CN113765880A - Power system network attack detection method based on space-time correlation - Google Patents

Power system network attack detection method based on space-time correlation Download PDF

Info

Publication number
CN113765880A
CN113765880A CN202110749077.9A CN202110749077A CN113765880A CN 113765880 A CN113765880 A CN 113765880A CN 202110749077 A CN202110749077 A CN 202110749077A CN 113765880 A CN113765880 A CN 113765880A
Authority
CN
China
Prior art keywords
matrix
power system
time
current
correlation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110749077.9A
Other languages
Chinese (zh)
Other versions
CN113765880B (en
Inventor
李坚
胡维昊
黄琦
鹿超群
张光斗
张真源
蔡东升
井实
易建波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN202110749077.9A priority Critical patent/CN113765880B/en
Publication of CN113765880A publication Critical patent/CN113765880A/en
Application granted granted Critical
Publication of CN113765880B publication Critical patent/CN113765880B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a power system network attack detection method based on space-time correlation, which comprises the steps of S1, extracting measured data in a power system, and forming a space-time matrix by the measured data; s2, constructing a time correlation function based on the volume Kalman filtering according to historical measurement data, and predicting the state of the power system at the next moment in a position; s3, constructing a Gaussian process regression model to obtain a spatial correlation function of the correlation nodes in the topological structure of the power system; and S4, performing feature extraction on the time correlation function and the space correlation function by adopting a neural network. The detection method provided by the invention is independent of system parameters, has universal applicability, can carry out real-time detection, has higher detection speed, and is different from a detection method based on a model.

Description

Power system network attack detection method based on space-time correlation
Technical Field
The invention belongs to the technical field of power system network attack detection, and particularly relates to a power system network attack detection method based on space-time correlation.
Background
The safety and stability of the electric energy supply are related to the social and economic production and the national safety. With the development of the internet, the power system gradually develops from a traditional physical power transmission network to an intelligent network physical system combining physical power transmission with network computing and communication systems. While the power system is intelligent, its complexity also brings new risks to safe operation. Among many risks, cyber attacks in power systems are not negligible.
The network attack in the power system aims at destroying or influencing the safe and stable operation of the power system, and the availability, integrity or confidentiality of data is destroyed by attacking the power information system, so that the control center cannot send out correct instructions in time to cause the fault of the power system. And the network attack has low cost, wide range, hidden attack behavior and various forms, and is extremely harmful to the safe and stable operation of the power system. In 2015, the Ukrainian power department in 12 months suffers from malicious code attack, and dozens of substations break down; venezuela 3 months in 2019 suffered from network and physical attacks, causing a power outage of the largest scale in history in that country. Many attack events rise to the national level, so that the attention on the network attack research of the power industry reaches a new height.
Among them, False Data Injection Attack (FDIA) is an important class of network Attack, and is also called stealth spoofing Attack, malicious Data Attack, and the like. Among the many types of network attacks, FDIA has proven to be one of the most concealed attacks. An attacker utilizes the traditional bug of bad data detection based on residual error to construct an attack vector, maliciously tampers the electric power measurement value, and injects a false control command to make the system state abnormal uncontrollable and endanger the stable operation of the electric power system. FDIA is directed to modifying stored or transmitted data and may be directed to data storage in data communication infrastructures, control centers, and even to remote terminal units for monitoring and data acquisition.
The FDIA was originally proposed by y.liu et al, and on the premise that an attacker can obtain configuration information of the power system, the FDIA can avoid bad data detection, but the result is limited to state estimation of the DC power flow model; an AC state estimation model is adopted in an actual power system, so a nonlinear FDI attack model is proposed, for example, Rahman et al researches nonlinear attack characteristics when an attacker has complete or incomplete knowledge about the current state of the system; in addition, Zhao et al relaxed the error by introducing the attack vector and proposed a prediction-based FDI attack model; the meaningful and the like construct a nonlinear attack model and maximize the attack effect by two constraint conditions of measuring value attack range and avoidance of bad data detection residual.
Correspondingly, with the research on the behavior of FDIA, timely and effective detection of FDIA also becomes an important ring for ensuring safe and reliable operation of the power system. As the attack vector of FDIA is constructed more and more covertly, the attack effect is also improved in the research, and therefore, it is more important to provide an effective detection method for FDIA. Hu et al adopts a measurement conversion method based on equivalent current to replace the traditional weighted least square state estimation, and combines a maximum weighted residual method to detect and identify error data; when spurious data is injected into the power system, the probability distribution of the measured data changes will deviate from the historical data, and in view of this characteristic, Gu et al detect FDIA by quantifying the dynamic changes of the measured data by referring to the Kullback-Leibler distance (KLD); considering the uncertainty of system nonlinearity and noise statistics, Rousian et al propose a detection method based on an adaptive square root unscented Kalman filter; bin Xie et al establishes a trust model based on graph theory, and compares a bus trust value obtained by calculation and update with a trust threshold value to detect whether malicious attack is received; in recent years, a plurality of detection methods based on a machine learning algorithm exist, but facing a large number of characteristics in a smart grid, the calculation complexity is increased, the attack detection speed is reduced, and Mohammad et al introduces Principal Component Analysis (PCA) to map data to a new space aiming at the dimensionality problem of grid data so as to reduce the dimensionality of measured data, thereby improving the calculation speed; in order to meet the real-time requirement of attack detection, Ding et al also propose an online detection mechanism based on Robust Principal Component Analysis (RPCA) with higher sensitivity; konstantinou et al, based on a data-driven approach, detect outliers based on a Local Outlier Factor (LOF) algorithm based on density, using cross-correlation and autocorrelation between multiple moments; yu et al propose an analysis technique using a combination of wavelet transform and deep neural networks to capture such inconsistencies, taking into account the deviation of temporal correlation caused by malicious data injection state vectors.
The detection method performs unilateral analysis of time or space on the power grid data, and the detection of the FDIA at present lacks correlation analysis of attack data on time and space.
Disclosure of Invention
The present invention is directed to provide a method for detecting network attacks of a power system based on space-time correlation, so as to solve or improve the above-mentioned problems.
In order to achieve the purpose, the invention adopts the technical scheme that:
a power system network attack detection method based on space-time correlation comprises the following steps:
s1, extracting measured data in the power system, and forming a space-time matrix by the measured data;
s2, constructing a time correlation function based on the volume Kalman filtering according to historical measurement data, and predicting the state of the power system at the next moment in a position;
s3, constructing a Gaussian process regression model to obtain a spatial correlation function of the correlation nodes in the topological structure of the power system;
and S4, performing feature extraction on the time correlation function and the space correlation function by adopting a neural network, and classifying the feature extraction into 0 and 1, wherein 0 represents non-attack, and 1 represents attack.
Further, in step S1, the measurement data in the power system are extracted, and the measurement data are formed into a space-time matrix, where the space-time matrix X is:
Figure BDA0003143793650000041
wherein x ism(tn) The measurement data of the m-th measurement position at the nth time is shown, the ith row represents the measurement data of the ith sensor at the nth time, the jth column represents the measurement data of the m sensor at the jth time, and n is larger than m.
Further, in step S2, constructing a time correlation function based on a volume kalman filter according to the historical measurement data, and predicting a state of the power system at a next time in a location includes:
s2.1, calculating volume points with equal weights according to a spherical radial volume criterion:
Figure BDA0003143793650000042
wherein, Pk/kAn estimated bias matrix for the current state at time k;
Figure BDA0003143793650000043
adopting current parameters estimated by CKF for k time;
Figure BDA0003143793650000044
i column of current at time k +1Equal-weight volumetric points; [ E ]]Is a constant matrix; epsiloniIs the ith column matrix [ E]The vector of (a);
s2.2, combining a measurement equation, estimating a current parameter according to the equal weight value volume point of the current:
Figure BDA0003143793650000045
Figure BDA0003143793650000046
wherein the content of the first and second substances,
Figure BDA0003143793650000047
an equal weight volume coefficient matrix of the current in the prediction process;
Figure BDA0003143793650000048
current parameters estimated in the prediction process at the moment k + 1;
s2.3, calculating an estimated deviation matrix of the current in the prediction process:
Figure BDA0003143793650000051
wherein, Pk+1/kAn estimated deviation matrix of the current state quantity at the moment k + 1;
s2.4, calculating an equivalent volume point of voltage measurement according to the estimated deviation matrix in the prediction process:
Figure BDA0003143793650000052
Figure BDA0003143793650000053
wherein the content of the first and second substances,
Figure BDA0003143793650000054
equal weight value volume points for measuring ith row voltage at the moment of k + 1;
s2.5, estimating voltage quantity measurement according to equal-weight volume points of the voltage quantity
Figure BDA0003143793650000055
Figure BDA0003143793650000056
S2.6, comparing the estimated voltage measurement value with the actually measured voltage measurement value, and correcting the gain coefficient:
Figure BDA0003143793650000057
wherein, Pvv.k+1Estimating a deviation matrix for the quantity measurement; pzz.k+1/kMeasuring a total deviation matrix for each quantity; pxz.k+1/kIs a cross covariance matrix; gk+1Is a gain factor;
s2.7, calculating a current estimation deviation matrix according to the gain coefficient:
Figure BDA0003143793650000058
Pk+1/k+1=Gk+1Pzz.k+1/kGk+1 T
wherein the content of the first and second substances,
Figure BDA0003143793650000061
the voltage value measured at the moment k + 1;
Figure BDA0003143793650000062
adopting a current parameter estimated by CKF for the k +1 moment; pk+1/k+1The estimated deviation matrix for the current at time k + 1.
Further, the step S3 is to construct a gaussian process regression model, including:
s3.1, constructing a prediction model of Gaussian process regression:
giving out a training set D { (X, Y) }, and obtaining a new input matrix X by learning the nonlinear mapping relation { f (·) | X → Y } of X to Y in the training set through Gaussian process regression*And predict a new output matrix Y*To obtain Y and Y*Joint gaussian distribution of (a):
Figure BDA0003143793650000063
wherein K (A, B) is a covariance matrix of A and B;
y is obtained by a Bayesian posterior probability formula*The posterior distribution of (1), i.e. the prediction model of gaussian process regression:
Figure BDA0003143793650000064
Figure BDA0003143793650000065
Figure BDA0003143793650000066
wherein the content of the first and second substances,
Figure BDA0003143793650000067
representing the GPR predicted output matrix Y*The mean value of (a); cov (Y)*) Represents Y*The covariance of (a);
s3.2, selecting a Gaussian kernel as a kernel function of Gaussian process regression, solving a hyper-parameter of the kernel function, establishing a log-likelihood function according to a training sample and a conditional probability by adopting a maximum likelihood estimation method, using the log-likelihood function as a target function L, and updating the hyper-parameter by maximizing the target function:
Figure BDA0003143793650000068
wherein θ ═ θ1,θ2...θn]Is a hyper-parameter set;
according to the maximum likelihood estimation method, the target function calculates the partial derivative of the parameter theta:
Figure BDA0003143793650000069
wherein the content of the first and second substances,
Figure BDA00031437936500000610
the partial derivatives are minimized by conjugate gradient method to obtain the optimal solution.
The power system network attack detection method based on the space-time correlation has the following beneficial effects:
according to the method, a measurement data matrix is extracted, time and space correlation analysis is respectively carried out on the measurement data according to a cubature Kalman filtering algorithm and Gaussian process regression to obtain corresponding time and space characteristics, then a neural network is used for carrying out characteristic extraction on the time and space characteristics, the characteristics are classified into 0 and 1, 0 represents that the characteristics are not attacked, and 1 represents that the characteristics are attacked.
The detection method provided by the invention is independent of system parameters, has universal applicability, can carry out real-time detection, has higher detection speed, and is different from a detection method based on a model.
Drawings
Fig. 1 is a schematic diagram of a 39-node system PMU configuration in the present invention (the red dotted area represents the attack region).
FIG. 2 is a flow chart of a cubature Kalman filtering algorithm of the present invention.
FIG. 3 is a flowchart of the GPR algorithm of the present invention.
Fig. 4 is a diagram illustrating a neural network feature extraction structure according to the present invention.
FIG. 5 is a time correlation test chart according to the third embodiment of the present invention.
FIG. 6 is a graph of spatial correlation testing in three embodiments of the present invention.
FIG. 7 is a graph showing the results of the detection in the third embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention is provided to facilitate the understanding of the present invention by those skilled in the art, but it should be understood that the present invention is not limited to the scope of the embodiments, and it will be apparent to those skilled in the art that various changes may be made without departing from the spirit and scope of the invention as defined and defined in the appended claims, and all matters produced by the invention using the inventive concept are protected.
According to the first embodiment of the application, the power system network attack detection method based on the space-time correlation comprises the following specific steps:
step S1, extracting measured data in the power system, and forming a space-time matrix by the measured data;
s2, constructing a time correlation function based on volume Kalman filtering according to historical measurement data, and predicting the state of the power system at the next moment in a position;
s3, constructing a Gaussian process regression model to obtain a spatial correlation function of the correlation nodes in the topological structure of the power system;
and step S4, performing feature extraction on the time correlation function and the space correlation function by adopting a neural network, and classifying the feature extraction into 0 and 1, wherein 0 represents that the time correlation function and the space correlation function are not attacked, and 1 represents that the time correlation function and the space correlation function are attacked.
According to the second embodiment of the present application, the first embodiment will be described in detail, which specifically includes:
step S1, extracting a measurement data matrix, which specifically includes:
forming measurement data of m measurement positions at n moments in the power system into an m x n space-time matrix:
Figure BDA0003143793650000081
wherein, the ith row represents the measured data of the ith sensor at n moments, the jth column represents the measured data of the m sensors at the jth moment, and n is more than m.
Step S2, time correlation analysis, which specifically includes:
the measurement data of a certain position in the power system show relevance in time, and a time relevance function based on the volume Kalman filtering is established based on the historical measurement data and is used for predicting the state of the position at the next moment.
The specific cubature Kalman filtering algorithm is as follows:
step S2.1, prediction process:
obtaining volume points with equal weight values according to a spherical radial volume criterion:
Figure BDA0003143793650000091
wherein, Pk/kAn estimated bias matrix for the current state at time k;
Figure BDA0003143793650000092
adopting current parameters estimated by CKF for k time;
Figure BDA0003143793650000093
the ith column of the current at the moment of k +1 is an equal weight volume point; [ E ]]Is a constant matrix; epsiloniIs the ith column matrix [ E]The vector of (2).
S2.2, combining a measurement equation, estimating a current parameter according to the equal-weight volume point of the current:
Figure BDA0003143793650000094
Figure BDA0003143793650000095
wherein the content of the first and second substances,
Figure BDA0003143793650000096
an equal weight volume coefficient matrix of the current in the prediction process;
Figure BDA0003143793650000097
the current parameter estimated during the prediction process at time k +1 is used.
S2.3, calculating an estimated deviation matrix of the current in the prediction process:
Figure BDA0003143793650000098
wherein, Pk+1/kAnd the estimated deviation matrix of the current state quantity at the moment k + 1.
Step S2.4, filtering: according to the estimated deviation matrix P in the prediction processk+1/kCalculating the equivalent volume point of the voltage measurement:
Figure BDA0003143793650000099
Figure BDA0003143793650000101
wherein the content of the first and second substances,
Figure BDA0003143793650000102
and (4) equal weight value capacity points measured for the ith column voltage at the moment k + 1.
Step S2.5, voltage quantity measurement is estimated according to the equal-weight volume points of the voltage quantity:
Figure BDA0003143793650000103
step S2.6, comparing the estimated voltage measurement value with the actually measured voltage measurement value to further correct the gain coefficient:
Figure BDA0003143793650000104
wherein, Pvv.k+1Estimating a deviation matrix for the quantity measurement; pzz.k+1/kMeasuring a total deviation matrix for each quantity; pxz.k+1/kIs a cross covariance matrix; gk+1Is a gain factor.
Step S2.7, calculating a current estimation deviation matrix according to the gain coefficient:
Figure BDA0003143793650000105
Pk+1/k+1=Gk+1Pzz.k+1/kGk+1 T
wherein the content of the first and second substances,
Figure BDA0003143793650000106
the voltage value measured at the moment k + 1;
Figure BDA0003143793650000107
adopting a current parameter estimated by CKF for the k +1 moment; pk+1/k+1The estimated deviation matrix for the current at time k + 1.
Step S3, spatial correlation analysis:
the correlation nodes in the topological structure of the power system have correlation relations based on physical characteristics, and unknown node data can be conjectured through known node data at a certain moment by constructing the correlation relations of the correlation nodes (including supervised nodes and unsupervised nodes) in a Gaussian process regression model research area.
The specific Gaussian Process Regression (GPR) principle is as follows:
s3.1, constructing a GPR prediction model, which specifically comprises the following steps:
giving out a training set D { (X, Y) }, and obtaining a new input matrix X by the GPR through learning a nonlinear mapping relation { f (·) | X → Y } from X to Y in the training set*And predict a new output matrix Y*To obtain Y and Y*A connection ofAnd Gaussian distribution:
Figure BDA0003143793650000111
wherein K (A, B) is a covariance matrix of A and B;
y is obtained by Bayes posterior probability formula*The posterior distribution of (a), the GPR prediction model:
Figure BDA0003143793650000112
Figure BDA0003143793650000113
Figure BDA0003143793650000114
wherein the content of the first and second substances,
Figure BDA0003143793650000115
representing the GPR predicted output matrix Y*Average value of cov (Y)*) Represents Y*The covariance of (a).
Step S3.2, determining a kernel function and a hyper-parameter, which specifically includes:
the smoothness and periodicity of the data can be better mined by selecting a proper kernel function. GPR can perform prior expression on a data set through a kernel function, and the nonlinear relation is mapped to a feature space and converted into a linear relation
The invention selects a Gaussian kernel as a kernel function of a GPR (general purpose processor), establishes a log-likelihood function as a target function L according to a training sample and a conditional probability by adopting a maximum likelihood estimation method for solving a hyper-parameter of the kernel function, and updates the hyper-parameter by maximizing the target function:
Figure BDA0003143793650000116
wherein θ ═ θ1,θ2...θn]Is a hyper-parameter set;
according to the maximum likelihood estimation method, the target function calculates the partial derivative of the parameter theta:
Figure BDA0003143793650000117
wherein the content of the first and second substances,
Figure BDA0003143793650000118
and finally, minimizing the partial derivative by a conjugate gradient method to obtain an optimal solution.
Step S4, extracting space-time characteristic quantity by the neural network:
and (3) performing feature extraction on the time characteristics and the space characteristics by using a neural network, and finally classifying the time characteristics and the space characteristics into 0 and 1, wherein 0 represents non-attack, and 1 represents attack.
According to the third embodiment of the present application, the algorithm of the present invention is verified by specific cases, which specifically include:
step S1, fig. 1 shows a PMU assembly diagram for a 39-node power system, where the dashed area represents the measurement point for spurious data injection. Extracting PMU measurement voltage and current data within 0-10s, wherein the system frequency is 60HZ, and obtaining two 9 x 600 data matrixes.
Step S2, referring to fig. 2, extracting row matrices of the voltage matrix and the current matrix, respectively, and performing time correlation analysis of the volume kalman filter algorithm;
initializing an algorithm;
calculating ith row equal weight value volume point of current at k +1 moment
Figure BDA0003143793650000121
Figure BDA0003143793650000122
Estimating current parameters
Figure BDA0003143793650000123
Figure BDA0003143793650000124
Calculating an estimated deviation matrix P of the current during the prediction processk+1/k
Figure BDA0003143793650000125
Calculating the equal weight volume point of the voltage
Figure BDA0003143793650000126
Figure BDA0003143793650000127
Estimating a voltage parameter
Figure BDA0003143793650000131
Figure BDA0003143793650000132
Comparing the estimated voltage measurement value with the actually measured voltage measurement value to correct the gain coefficient:
Figure BDA0003143793650000133
calculating a current estimate bias matrix P from the gain coefficientsk+1/k+1
Pk+1/k+1=Gk+1Pzz.k+1/kGk+1 T
So as to circulate; and ending when k meets the cycle number.
The time correlation simulation result graph is shown in fig. 5.
Step S3, referring to fig. 3, extracting a row matrix of the current measurement matrix, and performing GPR algorithm analysis on spatial correlation:
selecting a Gaussian kernel function as a kernel function of the GPR, and solving the hyperparameter by using a maximum likelihood estimation method:
Figure BDA0003143793650000134
Figure BDA0003143793650000135
training the obtained prior model by using a learning sample pair, optimizing a hyper-parameter theta, and obtaining an optimal hyper-parameter;
testing the obtained posterior model by using the test sample, and outputting the prediction mean value corresponding to the prediction point
Figure BDA0003143793650000136
And variance cov (Y)*)。
The spatial correlation test result graph is shown in fig. 6.
Step S4, using a neural network to extract the characteristics of the measurement matrix, wherein the structure diagram is shown in FIG. 4; the detection accuracy is shown in fig. 7; it can be seen that the detection method proposed by the present invention has high accuracy.
The detection method provided by the invention is independent of system parameters, has universal applicability, can carry out real-time detection, has higher detection speed, and is different from a detection method based on a model.
While the embodiments of the invention have been described in detail in connection with the accompanying drawings, it is not intended to limit the scope of the invention. Various modifications and changes may be made by those skilled in the art without inventive step within the scope of the appended claims.

Claims (4)

1. A power system network attack detection method based on space-time correlation is characterized by comprising the following steps:
s1, extracting measured data in the power system, and forming a space-time matrix by the measured data;
s2, constructing a time correlation function based on the volume Kalman filtering according to historical measurement data, and predicting the state of the power system at the next moment in a position;
s3, constructing a Gaussian process regression model to obtain a spatial correlation function of the correlation nodes in the topological structure of the power system;
and S4, performing feature extraction on the time correlation function and the space correlation function by adopting a neural network, and classifying the feature extraction into 0 and 1, wherein 0 represents non-attack, and 1 represents attack.
2. The method for detecting the cyber attack of the power system based on the spatio-temporal correlation as claimed in claim 1, wherein the step S1 is to extract the measured data in the power system and form the measured data into a spatio-temporal matrix, and the spatio-temporal matrix X is:
Figure FDA0003143793640000011
wherein x ism(tn) The measurement data of the m-th measurement position at the nth time is shown, the ith row represents the measurement data of the ith sensor at the nth time, the jth column represents the measurement data of the m sensor at the jth time, and n is larger than m.
3. The method for detecting the cyber attack of the power system based on the spatio-temporal correlation according to claim 1, wherein the step S2 is performed by constructing a time correlation function based on a volumetric kalman filter according to the historical measurement data, and predicting the state of the power system at a next moment in a location, including:
s2.1, calculating volume points with equal weights according to a spherical radial volume criterion:
Figure FDA0003143793640000021
wherein, Pk/kAn estimated bias matrix for the current state at time k;
Figure FDA0003143793640000022
adopting current parameters estimated by CKF for k time;
Figure FDA0003143793640000023
the ith column of the current at the moment of k +1 is an equal weight volume point; [ E ]]Is a constant matrix; epsiloniIs the ith column matrix [ E]The vector of (a);
s2.2, combining a measurement equation, estimating a current parameter according to the equal weight value volume point of the current:
Figure FDA0003143793640000024
Figure FDA0003143793640000025
wherein the content of the first and second substances,
Figure FDA0003143793640000026
an equal weight volume coefficient matrix of the current in the prediction process;
Figure FDA0003143793640000027
current parameters estimated in the prediction process at the moment k + 1;
s2.3, calculating an estimated deviation matrix of the current in the prediction process:
Figure FDA0003143793640000028
wherein, Pk+1/kAn estimated deviation matrix of the current state quantity at the moment k + 1;
s2.4, calculating an equivalent volume point of voltage measurement according to the estimated deviation matrix in the prediction process:
Figure FDA0003143793640000029
Figure FDA00031437936400000210
wherein the content of the first and second substances,
Figure FDA00031437936400000211
equal weight value volume points for measuring ith row voltage at the moment of k + 1;
s2.5, estimating voltage quantity measurement according to equal-weight volume points of the voltage quantity
Figure FDA0003143793640000031
Figure FDA0003143793640000032
S2.6, comparing the estimated voltage measurement value with the actually measured voltage measurement value, and correcting the gain coefficient:
Figure FDA0003143793640000033
wherein, Pvv.k+1Estimating a deviation matrix for the quantity measurement; pzz.k+1/kMeasuring a total deviation matrix for each quantity; pxz.k+1/kIs a cross covariance matrix; gk+1Is a gain factor;
s2.7, calculating a current estimation deviation matrix according to the gain coefficient:
Figure FDA0003143793640000034
Pk+1/k+1=Gk+1Pzz.k+1/kGk+1 T
wherein the content of the first and second substances,
Figure FDA0003143793640000035
the voltage value measured at the moment k + 1;
Figure FDA0003143793640000036
adopting a current parameter estimated by CKF for the k +1 moment; pk+1/k+1The estimated deviation matrix for the current at time k + 1.
4. The method for detecting the network attack of the power system based on the spatio-temporal correlation as claimed in claim 1, wherein the step S3 of constructing a gaussian process regression model comprises:
s3.1, constructing a prediction model of Gaussian process regression:
giving out a training set D { (X, Y) }, and obtaining a new input matrix X by learning the nonlinear mapping relation { f (·) | X → Y } of X to Y in the training set through Gaussian process regression*And predict a new output matrix Y*To obtain Y and Y*Joint gaussian distribution of (a):
Figure FDA0003143793640000037
wherein K (A, B) is a covariance matrix of A and B;
y is obtained by a Bayesian posterior probability formula*The posterior distribution of (1), i.e. the prediction model of gaussian process regression:
Figure FDA0003143793640000041
Figure FDA0003143793640000042
Figure FDA0003143793640000043
wherein the content of the first and second substances,
Figure FDA0003143793640000044
representing the GPR predicted output matrix Y*The mean value of (a); cov (Y)*) Represents Y*The covariance of (a);
s3.2, selecting a Gaussian kernel as a kernel function of Gaussian process regression, solving a hyper-parameter of the kernel function, establishing a log-likelihood function according to a training sample and a conditional probability by adopting a maximum likelihood estimation method, using the log-likelihood function as a target function L, and updating the hyper-parameter by maximizing the target function:
Figure FDA0003143793640000045
wherein θ ═ θ1,θ2...θn]Is a hyper-parameter set;
according to the maximum likelihood estimation method, the target function calculates the partial derivative of the parameter theta:
Figure FDA0003143793640000046
wherein the content of the first and second substances,
Figure FDA0003143793640000047
the partial derivatives are minimized by conjugate gradient method to obtain the optimal solution.
CN202110749077.9A 2021-07-01 2021-07-01 Power system network attack detection method based on space-time correlation Active CN113765880B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110749077.9A CN113765880B (en) 2021-07-01 2021-07-01 Power system network attack detection method based on space-time correlation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110749077.9A CN113765880B (en) 2021-07-01 2021-07-01 Power system network attack detection method based on space-time correlation

Publications (2)

Publication Number Publication Date
CN113765880A true CN113765880A (en) 2021-12-07
CN113765880B CN113765880B (en) 2022-05-20

Family

ID=78787556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110749077.9A Active CN113765880B (en) 2021-07-01 2021-07-01 Power system network attack detection method based on space-time correlation

Country Status (1)

Country Link
CN (1) CN113765880B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114867022A (en) * 2022-06-07 2022-08-05 电子科技大学 FDI attack detection method in wireless sensor network positioning process
CN115051872A (en) * 2022-06-30 2022-09-13 苏州科技大学 Attack detection method considering attack signal and unknown disturbance based on interconnected CPS
CN116708026A (en) * 2023-08-03 2023-09-05 国网冀北电力有限公司 Method and device for detecting network attack of direct-current micro-grid and estimating global state
CN117014224A (en) * 2023-09-12 2023-11-07 联通(广东)产业互联网有限公司 Network attack defense method and system based on Gaussian process regression

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361678A (en) * 2018-11-05 2019-02-19 浙江工业大学 A kind of intelligent network connection automobile automatic cruising system false data detection method for injection attack
CN111027058A (en) * 2019-11-12 2020-04-17 深圳供电局有限公司 Method for detecting data attack in power system, computer equipment and storage medium
CN111031064A (en) * 2019-12-25 2020-04-17 国网浙江省电力有限公司杭州供电公司 Method for detecting power grid false data injection attack
CN111917569A (en) * 2020-05-25 2020-11-10 杭州电子科技大学 Method for evaluating network attack resistance stability of power system by using missed report attack model
CN112116138A (en) * 2020-09-09 2020-12-22 山东科技大学 Power system prediction state estimation method and system based on data driving

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361678A (en) * 2018-11-05 2019-02-19 浙江工业大学 A kind of intelligent network connection automobile automatic cruising system false data detection method for injection attack
CN111027058A (en) * 2019-11-12 2020-04-17 深圳供电局有限公司 Method for detecting data attack in power system, computer equipment and storage medium
CN111031064A (en) * 2019-12-25 2020-04-17 国网浙江省电力有限公司杭州供电公司 Method for detecting power grid false data injection attack
CN111917569A (en) * 2020-05-25 2020-11-10 杭州电子科技大学 Method for evaluating network attack resistance stability of power system by using missed report attack model
CN112116138A (en) * 2020-09-09 2020-12-22 山东科技大学 Power system prediction state estimation method and system based on data driving

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114867022A (en) * 2022-06-07 2022-08-05 电子科技大学 FDI attack detection method in wireless sensor network positioning process
CN115051872A (en) * 2022-06-30 2022-09-13 苏州科技大学 Attack detection method considering attack signal and unknown disturbance based on interconnected CPS
CN116708026A (en) * 2023-08-03 2023-09-05 国网冀北电力有限公司 Method and device for detecting network attack of direct-current micro-grid and estimating global state
CN116708026B (en) * 2023-08-03 2023-10-24 国网冀北电力有限公司 Method and device for detecting network attack of direct-current micro-grid and estimating global state
CN117014224A (en) * 2023-09-12 2023-11-07 联通(广东)产业互联网有限公司 Network attack defense method and system based on Gaussian process regression
CN117014224B (en) * 2023-09-12 2024-01-30 联通(广东)产业互联网有限公司 Network attack defense method and system based on Gaussian process regression

Also Published As

Publication number Publication date
CN113765880B (en) 2022-05-20

Similar Documents

Publication Publication Date Title
CN113765880B (en) Power system network attack detection method based on space-time correlation
CN112333194B (en) GRU-CNN-based comprehensive energy network security attack detection method
WO2023084279A1 (en) Modeling of adversarial artificial intelligence in blind false data injection against ac state estimation in smart grid security, safety and reliability
CN109936568A (en) A kind of preventing malicious attack sensor data acquisition method based on Recognition with Recurrent Neural Network
Ibor et al. Novel hybrid model for intrusion prediction on cyber physical systems’ communication networks based on bio-inspired deep neural network structure
Ayad et al. Mitigation of false data injection attacks on automatic generation control considering nonlinearities
CN113409166A (en) XGboost model-based method and device for detecting abnormal electricity consumption behavior of user
Mestav et al. Universal data anomaly detection via inverse generative adversary network
Li et al. Graph-based detection for false data injection attacks in power grid
Tian et al. Software trustworthiness evaluation model based on a behaviour trajectory matrix
Xiao et al. Nonlinear polynomial graph filter for anomalous IoT sensor detection and localization
Alpaño et al. Multilayer perceptron with binary weights and activations for intrusion detection of cyber-physical systems
Deng et al. Detecting intelligent load redistribution attack based on power load pattern learning in cyber-physical power systems
CN117407770A (en) High-voltage switch cabinet fault mode classification and prediction method based on neural network
Li et al. Real-time detecting false data injection attacks based on spatial and temporal correlations
Pu et al. Detection mechanism of FDI attack feature based on deep learning
CN114978586B (en) Power grid attack detection method and system based on attack genes and electronic equipment
CN115510978A (en) Industrial control system intrusion detection method and device and electronic equipment
Feng et al. Stochastic games for power grid coordinated defence against coordinated attacks
Wang et al. F-DDIA: A framework for detecting data injection attacks in nonlinear cyber-physical systems
CN115145790A (en) False data injection attack detection method and system for smart power grid
Chen et al. An improved GraphSAGE to detect power system anomaly based on time-neighbor feature
Zhao et al. Abnormal Detection of Industrial Control System Based on LSTM and GSK Algorithm Customized by Taguchi Method
Hu et al. Detection of False Data Injection Attacks in Smart Grids Under Power Fluctuation Uncertainty Based on Deep Learning
CN113537383B (en) Method for detecting abnormal flow of wireless network based on deep migration reinforcement learning

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant