CN113507430B - Method and system for detecting information physical cooperation attack of power system - Google Patents
Method and system for detecting information physical cooperation attack of power system Download PDFInfo
- Publication number
- CN113507430B CN113507430B CN202110506783.0A CN202110506783A CN113507430B CN 113507430 B CN113507430 B CN 113507430B CN 202110506783 A CN202110506783 A CN 202110506783A CN 113507430 B CN113507430 B CN 113507430B
- Authority
- CN
- China
- Prior art keywords
- attack
- node
- sample
- data
- area
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 238000005259 measurement Methods 0.000 claims abstract description 33
- 238000001514 detection method Methods 0.000 claims abstract description 31
- 239000013598 vector Substances 0.000 claims description 27
- 230000008859 change Effects 0.000 claims description 22
- 230000008569 process Effects 0.000 claims description 14
- 239000011159 matrix material Substances 0.000 claims description 13
- 230000004888 barrier function Effects 0.000 claims description 11
- 238000004364 calculation method Methods 0.000 claims description 6
- 238000002347 injection Methods 0.000 claims description 5
- 239000007924 injection Substances 0.000 claims description 5
- 238000012795 verification Methods 0.000 claims description 5
- 230000007547 defect Effects 0.000 abstract description 2
- 230000001364 causal effect Effects 0.000 abstract 1
- 230000001360 synchronised effect Effects 0.000 abstract 1
- 230000006399 behavior Effects 0.000 description 11
- 230000002159 abnormal effect Effects 0.000 description 5
- 230000008901 benefit Effects 0.000 description 5
- 238000010219 correlation analysis Methods 0.000 description 5
- 230000000694 effects Effects 0.000 description 5
- 238000012544 monitoring process Methods 0.000 description 5
- 230000009467 reduction Effects 0.000 description 4
- 230000007480 spreading Effects 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000005065 mining Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000010485 coping Effects 0.000 description 1
- 230000007423 decrease Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a physical cooperation attack detection method and a physical cooperation attack detection system for electric power system information.A hierarchical topological structure chart of a power grid is established according to measurement data of a synchronous phasor measurement unit, and a target search area is continuously expanded on the basis of a root node to finally determine an attack area; based on historical sample data, calculating the similarity between the sample to be detected and the historical sample, thereby approximately restoring the original data of the sample subjected to the attack; through deep matching of attack behavior characteristics, effective detection of information physical cooperation attack aiming at the power system is achieved. The method deeply analyzes the causal association of the network attack and the physical consequence, realizes the deep matching of attack characteristics, reduces the false alarm rate, and overcomes the defect that the prior method for efficiently detecting the physical cooperative attack of the power information is lack.
Description
Technical Field
The invention relates to the technical field of power systems, in particular to a method and a system for detecting information physical cooperation attack of a power system.
Background
With the continuous promotion of the information construction of the power system, the possibility that the power network is subjected to malicious attack is higher and higher, so that power grid blackout accidents caused by network attack occur in various countries in the world in recent years. From the perspective of an attacker, in order to cause great damage to a power grid, the attacker often causes serious damage to a power system along with physical attack, namely, in a mode of information physical cooperation attack, while starting network attack.
However, a detection method for the power information physical cooperation attack is lacking at present. Most of the existing methods are focused on the detection of network attacks, and the incidence relation between the network attacks and physical consequences is not analyzed. Therefore, an effective detection method for cooperative attack of the power information physical system is urgently needed to be developed, and the safe and stable operation level of the power grid is improved.
Disclosure of Invention
The invention aims to solve the technical problem that the prior art is not enough, and provides a method and a system for detecting the cyber-physical cooperation attack of a power system, so that the physical representation influence of the cyber-attack on the safe operation of the power system is deeply analyzed, and the problem that the cyber-physical cooperation attack of the power system is difficult to detect is effectively solved.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: a method for detecting information physical cooperation attack of a power system comprises the following steps:
s1: obtaining phase angle of PMU node, calculating difference value delta theta between phase angle of PMU node at current moment and phase angle of PMU node at last moment, selecting difference value delta theta with maximum phase anglemaxThe PMU node of (1) is used as a root node;
s2: establishing a hierarchical topological structure G of the power grid according to the root node selected in the step S1;
s3: according to the hierarchical topology G and with the maximum difference Delta thetamaxThe root node continuously expands the target search area S and determines an attack area A;
s4: inputting n m-dimensional historical sample data, and determining the historical sample z with the highest similarity to the target detection samplekI.e. consider zkFor the original sample z suspected of being attacked0;
S5: from the original sample z0And calculating the injected malicious data delta z ═ z ' -z ' of the sample z ' to be detected0Checking the attack characteristics of the delta z data, and further determining whether the delta z data is attacked by malicious data;
s6: after the attack is determined, the attack area A is calculatedNode phase angle value theta after disconnection of any lineoutWith true phase angle measurement thetatAnd according to the similarity, positioning the fault line subjected to the attack.
The method firstly analyzes the physical fault spreading mechanism, establishes a hierarchical topological structure of the power grid, and realizes the approximate restoration of the original sample suffering the attack by carrying out the correlation analysis on the target detection sample and the mass normal historical samples. Secondly, the node state change trend before and after the power system is subjected to physical attack is fully considered, and similarity analysis is carried out by utilizing a PMU phase angle measurement value with high real-time performance and high precision and the phase angle change quantity of an original sample subjected to physical attack, so that an actual attack target is determined. And finally, carrying out deep matching on the attack behaviors by utilizing the attack characteristics of the malicious data attack behaviors, such as barrier effect, data consistency, boundary jump characteristic and the like so as to improve the precision of the detection method.
The specific implementation process of step S2 includes:
s2-1: starting from a root node i, taking a node connected with the root node i as a node of a layer 1, and bringing a line connected with the root node and the node of the layer 1 into a topological structure;
s2-2: and repeating the step S2-1 until all nodes and lines of the whole power grid are traversed to form a hierarchical topological structure G of the power grid.
In the step, a hierarchical structure of the whole power grid is established by traversing all nodes and lines of the power grid topological structure. The method has the advantages that the spreading process of the fault element taking the root node as the center can be more intuitively expressed, and meanwhile, a foundation is provided for the expansion of the subsequent target search area S and the determination of the attack area A.
In order to effectively reduce the search space of the elements and significantly reduce the time complexity of the search, so that the whole method is more efficient, in step S3, the specific implementation process of determining the attack area a includes:
s3-1: starting from a root node i, taking a node connected with the root node as a boundary node, and including a line connected with the root node and the boundary node to form an initial structure of a target search area S;
s3-2: recording the phase angle change Delta theta of all boundary nodesΩObtaining the maximum value Delta theta of the phase angle change of the boundary nodesmax;
S3-3: determination of Delta thetamaxWhether the current target search area S is smaller than a set threshold value gamma or not is judged, if so, the expansion of the target search area is stopped, and the current target search area S is the final attack area A; otherwise, the nodes and routes connected to the border node are added to the target search area, and the process returns to step S3-2.
In step S4, original sample z0The specific acquisition process comprises: according to the line and the node corresponding to the attack area A, removing the sample z' to be detected and any historical sample zkMeasuring data belonging to the attack region in the middle to obtain corresponding low-dimensional data samples
And
will be reacted with zrHistorical samples with minimum distance
As an original sample z0Wherein
and zrThe distance calculation formula of (c) is:
and
respectively represent vectors
And i-th dimension data in zr, mNIs in the direction ofMeasurement of
And the total dimension of zr.
According to the invention, the correlation analysis is carried out on the normal measured value sample and the sample suffering from the information physical cooperation attack, so that the original measured sample which can be tampered by malicious data is selected. The attack scene of malicious data tampering under the real condition is fully considered, namely the attack capability of an attacker is considered to be limited, and the launched attack conforms to a local malicious data attack model based on a small amount of network parameter information. By fully mining the abnormal data characteristics of the malicious data samples, the strongly related samples are screened, and the interference of irrelevant samples on the detection process is avoided, so that the effectiveness of the detection method is ensured.
In step S5, the specific implementation process of verifying the attack characteristic of the attack data Δ z includes:
s5-1: calculating the measurement variation of the attack area A
And the measurement variation of the non-attack region
Wherein vectors formed by measuring elements belonging to the attack area and the non-attack area in the sample to be detected are z'AAnd z'NOriginal sample z0The vectors composed of the measuring elements belonging to the attack area and the non-attack area are respectively
And
s5-2: calculating Δ zAAverage value of all elements in etaAAnd Δ zNAverage value of all elements in etaN;
S5-3: if etaA/ηNIf > σ, it is assumed that the measurement in the attack region A is tamperedThe amount of change is much larger than the amount of measurement tampering in a non-attack area, and sigma is a judgment delta zAAnd Δ zNThe threshold value of the great difference between the two values further increases the possibility that the sample to be detected is attacked by malicious data;
the invention deeply analyzes the attack characteristics, reduces the false alarm rate of the attack, can capture the network attack behavior hidden in the normal behavior with high precision, and provides an effective attack monitoring tool for the safe operation of the power grid.
In order to further analyze the attack features deeply and reduce the false alarm rate of the attack, after the step S5-3, the method further includes:
s5-4: verifying a metrology change Δ z in an attack regionAWhether the data consistency principle of malicious data injection is met or not is specifically realized by the following steps:
s5-4-1: inputting the topological structure and the line parameter information of the current determined attack area, and calculating the Jacobian matrix H of the attack areaAAnd calculating the best estimation state of the current power system by using a least square method
S5-4-2: carrying out data consistency check on the measurement sample carrying malicious input data in the attack area, namely checking whether the residual error of the sample to be detected is smaller than a set threshold value tau, if so, determining delta zAThe data consistency principle of malicious data injection is met; the check formula is:
wherein | · | purple sweet2Representing the 2 norm of the vector.
Since the constructed attack data must satisfy the barrier condition of the boundary node in the attack area to ensure that the malicious data injected into the attack area a does not cause the trend of the non-attack area to change, the method further includes, after step S5-4:
s5-5: verification of attack data Δ zAWhether the state change of the boundary node of the attack area meets the 'barrier condition' or not is verified by a formulaThe following were used:
Δθij=0i,j∈Ω
wherein, Delta thetaijIs the phase angle difference between node i and node j; the set omega contains all boundary nodes of the attack area A;
the voltage magnitude before node i is attacked.
According to the step, whether the sample to be detected is a sample attacked by malicious data or not can be determined according to the verification of the attack characteristics of the attack data delta z, namely the measurement tampering characteristics of the attack area and the non-attack area, the data consistency principle of the attack data and the boundary 'barrier condition'. After it is determined that the malicious data attack is suffered, the specific fault line is located through step S6.
The specific implementation process in step S6 includes:
from the original sample z0Extracting a node load vector true value D and a generator output power vector true value P, and calculating a node phase angle value theta after the power grid is attackedout;
Calculating thetaoutWith true phase angle measurement thetatCosine similarity of (d); let the phase angle value theta of the nodeoutThe corresponding coordinate in the rectangular coordinate system is (x)1,x2) True phase angle measurement θtThe coordinates in the rectangular coordinate system are (x'1,x′2) Then the cosine similarity of the two phase angles is:
selecting the minimum value of all cosine similarity degrees, judging whether the minimum value is smaller than a set threshold value, and if so, judging that the line l is a fault line subjected to information physical cooperative attack; otherwise, judging that the line has no fault.
The method fully utilizes the characteristics of strong real-time phase angle variation of the PMU and high phase angle measurement precision of the PMU, and realizes high-precision detection of physical attack in the cooperative attack by comparing the original state reduction suffering from the information physical cooperative attack and the phase angle variation trend.
Nodal phase angle value thetaoutThe calculation formula of (2) is as follows:
θout=X·(KP·P-KD·D)
wherein X is a line reactance matrix, KP is a generator-node connection matrix, and KD is a load-node connection matrix; p and D are each independently from z0The real value of the node load vector and the real value of the generator output power vector are extracted.
The advantage of this step is that the original sample z which is required to be tampered by malicious data is fully utilized0By extracting z0The actual values of the output power of the generator and the node load approximately restore the node phase angle value theta of the current stateoutAnd reliable data support is provided for detecting a line with a fault in the real node phase angle observed value.
The invention also provides a physical cooperation attack detection system for the information of the power system, which comprises computer equipment; the computer device is configured or programmed for performing the steps of the above-described method.
Compared with the prior art, the invention has the beneficial effects that:
(1) the invention provides a physical collaborative attack detection method for power system information, which performs correlation analysis on malicious data attack characteristics and PMU (phasor measurement Unit) phase angle incremental characteristics, realizes collaborative attack monitoring for a power system, and overcomes the defect that the current attack monitoring method does not take physical characterization into consideration.
(2) The invention provides an optimal reduction method of a search area, which carries out the optimal reduction of a target search area through the increment of PMU, effectively reduces the search number of system elements and obviously reduces the time complexity of the whole method.
(3) The invention realizes the deep matching of the attack behavior by utilizing the barrier effect, the data consistency and the boundary jump characteristic of the attack behavior, reduces the false alarm rate and improves the efficiency and the accuracy of the attack detection of the malicious data.
Drawings
FIG. 1 is a flow chart of an implementation of an embodiment of the present invention.
Detailed Description
Fig. 1 is a flowchart of a method for detecting an information physical cooperation attack of an electric power system according to an embodiment of the present invention, which includes the following specific steps:
step S1: obtaining phase angle of PMU node, calculating difference value delta theta with last collection time, selecting difference value delta theta with maximum phase anglemaxThe node of (2) is used as a root node;
step S2: establishing a hierarchical topological structure G of the power grid according to the root node selected in the step S1;
step S3: according to the hierarchical topology G and Delta thetamaxContinuously expanding a target disconnection area S and determining an attack area A by the corresponding root node;
step S4: inputting n m-dimensional historical sample data, and determining the historical sample z with the highest similarity to the target detection samplekI.e. consider zkFor the original sample z suspected of being attacked0;
Step S5: based on the original sample z obtained in step S40Calculating injected malicious data Δ z ═ z' -z0Checking the attack characteristics of the delta z data;
step S6: based on the original sample z obtained in step S40And checking the similarity between the phase angle calculation value after the line is disconnected in the target search area S and the real monitoring value, thereby accurately positioning the fault line.
The invention provides a detection method for the information physical cooperative attack of a power system, which analyzes abnormal data caused by the information physical cooperative attack and physical faults concealed by malicious data and accurately positions a physical attack target line, so that a control center can make a timely coping strategy and avoid the spreading of the faults. The traditional malicious data attack detection method focuses on analyzing abnormal features of measured data after attack, and even if abnormal data after attack can be detected, specific fault lines cannot be positioned in the face of information physical cooperative attack in an actual scene, so that an effective defense strategy cannot be made in time. The detection method provided by the invention firstly analyzes the physical fault spreading mechanism, establishes the hierarchical topological structure of the power grid, and realizes the approximate restoration of the original sample suffering from the attack by performing the correlation analysis on the target detection sample and the massive normal historical samples. Secondly, the node state change trend before and after the power system is subjected to physical attack is fully considered, and similarity analysis is carried out by utilizing a PMU phase angle measurement value with high real-time performance and high precision and the phase angle change quantity of an original sample subjected to physical attack, so that an actual attack target is determined. And finally, carrying out deep matching on the attack behaviors by utilizing the attack characteristics of the malicious data attack behaviors, such as barrier effect, data consistency, boundary jump characteristic and the like so as to improve the precision of the detection method.
Further, step S2 includes:
step S2-1: starting with a root node i, taking a node connected with the node i as a node of a layer 1, and incorporating a line connected with the root node and the node of the layer 1;
step S2-2: and repeating the step S2-1 until all nodes and lines of the whole power grid are traversed, thereby forming the hierarchical topology G.
Further, step S3 includes:
step S3-1: starting from a root node i, taking a node connected with the root node as a boundary node, and including a line connected with the root node and the boundary node to form an initial structure of a target search area S;
step S3-2: recording the phase angle change Delta theta of all boundary nodesΩAnd calculating the maximum value delta theta of the phase angle change of the boundary nodesmax;
Step S3-3: determination of Delta thetamaxWhether it is less than some set threshold value γ, where γ is typically taken to be 5 °; if the search area is smaller than the threshold value gamma, the current search area is an attack area A; if greater than or equal to the threshold gamma, the nodes to be connected to the border nodeThe point and the line are added to the search area S, and the process returns to step S3-2.
In step S3, the area where the faulty element is most affected is the adjacent area according to the fault proximity effect principle. As the electrical distance from the fault region increases, the amount of change in the corresponding PMU phase angle also decreases gradually. Thus, when the amount of phase angle change is less than a certain threshold, the characteristics of the element failure are no longer reflected and therefore are no longer included in the search area. The advantage of step S3 is that the search space of the element can be effectively reduced, and the time complexity of the search is significantly reduced, so that the whole method is more efficient.
Further, step S4 includes:
step S4-1: removing the measurement data belonging to the attack area A aiming at the historical sample zk and the target sample z' to be detected to form a new low-dimensional data sample
And zr;
Step S4-2: computing historical samples
And a target sample zrThe formula of the Euclidean distance is as follows:
wherein
And
representing a vector
And zrI-th dimensional data of (1), mNIs a vector
And zrThe dimension of (a), i.e., the dimension of the non-attack area;
step S4-3: the steps S4-1 and S4-2 are repeated for all the history samples, and the history sample having the smallest distance to the target sample zr is taken as the original sample z0。
In the step, the correlation analysis is carried out on the normal measured value sample and the sample suffering from the information physical cooperation attack, so that the original measured sample which can be tampered by malicious data is selected. The method has the advantages that the malicious data tampering attack scene under the real condition is fully considered, namely the attack capability of an attacker is considered to be limited, and the initiated attack conforms to a local malicious data attack model based on a small amount of network parameter information. In the step, the strong relevant samples are screened by fully mining the abnormal data characteristics of the malicious data samples, so that the interference of irrelevant samples on the detection process is avoided, and the effectiveness of the detection method is ensured.
Further as a preferred embodiment, step S5 includes:
step S5-1: sample z restored according to step S4-20Calculating the measurement change amount in the attack area A, namely:
wherein the vector composed of the measuring elements belonging to the attack area A in the sample to be detected is z'AOriginal sample z0Wherein the vector composed of the measurement elements belonging to the attack region A is
Similarly, the measurement variation in the non-attack region N is:
further, the meaning of Δ z is explained here, if the sample z' to be detected is a normal sample in a safe stateThis is then z1The difference Δ z from z' does not have any regular character; if z is0For raw measurement samples that have been subject to malicious data attacks, z is considered0The difference value Δ z from z' is a certain attack behavior characteristic that the attacker will satisfy when injecting malicious attack data.
Step S5-2: calculating Δ zAThe formula of the average value of all the elements in the formula is as follows:
wherein m isARepresentative vector Δ zAThe number of the elements in the (A) is,
is the vector Δ zAThe ith element of (1);
in the same way,. DELTA.zNThe number of elements contained in (1) is mNCan obtain Δ zNThe average of all elements in (A) is:
step S5-3: judgment of etaAAnd ηNDifference of (d) if ηA/ηNIf the measured tampering amount in the attack area A is more than that in the non-attack area, the measured tampering amount is considered to be more than that in the attack area A (sigma can be 10 generally), so that the possibility that the sample to be detected is attacked by malicious data is further increased;
step S5-4: verifying attack data Δ z in an attack regionAWhether a data consistency principle of malicious data injection is satisfied;
further as a preferred embodiment, step S5-4 includes:
step S5-4-1: inputting the topological structure and the line parameter information of the current determined attack area, and calculating the Jacobian matrix H of the attack areaAAnd calculating the best estimation state of the current power system by using a least square methodState of the art
Step S5-4-2: carrying out data consistency check on the measurement sample carrying malicious input data in the attack area, wherein the calculation formula is as follows:
wherein | · | purple sweet2Representing the 2 norm of the vector. The formula shows that when the residual error of the target detection sample is less than or equal to the set threshold τ, the sample is considered to satisfy the data consistency principle, and bad data detection by the control center can be performed.
Further, the above step S5-4 will be explained: in practical situations, the core unit of the power system energy management system has a state estimation capability, and can calculate the residual error of the system by using a Jacobian matrix of the system according to real-time measurement data collected from the field. And when the system residual error is larger than the set threshold value, the bad data is considered to exist. If an attacker wants to successfully launch the information physical cooperation attack, the tampering of the measured data must meet the principle of data consistency so as to escape the residual error detection, so that if a target detection sample carrying malicious data can meet the requirement of data consistency, the data can be considered as the data suspected to be attacked.
Step S5-5: verification of attack data Δ zAWhether the state change of the boundary node of the attack area meets the 'barrier condition' or not is verified, and delta z is verifiedAWhether the barrier condition of the malicious data attack based on the local information is met or not is determined, and the verification formula is as follows:
Δθij=0i,j∈Ω
wherein, Delta thetaijIs the phase angle difference between node i and node j; the set omega contains the attackAll boundary nodes of the area A;
the voltage amplitude of node i before attack. Namely, calculating the phase angle difference delta theta between any two nodes i and j in the attack regionijAnd whether the voltage amplitude of any boundary node is equal to the obtained voltage observation value or not is judged, so that whether the measurement value of the attack area is attacked by malicious data or not is verified.
Further, step S5-5 is explained: as described above, in consideration of the limited attack capability of the attacker, when the attacker launches the information physical cooperation attack, only a small amount of measured data can be tampered, so that the launched attack is a local attack model established under the incomplete information condition, that is, the non-attack area measured value does not need to be tampered. Therefore, the constructed attack data must satisfy the barrier condition of the boundary node in the attack area, thereby ensuring that the malicious data injected into the attack area a does not cause the trend of the non-attack area to change.
The step S5 performs depth feature matching on the attack data Δ z, that is, if Δ z simultaneously satisfies the boundary jump characteristic, data consistency, and boundary barrier effect of the attack data, it is determined that the injected malicious data is attack data. The steps deeply analyze the attack characteristics, reduce the false alarm rate of the attack, can capture the network attack behaviors hidden in the normal behaviors with high precision, and provide an effective malicious data attack detection tool for the safe operation of the power grid.
Further, step S6 includes:
s6-1: inputting a topological structure of a power grid and a line reactance matrix X;
s6-2: the original sample z obtained from step S40From z0Extracting a node load vector true value D and a generator output power vector true value P; calculating a node phase angle value theta after the power grid is attackedoutThe formula is as follows:
θout=X•(KP•P-KD•D)
wherein KP is generator-node connection matrix, KD is load-node connection matrix;
s6-3: calculating thetaoutWith true phase angle measurement thetatThe cosine similarity epsilon is as follows:
wherein the phase angle thetaoutThe corresponding coordinate in the rectangular coordinate system is (x)1,x2) Phase angle thetatThe corresponding coordinates in the rectangular coordinate system are (x'1,x′2);
S6-4: repeating the steps S6-1 to S6-3 for all lines, selecting the node with the minimum similarity, and if the similarity is less than 0.1, judging that the node is subjected to information physical cooperative attack, wherein the line l is a physical fault line caused by the attack; if the current value is greater than or equal to 0.1, the line l is judged not to be a fault line.
In the step, physical fault simulation is carried out on each line of the original target sample subjected to the information physical cooperation attack, and the accurate positioning of the fault line subjected to the information physical cooperation attack is realized by calculating the similarity between the phase angle quantity under the fault of each line and the collected actual phase angle monitoring value. The method has the advantages that the characteristics of strong real-time phase angle variation of the PMU and high phase angle measurement precision of the PMU are fully utilized, and the high-precision detection of the physical attack in the cooperative attack is realized by comparing the original state reduction suffering from the information physical cooperative attack and the phase angle variation trend.
Claims (10)
1. A method for detecting information physical cooperation attack of a power system is characterized by comprising the following steps:
s1, obtaining phase angle of PMU node, calculating difference value delta theta between the phase angle of PMU node at current moment and the phase angle of PMU node at last moment, and selecting the phase angle with maximum difference value delta thetamaxThe PMU node of (1) is used as a root node;
s2, establishing a hierarchical topological structure G of the power grid according to the root node selected in the step S1;
s3, according to the hierarchical topology G and with the maximum phase angle difference delta thetamaxThe root node continuously expands the target search area S and determines an attack area A;
s4, inputting n m-dimensional historical sample data, and determining the historical sample z with the highest similarity to the target detection samplekI.e. consider zkFor the original sample z suspected of being attacked0;
S5, according to the original sample z0And calculating the injected malicious data delta z ═ z ' -z ' of the sample z ' to be detected0Checking the attack characteristics of the delta z data, and further determining whether the delta z data is attacked by malicious data;
s6, determining the attack, and obtaining the original sample z obtained in the step S40Calculating the node phase angle value theta of any line l in the attack area A after the line is brokenoutWith true phase angle measurement thetatAccording to the similarity, positioning the fault line subjected to the attack;
2. the method for detecting the cyber-physical cooperation attack of the power system according to claim 1, wherein the step S2 is implemented by:
s2-1, starting from a root node i, taking a node connected with the root node i as a node of a layer 1, and bringing a line connected with the root node and the node of the layer 1 into a topological structure;
and S2-2, repeating the step S2-1 until all nodes and lines of the whole power grid are traversed to form a hierarchical topological structure G of the power grid.
3. The method for detecting the physical cooperation attack of the information in the power system according to claim 1, wherein in step S3, the specific implementation process for determining the attack area a includes:
s3-1, starting from the root node i, taking the node connected with the root node as a boundary node, and including the node connected with the boundary node into a line formed by the root node and the boundary node to form an initial structure of a target search area S;
s3-2, recording phase angle changes of all boundary nodesChange of Delta thetaΩObtaining the maximum value Delta theta of the phase angle change of the boundary nodesmax;
S3-3, judging the maximum value delta theta of the phase angle change of the boundary nodemaxAnd if the current target search area is smaller than the set threshold value gamma, stopping expanding the target search area, wherein the current target search area S is the final attack area A, otherwise, adding nodes and lines connected with the boundary nodes into the target search area, and returning to the step S3-2.
4. The method for detecting the cyber-physical cooperative attack of the power system according to claim 1, wherein in step S4, the original sample z is0The specific acquisition process comprises: according to the line and the node corresponding to the attack area A, removing the sample z' to be detected and any historical sample zkMeasuring data belonging to the attack region in the middle to obtain a corresponding low-dimensional data sample zrAnd
will be reacted with zrHistorical samples with minimum distance
As an original sample z0(ii) a Wherein,
and zrThe distance calculation formula of (c) is:
and
respectively represent vectors
And zrI-th dimensional data of (1), mNIs a vector
And zrIs measured.
5. The method for detecting the physical cooperation attack of the information of the electric power system according to claim 1, wherein in the step S5, the specific implementation process of checking the attack features of the attack data Δ z includes:
s5-1, calculating the measurement change of the attack area A
And the measurement variation of the non-attack region
Wherein vectors formed by measuring elements belonging to the attack area and the non-attack area in the sample to be detected are z'AAnd z'NOriginal sample z0The vectors composed of the measuring elements belonging to the attack area and the non-attack area are respectively
And
s5-2, calculating Delta zAAverage value of all elements in etaAAnd Δ zNAverage value of all elements in etaN;
S5-3, q.etaA/ηNIf the measured tampering amount in the attack area A is larger than the measured tampering amount in the non-attack area, the sigma is judged to be delta zAAnd Δ zNThe threshold value of the large difference between the two, thereby further increasing the possibility that the sample to be detected is attacked by malicious data.
6. The method for detecting the cyber-physical cooperation attack according to claim 1, further comprising, after step S5-3:
s5-4, verifying the measurement change quantity delta z in the attack regionAWhether the data consistency principle of malicious data injection is met or not is specifically realized by the following steps:
s5-4-1: inputting the topological structure and the line parameter information of the current determined attack area, and calculating the Jacobian matrix H of the attack areaAAnd calculating the best estimation state of the current power system by using a least square method
S5-4-2: carrying out data consistency check on the measurement sample carrying malicious input data in the attack area, namely checking whether the residual error of the sample to be detected is smaller than the set threshold value tau residual error, if so, delta zAThe data consistency principle of malicious data injection is met; the check formula is:
wherein | · | purple sweet2A 2-norm representative of the vector; z'AThe vector is composed of measurement elements which belong to an attack area in a sample to be detected; gamma is a set threshold value.
7. The method for detecting the cyber-physical cooperation attack according to claim 1, further comprising, after step S5-4:
s5-5, verifying attack data delta zAWhether the state change of the boundary node of the attack area meets the 'barrier condition' or not is judged, and the verification formula is as follows:
Δθij=0 i,j∈Ω
wherein, Delta thetaijBetween node i and node jPhase angle difference; the set omega contains all boundary nodes of the attack area A;
the voltage magnitude before node i is attacked.
8. The method for detecting the cyber-physical cooperation attack according to claim 1, wherein the specific implementation process in the step S6 includes:
from the original sample z0Extracting a node load vector true value D and a generator output power vector true value P, and calculating a node phase angle value theta after the power grid is attackedout;
Calculating thetaoutWith true phase angle measurement thetatCosine similarity of (d); let the phase angle value theta of the nodeoutThe corresponding coordinate in the rectangular coordinate system is (x)1,x2) True phase angle measurement θtThe coordinates in the rectangular coordinate system are (x'1,x′2) Then the cosine similarity of the two phase angles is:
selecting the minimum value of all cosine similarity degrees, judging whether the minimum value is smaller than a set threshold value, and if so, judging that the line l is a fault line subjected to information physical cooperative attack; otherwise, judging that the line has no fault.
9. The method for detecting the cyber-physical cooperative attack of the power system according to claim 8, wherein a node phase angle value θ isoutThe calculation formula of (2) is as follows:
θout=X·(KP·P-KD·D);
wherein X is a line reactance matrix, KP is a generator-node connection matrix, and KD is a load-node connection matrix; p and D are each independently from z0The section extracted fromThe actual value of the point load vector and the actual value of the generator output power vector.
10. A power system information physical cooperation attack detection system is characterized by comprising computer equipment; the computer device is configured or programmed for carrying out the steps of the method according to one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110506783.0A CN113507430B (en) | 2021-05-10 | 2021-05-10 | Method and system for detecting information physical cooperation attack of power system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110506783.0A CN113507430B (en) | 2021-05-10 | 2021-05-10 | Method and system for detecting information physical cooperation attack of power system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113507430A CN113507430A (en) | 2021-10-15 |
| CN113507430B true CN113507430B (en) | 2022-04-22 |
Family
ID=78008433
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110506783.0A Active CN113507430B (en) | 2021-05-10 | 2021-05-10 | Method and system for detecting information physical cooperation attack of power system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113507430B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114123495A (en) * | 2021-11-11 | 2022-03-01 | 广东电网有限责任公司广州供电局 | Power grid information physical fusion attack detection method, device, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104573510A (en) * | 2015-02-06 | 2015-04-29 | 西南科技大学 | Smart grid malicious data injection attack and detection method |
| CN106713354A (en) * | 2017-01-23 | 2017-05-24 | 全球能源互联网研究院 | Method for evaluating vulnerability node of electric cyber-physical system based on undetectable information attack pre-warning technology |
| CN110705831A (en) * | 2019-09-06 | 2020-01-17 | 华中科技大学 | Power angle instability mode pre-judgment model construction method after power system fault and application thereof |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2557334A (en) * | 2016-12-07 | 2018-06-20 | Reactive Tech Limited | Inertia characteristic |
| US11282149B2 (en) * | 2017-08-14 | 2022-03-22 | LO3 Energy Inc. | Exergy token |
| CN109639736A (en) * | 2019-01-25 | 2019-04-16 | 燕山大学 | A kind of Power system state estimation malicious attack detection and localization method based on OPTICS |
| CN111726323B (en) * | 2019-03-20 | 2021-04-06 | 中国科学院沈阳自动化研究所 | PMU (phasor measurement unit) deployment-based error data injection attack defense method in smart power grid |
-
2021
- 2021-05-10 CN CN202110506783.0A patent/CN113507430B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104573510A (en) * | 2015-02-06 | 2015-04-29 | 西南科技大学 | Smart grid malicious data injection attack and detection method |
| CN106713354A (en) * | 2017-01-23 | 2017-05-24 | 全球能源互联网研究院 | Method for evaluating vulnerability node of electric cyber-physical system based on undetectable information attack pre-warning technology |
| CN110705831A (en) * | 2019-09-06 | 2020-01-17 | 华中科技大学 | Power angle instability mode pre-judgment model construction method after power system fault and application thereof |
Non-Patent Citations (3)
| Title |
|---|
| A Double-Layer Cyber Physical Cooperative Emergency Control Strategy Modification Method for Cyber-Attacks Against Power System;Aidong Xu et al.;《APPEEC》;20200923;全文 * |
| Cyber-Attacks in PMU-Based Power Network and Countermeasures;CHUNMING TU et al.;《ACCESS》;20181029;全文 * |
| 电力系统同步相量异常数据检测与修复研究现状与展望;徐飞阳等;《中国电机工程学报》;20120412;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113507430A (en) | 2021-10-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110942109A (en) | PMU false data injection attack prevention method based on machine learning | |
| Wu et al. | Extreme learning machine-based state reconstruction for automatic attack filtering in cyber physical power system | |
| Mohammadpourfard et al. | A statistical unsupervised method against false data injection attacks: A visualization-based approach | |
| CN110909811A (en) | OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system | |
| Ruan et al. | An inertia-based data recovery scheme for false data injection attack | |
| CN108053128B (en) | Electric network transient stability rapid evaluation method based on ELM and TF | |
| CN113516357B (en) | Electric power system vulnerable line assessment method and system considering network attack risk | |
| Anwar et al. | A data-driven approach to distinguish cyber-attacks from physical faults in a smart grid | |
| CN104716646B (en) | A kind of node Coupling Degrees method based on Injection Current | |
| CN113191485B (en) | Power information network security detection system and method based on NARX neural network | |
| CN110930265A (en) | Power system false data injection attack detection method based on moving distance to ground | |
| CN113507430B (en) | Method and system for detecting information physical cooperation attack of power system | |
| CN112083275A (en) | Distribution network fault type identification method and system | |
| Lee et al. | Deep learning-based false sensor data detection for battery energy storage systems | |
| CN112804197B (en) | Power network malicious attack detection method and system based on data recovery | |
| Qu et al. | Detection of False Data Injection Attack in Power System Based on Hellinger Distance | |
| CN116886355B (en) | DDOS and false data injection collaborative attack optimization method of power system | |
| CN113361608A (en) | Hidden electricity stealing detection method based on transverse pair bit sum and neural network | |
| Paul et al. | A bagging mlp-based autoencoder for detection of false data injection attack in smart grid | |
| Deng et al. | Real-time detection of false data injection attacks based on load forecasting in smart grid | |
| CN104252685A (en) | Quick robust classification method of preconceived faults for power system transient stability assessment | |
| Jiang et al. | Location of false data injection attacks in power system | |
| CN114928500B (en) | Attack detection method and device for data injection enabled power grid network parameters | |
| CN113886765B (en) | Method and device for detecting error data injection attack | |
| Li et al. | Data-driven false data injection attacks on state estimation in smart grid |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |