CN113886765B - Method and device for detecting error data injection attack - Google Patents
Method and device for detecting error data injection attack Download PDFInfo
- Publication number
- CN113886765B CN113886765B CN202111167739.8A CN202111167739A CN113886765B CN 113886765 B CN113886765 B CN 113886765B CN 202111167739 A CN202111167739 A CN 202111167739A CN 113886765 B CN113886765 B CN 113886765B
- Authority
- CN
- China
- Prior art keywords
- matrix
- row
- measurement data
- data matrix
- measurement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000002347 injection Methods 0.000 title claims abstract description 79
- 239000007924 injection Substances 0.000 title claims abstract description 79
- 238000000034 method Methods 0.000 title claims abstract description 62
- 239000011159 matrix material Substances 0.000 claims abstract description 177
- 238000005259 measurement Methods 0.000 claims abstract description 134
- 238000001514 detection method Methods 0.000 claims abstract description 59
- 230000008859 change Effects 0.000 claims abstract description 47
- 238000005457 optimization Methods 0.000 claims abstract description 42
- 238000011084 recovery Methods 0.000 claims abstract description 33
- 238000012545 processing Methods 0.000 claims abstract description 16
- 238000000354 decomposition reaction Methods 0.000 claims abstract description 11
- 230000003190 augmentative effect Effects 0.000 claims abstract description 9
- 239000013598 vector Substances 0.000 claims description 35
- 230000002159 abnormal effect Effects 0.000 claims description 20
- 230000008569 process Effects 0.000 claims description 8
- 238000005516 engineering process Methods 0.000 abstract description 16
- 238000013135 deep learning Methods 0.000 description 6
- 230000000694 effects Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 239000000243 solution Substances 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000002474 experimental method Methods 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 206010063385 Intellectualisation Diseases 0.000 description 1
- 230000005856 abnormality Effects 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000004807 localization Effects 0.000 description 1
- 238000000513 principal component analysis Methods 0.000 description 1
- 238000012847 principal component analysis method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/16—Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/2433—Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/04—Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/06—Energy or water supply
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Business, Economics & Management (AREA)
- Data Mining & Analysis (AREA)
- Economics (AREA)
- Human Resources & Organizations (AREA)
- Software Systems (AREA)
- Strategic Management (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Mathematical Optimization (AREA)
- Computer Security & Cryptography (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Analysis (AREA)
- Computational Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Business, Economics & Management (AREA)
- Tourism & Hospitality (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Primary Health Care (AREA)
- Life Sciences & Earth Sciences (AREA)
- Evolutionary Computation (AREA)
- Quality & Reliability (AREA)
- Game Theory and Decision Science (AREA)
- Artificial Intelligence (AREA)
- Development Economics (AREA)
- Public Health (AREA)
- Water Supply & Treatment (AREA)
- General Health & Medical Sciences (AREA)
- Entrepreneurship & Innovation (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Algebra (AREA)
Abstract
The application discloses a detection method and a detection device for error data injection attack, which are applied to a smart grid, wherein the detection method for error data injection attack comprises the following steps: receiving measurement data and forming a measurement data matrix from the received measurement data; calculating a measurement data matrix to obtain a relative change value of each row at a preset time and a variance of the relative change value of each row; judging whether each row of the measurement data matrix is attacked or not through variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result so as to obtain a first data matrix; performing low-rank matrix recovery processing and line sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of the matrix, and further obtain a detection result of the error data injection attack. The application can remove the structural false alarm commonly existing in the original low-rank matrix recovery technology and greatly reduce the false alarm rate.
Description
Technical Field
The application relates to the technical field of smart grids, in particular to a method and a device for detecting error data injection attacks.
Background
State estimation (state estimation) is an important component of the power system energy management system (energy management system) in smart grids. The state estimation obtains the internal state of the dynamic system according to the available measurement data estimation. The result of the state estimation is not only the basis for the dispatching by the power grid system dispatcher, but also plays an important role in the power market environment. Therefore, whether the state estimation can be accurately performed greatly affects the smooth operation of the smart grid and the power market.
However, the rise of communication and network technologies not only brings about the intellectualization of the power grid, but also many virtual reality attacks (cyber-physical attacks) and presents a small challenge. The virtual reality attacks at the present stage can be divided into four classes according to the level of their action: virtual layer attacks, network layer attacks, communication layer attacks and physical layer attacks. The error data injection attack is a virtual reality attack which can be performed at four action levels, and can bypass the traditional anomaly detection method based on residual error detection, thereby bringing great threat to the accurate performance of state estimation.
Therefore, for the error data injection attack, in order to ensure the accurate performance of state estimation, a plurality of anomaly detection methods exist:
1) The anomaly detection method based on residual error detection comprises the following steps: the method can detect abnormal phenomena in various power grids from residual errors of measured data, for example: line faults, equipment faults, etc. However, since the error data injection attack does not change the measurement residual, this detection method cannot cope with errors at all. Therefore, the anomaly detection method based on residual error detection cannot distinguish whether the system is attacked by the error data injection or not, and cannot locate the position where the error data injection attack occurs.
2) The anomaly detection method based on the compressed sensing technology comprises the following steps: by means of relatively large system inertia of the power grid system and limited resources of an attacker, the error data injection attack can be identified and positioned by the compressed sensing technology. The anomaly detection method based on the compressed sensing technology can effectively cope with error data attack, and the positioning accuracy of the anomaly detection method is greatly higher than that of the traditional principal component analysis method (principal component analysis). However, the false alarm rate of the anomaly detection method in many application scenes is too high, which makes the application of the anomaly detection method very difficult.
3) Anomaly detection methods based on generatedversaries network (generatedversaries) technology: at present, with the rise of deep learning technology, a few deep learning technologies are also applied to anomaly detection. Among them, the anomaly detection method using the generation countermeasure network technique is outstanding. The detection method can obtain good recognition and positioning effects in the scenes of some error data injection attacks. However, the performance of all engineering approaches based on deep learning techniques is limited by their data sets. At present, a standard data set is lacking in the field of fault data injection attack defense of the smart grid. And their use is hindered to some extent by the lack of fundamental interpretability of deep learning techniques.
Disclosure of Invention
The application provides a detection method and a detection device for error data injection attack, which are used for solving the problem of excessively high false alarm rate in the prior art.
In order to solve the technical problems, the application provides a detection method of error data injection attack, which is applied to a smart grid, and comprises the following steps: receiving measurement data and forming a measurement data matrix from the received measurement data; wherein the measurement data comprises a power flow vector obtained from a node measurement of the smart grid; calculating a measurement data matrix to obtain a relative change value of each row at a preset time and a variance of the relative change value of each row; judging whether each row of the measurement data matrix is attacked or not through variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result so as to obtain a first data matrix; performing low-rank matrix recovery processing and line sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of the matrix, and further obtain a detection result of the error data injection attack.
Optionally, determining whether each row of the measurement data matrix is attacked by the variance, and performing a 0 assignment process on the measurement data matrix according to a determination result, thereby obtaining a first data matrix, including: and setting the value of the line which is not attacked in the measurement data matrix to be 0, wherein the value of the attacked line is kept unchanged, so that a first data matrix is obtained.
Optionally, composing the received measurement data into a measurement data matrix, including: and dividing the power flow vectors obtained at different moments of the same measuring node in the measuring data into one row, and dividing the power flow vectors obtained at the same moment of different measuring nodes into one column, thereby forming a measuring data matrix.
Optionally, calculating the measurement data matrix to obtain a relative change value of each row at a preset time and a variance of the relative change value of each row, including: calculating the relative change value RF at the ith measurement node at time t i,t The method comprises the following steps:wherein Z is i,t Representing a power flow vector measured and obtained by an ith node at the moment t; z is Z i,t-1 Representing a power flow vector measured and obtained by an ith node at the time t-1; after obtaining the relative change values of all the measuring nodes at all the moments, calculating the variance V of the relative change value of the ith measuring node in the measuring period T i The method comprises the following steps: v (V) i =var([RF i,t ,…,RF i,t+T ])。
Optionally, determining whether each row of the measurement data matrix is attacked by the variance includes: setting a threshold alpha; if variance V i Greater than the threshold value alpha, the sum-of-variances V are determined i The corresponding measuring node is attacked by the error data injection in the period of T; if variance V i Less than or equal to the threshold value alpha, the sum-of-variances V are determined i The corresponding measurement node is not attacked by the erroneous data injection during the T period.
Optionally, performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem, including: the first optimization problem is obtained as follows:
s.t.Z a =Z 0 +A;
wherein Z is a Is a matrix of measurement data, Z 0 Is a matrix of power flows that would otherwise not be attacked,
a is an error data injection attack matrix; z 0 || * Is the kernel norm, ||A T || p,1 Representing a first data matrix row sparseness penalty, I A I 1,1 Representing the overall sparse penalty of the first data matrix, wherein lambda is a penalty parameter of row sparsity, and mu is an overall sparsity penalty parameter of the first data matrix; p is a preset parameter.
In order to solve the technical problems, the present application provides a detection device for an error data injection attack, which is applied to a smart grid, and comprises: the data receiving module is used for receiving the measurement data and forming a measurement data matrix from the received measurement data; wherein the measurement data comprises a power flow vector obtained from a node measurement of the smart grid; the abnormal measurement node judging module is used for calculating the measurement data matrix to obtain the relative change value of each row at the preset moment and the variance of the relative change value of each row; judging whether each row of the measurement data matrix is attacked or not through variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result so as to obtain a first data matrix; the low-rank matrix recovery module is used for carrying out low-rank matrix recovery processing and line sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of the matrix, and further obtain a detection result of the error data injection attack.
Optionally, the abnormal measurement node distinguishing module is further configured to set a value of an unaddressed line in the measurement data matrix to 0, where the value of the attacked line remains unchanged, so as to obtain the first data matrix.
Optionally, the data receiving module is further configured to divide the power flow vectors obtained at different times of the same measurement node in the measurement data into a row, and divide the power flow vectors obtained at the same time of different measurement nodes into a column, thereby forming a measurement data matrix.
Optionally, the abnormal measurement node distinguishing module is further configured to: calculating the relative change value RF at the ith measurement node at time t i,t The method comprises the following steps:wherein Z is i,t Representing a power flow vector measured and obtained by an ith node at the moment t; z is Z i,t-1 Representing a power flow vector measured and obtained by an ith node at the time t-1; after obtaining the relative change values of all the measuring nodes at all the moments, calculating the variance V of the relative change value of the ith measuring node in the measuring period T i The method comprises the following steps: v (V) i =var([RF i,t ,...,RF i,t+T ])。
Optionally, the abnormal measurement node distinguishing module is further configured to: setting a threshold alpha; if variance V i Greater than threshold alpha, thenDetermining and variance V i The corresponding measuring node is attacked by the error data injection in the period of T; if variance V i Less than or equal to the threshold value alpha, the sum-of-variances V are determined i The corresponding measurement node is not attacked by the erroneous data injection during the T period.
Optionally, the first optimization problem is:
s.t.Z a =Z 0 +A;
wherein Z is a Is a matrix of measurement data, Z 0 Is a matrix of power flows that would otherwise not be attacked,
a is an error data injection attack matrix; z 0 || * Is the kernel norm, ||A T || p,1 Representing a first data matrix row sparseness penalty, I A I 1,1 Representing the overall sparse penalty of the first data matrix, wherein lambda is a penalty parameter of row sparsity, and mu is an overall sparsity penalty parameter of the first data matrix; p is a preset parameter.
The application provides a detection method and a detection device for error data injection attack, which are applied to a smart grid, comprehensively consider the effectiveness, reliability and interpretability of an anomaly detection method, and provide a little improvement by deeply analyzing the characteristics of the error data attack and larger inertia of a power grid system on the basis of the anomaly detection method based on a compressed sensing technology, greatly reduce the false alarm rate of the original method on the basis of ensuring higher error data injection attack recognition rate, and obtain a reliable and interpretable anomaly detection method with very high attack detection rate and very low false alarm rate in most scenes.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an embodiment of a method for detecting an error data injection attack according to the present application;
FIG. 2 is a schematic diagram of an embodiment of a device for detecting an error data injection attack according to the present application.
Detailed Description
In order to enable those skilled in the art to better understand the technical scheme of the present application, the method and apparatus for detecting the error data injection attack provided by the present application are described in further detail below with reference to the accompanying drawings and the detailed description.
The low rank matrix recovery technique is a general technique for data recovery, which is based on low rank and sparsity of data. In 2011, the university of houston Han Zhu professor team has applied it to the field of fault data injection attack detection in the grid. Although the method far exceeds other error data detection methods at the time, the method still has the problems of low calculation speed, high false alarm rate and the like because the method is not optimized for an application scene in the introduction process.
Based on the above, the application provides a detection method for error data injection attack, which is used for solving the problem that the false alarm rate of the original low-rank matrix recovery technology is too high in a smart grid. Referring to fig. 1, fig. 1 is a flowchart illustrating an embodiment of a method for detecting an error data injection attack according to the present application. In this embodiment, the method for detecting the error data injection attack may include steps S110 to S120, which are specifically as follows:
s110: receiving measurement data and forming a measurement data matrix from the received measurement data; wherein the measurement data comprises a power flow vector obtained from a node measurement of the smart grid.
The power flow vectors obtained at different moments of the same measuring node in the measuring data are divided into one row, and the power flow vectors obtained at the same moment of different measuring nodes are divided into one column, so that a measuring data matrix is formed.
In particular, in most cases, the relationship between the state information of the grid and the measured power flow (power flow) may be approximated as a linear relationship:
z′ 0 =Hθ
wherein z' 0 Is the measured power flow vector, H is the topological matrix of the grid, and θ is the state vector of the grid. Meanwhile, the error data injection attack is also based on the point, and when an attacker knows the topological structure information of the power grid, the attacker can construct a virtual reality attack without changing the measurement residual error:
a=Hc
where a is the attack vector that the attacker generates and c is the spurious state information that the attacker wants to inject. Therefore, when the system is subject to error data injection attack, only the power flow vector z 'polluted by error data can be obtained by measuring the power flow' a :
z′ a =z′ 0 +a=H(θ+c)
When we compose a matrix from the sequential order of the power flow vectors obtained by continuous observation, the recognition and positioning of the error data injection attack becomes a matrix decomposition problem:
Z a =Z 0 +A
wherein Z is a Is the observed power flow matrix (i.e., the measured data matrix), Z 0 Is the power flow matrix that was not otherwise attacked, while a is the error data injection attack matrix. Thus, identifying and locating injected erroneous data may be accomplished by decomposing the observed power flow matrix Z a And obtaining the error data injection attack matrix A.
The power flow matrix Z, which is not attacked, is due to the relatively large inertia of the grid system and the limited resources of the attacker 0 The rank of (a) may be much smaller than its size while the erroneous data injection attack matrix a may be a sparse matrix. These two features enable the problem of matrix decomposition for error data injection attack identification and localization to be performed by low rank matrix recovery (Robust PCA) based on compressed sensing techniques. However, in practical applications, the low rank matrix recovery technique is directly used for error data identification and localizationThe false alarm rate of the detection result is too high, and a large amount of normal data can be marked as abnormal. Thus by looking deep into the characteristics of the erroneous data injection attack, and the structural characteristics of the data that are often misidentified as anomalies, the present embodiment proposes two improvements:
1) Because of the limited resources of the attacker, the attacker can only attack a small part of the measuring nodes, so that only a small part of rows exist non-zero elements in the error data injection attack matrix A, and the rest of rows are zero. Therefore, in the embodiment, line sparse optimization is introduced into the original low-rank matrix recovery technology, so that the attack matrix A' obtained through recognition has the same line sparse characteristic as that in the actual application scene.
2) Data that is often misidentified as anomalous has a larger absolute change value than other data that is not misidentified, but the relative change value is still similar to other data that is not attacked. And the data which is attacked by the error data is injected, and the relative change value and the absolute change value of the data are larger than those of the data which is not attacked. At the same time, the power grid is considered to be a relatively high-inertia system, so that when the power grid is not attacked, the relative change value of the power flow in time should be relatively stable, and the attack can damage the stability. Therefore, the embodiment designs a discriminator by applying the variance of the relative change value of the power flow to remove the measurement node which cannot be attacked under the condition of limited attacker resources but can cause false identification, thereby greatly reducing the false alarm rate of identification.
The whole error data injection attack identification and positioning process can be divided into three parts: 1) A data receiving part, which composes the received measurement data into a corresponding measurement data matrix; 2) An abnormal measurement node discriminating section that uses a variance of a relative change value of the measurement power flow to remove an influence of a measurement node that is unlikely to be attacked under a condition that an attacker resource is limited on a subsequent low-rank matrix recovery; 3) And a low-rank matrix recovery part, which introduces row sparse optimization based on the original low-rank matrix recovery technology, so that the error data injection attack matrix obtained by decomposition has the same property as the actual attack matrix.
S120: and calculating the measurement data matrix to obtain the relative change value of each row at the preset moment and the variance of the relative change value of each row.
In the abnormal measurement node discriminating section, a relative change value RF at the ith measurement node at time t is calculated i,t The method comprises the following steps:
wherein Z is i,t Representing a power flow vector measured and obtained by an ith node at the moment t; z is Z i,t-1 Representing the power flow vector obtained by the measurement of the ith node at time t-1.
After obtaining the relative change values of all the measurement nodes at all the moments, the variance V of the relative change value of the ith measurement node in the measurement period T can be further calculated i The method comprises the following steps:
V i =var([RF i,t ,…,RF i,t+T ])。
s130: judging whether each row of the measurement data matrix is attacked or not through the variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result, so that a first data matrix is obtained.
Alternatively, the value of the row that is not attacked in the measurement data matrix may be set to 0, and the value of the attacked row is kept unchanged, so as to obtain the first data matrix.
By setting a suitable threshold value alpha, the variance V i Can be used as an index for determining whether the corresponding measurement node is subject to an error data injection attack within the T period.
In particular, if the variance V i Greater than the threshold value alpha, the sum-of-variances V are determined i The corresponding measuring node is attacked by the error data injection in the period of T; if variance V i Less than or equal to the threshold value alpha, the sum-of-variances V are determined i The corresponding measurement node is not attacked by the erroneous data injection during the T period.
Furthermore, the threshold α is not set too large in order to ensure that all attacks can be detected. The threshold α may be obtained experimentally.
S140: and carrying out low-rank matrix recovery processing and line sparse optimization on the first data matrix to obtain a first optimization problem.
In the low-rank matrix recovery part, new row sparse punishment is introduced into the original low-rank matrix recovery optimization problem, and a first optimization problem is obtained as follows:
s.t.Z a =Z 0 +A;
wherein Z is a Is a matrix of measurement data that is a function of the measurement data,
Z 0 the power flow matrix is not attacked originally, and A is an error data injection attack matrix; z 0 || * Is the kernel norm, ||A T || p,1 Represents a first data matrix row sparseness penalty (L p,1 Norms), I A I 1,1 Represents a first data matrix overall sparsity penalty (L 1,1 Norm), λ is a penalty parameter for row sparsity, μ is an overall sparsity penalty parameter for the first data matrix; p is a preset parameter.
S150: and solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of the matrix, and further obtain a detection result of the error data injection attack.
After determining the appropriate parameter p (where p is an integer), the final matrix factorization result may be solved using the method of the augmented lagrangian multiplier (Augmented Lagrange Multipliers) because this optimization problem is a convex optimization problem.
After the parameter p is determined, we first calculate the corresponding lagrangian function:
wherein A is T Is the transpose of matrix a, Y and η are lagrange multipliers,<Y,Z a -Z 0 -A>is the inner product of the matrix, ||Z a -Z 0 -A|| F Is the Frobenius norm.
After determining the corresponding lagrangian function, matrix decomposition may be performed by an iterative method, and since the updating modes of the optimized closed solutions and parameters of different p are not the same, in the process, the embodiment is not written directly, but the closed solutions and updating modes may be obtained by querying in the disclosed data:
meanwhile, the optimization problem of low-rank matrix recovery can be converted into more common peer-to-peer convex optimization problems, and can be solved by using some existing convex optimization technique packages, such as CVX.
The following describes a method for detecting an error data injection attack in combination with experimental data:
according to the embodiment, experiments are carried out on standard IEEE-30-bus and IEEE-57-bus systems, and experimental results show that when p=1, the low-rank matrix recovery technology does not introduce row sparse optimization, and an obvious structural detection error is detected in the detection result besides real attack, and a few detection errors are also generated in partial non-attacked rows. However, when row sparsity optimization is introduced, although structural detection errors are not removed, sporadic detection errors in other non-attacked rows are removed, reducing the false alarm rate to some extent.
For structural detection errors, the abnormal node discriminator can be well solved. Because the abnormal node discriminator solves the factors that the absolute change value is excessively concerned in the original low-rank matrix recovery technology, the abnormal node is removed in advance, which can cause the low-rank matrix recovery technology to generate abnormality but not be attacked. The abnormal node discriminator greatly reduces the false alarm rate. Our experiments compare the effects of different anomaly detection methods based on low rank matrix recovery techniques, as shown in table 1. Where TP is the detection rate of the error data injection attack and FA is the false alarm rate. It can be seen that the MSHVA detection method proposed by us greatly reduces the false alarm rate and improves the anomaly detection rate compared with the original anomaly detection Method (MSRSA) directly using the low-rank matrix recovery technique after the line sparse optimization and the anomaly node discriminator are introduced. And the comprehensive performance is also superior to other mainstream anomaly detection methods (GoDec, LMaFit) based on low-rank matrix recovery.
Table 1 contrast of different detection effects based on low rank matrix recovery technique
In summary, the embodiment provides a detection method for error data injection attack, which is based on an abnormal node discriminator with relatively large inertia characteristics of a power grid, and introduces a low-rank matrix recovery technology with sparse row penalty; compared with other existing technical schemes, the scheme of the embodiment has the advantages of strong interpretability (compared with a deep learning method), high reliability (compared with a deep learning method), high recognition rate and low false alarm rate (compared with the original compressed sensing method) by relying on the structural characteristics of the power grid and the error data injection attack.
For the method for detecting the error data injection attack, the application provides a device for detecting the error data injection attack, which is applied to a smart grid. Referring to fig. 2, fig. 2 is a schematic structural diagram of an embodiment of a detection apparatus for error data injection attack according to the present application. In this embodiment, the detection apparatus for the error data injection attack may include:
a data receiving module 110, configured to receive measurement data and form a measurement data matrix from the received measurement data; wherein the measurement data comprises a power flow vector obtained from a node measurement of the smart grid.
The abnormal measurement node judging module 120 is configured to calculate a measurement data matrix to obtain a relative change value of each row at a preset time and a variance of the relative change value of each row; judging whether each row of the measurement data matrix is attacked or not through the variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result, so that a first data matrix is obtained.
The low-rank matrix recovery module 130 is configured to perform low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem; and solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of the matrix, and further obtain a detection result of the error data injection attack.
Optionally, the abnormal measurement node determining module 120 is further configured to set a value of an unaddressed line in the measurement data matrix to 0, where the value of the attacked line remains unchanged, so as to obtain the first data matrix.
Optionally, the data receiving module 110 is further configured to divide the power flow vectors obtained at different times of the same measurement node in the measurement data into a row, and divide the power flow vectors obtained at the same time of different measurement nodes into a column, thereby forming a measurement data matrix.
Optionally, the abnormal measurement node discrimination module 120 is further configured to: calculating the relative change value RF at the ith measurement node at time t i,t The method comprises the following steps:wherein Z is i,t Representing a power flow vector measured and obtained by an ith node at the moment t; z is Z i,t-1 Representing a power flow vector measured and obtained by an ith node at the time t-1; after obtaining the relative change values of all the measuring nodes at all the moments, calculating the variance V of the relative change value of the ith measuring node in the measuring period T i The method comprises the following steps: v (V) i =var([RF i,t ,…,RF i,t+T ])。
Optionally, the abnormal measurement node discrimination module 120 is further configured to: setting a threshold alpha; if variance V i Greater than the threshold value alpha, the sum-of-variances V are determined i The corresponding measuring node is attacked by the error data injection in the period of T; if variance V i Less than or equal to the threshold value alpha, the sum-of-variances V are determined i The corresponding measurement node is not misplaced within the T periodError data injection attacks.
Optionally, the first optimization problem is:
s.t.Z a =Z 0 +A;
wherein Z is a Is a matrix of measurement data, Z 0 The power flow matrix is not attacked originally, and A is an error data injection attack matrix; z 0 || * Is the kernel norm, ||A T || p,1 Representing a first data matrix row sparseness penalty, I A I 1,1 Representing the overall sparse penalty of the first data matrix, wherein lambda is a penalty parameter of row sparsity, and mu is an overall sparsity penalty parameter of the first data matrix; p is a preset parameter.
In summary, the application provides a detection method and a device for error data injection attack, which are applied to a smart grid, and comprehensively consider the effectiveness, reliability and interpretability of an anomaly detection method.
It is to be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application. Further, for convenience of description, only some, but not all, of the structures related to the present application are shown in the drawings. The step numbers used herein are also for convenience of description only, and are not limiting as to the order in which the steps are performed. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms "first," "second," and the like in this disclosure are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The foregoing description is only of embodiments of the present application, and is not intended to limit the scope of the application, and all equivalent structures or equivalent processes using the descriptions and the drawings of the present application or directly or indirectly applied to other related technical fields are included in the scope of the present application.
Claims (8)
1. The method for detecting the error data injection attack is characterized by being applied to a smart grid, and comprises the following steps:
receiving measurement data and forming a measurement data matrix from the received measurement data; wherein the measurement data comprises a power flow vector obtained from a node measurement of the smart grid;
calculating the measurement data matrix to obtain a relative change value of each row at a preset time and a variance of the relative change value of each row;
judging whether each row of the measurement data matrix is attacked or not through the variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result so as to obtain a first data matrix;
performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem; solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of a matrix, and further obtain a detection result of the error data injection attack;
wherein the composing the received measurement data into a measurement data matrix includes: dividing power flow vectors obtained at different moments of the same measuring node in the measuring data into a row, and dividing the power flow vectors obtained at the same moment of different measuring nodes into a column, thereby forming the measuring data matrix;
the calculating the measurement data matrix to obtain the relative change value of each row at a preset time and the variance of the relative change value of each row comprises the following steps: calculating the relative change value RF at the ith measurement node at time t i,t The method comprises the following steps:
wherein Z is i,t Representing a power flow vector measured and obtained by an ith node at the moment t; z is Z i,t-1 Representing a power flow vector measured and obtained by an ith node at the time t-1; after obtaining the relative change values of all the measuring nodes at all the moments, calculating the variance V of the relative change value of the ith measuring node in the measuring period T i The method comprises the following steps:
V i =var([RF i,t ,...,RF i,t+T ]),
wherein var (·) is the difference function of the access;
said determining, by said variance, whether each row of said measurement data matrix is attacked, comprising: and judging whether each row of the measurement data matrix is attacked or not according to the numerical comparison relation between the variance and the threshold value.
2. The method for detecting an error data injection attack according to claim 1, wherein said determining whether each row of the measurement data matrix is attacked by the variance and performing a 0 assignment process on the measurement data matrix according to a determination result, thereby obtaining a first data matrix, comprises:
and setting the value of the row which is not attacked in the measurement data matrix to be 0, wherein the value of the attacked row is kept unchanged, so that the first data matrix is obtained.
3. The method for detecting an error data injection attack according to claim 1, wherein said determining whether each row of the measurement data matrix is attacked by the variance includes:
setting a threshold alpha;
if variance V i Greater than the threshold value alpha, the sum-of-variances V are determined i The corresponding measuring node is attacked by the error data injection in the period of T;
if variance V i Less than or equal to the threshold value alpha, the sum-of-variances V are determined i The corresponding measurement node is not attacked by the erroneous data injection during the T period.
4. The method for detecting an error data injection attack according to claim 1, wherein the performing low-rank matrix recovery processing and row sparse optimization on the first data matrix to obtain a first optimization problem includes:
the first optimization problem is obtained as follows:
s.t.Z a =Z 0 +A;
wherein Z is a Is a matrix of measurement data that is a function of the measurement data,
Z 0 the power flow matrix is not attacked originally, and A is an error data injection attack matrix; z 0 || * Is the kernel norm, ||A T || p,1 Representing a first data matrix row sparseness penalty, I A I 1,1 Representing the overall sparse penalty of the first data matrix, wherein lambda is a penalty parameter of row sparsity, and mu is an overall sparsity penalty parameter of the first data matrix; p is a preset parameter.
5. The device for detecting the error data injection attack is applied to a smart grid, and comprises:
the data receiving module is used for receiving the measurement data and forming a measurement data matrix from the received measurement data; wherein the measurement data comprises a power flow vector obtained from a node measurement of the smart grid;
the abnormal measurement node judging module is used for calculating the measurement data matrix to obtain a relative change value of each row at a preset time and a variance of the relative change value of each row; judging whether each row of the measurement data matrix is attacked or not through the variance, and performing 0 assignment processing on the measurement data matrix according to a judgment result so as to obtain a first data matrix;
the low-rank matrix recovery module is used for carrying out low-rank matrix recovery processing and line sparse optimization on the first data matrix to obtain a first optimization problem; solving the first optimization problem by adopting an augmented Lagrangian multiplier method, so as to obtain a decomposition result of a matrix, and further obtain a detection result of the error data injection attack;
wherein the composing the received measurement data into a measurement data matrix includes: dividing power flow vectors obtained at different moments of the same measuring node in the measuring data into a row, and dividing the power flow vectors obtained at the same moment of different measuring nodes into a column, thereby forming the measuring data matrix;
the calculating the measurement data matrix to obtain the relative change value of each row at a preset time and the variance of the relative change value of each row comprises the following steps: calculating the relative change value RF at the ith measurement node at time t i,t The method comprises the following steps:
wherein Z is i,t Representing a power flow vector measured and obtained by an ith node at the moment t; z is Z i,t-1 Representing a power flow vector measured and obtained by an ith node at the time t-1; after obtaining the relative change values of all the measuring nodes at all the moments, calculating the variance V of the relative change value of the ith measuring node in the measuring period T i The method comprises the following steps:
V i =var([RF i,t ,...,RF i,t+T ]),
wherein var (·) is the difference function of the access;
said determining, by said variance, whether each row of said measurement data matrix is attacked, comprising: and judging whether each row of the measurement data matrix is attacked or not according to the numerical comparison relation between the variance and the threshold value.
6. The apparatus for detecting an erroneous data injection attack according to claim 5, wherein,
the abnormal measurement node judging module is further used for setting the numerical value of an unaddressed row in the measurement data matrix to be 0, and the numerical value of the attacked row is kept unchanged, so that the first data matrix is obtained.
7. The apparatus for detecting an error data injection attack according to claim 5, wherein the abnormal measurement node discrimination module is further configured to:
setting a threshold value alpha:
if variance V i Greater than the threshold value alpha, the sum-of-variances V are determined i The corresponding measuring node is attacked by the error data injection in the period of T;
if variance V i Less than or equal to the threshold value alpha, the sum-of-variances V are determined i The corresponding measurement node is not attacked by the erroneous data injection during the T period.
8. The apparatus for detecting an erroneous data injection attack according to claim 5, wherein,
the first optimization problem is as follows:
s.t.Z a =Z 0 +A;
wherein Z is a Is a matrix of measurement data that is a function of the measurement data,
Z 0 the power flow matrix is not attacked originally, and A is an error data injection attack matrix; z 0 || * Is the kernel norm, ||A T || p,1 Representing a first data matrix row sparseness penalty, I A I 1,1 Representing the overall sparse penalty of the first data matrix, wherein lambda is a penalty parameter of row sparsity, and mu is an overall sparsity penalty parameter of the first data matrix; p is a preset parameter.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111167739.8A CN113886765B (en) | 2021-09-30 | 2021-09-30 | Method and device for detecting error data injection attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111167739.8A CN113886765B (en) | 2021-09-30 | 2021-09-30 | Method and device for detecting error data injection attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113886765A CN113886765A (en) | 2022-01-04 |
CN113886765B true CN113886765B (en) | 2023-09-29 |
Family
ID=79005397
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111167739.8A Active CN113886765B (en) | 2021-09-30 | 2021-09-30 | Method and device for detecting error data injection attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113886765B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114500045A (en) * | 2022-01-26 | 2022-05-13 | 中南大学 | Smart grid false data injection attack detection method and device based on structure sparse matrix separation |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103514259A (en) * | 2013-08-13 | 2014-01-15 | 江苏华大天益电力科技有限公司 | Abnormal data detection and modification method based on numerical value relevance model |
CN107808105A (en) * | 2017-10-18 | 2018-03-16 | 南京邮电大学 | False data detection method based on prediction in a kind of intelligent grid |
GB2558534A (en) * | 2016-11-08 | 2018-07-18 | Univ Durham | Detecting a bad data injection event within an industrial control system |
CN109460571A (en) * | 2018-09-27 | 2019-03-12 | 华南理工大学 | A kind of smart grid data reconstruction method based on matrix low-rank and sparsity |
CN110035090A (en) * | 2019-05-10 | 2019-07-19 | 燕山大学 | A kind of smart grid false data detection method for injection attack |
CN111062610A (en) * | 2019-12-16 | 2020-04-24 | 国电南瑞科技股份有限公司 | Power system state estimation method and system based on information matrix sparse solution |
CN112383046A (en) * | 2020-09-29 | 2021-02-19 | 中国南方电网有限责任公司超高压输电公司 | Voltage amplitude false data injection attack method for alternating current-direct current hybrid system |
CN113297194A (en) * | 2021-06-22 | 2021-08-24 | 华北电力大学 | Method for identifying and cleaning false data of spare capacity of electric vehicle aggregator |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10229092B2 (en) * | 2017-08-14 | 2019-03-12 | City University Of Hong Kong | Systems and methods for robust low-rank matrix approximation |
TWI686772B (en) * | 2019-03-21 | 2020-03-01 | 國立清華大學 | Data restoring method using compressed sensing and computer program product |
-
2021
- 2021-09-30 CN CN202111167739.8A patent/CN113886765B/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103514259A (en) * | 2013-08-13 | 2014-01-15 | 江苏华大天益电力科技有限公司 | Abnormal data detection and modification method based on numerical value relevance model |
GB2558534A (en) * | 2016-11-08 | 2018-07-18 | Univ Durham | Detecting a bad data injection event within an industrial control system |
CN107808105A (en) * | 2017-10-18 | 2018-03-16 | 南京邮电大学 | False data detection method based on prediction in a kind of intelligent grid |
CN109460571A (en) * | 2018-09-27 | 2019-03-12 | 华南理工大学 | A kind of smart grid data reconstruction method based on matrix low-rank and sparsity |
CN110035090A (en) * | 2019-05-10 | 2019-07-19 | 燕山大学 | A kind of smart grid false data detection method for injection attack |
CN111062610A (en) * | 2019-12-16 | 2020-04-24 | 国电南瑞科技股份有限公司 | Power system state estimation method and system based on information matrix sparse solution |
CN112383046A (en) * | 2020-09-29 | 2021-02-19 | 中国南方电网有限责任公司超高压输电公司 | Voltage amplitude false data injection attack method for alternating current-direct current hybrid system |
CN113297194A (en) * | 2021-06-22 | 2021-08-24 | 华北电力大学 | Method for identifying and cleaning false data of spare capacity of electric vehicle aggregator |
Non-Patent Citations (2)
Title |
---|
Modelingand performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements;AdnanAnwar et.al;《Journal of Computer and System Sciences》;第58-72页 * |
基于非凸矩阵分解的电网欺骗性数据注入攻击检测方法;陈雄欣 等;《现代电力》;第37卷(第3期);第263-269页 * |
Also Published As
Publication number | Publication date |
---|---|
CN113886765A (en) | 2022-01-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10817394B2 (en) | Anomaly diagnosis method and anomaly diagnosis apparatus | |
Karimipour et al. | Intelligent anomaly detection for large-scale smart grids | |
CN110942109A (en) | PMU false data injection attack prevention method based on machine learning | |
Kesavan et al. | A wavelet‐based damage diagnosis algorithm using principal component analysis | |
Chen et al. | Cyber-physical systems: Dynamic sensor attacks and strong observability | |
CN111723865B (en) | Method, apparatus and medium for evaluating performance of image recognition model and attack method | |
Anwar et al. | A data-driven approach to distinguish cyber-attacks from physical faults in a smart grid | |
CN111783845B (en) | Hidden false data injection attack detection method based on local linear embedding and extreme learning machine | |
CN112165471B (en) | Industrial control system flow abnormity detection method, device, equipment and medium | |
Gautam et al. | Sensors incipient fault detection and isolation using Kalman filter and Kullback–Leibler divergence | |
CN112260989B (en) | Power system and network malicious data attack detection method, system and storage medium | |
CN113886765B (en) | Method and device for detecting error data injection attack | |
CN111680725A (en) | Gas sensor array multi-fault isolation algorithm based on reconstruction contribution | |
CN112084505A (en) | Deep learning model malicious sample detection method, system, device and storage medium | |
Khalafi et al. | Intrusion detection, measurement correction, and attack localization of PMU networks | |
CN110377921A (en) | A kind of failure determination threshold value calculation method based on the more cell spaces of central symmetry | |
CN114666153B (en) | False data injection attack detection method and system based on state estimation residual distribution description | |
Shoukry et al. | Imhotep-SMT: A satisfiability modulo theory solver for secure state estimation | |
CN117034180A (en) | Power communication equipment data anomaly detection method, system and storage medium | |
Perry | Identifying the time of polynomial drift in the mean of autocorrelated processes | |
Mokhtari et al. | Measurement data intrusion detection in industrial control systems based on unsupervised learning | |
Kazeminajafabadi et al. | Optimal detection for Bayesian attack graphs under uncertainty in monitoring and reimaging | |
CN115145790A (en) | False data injection attack detection method and system for smart power grid | |
CN111506045B (en) | Fault diagnosis method based on single-value intelligent set correlation coefficient | |
CN111209567B (en) | Method and device for judging perceptibility of improving robustness of detection model |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |