CN114493339A - Power grid information safety early warning system based on data feature extraction - Google Patents
- Publication number: CN114493339A (application CN202210139033.9A)
- Authority: CN (China)
- Prior art keywords: early warning, data, information, model, analysis
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- G06Q10/063114: Status monitoring or status determination for a person or group (under G06Q10/06311 Scheduling, planning or task assignment for a person or group; G06Q10/0631 Resource planning, allocation, distributing or scheduling for enterprises or organisations; G06Q10/063 Operations research, analysis or management; G06Q10/06 Resources, workflows, human or project management; G06Q10/00 Administration, management)
- G06F16/252: Integrating or interfacing systems involving database management systems, between a Database Management System and a front-end application (under G06F16/25; G06F16/20 Information retrieval of structured data, e.g. relational data; G06F16/00 Information retrieval, database structures, file system structures)
- G06Q10/0635: Risk analysis of enterprise or organisation activities (under G06Q10/063; G06Q10/06; G06Q10/00)
- G06Q50/06: Energy or water supply (under G06Q50/00 ICT specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism)
Abstract
The invention discloses a power grid information safety early warning system based on data feature extraction. The system comprises a big data acquisition layer, an attack information feature extraction and storage layer, a data analysis layer and a decision layer. The big data acquisition layer acquires infrastructure operation data, information system operation data and information network operation data in real time, and acquires internal and external data synchronously. The attack information feature extraction and storage layer extracts the operational features of current power grid attack information and records the extracted attack features. The data analysis layer integrates, computes and analyses the collected data efficiently. The decision layer issues timely early warnings of information network risk. The invention achieves comprehensive perception of the operating situation of the power information network, real-time early warning of operational risks and timely disposal of early warning events.
Description
Technical Field
The invention relates to the field of power system safety, in particular to a power grid information safety early warning system based on data feature extraction.
Background
At present, new technologies such as the Internet of Things, cloud computing and big data are changing day by day, the "Web 6.0" era has arrived, new concepts such as the smart planet, "Internet+" and self-media keep appearing, and information networks have achieved full coverage, full popularisation and full application across industries and fields. The new development and application of information networks bring their own problems: the volume of data grows rapidly, data types become more complex, data sources become more diverse, and virus and attack events become better hidden. To respond to security attacks in a big data environment in time, effectively contain the various network attacks and genuinely stay a step ahead of the attacker (as the proverb has it, "as the devil rises a foot, the Way rises ten"), network security situation awareness technology for the big data environment urgently needs research. It should exploit the mass storage, parallel computation and efficient query capabilities of big data technology, break through the bottlenecks of traditional situation awareness models (heavy equipment constraints, poor data fusion capability, weak data mining), construct a big-data-oriented network security situation awareness model, and establish a security protection framework matched to the big data environment. Such a framework provides efficient acquisition of multi-source data, high-speed fusion of mass data, intelligent and effective analysis models, accurate and reliable data mining, rich situation display and reasonable emergency response decisions, and meets the application requirements of the development of information technology in departments across all fields.
Network and information security directly affects the safe production and normal business operation of the company's power grid. The company faces an increasingly severe internal and external information security situation, urgently needs to raise its level of "intrinsic security" and must open a new phase of security assurance. As the company's level of informatisation keeps rising, higher standards and requirements are set for the power information network. The company needs to replace the passive management mode of alarming and emergency repair after a fault has occurred with an active management mode for the power information network that performs risk early warning and intelligent operation and maintenance before the fault occurs. This improves the ability of the power information network to cope with security risks and contributes to the construction of the smart grid and, beyond it, the Global Energy Internet.
Disclosure of Invention
In order to solve the problems, the invention provides a power grid information safety early warning system based on data feature extraction.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
A power grid information safety early warning system based on data feature extraction comprises a big data acquisition layer, a data analysis layer and a decision layer, where:
the big data acquisition layer acquires infrastructure operation data, information system operation data and information network operation data in real time and synchronously acquires internal data and external data;
the data analysis layer is used for realizing efficient integration, calculation and analysis of collected data;
and the decision layer is used for realizing the timely early warning of the information network risk.
Optionally, the data analysis layer includes an integration module, a calculation module and an analysis module. The integration module integrates the data of the big data acquisition layer, that is, it performs data extraction, data conversion and data cleaning; the calculation module performs batch processing and stream processing on the integrated data; and the analysis module analyses the computed data.
Optionally, the analysis module includes an analysis library module and an early warning model. The analysis library module provides the analysis models, and the early warning model performs active risk early warning management of the power information according to those models. The analysis library module includes a state early warning model, a threshold early warning model, a fast-change early warning model, an evaluation early warning model and a hierarchical early warning model.
Optionally, the early warning model includes a basic framework evaluation model, a real-time reliability model and a historical operation evaluation model. The basic framework evaluation model obtains the information network topology through topology discovery, evaluates the importance of every piece of infrastructure in that topology and collects the infrastructure's monitoring indices. The real-time reliability model monitors the real-time indices of the main pages of each information system, namely whether a page responds and its response time. The historical operation evaluation model is based on the historical operating condition of the information system, namely the historical alarm count and historical alarm levels.
Optionally, the state early warning model covers hardware, software, basic supporting resources and virtual resources; it probes all information resources once per interval and determines the state of each resource.
Optionally, the threshold early warning model makes the early warning threshold decision with an algorithm in which T0max and T0min are the initial values of the upper and lower thresholds, t is the current date, h is the current hour, m is the number of days and n is the number of hours. Under this algorithm the index threshold T of an information resource lies between the upper threshold Tmax and the lower threshold Tmin.
Optionally, the fast-change early warning model warns of abnormal sudden changes. Its first algorithm uses Si, the load of the i-th device, and alpha, a fast-change threshold configured by the user; its second algorithm uses Rmax and Rmin, the maximum and minimum of the historical operating data after data cleaning, A, the average of the historical data, and L, the reasonable operating range of the index.
Optionally, the evaluation early warning model evaluates the infrastructure. Starting from a user-defined initial score S0, the final evaluation score S of an information resource is obtained from the numbers m/n/p of information network events at each level, the weight alpha and the deduction value f, and risk early warning is performed according to that score.
Optionally, the hierarchical early warning model is used to divide the early warning event into an index level, an infrastructure level and an information network level.
Optionally, the decision layer includes a resource management module, a risk early warning module, and a decision analysis module.
Compared with the prior art, the invention has the technical progress that:
the power grid information safety early warning system based on data feature extraction realizes comprehensive perception of the operation situation of the power information network, real-time early warning of operation risks and timely disposal of early warning events. The security situation of the network is evaluated in real time through all available information, a basis is provided for decision analysis of a network security administrator, and risks and losses caused by unsafe factors are reduced to the minimum. The model has important significance in the aspects of improving the monitoring capability and the emergency response capability of the network, predicting the development trend of network safety and the like, provides powerful guarantee for the information safety of systems such as electric power, communication and the like, and has good application effect.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
In the drawings:
FIG. 1 is a schematic structural diagram of the present invention.
Detailed Description
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
As shown in fig. 1, the invention discloses a power grid information security early warning system based on data feature extraction, which comprises a big data acquisition layer, an attack information feature extraction and storage layer, a data analysis layer and a decision layer.
The big data acquisition layer acquires infrastructure operation data, information system operation data and information network operation data in real time, and acquires internal and external data synchronously. The internal data comprise reputation information and attack information: reputation information covers Uniform Resource Locators (URLs), Internet Protocol (IP) addresses and domain names, and attack information covers the attack source, the attack tool and the vulnerability. Internal data collection is mainly about monitoring internal abnormal behaviour, because damage caused by internal abnormal behaviour is the main cause of security incidents: when an external attacker launches an APT attack, some links in the chain can reach sensitive data only by moving inside the network, which is how theft or sabotage is achieved. Sources of threat inside an enterprise include malicious insiders (possibly ones preparing to leave), slow long-term information leakage by insiders, and the like; internal attacks may also be initiated by partners or third parties holding internal access rights. By formulating different scenarios, obtaining samples, building a model of normal behaviour, and analysing internal network traffic or behaviour on terminals and servers, anomalies can be discovered as early as possible. An internal scenario is essentially an access-behaviour scenario from a "subject" to an "object", where the subject is a person or an application and the object is an application or data.
A scenario contains the 5W factors (Who, When, Where, What, How). Common abnormal scenarios are: abnormal login behaviour, including logins at abnormal times and frequent login failures; and business violation behaviour, including high-frequency business access and business detour (bypassing the normal business flow).
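As an added example (not code from the patent), the following Python implements the four abnormal scenarios listed above as simple rules over 5W-style access events: login outside working hours, a burst of failed logins, high-frequency access, and a business detour. The event records, the working-hours window, the failure and rate thresholds, and the detour rule (that `scada-portal/approve` requires an earlier `scada-portal/submit` by the same subject) are all constructed for the example.

```python
"""Rule-based detection of the internal subject-to-object anomaly scenarios:
abnormal-time login, frequent login failure, high-frequency access, service detour.
Added example; event data and thresholds below are constructed/assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed 5W events: (who, when, where = source IP, what = object, how = action/outcome)
SAMPLE_EVENTS = [
    ("alice", "2024-03-01 09:05:00", "10.1.1.5", "scada-portal", "login:ok"),
    # approve without an earlier submit: bypasses the normal business flow
    ("alice", "2024-03-01 09:06:00", "10.1.1.5", "scada-portal/approve", "access"),
    ("bob",   "2024-03-01 03:12:00", "10.1.1.9", "scada-portal", "login:ok"),  # outside working hours
]
# carol: six failed logins ten seconds apart
SAMPLE_EVENTS += [("carol", f"2024-03-01 10:00:{10 * i:02d}", "10.1.2.3", "scada-portal", "login:fail")
                  for i in range(6)]
# dave: 25 status requests two seconds apart
SAMPLE_EVENTS += [("dave", f"2024-03-01 11:00:{2 * i:02d}", "10.1.3.7", "scada-portal/status", "access")
                  for i in range(25)]

# Assumed policy: object -> object that the same subject must have accessed earlier
DETOUR_RULES = {"scada-portal/approve": "scada-portal/submit"}


def detect(events, work_hours=(7, 20), fail_limit=5, fail_window=timedelta(minutes=5),
           rate_limit=20, rate_window=timedelta(minutes=1), detour_rules=DETOUR_RULES):
    """Return a list of (rule, who, when) alerts. Each rule fires once when its
    condition is first met, so a burst does not produce one alert per event."""
    parsed = [(who, datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), where, what, how)
              for who, when, where, what, how in events]
    fails = defaultdict(deque)      # (who, where) -> timestamps of recent failures
    accesses = defaultdict(deque)   # who -> timestamps of recent accesses
    seen = defaultdict(set)         # who -> objects already accessed (for the detour check)
    alerts = []
    for who, when, where, what, how in sorted(parsed, key=lambda e: e[1]):
        stamp = when.strftime("%Y-%m-%d %H:%M:%S")
        if how.startswith("login"):
            # abnormal time: any login attempt outside the working-hours window
            if not (work_hours[0] <= when.hour < work_hours[1]):
                alerts.append(("abnormal_time_login", who, stamp))
            if how == "login:fail":
                window = fails[(who, where)]
                window.append(when)
                while when - window[0] > fail_window:   # drop failures outside the sliding window
                    window.popleft()
                if len(window) == fail_limit:
                    alerts.append(("frequent_login_failure", who, stamp))
        elif how == "access":
            window = accesses[who]
            window.append(when)
            while when - window[0] > rate_window:
                window.popleft()
            if len(window) == rate_limit:
                alerts.append(("high_frequency_access", who, stamp))
            prerequisite = detour_rules.get(what)
            if prerequisite and prerequisite not in seen[who]:
                alerts.append(("service_detour", who, stamp))
            seen[who].add(what)
    return alerts


if __name__ == "__main__":
    for rule, who, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule:24s} {who}")
```

The sliding windows are keyed per subject (and per source address for failures), so one noisy account cannot mask another; a real deployment would feed the rules from authentication and application logs and replace the fixed working-hours window with the per-subject baseline the text describes.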
The external data concern external attacks. They are obtained mainly as threat intelligence: a professional security analysis team analyses it comprehensively, forms a disposal decision, and executes that decision through network security devices or security software on terminals, which achieves prevention of advanced attacks; the whole process can be carried out automatically by the devices. Threat intelligence generally includes reputation intelligence ("bad" URLs, IP addresses, domain names and so on) and attack intelligence (attack source, attack tool, exploited vulnerability, method used and so on). Security early warning announcements, vulnerability announcements, threat announcements and the like, generally available from security service vendors, CERTs, antivirus vendors, government agencies and security organisations, are all typical security threat intelligence.
The attack information characteristic extraction storage layer is used for extracting the operation characteristics of the current power grid attack information and realizing the extraction and recording of attack characteristic information;
the data analysis layer is used for realizing efficient integration, calculation and analysis of the acquired data;
and the decision layer is used for realizing the timely early warning of the information network risk.
Specifically, on the basis of the power grid attack information held by the power grid big data storage module, the attack information feature extraction and storage layer determines key sections by combining the topology, operating state and historical data of the current power system, and comprehensively extracts the attack feature information of the current power grid using a method that combines main features, auxiliary features and numerical features. The attack feature information covers SNMP, RPC, FTP, HTTP, TELNET and DNS threats.
After obtaining the attack information features, the attack information feature extraction and storage layer stores them itself; if the same attack features are encountered again they can be matched quickly, and an early warning is then issued quickly.
The data analysis layer comprises an integration module, a calculation module and an analysis module, wherein the integration module is used for integrating data of the big data acquisition layer, namely performing data extraction, data conversion and data cleaning, the calculation module is used for processing batch data processing and streaming data processing on the integrated data, and the analysis module is used for analyzing the calculated data.
The analysis module comprises an analysis base module and an early warning model, the analysis base module is used for providing an analysis model, the early warning model realizes active risk early warning management of electric power information according to the analysis model, and the analysis base module comprises a state early warning model, a threshold early warning model, a quick change early warning model, an evaluation early warning model and a grading early warning model.
The early warning model includes a basic framework evaluation model, a real-time reliability model and a historical operation evaluation model. The basic framework evaluation model obtains the information network topology through topology discovery, evaluates the importance of every piece of infrastructure in the topology and collects the infrastructure's monitoring indices. The infrastructure includes host devices, network devices, security devices, storage devices, databases, middleware and the like.
The real-time reliability model is based on the real-time monitoring indices of the main pages of an information system, namely whether a page responds and its response time, and from these an information system real-time reliability evaluation model is designed. The reliability evaluation of an information system is based on the results of the active probing system, which probes each information system and each of its main pages once every 5 minutes; the returned result is whether the target page responds and the page response time of the target system.
The historical operation evaluation model is based on the historical operating condition of the information system, namely the historical alarm count and historical alarm levels.
The state early warning model covers hardware, software, basic supporting resources, virtual resources and the like, which are the basic components of the power information network. All information resources are probed once per interval (generally 30 s to 5 min), and the state of each resource is decided by whether it responds. There are three main states:
1) Normal state: the information resource responds to every probe.
2) Disconnected state: no response to 3 consecutive probes; an alarm must be raised promptly.
3) Unstable state: between the normal and the disconnected state, that is, the resource has failed to respond to several probes but has not reached the disconnected state; a risk early warning is required.
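The three-state rule above, written out as an added Python example (not the patent's code): each probe cycle records whether a resource answered, three consecutive misses make it disconnected (alarm), a clean window is normal, and anything in between is unstable (risk early warning). The probe is simulated with a constructed response table instead of a real ICMP, TCP or SNMP probe, and the 10-probe history window, the initial "normal" state and the 60 s interval are assumptions of the example.

```python
"""State early-warning model: probe results are classified into normal, unstable and
disconnected states. Added example; the probe is simulated by a constructed table of
responses, and the history window / probe interval are assumptions."""
from collections import deque
from enum import Enum


class State(Enum):
    NORMAL = "normal"              # responded to every probe in the window
    UNSTABLE = "unstable"          # some misses, but fewer than DISCONNECT_AFTER in a row
    DISCONNECTED = "disconnected"  # DISCONNECT_AFTER consecutive misses


PROBE_INTERVAL_S = 60     # assumed, inside the 30 s to 5 min range given in the text
DISCONNECT_AFTER = 3      # consecutive misses that mean "disconnected"
HISTORY_WINDOW = 10       # assumed number of past probes considered for "unstable"


class ResourceMonitor:
    def __init__(self, name):
        self.name = name
        self.results = deque(maxlen=HISTORY_WINDOW)   # empty window counts as normal
        self.consecutive_misses = 0

    def record(self, responded):
        """Feed one probe result and return the resulting state."""
        self.results.append(responded)
        self.consecutive_misses = 0 if responded else self.consecutive_misses + 1
        return self.state()

    def state(self):
        if self.consecutive_misses >= DISCONNECT_AFTER:
            return State.DISCONNECTED
        if all(self.results):
            return State.NORMAL
        return State.UNSTABLE


def run_probes(responses_by_resource):
    """responses_by_resource: name -> list of per-cycle probe outcomes (True = responded).
    Returns (final state per resource, list of (name, cycle, new_state) transitions).
    A transition to DISCONNECTED is the alarm; one to UNSTABLE is the risk early warning."""
    monitors = {name: ResourceMonitor(name) for name in responses_by_resource}
    transitions = []
    cycles = max(len(r) for r in responses_by_resource.values())
    for cycle in range(1, cycles + 1):          # one pass = one probe interval
        for name, responses in responses_by_resource.items():
            if cycle > len(responses):
                continue
            mon = monitors[name]
            before = mon.state()
            after = mon.record(responses[cycle - 1])
            if after != before:
                transitions.append((name, cycle, after))
    return {name: mon.state() for name, mon in monitors.items()}, transitions


# Constructed probe outcomes for three resources over six cycles
SAMPLE_PROBES = {
    "fw-01": [True, True, True, True, True, True],
    "db-02": [True, True, False, False, False, True],   # three misses in a row, then recovers
    "sw-03": [True, False, True, False, True, True],    # intermittent misses
}

if __name__ == "__main__":
    final, transitions = run_probes(SAMPLE_PROBES)
    for name, cycle, state in transitions:
        kind = "ALARM" if state is State.DISCONNECTED else "risk early warning"
        print(f"cycle {cycle}: {name} -> {state.value} ({kind})")
    print(final)
```

Note that a resource that comes back after an outage drops to "unstable" rather than straight to "normal", because the misses stay in its window until they age out; that matches the text's intent that recovery is only trusted after a run of clean probes.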
Among them, the hardware may include: PC server, blade server, minicomputer, industrial personal computer, dedicated server, disk array, tape library, optical disc library, router, switch, load balancer, hub, wireless access device, protocol converter, storage fibre switch, network circuit, data transfer channel interface, firewall, anti-virus gateway device, intrusion monitoring device, intrusion prevention device, traffic monitoring device, vulnerability scanning device, VPN device, network isolation device, other security device, desktop, handheld terminal, notebook, workstation, tablet, dedicated terminal, cloud terminal, printer, digital plotter, copier, fax machine, photocopy machine, scanner, projector, screen device, display, mouse, keyboard, speakers, mobile storage, other external device, memory, CPU, disk, network card, HBA card, USB flash drive, UPS battery, ports, logical CPUs, file systems, installed software, critical processes, storage volumes, physical VLANs, links, routing, etc.
The software may include: business systems, databases, operating systems, middleware, cluster software, storage backup software, operation and maintenance management software, tool software, office automation software, mail server software, Web server software, FTP server software, other base software, database replication software, and the like.
The base support resource may include:
VLAN, IP, domain name, firewall strategy, power load, load balancing strategy, account number authority, cabinet space, machine room space, distribution frame port, machine room, material warehouse, office space and the like.
The virtual resources may include: resource group, resource pool, virtual host.
The threshold early warning model decides the early warning threshold. Traditionally the operating threshold of an information resource is set manually, either by a unified standard or by operation and maintenance staff from experience: if the probed index is within the threshold range the information resource is considered normal, otherwise the monitored object is considered to meet the early warning condition and an early warning event is generated. As the information network expands dynamically, a manually set fixed threshold very easily drifts out of line with the actual situation, causing false early warnings and missed early warnings. The threshold early warning method here is based on big data technology: it obtains the normal operating range of an information resource index by effective analysis of historical data and sets the threshold adaptively according to the analysis result, using an algorithm in which T0max and T0min are the initial values of the upper and lower thresholds, t is the current date, h is the current hour, m is the number of days and n is the number of hours. Under this algorithm the index threshold T of an information resource lies between the upper threshold Tmax and the lower threshold Tmin. The upper and lower thresholds are calculated from the manually set initial threshold and the recent operating data of the information resource, so that they stay consistent with the actual situation. At the same time, information network management staff can adjust the threshold of an information resource index through the weight K to make up for deficiencies of the system.
The quick change early warning model is used for early warning abnormal sudden changes, and some information network faults can cause abnormal sudden changes of information resource indexes, but the sudden changes are within a normal threshold range, and conventional early warning means are difficult to identify. The quick change early warning comprises 2 modes of transverse early warning and longitudinal early warning, and early warning is carried out by identifying abnormal mutation of information resource indexes. The transverse early warning refers to early warning formed by comparing with similar information resources, and if the index difference between a certain information resource and other information resources in the same environment is too large, early warning is needed. The specific algorithm is as follows:
wherein S isiRepresenting the load of the ith equipment, and alpha is a fast-changing threshold value configured by a user; the algorithm judges whether the equipment needs to be pre-warned or not by calculating the difference between the load of certain equipment and the average value of the load of the whole cluster.
Longitudinal early warning compares a resource with its own historical data. It mines and analyses the historical data mainly with big data statistical analysis techniques and feeds the result into the information network risk early warning model. The historical operating data of the index are first cleaned to remove abnormal values; the cleaned data are then analysed statistically and their maximum, minimum and average values are determined, which fixes the reasonable operating range of the index. The longitudinal early warning algorithm is as follows:
where $R_{\max}$ and $R_{\min}$ are the maximum and minimum values of the historical operating data after data cleaning, $A$ is the average of the historical data and $L$ denotes the reasonable operating range of the index.
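The three checks described above (adaptive threshold, transverse comparison against the cluster average, longitudinal comparison against cleaned history), written out as an added Python example. This is not code from the patent, and the page does not reproduce the patent's formulas, so each rule below is a stated assumption that follows only the prose: the adaptive threshold blends the manual initial thresholds T0min/T0max with the observed range over the last m days at hours h-n..h+n, using K as the blend weight; the transverse check flags a device whose load differs from the cluster mean by more than alpha; the longitudinal range L is taken as [Rmin, Rmax] after removing abnormal values with a 1.5*IQR rule (the page does not say how abnormal values are removed). All sample data are constructed.

```python
"""Added example: threshold, transverse and longitudinal checks of the early
warning models. Not the patent's code; every rule here is an assumption
because the page does not reproduce the patent's formulas."""
from statistics import mean, quantiles
from typing import Dict, List, Sequence, Tuple


def adaptive_threshold(history: Sequence[Sequence[float]], t: int, h: int,
                       m: int, n: int, t0min: float, t0max: float,
                       k: float = 0.5) -> Tuple[float, float]:
    """Assumed rule: blend the manual initial thresholds (T0min, T0max) with
    the observed range of the last m days at hours h-n..h+n.

    history[day][hour] holds one sample per hour; day t is 'today' and is not
    part of the window. K=0 keeps the manual thresholds, K=1 trusts only the
    recent data (reading K as a blend weight is an assumption)."""
    if not 0.0 <= k <= 1.0:
        raise ValueError("K must lie in [0, 1]")
    window = [history[day][hour]
              for day in range(max(0, t - m), t)
              for hour in range(max(0, h - n), min(24, h + n + 1))]
    if not window:                      # no recent data: keep manual values
        return t0min, t0max
    tmin = (1 - k) * t0min + k * min(window)
    tmax = (1 - k) * t0max + k * max(window)
    return min(tmin, tmax), max(tmin, tmax)


def threshold_alert(value: float, tmin: float, tmax: float) -> bool:
    """Early warning condition: the index leaves [Tmin, Tmax]."""
    return not tmin <= value <= tmax


def transverse_alerts(loads: Dict[str, float], alpha: float) -> List[str]:
    """Flag every device whose load S_i differs from the cluster average by
    more than the user-configured fast-change threshold alpha."""
    if not loads:
        return []
    avg = mean(loads.values())
    return sorted(dev for dev, s in loads.items() if abs(s - avg) > alpha)


def clean_history(values: Sequence[float]) -> List[float]:
    """Remove abnormal values. The page only says outliers are removed;
    the 1.5*IQR rule used here is an assumption."""
    if len(values) < 4:
        return sorted(values)
    q1, _, q3 = quantiles(values, n=4)
    lo, hi = q1 - 1.5 * (q3 - q1), q3 + 1.5 * (q3 - q1)
    return sorted(v for v in values if lo <= v <= hi)


def longitudinal_range(values: Sequence[float]) -> Tuple[float, float, float]:
    """Return (Rmin, Rmax, A) of the cleaned history; the reasonable range L
    is taken as [Rmin, Rmax] (assumption)."""
    cleaned = clean_history(values)
    if not cleaned:
        raise ValueError("no history left after cleaning")
    return min(cleaned), max(cleaned), mean(cleaned)


def longitudinal_alert(value: float, rmin: float, rmax: float) -> bool:
    """Early warning condition: the index leaves its historical range L."""
    return not rmin <= value <= rmax


# Constructed sample data: 7 days x 24 hourly CPU% samples for one server.
CPU_HISTORY = [[40.0 + 2.0 * (hour % 6) + day for hour in range(24)]
               for day in range(7)]
# Constructed cluster snapshot: four database nodes, one of them overloaded.
CLUSTER_LOADS = {"db-01": 55.0, "db-02": 58.0, "db-03": 52.0, "db-04": 91.0}
# Constructed link-utilisation history containing one bad sample (99).
LINK_UTIL = [48, 50, 52, 49, 51, 50, 53, 47, 50, 52, 99, 51]

if __name__ == "__main__":
    tmin, tmax = adaptive_threshold(CPU_HISTORY, t=7, h=12, m=7, n=2,
                                    t0min=20.0, t0max=80.0, k=0.5)
    print("adaptive thresholds:", tmin, tmax, threshold_alert(70.0, tmin, tmax))
    print("transverse alerts:", transverse_alerts(CLUSTER_LOADS, alpha=20.0))
    rmin, rmax, avg = longitudinal_range(LINK_UTIL)
    print("longitudinal range:", rmin, rmax, round(avg, 2),
          longitudinal_alert(60.0, rmin, rmax))
```

Two caveats a practitioner would check before relying on such rules: the transverse check uses the arithmetic mean, so a single badly overloaded node also drags the average and can mask a second, smaller deviation (a median baseline is more robust); and with K close to 1 the adaptive band collapses onto whatever the last m days happened to contain, so a slow drift or a quiet week narrows the band and produces false alarms on the first normal peak.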
The evaluation early warning model evaluates infrastructure. Infrastructure evaluation is built on index evaluation; analysing the topology of the information network on top of infrastructure evaluation yields the evaluation of the network's infrastructure as a whole; active probing indexes, namely whether a system page responds and how long the response takes, give the reliability evaluation of the information system; and infrastructure evaluation together with reliability evaluation gives the risk evaluation and early warning of the information network. The evaluation early warning algorithm is as follows:
Starting from a user-defined initial score $S_0$, the final evaluation score $S$ of the information resource is obtained from the numbers $m/n/p$ of information network events at each level, their weights $\alpha$ and deduction values $f$; risk early warning is then issued according to the score.
The hierarchical early warning model divides early warning events into an index level, an infrastructure level and an information network level. Index-level events are the most basic. If several indexes of one infrastructure element raise early warnings, the related events are merged into one infrastructure-level early warning event; if a core node of the information network, or several ordinary nodes, raise early warnings, the related events are merged into one information network-level early warning event. This grading helps managers identify the importance of different early warning events and handle them effectively.
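The evaluation score and the hierarchical merging described above, as an added Python example (not code from the patent). The page does not give the evaluation formula, so the deduction rule used here, S = S0 minus the sum over levels of (event count x weight alpha x deduction f), floored at zero, is an assumption, as is counting m as index-level alerts, n as infrastructure-level events and p as network-level events after merging. Merging follows the prose: an infrastructure element with two or more alerting indexes forms one infrastructure-level event; an alerting core node, or two or more alerting ordinary nodes, form one information network-level event. The core-node set, weights, deduction values, warning threshold and alert samples are all constructed.

```python
"""Added example: evaluation score and hierarchical merging of early warning
events. Not the patent's code; the scoring formula is an assumption because
the page does not reproduce it."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

LEVELS = ("index", "infrastructure", "network")


@dataclass(frozen=True)
class IndexAlert:
    """Most basic event: one monitored index of one node left its range."""
    node: str
    index: str


def merge_alerts(alerts: Iterable[IndexAlert], core_nodes: Set[str]) -> Dict[str, list]:
    """Group index-level alerts into infrastructure- and network-level events.

    - infrastructure level: a node with >= 2 alerting indexes (assumption:
      'a plurality' read as two or more)
    - network level: any alerting core node, or >= 2 alerting ordinary nodes;
      all related nodes are merged into ONE network-level event."""
    alerts = list(alerts)
    by_node: Dict[str, List[IndexAlert]] = defaultdict(list)
    for a in alerts:
        by_node[a.node].append(a)
    infra_events = [{"node": node, "indexes": sorted(a.index for a in lst)}
                    for node, lst in sorted(by_node.items()) if len(lst) >= 2]
    core_hit = sorted(n for n in by_node if n in core_nodes)
    common_hit = sorted(n for n in by_node if n not in core_nodes)
    network_events = []
    if core_hit or len(common_hit) >= 2:
        network_events.append({"core_nodes": core_hit, "common_nodes": common_hit})
    return {"index": alerts, "infrastructure": infra_events, "network": network_events}


def event_counts(events: Dict[str, list]) -> Dict[str, int]:
    """m/n/p of the evaluation formula: events per level after merging."""
    return {level: len(events[level]) for level in LEVELS}


def evaluation_score(s0: float, counts: Dict[str, int],
                     alpha: Dict[str, float], f: Dict[str, float]) -> float:
    """Assumed deduction rule: S = S0 - sum(count * alpha * f) over levels,
    floored at 0 so a flood of alerts cannot push the score negative."""
    deduction = sum(counts[lv] * alpha[lv] * f[lv] for lv in LEVELS)
    return max(0.0, s0 - deduction)


def risk_warning(score: float, threshold: float = 60.0) -> bool:
    """Raise a risk early warning when the score falls below the threshold
    (the threshold value is a constructed example setting)."""
    return score < threshold


# Constructed configuration; weights and deductions are not from the patent.
ALPHA = {"index": 1.0, "infrastructure": 1.5, "network": 2.0}
DEDUCTION = {"index": 2.0, "infrastructure": 5.0, "network": 10.0}
CORE_NODES = {"fw-core-01", "scada-gw-01"}

# Constructed index-level alerts from one monitoring cycle.
SAMPLE_ALERTS = [
    IndexAlert("fw-core-01", "cpu"), IndexAlert("fw-core-01", "memory"),
    IndexAlert("web-03", "latency"),
    IndexAlert("web-05", "cpu"), IndexAlert("web-05", "disk"),
    IndexAlert("db-02", "connections"),
]


def assess(alerts: Iterable[IndexAlert], core_nodes: Set[str],
           s0: float = 100.0) -> Dict[str, object]:
    """Run merging, counting and scoring for one monitoring cycle."""
    events = merge_alerts(alerts, core_nodes)
    counts = event_counts(events)
    score = evaluation_score(s0, counts, ALPHA, DEDUCTION)
    return {"counts": counts, "score": score,
            "warning": risk_warning(score), "events": events}


if __name__ == "__main__":
    result = assess(SAMPLE_ALERTS, CORE_NODES)
    print(result["counts"], result["score"], result["warning"])
```

In the constructed sample the two alerting indexes on the core firewall and the two on web-05 each collapse into one infrastructure-level event, and the alerting core node forces a single network-level event, so six raw alerts become 6/2/1 at the three levels and the score drops from 100 to 53, below the example warning line. Whether merged index alerts should still be counted at the index level is a design decision the page leaves open; the code states its choice rather than hiding it.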
In summary, the power grid information safety early warning system based on data feature extraction achieves comprehensive perception of the operating situation of the power information network, real-time early warning of operating risks and timely handling of early warning events. The security situation of the network is evaluated in real time from all available information, providing a basis for the decision analysis of network security administrators and reducing the risks and losses caused by insecure factors to a minimum. The model is significant for improving the monitoring and emergency response capability of the network and for predicting the development trend of network security; it provides a strong guarantee for the information security of power, communication and similar systems and has good application effect.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described above, or equivalents may be substituted for elements thereof. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.
Claims (10)
1. A power grid information safety early warning system based on data feature extraction, characterized in that it comprises: a big data acquisition layer, an attack information feature extraction storage layer, a data analysis layer and a decision layer;
the big data acquisition layer acquires infrastructure operation data, information system operation data and information network operation data in real time and synchronously acquires internal data and external data;
the attack information characteristic extraction storage layer is used for extracting the operation characteristics of the current power grid attack information and realizing the extraction and recording of attack characteristic information;
the data analysis layer is used for realizing efficient integration, calculation and analysis of collected data;
and the decision layer is used for realizing the timely early warning of the information network risk.
2. The power grid information safety early warning system based on data feature extraction as claimed in claim 1, wherein: the data analysis layer comprises an integration module, a calculation module and an analysis module; the integration module integrates the data of the big data acquisition layer, namely performs data extraction, data conversion and data cleaning; the calculation module performs batch processing and stream processing on the integrated data; and the analysis module analyses the calculated data.
3. The power grid information safety early warning system based on data feature extraction as claimed in claim 2, wherein: the analysis module comprises an analysis base module and an early warning model, the analysis base module is used for providing an analysis model, the early warning model realizes active risk early warning management of electric power information according to the analysis model, and the analysis base module comprises a state early warning model, a threshold early warning model, a quick change early warning model, an evaluation early warning model and a grading early warning model.
4. The power grid information safety early warning system based on data feature extraction as claimed in claim 3, wherein: the early warning model comprises a basic framework evaluation model, a real-time reliability model and a historical operation evaluation model; the basic framework evaluation model obtains the information network topology through topology discovery, then evaluates the importance of all infrastructure in the topology and acquires the monitoring indexes of the infrastructure; the real-time reliability model monitors the real-time indexes of the main page of the information system, namely page response and response duration; the historical operation evaluation model is based on the historical operating condition of the information system and evaluates the historical alarm count and historical alarm level.
5. The power grid information safety early warning system based on data feature extraction as claimed in claim 3, wherein: the state early warning model covers hardware, software, basic supporting resources and virtual resources; it probes all information resources once every set period and judges their state.
6. The power grid information safety early warning system based on data feature extraction as claimed in claim 3, wherein: the threshold early warning model is used for judging an early warning threshold, and the algorithm is as follows:
$T \in [T_{\min}, T_{\max}]$
where $T_{0\max}$ and $T_{0\min}$ are the initial values of the upper and lower thresholds respectively, $t$ is the current date, $h$ is the current hour, $m$ is the number of days and $n$ is the number of hours. According to this algorithm, the index threshold $T$ of the information resource lies between the upper threshold $T_{\max}$ and the lower threshold $T_{\min}$.
7. The power grid information safety early warning system based on data feature extraction as claimed in claim 3, wherein: the quick change early warning model is used for early warning abnormal sudden change, and the algorithm is as follows:
where $S_i$ is the load of the $i$-th device and $\alpha$ is the fast-change threshold configured by the user;
where $R_{\max}$ and $R_{\min}$ are the maximum and minimum values of the historical operating data after data cleaning, $A$ is the average of the historical data and $L$ denotes the reasonable operating range of the index.
8. The power grid information safety early warning system based on data feature extraction as claimed in claim 3, wherein: the evaluation early warning model is used for realizing the evaluation of infrastructure, and the evaluation early warning algorithm is as follows:
Starting from a user-defined initial score $S_0$, the final evaluation score $S$ of the information resource is obtained from the numbers $m/n/p$ of information network events at each level, their weights $\alpha$ and deduction values $f$; risk early warning is then issued according to the score.
9. The power grid information safety early warning system based on data feature extraction as claimed in claim 3, wherein: the hierarchical early warning model is used for dividing early warning events into an index level, an infrastructure level and an information network level.
10. The power grid information safety early warning system based on data feature extraction as claimed in claim 6, wherein: the decision layer comprises a resource management module, a risk early warning module and a decision analysis module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210139033.9A CN114493339A (en) | 2022-02-15 | 2022-02-15 | Power grid information safety early warning system based on data feature extraction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114493339A (en) | 2022-05-13 |
Family
ID=81481358
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210139033.9A Pending CN114493339A (en) | 2022-02-15 | 2022-02-15 | Power grid information safety early warning system based on data feature extraction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114493339A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115242502A (en) * | 2022-07-21 | 2022-10-25 | 广东电网有限责任公司 | Power system network security risk evaluation method, device, equipment and medium |
CN115242502B (en) * | 2022-07-21 | 2024-03-08 | 广东电网有限责任公司 | Method, device, equipment and medium for evaluating network security risk of power system |
Similar Documents
Publication | Title |
---|---|
CN114584405B (en) | Electric power terminal safety protection method and system |
CN108429651B (en) | Flow data detection method and device, electronic equipment and computer readable medium |
EP3304823B1 (en) | Method and apparatus for computing cell density based rareness for use in anomaly detection |
CN103685575B (en) | A kind of web portal security monitoring method based on cloud framework |
WO2016195985A1 (en) | Network behavior data collection and analytics for anomaly detection |
Wang et al. | A centralized HIDS framework for private cloud |
KR101761781B1 (en) | Big data processing method for applying integrated management framework for the open source database |
Brahmi et al. | Towards a multiagent-based distributed intrusion detection system using data mining approaches |
CN114553537A (en) | Abnormal flow monitoring method and system for industrial Internet |
CN114493339A (en) | Power grid information safety early warning system based on data feature extraction |
Xue et al. | Prediction of computer network security situation based on association rules mining |
KR102444922B1 (en) | Apparatus of controlling intelligent access for security situation recognition in smart grid |
CN118138310A (en) | Encryption flow identification system based on machine learning |
CN112596984B (en) | Data security situation awareness system in business weak isolation environment |
Wang et al. | Research of electric power information security protection on cloud security |
CN116939589A (en) | Student internet monitoring system based on campus wireless network |
Gong et al. | Multi-agent intrusion detection system using feature selection approach |
CN115622790A (en) | Cloud service safety protection method |
Li et al. | Design and implementation of the campus network monitoring system |
Araújo et al. | Virtualization in intrusion detection systems: a study on different approaches for cloud computing environments |
CN114493338A (en) | Big data-based power information threat context awareness and defense system |
Maasaoui et al. | Network security traffic analysis platform-design and validation |
CN110933066A (en) | Monitoring system and method for illegal access of network terminal to local area network |
Priya et al. | Network Attack Detection using Machine Learning |
Liang et al. | Research and Application of Cybersecurity Situation Awareness for Smart Grid Power Control System |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||