CN113794742A - High-precision detection method for FDIA of power system - Google Patents

Publication number
CN113794742A
Authority
CN
China
Prior art keywords
power system
gru
time
cnn
network layer
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111365343.4A
Other languages
Chinese (zh)
Other versions
CN113794742B (en)
Inventor
张莹
顾晔
陈甜妹
徐天天
岑雷扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Zhejiang Zhedian Tendering Consulting Co ltd
Materials Branch of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Zhejiang Zhedian Tendering Consulting Co ltd
Materials Branch of State Grid Zhejiang Electric Power Co Ltd
Application filed by State Grid Zhejiang Zhedian Tendering Consulting Co ltd, Materials Branch of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202111365343.4A
Publication of CN113794742A
Application granted
Publication of CN113794742B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Electricity, gas or water supply
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a high-precision detection method for FDIA of a power system, which comprises the following steps: acquiring historical data packets and power monitoring historical data of a power system; training the GRU with the training sample set until the loss function value of the GRU is lower than the loss function threshold, so as to obtain a trained GRU state prediction model; the power system receives data packets and detects power monitoring data; the trained GRU state prediction model obtains an estimated value of the network layer characteristics of the data packets received by the power system at time $t_{n+1}$ and an estimated value of the power monitoring data; the power system actually receives data packets and actually detects the power monitoring data; the GRU state prediction model judges whether the power system is subjected to FDIA at time $t_{n+1}$. In the invention, the GRU is trained using both the network layer characteristics in the historical data packets and the power monitoring historical data, and the trained GRU state prediction model is markedly more accurate in judging whether the power system is subjected to FDIA.

Description

High-precision detection method for FDIA of power system
Technical Field
The invention relates to a high-precision detection method for FDIA (false data injection attack) of a power system, belonging to the field of power system monitoring methods.
Background
As traditional power systems become intelligent, their risk of information attacks increases, and FDIA (false data injection attack) is a common type of information attack to which power systems are subjected. For FDIA detection, in the prior art, a grid state value is analyzed with a trained GRU prediction model to determine whether a power system is subjected to FDIA. However, experienced attackers often disguise the data in an FDIA, so the GRU prediction model easily misjudges false data as real data, which greatly restricts the detection accuracy of the trained GRU prediction model for FDIA.
Disclosure of Invention
The present invention provides a method for detecting FDIA in an electrical power system with high accuracy, which overcomes the shortcomings of the prior art.
The technical scheme adopted by the invention is as follows:
A high-precision detection method for FDIA of a power system comprises the following steps:
Step S1: obtain the historical data packets and power monitoring historical data of the power system within the time period $[t_1, t_{n-3}]$;
Step S2: extract the network layer characteristics in the historical data packets using the CNN, combine the network layer characteristics in the historical data packets with the power monitoring historical data to form a training sample set, and train the GRU with the training sample set until the loss function value of the GRU is lower than the loss function threshold, so as to obtain a trained GRU state prediction model;
Step S3: the power system receives data packets and detects power monitoring data $x_n$ at time $t_n$, and the CNN is used to extract the network layer characteristics $x_n'$ in the data packets received by the power system at time $t_n$;
Step S4: the trained GRU state prediction model uses $x_n$ and $x_n'$ to obtain the estimated value $a_{n+1}'$ of the network layer characteristics of the data packets received by the power system at time $t_{n+1}$ and the estimated value $a_{n+1}$ of the power monitoring data;
Step S5: the power system actually receives data packets at time $t_{n+1}$ and actually detects power monitoring data $x_{n+1}$, and the CNN is used to extract the network layer characteristics $x_{n+1}'$ in the data packets actually received by the power system at time $t_{n+1}$;
Step S6: the GRU state prediction model judges whether the power system is subjected to FDIA at time $t_{n+1}$ by comparing $a_{n+1}'$ with $x_{n+1}'$ and comparing $a_{n+1}$ with $x_{n+1}$.
The invention has the beneficial effects that:
Whether the power monitoring data is abnormal is the most intuitive sign of whether FDIA has occurred, and is correspondingly an important index for judging whether FDIA has occurred. However, data in an FDIA is often disguised, and the power monitoring data of the power system fluctuates greatly, so if the GRU is trained only on the power monitoring historical data of the power system, the trained GRU state prediction model is in practice low in stability and accuracy.
When FDIA occurs, because the power system is in a networked state, the FDIA not only tampers with the monitoring data of the power system but also affects the data packets received by the power system, so that the network layer characteristics in the data packets change abnormally. Because changing the network layer characteristics in the data packets is not the attacker's intended goal in FDIA, the change is often ignored by the attacker, who therefore does not actively falsify the network layer characteristics in the data packets. In addition, the network layer characteristics are more stable than the power monitoring data, so even if disguise is attempted, it is more difficult. Therefore, in the invention, the GRU is trained using both the network layer characteristics in the historical data packets and the power monitoring historical data, and the trained GRU state prediction model is markedly more accurate in judging whether the power system is subjected to FDIA, so that the effect of the attacker's data disguise can be effectively reduced while stability is greatly improved.
The invention uses the CNN to match the power monitoring historical data with the network layer characteristics in the historical data packets and trains the GRU state prediction model on both together. When the trained GRU state prediction model judges whether the power system is subjected to FDIA at time $t_{n+1}$, it considers not only the power monitoring data of the power system at time $t_{n+1}$ but can also analyze the network layer characteristics in the data packets received by the power system at time $t_{n+1}$, and it combines the two factors to judge whether the power monitoring data of the power system and the network layer characteristics in the received data packets are abnormal at time $t_{n+1}$.
In step S1 of the invention, the time period $[t_1, t_{n-3}]$ contains the times $t_1, t_2, \dots, t_{n-3}$; all the historical data packets acquired by the power system correspond to the times $t_1, t_2, \dots, t_{n-3}$ respectively; all the power monitoring historical data acquired by the power system are $x_1, x_2, \dots, x_{n-3}$, which correspond to the times $t_1, t_2, \dots, t_{n-3}$ respectively. In step S2, the network layer characteristics corresponding to all the historical data packets are $x_1', x_2', \dots, x_{n-3}'$ respectively, where the network layer characteristic of the historical data packet corresponding to time $t_\alpha$ is $x_\alpha'$, $n-3 \ge \alpha \ge 1$, and the fully connected layer of the CNN performs matrix merging of $x_\alpha'$ and $x_\alpha$. In step S3, the fully connected layer of the CNN performs matrix merging of $x_n$ and $x_n'$; in step S4, the fully connected layer of the CNN performs matrix merging of $a_{n+1}'$ and $a_{n+1}$; in step S5, the fully connected layer of the CNN performs matrix merging of $x_{n+1}'$ and $x_{n+1}$; in step S6, the matrix merged from $a_{n+1}'$ and $a_{n+1}$ is compared with the matrix merged from $x_{n+1}'$ and $x_{n+1}$, thereby completing the comparison of $a_{n+1}'$ with $x_{n+1}'$ and of $a_{n+1}$ with $x_{n+1}$.
In the invention, $x_\alpha'$, $x_n'$, $x_{n+1}'$ and $a_{n+1}'$ go through multiple convolutions and pooling in the CNN to cull duplicate and invalid dimensions before entering the fully connected layer.
In the invention, $x_\alpha$, $x_n$, $x_{n+1}$ and $a_{n+1}$ go through multiple convolutions and pooling in the CNN and, after entering the fully connected layer, are matched with $x_\alpha'$, $x_n'$, $x_{n+1}'$ and $a_{n+1}'$ respectively.
In the invention, $x_\alpha$, $x_n$, $x_{n+1}$ and $a_{n+1}$ include node number, time, node voltage amplitude and node voltage phase angle information.
In the invention, $x_\alpha'$, $x_n'$, $x_{n+1}'$ and $a_{n+1}'$ contain TCP connection basic characteristics, TCP connection content characteristics, and time-based network traffic statistics characteristics.
In the invention, the TCP connection basic characteristics comprise the number of data bytes from a source host to a target host, the number of error segments and the number of urgent packets, and the TCP connection content characteristics comprise the number of times system-sensitive files and directories are accessed, the number of failed login attempts, the number of times control files are accessed and the number of outbound connections in an FTP session.
In the invention, $t_{n-3}-t_{n-4}=t_{n-4}-t_{n-5}=t_{n-5}-t_{n-6}=\dots=t_3-t_2=t_2-t_1=t_{n+1}-t_n=T$, where $T$ is a fixed value.
In step S3, the power system also actually receives data packets and detects power monitoring data at times $t_{n-2}$ and $t_{n-1}$, and the CNN is used to extract the network layer characteristics in the data packets received by the power system at times $t_{n-2}$ and $t_{n-1}$. The power monitoring data corresponding to times $t_{n-2}$ and $t_{n-1}$ are $x_{n-2}$ and $x_{n-1}$ respectively, and the network layer characteristics in the data packets corresponding to times $t_{n-2}$ and $t_{n-1}$ are $x_{n-2}'$ and $x_{n-1}'$ respectively. In step S4, the GRU state prediction model uses $x_{n-2}$, $x_{n-1}$, $x_{n-2}'$ and $x_{n-1}'$ in the process of obtaining $a_{n+1}$ and $a_{n+1}'$.
In steps S1 and S2 of the present invention, the power system is in an offline state.
Other features and advantages of the present invention will be disclosed in more detail in the following detailed description of the invention and the accompanying drawings.
Drawings
The invention is further described below with reference to the accompanying drawings:
fig. 1 is a flowchart of a high-precision detection method for FDIA in an electrical power system in embodiment 1 of the present invention.
Detailed Description
The technical solutions of the embodiments of the present invention are explained and illustrated below with reference to the drawings of the embodiments of the present invention, but the following embodiments are only preferred embodiments of the present invention, and not all embodiments. Based on the embodiments in the implementation, other embodiments obtained by those skilled in the art without any creative effort belong to the protection scope of the present invention.
In the following description, the appearances of the indicating orientation or positional relationship such as the terms "inner", "outer", "upper", "lower", "left", "right", etc. are only for convenience in describing the embodiments and for simplicity in description, and do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and are not to be construed as limiting the present invention.
Example 1:
Referring to Fig. 1, the present embodiment provides a high-precision detection method for FDIA of a power system, including the following steps:
Step S1: obtain the historical data packets and power monitoring historical data of the power system within the time period $[t_1, t_{n-3}]$;
In particular, the time period $[t_1, t_{n-3}]$ contains the times $t_1, t_2, \dots, t_{n-3}$, where $t_{n-3}-t_{n-4}=t_{n-4}-t_{n-5}=t_{n-5}-t_{n-6}=\dots=t_3-t_2=t_2-t_1=T$ and $T$ is a fixed value. By selecting a different $T$, the training frequency of the subsequent GRU is adjusted; for example, $T = 0.1$ s in this embodiment, and correspondingly the training frequency of the subsequent GRU is 10 Hz;
All the historical data packets acquired by the power system correspond to the times $t_1, t_2, \dots, t_{n-3}$ respectively, and the network layer characteristics corresponding to the historical data packets are $x_1', x_2', \dots, x_{n-3}'$ respectively, i.e. the historical data packet received by the power system at time $t_\alpha$ has the network layer characteristic $x_\alpha'$, where $\alpha$ is an integer and $n-3 \ge \alpha \ge 1$;
Similarly, all the power monitoring historical data acquired by the power system are $x_1, x_2, \dots, x_{n-3}$, which correspond to the times $t_1, t_2, \dots, t_{n-3}$ respectively, i.e. the power monitoring historical data detected by the power system at time $t_\alpha$ is $x_\alpha$;
Step S2: the GRU cannot be trained directly with the historical data packets, so features are extracted from all historical data packets with a CNN (convolutional neural network) to obtain $x_1', x_2', \dots, x_{n-3}'$. The CNN forms a training sample set from $x_1', x_2', \dots, x_{n-3}'$ and $x_1, x_2, \dots, x_{n-3}$, and the GRU is trained with the training sample set until the loss function value of the GRU is lower than the loss function threshold, which yields a trained GRU state prediction model;
The loss function of the GRU is prior art and is therefore not described in detail in this embodiment;
The GRU state prediction model obtains the estimated value $a_\alpha'$ of the network layer characteristics in the historical data packet received by the power system at time $t_\alpha$, and also the estimated value $a_\alpha$ of the power monitoring historical data at time $t_\alpha$. During training, to increase the training accuracy of the GRU state prediction model while balancing the overall amount of computation, the data at the fourth moment is estimated from the data at the first three moments; for example, in this embodiment $x_1'$, $x_2'$, $x_3'$ are used to calculate the estimated value $a_4'$ of the network layer characteristics in the historical data packet received by the power system at time $t_4$, and the training process is adjusted by comparing the estimated value $a_4'$ with the actually detected value $x_4'$. Since $x_1'$, $x_2'$, $x_3'$, $x_1$, $x_2$, $x_3$ serve as the initial training data, the GRU state prediction model does not calculate $a_1'$, $a_2'$, $a_3'$, $a_1$, $a_2$, $a_3$;
In order to reduce the interference of the training process by the network, in steps S1 and S2, the power system is in an offline state;
step S3: corresponding to the training process in step S2:
The power system receives data packets and detects power monitoring data $x_{n-2}$ at time $t_{n-2}$, and the CNN is used to extract the network layer characteristics $x_{n-2}'$ in the data packets received by the power system at time $t_{n-2}$;
The power system receives data packets and detects power monitoring data $x_{n-1}$ at time $t_{n-1}$, and the CNN is used to extract the network layer characteristics $x_{n-1}'$ in the data packets received by the power system at time $t_{n-1}$;
The power system receives data packets and detects power monitoring data $x_n$ at time $t_n$, and the CNN is used to extract the network layer characteristics $x_n'$ in the data packets received by the power system at time $t_n$;
Correspondingly, $t_n-t_{n-1}=t_{n-1}-t_{n-2}=T$;
Step S4: the trained GRU state prediction model uses $x_{n-2}$, $x_{n-2}'$, $x_{n-1}$, $x_{n-1}'$, $x_n$ and $x_n'$ to calculate the estimated value $a_{n+1}'$ of the network layer characteristics of the power system at time $t_{n+1}$ and the estimated value $a_{n+1}$ of the power monitoring data; correspondingly, $t_{n+1}-t_n=T$;
Step S5: the power system actually receives data packets at time $t_{n+1}$ and actually detects power monitoring data $x_{n+1}$, and the CNN is used to extract the network layer characteristics $x_{n+1}'$ in the data packets actually received by the power system at time $t_{n+1}$;
Step S6: the GRU state prediction model compares $a_{n+1}'$ with $x_{n+1}'$ and compares $a_{n+1}$ with $x_{n+1}$. If the deviation value between $a_{n+1}'$ and $x_{n+1}'$ exceeds a preset first alarm value, or the deviation value between $a_{n+1}$ and $x_{n+1}$ exceeds a preset second alarm value, the GRU state prediction model judges that the power system is subjected to FDIA at time $t_{n+1}$. If the deviation value between $a_{n+1}'$ and $x_{n+1}'$ does not exceed the preset first alarm value, and the deviation value between $a_{n+1}$ and $x_{n+1}$ does not exceed the preset second alarm value, the GRU state prediction model judges that the power system is not subjected to FDIA at time $t_{n+1}$.
If $t_{n-2}-t_{n-3}=T$, the GRU state prediction model may use $x_{n-5}$, $x_{n-4}$, $x_{n-3}$ to obtain the estimated value $a_{n-2}'$ of the network layer characteristics of the power system at time $t_{n-2}$ and the estimated value $a_{n-2}$ of the power monitoring data of the power system at time $t_{n-2}$. The GRU state prediction model may also use $x_{n-4}$, $x_{n-3}$, $x_{n-2}$ to obtain the estimated value $a_{n-1}'$ of the network layer characteristics of the power system at time $t_{n-1}$ and the estimated value $a_{n-1}$ of the power monitoring data of the power system at time $t_{n-1}$. By comparing $a_{n-1}'$ with $x_{n-1}'$, $a_{n-2}'$ with $x_{n-2}'$, $a_{n-1}$ with $x_{n-1}$, and $a_{n-2}$ with $x_{n-2}$, it is determined whether the power system is subjected to FDIA at times $t_{n-2}$ and $t_{n-1}$.
The deviation value between $a_{n+1}$ and $x_{n+1}$ is the most intuitive reflection of whether FDIA occurs in the power system at time $t_{n+1}$, and is therefore also an important index for judging whether FDIA occurs.
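The decision rule of steps S3 to S6, set beside the power-only rule of the comparative example, as an added example that is not code from the patent. It assumes a stand-in predictor (the per-dimension mean of the three previous moments) in place of the trained GRU, feature vectors supplied directly instead of extracted by the CNN, and a deviation measure, alarm values and sample values that are all constructed for illustration.

```python
"""Dual-threshold FDIA decision (steps S3-S6) with a stand-in predictor."""
from collections import namedtuple
from statistics import fmean

Verdict = namedtuple("Verdict", "net_dev power_dev fdia")

# Assumed alarm values; the patent only says they are "preset".
FIRST_ALARM = 0.25   # network layer characteristics: a' versus x'
SECOND_ALARM = 0.05  # power monitoring data:          a  versus x


def predict_next(window):
    """Stand-in for the trained GRU state prediction model (an assumption):
    the estimate for t_{n+1} is the per-dimension mean of t_{n-2}, t_{n-1}, t_n."""
    if len(window) != 3:
        raise ValueError("the estimate for t_{n+1} is built from three moments")
    return [fmean(column) for column in zip(*window)]


def deviation(estimate, actual):
    """Assumed deviation measure: largest per-dimension relative error.
    max(|a|, 1) keeps counters whose estimate is near zero from dividing by ~0."""
    if len(estimate) != len(actual):
        raise ValueError("estimate and actual must have the same dimensions")
    return max(abs(a - x) / max(abs(a), 1.0) for a, x in zip(estimate, actual))


def judge(power_window, net_window, power_actual, net_actual,
          first_alarm=FIRST_ALARM, second_alarm=SECOND_ALARM):
    """Steps S4-S6: estimate both vectors, then alarm if EITHER deviation
    exceeds its alarm value."""
    net_dev = deviation(predict_next(net_window), net_actual)
    power_dev = deviation(predict_next(power_window), power_actual)
    return Verdict(net_dev, power_dev,
                   net_dev > first_alarm or power_dev > second_alarm)


def judge_power_only(power_window, power_actual, second_alarm=SECOND_ALARM):
    """Comparative example, steps S4'-S6': power monitoring data alone."""
    return deviation(predict_next(power_window), power_actual) > second_alarm


# Constructed samples for one node at t_{n-2}, t_{n-1}, t_n.
# Power vector: [voltage amplitude (p.u.), voltage phase angle (degrees)].
POWER_WINDOW = [[1.012, -3.10], [0.998, -3.25], [1.005, -3.16]]
# Network vector: [bytes source->target, error segments, urgent packets,
#                  failed login attempts].
NET_WINDOW = [[1180, 0, 0, 0], [1225, 0, 0, 0], [1204, 0, 0, 0]]

# Constructed observations at t_{n+1}: (x_{n+1}, x_{n+1}').
SCENARIOS = {
    # Normal operation.
    "clean": ([1.003, -3.20], [1210, 0, 0, 0]),
    # False power data kept inside normal fluctuation; packet features shift.
    "disguised": ([1.030, -3.05], [1890, 2, 0, 1]),
    # Crude tampering of power data only.
    "blatant": ([1.150, -1.00], [1198, 0, 0, 0]),
}

if __name__ == "__main__":
    for name, (x_next, x_net_next) in SCENARIOS.items():
        verdict = judge(POWER_WINDOW, NET_WINDOW, x_next, x_net_next)
        baseline = judge_power_only(POWER_WINDOW, x_next)
        print(f"{name:10s} net_dev={verdict.net_dev:.3f} "
              f"power_dev={verdict.power_dev:.3f} "
              f"combined={verdict.fdia} power_only={baseline}")
```

In the disguised case the power deviation stays under the second alarm value, so the power-only rule reports no attack, while the network-layer deviation trips the first alarm value.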
$x_1, x_2, \dots, x_{n+1}$ and $a_4, a_5, \dots, a_{n+1}$ each contain power-related information, e.g. node number, time, node voltage amplitude and node voltage phase angle information, which facilitates comparison between detected and estimated values of the power monitoring data, e.g. comparing $x_4$ with $a_4$ and comparing $x_{n+1}$ with $a_{n+1}$. Correspondingly, the number of dimensions of $x_1, x_2, \dots, x_{n+1}$ and $a_1, a_2, \dots, a_{n+1}$ is four.
In other embodiments, $x_1, x_2, \dots, x_{n+1}$ and $a_4, a_5, \dots, a_{n+1}$ may also include other power-related information to increase the number of dimensions.
$x_1', x_2', \dots, x_{n+1}'$ and $a_4', a_5', \dots, a_{n+1}'$ contain TCP connection basic characteristics, TCP connection content characteristics, and time-based network traffic statistics characteristics. The TCP connection basic characteristics comprise data such as the number of data bytes from a source host to a target host, the number of error segments and the number of urgent packets, and the TCP connection content characteristics comprise data such as the number of times system-sensitive files and directories are accessed, the number of failed login attempts, the number of times control files are accessed and the number of outbound connections in an FTP session. In the embodiment, $x_1', x_2', \dots, x_{n+1}'$ and $a_4', a_5', \dots, a_{n+1}'$ each contain forty-one feature dimensions.
Comparative example:
The comparative example provides a method for detecting FDIA of a power system, which includes the following steps:
Step S1': obtain the power monitoring historical data of the power system within the time period $[t_1, t_{n-3}]$;
The time period $[t_1, t_{n-3}]$ contains the times $t_1, t_2, \dots, t_{n-3}$, where $t_{n-3}-t_{n-4}=t_{n-4}-t_{n-5}=t_{n-5}-t_{n-6}=\dots=t_3-t_2=t_2-t_1=T$ and $T$ is a fixed value. By selecting a different $T$, the training frequency of the subsequent GRU is adjusted; for example, $T = 0.1$ s in this comparative example, and correspondingly the training frequency of the subsequent GRU is 10 Hz;
All the power monitoring historical data acquired by the power system are $x_1, x_2, \dots, x_{n-3}$, which correspond to the times $t_1, t_2, \dots, t_{n-3}$ respectively;
Step S2': train the GRU with all the acquired power monitoring historical data as the training sample set until the loss function value of the GRU is lower than the loss function threshold, which yields a trained GRU state prediction model;
Step S3': the power system detects power monitoring data $x_{n-2}$, $x_{n-1}$, $x_n$ at times $t_{n-2}$, $t_{n-1}$, $t_n$ respectively;
Step S4': the trained GRU state prediction model uses $x_{n-2}$, $x_{n-1}$, $x_n$ to obtain the estimated value $a_{n+1}$ of the power monitoring data of the power system at time $t_{n+1}$;
Step S5': the power system actually detects power monitoring data $x_{n+1}$ at time $t_{n+1}$;
Step S6': the GRU state prediction model judges whether the power system is subjected to FDIA at time $t_{n+1}$ by comparing $a_{n+1}$ with $x_{n+1}$.
To verify the accuracy of the GRU state prediction models obtained in the embodiment and the comparative example in predicting whether the power system is subjected to FDIA, numerical simulations were performed for each. The power system is an IEEE 33 power system. Over the $N$ FDIA detections performed by the GRU state prediction model, the attacker injects a total of $k$ false data items following a Gaussian distribution, so $k/N$ represents the attack frequency, i.e. the attack capability, of the attacker.
In the embodiment, the accuracy of the GRU state prediction model gradually improves as $k/N$ gradually increases from 0.1, and when the attack frequency is 1 the accuracy reaches 97%. In contrast, for the GRU state prediction model in the comparative example, the accuracy generally first increases and then decreases as $k/N$ increases; the highest accuracy is only 82%, and when the attack capability is 1 the accuracy is only 60%.
The results of the specific numerical simulations of the examples are compared in table 1.
TABLE 1
The results of the specific numerical simulations of the comparative examples are compared in table 2.
TABLE 2
Taking node voltage amplitude as an example, the node voltage amplitude fluctuates greatly over time, so when the comparative example trains the GRU state prediction model with only $x_1, x_2, \dots, x_{n-3}$, the accuracy and stability of the model inevitably have large defects. Also because of the strong fluctuation of the node voltage amplitude, it is very easy for an FDIA attacker to disguise a false node voltage amplitude, i.e. the initial training data $x_1$, $x_2$, $x_3$ may themselves be replaced by the attacker, which can directly lead to a poor GRU training result. When $k/N$ is large, the probability that $x_1$, $x_2$, $x_3$ are replaced rises significantly, which explains why increasing $k/N$ within the interval from 0.5 to 1 decreases the accuracy of the GRU state prediction model in the comparative example.
In contrast, the network layer characteristics are more stable than the power monitoring data, so in the embodiment the network layer characteristics in the historical data packets participate in the training of the GRU, which can to a certain extent relieve the adverse effect of the large fluctuation of the power monitoring historical data on GRU training and improves the accuracy and stability of the resulting GRU state prediction model.
When an attacker carries out FDIA on the power system, the attacker's purpose is to tamper with the power monitoring data. Because the power system is in a networked state at that moment, the FDIA affects the data packets received by the power system, and the network layer characteristics in the data packets change abnormally. Since affecting the data packets is not the attacker's purpose, this effect is often ignored by the attacker, and the network layer characteristics are not correspondingly modified and disguised. Even if the effect on the data packets is noticed, false network layer characteristics are difficult to disguise because of the stability of the network layer characteristics. That is, compared with $x_1, x_2, \dots, x_{n+1}$, the values $x_1', x_2', \dots, x_{n+1}'$ have higher credibility and authenticity. Therefore, having the network layer characteristics in the historical data packets participate in training the GRU very markedly improves the accuracy and stability with which the GRU state prediction model judges FDIA.
When the GRU state prediction model trained in the embodiment judges whether the power system is subjected to FDIA at time $t_{n+1}$, the comparison result of $x_{n+1}$ and $a_{n+1}$ serves as the direct basis for judgment and the comparison result of $x_{n+1}'$ and $a_{n+1}'$ serves as the indirect (lateral) basis for judgment; the two work together to improve the accuracy and stability of the GRU state prediction model.
In the embodiment, during training and actual detection of the GRU state prediction model, the fully connected layer of the CNN serves to combine the power monitoring data with the network layer characteristics.
Specifically, in step S2, the fully connected layer of the CNN performs matrix merging of $x_\alpha'$ and $x_\alpha$; in step S3, the fully connected layer of the CNN performs matrix merging of $x_n$ and $x_n'$, of $x_{n-1}$ and $x_{n-1}'$, and of $x_{n-2}$ and $x_{n-2}'$; in step S4, the fully connected layer of the CNN performs matrix merging of $a_{n+1}'$ and $a_{n+1}$; in step S5, the fully connected layer of the CNN performs matrix merging of $x_{n+1}'$ and $x_{n+1}$; in step S6, the matrix merged from $a_{n+1}'$ and $a_{n+1}$ is compared with the matrix merged from $x_{n+1}'$ and $x_{n+1}$, thereby completing the comparison of $a_{n+1}'$ with $x_{n+1}'$ and of $a_{n+1}$ with $x_{n+1}$.
Through the merging of the matrices, the network layer characteristics and the power monitoring data can be compared as a whole, which effectively strengthens the association between them and thereby strengthens the judgment accuracy of the final GRU state prediction model.
As can be seen from the foregoing, in the embodiment $x_1', \dots, x_{n+1}'$ and $a_4', \dots, a_{n+1}'$ have a large number of dimensions compared with $x_1, \dots, x_{n+1}$ and $a_4, \dots, a_{n+1}$, and contain several duplicate dimensions with similar content and/or invalid dimensions that do not help the GRU state prediction model judge FDIA. Through multiple convolutions and pooling in the CNN, the duplicate and/or invalid dimensions of $x_1', \dots, x_{n+1}'$ and $a_4', \dots, a_{n+1}'$ can be removed so as to keep, as far as possible, the effective dimensions that are unrelated in content and helpful to FDIA judgment; the weights of the dimensions that influence FDIA judgment accuracy are adjusted during GRU training, and the computation is then carried out in the fully connected layer. The reduction in the number of dimensions of $x_1', \dots, x_{n+1}'$ and $a_4', \dots, a_{n+1}'$ also reduces the computational load of the fully connected layer.
For the same reason, $x_1, \dots, x_{n+1}$ and $a_4, \dots, a_{n+1}$ also enter the fully connected layer after multiple convolutions and pooling in the CNN. After their duplicate and/or invalid dimensions are eliminated, $x_1, \dots, x_{n+1}$ and $a_4, \dots, a_{n+1}$ can be matched with $x_1', \dots, x_{n+1}'$ and $a_4', \dots, a_{n+1}'$. Taking $x_{n+1}'$ and $x_{n+1}$ after multiple convolutions and pooling as an example, the correlation between their effective dimensions is small, which maximizes the training efficiency of the GRU state prediction model, avoids repeated computation, and minimizes the computational load of the fully connected layer. The CNN is prior art, and the processing of $x_1', \dots, x_{n+1}'$, $a_4', \dots, a_{n+1}'$, $x_1, \dots, x_{n+1}$ and $a_4, \dots, a_{n+1}$ is run by the CNN itself.
In other embodiments, the number and type of dimensions of $x_1, \dots, x_{n+1}$, $a_4, \dots, a_{n+1}$, $x_1', \dots, x_{n+1}'$ and $a_4', \dots, a_{n+1}'$ may vary compared with Example 1. In that case, the dimension information of $x_1, \dots, x_{n+1}$ and $a_4, \dots, a_{n+1}$ after CNN processing can be differentiated to the greatest extent from the dimension information of $x_1', \dots, x_{n+1}'$ and $a_4', \dots, a_{n+1}'$ after CNN processing, which reduces the adverse effects of dimension repetition between the network layer characteristics and the power monitoring data on the amount of computation in the FDIA detection process of the GRU state prediction model and on the accuracy of the FDIA detection result.
While the invention has been described with reference to specific embodiments thereof, it will be understood by those skilled in the art that the invention is not limited thereto, and may be embodied in many different forms without departing from the spirit and scope of the invention as set forth in the following claims. Any modification which does not depart from the functional and structural principles of the present invention is intended to be included within the scope of the claims.

Claims (10)

1. A high-precision detection method for FDIA of a power system, characterized by comprising the following steps:
Step S1: obtain the historical data packets and the power monitoring historical data of the power system in the time period $[t_1, t_{n-3}]$;
Step S2: extract the network layer characteristics from the historical data packets using the CNN, combine the network layer characteristics of the historical data packets with the power monitoring historical data to form a training sample set, and train the GRU with the training sample set until the loss function value of the GRU is lower than a loss function threshold, so as to obtain a trained GRU state prediction model;
Step S3: at time $t_n$, the power system receives data packets and detects power monitoring data $x_n$, and the CNN is used to extract the network layer characteristics $x_n'$ from the data packets received by the power system at time $t_n$;
Step S4: the trained GRU state prediction model uses $x_n$ and $x_n'$ to obtain the estimate $a_{n+1}'$ of the network layer characteristics of the data packets received by the power system at time $t_{n+1}$ and the estimate $a_{n+1}$ of the power monitoring data;
Step S5: at time $t_{n+1}$, the power system actually receives data packets and actually detects power monitoring data $x_{n+1}$, and the CNN is used to extract the network layer characteristics $x_{n+1}'$ from the data packets actually received by the power system at time $t_{n+1}$;
Step S6: the GRU state prediction model judges whether the power system is subjected to FDIA at time $t_{n+1}$ by comparing $a_{n+1}'$ with $x_{n+1}'$ and comparing $a_{n+1}$ with $x_{n+1}$.
2. The method as claimed in claim 1, wherein in step S1 the time period $[t_1, t_{n-3}]$ includes the times $t_1, t_2, \dots, t_{n-3}$; all the historical data packets acquired by the power system correspond respectively to the times $t_1, t_2, \dots, t_{n-3}$; all the power monitoring historical data acquired by the power system are $x_1, x_2, \dots, x_{n-3}$ respectively, and $x_1, x_2, \dots, x_{n-3}$ correspond respectively to the times $t_1, t_2, \dots, t_{n-3}$; in step S2, the network layer characteristics corresponding to all the historical data packets are $x_1', x_2', \dots, x_{n-3}'$ respectively, wherein the network layer characteristic of the historical data packet corresponding to time $t_\alpha$ is $x_\alpha'$, $n-3 \ge \alpha \ge 1$, and the fully connected layer of the CNN performs matrix merging on $x_\alpha'$ and $x_\alpha$; in step S3, the fully connected layer of the CNN performs matrix merging on $x_n$ and $x_n'$; in step S4, the fully connected layer of the CNN performs matrix merging on $a_{n+1}'$ and $a_{n+1}$; in step S5, the fully connected layer of the CNN performs matrix merging on $x_{n+1}'$ and $x_{n+1}$; in step S6, the matrix merged from $a_{n+1}'$ and $a_{n+1}$ is compared with the matrix merged from $x_{n+1}'$ and $x_{n+1}$, so as to complete the comparison of $a_{n+1}'$ with $x_{n+1}'$ and the comparison of $a_{n+1}$ with $x_{n+1}$.
3. The method as claimed in claim 2, wherein $x_\alpha'$, $x_n'$, $x_{n+1}'$ and $a_{n+1}'$ each undergo multiple convolutions and pooling in the CNN to cull duplicate and invalid dimensions before entering the fully connected layer.
4. The method as claimed in claim 3, wherein $x_\alpha$, $x_n$, $x_{n+1}$ and $a_{n+1}$ each undergo multiple convolutions and pooling in the CNN so that, after entering the fully connected layer, they match $x_\alpha'$, $x_n'$, $x_{n+1}'$ and $a_{n+1}'$ respectively.
5. The method as claimed in claim 4, wherein $x_\alpha$, $x_n$, $x_{n+1}$ and $a_{n+1}$ include node number, time, node voltage amplitude and node voltage phase angle information.
6. The method as claimed in claim 5, wherein $x_\alpha'$, $x_n'$, $x_{n+1}'$ and $a_{n+1}'$ contain TCP connection basic characteristics, TCP connection content characteristics, and time-based network traffic statistical characteristics.
7. A high-precision detection method for FDIA of electric power system according to claim 6, wherein the TCP connection basic characteristics include number of bytes of data, number of error segments and number of urgent packets from source host to target host, and the TCP connection content characteristics include number of times of accessing system sensitive files and directories, number of failed login attempts, number of times of accessing control files and number of outbound connections in one FTP session.
8. The method as claimed in claim 2, wherein $t_{n-3}-t_{n-4}=t_{n-4}-t_{n-5}=t_{n-5}-t_{n-6}=\dots=t_3-t_2=t_2-t_1=t_{n+1}-t_n=T$, where $T$ is a fixed value.
9. The method as claimed in claim 1, wherein in step S3 the power system also actually receives data packets and detects power monitoring data at times $t_{n-2}$ and $t_{n-1}$, and the CNN is used to extract the network layer characteristics from the data packets received by the power system at times $t_{n-2}$ and $t_{n-1}$; the power monitoring data corresponding to times $t_{n-2}$ and $t_{n-1}$ are $x_{n-2}$ and $x_{n-1}$ respectively, and the network layer characteristics in the data packets corresponding to times $t_{n-2}$ and $t_{n-1}$ are $x_{n-2}'$ and $x_{n-1}'$ respectively; in step S4, the GRU state prediction model also uses $x_{n-2}$, $x_{n-1}$, $x_{n-2}'$ and $x_{n-1}'$ in the process of obtaining $a_{n+1}$ and $a_{n+1}'$.
10. The method as claimed in claim 1, wherein in steps S1 and S2, the power system is in an offline state.
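The detection loop of steps S3 to S6, with the three-sample window of claim 9 and the merged rows of claim 2, as an added Python example that is not code from the patent. A per-feature window mean stands in for the trained CNN/GRU model; the sample values, the 0.05 threshold, the residual metric, the handling of flagged rows and all function names are assumptions.

```python
from statistics import fmean

WINDOW = 3        # claim 9: samples at t_{n-2}, t_{n-1}, t_n feed each estimate
THRESHOLD = 0.05  # assumed tolerance; the claims do not give a value

# Constructed samples at fixed spacing T (claim 8).
# power: (node voltage amplitude in p.u., node voltage phase angle in degrees)
# net:   (bytes source->target, error segments, urgent packets)
SAMPLES = [
    ((1.000, -5.0), (1200, 0, 0)),
    ((1.002, -5.1), (1210, 0, 0)),
    ((0.999, -5.0), (1195, 0, 0)),
    ((1.001, -5.1), (1205, 0, 0)),
    ((1.000, -5.0), (1200, 0, 0)),
    ((1.120, -5.0), (1202, 0, 0)),  # falsified voltage reading, normal traffic
    ((1.001, -5.1), (1198, 0, 0)),
    ((1.000, -5.0), (1204, 0, 0)),
]

def merge(power, net):
    """Claim 2 matrix merging: x_t and x_t' become one row."""
    return [float(v) for v in (*power, *net)]

def predict_next(window):
    """Stand-in for the trained GRU model (step S4): per-feature window mean."""
    return [fmean(column) for column in zip(*window)]

def residual(estimate, actual):
    """Largest per-feature gap, scaled by the larger magnitude (floor 1.0)."""
    return max(abs(a - x) / max(abs(a), abs(x), 1.0)
               for a, x in zip(estimate, actual))

def detect(samples, threshold=THRESHOLD):
    """Return the indices of samples whose merged row departs from its estimate."""
    history = [merge(p, n) for p, n in samples[:WINDOW]]
    flagged = []
    for k in range(WINDOW, len(samples)):
        estimate = predict_next(history[-WINDOW:])           # S4: a_{n+1}, a_{n+1}'
        actual = merge(*samples[k])                          # S5: x_{n+1}, x_{n+1}'
        suspicious = residual(estimate, actual) > threshold  # S6
        if suspicious:
            flagged.append(k)
        # Assumption (not in the claims): keep falsified rows out of later windows.
        history.append(estimate if suspicious else actual)
    return flagged

if __name__ == "__main__":
    print(detect(SAMPLES))
```

Because the power and network features share one merged row, a sample whose voltage looks normal but whose error-segment or urgent-packet counts jump is flagged by the same comparison.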
CN202111365343.4A 2021-11-18 2021-11-18 High-precision detection method for FDIA of power system Active CN113794742B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111365343.4A CN113794742B (en) 2021-11-18 2021-11-18 High-precision detection method for FDIA of power system

Publications (2)

Publication Number Publication Date
CN113794742A true CN113794742A (en) 2021-12-14
CN113794742B CN113794742B (en) 2022-02-15

Family

ID=78877347

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant