CN114362368A - Method and system for monitoring abnormal network flow behaviors of intelligent substation - Google Patents


Info

Publication number
CN114362368A
Authority
CN
China
Prior art keywords
message
application layer
service
layer message
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111670704.6A
Other languages
Chinese (zh)
Other versions
CN114362368B (en)
Inventor
刘绚
王文博
张博
宋宇飞
于宗超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan University
Original Assignee
Hunan University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan University
Priority to CN202111670704.6A
Publication of CN114362368A
Application granted
Publication of CN114362368B
Legal status: Active (current)
Anticipated expiration

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00 Systems supporting electrical power generation, transmission or distribution
    • Y04S10/16 Electric power substations

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a system for monitoring abnormal network flow behaviors of an intelligent substation. First, network flow data packets are captured through a mirror port of an intelligent substation switch and the application layer message of each packet is extracted; second, the message is parsed field by field according to the frame format specified by the protocol it belongs to, which yields the specific power service the message represents; then single-field out-of-limit detection, multi-field coupling logic detection and integral field anomaly detection are carried out according to the characteristics of the message fields; finally, a normal behavior model is established from the message service characteristics, and anomaly detection of the service execution logic, service verification logic and service time scale logic is performed against that model. The method overcomes the defect that existing intelligent substation network flow anomaly detection depends on network-layer flow feature indexes and does not consider the logical characteristics of the power service in depth, and improves the accuracy of detecting abnormal network flow behavior in intelligent substations.

Description

Method and system for monitoring abnormal network flow behaviors of intelligent substation
Technical Field
The invention relates to the technical field of information security of power systems, in particular to a method and a system for monitoring abnormal network flow behaviors of an intelligent substation.
Background
With the wide application of advanced information communication technology and intelligent electronic equipment in substations, the current substation has gradually developed into a new generation intelligent substation integrating advanced functions such as automatic control, intelligent decision making, cooperative interaction and the like. The information transmission in the communication process of the intelligent substation takes network flow as a carrier, and the normal transmission of flow data is vital to the safe and stable operation of the intelligent substation and the whole power system. A network attacker can achieve the purpose of destroying the safe and stable operation of the intelligent substation by intercepting, stealing and tampering the flow data, so that the abnormal behavior detection of the network flow is a key means for the network safety active defense of the intelligent substation.
However, the existing method for detecting network flow anomaly of the intelligent substation focuses on detection according to specific flow characteristic indexes in a network layer, and cannot reflect specific anomaly conditions. And the application layer message of the flow data contains important power service information, and the characteristics of the attack behavior cannot be comprehensively reflected only according to the flow characteristic indexes of the network layer. Therefore, a new method for monitoring abnormal network flow behavior of an intelligent substation is needed to be invented, so that abnormal detection of a flow data application layer message is realized, and safe and reliable operation of the intelligent substation is guaranteed.
Disclosure of Invention
The invention aims to solve the technical problem of the deficiencies of the prior art, and provides a method and a system for monitoring abnormal network flow behaviors of an intelligent substation, so that the limitation that conventional detection methods cannot detect abnormal behaviors of power services at the application layer is effectively removed, and the safety and reliability of flow information transmission in the communication process of the intelligent substation are improved.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: a method for monitoring abnormal network flow behaviors of an intelligent substation comprises the following steps:
s1, capturing network flow data of the intelligent substation in real time, and extracting application layer messages;
s2, according to the frame format specified by the protocol of the application layer message extracted in the step S1, analyzing the message in field level;
S3, carrying out single-field out-of-limit detection on the parsed application layer message, and sending an alarm signal if the message is abnormal; otherwise, performing multi-field coupling logic detection on the parsed application layer message, and sending an alarm signal if the message is abnormal; otherwise, carrying out integral field anomaly detection on the parsed application layer message, and sending an alarm signal if an anomaly occurs; otherwise, go to step S4;
and S4, performing service execution logic detection, service check logic detection and service time scale logic detection on the analyzed application layer message, and sending an alarm signal if any detection link is abnormal.
The invention extracts and analyzes the network flow data application layer message of the intelligent substation, and performs anomaly detection according to the message, thereby realizing the anomaly detection of single field, multi-field and whole field of the application layer message on the single-frame layer, and overcoming the defect that the existing detection method can only perform simple malformation check on the message format. Meanwhile, the abnormal detection of the service execution logic, the service check logic and the service time scale logic of the application layer message on the multi-frame layer is realized, the limitation that the conventional detection method cannot detect the abnormal behavior of the power service on the application layer is overcome, and the safety and the reliability of the flow data transmission of the intelligent substation are effectively improved.
The specific implementation process of performing single-field out-of-limit detection on the analyzed application layer message comprises the following steps:
1) Using the formula
Figure BDA0003449400930000021
perform single-field out-of-limit detection on the parsed application layer message; if the formula does not hold, the parsed application layer message is determined to be an abnormal message; otherwise, go to step 2). Here P is the parsed application layer message, P_WK denotes a variable-frame message of the power stability control service, LEN(P_WK) denotes the actual length of the parsed application layer message, and LEN(P_WK)_max denotes the maximum message length specified by the power stability control protocol;
2) judgment formula
Figure BDA0003449400930000022
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, go to step 3). Here THE(P_WK) denotes the theoretical (calculated) length of the message;
3) judgment formula
Figure BDA0003449400930000023
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, go to step 4). Here TYP(P_WK) denotes the value of the type identification field of the message;
4) judgment formula
Figure BDA0003449400930000024
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, go to step 5). Here COT(P_WK) denotes the value of the transmission cause (cause of transmission) field of the message;
5) judgment formula
Figure BDA0003449400930000025
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, perform multi-field coupling logic detection on the parsed application layer message. Here P_WK_G denotes a fixed-frame message of the power stability control service, and LEN(P_WK_G) denotes the fixed-frame message length.
The single-field out-of-limit detection of the invention performs threshold-based out-of-limit detection on individual fields of the message, such as the length field, the type identification field and the transmission cause field. When an attacker constructs or tampers with a message, a lack of power-domain knowledge leads to tentative modification or assignment of individual fields, so that the value of a single field exceeds its threshold; such an anomaly cannot be detected by a format check of the message alone, but is accurately identified by single-field out-of-limit detection. The single-field out-of-limit detection provided by the invention can handle field-value out-of-limit messages in time and prevent abnormal messages from affecting the normal communication process.
In step S3, the specific implementation process of performing multi-field coupling logic detection on the analyzed application layer packet includes:
I) judgment formula
Figure BDA0003449400930000031
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, go to step II). Here P is the parsed application layer message, P_WK denotes a variable-frame message of the power stability control service, FUN(P_WK) denotes the value of the function code in the control field of the message, and FCV(P_WK) denotes the value of the frame count valid bit of the message;
II) judgment formula
Figure BDA0003449400930000032
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, carry out integral field anomaly detection on the parsed application layer message. Here QU(P_WK) denotes the measurand quality descriptor of the message, OV denotes the overflow flag of the quality descriptor, and ER denotes the validity flag of the quality descriptor.
The multi-field coupling logic detection process can realize the abnormal detection of the message control domain function code coupling logic and the measured quality descriptor coupling logic. An attacker can simultaneously tamper a plurality of fields when constructing a malicious message, the simultaneous tampering of the fields can destroy normal coupling logic between the fields, the coupling logic abnormality cannot be identified only through the validity check of the existing message format, and the accurate judgment can be realized through the detection of the multi-field coupling logic. The multi-field coupling logic detection provided by the invention overcomes the defect that the existing detection method can only carry out simple malformation verification aiming at the message format, can effectively prevent the message control domain information from being maliciously tampered, and simultaneously ensures the normal and reliable transmission of the measured data.
In step S3, the specific implementation process of performing the overall field anomaly detection on the analyzed application layer packet includes: judgment formula
Figure BDA0003449400930000033
holds; if not, the parsed application layer message is determined to be an abnormal message; otherwise, go to step S4. Here P is the parsed application layer message, P_WK denotes a variable-frame message of the power stability control service, THEV(P_WK) denotes the theoretical checksum of the message, namely the low byte of the arithmetic sum of every byte from the start character up to the byte before the checksum field, and REA_V(P_WK) denotes the actual checksum of the message, which is the last byte of the message.
The integral field anomaly detection of the invention operates on the message as a whole without distinguishing specific fields: the theoretical checksum is computed according to the checksum calculation method of the message, and if the result does not match the checksum field carried in the message, a checksum error is declared and an alarm is raised. The integral field anomaly detection provided by the invention overcomes the limitation that existing detection methods only check the message format, can identify tampered messages and transmission-corrupted messages alike, and improves the safety and usability of message transmission.
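The single-frame checks of step S3 (length out of limit, length consistency, type identifier and transmission cause ranges, the 5-byte fixed frame, the FUN/FCV coupling and the whole-frame checksum) are shown below as an added example; this is not code from the patent or its applicant. The frame layout, the numeric thresholds (LEN_MAX, TYP_RANGE, COT_RANGE) and the FUN-to-FCV coupling table are assumptions, since the page leaves the formulas themselves to the protocol specification; the checksum definition (low byte of the sum from the start character up to the byte before the checksum field) and the 5-byte fixed-frame length are taken from the page. Sample frames are constructed, not captured traffic.

```python
# Added example: step S3 single-frame field checks over an assumed FT1.2-style layout.
#
# Assumed variable frame:  68h LEN LEN 68h | CTRL ADDR TYP VSQ COT ASDU ...info... | CS 16h
# Assumed fixed frame:     10h CTRL ADDR CS 16h   (exactly 5 bytes, as the page states)

START_VAR, START_FIX, END = 0x68, 0x10, 0x16

# Assumed thresholds: LEN(P_WK)_max and the permitted ranges of TYP and COT.
LEN_MAX = 255
TYP_RANGE = range(1, 45)
COT_RANGE = range(1, 48)

# Assumed coupling table FUN -> required FCV bit (the page's formula (6) is not given).
FCV_REQUIRED = {0: 0, 3: 1, 4: 0, 9: 0, 10: 1, 11: 1}


def theoretical_checksum(frame: bytes) -> int:
    """THEV(P_WK): low byte of the arithmetic sum of every byte from the start
    character up to, but not including, the checksum field (the page's definition)."""
    return sum(frame[:-2]) & 0xFF


def build_variable_frame(ctrl, addr, typ, vsq, cot, asdu, info=b"") -> bytes:
    """Constructed-sample builder: LEN and CS are derived, so only the given fields vary."""
    user = bytes([ctrl, addr, typ, vsq, cot, asdu]) + bytes(info)
    body = bytes([START_VAR, len(user), len(user), START_VAR]) + user
    return body + bytes([sum(body) & 0xFF, END])


def build_fixed_frame(ctrl, addr) -> bytes:
    body = bytes([START_FIX, ctrl, addr])
    return body + bytes([sum(body) & 0xFF, END])


def check_variable_frame(frame: bytes) -> list:
    """Runs checks (1)-(4), the FUN/FCV coupling check and the checksum check in the
    page's order; returns the alarm codes raised (an empty list means normal)."""
    alarms = []
    if len(frame) > LEN_MAX:                                     # (1) LEN(P_WK) > LEN(P_WK)_max
        alarms.append("LEN_OVER_MAX")
    if len(frame) < 12 or frame[0] != START_VAR or frame[3] != START_VAR or frame[-1] != END:
        alarms.append("FRAME_MALFORMED")
        return alarms                                            # fields cannot be located
    declared = frame[1]
    if frame[1] != frame[2] or 4 + declared + 2 != len(frame):   # (2) THE(P_WK) != LEN(P_WK)
        alarms.append("LEN_INCONSISTENT")
    ctrl, typ, cot = frame[4], frame[6], frame[8]
    if typ not in TYP_RANGE:                                     # (3) TYP(P_WK) out of limit
        alarms.append("TYP_OUT_OF_RANGE")
    if (cot & 0x3F) not in COT_RANGE:                            # (4) COT(P_WK) out of limit
        alarms.append("COT_OUT_OF_RANGE")
    fun, fcv = ctrl & 0x0F, (ctrl >> 4) & 0x01                   # multi-field: FUN/FCV coupling
    if fun in FCV_REQUIRED and FCV_REQUIRED[fun] != fcv:
        alarms.append("FUN_FCV_COUPLING")
    if theoretical_checksum(frame) != frame[-2]:                 # integral field: THEV != REA_V
        alarms.append("CHECKSUM_MISMATCH")
    return alarms


def check_fixed_frame(frame: bytes) -> list:
    """Check (5): a fixed frame is exactly 5 bytes; then the same checksum rule applies."""
    if len(frame) != 5:
        return ["FIXED_LEN_NOT_5"]
    alarms = []
    if frame[0] != START_FIX or frame[-1] != END:
        alarms.append("FRAME_MALFORMED")
    if theoretical_checksum(frame) != frame[3]:
        alarms.append("CHECKSUM_MISMATCH")
    return alarms


# Constructed samples (not captured substation traffic).
NORMAL = build_variable_frame(0x53, 0x01, 0x09, 0x81, 0x14, 0x01, b"\x10\x01\x00")
TYP_TAMPERED = build_variable_frame(0x53, 0x01, 0x00, 0x81, 0x14, 0x01, b"\x10\x01\x00")
FCV_TAMPERED = build_variable_frame(0x43, 0x01, 0x09, 0x81, 0x14, 0x01)   # FUN=3 with FCV=0
OVERLONG = build_variable_frame(0x53, 0x01, 0x09, 0x81, 0x14, 0x01, bytes(245))
_flipped = bytearray(NORMAL)
_flipped[9] ^= 0x01            # tamper one user-data byte without recomputing CS
BIT_FLIPPED = bytes(_flipped)
FIXED_OK = build_fixed_frame(0x49, 0x01)
FIXED_PADDED = FIXED_OK + b"\x00"

if __name__ == "__main__":
    for name, frame in [("normal", NORMAL), ("typ", TYP_TAMPERED), ("fcv", FCV_TAMPERED),
                        ("overlong", OVERLONG), ("flipped", BIT_FLIPPED)]:
        print(name, frame[:12].hex(), check_variable_frame(frame) or "normal")
    print("fixed", FIXED_OK.hex(), check_fixed_frame(FIXED_OK) or "normal")
    print("fixed+pad", check_fixed_frame(FIXED_PADDED))
```

The checks are deliberately ordered as the page orders them, and every check is run rather than stopping at the first alarm, so the output of one frame shows which layers (single field, coupling, whole frame) the tampering touched; a single-byte flip, for instance, trips only the checksum, while a changed type identifier trips the range check alone because the builder recomputed the checksum for it.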
The specific implementation process of step S4 includes:
judging the specific service of the analyzed application layer message according to the type identifier, the transmission reason, the function type and the information sequence number field of the analyzed application layer message;
if the service is one of file transmission, general call, test mode, monitoring direction blocking, remote control execution, remote regulation execution and disturbance data transmission, detect the execution logic of the service to which the parsed application layer message belongs; if it is abnormal, send an alarm signal, otherwise judge the current frame of flow data as normal flow;
if the service is one of remote control verification and fixed value modification service, detecting the verification logic of the service to which the analyzed application layer message belongs, if the service is abnormal, sending an alarm signal, otherwise, judging the current frame flow data as normal flow;
if the service is one of general historical data query and time synchronization service, the time mark logic of the service to which the analyzed application layer message belongs is detected, if the service is abnormal, an alarm signal is sent out, and if the service is not abnormal, the current frame flow data is judged to be normal flow.
The multi-frame message service logic abnormity detection can detect whether the execution logic, the check logic and the time mark logic of various services are correct or not, and overcomes the limitation that the existing intelligent substation network flow abnormity detection method focuses on simple format check of a single-frame message and cannot detect the service logic of specific power services at an application layer. The attack behavior can not be identified only by single-frame messages, but can be accurately identified by multi-frame message service logic analysis provided by the invention.
If the analyzed application layer message belongs to the file transmission service, judging whether the application layer message conforms to the execution logic
Figure BDA0003449400930000041
If not, send an alarm signal; otherwise, judge the current frame of flow data as normal flow. Here WJ1 is the call directory instruction, WJ2 the file directory response, WJ3 the select file instruction, WJ4 the file ready instruction, WJ5 the call file instruction, WJ6 the section ready instruction, WJ7 the call section instruction, WJ8 the section data upload instruction, WJ9 the last-section acknowledgement instruction, WJ10 the section acknowledgement instruction, and WJ11 the file acknowledgement instruction;
if the parsed application layer message belongs to the general call service, judge whether it conforms to the execution logic ZZ1→ZZ2→ZZ3; if not, send an alarm signal, otherwise judge the current frame of flow data as normal flow. Here ZZ1 is the general call instruction initiated by the master station, ZZ2 the substation information transmission instruction, and ZZ3 the general call end instruction;
if the parsed application layer message belongs to the test mode service, judge whether it conforms to the execution logic CS1→CS2→CS1→CS2; if not, send an alarm signal, otherwise judge the current frame of flow data as normal flow. Here CS1 is the test activation instruction and CS2 the test end instruction;
if the analyzed application layer message belongs to the monitoring direction blocking service, judging whether the application layer message conforms to the execution logic BS1→BS2→BS1→BS2If not, sending an alarm signal, otherwise, judging the current frame flow data as normal flow;
if the parsed application layer message belongs to the remote control execution service, judge whether it conforms to the execution logic YK1→YK2→YK3→YK4; if not, send an alarm signal, otherwise judge the current frame of flow data as normal flow;
if the parsed application layer message belongs to the remote regulation execution service, judge whether it conforms to the execution logic YT1→YT2→YT3→YT4; if not, send an alarm signal, otherwise judge the current frame of flow data as normal flow. Here YT1 is the remote regulation setting instruction, YT2 the remote regulation setting confirmation instruction, YT3 the remote regulation execution instruction, and YT4 the remote regulation execution confirmation instruction;
if the parsed application layer message belongs to the disturbance data transmission service, judge whether it conforms to the execution logic RD1→RD2→RD3→RD4→RD5→RD6; if not, send an alarm signal, otherwise judge the current frame of flow data as normal flow. Here RD1 is the disturbance data transmission preparation instruction, RD2 the transmission channel preparation instruction, RD3 the flagged state-shift transmission preparation instruction, RD4 the flagged state-shift transmission instruction, RD5 the disturbance value transmission instruction, and RD6 the transmission end instruction.
By performing anomaly detection on the execution logic of the various power services of the intelligent substation, the method can identify situations that do not conform to normal service execution logic, such as a missing, repeated or wrong instruction during service execution. In an attack on the service execution logic, the attack messages have a normal format, normal field logic and normal field thresholds, and they are few in number, so they are not reflected in network-layer flow features; existing methods such as network-layer flow feature analysis and message format checking therefore cannot identify such attack behavior.
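The execution-logic detection just described amounts to a per-service sequence monitor. The following is an added example of that monitor and is not code from the patent or its applicant. The instruction labels and expected sequences (WJ1..WJ11, ZZ1→ZZ2→ZZ3, CS1→CS2→CS1→CS2, and so on) are the page's; the mapping from a parsed frame's type identifier, transmission cause, function type and information sequence number to one of those labels is assumed to happen upstream and is not shown, and the session key used to keep different conversations apart is an assumption. The event streams are constructed, not captured traffic.

```python
# Added example: step S4 service execution logic detection as a sequence monitor.
# Expected instruction orders are taken from the page; BS1/BS2 are not named there
# beyond their labels, so they are kept as opaque labels.

EXPECTED_SEQUENCE = {
    "file_transfer":     [f"WJ{i}" for i in range(1, 12)],
    "total_call":        ["ZZ1", "ZZ2", "ZZ3"],
    "test_mode":         ["CS1", "CS2", "CS1", "CS2"],
    "monitor_blocking":  ["BS1", "BS2", "BS1", "BS2"],
    "remote_control":    ["YK1", "YK2", "YK3", "YK4"],
    "remote_regulation": ["YT1", "YT2", "YT3", "YT4"],
    "disturbance_data":  [f"RD{i}" for i in range(1, 7)],
}


class ExecutionLogicMonitor:
    """Tracks, per (session, service), the next instruction the normal behavior model
    expects. Each observed instruction either advances the sequence or raises one alarm
    naming the deviation the page lists: a missing, repeated or wrong instruction."""

    def __init__(self):
        self._pos = {}   # (session, service) -> index of the next expected instruction

    def observe(self, session, service, instr):
        seq = EXPECTED_SEQUENCE[service]
        key = (session, service)
        pos = self._pos.get(key, 0)
        if instr == seq[pos]:
            pos += 1
            self._pos[key] = 0 if pos == len(seq) else pos   # completed -> ready for next run
            return None
        # Deviation: classify it, then resynchronise so later frames are judged on their own.
        if pos > 0 and instr == seq[pos - 1]:
            kind = "REPEATED"       # the previous instruction was sent again
        elif instr in seq[pos:]:
            kind = "MISSING"        # one or more expected instructions were skipped
        else:
            kind = "WRONG"          # the instruction does not belong at this point at all
        self._pos[key] = 1 if instr == seq[0] else 0
        return f"{kind}:{service}:expected {seq[pos]} got {instr}"


def run(events):
    """Feed (session, service, instruction) events in capture order; return the alarms."""
    monitor = ExecutionLogicMonitor()
    alarms = []
    for session, service, instr in events:
        alarm = monitor.observe(session, service, instr)
        if alarm:
            alarms.append(alarm)
    return alarms


# Constructed event streams (not captured traffic).
NORMAL_TOTAL_CALL = [("m1", "total_call", x) for x in ("ZZ1", "ZZ2", "ZZ3")]
SKIPPED_STEP = [("m1", "total_call", x) for x in ("ZZ1", "ZZ3")]
REPEATED_STEP = [("m1", "remote_control", x) for x in ("YK1", "YK1", "YK2", "YK3", "YK4")]
FOREIGN_INSTR = [("m1", "total_call", "YK1")]
# Two test-mode conversations interleaved on the wire; each is normal on its own.
INTERLEAVED = [(s, "test_mode", x) for x in ("CS1", "CS2", "CS1", "CS2") for s in ("a", "b")]

if __name__ == "__main__":
    for name, stream in [("normal", NORMAL_TOTAL_CALL), ("skipped", SKIPPED_STEP),
                         ("repeated", REPEATED_STEP), ("foreign", FOREIGN_INSTR),
                         ("interleaved", INTERLEAVED)]:
        print(name, run(stream) or "normal")
```

Keying the state by session as well as service matters in practice: a master station may run a general call against several devices at once, and without the session key the interleaved instructions of two normal conversations would be flagged as repeated or missing steps.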
If the service is one of remote control verification and fixed value modification service, the specific implementation process for detecting the verification logic of the service to which the analyzed application layer message belongs comprises the following steps:
if the analyzed application layer message belongs to the remote control verification service, judging the formula
Figure BDA0003449400930000061
If not, send an alarm signal; otherwise, judge the current frame of flow data as normal flow. Here OTP1 is the operation type of the remote control check instruction, OTP2 the operation type of the remote control check result, COT2 the transmission cause of the remote control check result, and H denotes that the value is in hexadecimal;
if the analyzed application layer message belongs to the fixed value modification service, judging whether the application layer message conforms to the execution logic
Figure BDA0003449400930000062
If not, send an alarm signal; otherwise, judge the current frame of flow data as normal flow. Here DZ1 denotes the fixed-value check instruction, COT1 the transmission cause of the fixed-value check instruction, and DZ2 the fixed-value rewrite instruction. The formula expresses that the fixed-value rewrite instruction is executed only when the transmission cause of the fixed-value check instruction is 44, i.e. when the fixed-value check is correct.
By performing anomaly detection on the check logic of the power service, the method can identify attacks on the service check process, such as a service whose check is correct but which is not executed, or a service whose check failed but which is executed anyway. The service check logic anomaly detection overcomes the shortcoming that existing detection methods neither consider anomalies in the service check process nor the correlation between the check and the execution logic, and it can accurately identify illegal execution or illegal non-execution of a service.
If the service is one of general historical data query and time synchronization service, the specific implementation process for detecting the time scale logic of the service to which the analyzed application layer message belongs comprises the following steps:
if the analyzed application layer message belongs to the universal historical data query service, judging the formula
Figure BDA0003449400930000063
If not, send an alarm signal; otherwise, judge the current frame of flow data as normal flow. Here P_TLS denotes a general historical data query service message, T1(P_TLS) the start time of the general historical data query, and T2(P_TLS) the end time of the general historical data query;
if the analyzed application layer message belongs to the time synchronization service, judging the formula
Figure BDA0003449400930000071
If not, send an alarm signal; otherwise, judge the current frame of flow data as normal flow. Here P_SJTB denotes a time synchronization service message, TB1(P_SJTB) the time at which the time synchronization service sends the message, TB2(P_SJTB) the time of the time synchronization confirmation message, and Δt the maximum permitted time difference between the time synchronization command message and its confirmation message.
According to the invention, by carrying out anomaly detection on the time mark logic in the power service of the intelligent substation, whether the query time of the universal historical data query service is normal or not and whether the synchronization process of the time synchronization service is normal or not can be judged. The anomaly detection technology aiming at the time mark logic overcomes the limitation that the existing method can only judge anomalies according to a device clock, realizes active monitoring and defense on time mark type attacks on a flow data application layer message layer, and improves the accuracy and reliability of data query instructions and time mark instruction transmission in network flow data of an intelligent substation.
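The fixed-value check logic (the DZ1/COT1 = 44/DZ2 rule) and the two time-scale rules above are shown together below as an added example; this is not code from the patent or its applicant. The COT value 44, the symbols T1/T2, TB1/TB2 and Δt are the page's; the pairing window within which DZ2 must follow a correct DZ1, the assumption that an abnormal query is one whose start time lies after its end time, and the flush of an unanswered check at the end of the stream are assumptions. The remote-control check formula is not reproduced on the page, so it is not implemented here. Event data is constructed.

```python
# Added example: step S4 service check logic (fixed-value modification) and service
# time-scale logic (historical data query, time synchronization).

COT_CHECK_CORRECT = 44      # page: COT1 = 44 means the fixed-value check passed
PAIR_WINDOW_S = 30.0        # assumed: how long DZ2 may follow a correct DZ1 (seconds)


def check_fixed_value(events):
    """events: (t, instr, cot) tuples of one session in capture order.
    Raises ILLEGAL_EXECUTION when DZ2 appears without a preceding correct DZ1 (a failed or
    absent check still executed), and CHECK_OK_NOT_EXECUTED when a correct DZ1 is not
    followed by DZ2 within PAIR_WINDOW_S (a correct check that was never executed)."""
    alarms = []
    pending = None                     # time of the last correct DZ1 still awaiting DZ2
    for t, instr, cot in events:
        if pending is not None and t - pending > PAIR_WINDOW_S:
            alarms.append(f"CHECK_OK_NOT_EXECUTED@{pending}")
            pending = None
        if instr == "DZ1":
            pending = t if cot == COT_CHECK_CORRECT else None   # failed check arms nothing
        elif instr == "DZ2":
            if pending is None:
                alarms.append(f"ILLEGAL_EXECUTION@{t}")
            pending = None             # a rewrite consumes the pending check either way
    if pending is not None:            # assumed: flush an unanswered check at stream end
        alarms.append(f"CHECK_OK_NOT_EXECUTED@{pending}")
    return alarms


def check_history_query(t1, t2):
    """T1(P_TLS) must not lie after T2(P_TLS) (assumed reading of the page's rule)."""
    return [] if t1 <= t2 else ["QUERY_START_AFTER_END"]


def check_time_sync(tb1, tb2, delta_t):
    """TB2(P_SJTB) - TB1(P_SJTB) must lie within [0, Δt]."""
    diff = tb2 - tb1
    return [] if 0 <= diff <= delta_t else ["SYNC_DELAY_OUT_OF_LIMIT"]


# Constructed event streams: (time, instruction, transmission cause).
CHECK_THEN_REWRITE = [(0.0, "DZ1", 44), (1.0, "DZ2", 0)]
FAILED_CHECK_REWRITTEN = [(0.0, "DZ1", 47), (1.0, "DZ2", 0)]
REWRITE_WITHOUT_CHECK = [(5.0, "DZ2", 0)]
CHECK_NEVER_EXECUTED = [(0.0, "DZ1", 44), (40.0, "DZ1", 44), (41.0, "DZ2", 0)]

if __name__ == "__main__":
    for name, stream in [("ok", CHECK_THEN_REWRITE), ("failed", FAILED_CHECK_REWRITTEN),
                         ("no-check", REWRITE_WITHOUT_CHECK), ("stale", CHECK_NEVER_EXECUTED)]:
        print(name, check_fixed_value(stream) or "normal")
    print("query", check_history_query(1000, 2000), check_history_query(2000, 1000))
    print("sync", check_time_sync(0.0, 0.4, 1.0), check_time_sync(0.0, 2.5, 1.0))
```

The two failure modes the page names map onto the two alarm codes: a rewrite that arrives with no armed check (either no DZ1 at all, or a DZ1 whose COT1 was not 44) is an illegal execution, and an armed check that ages past the window without a rewrite is a correct check left unexecuted. Only the first alarm in the stale stream fires, because the second correct DZ1 is answered in time.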
As an inventive concept, the present invention also provides a computer arrangement comprising a memory, a processor and a computer program stored on the memory; the processor executes the computer program to implement the steps of the method of the present invention.
As an inventive concept, the present invention also provides a computer program product comprising computer programs/instructions; wherein the computer program/instructions, when executed by a processor, performs the steps of the method of the present invention.
Compared with the prior art, the invention has the beneficial effects that:
(1) the method and the device fully consider the abnormal behavior of the network flow data of the intelligent substation in the application layer, carry out abnormal detection aiming at the field characteristics and the service characteristics of the messages of the application layer, and overcome the limitation that the existing abnormal detection method depends on the flow characteristic indexes of the network layer.
(2) The invention aims at the application layer message of the network flow data of the intelligent substation to carry out single-field out-of-limit detection, multi-field coupling logic detection and integral field abnormity detection, and overcomes the defect that the existing abnormity detection method only stays in message format verification.
(3) The method establishes the normal behavior model of the power stability control service, and detects the service execution logic, the service verification logic and the service time scale logic according to the established service model, thereby realizing the judgment of the network flow service abnormity of the intelligent substation and improving the accuracy of the network flow abnormal behavior detection of the intelligent substation.
Drawings
Fig. 1 is a flow chart of detecting abnormal network traffic behavior of an intelligent substation in an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a monitoring system for abnormal network traffic behavior of an intelligent substation in the embodiment of the present invention.
FIG. 3 is a system unit diagram of an anomaly detection module for single-frame message field features in an embodiment of the present invention.
Fig. 4 is a system unit diagram of an anomaly detection module of multi-frame message service logic in the embodiment of the present invention.
Detailed Description
Fig. 1 is a flowchart of a method for detecting abnormal network flow behavior of an intelligent substation, which is provided by an embodiment of the present invention, and the specific implementation steps are as follows:
step S1: capturing network flow data in real time by using a mirror image port of an intelligent substation switch, and extracting an application layer message;
step S2: according to the frame format specified by the protocol to which the application layer message extracted in step S1 belongs, performing field-level analysis on the message, and acquiring a type identifier, a transmission reason, a function type, and an information sequence number field value of the message;
step S3: aiming at the application layer message analyzed in the step S2, establishing an abnormal behavior detection model based on field characteristics, carrying out single-field out-of-limit detection, multi-field coupling logic detection and integral field abnormal detection on the message according to the abnormal behavior detection model, if the abnormal behavior detection model is abnormal, sending an alarm signal, and if the abnormal behavior detection model is not abnormal, entering the step S4;
step S4: and (4) establishing a normal behavior model based on the service characteristics aiming at the application layer message analyzed in the step (S2), carrying out service execution logic detection, service check logic detection and service time scale logic detection on the message according to the normal behavior model, and sending an alarm signal if the message is abnormal.
Further, step S3 includes:
s3-1: and (4) establishing a message single-field out-of-limit abnormity detection model, detecting the application layer message analyzed in the step S2 according to the model, if abnormity occurs, sending an alarm signal, otherwise, entering the step S3-2.
S3-2: and (4) establishing a message multi-field coupling logic anomaly detection model, detecting the application layer message analyzed in the step S2 according to the model, if the anomaly occurs, sending an alarm signal, and if the anomaly does not occur, entering the step S3-3.
S3-3: and (4) establishing a message integral field abnormity detection model, detecting the application layer message analyzed in the step S2 according to the model, if abnormity occurs, sending an alarm signal, otherwise, entering the step S4.
Further, step S3-1 includes:
s3-1-1: aiming at the service flow of the power stability control system captured in real time, a variable frame message length out-of-limit abnormal detection model is established, as shown in a formula (1), whether the message length of an application layer exceeds the maximum length specified by a protocol is detected according to the model, if so, the message length violates the formula (1), the message is determined to be an abnormal message, and if not, the step S3-1-2 is carried out.
Figure BDA0003449400930000081
Here P is the network flow data application layer message parsed in step S2, P_WK denotes a variable-frame message of the power stability control service, LEN(P_WK) denotes the actual length of the message, and LEN(P_WK)_max denotes the maximum message length specified by the power stability control protocol.
S3-1-2: and (3) establishing a variable frame message length consistency abnormity detection model, as shown in a formula (2), calculating whether the length is equal to the actual length according to a model detection message theory, if not, violating the formula (2), judging as an abnormal message, otherwise, entering the step S3-1-3.
Figure BDA0003449400930000091
Wherein, THE (P)WK) Indicating the theoretical calculated length of the message.
S3-1-3: and (4) establishing an out-of-limit abnormal detection model of the message type identification field value, as shown in a formula (3), detecting whether the message type identification field value is out-of-limit or not according to the model, if so, violating the formula (3), judging as an abnormal message, and otherwise, entering the step S3-1-4.
Figure BDA0003449400930000092
Wherein, TYP (P)WK) The type identification field value representing the message.
S3-1-4: and (4) establishing an out-of-limit abnormal detection model of the message transmission reason field value, as shown in a formula (4), detecting whether the message transmission reason field value is out of limit according to the model, if so, violating the formula (4), judging as an abnormal message, and otherwise, entering the step S3-1-4.
Figure BDA0003449400930000093
Wherein, COT (P)WK) A value indicating a transmission cause field of the message.
S3-1-5: and (3) establishing an out-of-limit abnormal detection model of the length of the fixed frame message, as shown in a formula (5), detecting whether the length of the fixed frame message is 5 bytes or not according to the model, if not, violating the formula (5), judging the fixed frame message to be an abnormal message, and otherwise, entering the step S3-2.
Figure BDA0003449400930000094
Wherein, PWK_GFixed frame message, LEN (P), indicating power stability control serviceWK_G) Indicating the fixed frame message length.
Further, step S3-2 includes:
S3-2-1: For the power stability control service traffic captured in real time, establish a coupling logic anomaly detection model for the message control field function code and the frame count valid (FCV) bit, formula (6). Check whether the function code and FCV bit of the application layer message form a permitted combination; if not, formula (6) is violated and the message is judged abnormal, otherwise proceed to step S3-2-2.
(FUN(P_WK), FCV(P_WK)) ∈ {(0,0), (3,1), (4,0), (7,0), (10,1), (11,1)} (6)
where FUN(P_WK) is the function code value in the message control field and FCV(P_WK) is the frame count valid bit value of the message.
S3-2-2: Establish a flag bit coupling logic anomaly detection model for the measured-value quality descriptor of the message, formula (7). Check whether the flag bits of the quality descriptor of the application layer message are in a consistent combination; if not, formula (7) is violated and the message is judged abnormal, otherwise proceed to step S3-3.
(equation (7): image not extracted)
where QU(P_WK) is the measured-value quality descriptor of the message, OV is the overflow flag of the quality descriptor and ER is the validity flag of the quality descriptor.
Further, step S3-3 includes:
S3-3: For the power stability control service traffic captured in real time, establish a message checksum anomaly detection model, formula (8). Check whether the overall checksum of the application layer message is correct; if not, formula (8) is violated and an alarm signal is sent, otherwise proceed to step S4.
THEV(P_WK) = REA_V(P_WK) (8)
where THEV(P_WK) is the theoretical checksum of the message, i.e. the low byte of the arithmetic sum of the bytes following the start character up to the byte preceding the checksum field, and REA_V(P_WK) is the actual checksum carried in the message, which is its last byte.
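The single-frame checks of steps S3-1 to S3-3 (formulas (1) to (6) and (8)) as one runnable checker. This is an added example, not code from the patent. The byte layout of the frames is an assumption made for illustration, modelled on the FT1.2 link frames of IEC 60870-5-101 but with the checksum as the last byte as the page states; the constants LEN_MAX, TYP_ALLOWED and COT_ALLOWED are placeholder limits, the (FUN, FCV) allow-list is the page's formula (6), and the position of the function code and FCV bit in the control octet is assumed. Formula (7) is left out because the page does not state the flag-bit rule. Unlike the page's S3 flow, which raises the alarm at the first violation, the checker collects every violated formula, which is more useful when tuning rules against a capture.

```python
"""Single-frame field checks of step S3: formulas (1) to (6) and (8).

Added example, not code from the patent. Assumed layout (for illustration):
  variable frame: 68h L L 68h | C A1 A2 TYP VSQ COT ...user data... | CS
  fixed frame:    10h C A1 A2 CS                      (5 bytes, formula (5))
L counts the bytes from C up to (not including) CS; CS is the low byte of the
arithmetic sum of those bytes. The control octet C is assumed to carry the
function code in bits 0-3 and the FCV bit in bit 4.
"""
from typing import List, Optional

START_VAR, START_FIX = 0x68, 0x10
LEN_MAX = 200                                  # assumed protocol maximum length
TYP_ALLOWED = {1, 3, 13, 30, 45, 100, 120}     # assumed type identifier allow-list
COT_ALLOWED = {1, 2, 3, 5, 6, 7, 20}           # assumed cause-of-transmission allow-list
FUN_FCV_ALLOWED = {(0, 0), (3, 1), (4, 0), (7, 0), (10, 1), (11, 1)}   # formula (6), from the page


def checksum(body: bytes) -> int:
    """Low byte of the arithmetic sum: THEV(P) of formula (8)."""
    return sum(body) & 0xFF


def check_frame(raw: bytes) -> List[str]:
    """Return the violated formulas for one application layer frame ([] = normal)."""
    v: List[str] = []
    typ: Optional[int] = None
    cot: Optional[int] = None
    if len(raw) < 5:
        return ["(2) frame shorter than any valid frame"]
    if raw[0] == START_FIX:
        # S3-1-5, formula (5): a fixed frame is exactly 5 bytes.
        if len(raw) != 5:
            return ["(5) fixed frame length is not 5 bytes"]
        control, body, cs = raw[1], raw[1:4], raw[4]
    elif raw[0] == START_VAR:
        # S3-1-1, formula (1): the frame may not exceed the protocol maximum.
        if len(raw) > LEN_MAX:
            v.append("(1) length exceeds the protocol maximum")
        # S3-1-2, formula (2): the theoretical length (L + 4 header bytes + CS)
        # derived from the length field must equal the actual length.
        if raw[1] != raw[2] or raw[3] != START_VAR or raw[1] < 6 or raw[1] + 5 != len(raw):
            return v + ["(2) theoretical length differs from actual length"]
        control, body, cs = raw[4], raw[4:-1], raw[-1]
        typ, cot = raw[7], raw[9]
    else:
        return ["(2) unknown start character"]

    if typ is not None and typ not in TYP_ALLOWED:
        v.append("(3) type identifier out of limit")                   # S3-1-3
    if cot is not None and cot not in COT_ALLOWED:
        v.append("(4) cause of transmission out of limit")             # S3-1-4
    fun, fcv = control & 0x0F, (control >> 4) & 1
    if (fun, fcv) not in FUN_FCV_ALLOWED:
        v.append("(6) function code / FCV combination not permitted")  # S3-2-1
    if checksum(body) != cs:
        v.append("(8) checksum mismatch")                              # S3-3
    return v


def build_variable_frame(control: int, addr: int, typ: int, vsq: int, cot: int,
                         data: bytes = b"") -> bytes:
    """Assemble a well-formed variable frame under the assumed layout."""
    body = bytes([control, addr & 0xFF, addr >> 8, typ, vsq, cot]) + data
    return bytes([START_VAR, len(body), len(body), START_VAR]) + body + bytes([checksum(body)])


def build_fixed_frame(control: int, addr: int) -> bytes:
    """Assemble a well-formed 5-byte fixed frame under the assumed layout."""
    body = bytes([control, addr & 0xFF, addr >> 8])
    return bytes([START_FIX]) + body + bytes([checksum(body)])


# Constructed sample frames: one normal frame, then one violation each.
GOOD = build_variable_frame(0x73, 1, 1, 1, 3)          # FUN=3, FCV=1: permitted pair
BAD_PAIR = build_variable_frame(0x63, 1, 1, 1, 3)      # FUN=3, FCV=0: not permitted
BAD_CHECKSUM = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])    # last byte corrupted
TRUNCATED = GOOD[:-1]                                  # length field no longer matches

if __name__ == "__main__":
    for name, frame in [("good", GOOD), ("bad pair", BAD_PAIR),
                        ("bad checksum", BAD_CHECKSUM), ("truncated", TRUNCATED),
                        ("fixed ok", build_fixed_frame(0x40, 1)),
                        ("fixed long", build_fixed_frame(0x40, 1) + b"\x00")]:
        print(f"{name:12s} {frame.hex()}  ->  {check_frame(frame) or 'normal'}")
```

Note that the length and checksum tests are done before any field is interpreted: a frame whose length field disagrees with its actual length is rejected outright, so the type and cause-of-transmission offsets are never read from a truncated buffer.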
Further, step S4 includes:
S4-1: Determine the specific service of the application layer message parsed in step S2 from its type identifier, cause of transmission, function type and information sequence number fields. If the service is one of file transfer, general call, test mode, monitoring direction blocking, remote control execution, remote regulation execution and disturbance data transfer, proceed to step S4-2; if it is remote control verification or fixed value modification, proceed to step S4-3; if it is general historical data query or time synchronization, proceed to step S4-4.
S4-2: Establish a normal behavior model of the service execution logic and check the execution logic of the service to which the application layer message belongs against it; if the execution logic is abnormal, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
S4-3: Establish a normal behavior model of the service check logic and check the check logic of the service to which the application layer message belongs against it; if the check logic is abnormal, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
S4-4: Establish a normal behavior model of the service time scale logic and check the time scale logic of the service to which the application layer message belongs against it; if the time scale logic is abnormal, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
Further, step S4-2 includes:
S4-2-1: If the message belongs to the file transfer service, proceed to step S4-2-2; if to the general call service, step S4-2-3; if to the test mode service, step S4-2-4; if to the monitoring direction blocking service, step S4-2-5; if to the remote control execution service, step S4-2-6; if to the remote regulation execution service, step S4-2-7; if to the disturbance data transfer service, step S4-2-8.
S4-2-2: Establish a normal behavior model of the file transfer service execution logic, formula (9). The normal execution logic of the file transfer service is call directory, file directory response, select file, file ready, call file, section ready, call section, section data upload, last-section sent confirmation, section confirmation and file confirmation. If the logic is abnormal, i.e. formula (9) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
WJ1→WJ2→WJ3→WJ4→WJ5→WJ6→WJ7→WJ8→WJ9→WJ10→WJ11 (9)
where WJ1 is the call directory instruction, WJ2 the file directory response instruction, WJ3 the select file instruction, WJ4 the file ready instruction, WJ5 the call file instruction, WJ6 the section ready instruction, WJ7 the call section instruction, WJ8 the section data upload instruction, WJ9 the last-section sent confirmation instruction, WJ10 the section confirmation instruction and WJ11 the file confirmation instruction.
S4-2-3: Establish a normal behavior model of the general call service execution logic, formula (10). The normal execution logic of the general call service is: the master station initiates the general call, the substation uploads its information, the general call ends. If the logic is abnormal, i.e. formula (10) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
ZZ1→ZZ2→ZZ3 (10)
where ZZ1 is the master station general call initiation instruction, ZZ2 the substation information upload instruction and ZZ3 the general call end instruction.
S4-2-4: Establish a normal behavior model of the test mode service execution logic, formula (11). The normal execution logic of the test mode service is test activation followed by test termination. If the logic is abnormal, i.e. formula (11) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
CS1→CS2→CS1→CS2 (11)
where CS1 is the test activation instruction and CS2 the test termination instruction.
S4-2-5: Establish a normal behavior model of the monitoring direction blocking service execution logic, formula (12). The normal execution logic of the monitoring direction blocking service is blocking activation followed by blocking deactivation. If the logic is abnormal, i.e. formula (12) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
BS1→BS2→BS1→BS2 (12)
where BS1 is the monitoring direction blocking activation instruction and BS2 the monitoring direction blocking deactivation instruction.
S4-2-6: Establish a normal behavior model of the remote control service execution logic, formula (13). The normal execution logic of the remote control service is remote control setting, remote control setting return-check, remote control execution and remote control execution return-check. If the logic is abnormal, i.e. formula (13) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
YK1→YK2→YK3→YK4 (13)
where YK1 is the remote control setting instruction, YK2 the remote control setting return-check instruction, YK3 the remote control execution instruction and YK4 the remote control execution return-check instruction.
S4-2-7: Establish a normal behavior model of the remote regulation service execution logic, formula (14). The normal execution logic of the remote regulation service is remote regulation setting, remote regulation setting return-check, remote regulation execution and remote regulation execution return-check. If the logic is abnormal, i.e. formula (14) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
YT1→YT2→YT3→YT4 (14)
where YT1 is the remote regulation setting instruction, YT2 the remote regulation setting return-check instruction, YT3 the remote regulation execution instruction and YT4 the remote regulation execution return-check instruction.
S4-2-8: Establish a normal behavior model of the disturbance data transfer service execution logic, formula (15). The normal execution logic of the disturbance data transfer service is disturbance data transfer preparation, transmission channel preparation, flagged state change transfer preparation, flagged state change transfer, disturbance value transfer and transfer end. If the logic is abnormal, i.e. formula (15) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
RD1→RD2→RD3→RD4→RD5→RD6 (15)
where RD1 is the disturbance data transfer preparation instruction, RD2 the transmission channel preparation instruction, RD3 the flagged state change transfer preparation instruction, RD4 the flagged state change transfer instruction, RD5 the disturbance value transfer instruction and RD6 the transfer end instruction.
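The execution-logic models of steps S4-2-2 to S4-2-8 (formulas (9) to (15)) are all fixed orders of commands, so one tracker can serve every service. The block below is an added example, not code from the patent: the sequences are the page's, while the representation of a parsed message as a (service, command) pair, the service names used as keys, and the choice to resynchronise on the first step of a sequence after an alarm are assumptions made for illustration.

```python
"""Execution-logic models of step S4-2 (formulas (9) to (15)) as step sequences.

Added example, not code from the patent. Each service is a fixed order of
command labels; the detector keeps the next expected step per service and
alarms on any command that is out of order, repeated or unknown.
"""
from typing import Dict, List, Optional, Tuple

# Normal execution logic, formulas (9) to (15) of the page. The service keys are
# assumed names for this example.
EXECUTION_LOGIC: Dict[str, List[str]] = {
    "file_transfer":        [f"WJ{i}" for i in range(1, 12)],            # (9)
    "general_call":         ["ZZ1", "ZZ2", "ZZ3"],                       # (10)
    "test_mode":            ["CS1", "CS2", "CS1", "CS2"],                # (11)
    "monitor_block":        ["BS1", "BS2", "BS1", "BS2"],                # (12)
    "remote_control":       ["YK1", "YK2", "YK3", "YK4"],                # (13)
    "remote_adjust":        ["YT1", "YT2", "YT3", "YT4"],                # (14)
    "disturbance_transfer": ["RD1", "RD2", "RD3", "RD4", "RD5", "RD6"],  # (15)
}


class ExecutionLogicDetector:
    """Checks each service's command stream against its normal behavior model."""

    def __init__(self, logic: Dict[str, List[str]] = EXECUTION_LOGIC) -> None:
        self.logic = logic
        self.position: Dict[str, int] = {name: 0 for name in logic}

    def observe(self, service: str, command: str) -> Optional[str]:
        """Feed one parsed message; return an alarm text, or None when it is normal."""
        steps = self.logic.get(service)
        if steps is None:
            return f"{service}: no normal behavior model for this service"
        pos = self.position[service]
        if command == steps[pos]:
            # Expected step: advance, wrapping to the start once the sequence completes.
            self.position[service] = (pos + 1) % len(steps)
            return None
        alarm = f"{service}: got {command}, expected {steps[pos]} (step {pos + 1}/{len(steps)})"
        # Resynchronise (assumed policy): a fresh first step opens a new session,
        # anything else resets the service to the start of its sequence.
        self.position[service] = 1 if command == steps[0] else 0
        return alarm


def replay(events: List[Tuple[str, str]]) -> List[str]:
    """Run a captured sequence of (service, command) pairs and collect the alarms."""
    detector = ExecutionLogicDetector()
    alarms: List[str] = []
    for service, command in events:
        alarm = detector.observe(service, command)
        if alarm:
            alarms.append(alarm)
    return alarms


# Constructed sample capture: a complete remote control, a remote control that
# skips the setting return-check (YK2), and a test activation sent twice.
SAMPLE_EVENTS = [
    ("remote_control", "YK1"), ("remote_control", "YK2"),
    ("remote_control", "YK3"), ("remote_control", "YK4"),
    ("remote_control", "YK1"), ("remote_control", "YK3"),
    ("test_mode", "CS1"), ("test_mode", "CS1"),
]

if __name__ == "__main__":
    for line in replay(SAMPLE_EVENTS):
        print("ALARM", line)
```

The skipped YK2 in the sample is the case a practitioner cares about: a remote control execution (YK3) that was never preceded by a confirmed selection is exactly the frame a select-before-operate model is meant to catch. The detector keeps one position per service; a deployment that sees several devices would key the position by (service, link address) instead.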
Further, step S4-3 includes:
S4-3-1: If the message belongs to the remote control verification service, proceed to step S4-3-2; if it belongs to the fixed value modification service, proceed to step S4-3-3.
S4-3-2: Establish a normal behavior model of the remote control verification service check logic, formula (16). The remote control verification service consists of two message frames, the remote control verification command and the remote control verification result; the operation type of the verification result (01: open, 02: close) is determined by the verification command and by the cause-of-transmission field of the verification result. If the logic is abnormal, i.e. formula (16) is violated, send an alarm signal, otherwise judge this frame of traffic data as normal traffic.
(equation (16): image not extracted)
where OTP1 is the operation type of the remote control verification command, OTP2 the operation type of the remote control verification result and COT2 the cause of transmission of the remote control verification result, given in hexadecimal (suffix H).
S4-3-3: Establish a normal behavior model of the fixed value modification service check logic, formula (17). If the fixed value rewrite instruction is executed although the fixed value check instruction of the fixed value modification service returned an error, formula (17) is violated, the message is judged abnormal and an alarm signal is sent; otherwise judge this frame of traffic data as normal traffic.
(equation (17): image not extracted)
where DZ1 is the fixed value check instruction, COT1 the cause of transmission of the fixed value check instruction and DZ2 the fixed value rewrite instruction. The formula states that the fixed value rewrite instruction may be executed only when the cause of transmission of the fixed value check instruction is 44, i.e. the fixed value check was correct.
Further, step S4-4 includes:
S4-4-1: If the message belongs to the general historical data query service, proceed to step S4-4-2; if it belongs to the time synchronization service, proceed to step S4-4-3.
S4-4-2: Establish a normal behavior model of the general historical data query service time scale logic, formula (18). The start time of a general historical data query must be earlier than its end time; if formula (18) is violated, the message is judged abnormal and an alarm signal is sent, otherwise this frame of traffic data is judged as normal traffic.
T1(P_TLS) < T2(P_TLS) (18)
where P_TLS is a general historical data query service message, T1(P_TLS) is the start time of the general historical data query and T2(P_TLS) is its end time.
S4-4-3: Establish a normal behavior model of the time synchronization service time scale logic, formula (19), and check the time of the confirmation frame of the time synchronization command; if formula (19) is violated, the message is judged abnormal and an alarm signal is sent, otherwise this frame of traffic data is judged as normal traffic.
|TB2(P_SJTB) − TB1(P_SJTB)| ≤ Δt (19)
where P_SJTB is a time synchronization service message, TB1(P_SJTB) is the time at which the time synchronization service sends the command message, TB2(P_SJTB) is the time of the time synchronization service confirmation message and Δt is the maximum permitted time difference between the time synchronization command message and its confirmation message.
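The check logic of step S4-3-3 (formula (17)) and the time scale logic of steps S4-4-2 and S4-4-3 (formulas (18) and (19)) as runnable predicates. This is an added example, not code from the patent. Two points are assumptions: the page prints the "check correct" cause of transmission as 44 without stating its base, so the constant below is a guess at hexadecimal; and formula (19) is implemented as 0 ≤ TB2 − TB1 ≤ Δt, where the page gives only the maximum difference Δt and the lower bound (a confirmation may not be timestamped before its command) is added here. Formula (16) is not implemented because the page does not give the rule that relates OTP1, OTP2 and COT2.

```python
"""Check logic (S4-3-3, formula (17)) and time scale logic (S4-4, formulas (18), (19)).

Added example, not code from the patent.
"""
from datetime import datetime, timedelta
from typing import List, Optional

DZ_CHECK_OK_COT = 0x44   # assumed: the page prints "44" and does not state the base


class FixedValueCheckLogic:
    """Formula (17): a rewrite (DZ2) is normal only after a check (DZ1) that passed."""

    def __init__(self) -> None:
        self.last_check_cot: Optional[int] = None

    def observe(self, command: str, cot: int) -> Optional[str]:
        """Feed one parsed fixed value modification frame; return an alarm or None."""
        if command == "DZ1":            # fixed value check instruction
            self.last_check_cot = cot
            return None
        if command == "DZ2":            # fixed value rewrite instruction
            passed = self.last_check_cot == DZ_CHECK_OK_COT
            self.last_check_cot = None  # a rewrite consumes the pending check result
            if not passed:
                return "(17) fixed value rewrite without a correct fixed value check"
        return None


def check_history_query(t1: datetime, t2: datetime) -> Optional[str]:
    """Formula (18): the query start time must be earlier than the end time."""
    return None if t1 < t2 else "(18) query start time is not earlier than end time"


def check_time_sync(tb1: datetime, tb2: datetime, dt: timedelta) -> Optional[str]:
    """Formula (19): the confirmation must follow the command within dt (lower bound assumed)."""
    delay = tb2 - tb1
    if delay < timedelta(0):
        return "(19) confirmation timestamped before the command"
    if delay > dt:
        return "(19) confirmation later than the permitted maximum delay"
    return None


def run_samples() -> List[str]:
    """Constructed sample traffic: one normal case and one violation for each formula."""
    alarms: List[str] = []
    fixed = FixedValueCheckLogic()
    # A rewrite after a passed check, then a rewrite after a failed check.
    for cmd, cot in [("DZ1", DZ_CHECK_OK_COT), ("DZ2", 0), ("DZ1", 0x45), ("DZ2", 0)]:
        alarm = fixed.observe(cmd, cot)
        if alarm:
            alarms.append(alarm)
    t0 = datetime(2022, 1, 1, 0, 0, 0)
    for alarm in (check_history_query(t0, t0 + timedelta(hours=1)),
                  check_history_query(t0, t0),
                  check_time_sync(t0, t0 + timedelta(milliseconds=200), timedelta(seconds=1)),
                  check_time_sync(t0, t0 + timedelta(seconds=5), timedelta(seconds=1))):
        if alarm:
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for line in run_samples():
        print("ALARM", line)
```

The fixed value detector deliberately forgets the check result once a rewrite has consumed it, so a second rewrite riding on one earlier successful check is also flagged; whether the real protocol permits several rewrites per check is not stated on the page and would have to be confirmed against the device before deploying the rule.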
The method relies on large volumes of intelligent substation network traffic data. It first parses the application layer message of each frame at field level to obtain the specific service the message represents; it then performs single-field out-of-limit detection, multi-field coupling logic detection and whole-field anomaly detection on the message according to its field characteristics; finally it establishes a normal behavior model from the service characteristics of the message and performs anomaly detection against that model, so that abnormal network traffic behavior of the intelligent substation is monitored accurately and information is transmitted safely and reliably during intelligent substation communication.
Fig. 2 is a schematic structural diagram of a system for monitoring abnormal network traffic behavior of an intelligent substation, which can execute the method of any embodiment of the invention and comprises a traffic data acquisition module 100, an application layer message parsing module 200, a single-frame message field characteristic anomaly detection module 300 and a multi-frame message service logic anomaly detection module 400. All modules of the invention are disposed within the processor.
The traffic data acquisition module 100 is configured to mirror-image collect traffic data and extract an application layer packet of each frame of traffic data.
The application layer message parsing module 200 is configured to perform field-by-field parsing on the extracted application layer message according to a frame format specified by a protocol, so as to obtain a specific service represented by the message.
The field characteristic anomaly detection module 300 of the single-frame message is used for performing anomaly detection on the single-frame message on a field characteristic level.
The multi-frame message service logic anomaly detection module 400 is configured to perform frame-to-frame logic anomaly detection on a message of the same service.
The output end of the flow data obtaining module 100 is connected to the input end of the application layer message parsing module 200, and is configured to input the extracted application layer message.
The output end of the application layer message parsing module 200 is connected to the input end of the single-frame message field characteristic anomaly detection module 300 and feeds it the application layer message parsing result of the frame of traffic data.
The output end of the single-frame message field characteristic anomaly detection module 300 is connected to the input end of the multi-frame message service logic anomaly detection module 400 and feeds it the application layer message parsing result of the frame of traffic data.
As shown in fig. 3, further, the single-frame message field characteristic anomaly detection module 300 includes: a data acquisition unit 301, a first detection unit 302, a second detection unit 303, and a third detection unit 304.
The output end of the data obtaining unit 301 is connected to the input end of the first detecting unit 302, and is used for inputting an application layer message and an analysis result thereof.
The output end of the first detection unit 302 is connected to the input end of the second detection unit 303, and the output end of the second detection unit 303 is connected to the input end of the third detection unit 304.
In one embodiment, the data obtaining unit 301 reads an application layer packet of the power stability control service traffic data and an analysis result thereof, and transmits the read information to the first detecting unit 302, the second detecting unit 303, and the third detecting unit 304.
The first detecting unit 302 is configured to establish a message single-field out-of-limit anomaly detection model, detect an application layer message according to the model, and send an alarm signal if an anomaly occurs.
In one embodiment, the unit detects whether the application layer message length exceeds the maximum length specified by the protocol, whether the theoretically calculated length of the message equals its actual length, whether the message type identifier field value is out of limit, whether the message cause-of-transmission field value is out of limit and whether the fixed frame length of the application layer message is 5 bytes; if any of these is abnormal, an alarm signal is sent, and the abnormal result is the output of the single-frame message field characteristic anomaly detection module 300.
The second detecting unit 303 is configured to establish a message multi-field coupling logic anomaly detection model, detect an application layer message according to the model, and send an alarm signal if an anomaly occurs.
In one embodiment, the unit detects whether the function code and frame count valid bit of the application layer message control field form a permitted combination and whether the flag bits of the measured-value quality descriptor of the application layer message are consistent; if either is abnormal, an alarm signal is sent, and the abnormal result is the output of the single-frame message field characteristic anomaly detection module 300.
The third detecting unit 304 is configured to establish a message whole field anomaly detection model, detect the application layer message according to the model, and send an alarm signal if an anomaly occurs.
In one embodiment, the unit detects whether the overall checksum of the application layer packet is correct, and if an exception occurs, an alarm signal is sent out, and the unit uses the exception result as the output end of the exception detection module 300 for the field feature of the single frame packet.
As shown in fig. 4, further, the multi-frame packet service logic anomaly detection module 400 includes: a data acquisition unit 401, a first detection unit 402, a second detection unit 403, and a third detection unit 404.
The output end of the data obtaining unit 401 is connected to the input end of the first detecting unit 402, and is used for inputting an application layer message and a specific service to which the application layer message belongs.
The output terminal of the first detecting unit 402 is connected to the input terminal of the second detecting unit 403, and the output terminal of the second detecting unit 403 is connected to the input terminal of the third detecting unit 404.
In an embodiment, the data obtaining unit 401 obtains the application layer packet and the specific service to which the application layer packet belongs, and the unit transmits the read information to the first detecting unit 402, the second detecting unit 403, and the third detecting unit 404.
The first detecting unit 402 is configured to detect a service execution logic exception.
In one embodiment, a normal behavior model of the service execution logic is established, the execution logic of the service to which the application layer packet belongs is detected according to the model, if an abnormality occurs, an alarm signal is sent, and the unit uses the abnormal result as the output end of the multi-frame packet service logic abnormality detection module 400.
The second detecting unit 403 is configured to detect that the service check logic is abnormal.
In one embodiment, a normal behavior model of the service check logic is established, the check logic of the service to which the application layer packet belongs is detected according to the model, if an abnormality occurs, an alarm signal is sent, and the unit uses the abnormal result as the output end of the multi-frame packet service logic abnormality detection module 400.
The third detecting unit 404 is configured to detect a service time scale logic exception.
In one embodiment, a normal behavior model of the service time scale logic is established, the time scale logic of the service to which the application layer packet belongs is detected according to the model, if an abnormality occurs, an alarm signal is sent, and the unit uses the abnormal result as the output end of the multi-frame packet service logic abnormality detection module 400.

Claims (10)

1. A method for monitoring abnormal network traffic behavior of an intelligent substation, characterized by comprising the following steps:
S1, capturing network traffic data of the intelligent substation in real time and extracting the application layer messages;
S2, parsing each application layer message extracted in step S1 at field level according to the frame format specified by its protocol;
S3, performing single-field out-of-limit detection on the parsed application layer message and sending an alarm signal if it is abnormal; otherwise performing multi-field coupling logic detection on the parsed application layer message and sending an alarm signal if it is abnormal; otherwise performing whole-field anomaly detection on the parsed application layer message and sending an alarm signal if it is abnormal; otherwise proceeding to step S4;
S4, performing service execution logic detection, service check logic detection and service time scale logic detection on the parsed application layer message, and sending an alarm signal if any detection stage finds an anomaly.
2. The method for monitoring the abnormal network flow behavior of the intelligent substation according to claim 1, wherein the specific implementation process for performing single-field out-of-limit detection on the analyzed application layer message comprises the following steps:
1) using the formula
LEN(P_WK) ≤ LEN(P_WK)_max
perform single-field out-of-limit detection on the parsed application layer message; if the formula does not hold, judge the parsed application layer message abnormal, otherwise proceed to step 2); where P is the parsed application layer message, P_WK is a variable-frame message of the power stability control service, LEN(P_WK) is the actual length of the parsed application layer message and LEN(P_WK)_max is the maximum message length specified by the power stability control protocol;
2) judge whether the formula
THE(P_WK) = LEN(P_WK)
holds; if not, judge the parsed application layer message abnormal, otherwise proceed to step 3); where THE(P_WK) is the theoretical calculated length of the message;
3) judge whether the formula
(equation image not extracted)
holds; if not, judge the parsed application layer message abnormal, otherwise proceed to step 4); where TYP(P_WK) is the type identifier field value of the message;
4) judge whether the formula
(equation image not extracted)
holds; if not, judge the parsed application layer message abnormal, otherwise proceed to step 5); where COT(P_WK) is the cause-of-transmission field value of the message;
5) judge whether the formula
LEN(P_WK_G) = 5
holds; if not, judge the parsed application layer message abnormal, otherwise perform multi-field coupling logic detection on the parsed application layer message; where P_WK_G is a fixed-frame message of the power stability control service and LEN(P_WK_G) is the fixed-frame message length.
3. The method for monitoring the abnormal network flow behavior of the intelligent substation according to claim 1, wherein in step S3, the specific implementation process of performing multi-field coupling logic detection on the analyzed application layer packet includes:
I) judge whether the formula
(FUN(P_WK), FCV(P_WK)) ∈ {(0,0), (3,1), (4,0), (7,0), (10,1), (11,1)}
holds; if not, judge the parsed application layer message abnormal, otherwise proceed to step II); where P is the parsed application layer message, P_WK is a variable-frame message of the power stability control service, FUN(P_WK) is the value of the message control field function code and FCV(P_WK) is the value of the message frame count valid bit;
II) judge whether the formula
(equation image not extracted)
holds; if not, judge the parsed application layer message abnormal, otherwise perform whole-field anomaly detection on the parsed application layer message; where QU(P_WK) is the measured-value quality descriptor of the message, OV is the overflow flag of the quality descriptor and ER is the validity flag of the quality descriptor.
4. The method for monitoring the abnormal network flow behavior of the intelligent substation according to claim 1, wherein in step S3, the specific implementation process of performing the overall field abnormality detection on the analyzed application layer packet includes:
i) judge whether the formula
THEV(P_WK) = REA_V(P_WK)
holds; if not, judge the parsed application layer message abnormal, otherwise proceed to step S4; where P is the parsed application layer message, P_WK is a variable-frame message of the power stability control service, THEV(P_WK) is the theoretical checksum of the message, i.e. the low byte of the arithmetic sum of the bytes following the start character up to the byte preceding the checksum field, and REA_V(P_WK) is the actual checksum carried in the message, which is its last byte.
5. The method for monitoring the abnormal behavior of the network flow of the intelligent substation according to claim 1, wherein the specific implementation process of the step S4 includes:
judging the specific service of the analyzed application layer message according to the type identifier, the transmission reason, the function type and the information sequence number field of the analyzed application layer message;
if the traffic is one of the services of file transmission, total calling, test mode, monitoring direction locking, remote control execution, remote regulation execution and disturbance data transmission, detecting the execution logic of the service to which the analyzed application layer message belongs, if the traffic is abnormal, sending an alarm signal, and otherwise, judging the current frame traffic data as normal traffic;
if the service is one of remote control verification and fixed value modification service, detecting the verification logic of the service to which the analyzed application layer message belongs, if the service is abnormal, sending an alarm signal, otherwise, judging the current frame flow data as normal flow;
if the service is one of general historical data query and time synchronization service, the time mark logic of the service to which the analyzed application layer message belongs is detected, if the service is abnormal, an alarm signal is sent out, and if the service is not abnormal, the current frame flow data is judged to be normal flow.
6. The method for monitoring abnormal network flow behavior of an intelligent substation according to claim 5, wherein:
if the parsed application layer message belongs to the file transmission service, it is judged whether the application layer message conforms to the execution logic
[Formula FDA0003449400920000031: shown only as an image in the original; not reproduced here]
and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein WJ1 is the call-directory instruction, WJ2 the file-directory response instruction, WJ3 the select-file instruction, WJ4 the file-ready instruction, WJ5 the call-file instruction, WJ6 the section-ready instruction, WJ7 the call-section instruction, WJ8 the section-data-upload instruction, WJ9 the instruction acknowledging that the last segment has been sent, WJ10 the acknowledgement instruction, and WJ11 the file acknowledgement instruction;
if the parsed application layer message belongs to the general call service, it is judged whether the message conforms to the execution logic ZZ1 → ZZ2 → ZZ3, and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein ZZ1 is the general call command initiated by the master station, ZZ2 the information transmission command of the substation, and ZZ3 the general call end instruction;
if the parsed application layer message belongs to the test mode service, it is judged whether the application layer message conforms to the execution logic CS1 → CS2 → CS1 → CS2, and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein CS1 is the test activation instruction and CS2 the test end instruction;
if the parsed application layer message belongs to the monitoring direction blocking service, it is judged whether the application layer message conforms to the execution logic BS1 → BS2 → BS1 → BS2, and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow;
if the parsed application layer message belongs to the remote control execution service, it is judged whether the application layer message conforms to the execution logic YK1 → YK2 → YK3 → YK4, and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow;
if the parsed application layer message belongs to the remote regulation execution service, it is judged whether the application layer message conforms to the execution logic YT1 → YT2 → YT3 → YT4, and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein YT1 is the remote regulation setting command, YT2 the remote regulation setting check-back command, YT3 the remote regulation execution instruction, and YT4 the remote regulation execution check-back instruction;
if the parsed application layer message belongs to the disturbance data transmission service, it is judged whether the application layer message conforms to the execution logic RD1 → RD2 → RD3 → RD4 → RD5 → RD6, and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein RD1 is the disturbance data transmission ready instruction, RD2 the transmission channel ready instruction, RD3 the flagged state-shift transmission ready instruction, RD4 the flagged state-shift transmission instruction, RD5 the disturbance value transmission instruction, and RD6 the transmission end instruction.
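The execution-logic checks of claim 6 amount to a per-service state machine over the parsed application layer messages: each service has a fixed order of steps, and a frame that arrives out of that order is abnormal. The Python below is an added worked example, not code from the patent or its authors. It encodes the sequences the claim states in text (the file transmission logic WJ1..WJ11 is only an image on the page and is left out), keeps one cursor per service so that interleaved exchanges of different services do not disturb each other, and judges a frame that does not match the next expected step as an alarm. The message representation (a dict with `service` and `step` fields), the resynchronisation rule after an alarm, and the sample frame stream are assumptions made for this illustration.

```python
"""Execution-logic monitor for the substation services of claim 6.

Added example, not part of the patent.  Each service's expected message
sequence is a list of step labels; a per-service cursor follows the position
in that list, and any frame that does not match the next expected step is
judged abnormal.  The message representation (dict with 'service' and
'step'), the resynchronisation rule and the sample stream are assumptions.
"""

# Execution logic stated in claim 6.  The file transmission logic WJ1..WJ11 is
# only given as an image on the page and is therefore not encoded here.
EXECUTION_LOGIC = {
    "ZZ": ["ZZ1", "ZZ2", "ZZ3"],                       # general call
    "CS": ["CS1", "CS2", "CS1", "CS2"],                # test mode
    "BS": ["BS1", "BS2", "BS1", "BS2"],                # monitoring direction blocking
    "YK": ["YK1", "YK2", "YK3", "YK4"],                # remote control execution
    "YT": ["YT1", "YT2", "YT3", "YT4"],                # remote regulation execution
    "RD": ["RD1", "RD2", "RD3", "RD4", "RD5", "RD6"],  # disturbance data transmission
}


class ExecutionLogicMonitor:
    """Per-service cursor over the expected step sequence."""

    def __init__(self, logic=EXECUTION_LOGIC):
        self.logic = logic
        # Index of the next expected step, kept separately for every service so
        # that a general call interleaved with a remote control exchange is fine.
        self.cursor = {service: 0 for service in logic}

    def check(self, msg):
        """Judge one parsed application-layer message: 'normal' or 'alarm'."""
        service, step = msg["service"], msg["step"]
        if service not in self.logic:
            return "alarm"   # no execution logic defined for this service (assumption)
        expected = self.logic[service]
        pos = self.cursor[service]
        if step == expected[pos]:
            pos += 1
            self.cursor[service] = 0 if pos == len(expected) else pos  # exchange complete: wrap
            return "normal"
        # Out-of-order frame.  Resynchronise (assumption): if the frame is the first
        # step of the service, treat it as the start of a new exchange, otherwise
        # wait for a first step.
        self.cursor[service] = 1 if step == expected[0] else 0
        return "alarm"


def monitor_stream(frames, logic=EXECUTION_LOGIC):
    """Return one verdict per frame, in order."""
    mon = ExecutionLogicMonitor(logic)
    return [mon.check(f) for f in frames]


# Constructed sample stream (not captured traffic).  The YK exchange skips its
# second step and the CS frame ends a test that was never activated; both are
# the kind of injected or replayed control frame the sequence check is meant to catch.
SAMPLE_FRAMES = [
    {"service": "ZZ", "step": "ZZ1"}, {"service": "ZZ", "step": "ZZ2"},
    {"service": "ZZ", "step": "ZZ3"},
    {"service": "YK", "step": "YK1"}, {"service": "YT", "step": "YT1"},  # interleaved services
    {"service": "YK", "step": "YK3"},                                    # YK2 skipped: alarm
    {"service": "YT", "step": "YT2"}, {"service": "YT", "step": "YT3"},
    {"service": "YT", "step": "YT4"},
    {"service": "CS", "step": "CS2"},                                    # no CS1 before it: alarm
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, monitor_stream(SAMPLE_FRAMES)):
        print(f"{frame['service']:>3} {frame['step']:<4} {verdict}")
```

In a real deployment the cursor would additionally be keyed by the TCP connection (master station, substation address) so that two stations' exchanges are not confused, and a timeout would reset a cursor that has been left mid-sequence; both are omitted here to keep the sequence logic itself visible.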
7. The method for monitoring abnormal network flow behavior of an intelligent substation according to claim 5, wherein, if the service is the remote control verification service or the fixed value modification service, the specific process of checking the verification logic of the service to which the parsed application layer message belongs comprises:
if the parsed application layer message belongs to the remote control verification service, it is judged whether the message satisfies the formula
[Formula FDA0003449400920000041: shown only as an image in the original; not reproduced here]
and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein OTP1 is the operation type of the remote control verification command, OTP2 the operation type of the remote control verification result, COT2 the transmission reason of the remote control verification result, and H denotes that the value is in hexadecimal;
if the parsed application layer message belongs to the fixed value modification service, it is judged whether the application layer message conforms to the execution logic
[Formula FDA0003449400920000051: shown only as an image in the original; not reproduced here]
and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein DZ1 is the fixed value check instruction, COT1 the transmission reason of the fixed value check instruction, and DZ2 the fixed value rewrite instruction. The formula expresses that the fixed value rewrite instruction is executed only when the transmission reason of the fixed value check instruction is 44, i.e. when the fixed value check is correct.
8. The method for monitoring abnormal network flow behavior of an intelligent substation according to claim 5, wherein, if the service is the general historical data query service or the time synchronization service, the specific process of checking the time-stamp logic of the service to which the parsed application layer message belongs comprises:
if the parsed application layer message belongs to the general historical data query service, it is judged whether the message satisfies the formula
[Formula FDA0003449400920000052: shown only as an image in the original; not reproduced here]
and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein PTLS denotes a general historical data query service message, T1(PTLS) the start time of the general historical data query, and T2(PTLS) the end time of the general historical data query;
if the parsed application layer message belongs to the time synchronization service, it is judged whether the message satisfies the formula
[Formula FDA0003449400920000053: shown only as an image in the original; not reproduced here]
and if not, an alarm signal is sent, otherwise the current frame of flow data is judged to be normal flow; wherein PSJTB denotes a time synchronization service message, TB1(PSJTB) the sending time of the time synchronization command message, TB2(PSJTB) the time of the time synchronization confirmation message, and Δt the maximum allowed time difference between the time synchronization command message and its confirmation message.
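Claims 7 and 8 go beyond pure step ordering: the fixed value rewrite DZ2 is gated on the transmission reason of the preceding check DZ1, and the two time-stamp checks are relations between fields inside one message. The Python below is an added worked example, not code from the patent or its authors. The fixed value gate (COT1 = 44 means the check was correct) follows the claim's own explanation; the two time-stamp formulas are only images on the page, so the readings used here (query start before query end; confirmation not before the command and within Δt of it) are assumptions, as are the field names, the value of Δt, the treatment of a DZ1 with any other transmission reason, and the sample messages. The remote control verification formula is not modelled because its contents are not on the page.

```python
"""Verification and time-stamp checks for claims 7 and 8.

Added example, not part of the patent.  Messages are dicts; the field names
('cot', 'T1', 'T2', 'TB1', 'TB2'), the value of DELTA_T_SECONDS, the reading
of the image-only time formulas and the sample messages are assumptions.
"""

COT_CHECK_CORRECT = 44     # COT1 value that claim 7 states means "fixed value check correct"
DELTA_T_SECONDS = 2.0      # delta-t of claim 8; the real bound is site-specific, this is assumed


class FixedValueMonitor:
    """Claim 7, fixed value modification: a rewrite DZ2 is allowed only after a
    check DZ1 whose transmission reason COT1 was 44."""

    def __init__(self):
        self.check_passed = False

    def check(self, msg):
        step = msg["step"]
        if step == "DZ1":
            # The check instruction is recorded, not judged: the abnormal case is a
            # rewrite without a preceding correct check (assumption).
            self.check_passed = msg.get("cot") == COT_CHECK_CORRECT
            return "normal"
        if step == "DZ2":
            verdict = "normal" if self.check_passed else "alarm"
            self.check_passed = False   # each rewrite must be preceded by its own check
            return verdict
        return "alarm"                  # no other step belongs to this service


def historical_query_verdict(msg):
    """Claim 8, general historical data query: read as T1 < T2 (assumption)."""
    return "normal" if msg["T1"] < msg["T2"] else "alarm"


def time_sync_verdict(msg, delta_t=DELTA_T_SECONDS):
    """Claim 8, time synchronization: read as 0 <= TB2 - TB1 <= delta_t (assumption).
    A confirmation that is earlier than its command or arrives too late is
    exactly what a replayed or delayed time-sync exchange looks like."""
    gap = msg["TB2"] - msg["TB1"]
    return "normal" if 0 <= gap <= delta_t else "alarm"


def judge_message(msg, fixed_value_monitor):
    """Route one parsed application-layer message to the check for its service."""
    service = msg["service"]
    if service == "DZ":
        return fixed_value_monitor.check(msg)
    if service == "TLS":
        return historical_query_verdict(msg)
    if service == "SJTB":
        return time_sync_verdict(msg)
    return "alarm"   # service without a defined check (assumption)


def run(messages):
    """Return one verdict per message, in order."""
    monitor = FixedValueMonitor()
    return [judge_message(m, monitor) for m in messages]


# Constructed sample messages (not captured traffic); times are Unix seconds.
SAMPLE_MESSAGES = [
    {"service": "DZ", "step": "DZ1", "cot": 44},                     # check correct
    {"service": "DZ", "step": "DZ2"},                                # rewrite: normal
    {"service": "DZ", "step": "DZ2"},                                # second rewrite, no fresh check: alarm
    {"service": "DZ", "step": "DZ1", "cot": 7},                      # some reason other than 44 (constructed)
    {"service": "DZ", "step": "DZ2"},                                # rewrite after failed check: alarm
    {"service": "TLS", "T1": 1700000000, "T2": 1700003600},          # one-hour window: normal
    {"service": "TLS", "T1": 1700003600, "T2": 1700000000},          # end before start: alarm
    {"service": "SJTB", "TB1": 1700000000.0, "TB2": 1700000000.8},   # confirmed in 0.8 s: normal
    {"service": "SJTB", "TB1": 1700000000.0, "TB2": 1700000010.0},   # confirmed after 10 s: alarm
    {"service": "SJTB", "TB1": 1700000000.0, "TB2": 1699999999.0},   # confirmation before command: alarm
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run(SAMPLE_MESSAGES)):
        print(f"{msg['service']:>4} {msg.get('step', ''):<4} {verdict}")
```

The fixed value gate is the one to get right in practice: a DZ2 that the monitor lets through on the strength of a stale DZ1 from an earlier exchange is how a single injected rewrite hides inside otherwise legitimate traffic, which is why the monitor consumes the check flag on every rewrite.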
9. A computer system comprising a memory, a processor, and a computer program stored on the memory; characterized in that the processor executes the computer program to carry out the steps of the method according to one of claims 1 to 8.
10. A computer program product comprising a computer program/instructions; characterized in that the computer program/instructions, when executed by a processor, performs the steps of the method according to one of claims 1 to 8.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111670704.6A CN114362368B (en) 2021-12-31 2021-12-31 Intelligent substation network flow abnormal behavior monitoring method and system

Publications (2)

Publication Number Publication Date
CN114362368A true CN114362368A (en) 2022-04-15
CN114362368B CN114362368B (en) 2024-04-16

Family ID: 81106010

Country Status (1)

Country Link
CN (1) CN114362368B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5097469A (en) * 1989-05-19 1992-03-17 Concord Communications, Inc. Passive monitor for broadcast communication network
CN103124105A (en) * 2012-03-27 2013-05-29 湖南大学 Wireless intelligent sensor network system for monitoring states of intelligent substation devices
KR101375813B1 (en) * 2012-09-13 2014-03-20 한국전력공사 Active security sensing device and method for intrusion detection and audit of digital substation
WO2014090025A1 (en) * 2012-12-11 2014-06-19 国网上海市电力公司 On-line and off-line integrated analysis and testing method for smart substation
CN110401624A (en) * 2018-04-25 2019-11-01 全球能源互联网研究院有限公司 The detection method and system of source net G system mutual message exception
WO2021063068A1 (en) * 2019-09-30 2021-04-08 全球能源互联网研究院有限公司 Operation and maintenance control and operation and maintenance analysis method and apparatus, system, and storage medium
CN113420099A (en) * 2021-07-06 2021-09-21 广州方硅信息技术有限公司 Buried point data access control method and device, computer equipment and storage medium

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115278684A (en) * 2022-07-26 2022-11-01 上海欣诺通信技术股份有限公司 5G signaling attack monitoring method and device based on DPI technology
CN115278684B (en) * 2022-07-26 2024-02-13 上海欣诺通信技术股份有限公司 5G signaling attack monitoring method and device based on DPI technology
CN117118709A (en) * 2023-08-25 2023-11-24 国网山东省电力公司泰安供电公司 Abnormal flow early warning method, system, equipment and medium for electric power system
CN117978551A (en) * 2024-03-29 2024-05-03 南京鼎研电力科技有限公司 Interaction abnormal behavior analysis method for transformer substation monitoring network
CN117978551B (en) * 2024-03-29 2024-06-04 南京鼎研电力科技有限公司 Interaction abnormal behavior analysis method for transformer substation monitoring network


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant