CN114006744B - LSTM-based power monitoring system network security situation prediction method and system - Google Patents

Info

Publication number: CN114006744B
Authority: CN (China)
Prior art keywords: attack, monitoring system, power monitoring, abnormal behavior, time
Legal status: Active
Application number: CN202111263080.6A
Other languages: Chinese (zh)
Other versions: CN114006744A
Inventors: 王寅生, 王绪, 王其乐, 朱志成, 孟凯锋, 王栋, 高小钧, 胡鹏, 赵振飞
Current assignee: Zhongneng Power Tech Development Co Ltd
Original assignee: Zhongneng Power Tech Development Co Ltd
Events: application filed by Zhongneng Power Tech Development Co Ltd; priority to CN202111263080.6A; published as CN114006744A; application granted; published as CN114006744B

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408)
    • G06N3/044 Recurrent networks, e.g. Hopfield networks (under G06N3/04, neural network architecture)
    • G06N3/045 Combinations of networks (under G06N3/04)
    • G06N3/084 Backpropagation, e.g. using gradient descent (under G06N3/08, learning methods)

Abstract

The application discloses an LSTM-based network security situation prediction method and system for a power monitoring system. The method comprises: collecting first abnormal behavior data related to network security in the power monitoring system over a first past time period, summarizing the abnormal behavior data, and preprocessing it to obtain a first initial data set; and inputting the first initial data set, as an input parameter set, into a trained long short-term memory (LSTM) recurrent neural network. The method uses the LSTM model to predict the network security situation of the power monitoring system over a future period, so that the predicted situation can be turned into threat information for the administrator, who then consults the corresponding situation result to learn the specific possible threats, find the corresponding countermeasures, and prevent or eliminate each threat before it occurs.

Description

LSTM-based power monitoring system network security situation prediction method and system
Technical Field
The invention relates to the technical field of network security situation prediction of power monitoring systems, in particular to a network security situation prediction method and system of a power monitoring system based on LSTM.
Background
Electric power is critical national infrastructure, and its security bears directly on the national economy and on people's daily lives. The power monitoring system monitors and controls the power production and supply process and is a supporting system for the safe and stable operation of the grid. It is a business system built on computer and network technology, with a communication and data network as its basic support, protecting the power system. The network security situation faced by power monitoring systems is increasingly serious: a successful network attack on a power monitoring system can cause a large-area outage and seriously threaten enterprise and national security.
The network security architecture of a power monitoring system is established to prevent hackers, viruses and malicious code from damaging, attacking or illegally operating the power monitoring system, and to prevent its paralysis. The architecture can be divided into three aspects, protection, reinforcement and monitoring, forming a protection system, a reinforcement system and a monitoring system. Network security situation prediction serves as early warning within the monitoring system, so that an attack can be guarded against before the attacker launches it.
The concept of "situation" originates in the military domain, where it describes the overall state of a large set of objects under study that have relatively complex internal structure and are influenced by many factors; the battlefield situation is the typical example. The network of a power monitoring system has the same characteristics, so the concept of situation is introduced into the analysis of its network security, with the aim of establishing a feasible network security situation system for the power monitoring system through which the overall state of a large-scale network can be understood comprehensively, intuitively and rapidly. In an increasingly complex network security environment, the significance of network security situation prediction for power monitoring systems grows accordingly.
Predicting the network security situation of the power monitoring system, controlling the situation in real time, and analyzing abnormal user behavior from the security events observed in the monitored network converts after-the-fact handling into advance warning and prevention. The network security of the power monitoring system thereby changes from passive to active: by predicting the situation, the network manager of the power monitoring system can judge the trend of the network security state and better understand the state of the network, and of its security, when under attack. Before the network is attacked and suffers loss, the manager can take defensive measures in time, strengthen the security policies of the network security devices, and change the security rules of network security supervision, genuinely achieving active defense in which the defender moves as the adversary moves.
At present, network security situation prediction for the power monitoring systems of grid companies is still in its initial stage, and the security protection of power monitoring systems suffers from insufficient situation early-warning capability. This shows itself in several ways: the means for acquiring network security operation data at the master station and the station end are insufficient, and supervision and analysis are lacking; security compliance of the power monitoring system depends too heavily on manual means, so checking is inefficient; security operation data is poorly standardized and hard to analyze and process directly; and typical security problems such as cross-zone interconnection, illegal network access and illegal mobile-media access lack automated discovery and control. Meanwhile, the existing operation management and control system cannot monitor, accurately analyze or give early warning of the network security situation, leaving a significant gap between it and the requirement for all-weather, all-dimensional network security situation prediction.
Therefore, establishing a network security situation prediction system for the power monitoring system, achieving all-round, all-weather network security situation prediction for each power monitoring system of a company, promptly discovering network security risks and illegal access events of every kind, and realizing situation early warning for the network security of the power monitoring system meets an urgent requirement of power monitoring system protection.
Disclosure of Invention
The invention provides a network security situation prediction method and system of an electric power monitoring system based on LSTM.
The invention provides the following scheme:
An LSTM-based network security situation prediction method for a power monitoring system comprises the following steps:
collecting first abnormal behavior data related to network security in the power monitoring system over a first past time period, summarizing the abnormal behavior data, and preprocessing it to obtain a first initial data set;
and inputting the first initial data set, as an input parameter set, into a trained long short-term memory (LSTM) recurrent neural network, so that the LSTM recurrent neural network outputs a network security situation prediction result for a future time period.
Preferably: the collecting of abnormal behavior data related to network security in the power monitoring system over the first past time period comprises:
collecting log files of the security devices in the power monitoring system over the first past time period, and extracting the attack behaviors from the log files to obtain the first abnormal behavior data.
Preferably: the preprocessing comprises cleaning the first abnormal behavior data with a clustering method, removing noise data from it to obtain the first initial data set.
Preferably: collecting second abnormal behavior data related to network security in the power monitoring system over a second past time period, summarizing the second abnormal behavior data, and preprocessing it to obtain a second initial data set;
calculating a security situation value from the second initial data set;
inputting the second initial data set into the LSTM recurrent neural network as its training sample parameter set, so that the LSTM recurrent neural network outputs a training output value;
and computing the error between the training output value and the security situation value to obtain an error value, and judging whether training of the LSTM recurrent neural network is finished according to the comparison of the error value with the expected value.
Preferably: the calculating of the security situation value from the second initial data set comprises:
collecting log files of the security devices in the power monitoring system over the second past time period, and extracting the attack behaviors from the log files to obtain the second abnormal behavior data, where the preprocessing comprises cleaning the second abnormal behavior data with a clustering method and removing noise data from it to obtain the second initial data set;
forming attack sequences from a plurality of attack behaviors;
and defining weights for the attack sequences and computing a frequency-weighted average over the event occurrence statistics to obtain the security situation value.
Preferably: each attack behavior is represented by a first six-tuple (st, info, time, v, dt, pro);
where st and dt are respectively the source node and the destination node of the attack behavior; info is the description of the attack behavior; time is the time at which the attack behavior occurred; v is the vulnerability exploited by the attack behavior; and pro is the probability of occurrence of the attack behavior.
Preferably: pro = 1 if the attack behavior has occurred or been detected; 0 ≤ pro ≤ 1 if the attack behavior is a predicted one.
Preferably: each attack sequence is represented by a second six-tuple (id_a, time_s, time_e, p_a, v_a, pro_a);
where id_a is the unique identifier of the attack sequence; time_s is the start time of the attack sequence; time_e is its termination time; p_a is the set of assets involved in the attack sequence; v_a is the set of vulnerabilities exploited by the attack sequence; and pro_a is the occurrence frequency of the attack sequence.
Preferably: the first past time period and the second past time period are the same time period or different time periods.
An LSTM-based network security situation prediction system for a power monitoring system, the system comprising:
a first initial data set acquisition unit, which collects first abnormal behavior data related to network security in the power monitoring system over a first past time period, summarizes the abnormal behavior data and preprocesses it to obtain a first initial data set;
and a network security situation prediction unit, which inputs the first initial data set, as an input parameter set, into the trained LSTM recurrent neural network so that the LSTM recurrent neural network outputs a network security situation prediction result for a future time period.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
The application realizes an LSTM-based network security situation prediction method and system for a power monitoring system. In one implementation, the method comprises collecting first abnormal behavior data related to network security in the power monitoring system over a first past time period, summarizing the abnormal behavior data, and preprocessing it to obtain a first initial data set; and inputting the first initial data set, as an input parameter set, into a trained LSTM recurrent neural network, so that the network outputs a network security situation prediction result for a future time period. The method uses the LSTM model to predict the network security situation of the power monitoring system over a future period, so that the predicted situation can be turned into threat information for the administrator, who then consults the corresponding situation result to learn the specific possible threats, find the corresponding countermeasures, and prevent or eliminate each threat before it occurs.
Of course, it is not necessary for any one product to practice the invention to achieve all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a network security situation prediction method of an LSTM-based power monitoring system provided by an embodiment of the invention;
Fig. 2 is a structural diagram of an LSTM neural network provided in an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which are derived by a person skilled in the art based on the embodiments of the invention, fall within the scope of protection of the invention.
Example 1
Referring to fig. 1, an LSTM-based network security situation prediction method for a power monitoring system according to an embodiment of the invention may include:
collecting first abnormal behavior data related to network security in the power monitoring system over a first past time period, summarizing the abnormal behavior data, and preprocessing it to obtain a first initial data set;
and inputting the first initial data set, as an input parameter set, into a trained LSTM recurrent neural network, so that the network outputs a network security situation prediction result for a future time period.
In the method of this embodiment, the first initial data set, obtained by processing the abnormal behavior data collected over a past time period, is fed as the input parameter set into a trained LSTM recurrent neural network, and the value the network outputs is taken as the network security situation prediction result; the administrator consults this result to learn the specific possible threats, finds the corresponding countermeasures, and prevents or eliminates each threat before it occurs.
Specifically, the collecting of abnormal behavior data related to network security in the power monitoring system over the first past time period includes:
collecting log files of the security devices in the power monitoring system over the first past time period, and extracting the attack behaviors from the log files to obtain the first abnormal behavior data.
The preprocessing comprises cleaning the first abnormal behavior data with a clustering method, removing noise data from it to obtain the first initial data set.
The method of this embodiment uses an LSTM (Long Short-Term Memory) recurrent neural network as the prediction model. To ensure that the trained LSTM model meets the accuracy requirement, the embodiment may further provide:
collecting second abnormal behavior data related to network security in the power monitoring system over a second past time period, summarizing the second abnormal behavior data, and preprocessing it to obtain a second initial data set;
calculating a security situation value from the second initial data set;
inputting the second initial data set into the LSTM recurrent neural network as its training sample parameter set, so that the network outputs a training output value;
and computing the error between the training output value and the security situation value to obtain an error value, and judging whether training of the LSTM recurrent neural network is finished according to the comparison of the error value with the expected value.
The calculating of the security situation value from the second initial data set includes:
collecting log files of the security devices in the power monitoring system over the second past time period, and extracting the attack behaviors from the log files to obtain the second abnormal behavior data, where the preprocessing comprises cleaning the second abnormal behavior data with a clustering method and removing noise data from it to obtain the second initial data set;
forming attack sequences from a plurality of attack behaviors;
and defining weights for the attack sequences and computing a frequency-weighted average over the event occurrence statistics to obtain the security situation value.
Each attack behavior is represented by a first six-tuple (st, info, time, v, dt, pro);
where st and dt are respectively the source node and the destination node of the attack behavior; info is the description of the attack behavior; time is the time at which the attack behavior occurred; v is the vulnerability exploited by the attack behavior; and pro is the probability of occurrence of the attack behavior. Specifically, pro = 1 if the attack behavior has occurred or been detected, and 0 ≤ pro ≤ 1 if it is a predicted attack behavior.
Each attack sequence is represented by a second six-tuple (id_a, time_s, time_e, p_a, v_a, pro_a);
where id_a is the unique identifier of the attack sequence; time_s is the start time of the attack sequence; time_e is its termination time; p_a is the set of assets involved in the attack sequence; v_a is the set of vulnerabilities exploited by the attack sequence; and pro_a is the occurrence frequency of the attack sequence.
The first past time period and the second past time period may be the same time period or different time periods.
In the method of this embodiment, following the general principle of network security situation prediction, the situation of the power monitoring system is predicted in three stages: a situation collection stage (obtaining the first or second initial data set), a situation calculation stage (obtaining the security situation value), and a situation prediction stage (obtaining the network security situation prediction result for a future time period with the LSTM recurrent neural network). The situation collection stage serves two purposes: it collects the first initial data set required for situation prediction and the second initial data set required for situation calculation, and the two initial data sets may of course share one group of data. The situation calculation stage obtains the security situation value, which provides the reference data against which the training output of the neural network used in the prediction stage is compared to decide whether training is finished.
First, in the initial stage of network security situation prediction, the situation elements are collected: security logs from different data sources are processed with data fusion techniques, and the element factors that influence the situation are extracted;
second, in the intermediate stage, the situation is calculated: a situation value is obtained by computing over the situation elements, and the current network security situation is analyzed from the result;
finally, in the last stage, the situation is predicted: the situation values of the current period are analyzed to predict the future situation and support the corresponding decisions. The situation prediction link monitors network security attacks and gives early warning of network security risks. Fig. 1 is a flow chart of network security situation prediction for the power monitoring system.
Because a network attack is a process and the alarms generated by security devices form a nonlinear time sequence, network security situation prediction for the power monitoring system can be abstracted as a function of the time index t: the network security situation value x, obtained by weighting the various alarms and characterizing the operating condition of the network, can be written x = f(t), and this situation value is nonlinear.
The network security situation values can therefore be treated as a time series. Assume a time series of situation values X = {x_i | x_i ∈ R, i = 1, 2, …, L}; the task is to predict the next M situation values from the situation values at the first N times of the series.
(1) Situation collection, the initial stage of network security situation prediction: collect the abnormal network security behaviors in the power monitoring system, summarize the abnormal data generated, and preprocess the abnormal data.
(2) Situation calculation, the intermediate stage of network security situation prediction: perform fusion calculation on the abnormal data collected in the situation collection stage to form a characteristic numerical value.
Massive network security information is thereby integrated, through a series of mathematical operations, into one or more groups of meaningful values. These values characterize the operating condition of the network: as the frequency, number and severity of threats to the network change, the magnitude of the values changes correspondingly.
(3) Situation prediction, the final stage of network security situation prediction: an LSTM (Long Short-Term Memory) recurrent neural network learns from the values produced in the situation calculation stage and the data collected in the initial stage, and finally predicts future network anomalies and attacks.
LSTM is a recurrent neural network with long- and short-term memory: through the regulation of its gates, the weight of the linear self-connection can be adjusted at every step, so it handles time sequences well. The network security situation value is a time series with strong temporal structure, which LSTM can process effectively.
LSTM has a powerful gating system consisting of an input (memory) gate, a forget gate and an output gate. By selectively recording or forgetting input information it processes the network security situation data better.
Unlike a traditional neural network, in which each layer uses different parameters, an LSTM layer uses the same parameters at every time step, so the same operation is executed on all nodes and the number of parameters to be learned is reduced.
First, the LSTM constructs three gates (i, f, o) to control the flow of information. Although the gates are constructed in the same way, the subscripts of W and b in the three gate formulas differ: each has its own physical meaning, and different weights are produced in the learning process.
i_t = sigmoid(W_xi x_t + W_hi h_{t-1} + b_i)
f_t = sigmoid(W_xf x_t + W_hf h_{t-1} + b_f)
o_t = sigmoid(W_xo x_t + W_ho h_{t-1} + b_o)
The gates added to the recurrent neural network (RNN) to control information flow are:
Input gate i_t: controls how much new information can flow into the memory cell (the cell state C_t, the fourth equation).
Forget gate f_t: controls how much of the memory cell's information from the previous time step is accumulated into the memory cell at the current time step.
Output gate o_t: controls how much of the memory cell's information at the current time step flows into the current hidden state h_t.
Gates provide no additional information; they limit the amount of information that passes, acting as filters.
Fig. 2 shows the LSTM neural network unrolled in time into a full network structure diagram. x is the input element, written {x_0, x_1, …, x_t, …}, where x_t is the input at time t. s is the hidden unit, written {s_0, s_1, …, s_t, …}, where s_t is the hidden-layer state at time t, computed from the hidden-layer state at the previous time step and the current input: s_t = f(U x_t + W s_{t-1}). The function f is usually a nonlinear function such as tanh or ReLU, and the first hidden-layer state s_0 is usually initialized to 0. h is the output element, written {h_0, h_1, …, h_t, …}, where h_t is the output at time t.
LSTM performs a nonlinear transformation from the input space R^n to the output space R^m. As analyzed above, the network security situation values form a strongly nonlinear time series, and predicting them, i.e. predicting M future values from the previous N values, amounts to finding the nonlinear mapping from R^n to R^m. The invention uses LSTM to learn a mapping of the network security anomaly data x of the power monitoring system onto M values, which represent the predictions for the M following time steps.
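The gate equations above written out as running code, as an added example that is not part of the patent. It implements the forward pass of one LSTM layer in plain Python: the i_t, f_t, o_t gates exactly as given, plus the candidate memory g_t, the cell-state update C_t = f_t * C_{t-1} + i_t * g_t and the output h_t = o_t * tanh(C_t), which are the standard LSTM equations the description refers to as the fourth equation but does not write out. The hand-set weights in demo_weights are an assumption for the demonstration only (no readout layer to M outputs and no training is shown); they are chosen so that the forget gate bias alone decides whether a spike fed in at the first step is still remembered three steps later.

```python
import math


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(W, v):
    """Return the matrix-vector product W @ v (W is a list of rows)."""
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def vadd(*vs):
    """Element-wise sum of equally sized vectors."""
    return [sum(xs) for xs in zip(*vs)]


class LSTMCell:
    """Forward pass of one LSTM layer written out gate by gate.

    `weights` maps each gate name to (W_x, W_h, b): W_x multiplies the
    input x_t, W_h multiplies the previous hidden state h_{t-1}, and b is
    the bias, as in the i_t, f_t, o_t equations above. The candidate
    memory 'g' and the C_t / h_t updates are the standard LSTM equations.
    """

    def __init__(self, weights):
        self.w = weights

    def _gate(self, name, x_t, h_prev, act):
        W_x, W_h, b = self.w[name]
        return [act(z) for z in vadd(matvec(W_x, x_t), matvec(W_h, h_prev), b)]

    def step(self, x_t, h_prev, c_prev):
        i_t = self._gate("i", x_t, h_prev, sigmoid)    # input gate
        f_t = self._gate("f", x_t, h_prev, sigmoid)    # forget gate
        o_t = self._gate("o", x_t, h_prev, sigmoid)    # output gate
        g_t = self._gate("g", x_t, h_prev, math.tanh)  # candidate memory
        # C_t = f_t * C_{t-1} + i_t * g_t: keep part of the old memory, admit part of the new
        c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, g_t)]
        # h_t = o_t * tanh(C_t): the output gate filters what leaves the cell
        h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
        return h_t, c_t

    def run(self, xs, n_hidden):
        """Unroll over a sequence of input vectors; return (all h_t, final C_t)."""
        h, c = [0.0] * n_hidden, [0.0] * n_hidden
        hs = []
        for x_t in xs:
            h, c = self.step(h_prev=h, c_prev=c, x_t=x_t)
            hs.append(h)
        return hs, c


def demo_weights(b_f):
    """Hand-set weights for a 1-input, 1-unit cell (an assumption for this
    demonstration, not learned values): the candidate memory copies tanh(x_t),
    the input gate is held open (b_i = +10), and the forget-gate bias b_f
    decides whether old memory is kept (+10 -> f ~ 1) or wiped (-10 -> f ~ 0)."""
    return {
        "i": ([[0.0]], [[0.0]], [10.0]),
        "f": ([[0.0]], [[0.0]], [b_f]),
        "o": ([[0.0]], [[0.0]], [0.0]),
        "g": ([[1.0]], [[0.0]], [0.0]),
    }


def final_cell_state(b_f, xs=((1.0,), (0.0,), (0.0,))):
    """Feed a spike followed by silence; return the cell state C_t afterwards."""
    cell = LSTMCell(demo_weights(b_f))
    _, c = cell.run([list(x) for x in xs], n_hidden=1)
    return c[0]


if __name__ == "__main__":
    print("forget gate open   (b_f=+10):", round(final_cell_state(10.0), 4))
    print("forget gate closed (b_f=-10):", round(final_cell_state(-10.0), 9))
```

With the forget gate open the cell state stays close to tanh(1) after two silent steps; with it closed the same spike is gone after one step. That is the filtering role of the gates: no new information is created, the gates only decide how much of it is kept, admitted or emitted, which is what lets the model carry an alarm pattern across many time steps of the situation series.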
The principle of training the long-term and short-term memory cyclic neural network comprises the following steps:
The method provided by the application mainly collects the attack data of the network in the power monitoring system through a situation collection stage, then calculates the situation value of the collected data in a situation calculation stage, sends the data into an LSTM (least squares) for training, and finally predicts the attack in a future period of time.
Situation collection stage:
In this stage, the log files of the network security monitoring device, firewall, network security intrusion detection device and other security devices in the power monitoring system are collected, the attack behaviours in the logs are extracted, and a clustering method is used to clean the data and remove noise.
Each attack behaviour is then represented by a six-tuple (st, info, time, v, dt, pro). st and dt are the source and destination nodes of the attack behaviour, each replaced by # if unknown or non-existent; info is the description of the attack behaviour; time is its occurrence time: for an attack that has already occurred or been detected, the time recorded in the protection log, and for a predicted future attack, the predicted time; v is the vulnerability exploited by the attack behaviour, replaced by # if unknown or non-existent; pro is the probability of occurrence of the attack, with pro = 1 if the attack has occurred or been detected and 0 ≤ pro ≤ 1 if it is a predicted attack.
Several attack behaviours form an attack sequence, represented by a six-tuple (ida, times, timee, pa, va, proa): ida is the unique identifier of the attack sequence; times is its start time, i.e. the occurrence time of the first attack behaviour in the sequence; timee is its end time, i.e. the occurrence time of the last attack behaviour in the sequence; pa is the set of assets involved, i.e. the source and destination nodes of the sequence's attack behaviours; va is the set of vulnerabilities exploited by those attack behaviours; proa is the occurrence frequency of the attack sequence, derived from the number of occurrences of all its attack behaviours.
Situation calculation stage:
The attack sequences gathered in situation collection are extracted into a security situation element set, which is predicted over a future period along the time dimension, providing the data basis for situation prediction.
The security situation value is computed as a frequency-weighted average combining the defined weights with event occurrence statistics. As time passes, the security situation element set obtained by predictive analysis can be verified and applied in real network attack and defence scenarios, which validates the time-dimension predictive analysis of the network security situation and further improves the aim and accuracy of the next round of security element extraction and time-dimension prediction.
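The collection and calculation stages just described, together with the N-past to M-future windowing the LSTM is trained on, as an added example that is not the patent's own code. The log line format, the grouping of behaviours into sequences by source node, the duplicate-based cleaning and the weight table are assumptions, since the patent does not specify them.

```python
from collections import defaultdict, namedtuple

# Constructed sample log lines (not from the patent): time|source|dest|vuln|info.
# "#" marks an unknown vulnerability, following the patent's six-tuple convention.
SAMPLE_LOG = """\
2021-10-01T08:00|10.0.0.5|10.0.1.2|#|port scan
2021-10-01T08:05|10.0.0.5|10.0.1.2|VULN-A|exploit attempt
2021-10-01T08:05|10.0.0.5|10.0.1.2|VULN-A|exploit attempt
2021-10-01T09:10|10.0.0.9|10.0.1.7|#|brute force
2021-10-01T09:30|10.0.0.9|10.0.1.8|#|brute force
"""

# Assumed weight table keyed on the attack description; the patent gives none.
WEIGHTS = {"port scan": 0.2, "brute force": 0.5, "exploit attempt": 0.9}
DEFAULT_WEIGHT = 0.3

# The patent's two six-tuples. `kinds` is an extra field kept on the sequence
# only so the weight table can be applied; it is not part of the patent's tuple.
Attack = namedtuple("Attack", "st info time v dt pro")
AttackSequence = namedtuple("AttackSequence", "ida times timee pa va proa kinds")

def collect(log_text):
    """Situation collection: parse log lines into attack six-tuples.
    Detected events get pro=1. Exact duplicates are dropped as a simple
    stand-in for the patent's clustering-based noise removal (assumption)."""
    attacks = []
    for line in log_text.strip().splitlines():
        time, st, dt, v, info = line.split("|")
        a = Attack(st or "#", info, time, v or "#", dt or "#", 1.0)
        if a not in attacks:
            attacks.append(a)
    return attacks

def build_sequences(attacks):
    """Group attack behaviours into attack sequences. Assumption: every
    behaviour from the same source node belongs to one sequence."""
    groups = defaultdict(list)
    for a in attacks:
        groups[a.st].append(a)
    seqs = []
    for n, (st, acts) in enumerate(sorted(groups.items()), start=1):
        times = sorted(a.time for a in acts)
        seqs.append(AttackSequence(
            ida=f"seq-{n}", times=times[0], timee=times[-1],
            pa=frozenset({a.st for a in acts} | {a.dt for a in acts}) - {"#"},
            va=frozenset(a.v for a in acts) - {"#"},
            proa=len(acts),                      # occurrence frequency
            kinds=frozenset(a.info for a in acts)))
    return seqs

def situation_value(seqs):
    """Situation calculation: frequency-weighted average, each sequence's weight
    (assumed: the highest weight among its attack kinds) weighted by proa."""
    total = sum(s.proa for s in seqs)
    if total == 0:
        return 0.0
    weighted = sum(s.proa * max(WEIGHTS.get(k, DEFAULT_WEIGHT) for k in s.kinds)
                   for s in seqs)
    return round(weighted / total, 4)

def make_windows(values, n, m):
    """Samples for the N-past -> M-future mapping (R^n -> R^m) the LSTM learns."""
    return [(values[i:i + n], values[i + n:i + n + m])
            for i in range(len(values) - n - m + 1)]

if __name__ == "__main__":
    seqs = build_sequences(collect(SAMPLE_LOG))
    print(seqs, situation_value(seqs))  # situation value 0.7
```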
Situation prediction stage:
In the situation prediction stage an LSTM model is built; LSTM comprises forward propagation and back propagation. In a BP neural network, forward propagation computes the output from a given input: the whole model is expressed by composing the computations of each layer, and since propagation proceeds bottom-up it is called forward propagation. Back propagation computes a loss value from the result of forward propagation and uses gradient descent to train the neuron parameters.
After the LSTM model is built, the network security data of the power monitoring system from the situation collection stage are input as training samples to obtain an output value; the error against the security situation value from the situation calculation stage is computed, the model parameters are updated backward, and the process is repeated until the error is smaller than the expected error. Finally, test verification data are input, test results are output, and the performance of the model is verified.
In summary, the method of the application predicts the network security situation of the power monitoring system with an LSTM model: the situation over a future period can be predicted and threat information for that period generated for the administrator, who then consults the corresponding situation result, learns which specific threats are likely, finds the corresponding countermeasures, and prevents or eliminates the threat before it occurs.
Example two
Corresponding to the LSTM-based method for predicting the network security situation of the power monitoring system provided by the first embodiment of the application, the second embodiment of the application also provides an LSTM-based system for predicting the network security situation of the power monitoring system, which specifically comprises the following units:
The first initial data set acquisition unit is used for collecting first abnormal behavior data related to network security in the power monitoring system in a first past time period, summarizing the abnormal behavior data and preprocessing the abnormal behavior data to obtain a first initial data set;
The network security situation prediction unit is used for inputting the first initial data set as an input parameter set into the trained long short-term memory recurrent neural network so that the long short-term memory recurrent neural network outputs a network security situation prediction result in a future time period.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (4)

1. An LSTM-based power monitoring system network security situation prediction method is characterized by comprising the following steps:
Collecting first abnormal behavior data related to network safety in a power monitoring system in a first past time period, summarizing the abnormal behavior data, and preprocessing the abnormal behavior data to obtain a first initial data set; collecting log files of a safety device in a power monitoring system in a first past time period, and extracting attack behaviors in the log files to obtain first abnormal behavior data;
Inputting the first initial data set as an input parameter set into a trained long short-term memory recurrent neural network so that the long short-term memory recurrent neural network outputs a network security situation prediction result in a future time period;
Collecting second abnormal behavior data related to network safety in the power monitoring system in a second past time period, summarizing the second abnormal behavior data, and preprocessing the second abnormal behavior data to obtain a second initial data set;
Calculating to obtain a security situation value through the second initial data set;
Inputting the second initial data set into the long short-term memory recurrent neural network as its training sample parameter set, so that the long short-term memory recurrent neural network outputs a training output value;
Performing error calculation on the training output value and the security situation value to obtain an error value, and judging whether training of the long short-term memory recurrent neural network is finished according to a comparison of the error value with an expected value;
wherein the calculation of the security situation value from the second initial data set comprises the following steps:
Collecting log files of a safety device in the power monitoring system in a second past time period, and extracting attack behaviors in the log files to obtain second abnormal behavior data; the preprocessing comprises the steps of adopting a clustering method to carry out data cleaning on the second abnormal behavior data, and removing noise data in the data to obtain the second initial data set;
forming an attack sequence by a plurality of attack behaviors;
carrying out weight definition and frequency weighted average calculation of event occurrence statistics on the attack sequence to obtain the security situation value;
Each attack behavior is represented by a first six-tuple (st, info, time, v, dt, pro);
Wherein st and dt are the source and destination nodes of the attack action respectively; info represents description information of the attack action; time is the occurrence time of attack action; v is vulnerability utilized by the attack action; pro is the probability of occurrence of the attack action;
if the attack action has occurred or has been detected, pro = 1; if the attack action is a predicted attack action, 0 ≤ pro ≤ 1;
Each attack sequence is represented by a second six-tuple (ida, times, timee, pa, va, proa);
Wherein ida is a unique identifier of the attack sequence; times represents the start time of the attack sequence; timee is the termination time of the attack sequence; pa is the set of assets involved in the attack sequence; va is the set of vulnerabilities exploited by the attack sequence; proa is the frequency of occurrence of the attack sequence.
2. The LSTM-based power monitoring system network security situation prediction method of claim 1, wherein the preprocessing includes performing data cleaning on the first abnormal behavior data by using a clustering method, and removing noise data in the data to obtain the initial data set.
3. The LSTM based power monitoring system network security posture prediction method of claim 1, wherein the first past time period and the second past time period are the same time period or different time periods.
4. An LSTM-based power monitoring system network security situation prediction system, the system comprising:
The first initial data set acquisition unit is used for collecting first abnormal behavior data related to network safety in the power monitoring system in a first past time period, summarizing the abnormal behavior data and preprocessing the abnormal behavior data to obtain a first initial data set; collecting log files of a safety device in a power monitoring system in a first past time period, and extracting attack behaviors in the log files to obtain first abnormal behavior data;
The network security situation prediction unit is used for inputting the first initial data set as an input parameter set into the trained long short-term memory recurrent neural network so that the long short-term memory recurrent neural network outputs a network security situation prediction result in a future time period;
Collecting second abnormal behavior data related to network safety in the power monitoring system in a second past time period, summarizing the second abnormal behavior data, and preprocessing the second abnormal behavior data to obtain a second initial data set;
Calculating to obtain a security situation value through the second initial data set;
Inputting the second initial data set into the long short-term memory recurrent neural network as its training sample parameter set, so that the long short-term memory recurrent neural network outputs a training output value;
Performing error calculation on the training output value and the security situation value to obtain an error value, and judging whether training of the long short-term memory recurrent neural network is finished according to a comparison of the error value with an expected value;
wherein the calculation of the security situation value from the second initial data set comprises the following steps:
Collecting log files of a safety device in the power monitoring system in a second past time period, and extracting attack behaviors in the log files to obtain second abnormal behavior data; the preprocessing comprises the steps of adopting a clustering method to carry out data cleaning on the second abnormal behavior data, and removing noise data in the data to obtain the second initial data set;
forming an attack sequence by a plurality of attack behaviors;
carrying out weight definition and frequency weighted average calculation of event occurrence statistics on the attack sequence to obtain the security situation value;
Each attack behavior is represented by a first six-tuple (st, info, time, v, dt, pro);
Wherein st and dt are the source and destination nodes of the attack action respectively; info represents description information of the attack action; time is the occurrence time of attack action; v is vulnerability utilized by the attack action; pro is the probability of occurrence of the attack action;
if the attack action has occurred or has been detected, pro = 1; if the attack action is a predicted attack action, 0 ≤ pro ≤ 1;
Each attack sequence is represented by a second six-tuple (ida, times, timee, pa, va, proa);
Wherein ida is a unique identifier of the attack sequence; times represents the start time of the attack sequence;
timee is the termination time of the attack sequence; pa is the set of assets involved in the attack sequence; va is the set of vulnerabilities exploited by the attack sequence; proa is the frequency of occurrence of the attack sequence.
CN202111263080.6A 2021-10-28 2021-10-28 LSTM-based power monitoring system network security situation prediction method and system Active CN114006744B (en)
Publications (2)

Publication Number Publication Date
CN114006744A CN114006744A (en) 2022-02-01
CN114006744B true CN114006744B (en) 2024-05-28