CN113765720A - Service interaction feature extraction method based on electric power communication network flow - Google Patents
Service interaction feature extraction method based on electric power communication network flow Download PDFInfo
- Publication number
- CN113765720A CN113765720A CN202111064654.7A CN202111064654A CN113765720A CN 113765720 A CN113765720 A CN 113765720A CN 202111064654 A CN202111064654 A CN 202111064654A CN 113765720 A CN113765720 A CN 113765720A
- Authority
- CN
- China
- Prior art keywords
- service
- data
- packet
- data packets
- communication network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000003993 interaction Effects 0.000 title claims abstract description 51
- 238000004891 communication Methods 0.000 title claims abstract description 50
- 238000000605 extraction Methods 0.000 title claims abstract description 22
- 238000000034 method Methods 0.000 claims abstract description 51
- 230000002159 abnormal effect Effects 0.000 claims abstract description 39
- 230000005540 biological transmission Effects 0.000 claims abstract description 26
- 238000004364 calculation method Methods 0.000 claims abstract description 25
- 238000001514 detection method Methods 0.000 claims abstract description 6
- 230000008569 process Effects 0.000 claims description 19
- 230000004044 response Effects 0.000 claims description 16
- 230000002452 interceptive effect Effects 0.000 claims description 15
- 238000005065 mining Methods 0.000 claims description 4
- 238000001914 filtration Methods 0.000 claims description 3
- 238000012545 processing Methods 0.000 claims description 3
- 239000000284 extract Substances 0.000 abstract description 7
- 238000004458 analytical method Methods 0.000 abstract description 5
- 230000000737 periodic effect Effects 0.000 abstract description 5
- 230000009286 beneficial effect Effects 0.000 abstract description 2
- 238000012544 monitoring process Methods 0.000 abstract description 2
- 238000005516 engineering process Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 6
- 230000005856 abnormality Effects 0.000 description 3
- 238000009825 accumulation Methods 0.000 description 2
- 238000007418 data mining Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The invention discloses a service interaction feature extraction method based on electric power communication network flow, which comprises the steps of collecting the flow of an electric power communication network and constructing original data; analyzing the original data to obtain meta-information below a transmission layer; counting the characteristics of the meta information to realize abnormal detection and alarm; and sequentially carrying out service initialization and feature calculation so as to extract and obtain the final service interaction feature. The method integrates the three parts of acquisition, analysis and feature calculation, increases the reverse feedback between the acquisition and the analysis, can completely extract the periodic interaction features of stable services at any node and any time period in the power communication network in real time, ensures that the same service generates a consistent service feature set, is beneficial to understanding service interaction logic, is convenient for monitoring and managing the service operation state, and has high reliability and good practicability.
Description
Technical Field
The invention belongs to the technical field of power grid data mining, and particularly relates to a service interaction feature extraction method based on power communication network flow.
Background
With the development of economic technology and the improvement of living standard of people, electric energy becomes essential secondary energy in production and life of people, and brings endless convenience to production and life of people. Therefore, ensuring stable and reliable supply of electric energy is one of the most important tasks of the power system.
The power communication network can realize information interaction between the power control system and the physical equipment; the power communication network is mainly used for carrying power industry control system services. Within a power communication network, traffic has its own inherent properties, mainly expressed as stability, periodicity and finiteness. The same service comprises stable service logic and is embodied in a similar data interaction process. Therefore, by mining the service interaction characteristics, the power grid personnel can be helped to understand the service internal logic more clearly.
With the continuous development of industrial informatization, the power industry and advanced information communication and computing technologies have achieved deep fusion, and the power communication network has achieved the acquisition and transmission of mass data. The increase in data volume presents challenges to data management and network optimization. At present, operation and maintenance personnel cannot realize service analysis in a manual mode, and need to abstract service interaction characteristics by utilizing data mining. In addition, for the encrypted transmission method adopted to solve the industrial internet security problem, researchers cannot use the data packet payload to describe the service characteristics.
Disclosure of Invention
The invention aims to provide a service interaction feature extraction method based on power communication network flow, which can completely and real-timely extract periodic interaction features of stable service at any node and any time interval in a power communication network, and has high reliability and good practicability.
The invention provides a service interaction feature extraction method based on electric power communication network flow, which comprises the following steps:
s1, collecting the flow of a power communication network and constructing original data;
s2, analyzing the original data acquired in the step S1 to obtain meta-information below a transmission layer; counting the characteristics of the meta information to realize abnormal detection and alarm;
and S3, sequentially carrying out service initialization and feature calculation on the meta information acquired in the step S2, and thus extracting and obtaining the final service interaction feature.
Step S1, collecting the flow of the power communication network, specifically copying and collecting the flow data of the power communication network in real time by a mirror image collection technology; and an abnormal response node is added in the acquisition process, and an alarm is given when the acquisition is abnormal.
The method is characterized in that an abnormal response node is added in the acquisition process, and an alarm is given out when the acquisition is abnormal, and the method specifically comprises the following steps:
firstly, counting the number of data packets in unit time and the average time interval between the data packets;
then, judging whether the acquisition abnormity occurs or not;
and finally, when the abnormal acquisition is judged to occur, the abnormal response node immediately stops the acquisition process, releases the acquired cache data and automatically resumes the acquisition after a set time.
Analyzing the original data obtained in the step S1 in the step S2 to obtain meta information below a transport layer, specifically analyzing the original data obtained in the step S1 by using packet granularity; meanwhile, only the packet meta-information below the transport layer is parsed.
The analyzing the data packet meta-information below the transport layer specifically analyzes the following data packet meta-information: the packet's timestamp, packet header length, number of payload bytes, source IP address, destination IP address, source port, destination port, transport protocol, packet FIN, SYN, PSH, RST, ACK, CWR, URG, ECE configuration identification, and initialization window size.
The characteristic of the statistical meta-information described in step S2 is to analyze and obtain the meta-information of the data packets, and calculate the number of the data packets in unit time, the average time interval between the data packets, and the statistical characteristic of the number of the service types.
The step S2 of implementing anomaly detection and alarm specifically includes adopting the following rules to determine whether an acquisition anomaly occurs and alarm:
the average value of the number of the data packets is mu when the statistics is carried out in a stable statepacketVariance is
Packet time interval average of muIOTVariance is
Mean value of number of services is muserviceVariance is
R1, if the number of the data packets in the current time period is less than mupacket-3σpacketAnd the average time interval between data packets is (mu)IOT-3σIOT,μIOT+3σIOT) If the flow rate is abnormal, judging that the flow rate is abnormal for mining, and alarming;
r2, if the current time interval service number is (mu)service-3σservice,μservice+3σservice) The number of the data packets is (mu)packet-3σpacket,μpacket) Interval and average interval time between data packets is greater than muIOT+3σIOTIf so, judging the abnormality of network fluctuation caused by network congestion and giving an alarm;
r3, if the current time interval service number is (mu)service,μservice+3σservice) The number of the data packets is more than mupacketAnd the average interval time between data packets is less than muIOT-3σIOTIf so, judging that the network fluctuation is abnormal due to the newly added nodes in the communication network topology, and giving an alarm.
The service initialization of step S3 specifically includes the following steps:
A. setting the extraction period duration and the minimum data packet number;
B. and initializing the service by adopting the following rules:
aiming at PMU and fault filtering service, carrying out service initialization through set extraction period duration;
aiming at the stable control, electric energy acquisition and confidence protection services, carrying out service initialization through the set minimum data packet number;
and aiming at the telemechanical service, carrying out service initialization through interactive integrity.
The feature calculation in step S3 specifically includes the following steps:
a. processing the first data in the information set:
if the first data is response data, deleting the response data until the first data is request data;
b. dividing the processed data into forward data and backward data according to the transmission direction;
c. respectively calculating the number of data packets, the number of bytes of the data packets, a time interval of the data packets, configuration information and a transmission rate aiming at the forward data and the backward data; the number of the data packets is used for representing a service interaction mode; the number of bytes of the data packet is used for representing the information amount of the service load; the data packet time interval is used for representing the service interaction frequency; the configuration information is used for representing the type of the service load; the transmission rate is used to indicate the bandwidth occupied by the traffic.
The calculation of the number of the data packets, the number of bytes of the data packets, the time interval of the data packets, the configuration information and the transmission rate, specifically, the calculation of the number of the data packets and the configuration information, which are all realized by adopting accumulation calculation and counting the configuration identifiers of the data packets in a cycle reading period; and aiming at the number of bytes of the data packet, the time interval of the data packet and the transmission rate, five statistics of the total amount, the maximum value, the minimum value, the mean value and the variance are added to measure the stability of the interactive process.
The feature calculation specifically comprises the following steps:
when the feature calculation is carried out, releasing a corresponding memory space for the information set which is subjected to the calculation;
releasing abnormal data occupying memory time longer than the least common multiple of all service periods;
and setting the upper limit of the duration of the extraction period to limit the service data cached at one time in the period.
The method for extracting the service interaction characteristics based on the power communication network flow integrates the three parts of acquisition, analysis and characteristic calculation, increases the reverse feedback between the acquisition and the analysis, can completely extract the periodic interaction characteristics of stable service at any node and any time period in the power communication network in real time, ensures that the same service generates a consistent service characteristic set, is beneficial to understanding the service interaction logic, is convenient for monitoring and managing the service operation state, and has high reliability and good practicability.
Drawings
FIG. 1 is a schematic process flow diagram of the process of the present invention.
Fig. 2 is a schematic view of the electric power communication network flow mirror image acquisition in the method of the present invention.
Fig. 3 is a schematic diagram of a result of extracting traffic characteristics of a first area of the power communication network in the method of the present invention.
Fig. 4 is a schematic diagram of a statistical result of the traffic characteristics of the first area of the power communication network in the method of the present invention.
Fig. 5 is a schematic diagram of a service feature extraction result of a power communication network PMU in the method of the present invention.
Fig. 6 is a schematic diagram of a power communication network trust protection service feature extraction result in the method of the present invention.
Fig. 7 is a schematic diagram of a result of extracting telemechanical service features of the power communication network in the method of the present invention.
Detailed Description
FIG. 1 is a schematic flow chart of the method of the present invention: the invention provides a service interaction feature extraction method based on electric power communication network flow, which comprises the following steps:
s1, collecting the flow of a power communication network and constructing original data; specifically, the method comprises the steps of copying and collecting flow data of the power communication network in real time through a mirror image collection technology (as shown in fig. 2); an abnormal response node is added in the acquisition process, and an alarm is given when the acquisition is abnormal;
in addition, an abnormal response node is added in the acquisition process, and an alarm is given out when the acquisition is abnormal, and the method specifically comprises the following steps:
firstly, counting the number of data packets in unit time and the average time interval between the data packets;
then, judging whether the acquisition abnormity occurs or not;
finally, when the abnormal acquisition is judged to occur, the abnormal response node immediately stops the acquisition process, releases the acquired cache data and automatically resumes the acquisition after a set time;
the network flow mirror image acquisition technology is a mature application type technology, but the situation of flow missing acquisition still exists in the acquisition process, and the flow change caused by network fluctuation cannot be sensed, and the method adds an abnormal response node on the mirror image acquisition technology to solve the problem of unstable interaction characteristic results caused by network abnormality or missing acquisition, wherein the node can respond to the alarm information sent out in the abnormal judgment process of S2;
s2, analyzing the original data acquired in the step S1 to obtain meta-information below a transmission layer; counting the characteristics of the meta information to realize abnormal detection and alarm; the IEC protocol data in the power system is transmitted by adopting a TCP/IP mode, although the payload of the data packet is transmitted by adopting a plaintext at present, a data encryption technology is introduced in the future due to safety considerations, so that the method does not analyze the content of the payload, and only analyzes the meta-information of the data packet below a transmission layer, specifically analyzes the meta-information of the data packet below a transmission layer: the method comprises the steps of packet time stamp, packet header length, byte number of load, source IP address, destination IP address, source port, destination port, transmission protocol, configuration identification of data packets FIN, SYN, PSH, RST, ACK, CWR, URG and ECE, and initialization window size;
analyzing and obtaining data packet meta-information, and calculating the number of data packets in unit time, the average time interval between the data packets and the statistical characteristics of the number of the service types; in addition, only one group of variables is set for caching the characteristics, and the storage space occupancy rate is reduced by iteratively updating and recording the statistics in the previous time period;
in addition, the following rules are adopted to judge whether the abnormal collection occurs and give an alarm: the average value of the number of the data packets is mu when the statistics is carried out in a stable statepacketVariance is
Packet time interval average of muIOTVariance is
Mean value of number of services is muserviceVariance is
R1, if the number of the data packets in the current time period is less than mupacket-3σpacketAnd the average time interval between data packets is (mu)IOT-3σIOT,μIOT+3σIOT) If the flow rate is abnormal, judging that the flow rate is abnormal for mining, and alarming;
r2, if the current time interval service number is (mu)service-3σservice,μservice+3σservice) The number of the data packets is (mu)packet-3σpacket,μpacket) Interval and average interval time between data packets is greater than muIOT+3σIOTIf so, judging the abnormality of network fluctuation caused by network congestion and giving an alarm;
r3, if the current time interval service number is (mu)service,μservice+3σservice) The number of the data packets is more than mupacketAnd the average interval time between data packets is less than muIOT-3σIOTJudging that the network fluctuation is abnormal due to the newly added nodes in the communication network topology, and giving an alarm;
s3, sequentially carrying out service initialization and feature calculation on the meta information acquired in the step S2, and thus extracting and obtaining final service interaction features; the method specifically comprises the following steps:
A. setting the extraction period duration and the minimum data packet number; although the service in the power system has periodic characteristics, the periods of different services are different, and the interaction period of the same service is different among different devices, the method defines the number of minimum data packets and the interaction integrity as the service initialization judgment standard through the user-defined period;
B. adopting the following rules to initialize the service;
aiming at PMU and fault filtering service, carrying out service initialization through set extraction period duration;
aiming at the stable control, electric energy acquisition and confidence protection services, carrying out service initialization through the set minimum data packet number;
initializing the service through interactive integrity aiming at the telemechanical service;
in specific implementation, the feature calculation comprises the following steps:
a. processing the first data in the information set:
if the first data is response data, deleting the response data until the first data is request data;
b. dividing the processed data into forward data and backward data according to the transmission direction;
c. respectively calculating the number of data packets, the number of bytes of the data packets, a time interval of the data packets, configuration information and a transmission rate aiming at the forward data and the backward data; the number of the data packets is used for representing a service interaction mode; the number of bytes of the data packet is used for representing the information amount of the service load; the data packet time interval is used for representing the service interaction frequency; the configuration information is used for representing the type of the service load; the transmission rate is used for expressing the bandwidth occupied by the service;
the number of the data packets and the configuration information are calculated by accumulation, and the calculation is realized by the configuration identifier counting of the data packets in a cycle reading period; aiming at the number of bytes of a data packet, the time interval and the transmission rate of the data packet, five statistics of total amount, maximum value, minimum value, mean value and variance are increased to measure the stability of the interaction process;
meanwhile, the feature calculation comprises the following steps:
when the feature calculation is carried out, releasing a corresponding memory space for the information set which is subjected to the calculation;
releasing abnormal data occupying memory time longer than the least common multiple of all service periods;
and setting the upper limit of the duration of the extraction period to limit the service data cached at one time in the period.
The process of the invention is further illustrated below with reference to specific examples:
in embodiment 1, a result of extracting multi-class service interaction features in an actual power communication network is shown, and the inherent stability of the flow of the power communication network in a real scene is analyzed for anomaly detection and judgment; the embodiment 2 shows the interactive characteristics of PMU service, which is used for representing the characteristic result extracted from the time plane; the interactive characteristics of the trust-preserving service are shown in the embodiment 3, and the service is used for representing the characteristic result extracted from the spatial level; the interactive features of the telemechanical service are shown in example 4, and the service is used to represent the sign results extracted from the complete level of the service.
Example 1: the embodiment refers to fig. 3 (in the figure, a source IP and a destination IP are hidden for security) based on the result of the service interaction feature extracted from the traffic of a region in the power communication network; wherein the predefined period is 1 minute, and the predefined minimum number of packets is 1000. The first zone flow contains plural types of services such as PMU, telemechanical, and the like, the interaction characteristics of the same service among different devices are different, and the services among the same devices have consistency and stability, fig. 4 is a normalized graph of the service type, the number of data packets, and the time interval in unit time of the first zone flow, wherein the unit time contains the maximum value of the service number 9, the minimum value 5, the mode number and the median 7; the average value of the number of the data packets in unit time is 4030, and the standard deviation is 51; the mean value of the packet time intervals in unit time is 7376.57 milliseconds, the standard deviation is 273 milliseconds, and the standard deviation between the number of packets and the time intervals is much smaller than the mean value, so that the traffic per minute in a region contains the number of the service types, and the number of packets and the packet time intervals have stability, so that whether the traffic in the current period is abnormal or not can be judged according to the statistical value.
Example 2: this embodiment extracts the PMU service interaction feature in the power communication network, and refers to fig. 5 (in the figure, the source IP and the destination IP are hidden for security), where the predefined period is 1 minute, and the predefined minimum number of packets is 1000. The PMU service interaction period is short, the frequency is high, a plurality of service interaction processes are included in the predefined period, and the number of the data packets is larger than the predefined minimum number of the data packets, so that the PMU service realizes the extraction of service interaction characteristics through the predefined period. Three characteristics of the number of bytes of the data packet, the time interval of the data packet and the service transmission rate are average statistical values in a predefined period, and it can be seen that each dimension characteristic of PMU forward/return data has stability, wherein the fluctuation of the forward data is greater than that of the return data, which indicates that the stability of the return data is better.
Example 3: the present embodiment extracts the interactive features of the trust protection service in the power communication network, and refers to fig. 6 (in the figure, the source IP and the destination IP are hidden for security), where the predefined period is 1 minute and the predefined minimum number of packets is 1000. As the sum of the number of the forward/backward data packets is less than 1000 in the predefined period and the data amount is not enough to represent the service interaction feature, the service meta-information is continuously cached, when the total data packet is greater than 1000, the service is initialized and the service interaction feature is calculated, and as a result, the average time length of the data transmission of the service for 1000 is 97.9 seconds, and the service interaction feature counted according to the minimum number of the data packets also has stability, as shown in table 1 below:
TABLE 1 Interactive characteristics schematic Table
Example 4: the present embodiment extracts the interactive features of telemechanical services in the power communication network, and refers to fig. 7 (in the figure, the source IP and the destination IP are hidden for security), where the predefined period is 1 minute, and the predefined minimum number of packets is 1000. The telecontrol service has complete interactive logic, so the feature extraction process is not limited by a predefined period and the minimum number of data packets, and the extraction result shows that the service period is 5 minutes, the average value of the number of forward packets in the complete interactive period is 43.8, the standard deviation is 1.19, the number of return packets is 29.5, the standard deviation is 1.44, and the standard deviation is far smaller than the average value, so that the number of the forward/return data packets in the complete interactive period has stability. Similarly, the statistics of the number of bytes of the data packet, the transmission rate, the time interval and the configuration information are shown in the following table 2:
TABLE 2 Interactive characteristics schematic Table
The embodiment shows that the method can completely and real-timely extract the periodic interaction characteristics of any node in the power communication network and stable service in any time period, and has high reliability and good practicability.
Claims (10)
1. A service interaction feature extraction method based on electric power communication network flow comprises the following steps:
s1, collecting the flow of a power communication network and constructing original data;
s2, analyzing the original data obtained in the step S1 to obtain meta-information below a transmission layer; counting the characteristics of the meta information to realize abnormal detection and alarm;
and S3, sequentially carrying out service initialization and feature calculation on the meta information acquired in the step S2, and thus extracting and obtaining the final service interaction feature.
2. The method for extracting service interaction features based on power communication network traffic as claimed in claim 1, wherein the step S1 is to collect the traffic of the power communication network, specifically to copy and collect the traffic data of the power communication network in real time by using a mirror image collection technique; an abnormal response node is added in the acquisition process, and an alarm is given when the acquisition is abnormal; the method is characterized in that an abnormal response node is added in the acquisition process, and an alarm is given out when the acquisition is abnormal, and the method specifically comprises the following steps:
firstly, counting the number of data packets in unit time and the average time interval between the data packets;
then, judging whether the acquisition abnormity occurs or not;
and finally, when the abnormal acquisition is judged to occur, the abnormal response node immediately stops the acquisition process, releases the acquired cache data and automatically resumes the acquisition after a set time.
3. The method according to claim 2, wherein the step S2 is configured to parse the raw data obtained in the step S1 to obtain meta information below a transport layer, specifically, parse the raw data obtained in the step S1 by packet granularity; meanwhile, only the packet meta-information below the transport layer is parsed.
4. The method for extracting service interaction features based on power communication network traffic as claimed in claim 3, wherein the parsing of the packet meta-information below the transport layer is specifically parsing of the packet meta-information below: the packet's timestamp, packet header length, number of payload bytes, source IP address, destination IP address, source port, destination port, transport protocol, packet FIN, SYN, PSH, RST, ACK, CWR, URG, ECE configuration identification, and initialization window size.
5. The method for extracting service interaction features based on power communication network traffic as claimed in claim 4, wherein the features of the statistical meta-information in step S2 are specifically to analyze and obtain the meta-information of the data packets, and calculate the number of data packets in a unit time, the average time interval between data packets, and the statistical features of the number of service types.
6. The method for extracting service interaction features based on power communication network traffic as claimed in claim 5, wherein the step S2 is implemented to detect and alarm the exception, specifically, the following rules are adopted to determine whether the collection exception occurs and alarm:
the average value of the number of the data packets is mu when the statistics is carried out in a stable statepacketVariance is
Packet time interval average of muIOTVariance is
Mean value of number of services is muserviceVariance is
R1, if the number of the data packets in the current time period is less than mupacket-3σpacketAnd the average time interval between data packets is (mu)IOT-3σIOT,μIOT+3σIOT) If the flow rate is abnormal, judging that the flow rate is abnormal for mining, and alarming;
r2, if the current time interval service number is (mu)service-3σservice,μservice+3σservice) The number of the data packets is (mu)packet-3σpacket,μpacket) Interval and average interval time between data packets is greater than muIOT+3σIOTThen it is determined to belong toThe network fluctuation is abnormal due to network congestion and an alarm is given;
r3, if the current time interval service number is (mu)service,μservice+3σservice) The number of the data packets is more than mupacketAnd the average interval time between data packets is less than muIOT-3σIOTIf so, judging that the network fluctuation is abnormal due to the newly added nodes in the communication network topology, and giving an alarm.
7. The method for extracting service interaction features based on power communication network traffic as claimed in claim 6, wherein the service initialization in step S3 specifically includes the following steps:
A. setting the extraction period duration and the minimum data packet number;
B. and initializing the service by adopting the following rules:
aiming at PMU and fault filtering service, carrying out service initialization through set extraction period duration;
aiming at the stable control, electric energy acquisition and confidence protection services, carrying out service initialization through the set minimum data packet number;
and aiming at the telemechanical service, carrying out service initialization through interactive integrity.
8. The method for extracting service interaction features based on power communication network traffic as claimed in claim 7, wherein the feature calculation in step S3 specifically includes the following steps:
a. processing the first data in the information set:
if the first data is response data, deleting the response data until the first data is request data;
b. dividing the processed data into forward data and backward data according to the transmission direction;
c. respectively calculating the number of data packets, the number of bytes of the data packets, a time interval of the data packets, configuration information and a transmission rate aiming at the forward data and the backward data; the number of the data packets is used for representing a service interaction mode; the number of bytes of the data packet is used for representing the information amount of the service load; the data packet time interval is used for representing the service interaction frequency; the configuration information is used for representing the type of the service load; the transmission rate is used to indicate the bandwidth occupied by the traffic.
9. The method for extracting service interaction features based on power communication network traffic as claimed in claim 8, wherein the calculation of the number of data packets, the number of bytes of data packets, the time interval of data packets, the configuration information and the transmission rate, specifically the calculation of the number of data packets and the configuration information, is implemented by accumulating calculation and counting configuration identifiers of data packets in a cycle reading period; and aiming at the number of bytes of the data packet, the time interval of the data packet and the transmission rate, five statistics of the total amount, the maximum value, the minimum value, the mean value and the variance are added to measure the stability of the interactive process.
10. The method for extracting service interaction features based on power communication network traffic as claimed in claim 9, wherein the feature calculation specifically further comprises the following steps:
when the feature calculation is carried out, releasing a corresponding memory space for the information set which is subjected to the calculation;
releasing abnormal data occupying memory time longer than the least common multiple of all service periods;
and setting the upper limit of the duration of the extraction period to limit the service data cached at one time in the period.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111064654.7A CN113765720B (en) | 2021-09-09 | 2021-09-09 | Service interaction feature extraction method based on power communication network flow |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111064654.7A CN113765720B (en) | 2021-09-09 | 2021-09-09 | Service interaction feature extraction method based on power communication network flow |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113765720A true CN113765720A (en) | 2021-12-07 |
| CN113765720B CN113765720B (en) | 2023-10-24 |
Family
ID=78794934
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111064654.7A Active CN113765720B (en) | 2021-09-09 | 2021-09-09 | Service interaction feature extraction method based on power communication network flow |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113765720B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101500017A (en) * | 2008-01-28 | 2009-08-05 | 饶翔 | Method for providing service based on flow and system thereof |
| CN102420701A (en) * | 2011-11-28 | 2012-04-18 | 北京邮电大学 | Method for extracting internet service flow characteristics |
| CN103532776A (en) * | 2013-09-30 | 2014-01-22 | 广东电网公司电力调度控制中心 | Service flow detection method and system |
| CN107733937A (en) * | 2017-12-01 | 2018-02-23 | 广东奥飞数据科技股份有限公司 | A kind of Abnormal network traffic detection method |
| CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
| CN110417612A (en) * | 2019-06-11 | 2019-11-05 | 北京全路通信信号研究设计院集团有限公司 | A kind of Network Traffic Monitoring System and method based on network element |
| CN112134871A (en) * | 2020-09-16 | 2020-12-25 | 天津大学 | Abnormal flow detection device and method for energy internet information support network |
| CN113162820A (en) * | 2021-03-04 | 2021-07-23 | 睿石网云(杭州)科技有限公司 | Method for performing evidence-obtaining analysis on performance fault of application system |
-
2021
- 2021-09-09 CN CN202111064654.7A patent/CN113765720B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101500017A (en) * | 2008-01-28 | 2009-08-05 | 饶翔 | Method for providing service based on flow and system thereof |
| CN102420701A (en) * | 2011-11-28 | 2012-04-18 | 北京邮电大学 | Method for extracting internet service flow characteristics |
| CN103532776A (en) * | 2013-09-30 | 2014-01-22 | 广东电网公司电力调度控制中心 | Service flow detection method and system |
| CN107733937A (en) * | 2017-12-01 | 2018-02-23 | 广东奥飞数据科技股份有限公司 | A kind of Abnormal network traffic detection method |
| CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
| CN110417612A (en) * | 2019-06-11 | 2019-11-05 | 北京全路通信信号研究设计院集团有限公司 | A kind of Network Traffic Monitoring System and method based on network element |
| CN112134871A (en) * | 2020-09-16 | 2020-12-25 | 天津大学 | Abnormal flow detection device and method for energy internet information support network |
| CN113162820A (en) * | 2021-03-04 | 2021-07-23 | 睿石网云(杭州)科技有限公司 | Method for performing evidence-obtaining analysis on performance fault of application system |
Non-Patent Citations (2)
| Title |
|---|
| 曾彬;张大方;黎文伟;谢高岗;张广兴;: "面向网络行为特征分析的网络监测系统设计及实现" * |
| 潘成胜;刘勇;石怀峰;杨力;: "SDN架构下的空间信息网络业务识别技术" * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113765720B (en) | 2023-10-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110401642A (en) | A kind of acquisition of industry control flow and protocol analysis method | |
| US10404732B2 (en) | System and method for automated network monitoring and detection of network anomalies | |
| Gogoi et al. | Packet and flow based network intrusion dataset | |
| EP4277207A2 (en) | Network telemetry collection with packet metadata filtering | |
| US7903657B2 (en) | Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor | |
| CN105429977A (en) | Method for monitoring abnormal flows of deep packet detection equipment based on information entropy measurement | |
| CN103532940A (en) | Network security detection method and device | |
| US20210194894A1 (en) | Packet metadata capture in a software-defined network | |
| CN105337951A (en) | Method and device carrying out path backtracking for system attack | |
| WO2022151680A1 (en) | Automata-based internet of things device flow anomaly detection method and apparatus | |
| KR20210115991A (en) | Method and apparatus for detecting network anomaly using analyzing time-series data | |
| CN106375295B (en) | Data store monitoring method | |
| CN110929896A (en) | Security analysis method and device for system equipment | |
| CN112153020A (en) | Industrial control flow analysis method and device | |
| Cho et al. | Aguri: An aggregation-based traffic profiler | |
| CN116257021A (en) | Intelligent network security situation monitoring and early warning platform for industrial control system | |
| CN106372171B (en) | Monitor supervision platform real-time data processing method | |
| CN113765720B (en) | Service interaction feature extraction method based on power communication network flow | |
| CN117560196A (en) | Intelligent substation secondary system testing system and method | |
| EP3576365B1 (en) | Data processing device and method | |
| Evangelou et al. | Predictability of netflow data | |
| CN113938306B (en) | Trusted authentication method and system based on data cleaning rule | |
| CN114244727A (en) | Instant generation method and system for power Internet of things communication panorama | |
| CN101459546A (en) | Recognition method and apparatus for peer-to-peer node flow | |
| Ramaki et al. | Enhancement intrusion detection using alert correlation in co-operative intrusion detection systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |