CN113079150A - Intrusion detection method for power terminal equipment - Google Patents


Info

Publication number: CN113079150A
Application number: CN202110325387.8A
Authority: CN (China)
Prior art keywords: behavior, metadata, terminal equipment, power terminal, vector
Legal status: Granted; currently Active
Other languages: Chinese (zh)
Other versions: CN113079150B (publication after grant)
Inventors: 武婕, 邓彬, 周亚胜, 黄颖祺, 郝蛟, 叶振豪, 张夕佳, 刘岩
Current assignee: Shenzhen Power Supply Bureau Co Ltd
Original assignee: Shenzhen Power Supply Bureau Co Ltd
Application filed by Shenzhen Power Supply Bureau Co Ltd; priority to CN202110325387.8A; publication of CN113079150A; application granted; publication of CN113079150B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 ... for detecting or protecting against malicious traffic
    • H04L63/1408 ... by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent


Abstract

The invention provides an intrusion detection method for power terminal equipment, comprising the following steps: step S1, obtaining network traffic data and log files of the power terminal equipment; step S2, extracting behavior metadata from the network traffic data and the log files; step S3, generating a behavior vector of the power terminal equipment from the behavior metadata; step S4, inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model to obtain a detection result, and determining from the detection result whether the power terminal equipment shows intrusion behavior, where the detection result is either normal or abnormal. The method preserves the association relations between behavior sequences in the behavior corpus, quantifies them by computing a vector distance, uses that distance to decide whether the power terminal equipment shows intrusion behavior, and thereby improves the capability to analyze network attack behavior.

Description

Intrusion detection method for power terminal equipment
Technical Field
The invention relates to the technical field of computers, in particular to an intrusion detection method for power terminal equipment.
Background
In recent years the application of computer technology in the electric power field has deepened, and the close integration of computing and electric power has brought the grid into an intelligent era. The wide adoption of data communication network technology greatly extends the information boundary of the smart grid and realizes a deep fusion of information flow, control flow and energy flow within it. However, while the intelligent trend of the grid improves the utilization of electric energy and the operating efficiency of the power system, it also introduces a series of hidden dangers. On the one hand, as the grid becomes more intelligent its data volume grows exponentially, and abnormal data and intrusion behavior become ever harder to pick out of massive data; on the other hand, with the rise of APTs (Advanced Persistent Threats), network attacks on power systems span large intervals of time and space, so intrusion detection that analyzes only the data and behavior of the current moment cannot effectively identify the attack.
In recent years, as artificial intelligence technology has matured, its powerful data analysis and model-building capabilities have proven effective at enabling industry in many sectors and fields. Applying machine learning and artificial intelligence methods directly in the network security setting also achieves a certain effect: CAPTCHAs have become easy to recognize as image recognition algorithms are refined, machine-learning analysis of massive logs can identify more than 85% of attacks, and the application scenarios are too many to enumerate.
Because the electric power system is national critical infrastructure, the services it carries bear directly on the national economy and people's livelihood. This work addresses the security problem of intrusion detection for power terminal equipment. Conventional intrusion detection technology generally builds a signature library and a rule library for known threat behaviors and detects threats by signature matching. On the one hand, such detection depends too heavily on prior knowledge: unknown threats cannot be found effectively, and viruses and malicious code can generate different samples through 'polymorphic' techniques and so evade detection. On the other hand, 'blacklist' detection must complete the analysis, rule matching and response for real-time data within a limited time; under big-data conditions an attacker continuously and precisely launches network attacks while masking attack data and attack signatures, and from the discovery of a system vulnerability to its use in a targeted attack, a large-scale attack can peak quickly, leaving extremely little reaction time for attack analysis and security defense. As the data volume of today's smart grid grows exponentially, missed detections are easily caused when the availability of the power terminal equipment must be preserved.
Therefore, protection against novel, targeted, unknown viruses must be strengthened, and system security must be reinforced by active security protection methods on top of the existing boundary protection and intrusion detection. To strengthen protection against targeted attacks by malicious software, active security protection technology based on trusted computing has appeared in the prior art. Based on legitimate operating processes, illegitimate operations are blocked in a security monitoring area, and only legitimate services in a secure initial state are allowed to run; information about each process running in the system is extracted, including the process name, process priority and the executable file the process loads, a hash value is generated for the process by a hash computation as its legitimacy and trust credential, and the hash values are stored in a trusted process list, forming a trusted process list in whitelist form. A trusted-authentication monitoring process runs in real time with this whitelist: each time a system process passes trusted authentication it obtains the system permission to execute, and if the hash value of a process is not in the trusted process list, the process does not obtain permission and cannot execute, ensuring safe and stable operation of the dispatching system. However, even though trusted computing protects against such illegitimate processes, it does not properly solve the security problem itself.
If a malicious program can abuse the trusted authentication of a hardware driver to slip into the whitelist, as the Stuxnet virus did, the protective barrier can still be breached and a precise attack launched.
Meanwhile, processing systems such as SiLK have been developed. They adopt an integration concept, bringing existing NetFlow (network monitoring) tools together to provide situation awareness for the whole network and to support security analysis of large-scale networks. A Support Vector Machine (SVM) is used as the fusion technique to fuse multi-source, multi-attribute information and generate the situational picture. However, perception of the network security situation does not include perception of the attacker's intent and target, so the defensive posture lags behind the attack behavior and falls into a passive state.
Disclosure of Invention
The invention aims to provide an intrusion detection method for power terminal equipment that solves the technical problem of insufficient behavioral correlation in existing intrusion detection methods.
In one aspect, an intrusion detection method for power terminal equipment is provided, which includes the following steps:
step S1, acquiring network traffic data and log files of the power terminal equipment;
step S2, extracting behavior metadata from the network traffic data and the log files;
step S3, generating a behavior vector of the power terminal equipment from the behavior metadata;
step S4, inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model to obtain a detection result, and determining from the detection result whether the power terminal equipment shows intrusion behavior; the detection result is either normal or abnormal.
Preferably, the step S1 specifically includes:
step S11, tapping the upstream and downstream traffic passing through the power terminal equipment with a splitter (TAP), obtaining the network traffic data of the power terminal equipment, and reading the log files of the power terminal equipment;
and step S12, a remote data analysis terminal obtains the traffic data and log files of the power terminal equipment, classifies the network traffic data and the log files, and stores the classification results in a preset format.
Preferably, the step S2 specifically includes:
step S21, parsing the network traffic data and the log data, and generating corresponding behavior metadata for each protocol of the network layer, transport layer and application layer and for each log format; identifying and integrating all behavior metadata of a given power terminal device to obtain the behavior metadata of that device;
and step S22, filtering the behavior metadata of the power terminal equipment with preset metadata extraction rules to obtain the behavior metadata relevant to intrusion detection.
Preferably, the step S22 specifically includes:
generating an identifier for each piece of behavior metadata from the network-layer IP address and the transport-layer port number and protocol type, and, when the identifiers of several pieces of behavior metadata satisfy the same preset identifier requirement, joining them to obtain first associated metadata; the identifier of the behavior metadata comprises the source address, source port number, destination address, destination port and protocol type;
parsing the behavior metadata according to the protocol above the transport layer, identifying and outputting the metadata type of that protocol, and joining the behavior metadata having the same originator address to obtain second associated metadata; the metadata types comprise the start character, length, control field, type identifier, originator address, cause of transmission, common address of the application service data unit (ASDU), information object and absolute time tag;
and splicing the fields of the same data packet according to the correspondence between the address information of the first associated metadata and the originator address information of the second associated metadata, to obtain the behavior metadata relevant to intrusion detection.
Preferably, the step S3 specifically includes:
step S31, acquiring a plurality of behavior metadata related to intrusion detection to form a behavior set;
and step S32, inputting the behavior set into a preset behavior vector model, and characterizing all samples in the behavior set in their sequence order to generate the behavior vector.
Preferably, in step S32, the characterizing all samples in the behavior set according to their sequences specifically includes:
setting N in the behavior vector model, where N means that the occurrence of the current behavior is related to the preceding N-1 behaviors;
generating a feature vector for each behavior in the behavior set;
generating the behavior vector according to the following formula:
Figure BDA0002994416700000041
where D denotes the behavior set; {d_1, d_2, ..., d_i, ..., d_k}, i ∈ (1, k), are the behaviors contained in the set, and k is the number of categories contained in D; n denotes the association between each behavior in the behavior set and the preceding n-1 behaviors in the sequence.
Preferably, in step S4, the training process of the behavior sequence prediction model includes: setting the initial structure and parameters of a bidirectional LSTM neural network;
inputting the behavior vectors of the power terminal equipment into the bidirectional LSTM model to generate a behavior sequence prediction model;
and packaging and storing the generated sequence prediction model in a preset format to obtain the pre-trained behavior sequence prediction model.
Preferably, in step S4, the process of obtaining the detection result specifically includes:
inputting the current behavior vector of the power terminal equipment into the pre-trained behavior sequence prediction model, which generates a predicted value of the current behavior from the context of the current behavior;
and comparing the predicted value with the actual value of the current behavior, judging whether the behavior is abnormal by computing the vector distance between them, and thereby obtaining the detection result.
Preferably, the determining whether the behavior is abnormal by calculating the vector distance thereof specifically includes:
calculating the vector distance of the predicted value and the actual value according to the following formula:
Figure BDA0002994416700000051
where {s_{i1}, s_{i2}, ..., s_{ij}, ..., s_{in}}, j ∈ (1, n), is the behavior vector of the actual value of the current behavior; {s'_{i1}, s'_{i2}, ..., s'_{ij}, ..., s'_{in}}, j ∈ (1, n), is the behavior vector of the predicted value of the current behavior; n denotes the association between each behavior in the behavior set and the preceding n-1 behaviors in the sequence; i indexes the current behavior in the sequence; j indexes the components of the behavior vector;
comparing the vector distance M with a preset detection threshold N (this threshold N is a separate quantity from the N-gram order N above): when M ≥ N the current behavior is judged abnormal and the detection result is abnormal; when M < N the current behavior is judged normal and the detection result is normal.
Preferably, in step S4, the determining whether the intrusion behavior exists in the power terminal device according to the detection result specifically includes:
when the detection result is abnormal, judging that the corresponding electric power terminal equipment has an intrusion behavior;
and when the detection result is normal, judging that the corresponding electric power terminal equipment has no intrusion behavior.
In summary, the embodiment of the invention has the following beneficial effects:
Exploiting the fact that a power terminal device has a single function and its behaviors form a finite behavior set, a corpus of the power terminal device is built with the N-gram model from natural language processing; this effectively preserves the association relations of the behavior sequences in the behavior corpus, quantifies them by computing a vector distance, and judges whether the power terminal device shows intrusion behavior. For the time-series character of the device's behavior, the context in which each terminal behavior occurs is fully taken into account; a bidirectional LSTM from deep learning is trained on the forward and reverse sequences, which effectively improves the accuracy of the behavior prediction model. The capability to analyze network attack behavior is improved, and intrusion behavior of the power terminal equipment is detected.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic main flow chart of an intrusion detection method for an electric power terminal device according to an embodiment of the present invention.
Fig. 2 is a logic diagram of an intrusion detection method for power terminal equipment according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings.
Fig. 1 and fig. 2 are schematic diagrams illustrating an embodiment of an intrusion detection method for power terminal equipment according to the present invention. In this embodiment, the method comprises the steps of:
step S1, acquiring the network traffic data and log files of the power terminal equipment. To describe the behavior of the power terminal device accurately, both its behavior information and its context information must be collected; the data sources of the terminal device are network traffic, system logs, security logs and application logs. To ensure an accurate behavior baseline for the terminal device, behavior information for the current device behavior must be collected over a period of time.
In a specific embodiment, step S11 taps the upstream and downstream traffic flowing through the power terminal device with a splitter (TAP), obtains the network traffic data of the power terminal device, and reads the log files of the power terminal device; specifically, a splitter is deployed in front of the power terminal device, the upstream and downstream traffic flowing through the device is tapped by port mirroring, and the log files of the terminal device are read at the same time;
and step S12, a remote data analysis terminal obtains the traffic data and log files of the power terminal equipment, classifies the network traffic data and the log files, and stores the classification results in a preset format. Specifically, the acquired traffic data and log files of the terminal device are sent to a remote data analyzer, where they are classified and stored in a formatted manner.
Step S2, extracting behavior metadata from the network traffic data and the log files. The extraction of behavior metadata correlates and filters the different protocols of the network layer, transport layer and application layer of the data, and the different log formats, to obtain metadata in a preset format and thus the data packets belonging to the device.
In a specific embodiment, the method comprises the following steps: step S21, parsing the network traffic data and the log data, and generating corresponding behavior metadata for each protocol of the network layer, transport layer and application layer and for each log format; identifying and integrating all behavior metadata of a given power terminal device to obtain the behavior metadata of that device;
and step S22, filtering the behavior metadata of the power terminal equipment with preset metadata extraction rules to obtain the behavior metadata relevant to intrusion detection. That is, an identifier is generated for each piece of behavior metadata from the network-layer IP address and the transport-layer port number and protocol type, and when the identifiers of several pieces of behavior metadata satisfy the same preset identifier requirement, they are joined to obtain first associated metadata; the identifier of the behavior metadata comprises the source address, source port number, destination address, destination port and protocol type. Specifically, from the network-layer IP address and the transport-layer port number and protocol type of the TCP/IP protocol, 5 metadata identify a connection: {source address, source port number, destination address, destination port, protocol type}, and packets whose 5 fields match the same identifier are joined.
The behavior metadata are parsed according to the protocol above the transport layer, the metadata type of that protocol is identified and output, and the behavior metadata with the same originator address are joined to obtain second associated metadata; the metadata types comprise the start character, length, control field, type identifier, originator address, cause of transmission, common address of the ASDU, information object and absolute time tag. Specifically, for the IEC 104 protocol (IEC 60870-5-104) used in power systems, the protocol above the transport layer is parsed and the following data types are formatted and output: {start character, length, control field, type identifier, originator address, cause of transmission, common address of ASDU, information object, absolute time tag}, 9 metadata in total, and packets with the same originator address are joined.
The fields of the same data packet are spliced according to the correspondence between the address information of the first associated metadata and the originator address information of the second associated metadata to obtain the behavior metadata relevant to intrusion detection; specifically, the fields of the same packet are spliced according to the correspondence between the network-layer address and the originator address in the protocol layer, forming a packet record of 14 metadata (the 5 connection fields plus the 9 IEC 104 fields).
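The five-tuple join and the nine IEC 104 fields of step S22, as an added example in Python (not the patent's own code, and written for both the summary of S22 above and this detailed description): it parses one constructed I-format APDU into the nine application-layer metadata listed by the patent, refuses frames whose length octet disagrees with the captured bytes, and splices the result with a constructed five-tuple into the 14-field record. The sample bytes, the flow values, the Python field names, the small type table and the use of the capturing connection as join key are assumptions for illustration; the APDU and CP56Time2a layouts follow IEC 60870-5-104.

```python
import struct

# Constructed sample data (not from the patent): the five-tuple identifier of one TCP
# connection seen on the tap, and the raw IEC 104 APDU carried in that segment.
FLOW_5TUPLE = {"src_addr": "10.20.30.40", "src_port": 2404,      # terminal device side
               "dst_addr": "10.20.30.1", "dst_port": 51234,       # master / front end
               "protocol": "TCP"}
# I-format APDU, N(S)=1 N(R)=2, type 30 (M_SP_TB_1, single point with CP56Time2a),
# COT 3 (spontaneous), originator 0, common address 1, IOA 4097, SIQ=ON,
# time tag 2021-03-26 10:15:30.500.
SAMPLE_APDU = bytes.fromhex("68 15 02 00 04 00 1E 01 03 00 01 00 01 10 00 01 24 77 0F 0A BA 03 15")

# Assumption: a small type table; a production parser carries the full IEC 60870-5 table.
# type id -> (name, information element length, time tag length)
ASDU_TYPES = {1: ("M_SP_NA_1", 1, 0), 30: ("M_SP_TB_1", 1, 7),
              45: ("C_SC_NA_1", 1, 0), 100: ("C_IC_NA_1", 1, 0)}

def parse_cp56time2a(b):
    """Decode the 7-octet CP56Time2a absolute time tag to an ISO-like string."""
    ms, = struct.unpack("<H", b[0:2])
    minute, hour = b[2] & 0x3F, b[3] & 0x1F
    day, month, year = b[4] & 0x1F, b[5] & 0x0F, 2000 + (b[6] & 0x7F)
    ts = "%04d-%02d-%02dT%02d:%02d:%02d.%03d" % (year, month, day, hour, minute, ms // 1000, ms % 1000)
    return ts + ("(IV)" if b[2] & 0x80 else "")   # IV bit: time tag marked invalid by the sender

def parse_apdu(buf):
    """Return the nine step-S22 fields for one APDU. S- and U-format frames carry no ASDU,
    so their ASDU-level fields are None. Malformed frames raise instead of being guessed."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC 104 APDU: bad start byte or too short")
    length = buf[1]
    if length + 2 != len(buf):
        # The length octet must match the captured bytes: a mismatch is a split/merged
        # segment or a crafted frame, and re-synchronising on it would mis-attribute fields.
        raise ValueError("length octet %d disagrees with %d captured bytes" % (length, len(buf) - 2))
    c1, c2, c3, c4 = buf[2:6]
    if c1 & 0x01 == 0:
        control = {"format": "I", "send_seq": ((c2 << 8) | c1) >> 1, "recv_seq": ((c4 << 8) | c3) >> 1}
    elif c1 & 0x03 == 0x01:
        control = {"format": "S", "recv_seq": ((c4 << 8) | c3) >> 1}
    else:   # U-format: 0x04 STARTDT act, 0x08 STARTDT con, 0x10/0x20 STOPDT, 0x40/0x80 TESTFR
        control = {"format": "U", "function": c1 & 0xFC}
    rec = {"start": buf[0], "length": length, "control": control, "type_id": None,
           "originator_address": None, "cause_of_transmission": None, "common_address": None,
           "information_object": None, "timestamp": None}
    if control["format"] != "I":
        return rec
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    if type_id not in ASDU_TYPES:
        raise ValueError("type id %d not in the example type table" % type_id)
    name, elem_len, time_len = ASDU_TYPES[type_id]
    if asdu[1] & 0x80:
        raise ValueError("SQ=1 object sequences not handled in this example")  # assumption
    count = asdu[1] & 0x7F
    objects, off = [], 6
    for _ in range(count):
        need = 3 + elem_len + time_len          # IOA (3 octets) + element + optional time tag
        if off + need > len(asdu):
            raise ValueError("information object truncated")
        ioa = asdu[off] | (asdu[off + 1] << 8) | (asdu[off + 2] << 16)
        element = asdu[off + 3:off + 3 + elem_len].hex()
        tag = parse_cp56time2a(asdu[off + 3 + elem_len:off + need]) if time_len else None
        objects.append({"ioa": ioa, "element": element, "timestamp": tag})
        off += need
    if off != len(asdu):
        raise ValueError("%d trailing bytes after the last information object" % (len(asdu) - off))
    rec.update(type_id=type_id, type_name=name, originator_address=asdu[3],
               cause_of_transmission=asdu[2] & 0x3F,     # bit 6 = P/N, bit 7 = test flag
               common_address=struct.unpack("<H", asdu[4:6])[0],
               information_object=objects, timestamp=objects[0]["timestamp"] if objects else None)
    return rec

NINE_FIELDS = ("start", "length", "control", "type_id", "originator_address",
               "cause_of_transmission", "common_address", "information_object", "timestamp")

def build_record(flow, apdu_rec):
    """Splice the five-tuple (first associated metadata) with the nine IEC 104 fields
    (second associated metadata) into the 14-field behavior metadata record of step S22.
    Assumption: the join key is the connection the APDU was captured on."""
    rec = dict(flow)
    rec.update({k: apdu_rec[k] for k in NINE_FIELDS})
    return rec

def behavior_token(apdu_rec):
    """Label used downstream (step S3) for one behavior: ASDU type name and cause."""
    if apdu_rec["type_id"] is None:
        return "U/S-frame:%s" % apdu_rec["control"]["format"]
    return "%s:cot%d" % (apdu_rec["type_name"], apdu_rec["cause_of_transmission"])

if __name__ == "__main__":
    parsed = parse_apdu(SAMPLE_APDU)
    record = build_record(FLOW_5TUPLE, parsed)
    for key, value in record.items():
        print("%-22s %s" % (key, value))
    print("behavior token:", behavior_token(parsed))
```

The length check is the part a practitioner should not skip: IEC 104 runs over TCP, so several APDUs can share one segment or one APDU can straddle two, and a collector that resynchronises silently will attribute fields to the wrong frame, which is exactly the kind of gap a crafted frame exploits.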
Step S3, generating the behavior vector of the power terminal equipment from the behavior metadata. The behavior vector preserves, from statistical features, the association between each behavior in the corpus (behavior set) and the N-1 behaviors preceding it in the sequence. Exploiting the fact that a power terminal device has a single function and its behaviors form a finite behavior set, the N-gram model from natural language processing is used to build the corpus of the power terminal device; the corpus effectively preserves the association relations of the behavior sequences in the behavior text base, and these relations can be expressed quantitatively by computing vector distances.
In the specific embodiment, step S31 obtains a plurality of behavior metadata relevant to intrusion detection to form a behavior set; that is, the acquired behavior metadata accumulate a certain number of samples to form the behavior set.
And step S32 inputs the behavior set into a preset behavior vector model and characterizes all samples in the behavior set in their sequence order to generate the behavior vector; that is, the behavior set is used as the corpus, and all samples in it are characterized in sequence order with the N-gram model to generate the behavior vector.
Specifically, N in the behavior vector model is set, namely the N of the N-gram model, where N means that the occurrence of the current behavior is related to the preceding N-1 behaviors;
a feature vector is generated for each behavior of the behavior set (corpus); let the set be D, with the behaviors it contains written {d_1, d_2, ..., d_i, ..., d_k}, i ∈ (1, k), where k is the number of categories contained in D.
The behavior vector is generated from the association relations of the behavior sequences in the corpus, specifically according to the following formula:
Figure BDA0002994416700000091
where D denotes the behavior set; {d_1, d_2, ..., d_i, ..., d_k}, i ∈ (1, k), are the behaviors contained in the set, and k is the number of categories contained in D; n denotes the association between each behavior in the behavior set and the preceding n-1 behaviors in the sequence.
Step S4, inputting the current behavior vector of the power terminal equipment into the pre-trained behavior sequence prediction model to obtain a detection result, and determining from the detection result whether the power terminal equipment shows intrusion behavior, the detection result being either normal or abnormal. For the time-series character of the device's behavior, the context in which each terminal behavior occurs is fully considered, and the forward and reverse sequences are trained with a bidirectional LSTM (Long Short-Term Memory) network from deep learning, which effectively improves the accuracy of the behavior prediction model.
In a specific embodiment, as shown in fig. 2, the training process of the behavior sequence prediction model includes: setting the initial structure and parameters of a bidirectional LSTM neural network; inputting the behavior vectors of the power terminal equipment into the bidirectional LSTM model to generate the behavior sequence prediction model; and packaging and storing the generated sequence prediction model in a preset format to obtain the pre-trained behavior sequence prediction model.
Specifically, the process of obtaining the detection result includes: inputting the current behavior vector of the power terminal equipment into the pre-trained behavior sequence prediction model, which generates a predicted value of the current behavior from the context of the current behavior. Specifically, assume the current behavior is d_i and its context sequence is {d_1, d_2, ..., d_{i-1}, d_i, d_{i+1}, ..., d_n}, i ∈ (1, n); the sequence {d_1, d_2, ..., d_{i-1}, d_{i+1}, ..., d_n}, with d_i removed, is input to the behavior sequence prediction model, which generates the predicted value d'_i of the current behavior.
The predicted value is compared with the actual value of the current behavior, and whether the behavior is abnormal is judged by computing the vector distance between them, giving the detection result. Specifically, the vector distance between the predicted value and the actual value is computed according to the following formula:
Figure BDA0002994416700000101
where {s_{i1}, s_{i2}, ..., s_{ij}, ..., s_{in}}, j ∈ (1, n), is the behavior vector of the actual value of the current behavior; {s'_{i1}, s'_{i2}, ..., s'_{ij}, ..., s'_{in}}, j ∈ (1, n), is the behavior vector of the predicted value of the current behavior; n denotes the association between each behavior in the behavior set and the preceding n-1 behaviors in the sequence; i indexes the current behavior in the sequence; j indexes the components of the behavior vector;
the vector distance M is compared with a preset detection threshold N (a separate quantity from the N-gram order N above): when M ≥ N the current behavior is judged abnormal and the detection result is abnormal; when M < N the current behavior is judged normal and the detection result is normal.
When the detection result is abnormal, judging that the corresponding electric power terminal equipment has an intrusion behavior; and when the detection result is normal, judging that the corresponding electric power terminal equipment has no intrusion behavior.
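The prediction and distance-threshold procedure above, as an added worked example that is not code from the patent. Because a trained network cannot be embedded here, the bidirectional LSTM is replaced by a hypothetical count-based bidirectional n-gram predictor that scores $d_i$ from its left and its right context and averages the two directions; behavior vectors are one-hot encodings over a constructed four-category behavior set; and since the distance formula is only present as an image on this page, Euclidean distance is assumed for M. The session corpus, behavior names and the threshold value N = 0.5 are all constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed behavior set D with k = 4 categories; each behavior is one-hot encoded.
BEHAVIORS = ["LOGIN", "READ_MEASUREMENT", "WRITE_SETPOINT", "LOGOUT"]
INDEX = {b: i for i, b in enumerate(BEHAVIORS)}

# Constructed normal sessions used as the training corpus (assumption: a setpoint
# write is only ever issued after a measurement has been read).
NORMAL_SESSIONS = [
    ["LOGIN", "READ_MEASUREMENT", "READ_MEASUREMENT", "LOGOUT"],
    ["LOGIN", "READ_MEASUREMENT", "LOGOUT"],
    ["LOGIN", "READ_MEASUREMENT", "WRITE_SETPOINT", "LOGOUT"],
]


def one_hot(behavior):
    """Behavior vector {s_i1, ..., s_ik} of the actual value: a one-hot encoding."""
    vec = [0.0] * len(BEHAVIORS)
    vec[INDEX[behavior]] = 1.0
    return vec


class BidirectionalNgramPredictor:
    """Hypothetical stand-in for the trained bi-LSTM (not the patent's model).

    The forward table predicts d_i from the n-1 behaviors before it; the backward
    table predicts d_i from the n-1 behaviors after it; the two are averaged.
    """

    def __init__(self, n=2):
        self.n = n
        self.forward = defaultdict(Counter)   # left context  -> counts of d_i
        self.backward = defaultdict(Counter)  # right context -> counts of d_i

    def _contexts(self, seq, i):
        left = tuple(seq[max(0, i - self.n + 1):i])
        right = tuple(seq[i + 1:i + self.n])
        return left, right

    def fit(self, sequences):
        for seq in sequences:
            for i, d in enumerate(seq):
                left, right = self._contexts(seq, i)
                self.forward[left][d] += 1
                self.backward[right][d] += 1
        return self

    def predict(self, seq, i):
        """Predicted vector d'_i for position i given the rest of the sequence.

        An unseen context contributes nothing, so a behavior whose context was never
        seen in training is predicted as the zero vector, i.e. maximally distant.
        """
        left, right = self._contexts(seq, i)
        scores = Counter()
        for table, ctx in ((self.forward, left), (self.backward, right)):
            total = sum(table[ctx].values())
            if total:
                for b, c in table[ctx].items():
                    scores[b] += c / total
        return [scores[b] / 2.0 for b in BEHAVIORS]


def vector_distance(actual, predicted):
    """Distance M between the actual and predicted behavior vectors (Euclidean, assumed)."""
    return math.sqrt(sum((a - p) ** 2 for a, p in zip(actual, predicted)))


def detect(model, seq, i, threshold):
    """Step S4 decision: M >= N gives 'abnormal', otherwise 'normal'. Returns (result, M)."""
    m = vector_distance(one_hot(seq[i]), model.predict(seq, i))
    return ("abnormal" if m >= threshold else "normal"), m


def build_model():
    """Fit the stand-in predictor on the constructed normal sessions."""
    return BidirectionalNgramPredictor(n=2).fit(NORMAL_SESSIONS)


if __name__ == "__main__":
    model = build_model()
    threshold = 0.5  # constructed detection threshold N
    for session in (["LOGIN", "READ_MEASUREMENT", "LOGOUT"],
                    ["LOGIN", "WRITE_SETPOINT", "LOGOUT"]):
        print(session, detect(model, session, 1, threshold))
```

With the corpus above, a read between login and logout lands close to the prediction (M ≈ 0.24, normal), while a setpoint write issued directly after login (M ≈ 1.18) is flagged abnormal. The zero-vector case in `predict` is the edge a practitioner should watch: a context never seen in training always scores M = 1 against a one-hot actual value, so the threshold N decides whether unseen contexts are alarms or silence.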
In summary, the embodiment of the invention has the following beneficial effects:
Aiming at the characteristics that the power terminal equipment has a single function and that its behaviors form a limited behavior set, a corpus of the power terminal equipment is constructed with an N-gram model from natural language processing, so that the association relationships between behavior sequences in the behavior text base are effectively preserved; the deviation is quantified by calculating a vector distance, from which it is judged whether the power terminal equipment has an intrusion behavior. For the time-series characteristics of the behaviors of the power terminal equipment, the context in which the terminal behaviors occur is fully taken into account, and a bidirectional LSTM from deep learning is used to train the forward and reverse sequences, which effectively improves the accuracy of the behavior prediction model. The analysis capability for network attack behavior is thereby improved, and intrusion behavior on the power terminal equipment is detected.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention and is not intended to limit the scope of the invention, which is defined by the appended claims.

Claims (10)

1. An intrusion detection method for power terminal equipment is characterized by comprising the following steps:
step S1, acquiring network flow data and log files of the power terminal equipment;
step S2, extracting the network flow data and the behavior metadata in the log file;
step S3, generating a behavior vector of the power terminal equipment according to the behavior metadata;
step S4, inputting the current behavior vector of the electric terminal equipment into a pre-trained behavior sequence prediction model to obtain a detection result, and determining whether the electric terminal equipment has an intrusion behavior according to the detection result; wherein the detection result comprises normal or abnormal.
2. The method according to claim 1, wherein the step S1 specifically includes:
step S11, bypassing the uplink and downlink flow passing through the power terminal equipment through a shunt, acquiring network flow data of the power terminal equipment, and reading a log file of the power terminal equipment;
and step S12, the remote data analysis terminal acquires the flow data and the log files of the electric power terminal equipment, classifies the network flow data and the log files, and stores the classification results according to a preset format.
3. The method according to claim 2, wherein the step S2 specifically includes:
step S21, analyzing the network flow data and the log data, and generating corresponding behavior metadata according to each protocol of a network layer, a transmission layer and an application layer and each format of the log; identifying and integrating all behavior metadata of a certain electric power terminal device to obtain the behavior metadata of the electric power terminal device;
and step S22, screening the behavior metadata of the power terminal equipment through a preset metadata extraction rule to obtain the behavior metadata related to intrusion detection.
4. The method according to claim 3, wherein the step S22 specifically includes:
generating identifiers of behavior metadata according to an IP address of a network layer, a port number and a protocol type of a transmission layer, and connecting a plurality of behavior metadata to obtain first associated metadata when the identifiers of the behavior metadata meet the same preset identifier requirement; wherein the identifier of the behavior metadata comprises an original address, an original port number, a destination address, a destination port and a protocol type;
analyzing the behavior metadata according to a protocol above a transmission layer, identifying and outputting the type of the transmission layer metadata, and connecting the behavior metadata with the same source address to obtain second associated metadata; the transmission layer metadata type comprises a starting character, a length, a control domain, a type identifier, an originating address, a transmission reason, an application service data unit public address, an information body and an absolute time scale;
and splicing fields of the same data packet according to the corresponding relation between the address information of the first associated metadata and the source address information of the second associated metadata to obtain behavior metadata related to intrusion detection.
5. The method according to claim 4, wherein the step S3 specifically includes:
step S31, acquiring a plurality of behavior metadata related to intrusion detection to form a behavior set;
and step S32, inputting the behavior set into a preset behavior vector model, and performing characterization processing on all samples in the behavior set according to the sequence of the samples to generate a behavior vector.
6. The method according to claim 5, wherein in step S32, the characterizing all samples in the behavior set according to their sequences specifically includes:
generating N in the behavior vector model, wherein N represents that the occurrence of the current behavior is related to the first N-1 behaviors;
generating a feature vector of each behavior in the behavior set;
a behavior vector is generated according to the following formula:
Figure FDA0002994416690000031
wherein D represents a behavior set; $\{d_1, d_2, \dots, d_i, \dots, d_k\}$, $i \in (1, k)$, represents the behaviors contained in the set, and k represents the number of categories contained in the set D; n represents the association relationship between each behavior in the behavior set and the first n-1 behavior sequences.
7. The method according to claim 6, wherein in step S4, the training process for the behavior sequence prediction model includes:
setting an initial structure and parameters of a bidirectional LSTM neural network;
inputting the behavior vector of the power terminal equipment into a bidirectional LSTM model to generate a behavior sequence prediction model;
and packaging and storing the generated sequence prediction model according to a preset format to obtain a pre-trained behavior sequence prediction model.
8. The method according to claim 7, wherein in step S4, the process of obtaining the detection result specifically includes:
inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model, and generating a predicted value of the current behavior according to the context environment of the current behavior;
and comparing the predicted value and the actual value of the current behavior, and judging whether the behavior is abnormal or not by calculating the vector distance between the predicted value and the actual value to obtain a detection result.
9. The method according to claim 8, wherein the determining whether the behavior is abnormal by calculating the vector distance thereof specifically comprises:
calculating the vector distance of the predicted value and the actual value according to the following formula:
Figure FDA0002994416690000041
wherein $\{s_{i1}, s_{i2}, \dots, s_{ij}, \dots, s_{in}\}$, $j \in (1, n)$, represents the behavior vector of the actual value of the current behavior; $\{s'_{i1}, s'_{i2}, \dots, s'_{ij}, \dots, s'_{in}\}$, $j \in (1, n)$, represents the behavior vector of the predicted value of the current behavior; n represents the association relationship between each behavior in the behavior set and the first n-1 behavior sequences; i represents the current behavior sequence; j represents a sequence of behavior vectors;
comparing the vector distance M with a preset detection threshold N, and judging that the current behavior belongs to an abnormal behavior when M ≥ N, wherein the detection result is abnormal; and when M < N, judging that the current behavior belongs to the normal behavior, wherein the detection result is normal.
10. The method as claimed in claim 9, wherein in step S4, the determining whether the intrusion behavior exists in the power terminal device according to the detection result specifically includes:
when the detection result is abnormal, judging that the corresponding electric power terminal equipment has an intrusion behavior;
and when the detection result is normal, judging that the corresponding electric power terminal equipment has no intrusion behavior.
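The metadata association of claim 4, as an added example over constructed records that is not the patent's own code. Flow records carry the five identifier fields (source address, source port, destination address, destination port, protocol type); application-layer records carry the transmission-layer-metadata-type fields listed in the claim (start character, length, control field, type identifier, cause of transmission, ASDU common address, information object, time tag, which match the IEC 60870-5-104 ASDU layout) plus the source address they were parsed from, which is the assumption used for the join; the splice follows the address correspondence the claim describes. All field values, addresses and ports are constructed samples.

```python
from collections import defaultdict

# Constructed network/transport-layer behavior metadata (flow records).
FLOW_RECORDS = [
    {"src": "10.0.0.5", "sport": 50012, "dst": "10.0.0.1", "dport": 2404, "proto": "TCP", "bytes": 120},
    {"src": "10.0.0.5", "sport": 50012, "dst": "10.0.0.1", "dport": 2404, "proto": "TCP", "bytes": 64},
    {"src": "10.0.0.7", "sport": 40001, "dst": "10.0.0.1", "dport": 2404, "proto": "TCP", "bytes": 80},
    {"src": "10.0.0.9", "sport": 5353, "dst": "224.0.0.251", "dport": 5353, "proto": "UDP", "bytes": 40},
]

# Constructed application-layer behavior metadata; field names follow claim 4, and
# "source_address" (assumption) records the address the frame was parsed from.
APP_RECORDS = [
    {"source_address": "10.0.0.5", "start_char": 0x68, "length": 14, "control_field": "I",
     "type_id": 100, "cause": 6, "asdu_common_address": 1, "info_object": 0,
     "time_tag": "2021-03-26T10:00:00"},
    {"source_address": "10.0.0.5", "start_char": 0x68, "length": 18, "control_field": "I",
     "type_id": 45, "cause": 6, "asdu_common_address": 1, "info_object": 3001,
     "time_tag": "2021-03-26T10:00:02"},
    {"source_address": "10.0.0.7", "start_char": 0x68, "length": 4, "control_field": "U",
     "type_id": None, "cause": None, "asdu_common_address": None, "info_object": None,
     "time_tag": "2021-03-26T10:00:01"},
]


def flow_identifier(rec):
    """Identifier of a behavior-metadata record: (src addr, src port, dst addr, dst port, protocol)."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def first_associate(flows):
    """Connect flow records sharing one identifier (the first associated metadata)."""
    groups = defaultdict(list)
    for rec in flows:
        groups[flow_identifier(rec)].append(rec)
    return groups


def second_associate(apps):
    """Connect application-layer records with the same source address (the second associated metadata)."""
    groups = defaultdict(list)
    for rec in apps:
        groups[rec["source_address"]].append(rec)
    return groups


def splice(first, second):
    """Join on the address correspondence: the source address inside an identifier maps
    to the application-layer records parsed from that address. Yields one summarised
    behavior-metadata record per identifier, the input expected by step S3."""
    spliced = {}
    for ident, flows in first.items():
        app = second.get(ident[0], [])  # ident[0] is the source address
        spliced[ident] = {
            "packets": len(flows),
            "bytes": sum(f["bytes"] for f in flows),
            "app_records": len(app),
            # U-format frames carry no ASDU, so their type identifier is absent.
            "type_ids": sorted({a["type_id"] for a in app if a["type_id"] is not None}),
        }
    return spliced


def extract_intrusion_metadata(flows=FLOW_RECORDS, apps=APP_RECORDS):
    """Step S22 over the constructed records: behavior metadata related to intrusion detection."""
    return splice(first_associate(flows), second_associate(apps))


if __name__ == "__main__":
    for ident, summary in extract_intrusion_metadata().items():
        print(ident, summary)
```

The UDP multicast flow in the sample has no application-layer counterpart and still produces a record with `app_records` of 0, which matters in practice: a flow that carries no parsable protocol payload at all is itself a signal the behavior set should be able to represent rather than silently drop.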
CN202110325387.8A 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment Active CN113079150B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110325387.8A CN113079150B (en) 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment

Publications (2)

Publication Number Publication Date
CN113079150A true CN113079150A (en) 2021-07-06
CN113079150B CN113079150B (en) 2022-09-30

Family

ID=76610459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110325387.8A Active CN113079150B (en) 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment

Country Status (1)

Country Link
CN (1) CN113079150B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794742A (en) * 2021-11-18 2021-12-14 国网浙江浙电招标咨询有限公司 High-precision detection method for FDIA of power system
CN115051833A (en) * 2022-05-12 2022-09-13 中国电子科技集团公司电子科学研究院 Intercommunication network abnormity detection method based on terminal process
CN115801447A (en) * 2023-01-09 2023-03-14 北京安帝科技有限公司 Flow analysis method and device based on industrial safety and electronic equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107465667A (en) * 2017-07-17 2017-12-12 全球能源互联网研究院有限公司 The safe synergic monitoring method and device of power network industry control based on stipulations deep analysis
CN108200005A (en) * 2017-09-14 2018-06-22 国网浙江省电力公司宁波供电公司 Electric power secondary system network flow abnormal detecting method based on unsupervised learning
US20190034558A1 (en) * 2016-10-04 2019-01-31 Sas Institute Inc. Interactive visualizations for a recurrent neural network
CN109787979A (en) * 2019-01-22 2019-05-21 电子科技大学 A kind of detection method of electric power networks event and invasion
CN110933031A (en) * 2019-10-25 2020-03-27 国网吉林省电力有限公司电力科学研究院 Intelligent power grid power distribution terminal unit intrusion detection method based on LSTM
CN111431819A (en) * 2020-03-06 2020-07-17 中国科学院深圳先进技术研究院 Network traffic classification method and device based on serialized protocol flow characteristics
CN111598179A (en) * 2020-05-21 2020-08-28 国网电力科学研究院有限公司 Power monitoring system user abnormal behavior analysis method, storage medium and equipment
CN112464996A (en) * 2020-11-09 2021-03-09 中国科学院沈阳自动化研究所 Intelligent power grid intrusion detection method based on LSTM-XGboost

Also Published As

Publication number Publication date
CN113079150B (en) 2022-09-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant