CN113408117A - Method and system for evaluating network attack destructive power degree of power monitoring system - Google Patents

Publication number
CN113408117A
Authority
CN
China
Legal status
Pending
Application number
CN202110635379.3A
Other languages
Chinese (zh)
Inventor
张一驰
何剑
周勤勇
屠竞哲
安学民
李苏宁
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00: Computer-aided design [CAD]
    • G06F30/20: Design optimisation, verification or simulation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2113/00: Details relating to the application field
    • G06F2113/04: Power grid distribution networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2119/00: Details relating to the type or aim of the analysis or the optimisation
    • G06F2119/02: Reliability analysis or reliability optimisation; Failure analysis, e.g. worst case scenario performance, failure mode and effects analysis [FMEA]

Abstract

The invention discloses a method and a system for evaluating the network attack destructive power degree of a power monitoring system, and belongs to the technical field of evaluation and analysis of network attack consequences of the power monitoring system. The method comprises the following steps: determining a network attack behavior path aiming at the power monitoring system, determining a network attack behavior difficulty coefficient according to the network attack behavior path, and determining the success probability of network attack under a specific attack cost according to the network attack behavior difficulty coefficient; determining the load loss amount of the power system caused by the network attack behavior; and determining the influence probability of the network attack behavior, and determining the network attack destructive power degree of the power monitoring system according to the load loss amount, the success probability and the influence probability of the network attack. According to the invention, under the conditions of specific attacker skill, attack cost and specific power monitoring system configuration, comprehensive evaluation of the destructive power of the network attack event associated with the operation consequence of the primary power system is realized.

Description

Method and system for evaluating network attack destructive power degree of power monitoring system
Technical Field
The invention relates to the technical field of evaluation and analysis of network attack consequences of a power monitoring system, in particular to a method and a system for evaluating the network attack destructive power degree of the power monitoring system.
Background
According to the principle of information security risk analysis, three elements of assets, threats and vulnerabilities are involved in the information security risk analysis, and each element has respective attributes as follows:
(1) the property of the asset is asset value, and the asset value is determined through asset identification;
(2) the attribute of the threat can be a threat subject, an influence object, an appearance frequency, a motivation and the like, and the frequency of the threat appearance is determined through threat identification;
(3) the attribute of vulnerability is the severity of asset vulnerability, and the extent of vulnerability is determined by vulnerability identification.
Risk analysis considers the relationships among the three elements comprehensively, on the following principle: the possibility of an attack event is determined from the frequency of threat occurrence and the severity of the vulnerability; the loss caused by the attack event is determined from the asset value and the severity of the vulnerability; and finally the security risk degree of the attack event is determined from the possibility of the attack event and its loss consequence.
By taking the idea of information security risk assessment as reference and combining with the characteristic analysis of the power secondary system, the security risk degree can be regarded as the destructive power degree of the network attack behavior of the power system, and the higher the security risk degree of the attack event is, the larger the destructive power is.
The destructive influence factors of the power system network attack mainly include the following two aspects:
(1) Probability of an attack event. The probability of an attack event occurring is determined by the attacker's skill (i.e., the attack threat) and the difficulty of exploiting the vulnerability. Occurrence of the event is a necessary condition for destructive power: only attack events that can actually occur can affect the power system. The probability of the event and its destructive power are also positively correlated: for a given attack result, the larger the probability of the event, the larger its destructive power can be considered to be.
(2) The consequences of an attack event. The more severe the loss caused by an information security event, the greater the security risk of the event. The final purpose of the network attack of the power system is to destroy the normal operation of the primary power system, and finally cause the influence of power failure. In other words, the higher the asset value of the power system network attack target, the greater the impact, that is, the greater the load of the power outage, the higher the impact degree of the attack event, and the stronger the destructive power thereof.
At present, the shortcomings of research on evaluating the destructive power of network attacks on power monitoring systems lie mainly in the aspects related to the operation of the primary power system: the operational impact of a network attack event on the primary power system is usually estimated with a simple method, and an evaluation method that incorporates the simulation analysis results of the primary power system is lacking, so the rigor and accuracy of the destructive power evaluation results are insufficient. Accurately accounting for the influence of an attack event on the operation of the primary power system is therefore of great significance for accurately evaluating the network attack destructive power degree of the power monitoring system.
Disclosure of Invention
In order to solve the above problems, the present invention provides a method for evaluating a network attack destructive power degree of a power monitoring system, comprising:
determining a network attack behavior path aiming at the power monitoring system, determining a network attack behavior difficulty coefficient according to the network attack behavior path, and determining the success probability of network attack under a specific attack cost according to the network attack behavior difficulty coefficient;
determining the load loss amount of the power system caused by the network attack behavior;
and determining the influence probability of the network attack behavior, and determining the network attack destructive power degree of the power monitoring system according to the load loss amount, the success probability and the influence probability of the network attack.
Optionally, determining the difficulty coefficient of the network attack behavior includes:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the eigenvector corresponding to the maximum eigenvalue;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
Optionally, the hierarchical structure model establishes a target layer by taking the difficulty coefficient of the network attack behavior calculation as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
Optionally, determining the success probability of the network attack includes: determining a success probability function of any single network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
Optionally, the load loss is obtained through simulation calculation according to the power system fault.
The invention also provides a system for evaluating the network attack destructive power degree of the power monitoring system, comprising:
the probability calculation unit is used for determining a network attack behavior path aiming at the power monitoring system, determining a network attack behavior difficulty coefficient according to the network attack behavior path, and determining the success probability of network attack under a specific attack cost according to the network attack behavior difficulty coefficient;
the fault simulation unit is used for determining the load loss of the power system caused by the network attack behavior;
and the evaluation unit is used for determining the influence probability of the network attack behavior and determining the network attack destructive power degree of the power monitoring system according to the load loss amount, the success probability and the influence probability of the network attack.
Optionally, determining the difficulty coefficient of the network attack behavior includes:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the eigenvector corresponding to the maximum eigenvalue;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
Optionally, the hierarchical structure model establishes a target layer by taking the difficulty coefficient of the network attack behavior calculation as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
Optionally, determining the success probability of the network attack includes: determining a success probability function of any single network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
Optionally, the load loss is obtained through simulation calculation according to the power system fault.
According to the method, under the conditions of specific attacker skill, attack cost and specific power monitoring system configuration, the network attack event probability and the power primary system operation influence of the power monitoring system are considered, the comprehensive evaluation of the network attack event destructive power of the associated power primary system operation consequences is realized, and a technical reference is provided for accurately evaluating the network attack destructive power degree of the power monitoring system.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a diagram of a hierarchy model of the method of the present invention;
FIG. 3 is a diagram of a hierarchical model of a substation monitoring system according to the method of the present invention;
FIG. 4 is a block diagram of an IEEE 39 node system embodying the present invention;
FIG. 5 is a system frequency variation graph for attack scenario I of the method of the present invention;
FIG. 6 is a system frequency variation graph for attack scenario II of the method of the present invention;
FIG. 7 is a schematic diagram of the system of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that the disclosure is thorough and complete and fully conveys the scope of the present invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention provides a method for evaluating the network attack destructive power degree of a power monitoring system, as shown in figure 1, comprising the following steps:
firstly, calculating the probability of the network attack event under a specific attack cost based on the network attack path flow and the behavior difficulty.
And then, analyzing the influence of the network attack event on the operation control of the primary power equipment, and carrying out simulation calculation analysis on the primary power system fault under the network attack background to obtain the load loss caused by the attack event.
And finally, quantitatively evaluating the destructive power of the network attack event based on the attack event probability and the load loss amount of the primary power system and considering the triggering probability of the attack influence.
(1) The comprehensive difficulty coefficient of the network attack behavior is solved as follows:
Combining the characteristics of network attack scenarios with vulnerability assessment methods for distributed systems, the method uses the analytic hierarchy process (AHP) and the technique for order preference by similarity to an ideal solution (TOPSIS) to quantify the difficulty of attack behaviors. The specific steps are:
1) constructing a hierarchical structure model for comprehensive difficulty evaluation of network attack behaviors;
The hierarchical structure model for comprehensive difficulty evaluation of network attack behaviors consists of four levels: a target layer, a criterion layer, an index layer and a behavior layer, as shown in FIG. 2. The comprehensive difficulty coefficient of the attack behavior to be calculated is the target and is the sole element of the target layer. The attacker skill and the important configuration items of the attack object, which are closely related to the comprehensive difficulty coefficient, are the reference criteria for determining the difficulty coefficient and together form the criterion layer elements. The specific index items that must be obtained when evaluating the attacker skill and the configuration of the attack object, such as the specific skills mastered by the attacker and the specific configuration of the attack object, together form the index layer elements and provide a basis for quantitatively analyzing the criterion layer elements. Each attack behavior forms an element of the bottom behavior layer, which describes the attack difficulty relation between each attack behavior and the index layer elements.
The model constructs the overall relation between the network attack behaviors and various factors related to the network attack behaviors, and finally obtains the comprehensive difficulty coefficient indexes of the behaviors through layered one-by-one analysis.
2) Constructing a judgment matrix;
Expert scoring opinions are solicited on the mutual importance of the different factors in the criterion layer, and a judgment matrix A (order m + 1) of the criterion layer with respect to the target layer is constructed from them, where $A_{ij}$ indicates the importance of index i relative to index j. Similarly, judgment matrices B0 (order n), B1 (order p), B2 (order q), …, Bm (order r) of the index layer are constructed for the attacker skill and the attack-object configuration items 1 to m in the criterion layer.
3) Solving the maximum eigenvector of each judgment matrix and checking consistency;
The maximum eigenvalues and the eigenvectors $W_A$, $W_{B0}$, $W_{B1}$, $W_{B2}$, …, $W_{Bm}$ of the judgment matrices A, B0, B1, B2, …, Bm are obtained respectively. Since a judgment matrix is a judgment given according to expert experience, inconsistencies are unavoidable, but they must stay within a certain range to be acceptable. The consistency check is a method for measuring the degree of inconsistency. The consistency check index CI is defined as follows:
Figure BDA0003102143220000071
where n is the order of the judgment matrix and $\lambda_{\max}$ is the maximum eigenvalue; when the matrix is completely consistent, CI is 0. When it is inconsistent, generally the larger n is, the worse the consistency, so an average random consistency index RI and a random consistency ratio CR are introduced:
Figure BDA0003102143220000072
Figure BDA0003102143220000073
The average random consistency index RI is obtained by randomly constructing n-order positive reciprocal matrices; with a sufficiently large sample, the average maximum eigenvalue $\lambda_{ave}$ is obtained and RI is calculated from it, so each order has a corresponding RI value. Introducing RI overcomes, to a certain extent, the defect that the consistency check index CI increases as the matrix order increases. In the consistency judgment, if the random consistency ratio CR is less than 0.1, the inconsistency is considered acceptable; if CR is greater than or equal to 0.1, the inconsistency is considered unacceptable and the judgment matrix needs to be modified.
4) Calculating a weight vector of the index layer element relative to the target layer element;
the weight vector of the index layer elements to the target layer elements is:
$W = [W_{B0}, W_{B1}, W_{B2}, \ldots, W_{Bm}] \times W_A$ (4)
5) constructing a decision matrix of the behavior layer elements to the index layer elements;
For s behaviors and t index layer elements, construct a decision matrix $C = (c_{ij})$, where t = n + p + q + r, i = 1, 2, …, s, j = 1, 2, …, t, and $c_{ij}$ is the difficulty value assigned to the i-th behavior for breaking the j-th index; the greater the difficulty, the larger $c_{ij}$.
Normalizing the decision matrix to form a normalized matrix D, wherein:
Figure BDA0003102143220000074
6) constructing a weighted standardized decision matrix;
The weighted normalized decision matrix is $Z_{ij} = W_j \times D_{ij}$, where $W_j$ is the j-th element of W.
7) Calculating a comprehensive attack difficulty coefficient of each behavior;
A positive ideal solution $Z^+$ and a negative ideal solution $Z^-$ are calculated according to TOPSIS, where:
Figure BDA0003102143220000081
the distance between each behavior attack difficulty coefficient and the positive and negative ideal solutions is as follows:
Figure BDA0003102143220000082
calculating ideal solution closeness, and calculating to obtain an attack comprehensive difficulty coefficient of each behavior by combining the difficulty average value in the decision matrix:
Figure BDA0003102143220000083
where:
Figure BDA0003102143220000084
8) Solving the attack success probability of the attack path;
With reference to reliability calculation methods, the success probability function of a given attack behavior is defined as follows:
Figure BDA0003102143220000085
where c is the equivalent attack cost that an attacker can pay, C is the equivalent attack cost required to carry out the attack behavior, and a larger p(c) indicates a higher probability that the behavior succeeds.
Combining with the attack path diagram analysis, when the number n of the attack behaviors contained in a certain path is more than or equal to 2, the probability of completing the whole process of the certain attack path is as follows:
Figure BDA0003102143220000086
(2) solving the load loss caused by the attack event as follows:
analyzing the influence of the network attack event on the operation control of the primary power equipment, and carrying out simulation calculation analysis on the primary power system fault under the network attack background to obtain the load loss L caused by the attack event.
(3) Solving the network attack destructive power evaluation factor as follows:
considering that a primary system fault caused by relevant attacks such as relay protection belongs to a hidden fault, the influence triggering probability of the attacks needs to be considered. Based on the attack event probability P and the primary power system load loss L, and considering the trigger probability of attack influence, a network attack destructive power evaluation factor calculation formula is set as follows:
A=r×P×L (11)
where A is the network attack destructive power evaluation factor; r is the influence trigger probability (0 ≤ r ≤ 1 for a hidden fault, r = 1 for a non-hidden fault); P is the success probability of the secondary system attack; and L is the load loss of the primary system.
Taking a typical substation monitoring system that adopts the IEC 61850 standard as an example, and based on network attack path analysis, the vulnerability threats of the key devices involved in 6 attack paths under specific configuration conditions are evaluated. The attack behaviors included in the 6 identified attack paths are shown in Table 1:
TABLE 1
Figure BDA0003102143220000091
The device functions marked in the table correspond to logical nodes in the IEC 61850 standard. The device is the attack object, and what is actually attacked is the function of the device; the numbers of the attack behaviors included in each attack path are shown on the right. The hierarchical structure model for comprehensive difficulty evaluation of network attack behaviors against the substation monitoring system is constructed as shown in FIG. 3.
The mutual importance of the elements is compared using the 1-9 reciprocal scale, the judgment matrix A of the criterion layer with respect to the target layer and the judgment matrices B0-B4 of the index layer with respect to the criterion layer are constructed, their maximum eigenvalues and corresponding eigenvectors are calculated, and a consistency check is carried out.
When constructing a judgment matrix, the importance of all elements is compared thoroughly and values are assigned according to the comparison. Taking judgment matrix A as an example, expert opinions are solicited to assign values comparing the importance of 5 indexes such as attacker skill, network environment and target object. For example, $A_{11}$ compares the attacker skill index with itself and is 1 (every diagonal element of the matrix compares an index with itself and is 1). $A_{12}$ compares attacker skill with network environment: assuming that, when evaluating the target layer element, attacker skill is about 3 times as important as the network environment, $A_{12}$ is 3. The remaining matrix elements are assigned by the same rule. In addition, to avoid serious inconsistency in the comparison process, a consistency check must be performed on the judgment matrix.
The calculation results are as follows:
Figure BDA0003102143220000101
$\lambda_{A\max} = 5.0723$
Figure BDA0003102143220000102
Figure BDA0003102143220000103
$\lambda_{B0\max} = 2.0$
Figure BDA0003102143220000104
Figure BDA0003102143220000105
$\lambda_{B1\max} = 2.0$
Figure BDA0003102143220000106
Figure BDA0003102143220000107
$\lambda_{B2\max} = 3.0092$
Figure BDA0003102143220000108
Figure BDA0003102143220000109
$\lambda_{B3\max} = 3.0183$
Figure BDA00031021432200001010
Figure BDA00031021432200001011
$\lambda_{B4\max} = 3.0183$
Figure BDA00031021432200001012
A consistency check is performed on the matrices. The RI values, obtained from statistical calculation, are shown in Table 2:
TABLE 2
n 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
RI 0 0 0.58 0.90 1.12 1.24 1.32 1.41 1.45 1.49 1.52 1.54 1.56 1.58 1.59 1.59 1.61 1.61 1.62 1.63
The results of the consistency check are shown in table 3, and the judgment matrices all pass the consistency check.
TABLE 3
Figure BDA00031021432200001013
Figure BDA0003102143220000111
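The consistency check applied to the maximum eigenvalues listed above and the RI values of Table 2, as an added example that is not part of the patent text. It assumes the standard AHP definitions CI = (λmax − n)/(n − 1) and CR = CI/RI, since the formula images are not reproduced on this page; the function names and the two sample matrices are constructed for illustration.

```python
"""AHP consistency check (added example, not code from the patent)."""

# Average random consistency index RI by order n (first ten entries of Table 2).
RI_TABLE = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
            6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# (order n, lambda_max) as listed on the page for each judgment matrix.
REPORTED = {"A": (5, 5.0723), "B0": (2, 2.0), "B1": (2, 2.0),
            "B2": (3, 3.0092), "B3": (3, 3.0183), "B4": (3, 3.0183)}

CR_LIMIT = 0.1  # acceptance threshold stated in the text

# Constructed samples (not from the patent): a perfectly consistent matrix
# built from weights 0.6 / 0.3 / 0.1, and a cyclic, contradictory one.
CONSISTENT = [[1, 2, 6], [1 / 2, 1, 3], [1 / 6, 1 / 3, 1]]
CYCLIC = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]


def consistency(n, lambda_max):
    """Return (CI, CR, acceptable) for an order-n judgment matrix."""
    if n not in RI_TABLE:
        raise ValueError(f"no RI value for order {n}")
    if n <= 2:
        # A 1x1 or 2x2 reciprocal matrix is always consistent (RI = 0),
        # so CR is taken as 0 instead of dividing by zero.
        return 0.0, 0.0, True
    ci = (lambda_max - n) / (n - 1)
    cr = ci / RI_TABLE[n]
    return ci, cr, cr < CR_LIMIT


def check_reciprocal(matrix, tol=1e-9):
    """Reject matrices that are not positive reciprocal (a_ji = 1 / a_ij)."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("judgment matrix must be square")
        for j in range(n):
            if matrix[i][j] <= 0:
                raise ValueError("entries must be positive")
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > tol:
                raise ValueError(f"a[{i}][{j}] and a[{j}][{i}] are not reciprocal")


def principal_eigen(matrix, max_iter=1000, tol=1e-12):
    """Power iteration: return (lambda_max, weights normalised to sum 1)."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = 0.0
    for _ in range(max_iter):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        new_lam = sum(v)  # sum(w) == 1, so sum(A w) estimates lambda_max
        w = [x / new_lam for x in v]
        converged = abs(new_lam - lam) < tol
        lam = new_lam
        if converged:
            break
    return lam, w


def evaluate(matrix):
    """Validate a judgment matrix, derive its weights and run the CR test."""
    check_reciprocal(matrix)
    lam, weights = principal_eigen(matrix)
    ci, cr, ok = consistency(len(matrix), lam)
    return {"lambda_max": lam, "weights": weights,
            "CI": ci, "CR": cr, "acceptable": ok}


def reported_results():
    """CI, CR and verdict recomputed from the eigenvalues listed on the page."""
    return {name: consistency(n, lam) for name, (n, lam) in REPORTED.items()}


if __name__ == "__main__":
    for name, (ci, cr, ok) in reported_results().items():
        print(f"{name}: CI={ci:.4f} CR={cr:.4f} acceptable={ok}")
    for label, m in (("consistent", CONSISTENT), ("cyclic", CYCLIC)):
        r = evaluate(m)
        print(f"{label}: lambda_max={r['lambda_max']:.4f} "
              f"CR={r['CR']:.4f} acceptable={r['acceptable']}")
```

The second-order matrices B0 and B1 have RI = 0, so the ratio is undefined and they are treated as consistent by construction; the cyclic sample shows a set of expert scores that the check rejects.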
The weight vector of the calculated index layer elements to the target layer elements is:
W=[0.0693 0.2079 0.0785 0.0393 0.1435 0.0790 0.2608 0.0099 0.0113 0.0260 0.0091 0.0238 0.0416]T
the decision matrix of behavior layer elements to index layer elements is constructed as follows:
Figure BDA0003102143220000112
the decision matrix is normalized to form a normalized matrix as follows:
Figure BDA0003102143220000113
the weighted normalized decision matrix is calculated as follows:
Figure BDA0003102143220000114
the positive ideal solution Z + and the negative ideal solution Z-are respectively:
Z+=[0.0423 0.1085 0.0419 0.0187 0.0487 0.0276 0.1284 0.0047 0.0049 0.0122 0.0040 0.0103 0.0149]
Z-=[0.0106 0.0310 0.0105 0.0070 0.0348 0.0215 0.0482 0.0009 0.0014 0.0061 0.0020 0.0051 0.0085]
the distance between each behavior attack difficulty coefficient and the positive and negative ideal solutions is as follows:
d+=[0.0871 0.0905 0.1120 0.0520 0.0976 0.0384 0.1010 0.0864 0.1088 0.0762 0.0606]
d-=[0.0405 0.0387 0.0164 0.0913 0.0278 0.0996 0.0344 0.0391 0.0207 0.0473 0.0686]
calculating ideal solution closeness, and calculating to obtain an attack comprehensive difficulty coefficient of each behavior by combining the difficulty average value in the decision matrix as follows:
DI=[1.5141 1.2450 0.4215 3.0864 1.1072 4.7171 1.1132 1.4616 0.5891 1.6505 2.5722]
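Steps 5) to 7) carried through on a small constructed decision matrix, as an added example that is not part of the patent text. Because formula images (5) to (8) are not reproduced on this page, the vector normalization, the Euclidean distances, the use of column maxima for Z+ and the final scaling of the closeness by the row mean of the decision matrix are assumptions; `SAMPLE_C`, `SAMPLE_W` and the function names are illustrative, while the d+ and d- vectors are copied from the lines above.

```python
"""TOPSIS difficulty coefficient (added example, not code from the patent)."""
import math

# d+ and d- of the 11 attack behaviours, copied from the worked example above.
PAGE_D_PLUS = [0.0871, 0.0905, 0.1120, 0.0520, 0.0976, 0.0384,
               0.1010, 0.0864, 0.1088, 0.0762, 0.0606]
PAGE_D_MINUS = [0.0405, 0.0387, 0.0164, 0.0913, 0.0278, 0.0996,
                0.0344, 0.0391, 0.0207, 0.0473, 0.0686]

# Constructed sample: 3 behaviours x 3 index elements, difficulty scored 1-9.
SAMPLE_C = [[7, 9, 5],   # hardest behaviour on every index
            [1, 3, 1],   # easiest behaviour on every index
            [4, 6, 3]]   # exactly halfway between the two
SAMPLE_W = [0.5, 0.3, 0.2]  # constructed index weights, sum to 1


def closeness(d_plus, d_minus):
    """Relative closeness to the positive ideal solution, in [0, 1]."""
    total = d_plus + d_minus
    if total == 0:
        raise ValueError("all behaviours score identically; closeness undefined")
    return d_minus / total


def topsis_difficulty(C, W):
    """Return Z+, Z-, d+, d-, closeness and difficulty coefficient DI."""
    s, t = len(C), len(W)
    if s == 0 or any(len(row) != t for row in C):
        raise ValueError("decision matrix must be s x t with t = len(W)")
    # Step 5: vector-normalise each column (assumed normalisation).
    norms = [math.sqrt(sum(C[i][j] ** 2 for i in range(s))) for j in range(t)]
    if any(n == 0 for n in norms):
        raise ValueError("an index column is all zeros")
    # Step 6: weighted normalised matrix Z_ij = W_j * D_ij.
    Z = [[W[j] * C[i][j] / norms[j] for j in range(t)] for i in range(s)]
    # Step 7: larger value = harder, so Z+ is the column maximum.
    z_pos = [max(Z[i][j] for i in range(s)) for j in range(t)]
    z_neg = [min(Z[i][j] for i in range(s)) for j in range(t)]
    d_pos = [math.dist(row, z_pos) for row in Z]
    d_neg = [math.dist(row, z_neg) for row in Z]
    close = [closeness(p, m) for p, m in zip(d_pos, d_neg)]
    # Assumed combination: closeness scaled by the behaviour's mean raw score.
    di = [close[i] * sum(C[i]) / t for i in range(s)]
    return {"z_pos": z_pos, "z_neg": z_neg, "d_pos": d_pos,
            "d_neg": d_neg, "closeness": close, "DI": di}


def page_closeness():
    """Closeness of each behaviour computed from the page's d+ and d-."""
    return [closeness(p, m) for p, m in zip(PAGE_D_PLUS, PAGE_D_MINUS)]


if __name__ == "__main__":
    result = topsis_difficulty(SAMPLE_C, SAMPLE_W)
    print("sample closeness:", [round(x, 4) for x in result["closeness"]])
    print("sample DI:", [round(x, 4) for x in result["DI"]])
    print("page closeness:", [round(x, 4) for x in page_closeness()])
```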
the attack success probability of each attack path is calculated (assuming that the attack cost c is 1), as shown in table 4:
TABLE 4
Figure BDA0003102143220000121
Further, taking the IEEE 39 node standard system as an example, with the power grid structure shown in FIG. 4, a simulation analysis of system faults caused by network attacks is carried out. The low-frequency load shedding rounds are configured with reference to those of a power grid in a certain region of China, as shown in Table 5:
TABLE 5
Figure BDA0003102143220000122
Consider the following two types of attack scenarios:
(1) Attack scenario one: an attacker intrudes into the dispatching master station and, using the telecontrol workstation function, remotely controls the substations under its jurisdiction, maliciously issuing control commands or modifying relay protection settings so that two substations are shut down simultaneously.
Assume that the two substations corresponding to nodes 37# and 38# are shut down at the same time. Because both are step-up substations for generator sets, the shutdown causes a loss of about 1370 MW of active power fed into the system. As a result of the outage, the system bus frequency drops to 48.4 Hz, which triggers low-frequency load shedding that cuts a total of 1500 MW of load; the bus frequency then gradually recovers to near the rated value. The change in system frequency is shown in Fig. 5.
This attack scenario corresponds to network attack paths 3 and 4 of the substation monitoring system, whose attack success probabilities are 0.1520 and 0.1172, respectively. Assuming that the probability that tampering with the settings of the relay protection device triggers a false trip of primary equipment is 0.8, the network attack destructive power evaluation factors for the 2 paths are shown in Table 6:
TABLE 6

| Path number | Attack success probability P | Load loss L (MW) | Impact trigger probability r | Destructive power evaluation factor A |
|---|---|---|---|---|
| 3 | 0.1520 | 1500 | 1 | 228 |
| 4 | 0.1172 | 1500 | 0.8 | 140.6 |
(2) Attack scenario two: an attacker intrudes into the substation monitoring system and maliciously issues control commands or modifies relay protection settings, so that one substation is shut down.
Assume that the substation corresponding to node 38# is shut down, causing a loss of about 830 MW of active power fed into the system. The outage causes the system bus frequency to drop to 48.8 Hz, which triggers low-frequency load shedding that cuts a total of 738 MW of load; the bus frequency then gradually recovers to near the rated value. The change in system frequency is shown in Fig. 6.
This attack scenario corresponds to network attack paths 1, 2, 5 and 6 of the substation monitoring system, whose attack success probabilities are 0.3204, 0.1771, 0.2363 and 0.1751, respectively. Similarly, assuming that the probability that tampering with the settings of the relay protection device triggers a false trip of primary equipment is 0.8, the network attack destructive power evaluation factors for the 4 paths are shown in Table 7:
TABLE 7

| Path number | Attack success probability P | Load loss L (MW) | Impact trigger probability r | Destructive power evaluation factor A |
|---|---|---|---|---|
| 1 | 0.3204 | 738 | 1 | 236.5 |
| 2 | 0.1771 | 738 | 1 | 130.7 |
| 5 | 0.2363 | 738 | 0.8 | 139.5 |
| 6 | 0.1751 | 738 | 0.8 | 103.4 |
The destructive power of the network attack scenarios against the substation monitoring system in this case is summarized in Table 8:
TABLE 8 (summary of the destructive power of the attack scenarios; shown only as an image in the original publication)
As Table 8 shows, in the overall comparison, the attack path in which intrusion into the substation monitoring host causes a shutdown has the highest success probability; although the load shedding impact of shutting down a single substation is small, comprehensive analysis shows that this path has the largest destructive power evaluation factor. The attack path in which remote commands issued from the dispatching master station shut down two substations simultaneously has a low success probability but a large load shedding impact, and comprehensive analysis shows that its destructive power evaluation factor ranks second. The attack path in which intrusion into the protection device causes the outage of a single substation has a mid-range success probability, a small load shedding impact and an impact trigger probability smaller than 1, and comprehensive analysis shows that its destructive power evaluation factor is the smallest. The above is an implementation case of quantitatively evaluating the destructive power of network attacks with this method.
The present invention further provides a system 200 for evaluating the network attack destructive power degree of a power monitoring system, as shown in Fig. 7, comprising:
a probability calculation unit 201, which determines a network attack behavior path for the power monitoring system, determines a network attack behavior difficulty coefficient according to the network attack behavior path, and determines the success probability of the network attack under a specific attack cost according to the network attack behavior difficulty coefficient;
a fault simulation unit 202, which determines the load loss of the power system caused by the network attack behavior;
and an evaluation unit 203, which determines the impact probability of the network attack behavior and determines the network attack destructive power degree of the power monitoring system according to the load loss, the success probability of the network attack and the impact probability.
Determining the network attack behavior difficulty coefficient comprises the following steps:
constructing, according to the network attack behavior path, a hierarchical structure model for evaluating the difficulty of network attack behaviors, the hierarchical structure model comprising a target layer, a criterion layer, an index layer and a behavior layer;
determining the relative importance of the different factors in the criterion layer, and constructing a judgment matrix of the criterion layer with respect to the target layer;
determining the relative importance of the different factors in the index layer, and constructing a judgment matrix of the index layer with respect to the criterion layer;
obtaining the maximum eigenvalue and the corresponding eigenvector of each judgment matrix, and performing a consistency check on the judgment matrix;
if the consistency check is passed, determining the weight vector of the index-layer elements with respect to the target-layer element from the eigenvector corresponding to the maximum eigenvalue;
establishing a decision matrix of the behavior-layer elements with respect to the index-layer elements;
establishing a weighted normalized decision matrix from the decision matrix and the weight vector of the index-layer elements with respect to the target-layer element;
and determining the network attack behavior difficulty coefficient from the weighted normalized decision matrix.
In the hierarchical structure model, the target layer is established with the calculation of the network attack behavior difficulty coefficient as the target element; the criterion layer is established with the attacker's skill and the important configuration items of the attacked object as the reference criterion elements; the index layer is established from the evaluation index elements for the attacker's skill and the configuration of the attacked object; and the behavior layer is established with each behavior of the network attack as a behavior element.
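The steps above follow the analytic hierarchy process (judgment matrix, consistency check, weight vector) followed by TOPSIS (weighted normalized decision matrix, ideal solutions, closeness). The sketch below is an added example, not code from the patent: the judgment and decision matrices are constructed samples, and Saaty's random-index values and vector normalization are assumptions. Only the d+ and d- vectors are taken from the worked example; the final step to DI needs the decision-matrix averages, which are not reproduced here, so the example stops at closeness.

```python
import math

# Saaty's commonly tabulated random-index values for n = 1..9 (assumption:
# the RI table used by the patent is not reproduced in this section).
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def ahp_weights(J, iters=200):
    """Return (weights, lambda_max, CR) for a pairwise judgment matrix J (n <= 9)."""
    n = len(J)
    w = [1.0 / n] * n
    for _ in range(iters):  # power iteration converges to the principal eigenvector
        v = [sum(J[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    Jw = [sum(J[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(Jw[i] / w[i] for i in range(n)) / n      # estimate of lambda_max
    ci = (lam - n) / (n - 1) if n > 2 else 0.0         # consistency index
    cr = ci / RI[n] if RI[n] else 0.0                  # consistency ratio
    return w, lam, cr

def topsis_distances(D, W):
    """Distances of each row of D to the positive and negative ideal solutions."""
    m, n = len(D), len(W)
    # Vector normalization per column (assumed; the page's matrix is an image).
    norms = [math.sqrt(sum(D[i][j] ** 2 for i in range(m))) or 1.0 for j in range(n)]
    V = [[W[j] * D[i][j] / norms[j] for j in range(n)] for i in range(m)]
    z_pos = [max(row[j] for row in V) for j in range(n)]  # Z+ : column maxima
    z_neg = [min(row[j] for row in V) for j in range(n)]  # Z- : column minima
    return [math.dist(r, z_pos) for r in V], [math.dist(r, z_neg) for r in V]

def closeness(d_pos, d_neg):
    """Closeness to the ideal solution: d- / (d+ + d-)."""
    return [dn / (dp + dn) if dp + dn else 0.0 for dp, dn in zip(d_pos, d_neg)]

# Constructed judgment matrices (not from the patent).
SAMPLE_J = [[1, 3, 5], [1 / 3, 1, 2], [1 / 5, 1 / 2, 1]]        # nearly consistent
INCONSISTENT_J = [[1, 5, 1 / 5], [1 / 5, 1, 5], [5, 1 / 5, 1]]  # cyclic preferences

# Constructed decision matrix: 4 behaviors scored 1-5 on 3 indices.
SAMPLE_D = [[2, 3, 1], [4, 4, 5], [1, 2, 2], [3, 5, 4]]

# d+ and d- as printed in the worked example (11 behaviors).
PAGE_D_POS = [0.0871, 0.0905, 0.1120, 0.0520, 0.0976, 0.0384,
              0.1010, 0.0864, 0.1088, 0.0762, 0.0606]
PAGE_D_NEG = [0.0405, 0.0387, 0.0164, 0.0913, 0.0278, 0.0996,
              0.0344, 0.0391, 0.0207, 0.0473, 0.0686]

if __name__ == "__main__":
    for name, J in (("sample", SAMPLE_J), ("inconsistent", INCONSISTENT_J)):
        w, lam, cr = ahp_weights(J)
        verdict = "pass" if cr < 0.1 else "fail: revise the judgments"
        print(f"{name}: lambda_max={lam:.4f} CR={cr:.4f} -> {verdict}")
    w, _, _ = ahp_weights(SAMPLE_J)
    print("sample closeness:", [round(c, 4) for c in closeness(*topsis_distances(SAMPLE_D, w))])
    print("page closeness:  ", [round(c, 4) for c in closeness(PAGE_D_POS, PAGE_D_NEG)])
```

With the printed d+ and d-, behavior 6 has the highest closeness and behavior 3 the lowest, matching the largest and smallest entries of DI.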
Determining the success probability of the network attack comprises: determining a success probability function for any single network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
The load loss is obtained by simulation calculation of power system faults.
Under a specific attacker skill, attack cost and power monitoring system configuration, the method takes into account both the probability of a network attack event against the power monitoring system and its impact on the operation of the primary power system. It thereby achieves a comprehensive evaluation of the destructive power of network attack events that is tied to the operational consequences for the primary power system, and provides a technical reference for accurately evaluating the network attack destructive power degree of the power monitoring system.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for evaluating the network attack destructive power degree of a power monitoring system, the method comprising:
determining a network attack behavior path aiming at the power monitoring system, determining a network attack behavior difficulty coefficient according to the network attack behavior path, and determining the success probability of network attack under a specific attack cost according to the network attack behavior difficulty coefficient;
determining the load loss amount of the power system caused by the network attack behavior;
and determining the influence probability of the network attack behavior, and determining the network attack destructive power degree of the power monitoring system according to the load loss amount, the success probability and the influence probability of the network attack.
2. The method of claim 1, wherein determining the network attack behavior difficulty coefficient comprises:
constructing, according to the network attack behavior path, a hierarchical structure model for evaluating the difficulty of network attack behaviors, the hierarchical structure model comprising a target layer, a criterion layer, an index layer and a behavior layer;
determining the relative importance of the different factors in the criterion layer, and constructing a judgment matrix of the criterion layer with respect to the target layer;
determining the relative importance of the different factors in the index layer, and constructing a judgment matrix of the index layer with respect to the criterion layer;
obtaining the maximum eigenvalue and the corresponding eigenvector of each judgment matrix, and performing a consistency check on the judgment matrix;
if the consistency check is passed, determining the weight vector of the index-layer elements with respect to the target-layer element from the eigenvector corresponding to the maximum eigenvalue;
establishing a decision matrix of the behavior-layer elements with respect to the index-layer elements;
establishing a weighted normalized decision matrix from the decision matrix and the weight vector of the index-layer elements with respect to the target-layer element;
and determining the network attack behavior difficulty coefficient from the weighted normalized decision matrix.
3. The method of claim 2, wherein, in the hierarchical structure model, the target layer is established with the calculation of the network attack behavior difficulty coefficient as the target element; the criterion layer is established with the attacker's skill and the important configuration items of the attacked object as the reference criterion elements; the index layer is established from the evaluation index elements for the attacker's skill and the configuration of the attacked object; and the behavior layer is established with each behavior of the network attack as a behavior element.
4. The method of claim 1, wherein determining the success probability of the network attack comprises: determining a success probability function for any single network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
5. The method of claim 1, wherein the load loss is calculated from power system fault simulation.
6. A system for evaluating the network attack destructive power degree of a power monitoring system, the system comprising:
the probability calculation unit is used for determining a network attack behavior path aiming at the power monitoring system, determining a network attack behavior difficulty coefficient according to the network attack behavior path, and determining the success probability of network attack under a specific attack cost according to the network attack behavior difficulty coefficient;
the fault simulation unit is used for determining the load loss of the power system caused by the network attack behavior;
and the evaluation unit is used for determining the influence probability of the network attack behavior and determining the network attack destructive power degree of the power monitoring system according to the load loss amount, the success probability and the influence probability of the network attack.
7. The system of claim 6, wherein determining the network attack behavior difficulty coefficient comprises:
constructing, according to the network attack behavior path, a hierarchical structure model for evaluating the difficulty of network attack behaviors, the hierarchical structure model comprising a target layer, a criterion layer, an index layer and a behavior layer;
determining the relative importance of the different factors in the criterion layer, and constructing a judgment matrix of the criterion layer with respect to the target layer;
determining the relative importance of the different factors in the index layer, and constructing a judgment matrix of the index layer with respect to the criterion layer;
obtaining the maximum eigenvalue and the corresponding eigenvector of each judgment matrix, and performing a consistency check on the judgment matrix;
if the consistency check is passed, determining the weight vector of the index-layer elements with respect to the target-layer element from the eigenvector corresponding to the maximum eigenvalue;
establishing a decision matrix of the behavior-layer elements with respect to the index-layer elements;
establishing a weighted normalized decision matrix from the decision matrix and the weight vector of the index-layer elements with respect to the target-layer element;
and determining the network attack behavior difficulty coefficient from the weighted normalized decision matrix.
8. The system of claim 7, wherein, in the hierarchical structure model, the target layer is established with the network attack behavior difficulty coefficient as the target element; the criterion layer is established with the attacker's skill and the important configuration items of the attacked object as the reference criterion elements; the index layer is established from the evaluation index elements for the attacker's skill and the configuration of the attacked object; and the behavior layer is established with each behavior of the network attack as a behavior element.
9. The system of claim 6, wherein determining the success probability of the network attack comprises: determining a success probability function for any single network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
10. The system of claim 6, wherein the load loss is calculated from power system fault simulation.
CN202110635379.3A 2021-06-04 2021-06-04 Method and system for evaluating network attack destructive power degree of power monitoring system Pending CN113408117A (en)


Publications (1)

Publication Number Publication Date
CN113408117A true CN113408117A (en) 2021-09-17



Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114662328A (en) * 2022-03-30 2022-06-24 国网浙江省电力有限公司经济技术研究院 Power system resilience assessment method considering network attack
CN114662328B (en) * 2022-03-30 2024-04-26 国网浙江省电力有限公司经济技术研究院 Power system restoring force evaluation method considering network attack


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination