CN112866262A - Power plant safety I area situation perception platform based on neural network - Google Patents

Info

Publication number: CN112866262A
Authority: CN (China)
Prior art keywords: data, module, neural network, information, power plant
Legal status: Granted (Active)
Application number: CN202110095508.4A
Other languages: Chinese (zh)
Other versions: CN112866262B (en)
Inventors: 李秀君, 陈林
Current Assignee: Dongfang Electric Automatic Control Engineering Co ltd
Original Assignee: Dongfang Electric Automatic Control Engineering Co ltd
Application filed by Dongfang Electric Automatic Control Engineering Co ltd
Priority to CN202110095508.4A
Publication of CN112866262A
Application granted
Publication of CN112866262B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Electricity, gas or water supply
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00 Systems supporting electrical power generation, transmission or distribution
    • Y04S10/50 Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications

Abstract

The invention discloses a power plant safety I area situation perception platform based on a neural network, which relates to the technical field of power plant network safety and comprises an operating system, a database module, an Ethernet data acquisition module, a situation perception module, a switching hardware driving module, a hardware switching device, an original control system and a standby control system.

Description

Power plant safety I area situation perception platform based on neural network
Technical Field
The invention relates to the technical field of power plant network security, in particular to a power plant security I area situation perception platform based on a neural network.
Background
At present, as demand for the Internet of Things and for network security keeps growing, industrial control systems are moving from closed to open, and industrial control security incidents have begun to occur frequently worldwide. Operators of critical information infrastructure therefore need to test and evaluate the security and possible risks of their networks at least once a year, either themselves or by entrusting a network security service organization.
In domestic power plants, security products from network security vendors are currently applied mainly at the management information system (MIS) level, to prevent illegal access to the system by external users. However, as Internet of Things products are increasingly deployed in power plants, a security solution that protects the network of the plant's production and operation equipment is urgently needed.
The network of a whole power plant is a complex system. Under the Classified Protection 2.0 (MLPS 2.0) standard it is divided into three areas: safety area I, safety area II and safety area III. Their definitions and functions are as follows:
Safety I area: the equipment in this area is field production network equipment, and the area is a real-time area. In a power plant it comprises the boiler control system, the motor control system, the steam turbine control system, the DCS and the like. On the side of the communication interface with power grid dispatching the scope is wider and includes the power data acquisition and monitoring system, the energy management system, the distribution automation system, the substation automation system and the like.
The main users of the equipment in this area are dispatchers and plant operators. The real-time requirement on data transmission is very high, reaching the millisecond (ms) level, and the data is carried over a real-time network.
Safety II area: this area is the non-control area and belongs to the non-production area. It is mainly used for monitoring and analyzing data. It comprises various simulation systems, the dispatching automation system, the fault recording information system, the power plant quotation system and the like. The main users are dispatchers, relay protection personnel, electric power market traders and the like. The collection frequency is at the minute level, and a non-real-time network is used.
Safety III area: this area is the management information area, that is, the set of all power enterprise management service systems outside the production control area. It mainly comprises the scheduling production management system, the administrative telephone network system, the electric power enterprise data network and the like.
The three safety areas are structured around unidirectional data transmission: data is transmitted one way from safety area I to safety area II, and the data collected in safety area II is transmitted one way to safety area III. In terms of security level, safety area I ranks above safety area II, which ranks above safety area III, and information must be guaranteed to flow from the higher-security area to the lower-security area. In the overall security deployment, a unidirectional isolation gateway (network gap device) must be deployed between the safety areas to realize this design and to meet the core requirements of security partitioning and horizontal isolation set out in Classified Protection 2.0.
The original field equipment mainly comprises the field main control system (the DPU is its main network communication device and is a real-time device), the DCS core switch, the engineer station and the operator station. On the network communication link, the engineer station and the operator station exchange data with the DPU through the DCS core switch. If an information security incident occurs, an illegitimate actor can impersonate the engineer station and the operator station across the core switch network to issue illegal instructions to the DPU, while at the same time deceiving the engineer station and the operator station, and so achieve the purpose of the attack. Planned and organized network attacks in particular can paralyze the core power grid equipment of the plant and even cause a public safety crisis.
Given this network security problem, a security system suited to the field is urgently needed, one that can respond and act quickly to prevent such security accidents.
Disclosure of Invention
The invention aims to provide a neural-network-based security system for the power plant safety I area. It is added on top of the original field equipment, handles problems at the real-time production equipment layer, captures abnormal changes in field communication data in time and acts within a microsecond time scale; it can predict the intention of an attacker, take pre-emptive action according to that intention and prevent dangerous events from occurring.
The invention is realized by the following technical scheme:
a power plant safety I area situation perception platform based on a neural network comprises an operating system, a database module, an Ethernet data acquisition module, a situation perception module, a switching hardware driving module, a hardware switching device, an original control system and a standby control system,
the Ethernet data acquisition module processes the original captured data of the Ethernet, outputs content data to the situation perception module and transmits the content data to the database module for storage;
the database module handles data management for the whole power plant security system, supports PHP and the SQL structured query language, receives the data transmitted by the Ethernet data acquisition module, and caches historical content data, mainly for the TCP and UDP protocols;
the situation awareness module receives protocol data and messages from the Ethernet data acquisition module, extracts the historical content data cached by the database module, obtains the network input data associated with an instruction, judges the network danger level after analysis by the neural network, and transmits the resulting network danger level signal to the operating system; the situation awareness module comprises a neural network algorithm submodule and an algorithm training submodule; the neural network algorithm submodule adopts a three-layer network structure comprising 2 layers of perceptrons with Sigmoid functions and 1 layer of linear function perceptrons; the algorithm training submodule optimizes the network parameters using data whose results have already been labelled;
after receiving the signals transmitted by the situation awareness module, the operating system marks danger levels for the signals and transmits the marked signals to the switching hardware driving module, and meanwhile, the operating system provides a basic software platform for the database module, the Ethernet data acquisition module, the situation awareness module and the switching hardware driving module, supports software task scheduling, memory allocation, hardware driving and database access;
after receiving the signal transmitted by the operating system, the switching hardware driving module identifies a high-risk signal mark, and then quickly sends a hardware electric signal to the hardware switching device to drive the hardware switching device to start, so that switching between the original control system and the standby control system is realized;
the original control system and the standby control system are independently operated control systems, are in control connection with host equipment in the power plant and are used for controlling the starting, stopping and operating states of the equipment.
Further, the neural network algorithm submodule in the situation awareness module uses the perceptron as the basic unit of the neural network. The perceptron with a Sigmoid function takes the data obtained from the Ethernet data acquisition module as its input vector
Figure 100002_DEST_PATH_IMAGE002
; the weight vector is then defined as
Figure 100002_DEST_PATH_IMAGE004
which characterizes the contribution rate to the perceptron output, the output being defined as:
Figure 100002_DEST_PATH_IMAGE006
Figure 100002_DEST_PATH_IMAGE008
; the linear function perceptron takes the output of the perceptrons with Sigmoid functions as its input data, and its output is defined as:
Figure 100002_DEST_PATH_IMAGE010
forming a linear function perceptron without threshold,
the algorithm training submodule preprocesses the data obtained from the Ethernet data acquisition module, extracts the relevant information, receives the stored and labelled historical data from the database module, and computes the result using the better weights obtained by the neural network training algorithm.
Furthermore, the relevant information that the algorithm training submodule extracts from the Ethernet data acquisition module comprises the function code, message content bytes, time information, five-tuple information, protocol type and instantaneous flow, from which the input information is constructed.
Further, the expected result output by the neural network algorithm submodule comprises the network security risk level, flow state, equipment state, suspected attack type, forensics log data and vulnerability type.
Further, the network security risk level output by the neural network algorithm submodule is the level at which the platform judges an event, and comprises four security levels: warning, serious warning, danger and serious threat.
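The network structure and training described above, written out as an added example (not code from the patent or its applicant): two layers of Sigmoid perceptrons feed one linear perceptron without threshold, and the weights are optimized by gradient descent on labelled history. The layer sizes, feature scaling, squared-error loss, the rounding of the linear output to one of the four risk levels and the `HISTORY` records are assumptions constructed for illustration.

```python
import math
import random

# The four risk levels named in the text; index = training target (assumed encoding).
LEVELS = ["warning", "serious warning", "danger", "serious threat"]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class ThreeLayerNet:
    """Two layers of Sigmoid perceptrons followed by one linear perceptron without threshold."""

    def __init__(self, n_in, n_h1, n_h2, seed=1):
        rng = random.Random(seed)

        def init(rows, cols):
            return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

        self.w1 = init(n_h1, n_in + 1)   # last column is the bias weight
        self.w2 = init(n_h2, n_h1 + 1)
        self.w3 = [rng.uniform(-0.5, 0.5) for _ in range(n_h2)]  # linear output, no threshold

    @staticmethod
    def _sigmoid_layer(w, x):
        xb = x + [1.0]
        return [sigmoid(sum(a * b for a, b in zip(row, xb))) for row in w]

    def forward(self, x):
        h1 = self._sigmoid_layer(self.w1, x)
        h2 = self._sigmoid_layer(self.w2, h1)
        return h1, h2, sum(a * b for a, b in zip(self.w3, h2))

    def train_step(self, samples, lr):
        """One full-batch gradient-descent step on squared error; returns the loss before the step."""
        g1 = [[0.0] * len(r) for r in self.w1]
        g2 = [[0.0] * len(r) for r in self.w2]
        g3 = [0.0] * len(self.w3)
        loss = 0.0
        for x, target in samples:
            h1, h2, y = self.forward(x)
            err = y - target
            loss += 0.5 * err * err
            # Sigmoid derivative is h * (1 - h); the linear output has derivative 1.
            d2 = [err * self.w3[j] * h * (1.0 - h) for j, h in enumerate(h2)]
            d1 = [sum(d2[j] * self.w2[j][i] for j in range(len(d2))) * h * (1.0 - h)
                  for i, h in enumerate(h1)]
            for j, h in enumerate(h2):
                g3[j] += err * h
            for grads, deltas, inputs in ((g2, d2, h1 + [1.0]), (g1, d1, x + [1.0])):
                for j, d in enumerate(deltas):
                    for i, v in enumerate(inputs):
                        grads[j][i] += d * v
        n = len(samples)
        for weights, grads in ((self.w1, g1), (self.w2, g2), ([self.w3], [g3])):
            for row, grow in zip(weights, grads):
                for i in range(len(row)):
                    row[i] -= lr * grow[i] / n
        return loss / n

    def risk_level(self, x):
        # Assumed mapping: round the linear output to the nearest level index.
        y = self.forward(x)[2]
        return LEVELS[min(len(LEVELS) - 1, max(0, int(round(y))))]


def encode(function_code, n_bytes, hour, dst_port, proto, flow_bps):
    """Scale the extracted fields into [0, 1] inputs (field choice and scaling are assumptions)."""
    return [function_code / 255.0, min(n_bytes, 256) / 256.0, hour / 23.0,
            dst_port / 65535.0, 1.0 if proto == "TCP" else 0.0,
            min(flow_bps, 1e6) / 1e6]


# Constructed history labelled by personnel: (input vector, level index).
HISTORY = [
    (encode(3, 8, 10, 9000, "TCP", 2e4), 0),
    (encode(3, 64, 14, 9000, "TCP", 2e5), 1),
    (encode(16, 128, 2, 9000, "TCP", 5e5), 2),
    (encode(16, 250, 3, 9000, "UDP", 9e5), 3),
]


def train(epochs=3000, lr=0.3, seed=1):
    """Train on HISTORY; returns the network plus the first and last epoch loss."""
    net = ThreeLayerNet(n_in=6, n_h1=4, n_h2=3, seed=seed)
    losses = [net.train_step(HISTORY, lr) for _ in range(epochs)]
    return net, losses[0], losses[-1]


if __name__ == "__main__":
    net, first, last = train()
    print(first, last, [net.risk_level(x) for x, _ in HISTORY])
```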
Furthermore, the Ethernet data acquisition module processes the raw captured Ethernet data according to the compatible network protocols and outputs the content data. It comprises a message acquisition submodule, a message protocol analysis submodule and a message content analysis submodule,
the message acquisition submodule collects messages from data sent by the target whitelisted IP addresses: it reads the whitelist information when the program starts, extracts the data of the IP addresses in the whitelist and stores it in a reserved message format;
the message protocol analysis submodule extracts the data segment of a message according to the relevant communication protocol, removes the header and tail of the message and extracts only the data content; for messages carrying encrypted information it decrypts them and restores the original message;
the message content analysis submodule decomposes the content area of the message content in the target control system and provides the function code, message content bytes, time information, five-tuple information, protocol type and instantaneous flow information; this information is stored by the database module and supplied to the situation awareness module as input material for the neural network algorithm.
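An added example (not code from the patent) of the acquisition and content-analysis steps just described: frames are kept only when the source IP is on the whitelist, the Ethernet, IP and transport headers are stripped, and a feature record is produced. The frame builder, the whitelist entries, port 9000 and the convention that the first payload byte is the function code are constructed assumptions; decryption of encrypted messages is not shown.

```python
import socket
import struct

WHITELIST = {"192.168.10.5", "192.168.10.6"}   # constructed whitelist, read once at start-up
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def build_frame(src, dst, sport, dport, payload, proto=6):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the demo (checksums left at zero)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", 0x0800)
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload


def parse_frame(frame, ts):
    """Return a feature record, or None for anything that is not whitelisted IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    if frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    if src not in WHITELIST or proto not in PROTO_NAMES:
        return None
    l4 = 14 + ihl
    if proto == 6:
        if len(frame) < l4 + 20:
            return None
        hdr = (frame[l4 + 12] >> 4) * 4        # TCP data offset
        if hdr < 20:
            return None
    else:
        if len(frame) < l4 + 8:
            return None
        hdr = 8
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    end = min(len(frame), 14 + total_len)       # drop Ethernet padding or trailer
    payload = frame[l4 + hdr:end]
    return {
        "time": ts,
        "five_tuple": (src, sport, dst, dport, PROTO_NAMES[proto]),
        "protocol": PROTO_NAMES[proto],
        # Assumption: the first payload byte of the control protocol is its function code.
        "function_code": payload[0] if payload else None,
        "content": payload[1:],
        "length": len(frame),
    }


def instantaneous_flow(records, now, window=1.0):
    """Bytes per second received from whitelisted hosts during the last `window` seconds."""
    return sum(r["length"] for r in records if now - window < r["time"] <= now) / window


def demo():
    """Run the pipeline over a constructed capture of (timestamp, frame) pairs."""
    capture = [
        (0.10, build_frame("192.168.10.5", "192.168.10.20", 40001, 9000, b"\x03\x00\x10\x00\x02")),
        (0.40, build_frame("192.168.10.6", "192.168.10.20", 40002, 9000, b"\x10\x00\x01\xff", proto=17)),
        (0.50, build_frame("10.9.9.9", "192.168.10.20", 40003, 9000, b"\x06\x00\x01\x00\x00")),
        (0.60, build_frame("192.168.10.5", "192.168.10.20", 40001, 9000, b"\x03")[:30]),  # truncated
    ]
    records = []
    for ts, frame in capture:
        record = parse_frame(frame, ts)
        if record is not None:
            records.append(record)
    return records, instantaneous_flow(records, now=1.0)


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```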
Furthermore, the database module provides historical collected data, whitelist data, neural network parameters, log data and vulnerability data, supports create, delete, query and update operations on the historical collected data, the whitelist data and the neural network parameters, and provides a stable data access interface for the system.
Further, the system also comprises a Web server module, wherein the Web server module is used for displaying the expected result output of the situation awareness module; and simultaneously accepting user instructions.
Further, the host equipment comprises a steam turbine, a motor and a boiler in the power plant.
Compared with the prior art, the invention has the following advantages and beneficial effects:
First, in view of existing power plants' connection to large numbers of electronic devices, the Internet of Things and big data, the platform can monitor the network traffic of the field safety I area of industrial control equipment in real time and can parse protocol content for the different protocols of different devices. It also has analysis and identification functions: it uses a deep learning algorithm to analyze the purpose of specific message content functions, and it adapts to different network devices. Compared with products currently on the market, which can only be applied to safety areas II and III, this is a major innovation and is industry-leading given the current state of the industrial control network security industry.
Second, the neural network training algorithm is trained with existing engineering logic data combined with security levels identified by personnel; combining a new product with traditional experience makes it genuinely reliable. Meanwhile, the invention uses a Sigmoid function to replace the original function in
Figure 300198DEST_PATH_IMAGE006
, namely the
Figure DEST_PATH_IMAGE012
function. This solves the problem that, because the original sgn(y) function is discontinuous, the premise of a continuously parameterized hypothesis space does not hold for the original perceptron function. The Sigmoid function (
Figure DEST_PATH_IMAGE008A
) has a range of 0 to 1 and is monotonically increasing, so it maps input values into a small range and meets the requirement of a continuous parameter hypothesis space.
Third, an important reason the neural network algorithm can be introduced successfully into the situation awareness prediction module is the complex diversity of power plant equipment and network topology: after corresponding deployment training on the equipment, the platform can efficiently adapt to its environment and learn by itself, and can cope with the changing characteristics of field engineering applications. These environmental characteristics are an important factor in making the invention achievable.
Fourth, the invention runs on the NeoKylin operating system, which is autonomous and controllable and is currently used in specialized fields; from the standpoint of software security it is a domestic Chinese product and is safer than imported products.
Fifth, the invention uses a hardware signal to switch between the original DCS and the standby DCS; the switchover does not depend on the communication network and is therefore safe and reliable.
Sixth, the invention performs reverse analysis, at the engineering content level, of the network messages of safety I area equipment, so the intention of an attacker can be predicted and the intrinsic safety of area I equipment greatly improved; the product can learn the content of different engineering environments, optimize its internal parameters and adapt to different power plant environments.
Seventh, data is managed in an internal database, which makes it easy to generate self-learning training data and result labels, allows data to be traced internally and provides an audit function.
Eighth, the invention uses Web page access, so a user can lay a network cable on site for dedicated-line access, which makes field deployment convenient and fast.
Ninth, the neural network training algorithm is trained with existing engineering logic data combined with security levels identified by personnel; combining a new product with traditional experience makes it genuinely trustworthy.
Drawings
Fig. 1 is a flow chart of each block in embodiment 1.
Fig. 2 is a diagram illustrating a starting procedure of the situation awareness platform according to an embodiment of the present invention.
Fig. 3 is a flow chart of each block in embodiment 2.
Fig. 4 is a diagram of an output model of the Sigmoid function.
Fig. 5 is a schematic diagram of the processing of the perceptron function submodule.
Fig. 6 is a parameter-trained feedforward network data model of embodiment 2.
Fig. 7 is a diagram of the neural network training steps in the present invention.
Fig. 8 is a data processing flow chart of the situation awareness module in embodiment 2.
Fig. 9 is a block diagram of the structure of the situation awareness module algorithm in embodiment 2.
Fig. 10 is a schematic diagram of standby control system takeover in embodiment 2.
Fig. 11 is a flowchart of the Ethernet data acquisition module in embodiment 2.
Fig. 12 is a flowchart of the procedure of the database module in embodiment 2.
Fig. 13 is a block diagram of an implementation of the Web server module in embodiment 2.
Fig. 14 is a diagram illustrating a starting procedure of the situation awareness platform of the safety I area of a power plant in embodiment 2.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1
The embodiment is the most basic implementation mode, and discloses a power plant safety I area situation awareness platform based on a neural network, which belongs to the technical field of power plant network safety and comprises an operating system, a database module, an Ethernet data acquisition module, a situation awareness module, a switching hardware driving module, a hardware switching device, an original control system and a standby control system,
the Ethernet data acquisition module processes the original captured data of the Ethernet, outputs content data to the situation perception module and transmits the content data to the database module for storage;
the database module handles data management for the whole power plant security system, supports PHP and the SQL structured query language, receives the data transmitted by the Ethernet data acquisition module, and caches historical content data, mainly for the TCP and UDP protocols;
the situation awareness module receives protocol data and messages from the Ethernet data acquisition module, extracts the historical content data cached by the database module, obtains the network input data associated with an instruction, judges the network danger level after analysis by the neural network, and transmits the resulting network danger level signal to the operating system; the situation awareness module comprises a neural network algorithm submodule and an algorithm training submodule; the neural network algorithm submodule adopts a three-layer network structure comprising 2 layers of perceptrons with Sigmoid functions and 1 layer of linear function perceptrons; the algorithm training submodule optimizes the network parameters using data whose results have already been labelled;
after receiving the signals transmitted by the situation awareness module, the operating system marks danger levels for the signals and transmits the marked signals to the switching hardware driving module, and meanwhile, the operating system provides a basic software platform for the database module, the Ethernet data acquisition module, the situation awareness module and the switching hardware driving module, supports software task scheduling, memory allocation, hardware driving and database access;
after receiving the signal transmitted by the operating system, the switching hardware driving module identifies a high-risk signal mark, and then quickly sends a hardware electric signal to the hardware switching device to drive the hardware switching device to start, so that switching between the original control system and the standby control system is realized;
the original control system and the standby control system are independently operated control systems, are in control connection with host equipment in the power plant and are used for controlling the starting, stopping and operating states of the equipment.
In this embodiment, referring to Fig. 2, the start-up steps of the power plant safety I area situation awareness platform are as follows:
step 1: the equipment of the power plant safety I area situation awareness platform is powered on, and the power supply circuit converts the 220 VAC supply into the working voltage required by each sub-component;
step 2: the Ethernet data acquisition module, the Loongson chip, the bridge circuit, the memory, the hard disk and the switching device in the platform are ready after power-on;
step 3: the firmware program starts and loads the Kylin operating system, and each hardware driving module is loaded;
step 4: the operating system loads the Apache web server, the MariaDB database and the Python runtime library, and the related software components run;
step 5: the network card driver and the communication driver of the switching device are initialized, and the readiness of the related equipment is confirmed;
step 6: the mirror switch port data acquisition software of the Ethernet data acquisition module is initialized, the database correlation identification library is loaded and the JavaScript front-end program module is loaded;
step 7: the operating system schedules the manager process and the associated system flags: it defines and initializes the priorities and flags of the database management, situation awareness, Ethernet data acquisition and switching hardware driving modules (priority is designed in the order Ethernet data acquisition, situation awareness, hardware driving, database), initializes the shared memory, and manages shared-memory data through thread tools such as operating system semaphores and atomic locks;
step 8: the Ethernet data acquisition module collects the current network data; the situation awareness module analyzes the current network condition from the collected data and the extracted historical data; the switching hardware driving module, the database module and the other modules are all started and working normally.
Example 2
The embodiment is a more preferable implementation mode based on embodiment 1, and is a situation awareness platform for a safety I area of a power plant based on a neural network, which belongs to the technical field of network safety of the power plant, and comprises an operating system, a database module, an ethernet data acquisition module, a situation awareness module, a switching hardware driving module, a hardware switching device, an original control system, a standby control system, and a Web server module, referring to fig. 3,
the Ethernet data acquisition module processes the original captured data of the Ethernet, outputs content data to the situation perception module and transmits the content data to the database module for storage;
the database module handles data management for the whole power plant security system, supports PHP and the SQL structured query language, receives the data transmitted by the Ethernet data acquisition module, and caches historical content data, mainly for the TCP and UDP protocols;
the situation awareness module receives protocol data and messages from the Ethernet data acquisition module, extracts the historical content data cached by the database module, obtains the network input data associated with an instruction, judges the network danger level after analysis by the neural network, and transmits the resulting network danger level signal to the operating system; the situation awareness module comprises a neural network algorithm submodule and an algorithm training submodule; the neural network algorithm submodule adopts a three-layer network structure comprising 2 layers of perceptrons with Sigmoid functions and 1 layer of linear function perceptrons; the algorithm training submodule optimizes the network parameters using data whose results have already been labelled;
after receiving the signals transmitted by the situation awareness module, the operating system marks danger levels for the signals and transmits the marked signals to the switching hardware driving module, and meanwhile, the operating system provides a basic software platform for the database module, the Ethernet data acquisition module, the situation awareness module and the switching hardware driving module, supports software task scheduling, memory allocation, hardware driving and database access;
after receiving the signal transmitted by the operating system, the switching hardware driving module identifies a high-risk signal mark, and then quickly sends a hardware electric signal to the hardware switching device to drive the hardware switching device to start, so that switching between the original control system and the standby control system is realized;
the original control system and the standby control system are independently operated control systems, are in control connection with host equipment in the power plant and are used for controlling the starting, stopping and operating states of the equipment;
the Web server module is used for displaying the expected result output of the situation perception module; and simultaneously accepting user instructions.
Further, the situation awareness module comprises a neural network algorithm submodule and an algorithm training submodule. The neural network algorithm submodule uses the perceptron as the basic unit of the neural network. The perceptron with a Sigmoid function takes the data obtained from the Ethernet information acquisition module as its input, forming the input vector
Figure 997764DEST_PATH_IMAGE002
(ii) a Then define the weight vector as
Figure 511922DEST_PATH_IMAGE004
which characterizes the contribution rate to the perceptron output; the output is defined as:
Figure 438290DEST_PATH_IMAGE006
Figure DEST_PATH_IMAGE008AA
The output function here is the Sigmoid function, whose mathematical model is:
Figure DEST_PATH_IMAGE008AAA
The output of the function is shown in fig. 4: its range is 0 to 1 and it is monotonically increasing, so it maps input values into a small range. These properties satisfy the requirement of a "continuously parameterized hypothesis space", and the result is a perceptron function submodule with a Sigmoid function, whose processing is shown in fig. 5.
In the linear function perceptron, the output of the perceptron with the Sigmoid function is used as the input data, and the output is defined as:
Figure 564247DEST_PATH_IMAGE010
The linear function unit implements the basic output unit of the neural network and evaluates the error between the actual output of the neural network
Figure DEST_PATH_IMAGE014
and the target output
Figure DEST_PATH_IMAGE016
which provides a feedback value for the data training adjustment of the algorithm training submodule; this forms a linear function perceptron without a threshold.
The algorithm training submodule preprocesses data obtained from the Ethernet data acquisition module, extracts relevant information, receives historical data which is stored and marked by the database module, and calculates a result according to a better weight value obtained by a neural network training algorithm.
The neural network algorithm submodule consists of 2 layers of Sigmoid function perceptrons and 1 layer of linear function perceptrons. The multilayer network structure fits the nonlinear characteristics of a real network environment; the inputs are the neural network layer data structure, the weight data distribution structure and the perceptron function, and the output is the expected result. Fig. 6 shows the feedforward network data model trained with the parameters of this embodiment.
The neural network algorithm of the situation awareness module has two processes: algorithm training and algorithm application. Algorithm training means using the data acquired by the Ethernet data acquisition module and the labelled data in the database module to train the algorithm parameters of the neural network; a convergent algorithm design makes the calculation result converge to the expected value, and training finally yields a usable set of AI weights, so that the whole software system produces the expected result when real-time application data is input. The neural network training steps of the module are shown in fig. 7.
Algorithm application means using the AI weights obtained by algorithm training: after the Ethernet data acquisition module inputs data acquired in real time to the situation awareness module, a prediction calculation is performed and the expected result is output. The expected result includes the network security danger level of the power plant, from which the security state of the network equipment is judged. The data processing flow of the situation awareness module is shown in fig. 8.
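The network structure and the two phases described above (training on labelled data, then application to new input) can be written out as follows. This is an added example, not code from the patent: because the formula images are missing from this page, it assumes the standard definitions (sigmoid perceptron output σ(w·x) with σ(y) = 1/(1 + e^(−y)), linear unit output w·x, squared-error backpropagation), and the layer sizes, feature encoding and labelled samples are constructed for illustration.

```python
import math
import random

# The page's four danger levels, lowest to highest.
LEVELS = ["warning", "serious warning", "danger", "serious threat"]

# Constructed training data (assumption): each input is
# [write_function_code, source_outside_white_list, flow_norm, payload_norm],
# each target is the labelled level index scaled to 0..1.
SAMPLES = [
    ([0, 0, 0.9, 0.2], 0 / 3), ([0, 0, 0.8, 0.1], 0 / 3),
    ([0, 1, 0.2, 0.2], 1 / 3), ([0, 1, 0.3, 0.1], 1 / 3),
    ([1, 0, 0.3, 0.6], 2 / 3), ([1, 0, 0.2, 0.7], 2 / 3),
    ([1, 1, 0.9, 0.9], 3 / 3), ([1, 1, 0.8, 1.0], 3 / 3),
]


def sigmoid(y):
    return 1.0 / (1.0 + math.exp(-y))


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


class ThreeLayerNet:
    """Two layers of sigmoid perceptrons feeding one linear unit without threshold."""

    def __init__(self, n_in, n_h1, n_h2, seed=1):
        rng = random.Random(seed)

        def rand(rows, cols):
            return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

        self.w1 = rand(n_h1, n_in + 1)  # +1: weight w0 on a constant input of 1.0
        self.w2 = rand(n_h2, n_h1 + 1)
        self.w3 = rand(1, n_h2)[0]      # linear output unit, no threshold weight

    def forward(self, x):
        xb = [1.0] + list(x)
        h1b = [1.0] + [sigmoid(dot(w, xb)) for w in self.w1]
        h2 = [sigmoid(dot(w, h1b)) for w in self.w2]
        return xb, h1b, h2, dot(self.w3, h2)

    def predict(self, x):
        return self.forward(x)[3]

    def gradients(self, x, t):
        """Backpropagate E = 1/2 (o - t)^2 for one labelled sample."""
        xb, h1b, h2, o = self.forward(x)
        err = o - t  # dE/do; the linear unit passes it through unchanged
        g3 = [err * h for h in h2]
        d2 = [err * self.w3[j] * h2[j] * (1.0 - h2[j]) for j in range(len(h2))]
        g2 = [[d * h for h in h1b] for d in d2]
        d1 = [sum(d2[j] * self.w2[j][i] for j in range(len(d2))) * h1b[i] * (1.0 - h1b[i])
              for i in range(1, len(h1b))]  # skip index 0, the constant input
        g1 = [[d * v for v in xb] for d in d1]
        return g1, g2, g3

    def train(self, samples, epochs=3000, lr=0.1):
        """Algorithm training: per-sample gradient descent on the labelled data."""
        for _ in range(epochs):
            for x, t in samples:
                g1, g2, g3 = self.gradients(x, t)
                for w, g in zip(self.w1 + self.w2 + [self.w3], g1 + g2 + [g3]):
                    for k in range(len(w)):
                        w[k] -= lr * g[k]


def mse(net, samples):
    return sum((net.predict(x) - t) ** 2 for x, t in samples) / len(samples)


def level_of(output):
    """Algorithm application: map the linear output back to a named danger level."""
    idx = round(output * (len(LEVELS) - 1))
    return LEVELS[min(len(LEVELS) - 1, max(0, idx))]


def demo(seed=1):
    net = ThreeLayerNet(4, 5, 4, seed)
    before = mse(net, SAMPLES)
    net.train(SAMPLES)
    return net, before, mse(net, SAMPLES)


if __name__ == "__main__":
    net, before, after = demo()
    print(f"mean squared error: {before:.4f} -> {after:.4f}")
    for x, t in SAMPLES:
        print(x, "labelled", LEVELS[round(t * 3)], "predicted", level_of(net.predict(x)))
```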
A neural network algorithm can be used here for the following reason: the industrial control environment in which the network message capturing and identifying system operates is very fixed and uniform. Once the system starts working it can run stably for many years, the information in the network messages follows regular patterns, and the network environment and session structure are very stable. Parsing and classifying the messages is also a highly repetitive task. Given these characteristics of the industrial environment, a neural network algorithm can be used for the safety system.
After neural network training, the software preprocesses the data from the Ethernet data acquisition module, extracts the relevant information and constructs the input data (including function codes, message content bytes, time information, quintuple information, protocol types and instantaneous flow); the neural network then calculates and outputs the expected results (including danger levels, flow states, equipment states, suspected attack types, vulnerability types, evidence-collection log data and the like), as shown in fig. 9.
Further, the network security danger level output by the neural network algorithm submodule is the level the platform assigns to an event, and comprises four security levels: warning, serious warning, danger and serious threat, wherein:
(1) when the network communication is detected not to conform to the established rules, for example abnormal flow, abnormal communication fault codes or communication faults of equipment, this is regarded as a "warning" and operation and maintenance personnel are prompted;
(2) when the network communication is detected not to conform to the white list rules, for example an abnormal IP or an abnormal MAC, illegal behaviour is presumed; this is regarded as a "serious warning" and operation and maintenance personnel are prompted;
(3) when behaviour endangering network equipment is detected in the network communication, this is regarded as "danger" and operation and maintenance personnel are requested to handle the exception; the handling is recorded by the associated audit device, combined with approval through the personnel management system, and processed with the supporting information system in line with the principle of assigned responsibility;
(4) when an imminent critical situation is detected for the designated equipment, in particular a planned, organized network attack, which could paralyze the core equipment of the power plant and power grid and even cause a public safety crisis, this is regarded as a "major threat". When the switching hardware driving module identifies the "major threat" mark set by the operating system, it rapidly drives the hardware switching device to act; the switching device switches the original control system connected to the platform over to the standby control system and notifies field maintenance personnel. Of course, when the platform is deployed in a project, this is done only with the permission of the owner and in compliance with the relevant national standards and regulations; refer to fig. 10.
Further, the Ethernet communication data among the engineer station, the operator station and the controller in safety zone I of the power plant includes general TCP and UDP Ethernet protocol data and also industrial Ethernet data, such as EtherCAT, Modbus TCP, PROFINET and POWERLINK protocol data. The Ethernet data acquisition module processes the raw captured Ethernet data according to the relevant protocol and outputs content data. It comprises a message acquisition submodule, a message protocol analysis submodule and a message content analysis submodule. The flow of the module is shown in fig. 11: processing is serial, the overall input is the raw captured Ethernet data, the output is the content data, and the implementation language is Python.
The message acquisition submodule acquires information messages according to the data sent by the target white list IP addresses: it reads the white list information when the program starts, extracts the data of the relevant white-listed IPs, and stores it in the reserved message format;
the message protocol analysis submodule extracts the data segment of each message according to communication protocols such as UDP, TCP, MODBUS TCP and EtherCAT, removing the message header and trailer and keeping only the data content; messages with encrypted information are decrypted to restore the original message;
the message content analysis submodule decomposes the content area of the message content information in the target control system and provides function codes, message content bytes, time information, quintuple information, protocol types and instantaneous flow information; this information is stored by the database module and supplies the input material for the neural network algorithm of the situation awareness module.
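The three submodules above, written out as an added example in Python (the implementation language the page names for this module); it is not the patent's code. It goes one step beyond the text by returning messages from non-white-listed sources separately instead of dropping them silently, and by flagging malformed Modbus TCP frames. The Packet record shape, the addresses and the sample capture are constructed, only Modbus TCP is decoded, and decryption is not covered.

```python
import struct
from collections import namedtuple

# One captured message after link/IP/transport decoding (assumed record shape).
Packet = namedtuple("Packet", "ts src dst sport dport proto payload")

MBAP = struct.Struct(">HHHB")  # Modbus TCP header: transaction id, protocol id, length, unit id
MODBUS_PORT = 502


def collect(packets, white_list):
    """Message acquisition: keep traffic sent by white-listed IPs, set the rest aside."""
    kept = [p for p in packets if p.src in white_list]
    rejected = [p for p in packets if p.src not in white_list]
    return kept, rejected


def parse_modbus_tcp(payload):
    """Message protocol analysis: strip the MBAP header, return (function_code, data).

    Returns None for truncated frames or frames whose header fields are inconsistent.
    """
    if len(payload) < MBAP.size + 1:
        return None
    _tid, protocol_id, length, _unit = MBAP.unpack_from(payload)
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    pdu = payload[MBAP.size:]
    return pdu[0], pdu[1:]


def analyse(packets, window=1.0):
    """Message content analysis: one feature record per message."""
    records = []
    for p in packets:
        function_code, content, malformed = None, p.payload, False
        protocol = p.proto
        if p.proto == "TCP" and MODBUS_PORT in (p.sport, p.dport):
            protocol = "MODBUS TCP"
            parsed = parse_modbus_tcp(p.payload)
            if parsed is None:
                malformed = True
            else:
                function_code, content = parsed
        # Instantaneous flow: payload bytes seen in the window ending at this message.
        recent = [q for q in packets if p.ts - window < q.ts <= p.ts]
        records.append({
            "time": p.ts,
            "five_tuple": (p.src, p.sport, p.dst, p.dport, p.proto),
            "protocol": protocol,
            "function_code": function_code,
            "content": content,
            "malformed": malformed,
            "flow_bytes_per_s": sum(len(q.payload) for q in recent) / window,
        })
    return records


def pipeline(packets, white_list):
    """Serial flow: acquisition, then protocol and content analysis of what was kept."""
    kept, rejected = collect(packets, white_list)
    return analyse(kept), rejected


def modbus_frame(tid, unit, function_code, data):
    """Build a Modbus TCP frame for the constructed sample below."""
    return MBAP.pack(tid, 0, len(data) + 2, unit) + bytes([function_code]) + data


WHITE_LIST = {"192.168.1.10", "192.168.1.20"}  # constructed addresses
PLC = "192.168.1.50"                           # constructed controller address
SAMPLE = [  # constructed capture, not real traffic
    Packet(0.00, "192.168.1.10", PLC, 49152, 502, "TCP", modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    Packet(0.20, "192.168.1.10", PLC, 49152, 502, "TCP", modbus_frame(2, 1, 6, b"\x00\x01\x01\xf4")),
    Packet(0.30, "10.9.9.9", PLC, 40001, 502, "TCP", modbus_frame(3, 1, 3, b"\x00\x00\x00\x01")),
    Packet(0.40, "192.168.1.20", PLC, 49153, 502, "TCP", b"\x00\x04\x00\x00\x00"),  # truncated
    Packet(1.50, "192.168.1.20", PLC, 40000, 9000, "UDP", b"heartbeat"),
]

if __name__ == "__main__":
    records, rejected = pipeline(SAMPLE, WHITE_LIST)
    for r in records:
        print(r)
    print("outside white list:", [p.src for p in rejected])
```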
Further, the database module provides historical collected data, white list data, neural network parameters, log data and vulnerability data. The processing flow of the database module is shown in fig. 12. It mainly completes data management for the whole platform, and the implementation languages are PHP and SQL (structured query language).
The data in the whole platform is mainly divided into the following categories:
historical collected data: usable data output by the Ethernet data acquisition module, available for historical queries;
white list data: the MAC and IP addresses of equipment added to the trusted category;
neural network parameters: AI training parameters used for calculating situation awareness data;
log data: access records for the equipment;
vulnerability data: a data set for vulnerability queries.
The database module mainly implements adding, deleting, querying and modifying of the historical collected data, white list data and neural network parameters, and provides a stable data access interface for the platform.
Further, the host equipment comprises a steam turbine, a motor and a boiler in the power plant.
The Web server module outputs the state results of the situation awareness module in the platform and lets the user issue related configuration instructions. It is implemented with HTML, CSS and JavaScript. Input: the data output by the Ethernet data acquisition module, the situation awareness module, the database module and the switching hardware driving module, including real-time collected data, historical data, training parameters, log data, flow data, white list information and the like. Output: the configuration parameters of each sub-process, including form operations such as training configuration, result marking and white list configuration, as well as switching commands and the like.
The implementation block diagram of the Web server module is shown in fig. 13. Its working principle is as follows: after Apache is started, it provides a Web service for the machine; when a user accesses the server, the web page parsing protocol is executed through the firewall and browser, a web page composed of HTML, CSS and JavaScript is presented to the user in dynamic form, and at the same time the whole platform receives the user's instructions.
In this embodiment, the starting steps of the situation awareness platform for the safety zone I of the power plant are shown in fig. 14.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (9)

1. A situation awareness platform for safety zone I of a power plant based on a neural network, characterized in that: it comprises an operating system, a database module, an Ethernet data acquisition module, a situation awareness module, a switching hardware driving module, a hardware switching device, an original control system and a standby control system,
the Ethernet data acquisition module processes the original captured data of the Ethernet, outputs content data to the situation perception module and transmits the content data to the database module for storage;
the database module completes data management for the whole power plant safety system and is implemented in PHP and SQL (structured query language), receives the data transmitted by the Ethernet data acquisition module, and caches historical content data, mainly based on the TCP and UDP protocols;
the situation awareness module receives protocol data and messages from the Ethernet data acquisition module, extracts the historical content data cached by the database module, obtains the network input data associated with instructions, judges the network danger level after analysis by the neural network system, and transmits the resulting danger-level signal to the operating system; the situation awareness module comprises a neural network algorithm submodule and an algorithm training submodule, the neural network algorithm submodule adopts a three-layer network structure consisting of 2 layers of perceptrons with Sigmoid functions and 1 layer of linear function perceptrons; the algorithm training submodule optimizes the network parameters using data whose results have already been labelled;
after receiving the signals transmitted by the situation awareness module, the operating system marks danger levels for the signals and transmits the marked signals to the switching hardware driving module, and meanwhile, the operating system provides a basic software platform for the database module, the Ethernet data acquisition module, the situation awareness module and the switching hardware driving module, supports software task scheduling, memory allocation, hardware driving and database access;
after receiving the signal transmitted by the operating system, the switching hardware driving module identifies a high-risk signal mark, and then quickly sends a hardware electric signal to the hardware switching device to drive the hardware switching device to start, so that switching between the original control system and the standby control system is realized;
the original control system and the standby control system are independently operated control systems, are in control connection with host equipment in the power plant and are used for controlling the starting, stopping and operating states of the equipment.
2. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 1, wherein: the neural network algorithm sub-module in the situation perception module adopts a perceptron to form a basic unit of the neural network, wherein the perceptron with a Sigmoid function takes data obtained from the Ethernet information acquisition module as an input vector to form a vector
Figure DEST_PATH_IMAGE002
(ii) a Then define the weight vector as
Figure DEST_PATH_IMAGE004
which characterizes the contribution rate to the perceptron output, the output being defined as:
Figure DEST_PATH_IMAGE006
Figure DEST_PATH_IMAGE008
(ii) a The output of the sensor with Sigmoid function is used as the output of the linear function sensorFor its input data, the output is defined as:
Figure DEST_PATH_IMAGE010
forming a linear function perceptron without a threshold,
the algorithm training submodule preprocesses data obtained from the Ethernet data acquisition module, extracts relevant information, receives historical data which is stored and marked by the database module, and calculates a result according to a better weight value obtained by a neural network training algorithm.
3. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 2, wherein: the related information extracted from the Ethernet data acquisition module by the algorithm training submodule comprises a function code, a message content byte, time information, quintuple information, a protocol type and instantaneous flow, and input information is constructed.
4. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 2, wherein: the expected result output by the neural network algorithm submodule comprises a network security risk level, a flow state, an equipment state, a suspected attack type, evidence obtaining log data and a vulnerability type.
5. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 4, wherein: the network safety danger level output by the neural network algorithm submodule is the level of the platform for judging the event, and comprises four safety levels of warning, serious warning, danger and serious threat.
6. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 1, wherein: the Ethernet data acquisition module processes the original captured data of the Ethernet according to a compatible network protocol and outputs content data, the Ethernet data acquisition module comprises a message acquisition submodule, a message protocol analysis submodule and a message content analysis submodule,
the message collection submodule collects information messages according to data sent by a target white list IP address, reads white list information when a program is started, extracts relevant IP data in a white list and stores the data according to a reserved message format;
the message protocol analysis submodule extracts data segment information of the message according to a relevant communication protocol, removes a header and a trailer of the message information, only extracts data content information, reversely decrypts the message with encrypted information, and restores original message of the message;
the message content analysis submodule carries out content area decomposition according to message content information in the target control system, provides information including function codes, message content bytes, time information, quintuple information, protocol types and instantaneous flow information, provides the information for the database module to store, and provides a neural network algorithm material for the situation perception module.
7. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 1, wherein: the database module provides historical collected data, white list data, neural network parameters, log data and vulnerability data, can implement adding, deleting, querying and modifying of the historical collected data, the white list data and the neural network parameters, and provides a stable data access interface for the system.
8. The power plant safety zone I situation awareness platform based on the neural network as claimed in any one of claims 1 to 7, wherein: the system also comprises a Web server module, wherein the Web server module is used for displaying the expected result output of the situation awareness module; and simultaneously accepting user instructions.
9. The power plant safety zone I situation awareness platform based on the neural network as claimed in claim 8, wherein: the main machine equipment comprises a steam turbine, a motor and a boiler in a power plant.
CN202110095508.4A 2021-01-25 2021-01-25 Power plant safety I area situation perception platform based on neural network Active CN112866262B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110095508.4A CN112866262B (en) 2021-01-25 2021-01-25 Power plant safety I area situation perception platform based on neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110095508.4A CN112866262B (en) 2021-01-25 2021-01-25 Power plant safety I area situation perception platform based on neural network

Publications (2)

Publication Number Publication Date
CN112866262A true CN112866262A (en) 2021-05-28
CN112866262B CN112866262B (en) 2022-06-14

Family

ID=76008411

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110095508.4A Active CN112866262B (en) 2021-01-25 2021-01-25 Power plant safety I area situation perception platform based on neural network

Country Status (1)

Country Link
CN (1) CN112866262B (en)

Also Published As

Publication number Publication date
CN112866262B (en) 2022-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant