provides a storage space that stores the operating system of the terminal. The storage space also stores one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. The computer-readable storage medium may be a high-speed RAM or a non-volatile memory, such as at least one magnetic disk memory.
One or more instructions stored in the computer-readable storage medium may be loaded and executed by a processor to implement the steps of the logistic regression-based power grid attack detection method of the above embodiments. Specifically, the instructions are loaded by the processor and perform the following steps: acquiring data to be detected, the data to be detected being the measured value data of each node of the intelligent power grid; inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the intelligent power grid; and, when the attack probability is greater than a preset probability threshold, determining that the current node is under an FDI attack. The attack detection model is obtained by training a logistic regression model on a sample data set; the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and whether that node was attacked by FDI.
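The pipeline described above (residual filter, logistic regression trained by gradient descent, a performance gate on accuracy, recall and F1, then a probability threshold), as an added Python example that is not code from the patent. Assumptions: each sample is three redundant voltage-modulus readings of one node, the state estimate is their mean, the data set is constructed, and the constants `NOMINAL`, `TAU`, `P_ATTACK`, `GATE` and all function names are hypothetical.

```python
import math
import random

NOMINAL, TAU = 1.0, 0.01     # assumed nominal voltage modulus (p.u.) and residual threshold
P_ATTACK, GATE = 0.5, 0.9    # assumed probability threshold and performance floor

def estimate(z):             # least-squares estimate of one state from redundant readings
    return sum(z) / len(z)

def residual(z):             # largest measurement residual |z_i - estimate|
    return max(abs(v - estimate(z)) for v in z)

def features(z):             # bias term + scaled deviation of the estimate from nominal
    return [1.0, abs(estimate(z) - NOMINAL) / 0.05]

def make_dataset(n, rng):    # constructed samples: (three redundant readings, label)
    data = []
    for i in range(n):
        v = NOMINAL + rng.gauss(0, 0.005)
        z, label = [v + rng.gauss(0, 0.001) for _ in range(3)], 0
        if i % 2:            # simulated FDI: same offset on every reading, residual unchanged
            c = rng.choice([-1, 1]) * rng.uniform(0.05, 0.10)
            z, label = [r + c for r in z], 1
        elif i % 10 == 0:    # gross error on one sensor: low-quality data, not an attack
            z[0] += 0.3
        data.append((z, label))
    return data

def filter_bad_data(data, tau=TAU):
    return [(z, y) for z, y in data if residual(z) <= tau]

def prob(w, z):              # logistic model: attack probability for one node sample
    return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, features(z)))))

def train(data, lr=0.5, epochs=1000):   # batch gradient descent on the cross-entropy loss
    w = [0.0, 0.0]
    for _ in range(epochs):
        grad = [0.0, 0.0]
        for z, y in data:
            err = prob(w, z) - y
            for j, xj in enumerate(features(z)):
                grad[j] += err * xj / len(data)
        w = [wj - lr * gj for wj, gj in zip(w, grad)]
    return w

def evaluate(w, data, thr=P_ATTACK):    # returns (accuracy, recall, F1) on labelled data
    pred = [(prob(w, z) > thr, y) for z, y in data]
    tp = sum(1 for p, y in pred if p and y)
    wrong = sum(1 for p, y in pred if p != bool(y))      # false positives + false negatives
    pos = max(1, sum(y for _, y in pred))
    return 1 - wrong / len(pred), tp / pos, 2 * tp / max(1, 2 * tp + wrong)

def build_model(seed=7):     # filter, split, train, then accept only if every metric clears GATE
    data = filter_bad_data(make_dataset(400, random.Random(seed)))
    split = int(0.75 * len(data))
    w = train(data[:split])
    metrics = evaluate(w, data[split:])
    return w, metrics, all(m > GATE for m in metrics)
```

`build_model()` returns the weights, the (accuracy, recall, F1) triple on the held-out quarter, and whether the model is accepted. In this constructed data a simulated injection leaves the residual unchanged and so passes the filter, while a gross single-sensor error is removed before it can be misread as an attack.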
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (4)

1. The power grid attack detection method based on logistic regression is characterized by comprising the following steps of:
acquiring data to be detected, wherein the data to be detected is measured value data of each node of the intelligent power grid;
inputting data to be detected into a preset attack detection model to obtain attack probability of each node of the intelligent power grid; when the attack probability is larger than a preset probability threshold, the current node is attacked by FDI;
the attack detection model is obtained by training a logistic regression model by adopting a sample data set, wherein the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and the condition that the node is attacked by FDI;
before the data to be detected is input into a preset attack detection model, filtering measurement value data with residual errors larger than a preset residual error threshold value in the data to be detected based on a preset residual error threshold value;
the attack detection model is established in the following way:
acquiring a topological structure of a smart power grid, transmission line data and historical data of each node;
according to the topological structure of the intelligent power grid, transmission line data and historical data of each node, a sample data set is constructed by simulating FDI attack and is divided into a training set and a testing set;
training a preset logistic regression model through a training set to obtain an initial attack detection model;
testing the initial attack detection model through a test set, detecting the detection performance of the initial attack detection model according to a test result, and obtaining the attack detection model when the detection performance meets a preset detection requirement;
the historical data comprise the argument and the modulus of the voltage at each historical moment, the topological structure comprises the connection state of the intelligent power grid and the disconnection condition of the line, and the transmission line data comprise the admittance of the line;
the specific method for detecting the detection performance of the initial attack detection model according to the test result comprises the following steps:
obtaining the accuracy rate, recall rate and F1 value of the initial attack detection model according to the test result, and when the accuracy rate, recall rate and F1 value are all larger than the preset corresponding threshold values, the detection performance meets the preset detection requirement;
and when the preset logistic regression model is trained through the training set, optimizing model parameters of the logistic regression model by adopting a gradient descent method.
2. A logistic regression-based grid attack detection system, comprising:
the data acquisition module is used for acquiring data to be detected, wherein the data to be detected is measured value data of each node of the intelligent power grid; and
the detection module is used for inputting the data to be detected into a preset attack detection model to obtain the attack probability of each node of the intelligent power grid; when the attack probability is larger than a preset probability threshold, the current node is attacked by FDI;
the attack detection model is obtained by training a logistic regression model by adopting a sample data set, wherein the sample data set comprises a plurality of samples, and each sample comprises historical measurement value data of a node and the condition that the node is attacked by FDI;
the attack detection model is established in the following way:
acquiring a topological structure of a smart power grid, transmission line data and historical data of each node;
according to the topological structure of the intelligent power grid, transmission line data and historical data of each node, a sample data set is constructed by simulating FDI attack and is divided into a training set and a testing set;
training a preset logistic regression model through a training set to obtain an initial attack detection model;
testing the initial attack detection model through a test set, detecting the detection performance of the initial attack detection model according to a test result, and obtaining the attack detection model when the detection performance meets a preset detection requirement;
the historical data comprise the argument and the modulus of the voltage at each historical moment, the topological structure comprises the connection state of the intelligent power grid and the disconnection condition of the line, and the transmission line data comprise the admittance of the line;
the error data detection module is used for filtering measurement value data with residual errors larger than a preset residual error threshold value in the data to be detected based on the preset residual error threshold value;
the specific method for detecting the detection performance of the initial attack detection model according to the test result comprises the following steps:
obtaining the accuracy rate, recall rate and F1 value of the initial attack detection model according to the test result, and when the accuracy rate, recall rate and F1 value are all larger than the preset corresponding threshold values, the detection performance meets the preset detection requirement;
and when the preset logistic regression model is trained through the training set, optimizing model parameters of the logistic regression model by adopting a gradient descent method.
3. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the logistic regression-based grid attack detection method according to claim 1 when the computer program is executed.
4. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the logistic regression-based grid attack detection method according to claim 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011210680.1A CN112565187B (en) 2020-11-03 2020-11-03 Power grid attack detection method, system, equipment and medium based on logistic regression

Publications (2)

Publication Number Publication Date
CN112565187A CN112565187A (en) 2021-03-26
CN112565187B true CN112565187B (en) 2023-05-09

Family

ID=75041607

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011210680.1A Active CN112565187B (en) 2020-11-03 2020-11-03 Power grid attack detection method, system, equipment and medium based on logistic regression

Country Status (1)

Country Link
CN (1) CN112565187B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113285441B (en) * 2021-04-27 2023-03-21 西安交通大学 Smart grid LR attack detection method, system, device and readable storage medium
CN113268729B (en) * 2021-05-01 2023-07-28 群智未来人工智能科技研究院(无锡)有限公司 Smart grid attack positioning method based on convolutional neural network
CN114510618B (en) * 2021-12-31 2022-12-20 安徽郎溪南方水泥有限公司 Processing method and device based on smart mine
CN114978586B (en) * 2022-04-12 2023-07-04 东北电力大学 Power grid attack detection method and system based on attack genes and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108712453A (en) * 2018-08-30 2018-10-26 杭州安恒信息技术股份有限公司 Detection method for injection attack, device and the server of logic-based regression algorithm
CN109388943A (en) * 2018-09-29 2019-02-26 杭州时趣信息技术有限公司 A kind of method, apparatus and computer readable storage medium identifying XSS attack
CN110276200A (en) * 2019-06-27 2019-09-24 南京邮电大学 A kind of determination method of power information system state transition probability
CN110942109A (en) * 2019-12-17 2020-03-31 浙江大学 PMU false data injection attack prevention method based on machine learning

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10671060B2 (en) * 2017-08-21 2020-06-02 General Electric Company Data-driven model construction for industrial asset decision boundary classification


Also Published As

Publication number Publication date
CN112565187A (en) 2021-03-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant