CN113572771B - Power grid CPS network attack identification method and system - Google Patents
Power grid CPS network attack identification method and system Download PDFInfo
- Publication number
- CN113572771B CN113572771B CN202110841847.2A CN202110841847A CN113572771B CN 113572771 B CN113572771 B CN 113572771B CN 202110841847 A CN202110841847 A CN 202110841847A CN 113572771 B CN113572771 B CN 113572771B
- Authority
- CN
- China
- Prior art keywords
- training
- network attack
- measurement data
- sample
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 45
- 238000012549 training Methods 0.000 claims abstract description 147
- 238000005259 measurement Methods 0.000 claims abstract description 90
- 238000012360 testing method Methods 0.000 claims abstract description 56
- 238000005070 sampling Methods 0.000 claims description 17
- 238000003066 decision tree Methods 0.000 claims description 14
- 238000004422 calculation algorithm Methods 0.000 claims description 13
- 238000007477 logistic regression Methods 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 8
- 238000007405 data analysis Methods 0.000 claims description 4
- 238000012163 sequencing technique Methods 0.000 claims description 2
- 230000002123 temporal effect Effects 0.000 claims 2
- 238000004088 simulation Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 230000000694 effects Effects 0.000 description 4
- 238000002347 injection Methods 0.000 description 4
- 239000007924 injection Substances 0.000 description 4
- 238000007637 random forest analysis Methods 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 238000012423 maintenance Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 230000004927 fusion Effects 0.000 description 2
- 239000000243 solution Substances 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000004575 stone Substances 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- H—ELECTRICITY
- H02—GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
- H02J—CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
- H02J13/00—Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- Medical Informatics (AREA)
- Evolutionary Computation (AREA)
- Data Mining & Analysis (AREA)
- Computer Vision & Pattern Recognition (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Artificial Intelligence (AREA)
- Power Engineering (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Supply And Distribution Of Alternating Current (AREA)
Abstract
The invention provides a method and a system for identifying CPS network attack of a power grid, which comprises the following steps of S1, extracting a plurality of samples from pre-trained power grid measurement data, classifying the samples, and forming a sample set by the classified samples; s2, selecting a plurality of accident scene categories from the sample set, and selecting two groups of samples from the categories of each accident scene to obtain a sample training set and a sample testing set; s3, inputting the sample training set into a preset network attack identification model for training to obtain parameters of the network attack identification model; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; and S4, when the comparison results are consistent, identifying the network attack through a preset network attack identification model, and acquiring a network attack identification result. The method can fully mine the data characteristics of the power grid, and effectively improve the identification precision and speed.
Description
Technical Field
The invention relates to the technical field of power grid network attack identification, in particular to a method and a system for identifying a power grid CPS network attack.
Background
With the development of information systems and physical systems, power systems continue to present the features of power information physical systems. As an important carrier of system measurement, communication, calculation and control functions, the information side is a foundation stone for optimizing operation of a power grid, so that the information side receives wide attention of attackers, and a lot of security risks exist. Power systems, as an infrastructure for nationally concerned demographics, have become one of the primary targets for malicious organizations or hostile national attacks. Therefore, attention and vigilance must be paid to the serious impact of network attack and even "power war", and the research on the targeted security defense theory and method is urgently needed.
In an actual system, the number of large-scale attack cases for the system is small, and the probability of generating large-scale faults is extremely low, so that the network attack data of the power CPS (Cyber-Physical Systems) is highly unbalanced. Under the condition, when a machine learning algorithm is used for data mining, due to the fact that the difference between attack data and normal data in quantity is large, the classifier is not enough to pay attention to a few types of samples, effective features cannot be learned, and the identification requirement is difficult to meet.
Disclosure of Invention
The invention aims to provide a method and a system for identifying CPS network attacks of a power grid, and solve the technical problems that a classifier in the existing method has insufficient attention to few types of samples, can not learn effective characteristics, and is difficult to meet identification requirements.
On one hand, the method for identifying the CPS network attack of the power grid comprises the following steps:
the method comprises the following steps that S1, a plurality of samples are extracted from pre-trained power grid measurement data, the extracted samples are classified according to accident scene categories, and the classified samples form a sample set;
s2, selecting a plurality of accident scene categories from the sample set, and selecting two groups of samples from the categories of each accident scene to respectively form a sample training set and a sample testing set;
s3, inputting the sample training set into a preset network attack identification model for training to obtain network attack identification model parameters; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; wherein the comparison result comprises a match or a mismatch;
and S4, when the comparison results are consistent, identifying the network attack through a preset network attack identification model, and acquiring a network attack identification result.
Preferably, in step S1, the process of the pre-trained grid measurement data includes:
step S101, acquiring a target data set to be trained, randomly sampling a plurality of accident scenes from the target data set, and selecting a plurality of real-time measurement data as a meta-task data set in the accident scenes;
step S102, randomly sampling a plurality of real-time measurement data from each type of real-time measurement data in the meta-task data set as a support set, and taking the rest real-time measurement data of the rest scenes as a query set;
step S103, randomly selecting one real-time measurement data from each type of accident scene in the support set, forming the selected real-time measurement data from all the accident scenes into a group of training data, inputting the training data into a preset training model for training, and obtaining a first training result;
step S104, extracting real-time measurement data from the query set, and judging the accident scene category to which the real-time measurement data belongs by using a preset training model to obtain a second training result;
step S105, calculating the accuracy of a preset training model according to the first training result and the second training result, repeating the step S101 to the step S105, updating the preset training model and a target data set according to the obtained accuracy, and obtaining an updated training model;
and step S106, acquiring the power grid measurement data in the historical record, inputting the updated training model for training, and acquiring pre-trained power grid measurement data.
Preferably, in step S3, the preset network attack recognition model includes:
and scanning the time characteristics of the sample set by the input sample training set through a sliding window, and sequencing according to the time characteristics of the data in the sample set.
Preferably, in step S3, the preset network attack recognition model further includes:
dividing the sequenced sample training set through a sliding window, and outputting the sample training set as a power grid time sequence feature vector; and the power grid time sequence characteristic vector is processed by each weak learner in the first layer of the cascade forest, the probability of network attack is output, and the results of each weak learner are spliced to form a vector and then output.
Preferably, in step S3, the preset network attack recognition model further includes:
multiple base learners connected in parallel to increase the diversity of the algorithm; the base learner at least comprises a logistic regression decision tree, a classification and regression decision tree; and weak classifiers which are cascaded according to the weight of each classifier are arranged in the base learner.
Preferably, in step S3, the obtaining of the comparison result specifically includes:
comparing the difference value between the network attack identification model parameter and the test parameter with a preset threshold value, and generating a comparison result as inconsistency when the difference value between the network attack identification model parameter and the test parameter is greater than the preset threshold value; and when the difference value between the network attack identification model parameter and the test parameter is not greater than a preset threshold value, generating a comparison result to be consistent.
On the other hand, a system for identifying the CPS network attack of the power grid is also provided, which is used for realizing the method for identifying the CPS network attack of the power grid, and comprises the following steps:
the system comprises a sample set module, a data analysis module and a data analysis module, wherein the sample set module is used for extracting a plurality of samples from pre-trained power grid measurement data, classifying the extracted samples according to accident scene categories, and forming the classified samples into a sample set; the system is also used for selecting a plurality of accident scene categories from the sample set, and two groups of samples are selected from the categories of each accident scene to respectively form a sample training set and a sample testing set;
the training module is used for inputting the sample training set into a preset network attack identification model for training to obtain network attack identification model parameters; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; wherein the comparison result comprises a match or a mismatch;
and the identification module is used for identifying the network attack through a preset network attack identification model when the comparison results are consistent, and acquiring a network attack identification result.
Preferably, also envelope: the power grid measurement data module is used for acquiring a target data set to be trained, randomly sampling a plurality of accident scenes from the target data set, and selecting a plurality of real-time measurement data as a meta-task data set in the accident scenes;
randomly sampling a plurality of real-time measurement data from each type of real-time measurement data in the meta-task data set as a support set, and taking the rest real-time measurement data of the rest scenes as a query set;
randomly selecting one real-time measurement data from each type of accident scene in the support set, forming the selected real-time measurement data from all the accident scenes into a group of training data, inputting the training data into a preset training model for training, and obtaining a first training result;
extracting real-time measurement data from the query set, and judging the accident scene category to which the real-time measurement data belongs by using a preset training model to obtain a first training result;
calculating the accuracy of a preset training model according to the first training result and the second training result, repeating iteration, updating the preset training model and a target data set according to the obtained accuracy, and obtaining an updated training model;
and acquiring power grid measurement data in the historical record, inputting the updated training model for training, and acquiring pre-trained power grid measurement data.
Preferably, the training module is further configured to scan the input sample training set through the sliding window for the time features of the sample set, and sort the input sample training set according to the time features of the data in the sample set; dividing an input sample training set into a power grid time sequence characteristic vector through a sliding window; the power grid time sequence characteristic vector is processed by each weak learner in the first layer of the cascade forest, the probability of network attack is output, and the results of each weak learner are spliced to form a vector and then output; the training module also comprises a plurality of base learners connected in parallel and used for increasing the diversity of the algorithm; the base learner at least comprises a logistic regression decision tree, a classification and regression decision tree; and weak classifiers which are cascaded according to the weight of each classifier are arranged in the base learner.
Preferably, the training module is further configured to compare a difference between the network attack identification model parameter and the test parameter with a preset threshold, and when the difference between the network attack identification model parameter and the test parameter is greater than the preset threshold, generate a comparison result that is inconsistent; and when the difference value between the network attack identification model parameter and the test parameter is not more than a preset threshold value, generating a comparison result to be consistent.
In summary, the embodiment of the invention has the following beneficial effects:
according to the method and the system for identifying the network attack of the power grid CPS, disclosed by the invention, the network attack identification method of the deep forest is improved through the fusion element learning, and compared with the traditional sampling method in the prior art, the N-way K-shot sampling method is more suitable for the problem of small samples, so that the over-fitting phenomenon is avoided; furthermore, the method is improved on the basis of a deep forest anomaly detection algorithm, a cascaded forest structure is expanded, the characteristics of the power grid data can be fully mined, and the identification precision and speed are effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is within the scope of the present invention for those skilled in the art to obtain other drawings based on the drawings without inventive exercise.
Fig. 1 is a main flow diagram of a method for identifying a CPS network attack on a power grid according to an embodiment of the present invention.
Fig. 2 is a logic diagram of a method for identifying a CPS network attack in a power grid according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a power grid CPS network attack identification system in an embodiment of the present invention.
FIG. 4 is a diagram illustrating a network attack recognition model according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating a network attack recognition model according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings.
As shown in fig. 1 and fig. 2, schematic diagrams of an embodiment of a method for identifying a CPS network attack of a power grid according to the present invention are provided. In this embodiment, the method comprises the steps of:
the method comprises the following steps that S1, a plurality of samples are extracted from pre-trained power grid measurement data, the extracted samples are classified according to accident scene categories, and the classified samples form a sample set; it can be understood that based on an N-way K-shot method in meta-learning, each time a classification task is constructed, N types of data are extracted from a power grid measurement data training data set, each type of data is composed of K samples, and a data set of a small classification task is formed.
In a specific embodiment, the process of pre-training the grid measurement data includes:
step S101, acquiring a target data set to be trained, randomly sampling a plurality of accident scenes from the target data set, and selecting a plurality of real-time measurement data as a meta-task data set in the accident scenes; the brand new power grid measurement data to be identified are assumed to comprise N accident scenes, such as false data injection, remote tripping instruction attack, single-phase grounding short circuit, steady-state scenes and the like. The target task is to randomly extract K real-time measurement data from N accident scenes for learning, and according to the learning result, the completely new data belonging to N accident scenes can be correctly identified.
Step S102, randomly sampling a plurality of real-time measurement data from each type of real-time measurement data in the meta-task data set as a support set, and taking the rest real-time measurement data of the rest scenes as a query set; specifically, N accident scenes are randomly sampled from a data set, and K real-time measurement data are used as a meta-task data set in each accident scene.
Step S103, randomly selecting one real-time measurement data from each type of accident scene in the support set, forming the selected real-time measurement data from all the accident scenes into a group of training data, inputting the training data into a preset training model for training, and obtaining a first training result; specifically, M real-time measurement data are randomly sampled from each type of real-time measurement data in the meta-task data set to serve as a support set S, and N-M real-time measurement data in other scenes serve as a query set Q.
Step S104, extracting real-time measurement data from the query set, and judging the accident scene category to which the real-time measurement data belongs by using a preset training model to obtain a second training result; specifically, an example is randomly selected from each accident scene in the support set S, and the examples together form a group of training data which is input into the model for training.
Step S105, calculating the accuracy of a preset training model according to the first training result and the second training result, repeating the step S101 to the step S105, updating the preset training model and a target data set according to the obtained accuracy, and obtaining an updated training model; specifically, one system fault instance data is extracted from the query set Q, the model is used for judging which kind of scene the data belongs to, the steps are repeated, the accuracy of the task model is finally calculated, actually, the accuracy is the loss of the model determined by the meta-learning parameters on the task, the loss is reversely propagated to the meta-learning parameters through the loss gradient, and the meta-learning parameters are updated, namely, the meta-learning process.
And step S106, acquiring the power grid measurement data in the historical record, inputting the updated training model for training, and acquiring pre-trained power grid measurement data.
S2, selecting a plurality of accident scene categories from the sample set, and selecting two groups of samples from each accident scene category to respectively form a sample training set and a sample testing set; it can be understood that N accident scenes are selected from the sample set in a gathering mode, K + M real-time measurement data are randomly extracted from each accident scene for learning, the K real-time measurement data serve as a training set, and the M real-time measurement data serve as a testing set.
S3, inputting the sample training set into a preset network attack identification model for training to obtain network attack identification model parameters; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; wherein the comparison result comprises a match or a mismatch; it can be understood that a random forest and a Lightgbm-based learner are introduced to improve the richness of the model on the basis of the original Bagging learner; and comparing the identification precision under the single learner with the identification precision under the combined learner, and searching for an optimal combination mode to construct an optimal base learner composition form for improving the cascade structure in the deep forest.
In an embodiment, as shown in fig. 4, the preset network attack recognition model includes: multiple base learners connected in parallel to increase the diversity of the algorithm; the base learner at least comprises a logistic regression decision tree, a classification and regression decision tree; and weak classifiers which are cascaded according to the weight of each classifier are arranged in the base learner. As shown in fig. 5, in the data processing process, the input sample training set scans the time characteristics of the sample set through the sliding window, and is sorted according to the time characteristics of the data in the sample set; it can be understood that different sliding windows are used for scanning the original power grid measurement data characteristics, the characteristics are extracted through the sliding windows, the connection between the front and the back of a power grid measurement data sequence is obtained, and the characteristic obtaining capability is improved. In the power grid sample training, the size of a sliding window is determined through experiments, and the initial value of the sliding window is one fourth or one eighth of the characteristic dimension of the power grid measurement data. Dividing and outputting the sequenced sample training set into a power grid time sequence characteristic vector through a sliding window; and the power grid time sequence characteristic vector is processed by each weak learner in the first layer of the cascade forest, the probability of network attack is output, and the results of each weak learner are spliced to form a vector and then output. It can be understood that, based on the learner of the Boosting idea, the first-layer input data of the cascade forest is a power grid time sequence feature vector divided by a sliding window, the power grid time sequence feature vector outputs the probability of network attack after passing through each weak learner in the first layer, and the results of each weak learner are spliced to form a vector and then input into the next-layer cascade structure. On the basis of the original Bagging learning device, various base learning devices such as logistic regression, classification and regression decision tree are introduced to increase the diversity of the algorithm. In the Boosting algorithm, adaboost, XGboost and Lightgbm are introduced, and weak classifiers are cascaded by using the characteristic that Adaboost considers the weight of each classifier.
Specifically, the difference between the network attack identification model parameter and the test parameter is compared with a preset threshold value, and when the difference between the network attack identification model parameter and the test parameter is greater than the preset threshold value, a comparison result is generated to be inconsistent; and when the difference value between the network attack identification model parameter and the test parameter is not more than a preset threshold value, generating a comparison result to be consistent. It can be understood that the cascade structure in the original deep forest is improved, the identification precision under a single learner in the cascade structure is compared with the identification precision under a combined learner, an optimal combination mode is searched, the model identification precision under the single learner is firstly compared, and the type of the better learner is analyzed through results; and secondly, randomly combining the learners, and comparing the model identification precision under the combined learner, wherein the measurement indexes of the identification precision are accuracy rate, F1 score and AUC.
And S4, when the comparison results are consistent, identifying the network attack through a preset network attack identification model, and acquiring a network attack identification result. It can be understood that when the identification precision is determined to be consistent with the original model, the improved model, namely the network attack identification model is adopted, the subsequent network attacks are identified, the efficiency can be guaranteed, meanwhile, the attention to a few types of samples is increased, the learning effective features are increased, and the identification requirements are met.
In the embodiment, the method is applied to the cyber-physical combined simulation platform, the relevant transient fault data is obtained from the power cyber-physical combined simulation platform, and automatic simulation is performed under random load level, fault position and attack threat. The test scenarios used in the examples are divided into three categories: 1) A network attack scenario; 2) Single-phase grounding short circuit of the power system; 3) Normal operating conditions. A total of 24 test scenarios were selected:
the protection scheme of the single-phase grounding short-circuit scenes (Q1-Q3) is the two-section protection, and meanwhile, whether the fault disappears is observed by automatic reclosing after the fault occurs for one circle.
The power transmission line maintenance scenes (Q4-Q6) simulate a scene with a maintenance plan for a certain line, so that an operator can remotely send a tripping command in advance to trip off circuit breakers at two ends of the line. In the control log on the information side, a corresponding record and time are left.
For a network attack scenario, two types of attacks are involved: 1) Relay trip command injection; 2) And modifying the action threshold of the relay. Trip command injection attacks are further divided into two categories: 1) Q7 to Q12: and attacking one relay to simulate the false action scene of the relay protection device. 2) Q13 to Q15: and the relays at the two ends of the same line are attacked simultaneously, so that a transmission line maintenance scene is simulated.
False data injection attack (Q16-Q19) sends a command to access an internal register of a relay by embezzlement of the authority of internal personnel, and relevant relay settings are modified, so that when a real fault occurs and relay protection is required to operate correctly, a protection device refuses to operate, and a greater consequence is caused. The scene simulates the mechanical fault scene (Q20-Q23) of the relay protection device in natural fault.
In a steady state scenario (Q24) the load will vary randomly within a certain range (80% -120%), but no attack events, interference operations and control operations will occur.
Each scene takes the system reaching and re-reaching the steady state as the beginning and the end of one simulation in the simulation process. The system collects the synchronous measurement data 200 times per second, the attack time is set to be slightly shorter than the sampling interval of 0.005s, and otherwise, the system can directly judge according to the fault data. This chapter co-simulation resulted in 916 sets of simulation samples, each sample including 39-dimensional two-sided data and a timestamp. The 39-dimensional data includes 9-dimensional physical side measurements, 6-dimensional relay status, and 24-dimensional event logs including relay actions and modification logs for each relay, and service plans, respectively. The physical side synchrophasor data includes discrete phase voltages and phase currents. The log of each event includes data for about 4000 moments, corresponding to a simulation time of about 20 seconds. When N-way K-shot is used for sampling, the optimal identification effect is obtained when N is 20 and K is 21. When the cascade structure is a single learner, the accuracy of the classification and regression decision tree model is 76%, the F1 score is 0.71, and the AUC is 0.74, all of which are better than the accuracy of the logistic regression model of 71%, the F1 score of 0.60, and the AUC value of 0.68. In the cascade structure, when the unified model is a tree model, the overall performance is superior to that of a non-tree model. Compared with a tree model, a non-tree model such as logistic regression is sensitive to data and is seriously influenced by abnormal points, so that the model prediction result is poor, and the robustness is inferior to that of the tree model. (b) The learner based on the Bagging thought is a random forest, the accuracy of the base learner is 85%, the F1 score is 0.80, and the AUC value is 0.82. Boosting-based learners are Adaboost, XGBoost, and Lightgbm. From the analysis of results, compared with Adaboost, the recognition result of the random forest model as the base learner is improved by 4% in accuracy, improved by 0.02 in F1 fraction and improved by 0.02 in AUC value, but is inferior to XGboost and Lightgbm in whole. The possible reasons are that the number of Adaboost classifiers is difficult to set, and the data imbalance can cause the classification precision to be reduced. (c) Among Boosting algorithms, XGboost and Lightgbm show better levels. The AUC values of the XGboost model and the Lightgbm model are the same as 0.90, the Lightgbm obtains the optimal result in two measurement indexes of accuracy and F1 fraction, and the overall result is slightly superior to the XGboost.
When the cascade structure is a combined learner, (a) the overall recognition accuracy of the combined learner is generally superior to that of the single learner. The diversity of the model can enhance the classification capability of the cascade structure, because in the training stage, each base learner outputs the class label to which the data belongs on the basis of the model characteristic of the base learner in the sample space, the respective advantages of different classifiers are fully exerted, a plurality of characteristic information of the sample is comprehensively learned, and the structural difference of the base learners has an addition effect on the whole cascade structure when the characteristic information difference is processed, so that the complementation is formed. (b) The accuracy of the CART and RF combination mode is 0.77 at the lowest, the F1 score is 0.73 at the lowest, and the AUC value is 0.75 at the lowest, which shows that when two base learners are both ensemble learning models, the prediction result is better than the effect of other combinations. The accuracy, F1 score and AUC value of Adaboost, XGboost combination, adaboost, lightgbm combination and XGboost, lightgbm combination are generally due to other combination modes. Wherein the optimal accuracy rate is 0.92, the optimal F1 fraction is 0.89, and the optimal AUC value is 0.91. It is shown that when the model consists of Bagging and Boosting, the effect is better than the combination of two Boosting algorithms. Therefore, the combination of the random forest model and the Lightgbm model is finally selected to improve the deep forest model, and the average accuracy index is 90.8%, the average recall index is 89.0%, and the average AUC score index is 0.912.
The result shows that the method for fusing meta-learning and improving the deep forest can effectively solve the problem of small samples and prevent the model from being over-fitted, and compared with the original network attack identification method, the method can effectively improve the network attack identification precision and speed and meet the actual engineering requirements.
Fig. 3 is a schematic diagram of an embodiment of a power grid CPS network attack identification system according to the present invention. In this embodiment, the system is used to implement the method for identifying CPS network attacks on the power grid, and includes:
the system comprises a sample set module, a data acquisition module and a data analysis module, wherein the sample set module is used for extracting a plurality of samples from pre-trained power grid measurement data, classifying the extracted samples according to accident scene categories, and forming the classified samples into a sample set; the system is also used for selecting a plurality of accident scene categories from the sample set, and two groups of samples are selected from the categories of each accident scene to respectively form a sample training set and a sample testing set;
the training module is used for inputting the sample training set into a preset network attack identification model for training to obtain network attack identification model parameters; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; wherein the comparison result comprises a match or a mismatch;
the identification module is used for identifying the network attack through a preset network attack identification model when the comparison results are consistent, and acquiring a network attack identification result;
the power grid measurement data module is used for acquiring a target data set to be trained, randomly sampling a plurality of accident scenes from the target data set, and selecting a plurality of real-time measurement data as a meta-task data set in the accident scenes; randomly sampling a plurality of real-time measurement data from each type of real-time measurement data in the meta-task data set as a support set, and taking the rest real-time measurement data of the rest scenes as a query set; real-time measurement data, namely forming a group of training data by the selected real-time measurement data in all accident scenes, inputting the training data into a preset training model for training to obtain a first training result; extracting real-time measurement data from the query set, and judging the accident scene category to which the real-time measurement data belongs by using a preset training model to obtain a second training result; calculating the accuracy of a preset training model according to the first training result and the second training result, repeating iteration, updating the preset training model and a target data set according to the obtained multiple accuracies, and obtaining an updated training model; and acquiring power grid measurement data in the historical record, inputting the updated training model for training, and acquiring pre-trained power grid measurement data.
In a specific embodiment, the training module is further configured to scan time features of the sample set through a sliding window with the input sample training set, extract the time features with the sliding window, and sort the time features according to the time features of the data in the sample set; dividing an input sample training set into a power grid time sequence characteristic vector through a sliding window; the power grid time sequence characteristic vector is processed by each weak learner in the first layer of the cascade forest, the probability of network attack is output, and the results of each weak learner are spliced to form a vector and then output; the training module also comprises a plurality of base learners connected in parallel and used for increasing the diversity of the algorithm; the base learner at least comprises a logistic regression decision tree, a classification and regression decision tree; and weak classifiers which are cascaded according to the weight of each classifier are arranged in the base learning device.
More specifically, the training module is further configured to compare a difference between the network attack identification model parameter and the test parameter with a preset threshold, and when the difference between the network attack identification model parameter and the test parameter is greater than the preset threshold, generate a comparison result that is inconsistent; and when the difference value between the network attack identification model parameter and the test parameter is not more than a preset threshold value, generating a comparison result to be consistent.
Regarding the implementation process of the power grid CPS network attack identification system, reference may be made to the process of the power grid CPS network attack identification method, which is not described herein again.
In summary, the embodiment of the invention has the following beneficial effects:
according to the power grid CPS network attack identification method, the network attack identification method of the deep forest is improved through fusion element learning, compared with the traditional sampling method in the prior art, the N-way K-shot sampling method is more suitable for the problem of small samples, and the over-fitting phenomenon is avoided; furthermore, the method is improved on the basis of a deep forest anomaly detection algorithm, a cascaded forest structure is expanded, the characteristics of the power grid data can be fully mined, and the identification precision and speed are effectively improved.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the invention is not limited by the scope of the appended claims.
Claims (6)
1. A method for identifying a CPS network attack of a power grid is characterized by comprising the following steps:
the method comprises the following steps that S1, a plurality of samples are extracted from pre-trained power grid measurement data, the extracted samples are classified according to accident scene categories, and the classified samples form a sample set;
s2, selecting a plurality of accident scene categories from the sample set, and selecting two groups of samples from the categories of each accident scene to respectively form a sample training set and a sample testing set;
s3, inputting the sample training set into a preset network attack identification model for training to obtain network attack identification model parameters; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; wherein the comparison result comprises a match or a mismatch;
s4, when the comparison results are consistent, identifying the network attack through a preset network attack identification model to obtain a network attack identification result;
wherein the pre-trained grid metrology data process comprises:
step S101, a target data set to be trained is obtained, a plurality of accident scenes are randomly sampled from the target data set, and a plurality of real-time measurement data are selected from the accident scenes to serve as a meta-task data set;
step S102, randomly sampling a plurality of real-time measurement data from each type of real-time measurement data in the meta-task data set as a support set, and taking the rest real-time measurement data of the rest scenes as a query set;
step S103, randomly selecting one real-time measurement data from each type of accident scene in the support set, forming the selected real-time measurement data from all the accident scenes into a group of training data, inputting the training data into a preset training model for training, and obtaining a first training result;
step S104, extracting real-time measurement data from the query set, and judging the accident scene category to which the real-time measurement data belongs by using a preset training model to obtain a second training result;
step S105, calculating the accuracy of a preset training model according to the first training result and the second training result, repeating the step S101 to the step S105, updating the preset training model and a target data set according to the obtained plurality of accuracies, and obtaining an updated training model;
step S106, acquiring power grid measurement data in a historical record, inputting the updated training model for training, and acquiring pre-trained power grid measurement data;
and the preset network attack identification model comprises the following steps:
scanning the time characteristics of the sample set by the input sample training set through a sliding window, and sequencing according to the time characteristics of data in the sample set;
dividing the sequenced sample training set through a sliding window, and outputting the sample training set as a power grid time sequence feature vector; the power grid time sequence characteristic vector is processed by each weak learner in the first layer of the cascade forest, the probability of network attack is output, and the results of each weak learner are spliced to form a vector and then output;
the network attack identification model is internally provided with a plurality of base learners connected in parallel for increasing the diversity of the algorithm; the base learner at least comprises a logistic regression decision tree, a classification and regression decision tree; and weak classifiers which are cascaded according to the weight of each classifier are arranged in the base learning device.
2. The method according to claim 1, wherein in step S3, the obtaining of the comparison result specifically includes:
comparing the difference value between the network attack identification model parameter and the test parameter with a preset threshold value, and generating a comparison result as inconsistency when the difference value between the network attack identification model parameter and the test parameter is greater than the preset threshold value; and when the difference value between the network attack identification model parameter and the test parameter is not more than a preset threshold value, generating a comparison result to be consistent.
3. A power grid CPS network attack recognition system for implementing the method as claimed in any one of claims 1-2, comprising:
the system comprises a sample set module, a data acquisition module and a data analysis module, wherein the sample set module is used for extracting a plurality of samples from pre-trained power grid measurement data, classifying the extracted samples according to accident scene categories, and forming the classified samples into a sample set; the system is also used for selecting a plurality of accident scene categories from the sample set, and two groups of samples are selected from the categories of each accident scene to respectively form a sample training set and a sample testing set;
the training module is used for inputting the sample training set into a preset network attack identification model for training to obtain network attack identification model parameters; inputting the sample test set into a preset test model for training to obtain test parameters; comparing the network attack identification model parameters with the test parameters to obtain a comparison result; wherein the comparison result comprises a match or a mismatch;
and the identification module is used for identifying the network attack through a preset network attack identification model when the comparison result is consistent, and acquiring a network attack identification result.
4. The system of claim 3, further comprising:
the power grid measurement data module is used for acquiring a target data set to be trained, randomly sampling a plurality of accident scenes from the target data set, and selecting a plurality of real-time measurement data as a meta-task data set in the accident scenes;
randomly sampling a plurality of real-time measurement data from each type of real-time measurement data in the meta-task data set as a support set, and taking the rest real-time measurement data of the rest scenes as a query set;
randomly selecting one real-time measurement data from each type of accident scene in the support set, forming the selected real-time measurement data from all the accident scenes into a group of training data, inputting the training data into a preset training model for training, and obtaining a first training result;
extracting real-time measurement data from the query set, and judging the accident scene category to which the real-time measurement data belongs by using a preset training model to obtain a second training result;
calculating the accuracy of a preset training model according to the first training result and the second training result, repeating iteration, updating the preset training model and a target data set according to the obtained accuracy, and obtaining an updated training model;
and acquiring power grid measurement data in a historical record, inputting the updated training model for training, and acquiring pre-trained power grid measurement data.
5. The system of claim 4, wherein the training module is further configured to scan the input training set of samples through a sliding window for temporal features of the sample set, and to rank the input training set of samples according to temporal features of data in the sample set; dividing an input sample training set into a power grid time sequence characteristic vector through a sliding window; the power grid time sequence characteristic vector is processed by each weak learner in the first layer of the cascade forest, the probability of network attack is output, and the results of each weak learner are spliced to form a vector and then output; the training module also comprises a plurality of base learners connected in parallel and used for increasing the diversity of the algorithm; the base learner at least comprises a logistic regression decision tree, a classification and regression decision tree; and weak classifiers which are cascaded according to the weight of each classifier are arranged in the base learning device.
6. The system of claim 5, wherein the training module is further configured to compare the difference between the cyber attack recognition model parameter and the test parameter with a preset threshold, and when the difference between the cyber attack recognition model parameter and the test parameter is greater than the preset threshold, generate a comparison result as inconsistent; and when the difference value between the network attack identification model parameter and the test parameter is not more than a preset threshold value, generating a comparison result to be consistent.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110841847.2A CN113572771B (en) | 2021-07-26 | 2021-07-26 | Power grid CPS network attack identification method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110841847.2A CN113572771B (en) | 2021-07-26 | 2021-07-26 | Power grid CPS network attack identification method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113572771A CN113572771A (en) | 2021-10-29 |
CN113572771B true CN113572771B (en) | 2023-04-07 |
Family
ID=78167215
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110841847.2A Active CN113572771B (en) | 2021-07-26 | 2021-07-26 | Power grid CPS network attack identification method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113572771B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114257517B (en) * | 2021-11-22 | 2022-11-29 | 中国科学院计算技术研究所 | Method for generating training set for detecting state of network node |
CN114978586B (en) * | 2022-04-12 | 2023-07-04 | 东北电力大学 | Power grid attack detection method and system based on attack genes and electronic equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019137021A1 (en) * | 2018-01-11 | 2019-07-18 | 华为技术有限公司 | Machine learning model training method and device |
CN110889255A (en) * | 2019-10-31 | 2020-03-17 | 国网湖北省电力有限公司 | Power system transient stability evaluation method based on cascaded deep forest |
CN111327608A (en) * | 2020-02-14 | 2020-06-23 | 中南大学 | Application layer malicious request detection method and system based on cascade deep neural network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656981B (en) * | 2016-10-21 | 2020-04-28 | 东软集团股份有限公司 | Network intrusion detection method and device |
-
2021
- 2021-07-26 CN CN202110841847.2A patent/CN113572771B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019137021A1 (en) * | 2018-01-11 | 2019-07-18 | 华为技术有限公司 | Machine learning model training method and device |
CN110889255A (en) * | 2019-10-31 | 2020-03-17 | 国网湖北省电力有限公司 | Power system transient stability evaluation method based on cascaded deep forest |
CN111327608A (en) * | 2020-02-14 | 2020-06-23 | 中南大学 | Application layer malicious request detection method and system based on cascade deep neural network |
Non-Patent Citations (1)
Title |
---|
小样本纠错的多层入侵检测分类研究;滕少华等;《广东工业大学学报》;20200515(第03期);全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN113572771A (en) | 2021-10-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Wang et al. | Detection of power grid disturbances and cyber-attacks based on machine learning | |
CN113572771B (en) | Power grid CPS network attack identification method and system | |
Ganjkhani et al. | Integrated cyber and physical anomaly location and classification in power distribution systems | |
Mo et al. | Sampled value attack detection for busbar differential protection based on a negative selection immune system | |
CN111598179B (en) | Power monitoring system user abnormal behavior analysis method, storage medium and equipment | |
CN109936113B (en) | Protection action intelligent diagnosis method and system based on random forest algorithm | |
CN105974265A (en) | SVM (support vector machine) classification technology-based power grid fault cause diagnosis method | |
CN109444667A (en) | Power distribution network initial failure classification method and device based on convolutional neural networks | |
CN109687438A (en) | It is a kind of meter and high-speed rail impact load effect under power grid vulnerable line discrimination method | |
CN111999591B (en) | Method for identifying abnormal state of primary equipment of power distribution network | |
Zheng et al. | Real-time transient stability assessment based on deep recurrent neural network | |
CN114091549A (en) | Equipment fault diagnosis method based on deep residual error network | |
Sun et al. | A coordinated cyber attack detection system (CCADS) for multiple substations | |
CN111209535B (en) | Power equipment successive fault risk identification method and system | |
Paul et al. | Knowledge-based fault diagnosis for a distribution system with high pv penetration | |
CN113067798A (en) | ICS intrusion detection method and device, electronic equipment and storage medium | |
Zhou et al. | Can an influence graph driven by outage data determine transmission line upgrades that mitigate cascading blackouts? | |
Firos et al. | Fault detection in power transmission lines using AI model | |
Xue et al. | An efficient and robust case sorting algorithm for transient stability assessment | |
Zheng et al. | Research on hidden danger identification of external damage of high voltage overhead transmission lines | |
Ling et al. | WEB attack source tracing technology based on genetic algorithm | |
Promrat et al. | Fault cause classification on PEA 33 kV distribution system using supervised machine learning compared to artificial neural network | |
Guo et al. | XGBoost based fake data injection attack detection method for power grid | |
Ciapessoni et al. | Contingency screening starting from probabilistic models of hazards and component vulnerabilities | |
Huang et al. | Data-driven fault risk warning method for distribution system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |