CN113079150B - Intrusion detection method for power terminal equipment - Google Patents

Intrusion detection method for power terminal equipment

Info

Publication number: CN113079150B
Authority: CN (China)
Prior art keywords: behavior; terminal equipment; metadata; power terminal; vector
Legal status: Active
Application number: CN202110325387.8A
Other languages: Chinese (zh)
Other versions: CN113079150A (en)
Inventors: 武婕, 邓彬, 周亚胜, 黄颖祺, 郝蛟, 叶振豪, 张夕佳, 刘岩
Current assignee: Shenzhen Power Supply Bureau Co Ltd
Original assignee: Shenzhen Power Supply Bureau Co Ltd
Events: application filed by Shenzhen Power Supply Bureau Co Ltd; priority to CN202110325387.8A; publication of CN113079150A; application granted; publication of CN113079150B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        • H04L63/1416 Event detection, e.g. attack signature detection
        • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks
        • G06N3/04 Architecture, e.g. interconnection topology > G06N3/044 Recurrent networks, e.g. Hopfield networks
        • G06N3/04 Architecture, e.g. interconnection topology > G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
        • G06N3/08 Learning methods > G06N3/084 Backpropagation, e.g. using gradient descent


Abstract

The invention provides an intrusion detection method for power terminal equipment, comprising the following steps: step S1, acquiring network traffic data and log files of the power terminal equipment; step S2, extracting behavior metadata from the network traffic data and the log files; step S3, generating a behavior vector of the power terminal equipment from the behavior metadata; step S4, inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model to obtain a detection result, and determining from the detection result whether the power terminal equipment shows intrusion behavior; the detection result is either normal or abnormal. The method effectively preserves the association between behavior sequences in the behavior corpus, quantifies the behavior sequences by computing vector distances, judges whether the power terminal equipment shows intrusion behavior, and improves the capability of analyzing network attack behavior.

Description

Intrusion detection method for power terminal equipment
Technical Field
The invention relates to the technical field of computers, in particular to an intrusion detection method for power terminal equipment.
Background
In recent years, computer technology has been applied ever more deeply in the electric power field, and its close combination with electric power has brought the power grid into the intelligent era. The wide application of data communication network technology has greatly expanded the information space boundary of the smart grid and realized the deep fusion of information flow, control flow and energy flow within it. However, although the intelligent trend of the power grid improves the use efficiency of electric energy and the operating efficiency of the power system, it also brings a series of hidden dangers to the power system. On the one hand, as the intelligence level of the power grid rises, the data volume of the grid grows exponentially, and abnormal data and intrusion behaviors become more and more difficult to screen out of massive data; on the other hand, with the rise of APT (advanced persistent threat) attacks, network attacks on power systems span large ranges in time and space, so when intrusion detection on a power system analyzes only the data and behaviors of the current moment, attack behaviors cannot be effectively identified.
In recent years, as artificial intelligence technology has continued to mature, its powerful data analysis and model building capabilities have proven effective at empowering industry across many fields. Applying machine learning and artificial intelligence methods directly in the network security environment can also achieve a certain effect: as image recognition algorithms have become increasingly refined, CAPTCHAs have become easy to recognize; analyzing massive logs with machine learning methods can identify more than 85% of attacks; and the application scenarios are too numerous to enumerate.
Since the electric power system is part of the national critical infrastructure, the services it carries directly affect the national economy and people's livelihood. The present method addresses the security problem of intrusion detection for power terminal equipment. Conventional intrusion detection technology generally builds a feature library and a rule library for known threat behaviors and achieves threat detection through feature matching. On the one hand, such detection relies too heavily on prior knowledge and cannot effectively discover unknown threats, and threats such as viruses and malicious code can generate different virus samples through 'polymorphic' techniques to evade it; on the other hand, a 'blacklist'-based detection method must complete analysis, rule matching and response on real-time data within a limited time, whereas attackers, under big-data conditions, conceal their attack data and attack characteristics and keep launching precise network attacks, so that from the discovery of a system vulnerability to its exploitation in a targeted attack, a large-scale attack can reach its peak quickly and the reaction time for attack analysis and security defense is extremely short. Under the trend of exponential growth in the data volume of the smart grid, missed detections are easily caused when the availability of the power terminal equipment must be guaranteed.
Therefore, security protection against new targeted unknown viruses must be strengthened, and system security must be reinforced by adopting active security protection methods on top of the existing boundary protection and intrusion detection protection. To enhance the capability of defending against targeted-attack malware, active security protection technology based on trusted computing has appeared in the prior art. Taking legitimate operating processes as the basis, illegitimate operations are blocked within a security monitoring area, and only legitimate services in a secure initial state are allowed to run; information on each process running in the system in that environment, including the process name, process priority and the executable file the process may load, is extracted, a hash value is generated for the process by a hash calculation method to serve as its legitimate trusted authentication, and the hash is stored in a trusted authentication process list, forming a 'trusted process list' in the manner of a whitelist. A trusted authentication monitoring process runs in real time with this whitelist: each time an operating process of the system passes trusted authentication, it obtains the system authority to execute its operation, whereas if the hash value of a process is not in the trusted authentication process list, the process cannot obtain operating authority and cannot execute, thereby ensuring the safe and stable operation of the dispatching system. However, even though trusted computing technology provides security protection against the above illegitimate processes, the security problem itself is not properly solved.
Meanwhile, processing systems such as SiLK have been developed, which adopt an integration concept: existing NetFlow (network monitoring) tools are integrated together to provide situation awareness of the whole network and facilitate security analysis of large-scale networks. A Support Vector Machine (SVM) is used as the fusion technology to fuse multi-source, multi-attribute information and generate situation awareness. However, network security situation awareness does not include awareness of the attacker's intention and target, so the defense situation lags behind the attack behavior and falls into a passive state.
Disclosure of Invention
The invention aims to provide an intrusion detection method for power terminal equipment that solves the technical problem of insufficient behavior relevance in the intrusion detection of existing methods.
In one aspect, an intrusion detection method for power terminal equipment is provided, which includes the following steps:
step S1, acquiring network traffic data and log files of the power terminal equipment;
step S2, extracting behavior metadata from the network traffic data and the log files;
step S3, generating a behavior vector of the power terminal equipment from the behavior metadata;
step S4, inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model to obtain a detection result, and determining from the detection result whether the power terminal equipment shows intrusion behavior; the detection result is either normal or abnormal.
Preferably, step S1 specifically includes:
step S11, bypassing the uplink and downlink traffic passing through the power terminal equipment via a traffic splitter (shunt), acquiring the network traffic data of the power terminal equipment, and reading the log file of the power terminal equipment;
and step S12, a remote data analysis terminal acquires the traffic data and log files of the power terminal equipment, classifies the network traffic data and the log files, and stores the classification result in a preset format.
Preferably, step S2 specifically includes:
step S21, parsing the network traffic data and the log data, generating corresponding behavior metadata according to each protocol of the network layer, transport layer and application layer and each log format, and identifying and integrating all behavior metadata of a given power terminal device to obtain the behavior metadata of that device;
and step S22, screening the behavior metadata of the power terminal equipment with a preset metadata extraction rule to obtain the behavior metadata relevant to intrusion detection.
Preferably, step S22 specifically includes:
generating identifiers of behavior metadata from the network-layer IP address, the transport-layer port number and the protocol type, and, when the identifiers of several items of behavior metadata satisfy the same preset identifier requirement, connecting those items to obtain first associated metadata; the identifier of the behavior metadata comprises the source address, source port number, destination address, destination port and protocol type;
parsing the behavior metadata according to the protocol above the transport layer, identifying and outputting the transport-layer metadata type, and connecting behavior metadata having the same source address to obtain second associated metadata; the transport-layer metadata type comprises the start character, length, control field, type identifier, originator address, cause of transmission, ASDU (application service data unit) common address, information object and absolute time tag;
and splicing the fields of the same data packet according to the correspondence between the address information of the first associated metadata and the source address information of the second associated metadata to obtain the behavior metadata relevant to intrusion detection.
Preferably, step S3 specifically includes:
step S31, acquiring a plurality of behavior metadata items relevant to intrusion detection to form a behavior set;
and step S32, inputting the behavior set into a preset behavior vector model and characterizing all samples in the behavior set according to their sequence to generate a behavior vector.
Preferably, in step S32, characterizing all samples in the behavior set according to their sequence specifically includes:
setting N in the behavior vector model, where N means that the occurrence of the current behavior is related to the preceding N-1 behaviors;
generating a feature vector for each behavior in the behavior set;
and generating the behavior vector according to the following formula:
Figure GDA0003736188350000051
where D denotes the behavior set; $\{d_1, d_2, \ldots, d_i, \ldots, d_k\}$, $i \in (1, k)$, denotes the behaviors contained in the set, and k denotes the number of categories contained in the set D; n denotes the association between each behavior in the behavior set and the preceding n-1 behavior sequence.
Preferably, in step S4, the training process of the behavior sequence prediction model includes: setting the initial structure and parameters of a bidirectional LSTM neural network;
inputting the behavior vectors of the power terminal equipment into the bidirectional LSTM model to generate a behavior sequence prediction model;
and packaging and storing the generated sequence prediction model in a preset format to obtain the pre-trained behavior sequence prediction model.
Preferably, in step S4, the process of obtaining the detection result specifically includes:
inputting the current behavior vector of the power terminal equipment into the pre-trained behavior sequence prediction model and generating a predicted value of the current behavior from the context of the current behavior;
and comparing the predicted value with the actual value of the current behavior, judging whether the behavior is abnormal by computing the vector distance between them, and thereby obtaining the detection result.
Preferably, judging whether the behavior is abnormal by computing the vector distance specifically includes:
computing the vector distance between the predicted value and the actual value according to the following formula:
Figure GDA0003736188350000061
where $\{s_{i1}, s_{i2}, \ldots, s_{ij}, \ldots, s_{in}\}$, $j \in (1, n)$, denotes the behavior vector of the actual value of the current behavior; $\{s'_{i1}, s'_{i2}, \ldots, s'_{ij}, \ldots, s'_{in}\}$, $j \in (1, n)$, denotes the behavior vector of the predicted value of the current behavior; n denotes the association between each behavior in the behavior set and the preceding n-1 behavior sequence; i denotes the current behavior sequence; j denotes the position within the behavior vector;
comparing the vector distance M with a preset detection threshold N: when M ≥ N, the current behavior is judged to be abnormal and the detection result is abnormal; when M < N, the current behavior is judged to be normal and the detection result is normal.
Preferably, in step S4, determining from the detection result whether the power terminal equipment shows intrusion behavior specifically includes:
when the detection result is abnormal, judging that the corresponding power terminal equipment shows intrusion behavior;
and when the detection result is normal, judging that the corresponding power terminal equipment shows no intrusion behavior.
In summary, the embodiment of the invention has the following beneficial effects:
Given that a power terminal device has a single function and its behaviors form a limited behavior set, the corpus of the device is built with the N-gram model from natural language processing, the association of behavior sequences in the behavior corpus is effectively preserved, it is quantified by computing vector distances, and whether the power terminal equipment shows intrusion behavior is judged. Given the time-series nature of the behaviors of the power terminal equipment, the context in which terminal behaviors occur is fully considered; a bidirectional LSTM from deep learning is used to train on forward and reverse sequences, effectively improving the accuracy of the behavior prediction model. The capability of analyzing network attack behavior is improved, and intrusion behavior of the power terminal equipment is detected.
Drawings
To illustrate the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below; obviously the drawings described below are only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without inventive effort, within the scope of the invention.
Fig. 1 is a schematic main flow chart of an intrusion detection method for an electric power terminal device according to an embodiment of the present invention.
Fig. 2 is a logic diagram of an intrusion detection method for power terminal equipment according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 and Fig. 2 are schematic diagrams of an embodiment of the intrusion detection method for power terminal equipment according to the invention. In this embodiment, the method comprises the following steps:
Step S1, acquiring the network traffic data and log files of the power terminal equipment. It can be understood that, to describe the behavior of the power terminal device accurately, both the behavior information and the context information of the terminal device need to be collected; the data sources of the terminal device include network traffic, system logs, security logs and application logs. To ensure the accuracy of the terminal device's behavior baseline, the behavior information of the current device over a period of time needs to be collected.
In a specific embodiment, the method includes step S11, bypassing the uplink and downlink traffic flowing through the power terminal device via a traffic splitter (shunt), acquiring the network traffic data of the power terminal device, and reading its log file; specifically, a splitter is deployed in front of the power terminal equipment, the uplink and downlink traffic flowing through it is bypassed using port mirroring, and at the same time the log file of the terminal device is read;
and step S12, a remote data analysis terminal acquires the traffic data and log files of the power terminal equipment, classifies the network traffic data and the log files, and stores the classification result in a preset format. Specifically, the acquired traffic data and log files of the terminal device are sent to a remote data analysis machine, where classification and formatted storage are performed.
Step S2, extracting behavior metadata from the network traffic data and the log files. It can be understood that extracting behavior metadata means obtaining metadata in a preset format by associating and screening the different protocols of the network layer, transport layer and application layer of the data and the different log formats, and thereby obtaining the data packets corresponding to the device.
In a specific embodiment, the method includes the following steps: step S21, parsing the network traffic data and the log data, generating corresponding behavior metadata according to each protocol of the network layer, transport layer and application layer and each log format, and identifying and integrating all behavior metadata of a given power terminal device to obtain the behavior metadata of that device;
and step S22, screening the behavior metadata of the power terminal equipment with a preset metadata extraction rule to obtain the behavior metadata relevant to intrusion detection. It can be understood that identifiers of behavior metadata are generated from the network-layer IP address, the transport-layer port number and the protocol type, and when the identifiers of several items of behavior metadata satisfy the preset same-identifier requirement, those items are connected to obtain first associated metadata; the identifier of the behavior metadata comprises the source address, source port number, destination address, destination port and protocol type. Specifically, following the network-layer IP address, transport-layer port number and protocol type of the TCP/IP protocol suite, 5 metadata fields identify a connection: {source address, source port number, destination address, destination port, protocol type}, and when these 5 fields of a packet match the same identifier, the packet is concatenated with the others.
The behavior metadata is parsed according to the protocol above the transport layer, the transport-layer metadata type is identified and output, and behavior metadata with the same source address are connected to obtain second associated metadata; the transport-layer metadata type comprises the start character, length, control field, type identifier, originator address, cause of transmission, ASDU common address, information object and absolute time tag. Specifically, for the IEC 104 protocol used in power systems, the protocol above the transport layer is parsed and the following data types are formatted and output: {start character, length, control field, type identifier, originator address, cause of transmission, ASDU common address, information object, absolute time tag}, 9 metadata fields in total, and data packets with the same originator address are concatenated.
The fields of the same data packet are then spliced according to the correspondence between the address information of the first associated metadata and the source address information of the second associated metadata to obtain the behavior metadata relevant to intrusion detection; specifically, the fields of the same data packet are spliced according to the correspondence between the network-layer address and the source address in the protocol layer, forming a data packet format of 14 metadata fields.
Step S3, generating a behavior vector of the power terminal equipment from the behavior metadata. It can be understood that the behavior vector preserves, on the basis of statistical features, the association between each behavior in the corpus (behavior set) and its preceding N-1 behavior sequence. Because a power terminal device has a single function and its behaviors form a limited behavior set, the corpus of the device is built with the N-gram model from natural language processing, which effectively preserves the association of behavior sequences in the behavior corpus and allows that association to be expressed quantitatively by computing vector distances.
In the specific embodiment, step S31, a plurality of behavior metadata items relevant to intrusion detection are acquired to form a behavior set; it can be understood that the acquired behavior metadata accumulates a certain number of samples, which form the behavior set.
And step S32, the behavior set is input into a preset behavior vector model, and all samples in the behavior set are characterized according to their sequence to generate a behavior vector. It can be understood that the behavior set serves as the corpus, and all samples in it are characterized according to their sequence with an N-gram model to generate the behavior vector.
Specifically, N in the behavior vector model, that is, the N of the N-gram model, is set, where N means that the occurrence of the current behavior is related to the preceding N-1 behaviors;
a feature vector is generated for each behavior in the behavior set (corpus); assuming the set is D, the behaviors it contains are written $\{d_1, d_2, \ldots, d_i, \ldots, d_k\}$, $i \in (1, k)$, where k is the number of categories contained in the set D.
The behavior vector is generated according to the association of the behavior sequences in the corpus, specifically according to the following formula:
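As an added worked example (not code from the patent or its assignee), the following Python parses one IEC 60870-5-104 APDU into the nine fields named in step S22 and splices it with the five-field connection identifier into the 14-field record; the APDU bytes, the addresses and the single-object, time-tagged ASDU layout it handles are constructed assumptions for the example.

```python
"""Added example: IEC 104 APDU -> 9 application-layer fields -> 14-field record.
Not the patent's own code; all packet bytes and addresses are constructed."""
import struct
from datetime import datetime

# Constructed 5-tuple identifying the TCP connection (first associated metadata).
CONNECTION = {
    "src_addr": "192.0.2.10", "src_port": 40001,
    "dst_addr": "192.0.2.20", "dst_port": 2404, "protocol": "TCP",
}

# Constructed I-format APDU: type 30 (M_SP_TB_1, single point with CP56Time2a),
# one information object, cause 3 (spontaneous), originator 5, common address 1,
# IOA 1001, value ON, time tag 2021-03-26 10:15:30.500 (a Friday).
APDU = bytes([
    0x68, 0x15,                 # start character, APDU length (21 bytes follow)
    0x02, 0x00, 0x04, 0x00,     # control field: I-format, N(S)=1, N(R)=2
    0x1E, 0x01,                 # type identifier 30, VSQ: one object
    0x03, 0x05,                 # cause of transmission 3, originator address 5
    0x01, 0x00,                 # ASDU common address 1 (little-endian)
    0xE9, 0x03, 0x00,           # information object address 1001
    0x01,                       # SIQ: SPI = ON
    0x24, 0x77, 0x0F, 0x0A, 0xBA, 0x03, 0x15,  # CP56Time2a absolute time tag
])


def decode_cp56time2a(raw):
    """Decode the 7-byte CP56Time2a time tag (ms, min, hour, day/dow, month, year)."""
    ms, minute, hour, day, month, year = struct.unpack("<HBBBBB", raw)
    return datetime(2000 + (year & 0x7F), month & 0x0F, day & 0x1F,
                    hour & 0x1F, minute & 0x3F, ms // 1000, (ms % 1000) * 1000)


def parse_iec104_apdu(apdu):
    """Return the nine metadata fields of step S22 for one APDU.
    Only a single-object ASDU carrying a CP56Time2a tag is handled here."""
    if len(apdu) < 6 or apdu[0] != 0x68:
        raise ValueError("not an IEC 104 APDU: missing 0x68 start character")
    length = apdu[1]
    if length != len(apdu) - 2:
        raise ValueError(f"length field {length} disagrees with {len(apdu) - 2} bytes present")
    control = apdu[2:6]
    if control[0] & 0x01:
        raise ValueError("only I-format APDUs carry an ASDU")
    asdu = apdu[6:]
    if len(asdu) < 17:
        raise ValueError("ASDU shorter than one time-tagged single-point object")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    if vsq != 0x01:
        raise ValueError("example handles exactly one information object")
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    element = asdu[9]
    time_tag = decode_cp56time2a(asdu[10:17])
    return {
        "start_char": apdu[0],
        "length": length,
        "control_field": control.hex(),
        "type_id": type_id,
        "originator_addr": originator,
        "cause_of_transmission": cot & 0x3F,   # low 6 bits; bit 7 = P/N, bit 8 = test
        "asdu_common_addr": common_addr,
        "info_object": {"ioa": ioa, "value": element & 0x01},
        "time_tag": time_tag.isoformat(timespec="milliseconds"),
    }


def behavior_metadata_record(connection, apdu):
    """Splice the 5-field connection identifier with the 9 application fields
    into the 14-field record that feeds the behavior vector model."""
    record = dict(connection)
    record.update(parse_iec104_apdu(apdu))
    if len(record) != 14:
        raise ValueError(f"expected 14 metadata fields, got {len(record)}")
    return record


if __name__ == "__main__":
    for key, value in behavior_metadata_record(CONNECTION, APDU).items():
        print(f"{key:>22}: {value}")
```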
Figure GDA0003736188350000101
where D denotes the behavior set; $\{d_1, d_2, \ldots, d_i, \ldots, d_k\}$, $i \in (1, k)$, denotes the behaviors contained in the set, and k denotes the number of categories contained in the set D; n denotes the association between each behavior in the behavior set and the preceding n-1 behavior sequence.
Step S4, inputting the current behavior vector of the power terminal equipment into the pre-trained behavior sequence prediction model to obtain a detection result, and determining from the detection result whether the power terminal equipment shows intrusion behavior; the detection result is either normal or abnormal. It can be understood that, given the time-series nature of the behavior of the power terminal equipment, the context in which a terminal behavior occurs is fully considered, and a bidirectional LSTM (Long Short-Term Memory) network from deep learning is used to train on the forward and reverse sequences, which effectively improves the accuracy of the behavior prediction model.
In a specific embodiment, as shown in Fig. 2, the training process of the behavior sequence prediction model includes: setting the initial structure and parameters of a bidirectional LSTM neural network; inputting the behavior vectors of the power terminal equipment into the bidirectional LSTM model to generate a behavior sequence prediction model; and packaging and storing the generated sequence prediction model in a preset format to obtain the pre-trained behavior sequence prediction model.
Specifically, the process of obtaining the detection result includes: inputting the current behavior vector of the power terminal equipment into the pre-trained behavior sequence prediction model and generating a predicted value of the current behavior from its context; specifically, assume the current behavior is $d_i$ and its context sequence is $\{d_1, d_2, \ldots, d_{i-1}, d_i, d_{i+1}, \ldots, d_n\}$, $i \in (1, n)$; the sequence $\{d_1, d_2, \ldots, d_{i-1}, d_{i+1}, \ldots, d_n\}$, $i \in (1, n)$, with $d_i$ removed is input into the behavior sequence prediction model to generate the predicted value $d'_i$ of the current behavior.
The predicted value is compared with the actual value of the current behavior, and whether the behavior is abnormal is judged by computing the vector distance between them to obtain the detection result. Specifically, the vector distance between the predicted value and the actual value is computed according to the following formula:
Figure GDA0003736188350000121
where $\{s_{i1}, s_{i2}, \ldots, s_{ij}, \ldots, s_{in}\}$, $j \in (1, n)$, denotes the behavior vector of the actual value of the current behavior; $\{s'_{i1}, s'_{i2}, \ldots, s'_{ij}, \ldots, s'_{in}\}$, $j \in (1, n)$, denotes the behavior vector of the predicted value of the current behavior; n denotes the association between each behavior in the behavior set and the preceding n-1 behavior sequence; i denotes the current behavior sequence; j denotes the position within the behavior vector;
the vector distance M is compared with a preset detection threshold N: when M ≥ N, the current behavior is judged to be abnormal and the detection result is abnormal; when M < N, the current behavior is judged to be normal and the detection result is normal.
When the detection result is abnormal, the corresponding power terminal equipment is judged to show intrusion behavior; when the detection result is normal, the corresponding power terminal equipment is judged to show no intrusion behavior.
In summary, the embodiment of the invention has the following beneficial effects:
Exploiting the fact that power terminal equipment has a single function, so that its behaviors form a finite behavior set, a corpus of power terminal equipment behaviors is constructed with the N-gram model from natural language processing, which preserves the association between behaviors in the behavior text base; the deviation of observed behavior is quantified by computing a vector distance, and from it whether the power terminal equipment has been intruded is judged. For the time-series characteristics of the power terminal equipment behavior, the context in which a terminal behavior occurs is fully taken into account; a bidirectional LSTM from deep learning is trained on the forward and reverse sequences, which effectively improves the accuracy of the behavior prediction model. The capability to analyze network attack behavior is improved, and intrusion behavior of the power terminal equipment is detected.
While the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (7)

1. An intrusion detection method for power terminal equipment is characterized by comprising the following steps:
step S1, acquiring network flow data and log files of the power terminal equipment;
step S2, extracting behavior metadata from the network flow data and the log files;
analyzing the network flow data and the log files, and generating corresponding behavior metadata according to the protocols of the network layer, transport layer and application layer and the formats of the logs; identifying and integrating all behavior metadata of a given power terminal device to obtain the behavior metadata of that device;
generating identifiers of the behavior metadata from the IP address of the network layer and the port number and protocol type of the transport layer, and connecting behavior metadata whose identifiers meet the same preset identifier requirement to obtain first associated metadata; the identifier of the behavior metadata comprises a source address, a source port number, a destination address, a destination port and a protocol type;
analyzing the behavior metadata according to the protocol above the transport layer, identifying and outputting the transport-layer metadata type, and connecting behavior metadata with the same source address to obtain second associated metadata; the transport-layer metadata type comprises a start character, a length, a control field, a type identifier, an originator address, a cause of transmission, an application service data unit (ASDU) common address, an information body and an absolute time tag;
splicing the fields of the same data packet according to the correspondence between the address information of the first associated metadata and the source address information of the second associated metadata, to obtain the behavior metadata relevant to intrusion detection;
step S3, generating a behavior vector of the power terminal equipment according to the behavior metadata;
step S4, inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model to obtain a detection result, and determining whether the power terminal equipment has an intrusion behavior according to the detection result;
wherein the detection result comprises normal or abnormal;
the specific training process of the behavior sequence prediction model comprises the following steps: setting an initial structure and parameters of a bidirectional LSTM neural network; inputting the behavior vector of the power terminal equipment into a bidirectional LSTM model to generate a behavior sequence prediction model; and packaging and storing the generated sequence prediction model according to a preset format to obtain a pre-trained behavior sequence prediction model.
2. The method according to claim 1, wherein the step S1 specifically includes:
step S11, tapping the uplink and downlink traffic passing through the power terminal equipment with a splitter in bypass mode, acquiring the network flow data of the power terminal equipment, and reading the log files of the power terminal equipment;
and step S12, the remote data analysis terminal acquires the traffic data and log files of the power terminal equipment, classifies the network flow data and the log files, and stores the classification results in a preset format.
3. The method according to claim 2, wherein the step S3 specifically includes:
step S31, acquiring a plurality of behavior metadata related to intrusion detection to form a behavior set;
and step S32, inputting the behavior set into a preset behavior vector model, and featurizing all samples in the behavior set in their sequence order to generate behavior vectors.
4. The method according to claim 3, wherein in step S32, featurizing all samples in the behavior set in their sequence order specifically comprises:
generating n in the behavior vector model, wherein n denotes that the occurrence of the current behavior is related to the previous n-1 behaviors;
generating a feature vector of each behavior in the behavior set;
a behavior vector is generated according to the following formula:
[Formula image FDA0003704497850000031, not reproduced on this page: the behavior vector generated from the feature vectors of the behaviors in the behavior set]
wherein $\{d_1, d_2, \dots, d_i, \dots, d_k\}$, $i \in (1, k)$, represents the behaviors contained in the set, and $k$ represents the number of categories contained in the set; $n$ represents the association between each behavior in the behavior set and the previous $n-1$ behaviors of the sequence; $i$ is the index of the current behavior; $j$ is the index of the component within the behavior vector; $\{s_{i1}, s_{i2}, \dots, s_{ij}, \dots, s_{in}\}$, $j \in (1, n)$, represents the behavior vector of the actual value of the current behavior; $s_{ij}$ represents the $j$-th component of the behavior vector of the $i$-th behavior; $s_{kn}$ represents the $n$-th component of the behavior vector of the $k$-th behavior.
5. The method according to claim 4, wherein in step S4, the process of obtaining the detection result specifically includes:
inputting the current behavior vector of the power terminal equipment into a pre-trained behavior sequence prediction model, and generating a predicted value of the current behavior according to the context environment of the current behavior;
and comparing the predicted value and the actual value of the current behavior, and judging whether the behavior is abnormal or not by calculating the vector distance between the predicted value and the actual value to obtain a detection result.
6. The method of claim 5, wherein determining whether the behavior is abnormal by calculating the vector distance thereof specifically comprises:
calculating the vector distance of the predicted value and the actual value according to the following formula:
[Formula image FDA0003704497850000041, not reproduced on this page: vector distance $M$ between the behavior vector of the predicted value and the behavior vector of the actual value]
wherein $\{s_{i1}, s_{i2}, \dots, s_{ij}, \dots, s_{in}\}$, $j \in (1, n)$, represents the behavior vector of the actual value of the current behavior; $\{s'_{i1}, s'_{i2}, \dots, s'_{ij}, \dots, s'_{in}\}$, $j \in (1, n)$, represents the behavior vector of the predicted value of the current behavior; $n$ represents the association between each behavior in the behavior set and the previous $n-1$ behaviors of the sequence; $i$ is the index of the current behavior; $j$ is the index of the component within the behavior vector;
comparing the vector distance $M$ with a preset detection threshold $N$: when $M \ge N$, judging that the current behavior is abnormal, the detection result being abnormal; and when $M < N$, judging that the current behavior is normal, the detection result being normal.
7. The method as claimed in claim 6, wherein in step S4, the determining whether the intrusion behavior exists in the power terminal device according to the detection result specifically includes:
when the detection result is abnormal, judging that the corresponding electric power terminal equipment has an intrusion behavior;
and when the detection result is normal, judging that the corresponding electric power terminal equipment has no intrusion behavior.
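Worked example for step S2 of claim 1, added here and not part of the patent. The transport-layer metadata fields the claim lists (start character, length, control field, type identifier, originator address, cause of transmission, ASDU common address, information body, absolute time tag) are exactly the fields of an IEC 60870-5-104 APDU; the patent does not name the protocol, so the example assumes it. The packets, addresses, ports and payload values below are constructed. The parser, the 5-tuple identifier and the two groupings (first associated metadata keyed by identifier, second associated metadata keyed by source address) follow the claim's wording; the handling of S/U-format frames, the subset of time-tagged ASDU types, and the single-object restriction are the example's own choices.

```python
"""Step S2 of claim 1 on constructed IEC 60870-5-104 traffic: parse one APDU
into the claim's metadata fields, key it with the network/transport
identifier and form the first and second associated metadata groupings."""
import struct
from collections import defaultdict
from datetime import datetime

# ASDU type identifications whose information object ends with a 7-byte
# CP56Time2a absolute time tag (the subset of IEC 60870-5-101/104 handled here).
TIME_TAGGED_TYPES = set(range(30, 41)) | set(range(58, 65))

# Constructed sample capture: the frame layout follows IEC 104, but the
# addresses, ports, sequence numbers and payload values are made up.
SAMPLE_PACKETS = [
    # RTU -> master: spontaneous single-point event (type 30) with time tag
    ({"src_ip": "10.1.1.20", "src_port": 2404, "dst_ip": "10.1.1.10",
      "dst_port": 51000, "proto": "TCP"},
     bytes.fromhex("68 15 06 00 04 00 1E 01 03 01 01 00 E9 03 00 01"
                   "24 77 0F 0A BA 03 15")),
    # master -> RTU: single command C_SC_NA_1 (type 45), cause 6 = activation
    ({"src_ip": "10.1.1.10", "src_port": 51000, "dst_ip": "10.1.1.20",
      "dst_port": 2404, "proto": "TCP"},
     bytes.fromhex("68 0E 02 00 04 00 2D 01 06 01 01 00 E8 03 00 01")),
    # master -> RTU: S-format acknowledgement, carries no ASDU
    ({"src_ip": "10.1.1.10", "src_port": 51000, "dst_ip": "10.1.1.20",
      "dst_port": 2404, "proto": "TCP"},
     bytes.fromhex("68 04 01 00 06 00")),
]


def parse_cp56time2a(b):
    """Decode the 7-byte CP56Time2a time tag (ms, minute, hour, day, month, year)."""
    ms, minute, hour, day, month, year = struct.unpack("<HBBBBB", b)
    return datetime(2000 + (year & 0x7F), month & 0x0F, day & 0x1F,
                    hour & 0x1F, minute & 0x3F, ms // 1000, (ms % 1000) * 1000)


def parse_apdu(buf):
    """Return the metadata fields named in claim 1 for one APDU."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("missing 0x68 start character")
    length = buf[1]
    if length + 2 != len(buf):                       # length counts bytes after itself
        raise ValueError("APDU length %d does not match %d bytes" % (length, len(buf)))
    ctrl = buf[2:6]
    rec = {"start": 0x68, "length": length, "control": ctrl.hex()}
    if ctrl[0] & 0x01:                               # S- or U-format: no ASDU follows
        rec["format"] = "U" if ctrl[0] & 0x02 else "S"
        return rec
    rec["format"] = "I"
    asdu = buf[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    if vsq & 0x7F != 1:
        raise ValueError("only single-object ASDUs are handled in this example")
    rec.update({
        "type_id": type_id,
        "cause": cot & 0x3F,                         # bit 6 = P/N, bit 7 = test flag
        "originator": originator,
        "common_addr": struct.unpack("<H", asdu[4:6])[0],
        "ioa": int.from_bytes(asdu[6:9], "little"),
    })
    element = asdu[9:]
    if type_id in TIME_TAGGED_TYPES:
        if len(element) < 7:
            raise ValueError("time tag truncated")
        rec["time_tag"] = parse_cp56time2a(element[-7:])
        element = element[:-7]
    else:
        rec["time_tag"] = None
    rec["body"] = element.hex()                      # the information body
    return rec


def identifier(flow):
    """Claim 1 identifier: source address, source port, destination address,
    destination port, protocol type."""
    return (flow["src_ip"], flow["src_port"], flow["dst_ip"],
            flow["dst_port"], flow["proto"])


def extract_behavior_metadata(packets):
    """One record per packet, then the two groupings of claim 1:
    first associated metadata by identical identifier, second by source address."""
    records = []
    for flow, apdu in packets:
        rec = parse_apdu(apdu)
        rec["id"] = identifier(flow)
        rec["src_ip"] = flow["src_ip"]
        records.append(rec)
    first_assoc, second_assoc = defaultdict(list), defaultdict(list)
    for rec in records:
        first_assoc[rec["id"]].append(rec)
        second_assoc[rec["src_ip"]].append(rec)
    return records, dict(first_assoc), dict(second_assoc)


if __name__ == "__main__":
    recs, by_id, by_src = extract_behavior_metadata(SAMPLE_PACKETS)
    for rec in recs:
        print(rec)
    print(len(by_id), "identifiers;", {k: len(v) for k, v in by_src.items()})
```

The length check and the S/U-format branch matter in practice: a truncated or non-I-format frame must not be parsed as an ASDU, or the behavior tokens derived from it in step S3 would be garbage and would themselves trip the detector.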
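Worked example for steps S3 and S4 as described in the detailed description above and restated in claims 3 to 7, added here and not the patent's own code. The patent's behavior-vector and vector-distance formulas are images not reproduced on this page, and its predictor is a bidirectional LSTM; the example therefore assumes a one-hot behavior vector, a Euclidean distance for M, and a count-based bidirectional n-gram predictor as a stand-in for the BiLSTM that still predicts d_i from the context {d_1, ..., d_{i-1}, d_{i+1}, ..., d_n}. The behavior tokens, the normal cycle and the training sequence are constructed.

```python
"""Behavior-sequence anomaly detection in the style of steps S3/S4: one-hot
behavior vectors, a bidirectional context predictor, and a vector distance M
compared against a threshold N."""
from collections import Counter, defaultdict
import math

# Constructed behavior tokens for an IEC 104-style terminal, written as
# "ASDU type / cause of transmission" (assumed tokenisation). One general
# interrogation cycle followed by a spontaneous event is the normal pattern.
NORMAL_CYCLE = [
    "C_IC_NA_1/act", "C_IC_NA_1/actcon", "M_SP_NA_1/inrogen",
    "M_ME_NC_1/inrogen", "C_IC_NA_1/actterm", "M_SP_TB_1/spont",
]
TRAIN_SEQUENCE = NORMAL_CYCLE * 20          # constructed behavior text base


class BehaviorVectorizer:
    """One-hot encoding over the finite behavior set (assumed vector model)."""

    def __init__(self, behaviors):
        self.categories = sorted(set(behaviors))            # k categories
        self.index = {b: i for i, b in enumerate(self.categories)}

    def vector(self, behavior):
        v = [0.0] * len(self.categories)
        if behavior in self.index:
            v[self.index[behavior]] = 1.0
        return v


class ContextPredictor:
    """Count-based bidirectional n-gram predictor, a stand-in for the patent's
    bidirectional LSTM: predicts d_i from the n-1 behaviors before it and the
    n-1 behaviors after it, backing off to left context, then to unigrams."""

    def __init__(self, n=3):
        self.n = n
        self.by_both = defaultdict(Counter)   # (left, right) -> counts of d_i
        self.by_left = defaultdict(Counter)   # left only     -> counts of d_i
        self.unigram = Counter()

    def _context(self, seq, i):
        w = self.n - 1
        return tuple(seq[max(0, i - w):i]), tuple(seq[i + 1:i + 1 + w])

    def fit(self, seq):
        for i, d in enumerate(seq):
            left, right = self._context(seq, i)
            self.by_both[(left, right)][d] += 1
            self.by_left[left][d] += 1
            self.unigram[d] += 1
        return self

    def predict(self, seq, i, vectorizer):
        """Predicted value d'_i as a probability vector over the behavior set."""
        left, right = self._context(seq, i)
        counts = (self.by_both.get((left, right))
                  or self.by_left.get(left)
                  or self.unigram)
        total = sum(counts.values())
        pred = [0.0] * len(vectorizer.categories)
        for b, c in counts.items():
            pred[vectorizer.index[b]] = c / total
        return pred


def vector_distance(actual, predicted):
    """Euclidean distance (assumed metric; the patent's formula for M is an image)."""
    return math.sqrt(sum((a - p) ** 2 for a, p in zip(actual, predicted)))


def detect(seq, predictor, vectorizer, threshold):
    """Return (i, d_i, M, verdict) per position; M >= N means abnormal.
    A behavior outside the finite behavior set is abnormal by definition."""
    results = []
    for i, d in enumerate(seq):
        if d not in vectorizer.index:
            results.append((i, d, math.inf, "abnormal"))
            continue
        m = vector_distance(vectorizer.vector(d),
                            predictor.predict(seq, i, vectorizer))
        results.append((i, d, round(m, 3), "abnormal" if m >= threshold else "normal"))
    return results


def intrusion_detected(results):
    """Step S4 device verdict: any abnormal behavior means an intrusion."""
    return any(verdict == "abnormal" for _, _, _, verdict in results)


if __name__ == "__main__":
    vec = BehaviorVectorizer(TRAIN_SEQUENCE)
    model = ContextPredictor(n=3).fit(TRAIN_SEQUENCE)
    injected = NORMAL_CYCLE[:3] + ["C_SC_NA_1/act"] + NORMAL_CYCLE[3:]
    for row in detect(injected, model, vec, threshold=0.5):
        print(row)
```

Injecting a single command into the middle of an interrogation cycle is flagged twice over: the command itself is outside the learned behavior set, and the behaviors next to it now sit in a context the model has never seen, so their predicted vectors fall back to the unigram distribution and their distance exceeds N. The threshold N is the tuning knob: with the Euclidean metric on one-hot vectors it lies in [0, sqrt(2)], and a value near 0.5 separates "context seen, behavior as expected" from "context unseen" on this corpus.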
CN202110325387.8A 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment Active CN113079150B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110325387.8A CN113079150B (en) 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110325387.8A CN113079150B (en) 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment

Publications (2)

Publication Number Publication Date
CN113079150A CN113079150A (en) 2021-07-06
CN113079150B true CN113079150B (en) 2022-09-30

Family

ID=76610459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110325387.8A Active CN113079150B (en) 2021-03-26 2021-03-26 Intrusion detection method for power terminal equipment

Country Status (1)

Country Link
CN (1) CN113079150B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794742B (en) * 2021-11-18 2022-02-15 国网浙江浙电招标咨询有限公司 High-precision detection method for FDIA of power system
CN115051833B (en) * 2022-05-12 2023-12-15 中国电子科技集团公司电子科学研究院 Intercommunication network anomaly detection method based on terminal process
CN115801447B (en) * 2023-01-09 2023-04-21 北京安帝科技有限公司 Industrial safety-based flow analysis method and device and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431819A (en) * 2020-03-06 2020-07-17 中国科学院深圳先进技术研究院 Network traffic classification method and device based on serialized protocol flow characteristics
CN112464996A (en) * 2020-11-09 2021-03-09 中国科学院沈阳自动化研究所 Intelligent power grid intrusion detection method based on LSTM-XGboost

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10324983B2 (en) * 2016-10-04 2019-06-18 Sas Institute Inc. Interactive visualizations for a recurrent neural network
CN107465667B (en) * 2017-07-17 2019-10-18 全球能源互联网研究院有限公司 The safe synergic monitoring method and device of power grid industry control based on specification deep analysis
CN108200005A (en) * 2017-09-14 2018-06-22 国网浙江省电力公司宁波供电公司 Electric power secondary system network flow abnormal detecting method based on unsupervised learning
CN109787979B (en) * 2019-01-22 2020-03-10 电子科技大学 Method for detecting electric power network event and invasion
CN110933031A (en) * 2019-10-25 2020-03-27 国网吉林省电力有限公司电力科学研究院 Intelligent power grid power distribution terminal unit intrusion detection method based on LSTM
CN111598179B (en) * 2020-05-21 2022-10-04 国网电力科学研究院有限公司 Power monitoring system user abnormal behavior analysis method, storage medium and equipment


Also Published As

Publication number Publication date
CN113079150A (en) 2021-07-06

Similar Documents

Publication Publication Date Title
CN107241352B (en) Network security event classification and prediction method and system
CN113079150B (en) Intrusion detection method for power terminal equipment
US10218740B1 (en) Fuzzy hash of behavioral results
US11399288B2 (en) Method for HTTP-based access point fingerprint and classification using machine learning
CN107040517B (en) Cognitive intrusion detection method oriented to cloud computing environment
RU2680736C1 (en) Malware files in network traffic detection server and method
US20150341389A1 (en) Log analyzing device, information processing method, and program
CN108737336B (en) Block chain-based threat behavior processing method and device, equipment and storage medium
WO2019006412A1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
CN104426906A (en) Identifying malicious devices within a computer network
CN109347853B (en) Deep packet analysis-based anomaly detection method for integrated electronic system
US11544575B2 (en) Machine-learning based approach for malware sample clustering
CN113194058B (en) WEB attack detection method, equipment, website application layer firewall and medium
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
Vij et al. Detection of algorithmically generated domain names using LSTM
Fallah et al. Android malware detection using network traffic based on sequential deep learning models
Rani et al. A framework for the identification of suspicious packets to detect anti-forensic attacks in the cloud environment
Yusufovna Integrating intrusion detection system and data mining
CN115706671A (en) Network security defense method, device and storage medium
Nguyen et al. An approach to detect network attacks applied for network forensics
KR101488271B1 (en) Apparatus and method for ids false positive detection
Rahmat et al. Network traffic-based hybrid malware detection for smartphone and traditional networked systems
CN113965418B (en) Attack success judgment method and device
Yang et al. Multi-class DRDoS attack detection method based on feature selection
KR20230000376A (en) Security monitoring intrusion detection alarm processing device and method using artificial intelligence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant