CN112866189A - Attack modeling analysis method based on power terminal attack behavior characteristics - Google Patents

Info

Publication number
CN112866189A
Authority
CN
China
Prior art keywords
address
attack
fixed
calculating
source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011471855.4A
Other languages
Chinese (zh)
Inventor
许爱东
李立浧
蒋屹新
张宇南
徐文渊
冀晓宇
温家昌
李鹏
习伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China South Power Grid International Co ltd
Zhejiang University ZJU
Original Assignee
China South Power Grid International Co ltd
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China South Power Grid International Co ltd, Zhejiang University ZJU filed Critical China South Power Grid International Co ltd
Priority to CN202011471855.4A priority Critical patent/CN112866189A/en
Publication of CN112866189A publication Critical patent/CN112866189A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Energy or water supply
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Economics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Water Supply & Treatment (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Probability & Statistics with Applications (AREA)
  • Public Health (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Human Resources & Organizations (AREA)
  • Marketing (AREA)
  • Primary Health Care (AREA)
  • Strategic Management (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an attack modeling analysis method based on power terminal attack behavior characteristics. It performs data preprocessing and feature extraction on power industrial control attack samples and uses the K-means algorithm with cyclic cross-validation to classify attacks on power industrial control systems. The invention can detect denial-of-service attacks, exploitation-type attacks, information-collection attacks, false-message attacks and the like in the power system.

Description

Attack modeling analysis method based on power terminal attack behavior characteristics
Technical Field
The invention belongs to the field of terminal security of a power system, and particularly relates to an attack modeling analysis method based on attack behavior characteristics of a power terminal.
Background
China has the largest power system in the world. Electric power is the nation's pillar energy source and economic lifeline, and daily life cannot do without it, so the safe, reliable and stable operation of the power system is very important. However, in recent years attacks on power systems have occurred frequently, and power network security issues have become more and more prominent.
And the power system cannot operate safely and reliably. A large number of power terminal devices exist in the smart grid system, such as DTUs, FTUs, RTUs and smart meters. Power terminal equipment generally works in an open environment and has a certain computing capacity and a wireless communication function, so it is easily attacked, which threatens the security of the smart grid.
However, most traditional power system terminal protection strategies protect on the basis of the network messages of the power system terminals. With the development of smart grids and the diversification of attack means, these traditional strategies no longer provide good protection. For example, many APT attacks cannot be perceived at the network layer; such attacks cause large-scale damage by gradually intruding into the terminals and workstations of the power system and finally entering the master station, resulting in great economic loss. Therefore, a comprehensive power terminal security protection strategy is urgently needed to effectively ensure the safe and reliable operation of power terminals.
Disclosure of Invention
In order to monitor the potential safety hazard and fault problems of the power terminal, the invention provides an attack modeling analysis method based on attack behavior characteristics of the power terminal, which is used for enhancing the safety and reliability of the power terminal. According to the method, a typical power terminal attack sample is collected, data preprocessing and feature extraction are carried out on the attack sample data, a classifier is used for training the collected data, and a power terminal attack sample classification model is constructed.
The invention is realized by adopting the following technical scheme:
The method performs data preprocessing and feature extraction on power industrial control attack samples and uses the K-means algorithm with cyclic cross-validation, thereby classifying attacks on the power industrial control system.
In the above technical solution, further, the method specifically includes the following steps:
1) Collect attack samples of the power engineering system.
2) Perform data cleaning on the abnormal message and vulnerability attack samples.
3) Place them into the typical attack samples.
4) Preprocess the sample data and fill missing values.
5) Extract the data flow features of the power industrial control messages.
6) Classify the attack samples using the K-means algorithm with cyclic cross-validation.
7) Output the classification result.
Further, step 4) is specifically:
Step 4.1: Collect the basic features of the TCP connections of the power industrial control messages. These are basic attributes of the connection, such as: connection duration, protocol type, network service type of the target host, connection state flag, number of bytes transmitted from the source host to the target host, number of bytes transmitted from the target host to the source host, number of error segments and number of urgent packets;
Step 4.2: Collect the content features of the TCP connections of the power industrial control messages, including: the number of accesses to sensitive files and directories, the number of failed login attempts, whether login is successful, whether a 'root shell' command is obtained, whether a 'su shell' command appears, the number of user accesses, the number of file creation operations, the number of times shell commands are used, the number of accesses to control files, and the number of outbound connections in one FTP session;
Step 4.3: Fill missing values in the collected basic TCP connection features and TCP connection content features of the power industrial control messages:
If the feature with the missing value is a categorical quantity, the feature is completed using average value estimation, that is, the missing value is replaced by the feature value that occurs most often. If the feature with the missing value is a numerical variable, the feature is completed by linear interpolation, and the calculation formula is as follows:
Figure BDA0002834193600000021
In the formula, $y_0$ and $x_0$ are respectively the feature value and the row number of the corresponding feature in the previous record of the data, and $y_1$ and $x_1$ are respectively the feature value and the row number of the corresponding feature in the next record of the data.
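A sketch of the missing-value filling in step 4.3, added here as an illustration and not taken from the patent. The interpolation formula survives on this page only as an image reference, so the standard linear interpolation form is assumed; the field names, the sample records and the nearest-value fallback at the ends of the data are also assumptions.

```python
from collections import Counter


def fill_categorical(values):
    """Category features: replace None with the most frequent observed value."""
    known = [v for v in values if v is not None]
    if not known:
        raise ValueError("no observed value to impute from")
    most_common = Counter(known).most_common(1)[0][0]
    return [most_common if v is None else v for v in values]


def fill_numeric(values):
    """Numeric features: linear interpolation over row numbers.

    (x0, y0) is the closest earlier record that has a value, (x1, y1) the
    closest later one. Assumed form: y = y0 + (x - x0) * (y1 - y0) / (x1 - x0).
    """
    known = [(x, y) for x, y in enumerate(values) if y is not None]
    if not known:
        raise ValueError("no observed value to impute from")
    out = []
    for x, y in enumerate(values):
        if y is not None:
            out.append(float(y))
            continue
        before = [p for p in known if p[0] < x]
        after = [p for p in known if p[0] > x]
        if before and after:
            (x0, y0), (x1, y1) = before[-1], after[0]
            out.append(y0 + (x - x0) * (y1 - y0) / (x1 - x0))
        else:
            # Assumption: at the first or last rows only one neighbour exists,
            # so the nearest observed value is copied.
            out.append(float(before[-1][1] if before else after[0][1]))
    return out


def fill_missing(records, categorical, numeric):
    """Return copies of `records` (dicts in capture order) with None values filled."""
    filled = [dict(r) for r in records]
    for names, fill in ((categorical, fill_categorical), (numeric, fill_numeric)):
        for name in names:
            column = fill([r[name] for r in records])
            for row, value in zip(filled, column):
                row[name] = value
    return filled


# Constructed sample records (hypothetical field names for three step 4.1 features).
SAMPLE = [
    {"protocol_type": "tcp", "duration": 2.0, "src_bytes": 300},
    {"protocol_type": "tcp", "duration": None, "src_bytes": 320},
    {"protocol_type": None, "duration": None, "src_bytes": None},
    {"protocol_type": "udp", "duration": 8.0, "src_bytes": 380},
    {"protocol_type": "tcp", "duration": None, "src_bytes": 400},
]

if __name__ == "__main__":
    for row in fill_missing(SAMPLE, ["protocol_type"], ["duration", "src_bytes"]):
        print(row)
```

Runs of consecutive missing values are interpolated between the nearest records that do carry a value, so the order of the records matters.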
Step 5) is specifically as follows:
Step 5.1: Calculate the number of messages from a fixed source IP address to a fixed destination IP address;
Step 5.2: Calculate the average connection duration from a fixed source IP address to a fixed destination IP address;
Step 5.3: Calculate the average number of data bytes sent from the source host to the target host, from a fixed source IP address to a fixed destination IP address;
Step 5.4: Calculate the average number of data bytes sent from the target host to the source host, from a fixed source IP address to a fixed destination IP address;
Step 5.5: Calculate the average connection time for a fixed protocol type;
Step 5.6: Calculate the number of messages from a fixed source IP address to a fixed destination IP address under different protocols;
Step 5.7: Calculate the average number of data bytes sent from the source host to the target host, from a fixed source IP address to a fixed destination IP address, under different protocols;
Step 5.8: Calculate the average number of data bytes sent from the target host to the source host, from a fixed source IP address to a fixed destination IP address, under different protocols;
Step 5.9: Calculate the number of error segments from a fixed source IP address to a fixed destination IP address;
Step 5.10: Calculate the number of error segments from a fixed source IP address to a fixed destination IP address under different protocols;
Step 5.11: Calculate the average number of error segments from a fixed source IP address to a fixed destination IP address under different protocols;
Step 5.12: Calculate the average number of failed login attempts from a fixed source IP address to a fixed destination IP address;
Step 5.13: Calculate the number of logins by non-guest users from a fixed source IP address to a fixed destination IP address;
Step 5.14: Calculate the number of logins by non-guest users under different target host service types;
Step 5.15: Calculate the number of successful user logins from a fixed source IP address to a fixed destination IP address under different target host service types.
Step 6) is specifically as follows:
Step 6.1: From the typical power attack sample set, which has the p data flow features extracted in step 5 (p is 15, as obtained in step 5 above), randomly select some messages as the centers $\mu_1, \mu_2, \ldots, \mu_k$ of the initial k clusters (where k is 5).
Step 6.2: Calculate the cluster label of each sample $x_i$:
Figure BDA0002834193600000031
where $\|x_i - \mu_j\|$ is the Euclidean distance, and the formula of the Euclidean distance $\|x_i - \mu_j\|$ is
Figure BDA0002834193600000032
Step 6.3: After all samples have obtained cluster labels, update the center of each cluster:
Figure BDA0002834193600000033
($C_j$ is the j-th cluster), n is the total number of messages in the sample set.
Step 6.4: Repeat steps 6.2 and 6.3 until the squared error E reaches its minimum:
Figure BDA0002834193600000041
Step 6.5: Output the cluster partition $C = \{C_1, C_2, C_3, C_4, \ldots, C_k\}$.
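Steps 5 and 6 carried through on a small input, as an added example that is not the patent's own code. It computes six of the fifteen flow features (5.1 to 5.4, 5.9 and 5.12) per source/destination pair and clusters the pairs with the K-means loop of steps 6.1 to 6.5. The records are constructed, the min-max scaling and the `init` option are additions not described in the patent, and k = 3 is used because the sample holds three behaviours.

```python
import math
import random
from collections import defaultdict

# Constructed connection records, not real traffic. Fields: src IP, dst IP, protocol,
# duration (s), src->dst bytes, dst->src bytes, error segments, failed logins.
# Addresses come from the RFC 5737 documentation ranges.
RECORDS = (
    [("192.0.2.10", "198.51.100.1", "tcp", 2.0, 300, 1200, 0, 0),
     ("192.0.2.10", "198.51.100.1", "tcp", 3.0, 340, 1100, 0, 0),
     ("192.0.2.11", "198.51.100.1", "tcp", 2.5, 310, 1300, 0, 0),
     ("192.0.2.11", "198.51.100.1", "tcp", 2.5, 290, 1250, 0, 0)]
    + [("203.0.113.5", "198.51.100.1", "tcp", 0.0, 0, 0, 1, 0)] * 40
    + [("203.0.113.6", "198.51.100.1", "tcp", 0.0, 0, 0, 1, 0)] * 36
    + [("203.0.113.9", "198.51.100.2", "tcp", 1.0, 100, 60, 0, 4)] * 5
    + [("203.0.113.10", "198.51.100.2", "tcp", 1.0, 110, 60, 0, 5)] * 4
)


def flow_features(records):
    """Six of the step 5 features per (source IP, destination IP) pair."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec[0], rec[1])].append(rec)
    feats = {}
    for pair, recs in groups.items():
        n = len(recs)
        feats[pair] = [
            float(n),                        # 5.1 number of messages
            sum(r[3] for r in recs) / n,     # 5.2 average connection duration
            sum(r[4] for r in recs) / n,     # 5.3 average src->dst bytes
            sum(r[5] for r in recs) / n,     # 5.4 average dst->src bytes
            float(sum(r[6] for r in recs)),  # 5.9 number of error segments
            sum(r[7] for r in recs) / n,     # 5.12 average failed login attempts
        ]
    return feats


def min_max_scale(vectors):
    """Scale each column to [0, 1]. Not in the patent text: added so that byte
    counts do not dominate the Euclidean distance."""
    cols = list(zip(*vectors))
    low = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - l) / s for v, l, s in zip(vec, low, span)] for vec in vectors]


def kmeans(samples, k, init=None, seed=0, max_iter=100):
    """Steps 6.1-6.5. `init` (indices of the starting centres) is an added option
    for reproducible runs; when omitted the centres are picked at random (6.1)."""
    idx = init if init is not None else random.Random(seed).sample(range(len(samples)), k)
    centers = [list(samples[i]) for i in idx]
    labels = None
    for _ in range(max_iter):
        # 6.2: label each sample with the index of its nearest centre
        new_labels = [min(range(k), key=lambda j: math.dist(x, centers[j])) for x in samples]
        if new_labels == labels:
            break  # 6.4: assignments are stable, E no longer decreases
        labels = new_labels
        # 6.3: move each centre to the mean of its members (empty cluster keeps its centre)
        for j in range(k):
            members = [x for x, lab in zip(samples, labels) if lab == j]
            if members:
                centers[j] = [sum(col) / len(members) for col in zip(*members)]
    error = sum(math.dist(x, centers[lab]) ** 2 for x, lab in zip(samples, labels))
    return labels, centers, error


def cluster_pairs(records, k, init=None):
    """Feature extraction, scaling and clustering; returns {label: [pairs]} and E."""
    feats = flow_features(records)
    pairs = list(feats)
    labels, _, error = kmeans(min_max_scale([feats[p] for p in pairs]), k, init=init)
    clusters = defaultdict(list)
    for pair, lab in zip(pairs, labels):
        clusters[lab].append(pair)
    return dict(clusters), error


if __name__ == "__main__":
    clusters, error = cluster_pairs(RECORDS, k=3, init=[0, 2, 4])
    for lab, members in sorted(clusters.items()):
        print(lab, members)
    print("E =", round(error, 4))
```

K-means only groups the pairs; deciding which cluster corresponds to which attack class still requires labelled samples or analyst review, and a random start can settle in a poorer partition, which is why several starts are normally compared by their E.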
The beneficial effects of the invention are:
The invention can detect denial-of-service attacks, exploitation-type attacks, information-collection attacks, false-message attacks and the like against power system terminals. The invention provides an attack classification model based on the attack behavior characteristics of the power terminal, which has high accuracy after training.
Drawings
FIG. 1 is a system diagram of an analysis method according to the present invention.
Detailed Description
The invention is further described with reference to the accompanying drawings and the embodiments.
Fig. 1 is a system block diagram of the attack modeling technology based on the attack behavior characteristics of the power terminal according to the present invention.
The method specifically comprises the following steps:
Step 1: Collect attack samples of the power engineering system.
Step 2: Perform data cleaning on the abnormal message and vulnerability attack samples.
Step 3: Place them into the typical attack samples.
Step 4: Preprocess the sample data and fill missing values.
4.1: Collect the basic features of the TCP connections of the power industrial control messages;
4.2: Collect the content features of the TCP connections of the power industrial control messages;
4.3: Fill missing values in the collected basic TCP connection features of the power industrial control messages (basic attributes of the connection such as connection duration, protocol type, network service type of the target host, connection state flag, number of bytes transmitted from the source host to the target host, number of bytes transmitted from the target host to the source host, number of error segments and number of urgent packets) and in the content features (the number of accesses to sensitive files and directories, the number of failed login attempts, whether login is successful, whether a 'root shell' command is obtained, whether a 'su shell' command appears, the number of user accesses, the number of file creation operations, the number of times shell commands are used, the number of accesses to control files, and the number of outbound connections in an FTP session):
If the feature with the missing value is a categorical quantity, the feature is completed using average value estimation, that is, the missing value is replaced by the feature value that occurs most often. If the feature with the missing value is a numerical variable, the feature is completed by linear interpolation, and the calculation formula is as follows:
Figure BDA0002834193600000051
In the formula, $y_0$ and $x_0$ are respectively the feature value and the row number of the corresponding feature in the previous record of the data, and $y_1$ and $x_1$ are respectively the feature value and the row number of the corresponding feature in the next record of the data.
Step 5: Extract the message data flow features of the power industrial control data messages;
5.1: Calculate the number of messages from a fixed source IP address to a fixed destination IP address;
5.2: Calculate the average connection duration from a fixed source IP address to a fixed destination IP address;
5.3: Calculate the average number of data bytes sent from the source host to the target host, from a fixed source IP address to a fixed destination IP address;
5.4: Calculate the average number of data bytes sent from the target host to the source host, from a fixed source IP address to a fixed destination IP address;
5.5: Calculate the average connection time for a fixed protocol type;
5.6: Calculate the number of messages from a fixed source IP address to a fixed destination IP address under different protocols;
5.7: Calculate the average number of data bytes sent from the source host to the target host, from a fixed source IP address to a fixed destination IP address, under different protocols;
5.8: Calculate the average number of data bytes sent from the target host to the source host, from a fixed source IP address to a fixed destination IP address, under different protocols;
5.9: Calculate the number of error segments from a fixed source IP address to a fixed destination IP address;
5.10: Calculate the number of error segments from a fixed source IP address to a fixed destination IP address under different protocols;
5.11: Calculate the average number of error segments from a fixed source IP address to a fixed destination IP address under different protocols;
5.12: Calculate the average number of failed login attempts from a fixed source IP address to a fixed destination IP address;
5.13: Calculate the number of logins by non-guest users from a fixed source IP address to a fixed destination IP address;
5.14: Calculate the number of logins by non-guest users under different target host service types;
5.15: Calculate the number of successful user logins from a fixed source IP address to a fixed destination IP address under different target host service types.
Step 6: Classify the attack samples using the K-means algorithm.
6.1: From the typical power attack sample set with p (p = 15) numerical attribute features, randomly select some messages as the centers $\mu_1, \mu_2, \ldots, \mu_k$ of the initial k clusters (where k may be 5);
6.2: Calculate the cluster label of each sample $x_i$:
Figure BDA0002834193600000052
where $\|x_i - \mu_j\|$ is the Euclidean distance, and the formula of the Euclidean distance $\|x_i - \mu_j\|$ is
Figure BDA0002834193600000053
6.3: After all samples have obtained cluster labels, update the center of each cluster:
Figure BDA0002834193600000061
($C_j$ is the j-th cluster), n is the total number of messages in the sample set.
6.4: Repeat steps 6.2 and 6.3 until the squared error E reaches its minimum:
Figure BDA0002834193600000062
6.5: Output the cluster partition $C = \{C_1, C_2, C_3, C_4, C_5\}$.
Step 7: Output the classification result.

Claims (4)

1. An attack modeling analysis method based on attack behavior characteristics of a power terminal is characterized by comprising the following steps: the method comprises the steps of conducting data preprocessing and feature extraction on collected attack sample data by collecting typical power terminal attack samples, training the collected data by using a classifier, and constructing a power terminal attack sample classification model for analysis; the method specifically comprises the following steps:
1) collecting an attack sample of the power engineering system;
2) carrying out data cleaning on the abnormal message and the vulnerability attack sample;
3) placing it into a typical attack sample;
4) preprocessing sample data, and filling missing values;
5) extracting data flow characteristics of the electric power industrial control message;
6) performing cyclic cross validation on the attack samples by using a K-means algorithm to classify;
7) and outputting a classification result.
2. The attack modeling analysis method based on the attack behavior characteristics of the power terminal according to claim 1, wherein the step 4) is specifically as follows:
step 4.1: collecting basic features of the TCP connections of the power industrial control messages, including connection duration, protocol type, network service type of the target host, connection state flag, number of bytes transmitted from the source host to the target host, number of bytes transmitted from the target host to the source host, the number of error segments and the number of urgent packets;
step 4.2: collecting content features of the TCP connections of the power industrial control messages, including the number of accesses to sensitive files and directories, the number of failed login attempts, whether login is successful, whether a 'root shell' command is obtained, whether a 'su shell' command appears, the number of user accesses, the number of file creation operations, the number of times shell commands are used, the number of accesses to control files and the number of outbound connections in an FTP session;
step 4.3: filling missing values in the collected basic TCP connection features and TCP connection content features of the power industrial control messages:
if the feature with the missing value is a categorical quantity, the feature is completed using average value estimation, that is, the missing value is replaced by the feature value that occurs most often; if the feature with the missing value is a numerical variable, the feature is completed by linear interpolation, and the calculation formula is as follows:
Figure FDA0002834193590000011
in the formula, $y_0$ and $x_0$ are respectively the feature value and the row number of the corresponding feature in the previous record of the data, and $y_1$ and $x_1$ are respectively the feature value and the row number of the corresponding feature in the next record of the data.
3. The attack modeling analysis method based on the attack behavior characteristics of the power terminal according to claim 1, wherein the step 5) is specifically as follows:
step 5.1: calculating the number of messages from a fixed source IP address to a fixed destination IP address;
step 5.2: calculating the average connection duration from a fixed source IP address to a fixed destination IP address;
step 5.3: calculating the average number of data bytes sent from the source host to the target host, from a fixed source IP address to a fixed destination IP address;
step 5.4: calculating the average number of data bytes sent from the target host to the source host, from a fixed source IP address to a fixed destination IP address;
step 5.5: calculating the average connection time for a fixed protocol type;
step 5.6: calculating the number of messages from a fixed source IP address to a fixed destination IP address under different protocols;
step 5.7: calculating the average number of data bytes sent from the source host to the target host, from a fixed source IP address to a fixed destination IP address, under different protocols;
step 5.8: calculating the average number of data bytes sent from the target host to the source host, from a fixed source IP address to a fixed destination IP address, under different protocols;
step 5.9: calculating the number of error segments from a fixed source IP address to a fixed destination IP address;
step 5.10: calculating the number of error segments from a fixed source IP address to a fixed destination IP address under different protocols;
step 5.11: calculating the average number of error segments from a fixed source IP address to a fixed destination IP address under different protocols;
step 5.12: calculating the average number of failed login attempts from a fixed source IP address to a fixed destination IP address;
step 5.13: calculating the number of logins by non-guest users from a fixed source IP address to a fixed destination IP address;
step 5.14: calculating the number of logins by non-guest users under different target host service types;
step 5.15: calculating the number of successful user logins from a fixed source IP address to a fixed destination IP address under different target host service types.
4. The attack modeling analysis method based on the attack behavior characteristics of the power terminal according to claim 1, wherein the step 6) specifically comprises:
step 6.1: randomly selecting some messages from the typical power attack sample set, which has the p numerical flow features extracted in step 5, as the centers $\mu_1, \mu_2, \ldots, \mu_k$ of the initial k clusters;
step 6.2: calculating the cluster label of each sample $x_i$:
Figure FDA0002834193590000021
wherein $\|x_i - \mu_j\|$ is the Euclidean distance, and the formula of the Euclidean distance $\|x_i - \mu_j\|$ is
Figure FDA0002834193590000022
step 6.3: after all samples have obtained cluster labels, updating the center of each cluster:
Figure FDA0002834193590000031
wherein $C_j$ is the j-th cluster and n is the total number of the messages in the sample set;
step 6.4: repeating steps 6.2 and 6.3 until the squared error E reaches its minimum:
Figure FDA0002834193590000032
step 6.5: outputting the cluster partition $C = \{C_1, C_2, C_3, C_4, \ldots, C_k\}$.
CN202011471855.4A 2020-12-14 2020-12-14 Attack modeling analysis method based on power terminal attack behavior characteristics Pending CN112866189A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011471855.4A CN112866189A (en) 2020-12-14 2020-12-14 Attack modeling analysis method based on power terminal attack behavior characteristics

Publications (1)

Publication Number Publication Date
CN112866189A true CN112866189A (en) 2021-05-28

Family

ID=75997222

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011471855.4A Pending CN112866189A (en) 2020-12-14 2020-12-14 Attack modeling analysis method based on power terminal attack behavior characteristics

Country Status (1)

Country Link
CN (1) CN112866189A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20210528