CN113706100B - Real-time detection and identification method and system for Internet of things terminal equipment of power distribution network - Google Patents

Publication number
CN113706100B
Authority
CN
China
Prior art keywords
equipment
distribution network
power distribution
online
internet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110974559.4A
Other languages
Chinese (zh)
Other versions
CN113706100A (en
Inventor
周小明
胡博
李桐
任帅
周振柳
王磊
李广翱
王刚
宋进良
孙茜
陈剑
刘扬
耿洪碧
陈得丰
杨智斌
李欢
佟昊松
何立帅
刘芮彤
孙赫阳
王琛
姜力行
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Liaoning Electric Power Co Ltd
Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Liaoning Electric Power Co Ltd
Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Liaoning Electric Power Co Ltd, Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Priority to CN202110974559.4A
Publication of CN113706100A
Application granted
Publication of CN113706100B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Electricity, gas or water supply
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H02J13/00006 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment
    • H02J13/00022 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment using wireless data transmission
    • H02J13/00028 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment involving the use of Internet protocols
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02B CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO BUILDINGS, e.g. HOUSING, HOUSE APPLIANCES OR RELATED END-USER APPLICATIONS
    • Y02B90/00 Enabling technologies or technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y02B90/20 Smart grids as enabling technology in buildings sector
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/12 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment
    • Y04S40/126 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment using wireless data transmission
    • Y04S40/128 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment involving the use of Internet protocol

Abstract

The method and system for real-time detection and identification of power distribution network Internet of things terminal equipment work as follows. First, a basic information base of the distribution network's Internet of things terminal equipment is established, and each Internet of things terminal device that joins the network is registered to form a registered terminal equipment base. Network traffic of the power distribution network is then collected in real time and analyzed in real time to extract characteristic information of terminal equipment, which detects the online Internet of things terminal equipment of the power distribution network. The detected online equipment is identified by computing device similarity from the characteristic information, and all online Internet of things terminal equipment in the power distribution network is displayed visually according to the similarity identification value. The method and system can generate a real-time full-asset ledger of the distribution network's Internet of things terminal equipment, make it easier to discover operating abnormalities, operating faults and illegal-equipment risks in time, improve operating reliability, and enhance the operating transparency and security of the distribution network's Internet of things terminal equipment.

Description

Real-time detection and identification method and system for Internet of things terminal equipment of power distribution network
Technical Field
The invention belongs to the field of Internet of things in an electric power distribution network, and particularly relates to a method and a system for real-time detection and identification of Internet of things terminal equipment of a power distribution network.
Background
The Internet of things is an intelligent network that builds on the Internet and connects objects to one another and to the Internet by means such as radio frequency identification, two-dimensional codes, infrared sensors, GPS or wireless data communication, ultimately covering everything. The electric power Internet of things is the concrete form and application of the Internet of things in the electric power industry. It generates shared data by connecting power users and their equipment, grid enterprises and their equipment, power generation enterprises and their equipment, suppliers and their equipment, and people and things, and thereby serves users, the grid, power generation, suppliers and government. With the grid as the hub, it acts as a platform for sharing, creates greater opportunities for the development of the whole industry and for more market participants, and provides value services.
An electric power distribution network contains a large number of Internet of things terminal devices. Each such device has a processor and runs an embedded system, and the reliability and security of its operation bear directly on the overall operating safety and stability of the smart grid. Comprehensively monitoring the Internet of things terminal devices in the distribution network, generating an asset ledger of all terminal devices promptly and accurately, and monitoring the running state of the terminal devices in real time are important parts of the safe production management of the distribution network.
In wide-area network device detection and identification, the large number of network devices from different manufacturers and of different types and models makes detection and identification results ambiguous and uncertain to varying degrees, and the accuracy and reliability of the results lack a comparative reference and quantitative evaluation. In an electric power distribution network, although many Internet of things terminal devices are allowed to access the network, their manufacturers, types and models are relatively fixed and limited, and the network access management of the terminal devices is relatively strict. This makes it feasible to identify the Internet of things terminal devices in the distribution network accurately and quantitatively and to monitor them by comparison.
The invention therefore discloses a method and a system for real-time detection and identification of power distribution network Internet of things terminal equipment. By comparison and quantification, they generate a real-time full-asset ledger of the distribution network's Internet of things terminal equipment, make the running state of that equipment more transparent, and improve the ability to discover its abnormal operation in time.
Disclosure of Invention
To address the large number of Internet of things terminal devices in an electric power distribution network, the invention provides a method and a system for detecting and identifying the distribution network's Internet of things terminal devices in real time.
The method for real-time detection and identification of power distribution network Internet of things terminal equipment is characterized by comprising the following steps:
Step 1: establishing a basic information base of the distribution network Internet of things terminal equipment; the basic information of the Internet of things terminal equipment permitted to access the power distribution network is registered and stored in the equipment basic information base;
Step 2: establishing a distribution network registered equipment library; for each Internet of things terminal device in use in the distribution network, the registration information of that individual device is stored in the distribution network registered equipment library;
Step 3: detecting online terminal equipment in the power distribution network in real time; the real-time communication network data packets of online terminal equipment in the distribution network are acquired, and the characteristic information data of the online terminal equipment is detected;
Step 4: identifying the detected online terminal equipment in the power distribution network; using the recorded characteristic information data of the detected online terminal equipment, and with reference to the registration information of the registered equipment and the equipment basic information, the similarity of the online terminal equipment is calculated and the online terminal equipment is identified.
The invention further comprises the following preferred schemes:
In step 1, basic equipment information is registered by equipment type for the Internet of things terminal equipment permitted to access the power distribution network.
The registered basic information includes the device's vendor information, device type, device model, software and hardware version, OS version, protocol type, service port and service type characteristic information items. Each device type is given a unique equipment basic information identifier, and the characteristic information items and the unique identifier are stored in the equipment basic information base.
At any stage of distribution network operation, when a new type of Internet of things terminal equipment is permitted to access the network, the basic information of that type is established and added to the equipment basic information base before any individual device of the type is connected to the distribution network.
In step 2, the registration information of each Internet of things terminal device in use in the distribution network is registered per individual device. The registration information comprises the IP address and MAC address allocated to the device and the basic information corresponding to the device; each device is assigned a unique identifier, and the information is stored in the registered equipment library.
At any stage of distribution network operation, when a new Internet of things terminal device is connected to the distribution network, the registration information of that individual device is established and the distribution network registered equipment library is updated in real time.
In step 3, acquiring the real-time communication network data packets of online terminal equipment in the power distribution network and detecting the characteristic information data of the online terminal equipment specifically comprises the following:
Step 3.1: collecting the real-time network traffic of the operating power distribution network, and storing the network traffic data in a network traffic library;
Step 3.2: at a fixed time interval, analyzing the network traffic data packets captured within that interval, extracting the equipment characteristic information data items contained in the packets, and storing the extracted items in equipment characteristic information data records keyed by IP address;
the equipment characteristic information data items comprise the IP address and, extracted for that IP address, the MAC address, manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type characteristic information data items;
Step 3.3: de-duplicating the extracted equipment characteristic information data records; the extracted records that share an IP address are examined, and if the values of their characteristic information data items are identical, only one record is kept and the other duplicates are deleted; if the values of the characteristic information data items differ, the records are kept for the time being and the merging operation of step 3.4 is carried out;
Step 3.4: merging the extracted equipment characteristic information data records; data records that share an IP address but have several different values for other characteristic information data items are merged item by item, so that each different value becomes a sub-item of that characteristic information data item.
In step 4, using the recorded characteristic information data of the detected online terminal equipment and with reference to the equipment registration information and the equipment basic information, the similarity of the online equipment is calculated and the online terminal equipment is identified, comprising the following steps:
Step 4.1: looking up, in the distribution network registered equipment library, the IP address contained in each detected online terminal equipment characteristic information data record, and marking every online terminal equipment data record whose IP address does not exist in the registered equipment library as illegal terminal equipment;
Step 4.2: for each online terminal equipment data record whose IP address is in the registered equipment library, calculating the similarity of the online terminal equipment;
Step 4.3: when the similarity of the online equipment is less than or equal to the threshold 0.17, the online equipment is marked as counterfeit equipment; when the similarity is greater than the threshold 0.17 and less than the threshold 0.30, it is marked as suspicious equipment; and when the similarity is greater than or equal to the threshold 0.30, it is marked as trusted equipment.
In step 4.2, calculating the similarity of the online terminal equipment specifically comprises the following:
Step 4.2.1: calculating the characteristic information vector of the online equipment data record;
For each characteristic information data item of the extracted online equipment data record other than the IP address, the value of the item is compared with the corresponding item registered for the same IP address in the distribution network registered equipment library. If the two are equal, the corresponding element of the online equipment characteristic information vector is set to 1. If they are not equal, it is determined whether the item of the online equipment data record is a substring of the corresponding registered item; if it is, the corresponding element is set to the ratio of the substring length to the data item length. If the item of the online equipment data record is a merged value, it is determined whether each sub-item of the merged value is a substring of the corresponding registered item, and the corresponding element is set to the sum of the substring length to data item length ratios. If the two are not equal and no substring exists, the corresponding element is set to 0;
Step 4.2.2: calculating the improved Euclidean distance of the online device;
the improved Euclidean distance between an online device and the device with the same IP address in the registered device library is calculated according to the formula defined below:
where
d is the improved Euclidean distance of the online device,
x_i is the i-th value of the characteristic information vector of the online device data record,
n is the length of the characteristic information vector of the online device data record;
Step 4.2.3: calculating the online device similarity;
the similarity between the online device and the device with the same IP address in the registered device library is calculated according to the following formula:
where
sim is the online device similarity, and
d is the improved Euclidean distance of the online device.
Step 5: visually displaying the real-time detection and identification results for the online equipment of the power distribution network;
the identification results of the online equipment detected in real time in step 4 are displayed visually in the form of a full-asset ledger of terminal equipment; the display includes the values of all characteristic information data items of each device, and each identified device is marked as illegal equipment, counterfeit equipment, suspicious equipment or trusted equipment according to the similarity threshold.
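An added example, not part of the patent text: steps 3.3 through 4.3 in Python over constructed traffic records. The field names, the sample devices and the use of the registered item's length as the "data item length" are assumptions; because the distance and similarity formulas do not survive on this page, the similarity function is supplied by the caller instead of being defined here.

```python
"""Steps 3.3-4.3 of the method over constructed records (added example)."""
from collections import defaultdict

# Items compared against the registry: every data item except the IP address.
# The key names are assumptions made for this example.
FEATURES = ("mac", "vendor", "device_type", "model", "hw_sw_version",
            "os_version", "protocol", "service_port", "service_type")

# Constructed registered-equipment library (step 2), keyed by IP address.
REGISTRY = {
    "192.0.2.10": {
        "mac": "00:11:22:33:44:55", "vendor": "ExampleVendor",
        "device_type": "DTU", "model": "EX-DTU-200",
        "hw_sw_version": "HW1.2/SW3.4", "os_version": "Linux 3.10.14",
        "protocol": "IEC104", "service_port": "102,2404",
        "service_type": "telemetry",
    },
}

# Constructed per-packet extraction results for one interval (step 3.2).
OBSERVED = [
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:55",
     "os_version": "Linux", "service_port": "2404"},
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:55",
     "os_version": "Linux", "service_port": "102"},
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:55",
     "os_version": "Linux", "service_port": "2404"},   # exact duplicate
    {"ip": "192.0.2.99", "mac": "66:77:88:99:aa:bb"},  # not registered
]


def merge_records(records):
    """Steps 3.3 and 3.4: one record per IP address. Identical values
    collapse to one; differing values become sub-items (a sorted tuple)."""
    by_ip = defaultdict(lambda: defaultdict(set))
    for rec in records:
        feats = by_ip[rec["ip"]]
        for key in FEATURES:
            if rec.get(key):
                feats[key].add(rec[key])
    return {
        ip: {k: next(iter(v)) if len(v) == 1 else tuple(sorted(v))
             for k, v in feats.items()}
        for ip, feats in by_ip.items()
    }


def feature_value(observed, registered):
    """Step 4.2.1 for one item: 1 on equality, a length ratio when the
    observed value is a substring, summed ratios for a merged value, else 0.
    An item that was not observed at all also scores 0 (assumption)."""
    if not observed or not registered:
        return 0.0
    if isinstance(observed, tuple):  # merged value from step 3.4
        return sum(len(s) / len(registered) for s in observed if s in registered)
    if observed == registered:
        return 1.0
    if observed in registered:
        return len(observed) / len(registered)
    return 0.0


def feature_vector(observed_rec, registered_rec):
    """Characteristic information vector, one element per item in FEATURES."""
    return [feature_value(observed_rec.get(k), registered_rec.get(k))
            for k in FEATURES]


def classify(sim):
    """Step 4.3 thresholds as stated in the text."""
    if sim <= 0.17:
        return "counterfeit"
    if sim < 0.30:
        return "suspicious"
    return "trusted"


def identify(merged, registry, similarity_fn):
    """Steps 4.1-4.3. similarity_fn maps a feature vector to sim; it stands
    in for steps 4.2.2 and 4.2.3 and must be provided by the caller."""
    results = {}
    for ip, rec in merged.items():
        if ip not in registry:  # step 4.1
            results[ip] = ("illegal", None)
            continue
        vec = feature_vector(rec, registry[ip])
        results[ip] = (classify(similarity_fn(vec)), vec)
    return results


if __name__ == "__main__":
    merged = merge_records(OBSERVED)
    for ip, rec in merged.items():
        if ip in REGISTRY:
            print(ip, feature_vector(rec, REGISTRY[ip]))
        else:
            print(ip, "illegal (IP address not in registered equipment library)")
```

Because the text does not cap the summed ratios, a merged value whose sub-items overlap inside the registered string can score above 1; a deployment would need to decide how to treat that case.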
The application also discloses a system for real-time detection and identification of power distribution network Internet of things terminal equipment that uses the above method. The system comprises a network traffic acquisition module, an equipment detection and feature extraction module, an equipment identification module, an equipment visual display module, an equipment basic information base, a registered equipment library, a network traffic library, an equipment detection result library and an equipment identification result library;
the equipment basic information base stores the basic information of the Internet of things terminal equipment permitted to access the power distribution network;
the registered equipment library stores the registration information of each Internet of things terminal device connected to the power distribution network;
the network traffic acquisition module acquires the real-time network traffic data of the power distribution network on the distribution network's core switch by switch port mirroring, and stores it in the network traffic library;
the equipment detection and feature extraction module analyzes the real-time network traffic data to detect the online terminal equipment communicating in the network in real time, extracts the characteristic data information of the online terminal equipment taking part in the communication, and stores the extracted characteristic data information in the equipment detection result library;
the equipment identification module identifies the equipment in the equipment detection result library using the equipment basic information base and the registered equipment library, and stores the identification results in the equipment identification result library;
the equipment visual display module displays all the equipment information in the equipment identification result library.
Further,
the basic information of Internet of things terminal equipment stored in the equipment basic information base comprises the unique equipment basic information identifier, manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type.
The individual information of Internet of things terminal equipment stored in the registered equipment library comprises the unique equipment identifier, IP address, MAC address, manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type.
The beneficial effects of the invention are as follows:
The invention provides a method and a system for real-time detection and identification of power distribution network Internet of things terminal equipment. The method collects the real-time network traffic of the operating distribution network by core switch port mirroring and detects online equipment from that traffic. During identification, the similarity between each online device and the registered equipment is calculated from the detection results, so that information such as the type and model of the online terminal equipment can be identified. By comparison and quantification, a real-time full-asset ledger of the distribution network's Internet of things terminal equipment can be generated, and illegal, counterfeit and suspicious equipment running in the network in real time can be found, which further improves the operating reliability and transparency of the distribution network.
Drawings
Fig. 1 is a schematic flow chart of a real-time detection and identification method of an internet-of-things terminal device of a power distribution network;
Fig. 2 is a schematic diagram of a detection flow of a terminal device in the real-time detection and identification method of the internet of things terminal device of the power distribution network;
Fig. 3 is a schematic diagram of a terminal equipment identification flow in the real-time detection and identification method of the internet of things terminal equipment of the power distribution network;
Fig. 4 is a schematic structural diagram of a real-time detection and identification system of an internet-of-things terminal device of a power distribution network.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. The described embodiments of the application are only some, but not all, embodiments of the application. Based on the spirit of the application, all other embodiments that those skilled in the art can obtain without inventive effort fall within the scope of the application.
As shown in fig. 1, the method for real-time detection and identification of the internet of things terminal equipment of the power distribution network disclosed by the application comprises the following steps:
Step 1: establishing a basic information base of the distribution network Internet of things terminal equipment;
Basic information is registered by device type for the Internet of things terminal devices that are admitted for network access in the power distribution network; each device type is assigned a device basic information unique identifier, and the basic information together with its unique identifier is stored in the device basic information base.
The device basic information unique identifier is mainly used when registering an individual device: if the individual device belongs to a certain device type, the corresponding basic information in the device basic information base can be selected directly as the information of the registered device. In a database, a key is typically used to mark the uniqueness of a record; when several data items would be needed to mark a record as unique, a unique identifier can be assigned to the record as its key instead. This unique identifier may be assigned automatically by the database system, and the user may specify its type as a number or a string. Here the device basic information unique identifier is the unique key of a basic information record and links the registered device library to the device basic information base: each registered device belongs to a device type whose members share the same device basic information, and when device basic information is specified for a registered device, the record in the basic information base is linked through this unique identifier.
In this embodiment of the invention, a MySQL database table stores the device basic information, with the basic information of each device type stored as one record in the table; one manufacturer may have multiple types of device products qualified for network access; multiple individual devices of the same product type may be connected to the power distribution network for use;
At any stage of distribution network operation, when a new type of Internet of things terminal device is admitted for network access, the basic information of that device type must be established before any individual device of the type joins the distribution network.
Step 2: establishing a power distribution network registration equipment library;
Each Internet of things terminal device connected to the distribution network is registered as an individual device. The registered information includes the IP address allocated to the device and the device's inherent MAC address; the individual device is associated, according to its category, with the basic information in the distribution network Internet of things terminal device basic information base, and each individual device is assigned a device unique identifier and stored in the registered device library. Associating individual devices with the basic information base by category avoids repeatedly entering a large amount of identical basic information when devices are registered; the identifier assigned to each registered device is likewise assigned automatically by the database system as the unique key of the device record, and its type may be a number or a string; this unique key only marks the registered device and is not used in what follows;
In this embodiment, a MySQL database table stores the registered device library, with the information of each device stored as one record in the table;
Admission means that a type of device is qualified for network access; joining the distribution network means that an individual device is physically connected to it; at any stage of distribution network operation, the information of each new Internet of things terminal device connected to the distribution network must be registered; unregistered terminal devices are not allowed to be connected to the power distribution network for use; a terminal device used in the distribution network without permission is an illegal device.
Step 3: detecting online terminal equipment in a power distribution network in real time;
Terminal devices that are connected to the distribution network and running online communicate with other devices over the network, which generates network data packets. By capturing the network data packets of this real-time communication, the device-related information of online terminal devices can be detected.
An illegal device connected to the power distribution network can interfere with or damage the operation of the network; it also generates network traffic packets when it communicates in the network, so illegal devices connected to the power distribution network can be found by detecting and analyzing the captured traffic packets;
Because network traffic is generated continuously, in this embodiment the captured real-time network traffic of the power distribution network is stored and analyzed in fixed interval periods; the period may be set to 3 minutes, 5 minutes, 10 minutes or another interval the user requires according to the actual application, and a suitable interval must take into account the scale of the power distribution network's structure and the volume of real-time network traffic data;
The invention preferably implements this step through steps 3.1 to 3.4, as shown in Fig. 2;
Step 3.1: collecting real-time network traffic of the operation of the power distribution network, and storing network traffic data into a network traffic library;
The network traffic collection module collects the real-time network traffic of power distribution network operation and stores the collected network traffic data in the network traffic library; in this embodiment, the network traffic collection module is implemented as a physical switch connected to a mirror port of the core switch of the power distribution network to collect traffic in real time, and the network traffic data is stored in the form of multiple traffic packet files.
Step 3.2: parsing the network traffic data packets of each fixed interval period, extracting the device feature information data items contained in the packets, and storing them as device feature information data records by IP address;
Terminal device information is detected from real-time network traffic using the IP address contained in each IP data packet as the device identifier; in this embodiment, a MySQL database table stores the device detection result library, where each record contains the feature information data items extracted by detection: the detected IP address and the data items extracted for that IP address, such as MAC address, vendor information, device type, device model, software and hardware version, OS version, protocol type, service port, service type, and the like;
In this embodiment, the fixed interval period is set to 5 minutes: the collected real-time network traffic is divided into 5-minute units, and all network traffic packets in each unit are detected and analyzed; the processing of the subsequent steps 4 and 5 and the refresh of the displayed detection and identification results follow the same fixed interval period;
While feature information is being extracted from network data packets, feature information for the same IP address may be extracted multiple times, and the results for the same IP address may be completely identical or partially different. In this embodiment, during step 3.2 the feature information data repeatedly extracted for the same IP address are stored in the database table as multiple separate data records.
Step 3.3: performing de-duplication operation on the extracted equipment characteristic information data record;
For multiple feature information data records extracted for the same IP address, if the values of all feature information data items in the records are identical, only one record is kept and the other duplicate records are deleted; if the records hold different values for some feature information data items, they are retained temporarily and merged in step 3.4;
Step 3.4: merging the extracted device feature information data records: data records that share an IP address but hold several different values for other feature information data items are merged item by item, so that each different value becomes a sub-item of that feature information data item;
After the processing in step 3.4, only one record is kept in the device detection result library for each IP address detected in the network traffic.
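The de-duplication and merging of steps 3.3 and 3.4, applied per fixed interval period, as an added Python example (not code from the patent). The record layout, the field names, the `ts` offset in seconds and the sample records are constructed assumptions; packet parsing is assumed to have already produced one record per packet.

```python
from collections import defaultdict

INTERVAL = 300  # fixed interval period in seconds (5 minutes in the embodiment)


def merge_window(records):
    """Steps 3.3 and 3.4 for one interval: exactly one output record per IP."""
    seen = defaultdict(lambda: defaultdict(list))
    for rec in records:
        fields = seen[rec["ip"]]          # the IP is the key item: always keep it
        for name, value in rec.items():
            if name in ("ip", "ts") or value in (None, ""):
                continue                  # item not extracted from this packet
            if value not in fields[name]: # step 3.3: drop identical repeats
                fields[name].append(value)
    merged = {}
    for ip, fields in seen.items():
        out = {"ip": ip}
        for name, values in fields.items():
            # step 3.4: several distinct values become sub-items of the item
            out[name] = values[0] if len(values) == 1 else values
        merged[ip] = out
    return merged


def detect(records, interval=INTERVAL):
    """Bucket per-packet records by interval start, then merge each bucket."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[rec["ts"] - rec["ts"] % interval].append(rec)
    return {start: merge_window(recs) for start, recs in sorted(buckets.items())}


# Constructed per-packet extraction records (ts = seconds since capture start).
SAMPLE = [
    {"ts": 0, "ip": "192.0.2.5", "mac": "00:11:22:33:44:55",
     "protocol_type": "HTTP", "service_port": "8080"},
    {"ts": 40, "ip": "192.0.2.5", "mac": "00:11:22:33:44:55",
     "protocol_type": "HTTP", "service_port": "8080"},   # identical repeat
    {"ts": 120, "ip": "192.0.2.5", "mac": "00:11:22:33:44:55",
     "protocol_type": "TFTP", "service_port": "69"},     # differs: merged
    {"ts": 200, "ip": "192.0.2.9"},                      # only the IP was seen
    {"ts": 310, "ip": "192.0.2.5", "protocol_type": "HTTP"},  # next interval
]

if __name__ == "__main__":
    for start, devices in detect(SAMPLE).items():
        print(start, devices)
```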
Step 4: identifying detected online terminal equipment in the power distribution network;
As shown in Fig. 3, for each detected online device feature information data record, the online device similarity is calculated with reference to the registered device information and the device basic information, which identifies the online device.
Step 4.1: looking up, in the registered device library, the IP address contained in each detected online device feature information data record, and marking online device data records whose IP address does not exist in the registered device library as illegal devices;
All terminal devices connected to the distribution network must be registered; terminal devices that are networked without registration are illegal devices, and illegal devices use unregistered IP addresses for network communication; in practice there are also network attacks in which a legitimate device is forced offline by technical means and then impersonated, with its IP address occupied for networked use, and such a device is called a counterfeit device; although a counterfeit device occupies the legitimate IP address registered by a legitimate device, its other device feature information data may differ, and this must be judged by calculating the device similarity;
Step 4.2: for an IP address that exists in the registered device library, the registered device information is associated with the basic information of that device type in the Internet of things terminal device basic information base, and the online device similarity is calculated;
The online device similarity is the degree of similarity obtained by comparing the feature information data items of the online device with those of the legitimate device that has the same IP address in the registered device library; those skilled in the art will recognize that there are many ways to calculate similarity, including Manhattan distance, log-likelihood similarity, the Pearson correlation coefficient, and so on. However, to obtain a better technical effect, this embodiment of the invention preferably calculates the similarity of the online terminal device as follows.
In this embodiment, each characteristic information data item is defined as a character string type, and the comparison of the same data item value between the online device and the registration device is performed by comparing the character strings;
Step 4.2.1: calculating a feature information vector of the online device data record;
The feature information of the online device is stored in the device detection result library and is compared with the feature information of the corresponding device in the registered device library. For that corresponding device, the IP address and MAC address are stored in the registered device library, and the other feature information is stored in the device basic information base. For each feature information data item of the online device data record other than the IP address, the value of the data item is compared with the corresponding data item of the terminal device associated with the same IP address in the registered device library. If the two are equal, the corresponding bit value of the feature information vector is set to 1. If the two are not equal, it is judged whether the data item of the online device data record is a substring of the corresponding data item in the device basic information base; if so, the corresponding bit value is set to the ratio of the substring length to the data item length. If the data item of the online device data record is a combined value, it is judged whether each sub-item of the combined value is a substring of the corresponding data item for that IP address in the registered device library, and the corresponding bit value is set to the sum of the substring length/data item length ratios. If the two are not equal and no substring exists, the corresponding bit value is set to 0. For a string such as "adeeegfbw", its substrings are the runs of consecutive characters that can be found in it, such as "ader" and "egfb". For example, the protocol type value in the basic information base is "SNMP FTP HTTP POP3", and the protocol type of a corresponding detected device in the device detection result library has 2 sub-items, "FTP" and "HTTP", which are substrings of the protocol type value in the basic information base.
In this embodiment, the feature information data items other than the IP address comprise 9 items: MAC address, vendor information, device type, device model, software and hardware version, OS version, protocol type, service port, and service type. The feature information vector of one detected online device data record therefore has length 9. In one example, the online device is identical to the corresponding registered device in all 9 feature information data items except the protocol type value, service port value and service type value: the online device protocol type value is "HTTP" and the corresponding registered device protocol type value is "FTP HTTP SMTP"; the online device service port value is "8080" and the corresponding registered device service port value is "21 8080 25"; the corresponding registered device service type value is "WEB". The generated feature information vector of the online device is (1, 1, 1, 1, 1, 1, 4/11, 4/8, 0), where space characters are ignored when calculating the string and substring lengths;
For the above example, in another case the online device protocol type data item is a combined value containing two sub-item values, "HTTP" and "FTP", while the corresponding registered device protocol type value is "FTP HTTP SMTP". Both sub-items are substrings of the registered device protocol type value, so the corresponding bit value of the feature information vector is set to the sum of the two substring length/data item length ratios, 4/11 + 3/11 = 7/11;
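The feature information vector of step 4.2.1, together with the registered-IP check of step 4.1, as an added Python example (not code from the patent). Field names and all sample values other than the protocol, port and "WEB" values quoted above are constructed; scoring a non-matching sub-item as 0 and capping a summed score at 1 are assumptions the text does not state.

```python
from fractions import Fraction

# The 9 feature items compared in step 4.2.1 (everything except the IP address).
FEATURES = ["mac", "vendor", "device_type", "model", "sw_hw_version",
            "os_version", "protocol_type", "service_port", "service_type"]


def length_no_spaces(value):
    """String length with space characters ignored, as in the worked example."""
    return len(value.replace(" ", ""))


def item_score(online, registered):
    """Score one feature item. `online` is a string, or a list of sub-items
    when step 3.4 merged several observed values into a combined value."""
    subitems = online if isinstance(online, list) else [online]
    subitems = [s for s in subitems if s]      # item not extracted: scores 0
    if not subitems or length_no_spaces(registered) == 0:
        return Fraction(0)
    if len(subitems) == 1 and subitems[0] == registered:
        return Fraction(1)
    # Sum of substring-length / data-item-length ratios over matching sub-items.
    # Assumption: a sub-item that is not a substring contributes 0.
    total = sum((Fraction(length_no_spaces(s), length_no_spaces(registered))
                 for s in subitems if s in registered), Fraction(0))
    return min(total, Fraction(1))             # assumption: cap at 1


def feature_vector(online_record, registered_devices, basic_info):
    """Return None when the IP is not in the registered device library
    (step 4.1: illegal device), otherwise the 9-element feature vector."""
    reg = registered_devices.get(online_record["ip"])
    if reg is None:
        return None
    # MAC comes from the registered device library, the rest from the
    # device basic information base, joined on the basic-info identifier.
    expected = dict(basic_info[reg["basic_info_id"]], mac=reg["mac"])
    return [item_score(online_record.get(name, ""), expected[name])
            for name in FEATURES]


# Constructed libraries; only the protocol/port/"WEB" values come from the text.
BASIC_INFO = {1: {"vendor": "ExampleCo", "device_type": "DTU", "model": "X-100",
                  "sw_hw_version": "2.1", "os_version": "Linux 4.9",
                  "protocol_type": "FTP HTTP SMTP",
                  "service_port": "21 8080 25", "service_type": "WEB"}}
REGISTERED = {"192.0.2.5": {"mac": "00:11:22:33:44:55", "basic_info_id": 1}}
ONLINE = {"ip": "192.0.2.5", "mac": "00:11:22:33:44:55", "vendor": "ExampleCo",
          "device_type": "DTU", "model": "X-100", "sw_hw_version": "2.1",
          "os_version": "Linux 4.9", "protocol_type": "HTTP",
          "service_port": "8080", "service_type": "FTP"}  # "FTP" is constructed

if __name__ == "__main__":
    print(feature_vector(ONLINE, REGISTERED, BASIC_INFO))
```

Under these assumptions, a combined value that contains the registered value plus an unexpected extra sub-item still scores 1, so multi-valued items are worth surfacing separately when reviewing results.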
Step 4.2.2: calculating an improved Euclidean distance of the online device;
The improved Euclidean distance between an online device and the device in the registered device library that has the same IP address is calculated according to the following formula:
where
d is the improved Euclidean distance of the online device,
x_i is the i-th value of the feature information vector of the online device data record,
n is the length of the feature information vector of the online device data record;
Mathematically, the generalized Euclidean distance refers to the true distance between two points in m-dimensional space:
In this method, the definition of Euclidean distance is extended: the online device and the corresponding registered device are converted into two points in n-dimensional space, where n is the length of the feature information vector of the online device data record, and the similarity between the two devices is obtained by calculating the distance between the two points; the closer the two points, the higher the similarity;
The method defines the corresponding vector value as 1 when the feature information data item values of the online device and the corresponding registered device are identical, so every corresponding registered device is defined as the vector (1, 1, ..., 1) in n-dimensional space. The reference point vector value x_j in the Euclidean distance formula (2) is therefore 1, as in formula (1);
In this method, considering the massive number of Internet of things terminal devices in the power distribution network, among which the feature information data items differ only slightly while individual devices lie far apart, a device degradation coefficient is added to the generalized Euclidean distance calculation to further improve the accuracy of device identification;
In this embodiment, for the feature information vector (1, 1, 1, 1, 1, 1, 4/11, 4/8, 0) from the example in step 4.2.1, the improved Euclidean distance between the online device and the corresponding registered device is calculated as 2.01;
Step 4.2.3: calculating the online device similarity
The similarity between the online device and the device in the registered device library that has the same IP address is calculated according to the following formula:
where
sim is the online device similarity,
d is the improved Euclidean distance of the online device;
In this embodiment, the improved Euclidean distance from the example in step 4.2.2 is 2.01, and the similarity between the online device and the corresponding registered device is calculated as 0.33;
Step 5: visually displaying the real-time detection and identification results of the online devices in the power distribution network;
The identification results of the online devices detected in real time in step 4 are displayed visually in the form of a terminal device full-asset ledger; the displayed content includes the values of all feature information data items of each device, and each identified device is marked as an illegal device, counterfeit device, suspicious device or trusted device according to similarity thresholds.
In the example, illegal devices are marked according to the marking result of step 4.1; for counterfeit, suspicious and trusted devices, the relevant thresholds are determined in advance and the device state is marked by comparing the online device similarity with the thresholds; in the example, based on operating experience with the power distribution network, an online device is judged and marked as a counterfeit device when its similarity is less than or equal to the threshold 0.17, as a suspicious device when its similarity is greater than the threshold 0.17 and less than the threshold 0.30, and as a trusted device when its similarity is greater than or equal to the threshold 0.30; in different embodiments the actual thresholds should be adjusted appropriately according to the accuracy of the identification results;
Steps 3 to 5 are repeated at the fixed interval period to detect and identify the online Internet of things terminal devices in the power distribution network.
As shown in fig. 4, the application also discloses a real-time detection and identification system for the internet of things terminal equipment of the power distribution network by using the real-time detection and identification method, which is characterized by comprising a network flow acquisition module, an equipment detection and feature extraction module, an equipment identification module, an equipment visual display module, an equipment basic information base, a registration equipment base, a network flow base, an equipment detection result base and an equipment identification result base.
The network traffic collection module collects real-time network traffic data of the power distribution network from its core switch by switch port mirroring. In this embodiment, the module is a physical switch connected to the mirror port of the core switch of the power distribution network, and collects the network traffic data by mirroring in a bypass deployment; the advantages of bypass deployment are that it does not interfere with normal communication in the power distribution network and requires no change to the original network architecture;
The device detection and feature extraction module analyzes the real-time network traffic data to detect the Internet of things terminal devices communicating in the network in real time, extracts the feature values of the devices participating in communication, and stores the device detection results in the device detection result library; in this embodiment, terminal devices are detected from network traffic by extracting the IP addresses of network data packets; network data packets also contain specific feature information data items of the terminal device, including vendor information, device type, device model, software and hardware version, OS version, protocol type, service port, service type, and the like; these device feature information data items are extracted and stored in the device detection result library;
The device identification module is used for comparing the device characteristic information in the device detection result library with the device information in the registered device library and the device information in the device basic information library, calculating the similarity between the detected device and the registered device, realizing the identification of the detected device, and storing the device identification result into the device identification result library;
The device visual display module uses computer visualization technology to display all device information in the device identification result library in the form of a full-asset ledger, and marks each identified device as an illegal device, counterfeit device, suspicious device or trusted device according to similarity thresholds.
The device basic information base stores, by device type, the basic information of all networked Internet of things terminal devices in the power distribution network; after an Internet of things terminal device manufacturer obtains network access qualification for the power distribution network, it provides the basic information of each type of product; in this example, the basic information of each product type includes feature information items such as the product's vendor information, device type, device model, software and hardware version, OS version, protocol type, service port, service type, and the like; the feature information items of each type are stored as one record of a database table, and a device basic information unique identifier is assigned to the type;
The registered device library stores, by individual device, the individual information of all networked Internet of things terminal devices in the power distribution network; each Internet of things terminal device connected to the power distribution network must register the feature information data of the individual device, including the IP address allocated to it and its inherent MAC address; the individual device is associated with the basic information of the corresponding product type in the device basic information base, and these feature information items together form the device individual information; the feature information items of each individual device are stored as one record of a database table, and a device unique identifier is assigned to the individual device;
The network traffic library stores the real-time network traffic data collected by the network traffic collection module; in this embodiment, the network traffic data is stored in the form of multiple traffic packet files; considering the continuity of real-time network traffic collection and the massive volume of data, the collected network traffic packet data is stored in units of the fixed interval period (which may be set to 3 minutes, 5 minutes, 10 minutes, etc.), and in each cycle of operation the device detection and feature extraction module processes the network traffic packets of one interval period;
The device detection result library stores the device feature information that the device detection and feature extraction module detects and extracts from real-time network traffic data; in this embodiment, for each network traffic packet, the detected and extracted feature information data items include IP address, MAC address, vendor information, device type, device model, software and hardware version, OS version, protocol type, service port, service type, and the like; the IP address is a key item and cannot be deleted, while the other feature information data items may differ with the content extracted from each data packet, and all or only part of them may be extractable; within a fixed interval period, the IP address of the same device may be detected and extracted multiple times, and the feature information extracted each time may be identical or different, so for the same IP address, extraction results with identical feature information must be de-duplicated, leaving only one record, and records for the same IP address whose other feature information values differ must be merged, combining the feature information of the multiple records with that IP address into one record; for example, if a device communicates using both HTTP and TFTP during an interval period, two different results, HTTP and TFTP, appear for the protocol type data item in the records for that device's IP address; the two records with different protocol type values must be merged into one record, whose protocol type data item then contains two sub-items: HTTP and TFTP;
The equipment identification result library is used for storing identification result information of online Internet of things terminal equipment in the power distribution network identified by the equipment identification module;
In this embodiment, the network traffic collection module of the real-time detection and identification system for distribution network Internet of things terminal devices is implemented as a network switch, the other modules of the system are implemented on a single independent general-purpose computer system, and the device basic information base, registered device library, network traffic library, device detection result library and device identification result library are stored in a MySQL database; the network switch that implements the network traffic collection module is connected over the network to the computer system that implements the other modules and the databases;
When the power distribution network is large and massive network traffic data must be processed, the real-time detection and identification system for distribution network Internet of things terminal devices can be connected and run in a distributed manner following the structure in this embodiment.
The present disclosure may also be a system, method, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for causing a processor to implement aspects of the present disclosure. Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. The real-time detection and identification method for the internet of things terminal equipment of the power distribution network is characterized by comprising the following steps of:
step 1: establishing a basic information base of the distribution network Internet of things terminal equipment; registering the basic information of the Internet of things terminal equipment that is allowed to access the power distribution network, and storing the basic information into an equipment basic information base;
step 2: establishing a power distribution network registration equipment library; for each Internet of things terminal device used in the power distribution network, registering the registration information per individual device and storing it as the power distribution network registration equipment library;
step 3: detecting online terminal equipment in the power distribution network in real time; acquiring real-time communication network data packets of online terminal equipment in the power distribution network, and detecting the characteristic information data of the online terminal equipment; this specifically comprises: collecting the real-time network traffic of the running power distribution network, and storing the network traffic data into a network traffic library; at fixed intervals, analyzing the network traffic data packets within the fixed interval time period, extracting the equipment characteristic information data items contained in the packets, and storing the extracted data items into equipment characteristic information data records according to IP address; the equipment characteristic information data items comprise the IP address, and the MAC address, manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type characteristic information data items extracted for that IP address; performing a de-duplication operation on the extracted equipment characteristic information data records: examining the extracted records that have the same IP address, and if the values of all their characteristic information data items are identical, retaining only one record and deleting the other repeated records; if the values of individual characteristic information data items differ, temporarily retaining these records and then proceeding to the merging operation; merging the extracted equipment characteristic information data records: data records that have the same IP address but several different values for other characteristic information data items are merged per characteristic information data item, so that each different value becomes a sub-item of that characteristic information data item;
step 4: identifying the detected online terminal equipment in the power distribution network: for each detected characteristic information data record of online terminal equipment, calculating the similarity of the online terminal equipment with reference to the registration information of the registered equipment and the equipment basic information, and identifying the online terminal equipment; this specifically comprises: looking up, in the power distribution network registration equipment library, the IP address contained in the detected characteristic information data record of the online terminal equipment, and marking any online terminal equipment data record whose IP address does not exist in the registration equipment library as illegal terminal equipment; for an online terminal equipment data record whose IP address exists in the registration equipment library, calculating the similarity of the online terminal equipment; when the similarity of the online equipment is less than or equal to the threshold 0.17, marking the online equipment as counterfeit equipment; when the similarity is greater than the threshold 0.17 and less than the threshold 0.30, marking the online equipment as suspicious equipment; and when the similarity is greater than or equal to the threshold 0.30, marking the online equipment as trusted equipment.
2. The real-time detection and identification method for the internet of things terminal equipment of the power distribution network according to claim 1, wherein the method comprises the following steps of:
in step 1, for the Internet of things terminal equipment that is allowed to access and be used in the power distribution network, basic information is registered per equipment type;
the registered basic information comprises the manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type characteristic information items of the equipment; each equipment type is assigned a unique equipment basic information identifier, and the characteristic information items and the unique identifier are stored into the equipment basic information base.
3. The real-time detection and identification method for the internet of things terminal equipment of the power distribution network according to claim 2, wherein the method comprises the following steps of:
in any stage of operation of the power distribution network, for a new type of terminal equipment of the Internet of things allowing access to the network, basic information of the type of terminal equipment is established before an individual of the type of equipment is connected to the power distribution network, and the basic information is added into an equipment basic information base.
4. The real-time detection and identification method for the internet of things terminal equipment of the power distribution network according to claim 1, wherein the method comprises the following steps of:
in step 2, the registration information of each Internet of things terminal device connected to and used in the power distribution network is registered per individual device; the registration information comprises the IP address and MAC address allocated to the device and the basic information corresponding to the device; each device is assigned a unique identifier, and the information is stored as the registration equipment library.
5. The real-time detection and identification method for the internet of things terminal equipment of the power distribution network according to claim 4, wherein the method comprises the following steps:
in any stage of operation of the power distribution network, for new terminal equipment of the Internet of things connected into the power distribution network, the registration information of the individual terminal equipment is established and updated to a registration equipment library of the power distribution network in real time.
6. The real-time detection and identification method for the internet of things terminal equipment of the power distribution network according to claim 1, wherein the method comprises the following steps of:
the calculating of the similarity of the online terminal equipment specifically comprises: calculating the characteristic information vector of the online equipment data record: for each characteristic information data item other than the IP address in the extracted online equipment data record, comparing its value with the corresponding characteristic information data item of the corresponding IP address in the power distribution network registration equipment library; if the two are equal, setting the corresponding bit value of the online equipment characteristic information vector to 1; if the two are not equal, judging whether the characteristic data item of the online equipment data record is a substring of the corresponding characteristic information data item of the corresponding IP address in the registration equipment library, and if it is a substring, setting the corresponding bit value of the online equipment characteristic information vector to the ratio of the substring length to the data item length; if the characteristic data item of the online equipment data record is a combined value, judging whether each sub-item of the combined value is a substring of the corresponding characteristic information data item of the corresponding IP address in the registration equipment library, and setting the corresponding bit value of the online equipment characteristic information vector to the sum of the substring length/data item length ratios; if the two are not equal and no substring exists, setting the corresponding bit value of the online equipment characteristic information vector to 0;
computing an improved Euclidean distance for the online equipment, comprising: the improved Euclidean distance between the online equipment and the equipment with the same corresponding IP address in the registered equipment library is calculated according to the formula defined below:
where
d is the improved Euclidean distance of the online equipment,
x_i is the i-th value of the characteristic information vector of the online equipment data record,
n is the length of the characteristic information vector of the online equipment data record;
calculating the similarity of the online equipment comprises: the similarity between the online equipment and the equipment with the same corresponding IP address in the registered equipment library is calculated according to the following formula:
where
sim is the similarity of the online equipment, and
d is the improved Euclidean distance of the online equipment.
7. The method for real-time detection and identification of an internet of things terminal device of a power distribution network according to claim 1, wherein the method for real-time detection and identification further comprises:
step 5: visually displaying real-time detection and identification results of power distribution network on-line equipment;
using a visualization method, displaying the identification results of the online equipment detected in real time in step 4 in the form of a full-asset ledger of terminal equipment, wherein the displayed content comprises the values of all characteristic information data items of the equipment, and the identified equipment is marked as illegal equipment, counterfeit equipment, suspicious equipment or trusted equipment according to the similarity threshold.
8. A real-time detection and identification system for internet of things terminal equipment of a power distribution network, which utilizes the real-time detection and identification method according to any one of claims 1-7, the system comprising: the device comprises a network flow acquisition module, a device detection and feature extraction module, a device identification module, a device visual display module, a device basic information base, a registered device base, a network flow base, a device detection result base and a device identification result base; the method is characterized in that:
the equipment basic information base is used for storing basic information of terminal equipment of the Internet of things which is allowed to enter the Internet of things in the power distribution network for use;
the registration equipment library is used for storing registration information of each terminal equipment of the Internet of things which is connected into the power distribution network;
the network flow acquisition module is used for acquiring real-time network flow data of the power distribution network on a core switch of the power distribution network in a switch port mirroring mode and storing the real-time network flow data into a network flow library;
the device detection and feature extraction module detects online terminal devices for real-time communication in a network from the flow through analyzing the flow data of the real-time network, extracts feature data information of the online terminal devices participating in the communication, and stores the extracted feature data information into a device detection result library;
the device identification module identifies the equipment in the equipment detection result library by using the equipment basic information library and the registered equipment library, and stores the equipment identification result into the equipment identification result library;
and displaying all the equipment information in the equipment identification result library through the equipment visual display module.
9. The real-time detection and identification system for internet of things terminal equipment of a power distribution network according to claim 8, wherein:
the basic information of the internet of things terminal equipment stored in the equipment basic information base comprises an equipment basic information unique identifier, manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type.
10. The real-time detection and identification system of the internet of things terminal equipment of the power distribution network according to claim 9, wherein the system is characterized in that:
the individual information of the internet of things terminal equipment stored in the registration equipment library comprises an equipment unique identifier, an IP address, an MAC address, manufacturer information, equipment type, equipment model, software and hardware version, OS version, protocol type, service port and service type.
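The de-duplication and merging of step 3, the per-item vector values of claim 6 and the labelling of step 4, as an added Python example that is not part of the patent. The record layout, field names and sample values are constructed assumptions; the substring ratio is taken against the registered item's length and an item that was not extracted scores 0 (both assumptions); because the formulas for d and sim are not reproduced in this section, the similarity is passed in as a number.

```python
# Feature items other than the key item (IP address), in vector order.
FEATURES = ("mac", "vendor", "device_type", "model", "version",
            "os_version", "protocol", "service_port", "service_type")

def merge_records(records):
    """De-duplicate and merge extracted records that share an IP address.

    Each record is a dict with an "ip" key plus any subset of FEATURES.
    Returns {ip: {feature: [distinct values, first-seen order]}}.
    """
    merged = {}
    for rec in records:
        slot = merged.setdefault(rec["ip"], {})
        for name in FEATURES:
            value = rec.get(name)
            if value is None:
                continue                  # item not extractable from this packet
            subitems = slot.setdefault(name, [])
            if value not in subitems:     # identical value: de-duplicated
                subitems.append(value)    # different value: becomes a sub-item
    return merged

def feature_score(subitems, registered):
    """Vector value for one data item, following the rules of claim 6."""
    if not subitems or not registered:
        return 0.0                        # assumption: missing item scores 0
    if len(subitems) == 1 and subitems[0] == registered:
        return 1.0                        # equal to the registered value
    # Substring (single or combined value): sum of len(sub) / len(registered).
    return sum((len(s) / len(registered) for s in subitems
                if s and s in registered), 0.0)

def feature_vector(online, registered):
    """Characteristic information vector of one merged online record."""
    return [feature_score(online.get(f, []), registered.get(f, ""))
            for f in FEATURES]

def label(ip, registry, similarity):
    """Step 4 labelling; `similarity` is computed elsewhere (see lead-in)."""
    if ip not in registry:
        return "illegal"
    if similarity <= 0.17:
        return "counterfeit"
    if similarity < 0.30:
        return "suspicious"
    return "trusted"

# Constructed sample data (documentation address ranges, made-up values).
REGISTRY = {
    "192.0.2.10": {"mac": "00:00:5e:00:53:01", "vendor": "ExampleVendor Co",
                   "device_type": "sensor", "model": "X1", "version": "1.0",
                   "os_version": "ExampleOS 2", "protocol": "HTTP/TFTP",
                   "service_port": "80", "service_type": "web"},
}
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "mac": "00:00:5e:00:53:01",
     "vendor": "ExampleVendor", "protocol": "HTTP"},
    {"ip": "192.0.2.10", "mac": "00:00:5e:00:53:01",
     "vendor": "ExampleVendor", "protocol": "HTTP"},   # exact duplicate
    {"ip": "192.0.2.10", "mac": "00:00:5e:00:53:01", "protocol": "TFTP"},
    {"ip": "192.0.2.99", "protocol": "HTTP"},           # not registered
]

if __name__ == "__main__":
    for ip, rec in merge_records(SAMPLE_RECORDS).items():
        if ip in REGISTRY:
            print(ip, rec, feature_vector(rec, REGISTRY[ip]))
        else:
            print(ip, rec, label(ip, REGISTRY, 0.0))
```

Under this reading of claim 6, a sub-item that is not registered (for example TFTP seen on a device registered only for HTTP) adds nothing to the item's value but does not lower it either, so unexpected protocols or ports need a separate check.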
CN202110974559.4A 2021-08-24 2021-08-24 Real-time detection and identification method and system for Internet of things terminal equipment of power distribution network Active CN113706100B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110974559.4A CN113706100B (en) 2021-08-24 2021-08-24 Real-time detection and identification method and system for Internet of things terminal equipment of power distribution network

Publications (2)

Publication Number Publication Date
CN113706100A (en) 2021-11-26
CN113706100B (en) 2023-12-05

Family

ID=78654462

Country Status (1)

Country Link
CN (1) CN113706100B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244727A (en) * 2021-12-15 2022-03-25 国网辽宁省电力有限公司沈阳供电公司 Instant generation method and system for power Internet of things communication panorama
CN114363206A (en) * 2021-12-28 2022-04-15 奇安信科技集团股份有限公司 Terminal asset identification method and device, computing equipment and computer storage medium
CN114979195A (en) * 2022-03-28 2022-08-30 国网浙江省电力有限公司金华供电公司 Internet of things access gateway control method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685249A (en) * 2012-05-30 2012-09-19 江苏南亿迪纳数字科技发展有限公司 Group identification (GID) system with global ubiquitous communication function and terminal identity recognition method thereof
CN109951289A (en) * 2019-01-25 2019-06-28 北京三快在线科技有限公司 A kind of recognition methods, device, equipment and readable storage medium storing program for executing
CN110503549A (en) * 2019-08-30 2019-11-26 中国工商银行股份有限公司 Data processing method, device, system, electronic equipment and medium
CN111401159A (en) * 2020-03-03 2020-07-10 北京三快在线科技有限公司 Hotel authentication management method and system, hotel management system and user terminal
CN111885106A (en) * 2020-06-16 2020-11-03 武汉零感网御网络科技有限公司 Internet of things safety management and control method and system based on terminal equipment characteristic information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant