CN113886765A - Method and device for detecting error data injection attack - Google Patents


Publication number
CN113886765A
Authority
CN
China
Prior art keywords
matrix
data
measurement
row
variance
Legal status
Granted
Application number
CN202111167739.8A
Other versions
CN113886765B (en)
Inventor
陈东
刘之亮
黄秋实
吴辰晔
张海
沈灯鸿
邸鹏宇
刘超
Current Assignee
Guangdong Power Grid Co Ltd
Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Priority to CN202111167739.8A
Publication of CN113886765A
Application granted
Publication of CN113886765B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Energy or water supply
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The application discloses a method and a device for detecting error data injection attacks, applied to a smart grid. The method comprises: receiving measurement data and forming the received measurement data into a measurement data matrix; computing, from the measurement data matrix, the relative change value of each row at preset moments and the variance of the relative change values of each row; judging from the variance whether each row of the measurement data matrix is attacked, and assigning 0 to entries of the measurement data matrix according to the judgment result to obtain a first data matrix; applying low-rank matrix recovery and row-sparse optimization to the first data matrix to obtain a first optimization problem; and solving the first optimization problem with the augmented Lagrange multiplier method to obtain the matrix decomposition and, from it, the detection result for the error data injection attack. The method and the device remove the structural false alarms that are ubiquitous in the original low-rank matrix recovery technique and greatly reduce the false alarm rate.

Description

Method and device for detecting error data injection attack
Technical Field
The application relates to the technical field of smart power grids, in particular to a method and a device for detecting error data injection attacks.
Background
State estimation is an important component of the energy management system of the power system in the smart grid. State estimation estimates the internal state of a dynamic system from the available measurement data. Its result is not only the basis on which grid dispatchers make dispatching decisions, but also plays an important role in the power market. Whether state estimation can be performed accurately therefore greatly influences the smooth operation of the smart grid and the power market.
However, the rise of communication and network technologies has brought not only intelligence to the power grid but also many cyber-physical attacks, which pose considerable challenges. Current cyber-physical attacks can be classified into four categories according to the level at which they act: virtual layer attacks, network layer attacks, communication layer attacks, and physical layer attacks. The error data injection attack (known in the literature as a false data injection attack) is a cyber-physical attack that can be carried out at the four levels; it can also bypass traditional anomaly detection based on residual detection, and therefore poses a great threat to accurate state estimation.
To guarantee accurate state estimation in the face of error data injection attacks, many anomaly detection methods exist:
1) Anomaly detection based on residual detection: it can detect various anomalies in the power grid, such as line faults and equipment faults, from the residual of the measured data. However, this method is completely unable to cope with error data injection attacks, since such an attack does not change the measurement residual. Anomaly detection based on residual detection therefore cannot tell whether the system is under an error data injection attack, and cannot locate where the attack occurs.
2) Anomaly detection based on compressed sensing: relying on the relatively large inertia of the power grid and the limited resources of an attacker, compressed sensing can identify and locate error data injection attacks. This method copes effectively with error data attacks and greatly exceeds traditional principal component analysis in localization precision. However, its false alarm rate is too high in many application scenarios, which makes it very difficult to apply.
3) Anomaly detection based on generative adversarial networks (GAN): with the development of deep learning, many deep learning techniques are now also applied to anomaly detection, and among them anomaly detection using generative adversarial networks stands out. It achieves good identification and localization in some error data injection attack scenarios. However, the performance of every engineering method based on deep learning is limited by its data set, and the field of defense against error data injection attacks in the smart grid currently lacks a standard data set. Deep learning also lacks fundamental interpretability, which hinders its application to a certain extent.
Disclosure of Invention
The application provides a method and a device for detecting error data injection attack, which aim to solve the problem of overhigh false alarm rate in the prior art.
In order to solve the technical problem, the application provides a method for detecting the error data injection attack, which is applied to a smart grid, and the method for detecting the error data injection attack comprises the following steps: receiving measurement data, and forming a measurement data matrix by the received measurement data; wherein the measurement data comprises power flow vectors obtained from node measurements of the smart grid; calculating the measurement data matrix to obtain the relative change value of each row at a preset moment and the variance of the relative change value of each row; judging whether each row of the measured data matrix is attacked or not through the variance, and performing 0 assignment processing on the measured data matrix according to a judgment result to obtain a first data matrix; performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrange multiplier method so as to obtain a decomposition result of the matrix and further obtain a detection result of the error data injection attack.
Optionally, judging from the variance whether each row of the measurement data matrix is attacked, and assigning 0 to entries of the measurement data matrix according to the judgment result to obtain a first data matrix, includes: setting the values of the rows that are not attacked in the measurement data matrix to 0 and keeping the values of the attacked rows unchanged, thereby obtaining the first data matrix.
Optionally, forming the received measurement data into a measurement data matrix includes: placing the power flow vectors obtained at different moments by the same measurement node in one row, and placing the power flow vectors obtained at the same moment by different measurement nodes in one column, thereby forming the measurement data matrix.
Optionally, calculating the measurement data matrix to obtain the relative change value of each row at the preset time and the variance of the relative change value of each row includes: calculating the relative change value $RF_{i,t}$ at the i-th measurement node at time t as:
Figure BDA0003289390580000021
wherein $Z_{i,t}$ represents the power flow vector measured by the i-th node at time t, and $Z_{i,t-1}$ represents the power flow vector measured by the i-th node at time t-1; after the relative change values of all the measurement nodes at all moments are obtained, the variance $V_i$ of the relative change values of the i-th measurement node in the measurement period T is calculated as: $V_i = \mathrm{var}([RF_{i,t}, \ldots, RF_{i,t+T}])$.
Optionally, judging from the variance whether each row of the measurement data matrix is attacked includes: setting a threshold α; if the variance $V_i$ is greater than the threshold α, determining that the measurement node corresponding to the variance $V_i$ was subjected to an error data injection attack within the period T; if the variance $V_i$ is less than or equal to the threshold α, determining that the measurement node corresponding to the variance $V_i$ was not subjected to an error data injection attack within the period T.
Optionally, performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem includes obtaining the following first optimization problem:
Figure BDA0003289390580000031
s.t. $Z_a = Z_0 + A$;
wherein $Z_a$ is the measurement data matrix, $Z_0$ is the power flow matrix that was not attacked, and $A$ is the error data injection attack matrix; $\|Z_0\|_*$ is the nuclear norm, $\|A^T\|_{p,1}$ represents the row sparsity penalty of the first data matrix, $\|A\|_{1,1}$ represents the overall sparsity penalty of the first data matrix, λ is the penalty parameter for row sparsity, μ is the overall sparsity penalty parameter of the first data matrix, and p is a preset parameter.
In order to solve the above technical problem, the present application provides a detection apparatus for an error data injection attack, which is applied to a smart grid, and includes: the data receiving module is used for receiving the measurement data and forming a measurement data matrix by the received measurement data; wherein the measurement data comprises power flow vectors obtained from node measurements of the smart grid; the abnormal measurement node judgment module is used for calculating the measurement data matrix to obtain the relative change value of each line at the preset moment and the variance of the relative change value of each line; judging whether each row of the measured data matrix is attacked or not through the variance, and performing 0 assignment processing on the measured data matrix according to a judgment result to obtain a first data matrix; the low-rank matrix recovery module is used for performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrange multiplier method so as to obtain a decomposition result of the matrix and further obtain a detection result of the error data injection attack.
Optionally, the abnormal measurement node discrimination module is further configured to set the values of the rows that are not attacked in the measurement data matrix to 0 and keep the values of the attacked rows unchanged, thereby obtaining the first data matrix.
Optionally, the data receiving module is further configured to divide power flow vectors obtained at different times of the same measurement node in the measurement data into a row, and divide power flow vectors obtained at the same time of different measurement nodes into a column, so as to form a measurement data matrix.
Optionally, the abnormal measurement node discrimination module is further configured to calculate the relative change value $RF_{i,t}$ at the i-th measurement node at time t as:
Figure BDA0003289390580000032
wherein $Z_{i,t}$ represents the power flow vector measured by the i-th node at time t, and $Z_{i,t-1}$ represents the power flow vector measured by the i-th node at time t-1; after the relative change values of all the measurement nodes at all moments are obtained, the variance $V_i$ of the relative change values of the i-th measurement node in the measurement period T is calculated as: $V_i = \mathrm{var}([RF_{i,t}, \ldots, RF_{i,t+T}])$.
Optionally, the abnormal measurement node discrimination module is further configured to: set a threshold α; if the variance $V_i$ is greater than the threshold α, determine that the measurement node corresponding to the variance $V_i$ was subjected to an error data injection attack within the period T; if the variance $V_i$ is less than or equal to the threshold α, determine that the measurement node corresponding to the variance $V_i$ was not subjected to an error data injection attack within the period T.
Optionally, the first optimization problem is:
Figure BDA0003289390580000041
s.t. $Z_a = Z_0 + A$;
wherein $Z_a$ is the measurement data matrix, $Z_0$ is the power flow matrix that was not attacked, and $A$ is the error data injection attack matrix; $\|Z_0\|_*$ is the nuclear norm, $\|A^T\|_{p,1}$ represents the row sparsity penalty of the first data matrix, $\|A\|_{1,1}$ represents the overall sparsity penalty of the first data matrix, λ is the penalty parameter for row sparsity, μ is the overall sparsity penalty parameter of the first data matrix, and p is a preset parameter.
The application provides a method and a device for detecting error data injection attacks, applied to a smart grid. It weighs the effectiveness, reliability and interpretability of anomaly detection methods together and, starting from anomaly detection based on compressed sensing, proposes an improvement derived from a close analysis of the characteristics of error data attacks and of the large inertia of the power grid. While keeping a high identification rate for error data injection attacks, it greatly reduces the false alarm rate of the original method, yielding a reliable and interpretable anomaly detection method that achieves a high attack detection rate and an extremely low false alarm rate in most scenarios.
Drawings
In order to more clearly illustrate the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
FIG. 1 is a schematic flowchart illustrating an embodiment of a method for detecting an error data injection attack according to the present application;
FIG. 2 is a schematic structural diagram of an embodiment of the detection apparatus for error data injection attack according to the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present application, the following describes in detail the method and apparatus for detecting an error data injection attack provided by the present application with reference to the accompanying drawings and the detailed description.
The low-rank matrix recovery technique is a general technique for data recovery, which recovers data based on the low rank and sparsity of the data. In 2011, Professor Zhu Han's team at the University of Houston applied it to false data injection attack detection in the power grid. Although the method was far superior to the other error data detection methods of that time, it still suffers from problems such as low calculation speed and a high false alarm rate, because it was not optimized for the application scenario when it was introduced.
Based on the above, the application provides a method for detecting error data injection attacks that focuses on the problem that the false alarm rate of the original low-rank matrix recovery technique is too high in a smart grid. Referring to FIG. 1, FIG. 1 is a schematic flowchart illustrating an embodiment of a method for detecting an error data injection attack according to the present application. In this embodiment, the method for detecting an error data injection attack may include steps S110 to S120, as follows:
S110: receiving measurement data, and forming the received measurement data into a measurement data matrix, wherein the measurement data comprises power flow vectors obtained from node measurements of the smart grid.
The power flow vectors obtained at different moments by the same measurement node are placed in one row, and the power flow vectors obtained at the same moment by different measurement nodes are placed in one column, thereby forming the measurement data matrix.
Specifically, in most cases, the relationship between the state information of the grid and the measured power flow can be approximated as linear:
$z'_0 = H\theta$
where $z'_0$ is the measured power flow vector, $H$ is the topology matrix of the grid, and $\theta$ is the state vector of the grid. The error data injection attack relies on the same relationship: once attackers know the topology information of the power grid, they can construct a cyber-physical attack that does not change the measurement residual:
$a = Hc$
where $a$ is the attack vector generated by the attacker and $c$ is the spurious state information that the attacker wants to inject. Therefore, when the system is subjected to an error data injection attack, measuring the power flow yields only the power flow vector $z'_a$ contaminated by the error data:
$z'_a = z'_0 + a = H(\theta + c)$
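The residual property stated above, as an added Python example that is not part of the patent text. It assumes an ordinary least-squares state estimator and uses a constructed 4-meter, 2-state matrix H with constructed noise; it compares the residual for clean data, for data shifted by a = Hc, and for a single gross meter error that is not of that form.

```python
"""Residual check on z = H*theta + e: constructed numbers, assumed LS estimator."""
import math


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def matvec(m, v):
    return [dot(row, v) for row in m]


def estimate_state(H, z):
    """theta_hat = (H^T H)^{-1} H^T z for a two-state model (closed-form 2x2 inverse)."""
    cols = [list(c) for c in zip(*H)]
    if len(cols) != 2:
        raise ValueError("this sketch only handles two state variables")
    g00, g01, g11 = dot(cols[0], cols[0]), dot(cols[0], cols[1]), dot(cols[1], cols[1])
    det = g00 * g11 - g01 * g01
    if abs(det) < 1e-12:
        raise ValueError("H does not have full column rank")
    b0, b1 = dot(cols[0], z), dot(cols[1], z)
    return [(g11 * b0 - g01 * b1) / det, (g00 * b1 - g01 * b0) / det]


def residual_norm(H, z):
    """Return (||z - H*theta_hat||_2, theta_hat), the quantity a residual test thresholds."""
    theta_hat = estimate_state(H, z)
    fitted = matvec(H, theta_hat)
    return math.sqrt(sum((zi - fi) ** 2 for zi, fi in zip(z, fitted))), theta_hat


def demo():
    # Constructed topology matrix, state and measurement noise (not from the page).
    H = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0]]
    theta = [1.0, 0.5]
    noise = [0.01, -0.02, 0.015, 0.005]
    z0 = [h + e for h, e in zip(matvec(H, theta), noise)]

    c = [0.2, -0.1]                       # constructed state offset
    z_structured = [z + a for z, a in zip(z0, matvec(H, c))]  # z'_a = z'_0 + Hc

    z_gross = list(z0)
    z_gross[2] += 0.3                     # one faulty meter, not of the form Hc

    results = {
        "clean": residual_norm(H, z0),
        "structured": residual_norm(H, z_structured),
        "gross": residual_norm(H, z_gross),
    }
    return results, c


if __name__ == "__main__":
    results, c = demo()
    for name, (r, theta_hat) in results.items():
        print(f"{name:10s} residual={r:.6f} theta_hat={[round(x, 4) for x in theta_hat]}")
```

The structured case leaves the residual unchanged while shifting the estimate by exactly c, which is why the rest of the description works on the time structure of the measurement matrix instead of the residual.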
When the power flow vectors obtained by continuous observation are arranged into a matrix in chronological order, identifying and locating an error data injection attack becomes a matrix decomposition problem:
$Z_a = Z_0 + A$
where $Z_a$ is the observed power flow matrix (i.e., the measurement data matrix), $Z_0$ is the power flow matrix that was not attacked, and $A$ is the error data injection attack matrix. Thus, injected error data can be identified and located by decomposing the observed power flow matrix $Z_a$ to obtain the error data injection attack matrix $A$.
Due to the relatively large inertia of the grid system and the limited resources of the attacker, the rank of the non-attacked power flow matrix $Z_0$ will be much smaller than its size, while the error data injection attack matrix $A$ will be a sparse matrix. These two features allow the matrix decomposition problem of identifying and locating error data injection attacks to be solved by low-rank matrix recovery (Robust PCA) based on compressed sensing. However, in practical applications, using low-rank matrix recovery directly to identify and locate error data gives a detection result with too high a false alarm rate, and a large amount of normal data is identified as abnormal. Therefore, after a close look at the characteristics of error data injection attacks and at the structural characteristics of the data that is often wrongly identified as anomalous, the present embodiment proposes two improvements:
1) Because the attacker's resources are limited, the attacker can only attack a small part of the measurement nodes, so in the error data injection attack matrix $A$ only a small part of the rows have non-zero elements and most of the remaining rows are zero. Row sparse optimization is therefore introduced into the original low-rank matrix recovery technique, so that the identified attack matrix $A'$ has the same row sparsity as in the actual application scenario.
2) Data that is often misidentified as anomalous has a larger absolute change than other data that is not misidentified, but its relative change is still similar to that of other data that is not attacked. Data subjected to error data injection, by contrast, has both a larger relative change and a larger absolute change than data that is not attacked. Moreover, since the power grid is a system with relatively large inertia, the relative change of the power flow over time should be relatively stable when the grid is not attacked, and an attack destroys this stability. The embodiment therefore designs a discriminator that uses the variance of the relative change value of the power flow to remove the measurement nodes that are unlikely to be attacked given the attacker's limited resources but that would cause false identification, thereby greatly reducing the false alarm rate of identification.
The whole error data injection attack identification and positioning process can be divided into three parts: 1) the data receiving part forms the received measurement data into a corresponding measurement data matrix; 2) an abnormal measurement node judgment part which uses the variance of the relative change value of the measurement power flow to remove the influence of the measurement node which cannot be attacked under the condition of limited attacker resources on the recovery of the subsequent low-rank matrix; 3) and a low-rank matrix recovery part, which introduces row sparse optimization on the basis of the original low-rank matrix recovery technology, so that the decomposed error data injection attack matrix has the same property as the actual attack matrix.
S120: calculating the measurement data matrix to obtain the relative change value of each row at a preset moment and the variance of the relative change value of each row.
In the abnormal measurement node discrimination part, the relative change value $RF_{i,t}$ at the i-th measurement node at time t is calculated as:
Figure BDA0003289390580000061
where $Z_{i,t}$ represents the power flow vector measured by the i-th node at time t, and $Z_{i,t-1}$ represents the power flow vector measured by the i-th node at time t-1.
After the relative change values of all the measurement nodes at all times are obtained, the variance $V_i$ of the relative change values of the i-th measurement node in the measurement period T can be further calculated as:
$V_i = \mathrm{var}([RF_{i,t}, \ldots, RF_{i,t+T}])$.
S130: judging from the variance whether each row of the measurement data matrix is attacked, and assigning 0 to entries of the measurement data matrix according to the judgment result to obtain a first data matrix.
Optionally, the values of the rows that are not attacked in the measurement data matrix may be set to 0, and the values of the attacked rows kept unchanged, so as to obtain the first data matrix.
By setting a suitable threshold α, the variance $V_i$ can be used as an index for judging whether the corresponding measurement node was subjected to an error data injection attack within the period T.
Specifically, if the variance $V_i$ is greater than the threshold α, it is determined that the measurement node corresponding to the variance $V_i$ was subjected to an error data injection attack within the period T; if the variance $V_i$ is less than or equal to the threshold α, it is determined that the measurement node corresponding to the variance $V_i$ was not subjected to an error data injection attack within the period T.
Furthermore, the threshold α should not be set too large in order to ensure that all attacks can be detected. The threshold value α can be obtained by experiment.
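The discriminator of steps S120 and S130, as an added Python example that is not part of the patent text. The relative-change formula survives on this page only as an image, so the code assumes $RF_{i,t} = (Z_{i,t} - Z_{i,t-1}) / Z_{i,t-1}$; the sample variance, the floor for a zero previous sample, the threshold α = 1e-3 and all measurement values are likewise constructed assumptions.

```python
"""Variance-of-relative-change discriminator (S120-S130) on constructed data."""
import math
from statistics import variance

EPS = 1e-9  # assumed floor used when the previous sample is (near) zero


def build_matrix(samples, nodes, times):
    """Rows = one measurement node over time, columns = one instant across nodes."""
    lookup = {(n, t): v for n, t, v in samples}
    missing = [(n, t) for n in nodes for t in times if (n, t) not in lookup]
    if missing:
        raise ValueError(f"missing samples, e.g. {missing[:3]}")
    return [[lookup[(n, t)] for t in times] for n in nodes]


def relative_changes(row):
    """Assumed form of RF_{i,t}: (Z_t - Z_{t-1}) / Z_{t-1}, with a floored denominator."""
    out = []
    for prev, cur in zip(row, row[1:]):
        denom = prev if abs(prev) >= EPS else math.copysign(EPS, prev)
        out.append((cur - prev) / denom)
    return out


def row_variances(matrix):
    """V_i = var([RF_{i,t}, ..., RF_{i,t+T}]); sample variance is an assumption."""
    return [variance(relative_changes(row)) for row in matrix]


def first_data_matrix(matrix, alpha):
    """Zero the rows judged not attacked (V_i <= alpha); keep the others unchanged."""
    v = row_variances(matrix)
    flagged = [i for i, vi in enumerate(v) if vi > alpha]
    first = [list(row) if i in flagged else [0.0] * len(row)
             for i, row in enumerate(matrix)]
    return flagged, v, first


def max_abs_step(row):
    """Largest absolute change between consecutive samples of one node."""
    return max(abs(b - a) for a, b in zip(row, row[1:]))


def constructed_measurements():
    """Constructed data: 4 nodes, 8 instants, 1 % growth per step on every node."""
    bases = {"n0": 10.0, "n1": 2000.0, "n2": 50.0, "n3": -30.0}
    times = list(range(8))
    samples = []
    for node, base in bases.items():
        for t in times:
            value = base * 1.01 ** t
            if node == "n2" and t in (4, 5):
                value += 15.0  # constructed injected offset on one node only
            samples.append((node, t, value))
    return samples, list(bases), times


def demo(alpha=1e-3):
    samples, nodes, times = constructed_measurements()
    z_a = build_matrix(samples, nodes, times)
    flagged, v, first = first_data_matrix(z_a, alpha)
    return z_a, flagged, v, first


if __name__ == "__main__":
    z_a, flagged, v, first = demo()
    for i, vi in enumerate(v):
        state = "kept" if i in flagged else "zeroed"
        print(f"row {i}: V_i={vi:.3e}  max|dZ|={max_abs_step(z_a[i]):7.2f}  {state}")
```

Row 1 has the largest absolute steps yet a stable relative change, so it is zeroed before low-rank recovery; only row 2, whose relative change is unstable, reaches the next stage.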
S140: performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem.
In a low-rank matrix recovery part, introducing a new row sparse penalty into an original low-rank matrix recovery optimization problem to obtain a first optimization problem:
Figure BDA0003289390580000071
s.t. $Z_a = Z_0 + A$;
where $Z_a$ is the measurement data matrix, $Z_0$ is the original power flow matrix that was not attacked, and $A$ is the error data injection attack matrix; $\|Z_0\|_*$ is the nuclear norm, $\|A^T\|_{p,1}$ represents the row sparsity penalty of the first data matrix (the $L_{p,1}$ norm), $\|A\|_{1,1}$ represents the overall sparsity penalty of the first data matrix (the $L_{1,1}$ norm), λ is the row sparsity penalty parameter, μ is the overall sparsity penalty parameter of the first data matrix, and p is a preset parameter.
S150: solving the first optimization problem with the augmented Lagrange multiplier method to obtain the matrix decomposition and, from it, the detection result for the error data injection attack.
Once a suitable parameter p has been determined (where p is an integer), the optimization problem is a convex optimization problem, so the final matrix decomposition can be obtained with the method of Augmented Lagrange Multipliers.
After determining the parameter p, we first compute the corresponding Lagrangian function:
Figure BDA0003289390580000072
where $A^T$ is the transpose of matrix $A$, $Y$ and $\eta$ are Lagrange multipliers, $\langle Y, Z_a - Z_0 - A \rangle$ is the matrix inner product, and $\|Z_a - Z_0 - A\|_F$ is the Frobenius norm.
Once the corresponding Lagrangian function is determined, the matrix decomposition can be carried out iteratively. Because the closed-form solutions of the optimization and the parameter update rules differ for different p, they are not written out here, but they can be found in the public literature:
Figure BDA0003289390580000081
Meanwhile, the low-rank matrix recovery optimization problem can also be converted into a more common equivalent convex optimization problem and solved with existing convex optimization packages such as CVX.
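One way to carry out the iterative decomposition of S150, as an added example that is not the patent's code. It assumes p = 2, assembles the objective from the three terms the page names, uses the usual augmented Lagrangian with η weighting the Frobenius term, and runs on constructed data; all function names and parameter values are hypothetical, and NumPy is required.

```python
# Added example: inexact augmented Lagrange multiplier (ALM) iteration for
#   min ||Z0||_* + lam*||A^T||_{2,1} + mu*||A||_{1,1}   s.t.  Za = Z0 + A
# ASSUMPTIONS: objective assembled from the terms the page names, p = 2,
# constructed data and parameter values. Requires NumPy.
import numpy as np


def svt(M, tau):
    """Singular value thresholding: proximal operator of tau * nuclear norm."""
    U, s, Vt = np.linalg.svd(M, full_matrices=False)
    return (U * np.maximum(s - tau, 0.0)) @ Vt


def prox_row_sparse(M, row_tau, elem_tau):
    """Prox of row_tau * sum_i ||M_i||_2 + elem_tau * ||M||_{1,1}:
    element-wise soft threshold, then shrink each row as one group."""
    S = np.sign(M) * np.maximum(np.abs(M) - elem_tau, 0.0)
    norms = np.linalg.norm(S, axis=1, keepdims=True)
    return S * np.maximum(1.0 - row_tau / np.maximum(norms, 1e-12), 0.0)


def decompose(Za, lam, mu, rho=1.2, tol=1e-7, max_iter=500):
    """Split Za into a low-rank part Z0 and a row-sparse part A."""
    Za = np.asarray(Za, dtype=float)
    scale = np.linalg.norm(Za)
    if scale == 0.0:
        return Za.copy(), Za.copy()
    eta = 1.25 / np.linalg.norm(Za, 2)      # initial weight of the Frobenius term
    Y = np.zeros_like(Za)                   # multiplier for Za - Z0 - A = 0
    A = np.zeros_like(Za)
    for _ in range(max_iter):
        Z0 = svt(Za - A + Y / eta, 1.0 / eta)                        # Z0 update
        A = prox_row_sparse(Za - Z0 + Y / eta, lam / eta, mu / eta)  # A update
        R = Za - Z0 - A                                              # residual
        Y = Y + eta * R
        eta = min(eta * rho, 1e7)
        if np.linalg.norm(R) <= tol * scale:
            break
    return Z0, A


def build_case():
    """Constructed case: rank-1 flows, 12 nodes x 48 samples, rows 3 and 8 attacked."""
    base = np.linspace(0.5, 3.0, 12)
    profile = 1.0 + 0.2 * np.sin(2 * np.pi * np.arange(48) / 48)
    Z0 = np.outer(base, profile)
    A = np.zeros_like(Z0)
    A[3, [10, 11, 30]] = 2.0
    A[8, [20, 21, 40]] = 1.5
    return Z0 + A, Z0, A


def detect_rows(Za, lam=0.05, row_threshold=0.5):
    """Return (attacked row indices, relative residual of the constraint)."""
    mu = 1.0 / np.sqrt(max(Za.shape))       # common choice for the L1 weight
    Z0_hat, A_hat = decompose(Za, lam=lam, mu=mu)
    row_norms = np.linalg.norm(A_hat, axis=1)
    rows = [int(i) for i in np.flatnonzero(row_norms > row_threshold)]
    rel = float(np.linalg.norm(Za - Z0_hat - A_hat) / np.linalg.norm(Za))
    return rows, rel


if __name__ == "__main__":
    Za, _, _ = build_case()
    print(detect_rows(Za))
```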
The method for detecting error data injection attacks is described below with reference to experimental data:
In this embodiment, experiments were carried out on the standard IEEE-30-bus and IEEE-57-bus systems. The experimental results show that when p is 1, the low-rank matrix recovery technique does not introduce row sparse optimization; in the detection result at this time, in addition to the real attacks, an obvious structural detection error appears, and many detection errors also occur in some non-attacked rows. When row sparse optimization is introduced, although the structural detection errors are not removed, the accidental detection errors in the other non-attacked rows are removed, and the false alarm rate is reduced to a certain extent.
The abnormal node discriminator handles structural detection errors well. Because the abnormal node discriminator addresses the original low-rank matrix recovery technique's excessive focus on absolute change values, nodes that appear abnormal to the low-rank matrix recovery technique but are not attacked are removed in advance. The abnormal node discriminator greatly reduces the false alarm rate. We compared the effect of different anomaly detection methods based on low-rank matrix recovery techniques, as shown in Table 1, where TP is the detection rate of error data injection attacks and FA is the false alarm rate. It can be seen that, after introducing row sparse optimization and the abnormal node discriminator, the MSHVA detection method proposed by the inventors greatly reduces the false alarm rate and improves the anomaly detection rate compared with the original anomaly detection method (MSRSA), which directly uses the low-rank matrix recovery technique. Its overall performance is also superior to other current mainstream anomaly detection methods based on low-rank matrix recovery (GoDec, LMaFit).
Table 1: Comparison of the detection performance of different methods based on low-rank matrix recovery
Figure BDA0003289390580000082
In summary, this embodiment provides a method for detecting error data injection attacks that uses an abnormal node discriminator based on the relatively large inertia of the power grid and further introduces a low-rank matrix recovery technique with a row sparsity penalty. Compared with other existing technical schemes, the scheme of this embodiment relies on the structural characteristics of the power grid and of error data injection attacks, and has the advantages of strong interpretability (compared with deep-learning-based methods), high reliability (compared with deep-learning-based methods), a high recognition rate, and a low false alarm rate (compared with the original compressed-sensing-based method).
To implement the above detection method, the application also provides a detection device for error data injection attacks, applied to a smart grid. Referring to FIG. 2, FIG. 2 is a schematic structural diagram of an embodiment of the detection device for error data injection attacks according to the present application. In this embodiment, the device may include:
The data receiving module 110 is configured to receive measurement data and form a measurement data matrix from the received measurement data, wherein the measurement data comprises power flow vectors obtained from node measurements of the smart grid.
The abnormal measurement node discrimination module 120 is configured to perform calculation on the measurement data matrix to obtain the relative change value of each row at a preset time and the variance of the relative change values of each row; to judge from the variance whether each row of the measurement data matrix is attacked; and to perform 0 assignment processing on the measurement data matrix according to the judgment result to obtain a first data matrix.
The low-rank matrix recovery module 130 is configured to perform low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem, and to solve the first optimization problem using the augmented Lagrange multiplier method to obtain the decomposition result of the matrix and, from it, the detection result of the error data injection attack.
Optionally, the abnormal measurement node discrimination module 120 is further configured to set the values of the non-attacked rows in the measurement data matrix to 0 and keep the values of the attacked rows unchanged, so as to obtain the first data matrix.
Optionally, the data receiving module 110 is further configured to arrange the power flow vectors obtained at different times by the same measurement node in the measurement data into one row, and the power flow vectors obtained at the same time by different measurement nodes into one column, so as to form the measurement data matrix.
Optionally, the abnormal measurement node discrimination module 120 is further configured to calculate the relative change value $RF_{i,t}$ of the i-th measurement node at time t as:
Figure BDA0003289390580000091
where $Z_{i,t}$ represents the power flow vector measured by the i-th node at time t, and $Z_{i,t-1}$ represents the power flow vector measured by the i-th node at time t-1. After the relative change values of all measurement nodes at all times are obtained, the variance $V_i$ of the relative change values of the i-th measurement node in the measurement period T is calculated as: $V_i = \mathrm{var}([RF_{i,t}, \ldots, RF_{i,t+T}])$.
Optionally, the abnormal measurement node discrimination module 120 is further configured to: set a threshold α; if the variance $V_i$ is greater than the threshold α, determine that the measurement node corresponding to $V_i$ was subjected to an error data injection attack within the period T; if the variance $V_i$ is less than or equal to the threshold α, determine that the measurement node corresponding to $V_i$ was not subjected to an error data injection attack within the period T.
Optionally, the first optimization problem is:
Figure BDA0003289390580000101
s.t. $Z_a = Z_0 + A$;
where $Z_a$ is the measurement data matrix, $Z_0$ is the original power flow matrix that has not been attacked, and $A$ is the error data injection attack matrix; $\|Z_0\|_*$ is the nuclear norm, $\|A^T\|_{p,1}$ represents the row sparsity penalty of the first data matrix, $\|A\|_{1,1}$ represents the overall sparsity penalty of the first data matrix, λ is the row sparsity penalty parameter, μ is the overall sparsity penalty parameter of the first data matrix, and p is a preset parameter.
In summary, the application provides a method and a device for detecting error data injection attacks, applied to a smart grid. The application comprehensively considers the effectiveness, reliability and interpretability of the anomaly detection method. Building on the anomaly detection method based on compressed sensing, it makes a small improvement by analyzing in depth the characteristics of error data attacks and the relatively large inertia of the grid system, so that the false alarm rate of the original method is greatly reduced while a high identification rate for error data injection attacks is maintained, yielding a reliable and interpretable anomaly detection method with a high attack detection rate and an extremely low false alarm rate in most scenarios.
It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. In addition, for convenience of description, only a part of structures related to the present application, not all of the structures, are shown in the drawings. The step numbers used herein are also for convenience of description only and are not intended as limitations on the order in which the steps are performed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first", "second", etc. in this application are used to distinguish between different objects and not to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The above description is only for the purpose of illustrating embodiments of the present application and is not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application or are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.

Claims (12)

1. A method for detecting an error data injection attack, applied to a smart grid, comprising the following steps:
receiving measurement data, and forming a measurement data matrix by the received measurement data; wherein the measurement data comprises power flow vectors obtained from node measurements of the smart grid;
calculating the measurement data matrix to obtain the relative change value of each row at a preset moment and the variance of the relative change value of each row;
judging whether each row of the measured data matrix is attacked or not through the variance, and performing 0 assignment processing on the measured data matrix according to a judgment result to obtain a first data matrix;
performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrange multiplier method so as to obtain a decomposition result of the matrix and further obtain a detection result of the error data injection attack.
2. The method according to claim 1, wherein judging from the variance whether each row of the measurement data matrix is attacked, and performing 0 assignment processing on the measurement data matrix according to the judgment result to obtain the first data matrix, comprises:
setting the values of the non-attacked rows in the measurement data matrix to 0 and keeping the values of the attacked rows unchanged, thereby obtaining the first data matrix.
3. The method according to claim 2, wherein forming the received measurement data into a measurement data matrix comprises:
arranging the power flow vectors obtained at different times by the same measurement node in the measurement data into one row, and the power flow vectors obtained at the same time by different measurement nodes into one column, thereby forming the measurement data matrix.
4. The method according to claim 3, wherein performing calculation on the measurement data matrix to obtain the relative change value of each row at a preset time and the variance of the relative change values of each row comprises:
calculating the relative change value $RF_{i,t}$ of the i-th measurement node at time t as:
Figure FDA0003289390570000011
where $Z_{i,t}$ represents the power flow vector measured by the i-th node at time t, and $Z_{i,t-1}$ represents the power flow vector measured by the i-th node at time t-1;
after the relative change values of all measurement nodes at all times are obtained, calculating the variance $V_i$ of the relative change values of the i-th measurement node in the measurement period T as:
$V_i = \mathrm{var}([RF_{i,t}, \ldots, RF_{i,t+T}])$.
5. The method for detecting an error data injection attack according to claim 4, wherein judging from the variance whether each row of the measurement data matrix is attacked comprises:
setting a threshold α;
if the variance $V_i$ is greater than the threshold α, determining that the measurement node corresponding to $V_i$ was subjected to an error data injection attack within the period T;
if the variance $V_i$ is less than or equal to the threshold α, determining that the measurement node corresponding to $V_i$ was not subjected to an error data injection attack within the period T.
6. The method according to claim 1, wherein the performing low rank matrix recovery processing and row sparsity optimization on the first data matrix to obtain a first optimization problem comprises:
obtaining the first optimization problem as follows:
Figure FDA0003289390570000021
s.t. $Z_a = Z_0 + A$;
where $Z_a$ is the measurement data matrix, $Z_0$ is the original power flow matrix that has not been attacked, and $A$ is the error data injection attack matrix; $\|Z_0\|_*$ is the nuclear norm, $\|A^T\|_{p,1}$ represents the row sparsity penalty of the first data matrix, $\|A\|_{1,1}$ represents the overall sparsity penalty of the first data matrix, λ is the row sparsity penalty parameter, μ is the overall sparsity penalty parameter of the first data matrix, and p is a preset parameter.
7. A detection device for an error data injection attack, applied to a smart grid, comprising:
a data receiving module, configured to receive measurement data and form a measurement data matrix from the received measurement data, wherein the measurement data comprises power flow vectors obtained from node measurements of the smart grid;
an abnormal measurement node discrimination module, configured to perform calculation on the measurement data matrix to obtain the relative change value of each row at a preset time and the variance of the relative change values of each row, to judge from the variance whether each row of the measurement data matrix is attacked, and to perform 0 assignment processing on the measurement data matrix according to the judgment result to obtain a first data matrix;
a low-rank matrix recovery module, configured to perform low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem, and to solve the first optimization problem using the augmented Lagrange multiplier method to obtain the decomposition result of the matrix and, from it, the detection result of the error data injection attack.
8. The apparatus for detecting an error data injection attack according to claim 7,
the abnormal measurement node discrimination module is further configured to set the values of the non-attacked rows in the measurement data matrix to 0 and keep the values of the attacked rows unchanged, thereby obtaining the first data matrix.
9. The apparatus for detecting an error data injection attack according to claim 8,
the data receiving module is further configured to arrange the power flow vectors obtained at different times by the same measurement node in the measurement data into one row, and the power flow vectors obtained at the same time by different measurement nodes into one column, so as to form the measurement data matrix.
10. The apparatus for detecting an error data injection attack according to claim 9, wherein the abnormal measurement node discrimination module is further configured to:
calculate the relative change value $RF_{i,t}$ of the i-th measurement node at time t as:
Figure FDA0003289390570000031
where $Z_{i,t}$ represents the power flow vector measured by the i-th node at time t, and $Z_{i,t-1}$ represents the power flow vector measured by the i-th node at time t-1;
after the relative change values of all measurement nodes at all times are obtained, calculate the variance $V_i$ of the relative change values of the i-th measurement node in the measurement period T as:
$V_i = \mathrm{var}([RF_{i,t}, \ldots, RF_{i,t+T}])$.
11. The apparatus for detecting an error data injection attack according to claim 10, wherein the abnormal measurement node discrimination module is further configured to:
set a threshold α;
if the variance $V_i$ is greater than the threshold α, determine that the measurement node corresponding to $V_i$ was subjected to an error data injection attack within the period T;
if the variance $V_i$ is less than or equal to the threshold α, determine that the measurement node corresponding to $V_i$ was not subjected to an error data injection attack within the period T.
12. The apparatus for detecting an error data injection attack according to claim 7,
the first optimization problem is as follows:
Figure FDA0003289390570000032
s.t. $Z_a = Z_0 + A$;
where $Z_a$ is the measurement data matrix, $Z_0$ is the original power flow matrix that has not been attacked, and $A$ is the error data injection attack matrix; $\|Z_0\|_*$ is the nuclear norm, $\|A^T\|_{p,1}$ represents the row sparsity penalty of the first data matrix, $\|A\|_{1,1}$ represents the overall sparsity penalty of the first data matrix, λ is the row sparsity penalty parameter, μ is the overall sparsity penalty parameter of the first data matrix, and p is a preset parameter.
CN202111167739.8A 2021-09-30 2021-09-30 Method and device for detecting error data injection attack Active CN113886765B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111167739.8A CN113886765B (en) 2021-09-30 2021-09-30 Method and device for detecting error data injection attack

Publications (2)

Publication Number Publication Date
CN113886765A true CN113886765A (en) 2022-01-04
CN113886765B CN113886765B (en) 2023-09-29

Family

ID=79005397

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111167739.8A Active CN113886765B (en) 2021-09-30 2021-09-30 Method and device for detecting error data injection attack

Country Status (1)

Country Link
CN (1) CN113886765B (en)

Also Published As

Publication number Publication date
CN113886765B (en) 2023-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant