CN114825607A - Attack behavior monitoring method and device for relay protection information processing system - Google Patents

Attack behavior monitoring method and device for relay protection information processing system

Info

Publication number: CN114825607A
Application number: CN202111675512.4A
Authority: CN (China)
Prior art keywords: message, attack, relay protection, value, information processing
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114825607B (en)
Inventors: 刘绚, 王文博, 张博, 宋宇飞, 于宗超
Current assignee: Hunan University
Original assignee: Hunan University
Events: application filed by Hunan University; priority to CN202111675512.4A; publication of CN114825607A; application granted; publication of CN114825607B; legal status: active

Classifications

    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H02J13/00002 Such arrangements characterised by monitoring
    • H02J13/00006 Such arrangements characterised by the information or instruction transport means between the monitoring, controlling or managing units and the monitored, controlled or operated power network element or electrical equipment
    • H02J13/00028 Such transport means involving the use of Internet protocols
    • H02J13/00032 Systems characterised by the controlled or operated power network elements or equipment, the power network elements or equipment not otherwise provided for
    • H02J13/00036 Such systems where the elements or equipment are or involve switches, relays or circuit breakers
    • H02J13/0004 Such switches, relays or circuit breakers involved in a protection system
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Such architectures or protocols for detecting or protecting against malicious traffic
    • H04L63/1408 Such detection or protection by monitoring network traffic
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for monitoring attack behaviour against a relay protection information processing system. Application-layer messages are extracted from traffic captured in real time from the relay protection information processing system and parsed according to the IEC 60870-5-103 protocol. The parsed messages are first checked for clock tampering attacks, then checked for malformed-message attacks against the format requirements of the protocol. Finally, a normal-behaviour model is built for each class of system service, and application-layer attack detection is run on the traffic against that model. This overcomes a shortcoming of existing attack detection for relay protection information processing systems, which concentrates on analysing data at the measurement points of the relay protection devices and lacks attack detection on the application-layer messages in the traffic, and so improves the accuracy of attack detection for such systems.

Figure 202111675512

Description

Method and device for monitoring attack behaviour of a relay protection information processing system

Technical field

The invention relates to the field of power-system information security, in particular to a method and device for monitoring attack behaviour against a relay protection information processing system.

Background

As substation automation and dispatch automation continue to advance, power systems are becoming more digitised and intelligent. The relay protection information processing system, made up of relay protection devices, safety automation devices and fault recorders, has become an important component of the power system. It collects the operation information and running-state information of the relay protection devices in real time and analyses the operation information automatically and in depth, helping dispatchers to quickly judge protection behaviour, locate faults, make decisions and handle incidents. Reliable transmission and correct processing of relay protection information is therefore of great importance to the safe and stable operation of the power system.

The relay protection information processing system transmits information using the IEC 60870-5-103 protocol. Because the protocol itself was designed without authentication, authorization or encryption, the system is exposed to network attacks such as theft, interception and tampering of messages. Existing attack detection methods for relay protection systems concentrate on analysing data at the measurement points of the relay protection devices; they are prone to false positives and false negatives, and they do not detect attacks at the message level against specific relay protection services. A new method for monitoring attack behaviour against relay protection information processing systems is therefore needed, to improve the accuracy of attack detection and strengthen the network security defences of the power system.

Summary of the invention

The technical problem addressed by the invention is to provide, in view of the deficiencies of the prior art, a method and device for monitoring attack behaviour against a relay protection information processing system, which overcomes the inability of existing detection methods to detect attacks at the application layer against relay protection services and improves the security and reliability of the system.

The technical solution adopted to solve this problem is a method for monitoring attack behaviour against a relay protection information processing system, comprising the following steps:

S1. Capture traffic packets of the relay protection information processing system in real time and extract the application-layer message from the current frame.

S2. Parse the application-layer message at field level.

S3. Run clock tampering attack detection on the parsed message: if its clock range, clock logic, clock synchronization or clock delay does not match normal clock characteristics, declare a clock tampering attack; otherwise go to step S4.

S4. Run malformed-message attack detection on the parsed message: if its length field, type identification, cause of transmission or information number does not comply with the protocol, declare a malformed-message attack; otherwise go to step S5.

S5. Run attack detection on the parsed message according to the service it belongs to: if the message does not fit the normal service model, declare a service logic attack; otherwise classify the current frame as normal traffic.

The invention parses the application-layer messages of the traffic (according to IEC 60870-5-103) and subjects the parsed messages to clock tampering detection, malformed-message detection and service logic attack detection. This overcomes the inability of existing detection methods to detect attacks at the application layer against relay protection services and improves the security and reliability of the relay protection information processing system.

In step S3, clock tampering attack detection on the parsed message proceeds as follows:

1) Check whether Y_t ∈ [1970, 2069] holds. If not, declare a clock tampering attack; otherwise go to step 2). Here Y_t is the year of the time tag and y_t is the numeric value of the year byte of the time tag; the relation between them is given in the patent as Figure BDA0003451838800000021.

2) Check whether the condition given as Figure BDA0003451838800000022 holds. If not, declare a clock tampering attack; otherwise go to step 3). Here the symbol of Figure BDA0003451838800000023 is the universal quantifier "for all", P is the application-layer message parsed in step S2, P_DS is the set of IEC 60870-5-103 time synchronization messages, A_g(P) is the value of the high 8 bits of the ASDU address of message P, F stands for the hexadecimal digit 15 and H marks a hexadecimal value.

3) Check whether the condition given as Figure BDA0003451838800000024 holds. If not, declare a clock tampering attack; otherwise go to step 4). Here P_DZ is the set of IEC 60870-5-103 alarm, remote-signalling change and operation event upload messages, T_js(P) is the time at which the substation received the event and T_sj(P) is the time at which the event actually occurred.

4) Check whether the time range of the historical fault information uploaded by the substation matches the time range requested by the master station's call for historical fault information. If the two do not match, declare a clock tampering attack; otherwise go to step 5).

5) Check whether the condition given as Figure BDA0003451838800000025 holds, with P_XC defined as Figure BDA0003451838800000026. If not, declare a clock tampering attack; otherwise go to step S4. Here P_XC is the set of IEC 60870-5-103 master/substation information transfer messages, T_cs(P) is the information transfer time, T_max is the maximum permitted delay, P_1 is the relay protection device operation information transfer message, P_2 the relay protection device analog measurement transfer message, P_3 the relay protection device running state transfer message and P_4 the relay protection device setting value transfer message.

By running clock tampering detection on the traffic of the relay protection information processing system, the invention can identify attacks on clock characteristics such as clock range, clock logic, clock synchronization and clock delay, overcoming the limitation of existing methods, which concentrate on numerical analysis of time tags and cannot detect anomalies in characteristics such as time-tag logic. Clock tampering detection prevents relay protection devices of all kinds from being put out of normal operation by abnormal clocks, and also prevents an attacker from maliciously widening the time range of uploaded information in order to obtain system information illegitimately, improving the system's resistance to non-numerical time-tag tampering attacks.
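As an added example (not code from the patent or its authors), the following Python code implements clock checks 1 to 5 above on fields already parsed out of IEC 60870-5-103 messages. Because the patent's conditions survive on this page only as figure references, the concrete conditions are assumptions: the mapping from the year byte y_t to Y_t, the requirement in check 2 that a time synchronization message carries the broadcast ASDU address FFH, the direction of the inequality in check 3 (an event cannot be received before it occurred), and the value of T_max. The time tags are constructed.

```python
"""Clock tampering checks of step S3, applied to fields already parsed out of
IEC 60870-5-103 messages. Added example: the patent's conditions are figures not
reproduced on this page, so the concrete conditions below are assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta

YEAR_MIN, YEAR_MAX = 1970, 2069        # check 1: Y_t must lie in this window
BROADCAST_ASDU_ADDR = 0xFF             # check 2: assumed A_g(P) of a time-sync message (FFH)
T_MAX = timedelta(seconds=2)           # check 5: assumed maximum transfer delay


def year_from_byte(y_t: int) -> int:
    """Assumed mapping from the 7-bit year byte y_t to the calendar year Y_t:
    70..99 -> 1970..1999 and 0..69 -> 2000..2069; 100..127 land outside the window."""
    y_t &= 0x7F
    return 1900 + y_t if 70 <= y_t <= 99 else 2000 + y_t


def decode_cp56time2a(raw: bytes) -> datetime:
    """Decode a 7-byte CP56Time2a time tag (ms little-endian, minute, hour, day,
    month, year). Raises ValueError when a field is outside its range (check 1)."""
    if len(raw) != 7:
        raise ValueError("CP56Time2a must be 7 bytes")
    ms = raw[0] | (raw[1] << 8)
    year = year_from_byte(raw[6])
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year {year} outside [{YEAR_MIN}, {YEAR_MAX}]")
    return datetime(year, raw[5] & 0x0F, raw[4] & 0x1F, raw[3] & 0x1F,
                    raw[2] & 0x3F, ms // 1000, (ms % 1000) * 1000)


def check_time_sync(asdu_addr: int, time_tag: bytes) -> list[str]:
    """Checks 1 and 2 on a time synchronization message (P in P_DS)."""
    problems = []
    try:
        decode_cp56time2a(time_tag)
    except ValueError as exc:
        problems.append(f"1: clock range: {exc}")
    if asdu_addr != BROADCAST_ASDU_ADDR:
        problems.append(f"2: time sync addressed to {asdu_addr:#04x}, expected FFH")
    return problems


def check_event_clock(occurred: datetime, received: datetime) -> list[str]:
    """Check 3 on an event upload message (P in P_DZ). Assumed relation
    T_js(P) >= T_sj(P): the substation cannot receive an event before it happened."""
    if received < occurred:
        return [f"3: event received at {received} before it occurred at {occurred}"]
    return []


def check_history_window(requested: tuple[datetime, datetime],
                         record_times: list[datetime]) -> list[str]:
    """Check 4: every historical fault record uploaded by the substation must lie
    inside the window the master station asked for."""
    start, end = requested
    outside = [t for t in record_times if not start <= t <= end]
    return [f"4: {len(outside)} record(s) outside {start}..{end}"] if outside else []


def check_transfer_delay(sent: datetime, received: datetime,
                         t_max: timedelta = T_MAX) -> list[str]:
    """Check 5 on a transfer message (P in P_XC = {P_1, P_2, P_3, P_4}): T_cs(P) <= T_max."""
    delay = received - sent
    return [f"5: transfer delay {delay} exceeds T_max {t_max}"] if delay > t_max else []


# Constructed sample time tags (not captured traffic).
GOOD_TAG = bytes([0x10, 0x27, 0x1E, 0x0A, 0x0F, 0x03, 0x18])   # 2024-03-15 10:30:10.000
LATER_TAG = bytes([0x20, 0x4E, 0x1E, 0x0A, 0x0F, 0x03, 0x18])  # same day, 10:30:20.000
BAD_YEAR_TAG = GOOD_TAG[:6] + bytes([0x7F])                     # y_t = 127 -> Y_t = 2127

if __name__ == "__main__":
    print(check_time_sync(0xFF, GOOD_TAG))          # []
    print(check_time_sync(0x01, BAD_YEAR_TAG))      # checks 1 and 2 both fail
    t0, t1 = decode_cp56time2a(GOOD_TAG), decode_cp56time2a(LATER_TAG)
    print(check_event_clock(t1, t0), check_transfer_delay(t0, t1))
```

A time synchronization message that passes both checks can still carry a wrong time; the checks above only cover the range and addressing characteristics named in the text. Comparing the decoded tag against a trusted reference clock of the monitor is the natural extension, and T_max must be set from the measured latency of the actual link, since a value too tight turns ordinary network jitter into alerts.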

Malformed-message attack detection on the parsed message proceeds as follows:

I) Check whether the condition given as Figure BDA0003451838800000031 holds. If not, declare a malformed-message attack; otherwise go to step II). Here P_IEC103 is the set of IEC 60870-5-103 messages, F_l(P) is the theoretical length of the message and L_s(P) is its actual length.

II) Check whether the condition given as Figure BDA0003451838800000032 holds. If not, declare a malformed-message attack; otherwise go to step III).

III) Check whether the condition given as Figure BDA0003451838800000033 holds. If not, declare a malformed-message attack; otherwise go to step IV). Here F_t(P) is the value of the type identification field of the message.

IV) Check whether the condition given as Figure BDA0003451838800000034 holds. If not, declare a malformed-message attack; otherwise go to step V). Here F_c(P) is the value of the cause of transmission field of the message.

V) Check whether the condition given as Figure BDA0003451838800000035 holds. If not, declare a malformed-message attack; otherwise go to step S5. Here F_i(P) is the value of the information number field of the message.

The malformed-message detection of the invention can identify malformed messages whose format is otherwise correct, including malformed message lengths and field values outside their thresholds, overcoming the limitation of existing methods, which can only validate the message format. Because the malformation is found before the service the message belongs to is executed, the dispatch centre can be alerted promptly, the communication of that service in the relay protection information processing system re-established and a correct service message sent, so that a malformed message does not produce an anomaly on execution and disrupt normal services.
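As an added example (not code from the patent or its authors), the following Python code parses IEC 60870-5-103 variable-length frames at field level (step S2) and applies checks I to V to constructed sample frames. Since the patent's conditions survive only as figure references, the concrete conditions are assumptions: check I compares the length implied by the length byte with the captured length; check II requires the repeated length bytes, the checksum and the end byte to agree; checks III to V test the type identification, cause of transmission and information number against allowed sets (ALLOWED_TYPE_IDS, ALLOWED_COTS, ALLOWED_INF_BY_FUN) drawn from the compatible range of the standard, which a deployment would replace with its own point list.

```python
"""Field-level parsing (step S2) of IEC 60870-5-103 variable-length frames and the
malformed-message checks I to V of step S4. Added example; the allowed value sets
are assumptions taken from the compatible range of the standard."""
from __future__ import annotations

from dataclasses import dataclass

START, END = 0x68, 0x16

# Assumed allowed sets; a deployment loads the values its own point list uses.
ALLOWED_TYPE_IDS = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31}
ALLOWED_COTS = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20, 21, 31, 40, 41, 42, 43, 44}
ALLOWED_INF_BY_FUN = {0xFF: {0, 2, 3, 4, 5}}   # global function type: GI end, resets, start, power on


class MalformedMessage(Exception):
    """Raised by parse_frame; the message names the failed check (I or II)."""


@dataclass
class Asdu:
    control: int
    link_addr: int
    type_id: int       # F_t(P)
    vsq: int
    cot: int           # F_c(P)
    common_addr: int   # common address of ASDU
    fun: int
    inf: int           # F_i(P)
    info: bytes        # information elements, left unparsed here


def build_frame(control: int, link_addr: int, asdu: bytes) -> bytes:
    """FT1.2 variable-length frame: 68 L L 68 <user data> CS 16, where L counts
    the user data (control, address, ASDU) and CS is their arithmetic sum mod 256."""
    user = bytes([control, link_addr]) + asdu
    return bytes([START, len(user), len(user), START]) + user + bytes([sum(user) % 256, END])


def parse_frame(raw: bytes) -> Asdu:
    if len(raw) < 6 or raw[0] != START or raw[3] != START:
        raise MalformedMessage("I: not a variable-length frame")
    length = raw[1]
    if length != raw[2]:                               # check II (assumed): repeated length agrees
        raise MalformedMessage("II: repeated length bytes differ")
    theoretical = 4 + length + 2                       # F_l(P): header, user data, checksum, end
    if theoretical != len(raw):                        # check I: F_l(P) == L_s(P)
        raise MalformedMessage(f"I: theoretical length {theoretical}, actual {len(raw)}")
    user = raw[4:4 + length]
    if raw[-1] != END or sum(user) % 256 != raw[-2]:   # check II (assumed): checksum and end byte
        raise MalformedMessage("II: bad checksum or end byte")
    if length < 8:
        raise MalformedMessage("I: user data too short for an IEC 60870-5-103 ASDU")
    return Asdu(*user[:8], bytes(user[8:]))


def check_fields(asdu: Asdu) -> list[str]:
    """Checks III, IV and V on the parsed fields; returns the violated checks."""
    problems = []
    if asdu.type_id not in ALLOWED_TYPE_IDS:
        problems.append(f"III: type identification {asdu.type_id} not allowed")
    if asdu.cot not in ALLOWED_COTS:
        problems.append(f"IV: cause of transmission {asdu.cot} not allowed")
    allowed_inf = ALLOWED_INF_BY_FUN.get(asdu.fun, set())
    if asdu.inf not in allowed_inf:
        problems.append(f"V: information number {asdu.inf} not allowed for function type {asdu.fun}")
    return problems


def inspect_frame(raw: bytes) -> tuple[Asdu | None, list[str]]:
    """Steps S2 and S4 for one captured frame: the parsed ASDU (None if it could not
    be parsed) and the list of violated checks."""
    try:
        asdu = parse_frame(raw)
    except MalformedMessage as exc:
        return None, [str(exc)]
    return asdu, check_fields(asdu)


# Constructed sample frames (not captured traffic): a broadcast time synchronization
# ASDU (TYP 6, VSQ 0x81, COT 8, common address FF, FUN FF, INF 0, CP56Time2a tag).
TIME_SYNC_ASDU = bytes([6, 0x81, 8, 0xFF, 0xFF, 0, 0x10, 0x27, 0x1E, 0x0A, 0x0F, 0x03, 0x18])
GOOD_FRAME = build_frame(0x73, 0x01, TIME_SYNC_ASDU)
TRUNCATED_FRAME = GOOD_FRAME[:-3]                                      # fails check I
LENGTH_TAMPERED = bytes([GOOD_FRAME[0], 0x20]) + GOOD_FRAME[2:]        # fails check II
BAD_TYPE_FRAME = build_frame(0x73, 0x01, bytes([99]) + TIME_SYNC_ASDU[1:])   # fails check III

if __name__ == "__main__":
    for frame in (GOOD_FRAME, TRUNCATED_FRAME, LENGTH_TAMPERED, BAD_TYPE_FRAME):
        print(frame.hex(), inspect_frame(frame)[1])
```

The checks run before any information element is interpreted, which is the point made above: a malformed frame is rejected before the service it targets can act on it. Note that check V cannot be a bare range test, since the information number is a single byte and every value is in range; it only has teeth when the allowed information numbers are tied to the function type, as the table ALLOWED_INF_BY_FUN does.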

In step S5, when the message belongs to the read-substation-configuration service, attack detection on the parsed message proceeds as follows:

Check whether the condition given as Figure BDA0003451838800000041 holds. If not, declare a malicious interception attack on the configuration data; otherwise check whether the condition given as Figure BDA0003451838800000042 holds. If not, declare a data tampering attack; otherwise classify the current frame as normal traffic. Here P_BT is the set of read-substation-configuration service messages of the relay protection information processing system, B_n(P) is the number of headers uploaded by the substation, B_s is the total number of headers configured on the substation, B_zh(P) is the group number of each entry within one group of header information and C_zh is the group number of the current group of header information.

The read-substation-configuration service logic attack detection of the invention checks whether the configuration information is uploaded completely and whether the entries and group numbers of the configuration information are consistent. Complete upload of the configuration information and consistency of entries and group numbers are prerequisites for normal operation of the relay protection devices. The check overcomes the shortcoming of existing detection methods, which concentrate on analysing measurement-point data of the relay protection devices and lack attack detection on the service logic of application-layer messages, and effectively avoids the risk of configuration information being intercepted or tampered with.

In step S5, when the message belongs to the protection event upload service, attack detection on the parsed message proceeds as follows:

A) Check whether the condition given as Figure BDA0003451838800000043 holds. If not, declare a malicious tampering attack on double-point information; otherwise go to step B). Here P_BH is the set of protection event upload messages of the relay protection information processing system and D_pi(P) is the value of the double-point information.

B) Check whether the logic between consecutive frames is correct for binary state changes, operation signals and strap (压板) states: if a binary input was reported as open (or closed) in the previous frame and is still reported as open (or closed) in the following frame; if an operation signal was reported as reset (or operated) and is still reported as reset (or operated); or if a strap was reported as disabled (or enabled) and is still reported as disabled (or enabled), declare a malicious open/close attack; otherwise go to step C).

C) Check whether the condition given as Figure BDA0003451838800000044 holds. If not, declare an illegal operation-event upload attack; otherwise classify the current frame as normal traffic. Here L_bh(P) is the type identification of the protection event message, P_5 is the alarm or binary change event message and P_6 is the operation event message.

The protection event upload service logic attack detection of the invention detects malicious tampering attacks and illegal upload attacks on all kinds of protection events in the relay protection information processing system. Service logic attacks on protection events can be hidden well within normal traffic, and existing methods, which only analyse measurement-point data of the relay protection devices, have difficulty detecting such highly stealthy attacks. The invention incorporates the upload service logic of protection events carried in the application-layer messages and so improves the accuracy of attack detection for the relay protection information processing system.
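As an added example (not code from the patent or its authors), the following Python code is a stateful monitor for checks A to C above. It assumes that P_5 and P_6 correspond to type identifications 1 (time-tagged message) and 2 (time-tagged message with relative time) of IEC 60870-5-103, that a legitimately uploaded double-point value is 1 (OFF) or 2 (ON), and that a state repeated in a general interrogation reply (cause of transmission 9) is not a transition and is therefore exempt from check B. The event frames are constructed.

```python
"""Service logic checks A, B and C of step S5 for the protection event upload
service. Added example; type identification mapping and valid double-point
values are assumptions, and the event frames below are constructed."""
from __future__ import annotations

VALID_DPI = {1, 2}          # check A (assumed): 1 = OFF/reset/disabled, 2 = ON/operated/enabled;
                            # 0 and 3 are "indeterminate" and never legitimately uploaded
EVENT_TYPE_IDS = {1: "P_5 alarm or binary change", 2: "P_6 operation event"}   # check C (assumed)
COT_GENERAL_INTERROGATION = 9   # a GI reply repeats current states; it is not a state change


class ProtectionEventMonitor:
    """Remembers the last value of every (function type, information number)
    point so that check B can compare consecutive frames of the same point."""

    def __init__(self) -> None:
        self.last_state: dict[tuple[int, int], int] = {}

    def observe(self, type_id: int, cot: int, fun: int, inf: int, dpi: int) -> list[str]:
        problems: list[str] = []
        if dpi not in VALID_DPI:                                   # check A
            return [f"A: double-point value {dpi} on point {fun}/{inf}"]
        if type_id not in EVENT_TYPE_IDS:                          # check C
            problems.append(f"C: type identification {type_id} is not a protection event")
        key = (fun, inf)
        previous = self.last_state.get(key)
        if cot != COT_GENERAL_INTERROGATION and previous == dpi:   # check B
            problems.append(f"B: point {fun}/{inf} reported state {dpi} twice without a change")
        self.last_state[key] = dpi
        return problems


def run_sample() -> list[list[str]]:
    """Constructed frames for one point, FUN 128 / INF 68 (general trip):
    (type id, cause of transmission, function type, information number, DPI)."""
    monitor = ProtectionEventMonitor()
    frames = [
        (1, 1, 128, 68, 2),   # trip operated: normal
        (1, 9, 128, 68, 2),   # same state in a general interrogation reply: normal
        (1, 1, 128, 68, 2),   # "operated" again with no reset in between: check B
        (1, 1, 128, 68, 1),   # reset: normal
        (1, 1, 128, 68, 3),   # indeterminate value: check A
        (9, 1, 128, 68, 2),   # measurand type id carrying an event: check C
    ]
    return [monitor.observe(*frame) for frame in frames]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The general interrogation exemption matters in practice: a master station that polls all states after a link restart would otherwise trigger check B on every point, and an attacker who can set the cause of transmission field could exploit the exemption, so a monitor should also rate-limit or correlate GI replies with the master station's own interrogation request.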

In step S5, when the message belongs to the fault recording summary (录波简报) upload service, attack detection on the parsed message proceeds as follows:

i) Check whether the condition given as Figure BDA0003451838800000051 holds. If not, declare a malicious trip-phase tampering attack; otherwise go to step ii). Here P_LB is the set of fault recording summary service messages of the relay protection information processing system, G_xb(P) is the faulted phase(s) and Z_xb(P) is the tripped phase(s).

ii) Check whether the condition given as Figure BDA0003451838800000052 holds. If not, declare a ground-fault flag data tampering attack; otherwise go to step iii). Here D_3 is the value of the short-circuit-to-ground fault flag of the message, D_0 the value of the phase A short-circuit fault flag, D_1 the value of the phase B short-circuit fault flag and D_2 the value of the phase C short-circuit fault flag.

iii) Check whether the reclosing information in the fault recording summary is abnormal: if reclosing occurred after the fault but the reclosing time is 0, or no reclosing occurred but the reclosing time is not 0, declare a reclosing-time tampering attack; otherwise classify the current frame as normal traffic.

The fault recording summary upload service logic attack detection of the invention can identify malicious trip-phase tampering attacks, ground-fault flag data tampering attacks and reclosing-time tampering attacks. Information of this service such as tripped phases, fault flags and reclosing time must be extracted by field-level deep parsing of the application-layer messages in the traffic; format checks of the messages alone cannot identify such attacks. The detection method overcomes the limitation of existing methods, which cannot check the timing and contextual logic of fault recording summaries, and improves the protection of the integrity and accuracy of fault recording summary data.
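As an added example (not code from the patent or its authors), the following Python code implements the read-substation-configuration check described earlier and the fault recording summary checks i to iii above. The relations it tests stand in for figures the page does not reproduce and are assumptions: B_n(P) must equal B_s and every B_zh(P) must equal C_zh; the tripped phases Z_xb(P) must be a subset of the faulted phases G_xb(P); a set ground-fault flag D_3 requires at least one of D_0, D_1, D_2 to be set; and a reclosure is present exactly when the reclosing time is non-zero. The summaries are constructed.

```python
"""Consistency checks of step S5 for two services: read substation configuration
(B_n, B_s, B_zh, C_zh) and fault recording summary (checks i to iii). Added
example; the relations tested stand in for figures not reproduced on this page."""
from __future__ import annotations

from dataclasses import dataclass

PHASES = ("A", "B", "C")


def check_config_read(configured_headers: int, uploaded_headers: int,
                      current_group: int, entry_groups: list[int]) -> list[str]:
    """B_s = configured_headers, B_n(P) = uploaded_headers, C_zh = current_group,
    entry_groups = the B_zh(P) of each entry in the current group."""
    problems = []
    if uploaded_headers != configured_headers:      # assumed: B_n(P) == B_s, else interception
        problems.append(f"interception: {uploaded_headers} of {configured_headers} headers uploaded")
    wrong = [g for g in entry_groups if g != current_group]
    if wrong:                                       # assumed: every B_zh(P) == C_zh, else tampering
        problems.append(f"tampering: entries with group numbers {wrong} inside group {current_group}")
    return problems


@dataclass
class RecordingSummary:
    fault_phases: set[str]        # G_xb(P)
    trip_phases: set[str]         # Z_xb(P)
    phase_flags: dict[str, int]   # D_0, D_1, D_2: phase A, B, C short-circuit flags
    ground_flag: int              # D_3: short-circuit-to-ground flag
    reclosed: bool                # whether a reclosure followed the fault
    reclose_time_ms: int          # reclosing time carried by the summary


def check_recording_summary(s: RecordingSummary) -> list[str]:
    problems = []
    if not s.trip_phases <= s.fault_phases:         # i (assumed): Z_xb(P) is a subset of G_xb(P)
        problems.append(f"i: tripped {sorted(s.trip_phases)} not within faulted {sorted(s.fault_phases)}")
    flagged = [p for p in PHASES if s.phase_flags.get(p)]
    if s.ground_flag and not flagged:               # ii (assumed): D_3 needs one of D_0..D_2
        problems.append("ii: ground fault flagged without any phase fault flag")
    if s.reclosed != (s.reclose_time_ms != 0):      # iii: reclosure present <=> reclosing time non-zero
        problems.append(f"iii: reclosed={s.reclosed} but reclosing time is {s.reclose_time_ms} ms")
    return problems


def run_samples() -> dict[str, list[str]]:
    """Constructed inputs: a normal A-phase-to-ground fault with a successful reclosure,
    and a tampered summary whose trip phase, flags and reclosing time contradict it."""
    good = RecordingSummary({"A"}, {"A"}, {"A": 1, "B": 0, "C": 0}, 1, True, 800)
    tampered = RecordingSummary({"A"}, {"B"}, {"A": 0, "B": 0, "C": 0}, 1, True, 0)
    return {
        "config_ok": check_config_read(12, 12, 3, [3, 3, 3]),
        "config_bad": check_config_read(12, 9, 3, [3, 4, 3]),
        "summary_ok": check_recording_summary(good),
        "summary_bad": check_recording_summary(tampered),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

These are cross-field checks inside one message, so they need the information elements of the summary to be parsed, not just the ASDU header; the text above makes the same point. They are also cheap to bypass by an attacker who tampers with all the related fields consistently, which is why the patent combines them with the clock and sequence checks rather than relying on any one of them.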

In step S5, when the message belongs to the setting-value operation business, the specific implementation of attack detection on the parsed message includes:

determining whether the logic Xg1→Xg2→Xg3→Xg4→Xg5→Xg6→Xg7→Xg8 holds; if not, it is determined that a malicious tampering attack on the relay protection device's setting values exists, otherwise the current frame of traffic data is judged to be normal traffic; where Xg1 denotes the message calling the device's currently active setting-group number, Xg2 the substation's upload of the device's currently active setting-group number, Xg3 the master station's call for the device's setting values, Xg4 the substation's upload of the device's setting values, Xg5 the download of setting values to the substation, Xg6 the substation's response to the setting-value download, Xg7 the execute-setting-modification message, and Xg8 the substation's response to the setting modification.

The setting-value operation business-logic attack detection of the present invention can, from the normal setting-modification logic, identify a malicious tampering attack on the relay protection device's setting values while the modification is still in progress, and actively block it. Existing analysis methods based on relay protection device measurement-point data can only detect a setting value after it has been tampered with, and cannot monitor and block the modification in time. The setting-value operation business-logic attack detection method provided by the present invention reaches into the application layer of the traffic data, can effectively prevent the setting values of relay protection devices from being maliciously tampered with, and is of great significance for the correct operation of relay protection devices.

In step S5, when the message belongs to the general call business, the specific implementation of attack detection on the parsed message includes:

determining whether the logic Zh1→Zh2→Zh3 holds; if not, it is determined that an illegal general call attack exists; otherwise, determining whether the formula

Figure BDA0003451838800000061

holds; if not, it is determined that an illegal general call attack exists, otherwise the current frame of traffic data is judged to be normal traffic; where Zh1 denotes the master station's general-call start message, Zh2 the substation's information upload message, Zh3 the general-call end message, PZH the general call business of the relay protection information processing system, Zhn the number of information items uploaded by the substation, Zhs the number of substation devices, As the message's ASDU address, and H indicates a hexadecimal value.

The general call business-logic attack detection of the present invention can identify illegal general call attacks from the normal business logic of the general call. An illegal general call attack combines constructed general call messages with legitimate ones by tampering or injection in order to obtain data illegitimately. This kind of attack cannot be recognised by legality checks on message fields or by consistency analysis of telemetry data alone; it has to be recognised at the business-logic level of the messages. By checking the logic and the scope of the general call business, the detection provided by the present invention can effectively recognise attacks against the general call business and prevent redundant or incomplete upload of information.

In step S5, when the message belongs to the general file transfer business, the specific implementation of attack detection on the parsed message includes: checking whether the file name contains only a directory name and wildcards; if it contains any other, illegal characters, it is determined that an illegal file upload attack exists; otherwise, determining whether the formula

Figure BDA0003451838800000071

holds; if not, it is determined that a file clock tampering attack exists, otherwise the current frame of traffic data is judged to be normal traffic; where PWJ denotes the file-list upload message of the relay protection information processing system, Tlb(P) the file-list upload time, Cq the query start time of the file-list call, and Cz the query end time of the file-list call.

The general file transfer business-logic attack detection of the present invention can identify illegal file upload attacks and file clock tampering attacks. Once an illegal file containing attack code is uploaded to the master station, the master station may lose its control authority; a file clock tampering attack tampers with the times in the uploaded file list in order to steal information illegitimately. The general file transfer business-logic attack detection provided by the present invention overcomes the limitation of existing methods, which concentrate on statistical analysis of network-layer traffic, and can effectively prevent an attacker from crashing the master station or stealing files by uploading malicious file data or tampering with file times.
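The two file-transfer checks above (repeated as steps S5-7-1 and S5-7-2 further down) are shown here as an added example; this is not the patent's code. Formula (21) is an image on the page, so the range rule Cq ≤ Tlb(P) ≤ Cz is taken from the wording of the text, and the set of characters accepted as a "directory name" is this example's own assumption. The rejection of `..` path segments is an extra precaution not stated on the page.

```python
import re
from datetime import datetime
from typing import Optional

# Added example (not the patent's code): the two general-file-transfer checks of
# step S5-7. Formula (21) is an image on the page; the rule C_q <= T_lb(P) <= C_z
# follows the text. The directory-name character set is an assumption.

# directory-name characters plus the two wildcards the page allows (* and ?)
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9_.\-/\\*?]+")


def file_name_legal(name: str) -> bool:
    """S5-7-1: the name may contain only directory-name characters and the wildcards * and ?."""
    if not name or not _ALLOWED_NAME.fullmatch(name):
        return False
    # extra precaution, not stated on the page: no parent-directory segments
    return ".." not in name.replace("\\", "/").split("/")


def list_time_in_range(t_lb: datetime, c_q: datetime, c_z: datetime) -> bool:
    """Assumed reading of formula (21): C_q <= T_lb(P) <= C_z."""
    return c_q <= t_lb <= c_z


def detect_file_transfer_attack(name: str, t_lb: datetime,
                                c_q: datetime, c_z: datetime) -> Optional[str]:
    """Run S5-7-1 then S5-7-2; return the finding, or None for normal traffic."""
    if not file_name_legal(name):
        return "S5-7-1 illegal file upload"
    if not list_time_in_range(t_lb, c_q, c_z):
        return "S5-7-2 file clock tampering"
    return None


if __name__ == "__main__":
    # constructed sample: a file-list call for December 2021
    q, z = datetime(2021, 12, 1), datetime(2021, 12, 31)
    for name, when in [("COMTRADE/*.cfg", datetime(2021, 12, 15)),
                       ("COMTRADE/a cfg", datetime(2021, 12, 15)),
                       ("COMTRADE/*", datetime(2022, 1, 5))]:
        print(name, when.date(), "->", detect_file_transfer_attack(name, when, q, z))
```

`file_name_legal` is deliberately an allow-list: anything outside the directory-name alphabet and the two wildcards fails, which matches the page's "any other characters are illegal" wording better than a deny-list of known bad characters would.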

A computer device comprises a memory, a processor and a computer program stored in the memory; the processor executes the computer program to implement the steps of the method of the present invention.

Compared with the prior art, the present invention has the following beneficial effects:

(1) Addressing the network attack risks faced by the relay protection information processing system, such as message theft, interception and tampering, the present invention proposes an attack detection method for application-layer messages in the traffic data, overcoming the limitation of existing attack detection methods, which concentrate on analysing relay protection device measurement-point data.

(2) The present invention proposes clock tampering attack and malformed message attack detection for application-layer messages in the traffic data of the relay protection information processing system, compensating for the IEC 60870-5-103 protocol's lack of authentication, authorisation and encryption mechanisms.

(3) The present invention establishes normal-behaviour models of the power business from the business characteristics of the relay protection information processing system and performs attack detection on the application-layer messages of the traffic data, achieving active defence against application-layer attacks on the traffic data of the relay protection information processing system and improving the security of information transmission in the business system.

Description of the drawings

FIG. 1 is a flowchart of the attack behaviour monitoring method for a relay protection information processing system in an embodiment of the present invention.

FIG. 2 is a schematic structural diagram of the attack behaviour monitoring system for a relay protection information processing system in an embodiment of the present invention.

FIG. 3 is a system unit diagram of the clock tampering attack detection module in an embodiment of the present invention.

FIG. 4 is a system unit diagram of the malformed message attack detection module in an embodiment of the present invention.

FIG. 5 is a system unit diagram of the business-logic attack detection module in an embodiment of the present invention.

Detailed description of the embodiments

FIG. 1 is a flowchart of the attack behaviour monitoring method for a relay protection information processing system provided by an embodiment of the present invention; the specific implementation steps are as follows:

Step S1: capture the traffic packets of the relay protection information processing system in real time and extract the application-layer message of the current frame of traffic data;

Step S2: parse the message at field level according to the IEC 60870-5-103 protocol, obtain the actual values of the length field, type identification, cause of transmission and information number together with the clock characteristics, and determine the system business to which the message belongs;

Step S3: perform clock tampering attack detection on the message parsed in step S2; if the message's clock range, clock logic, clock synchronisation or clock delay does not match the normal clock characteristics, it is determined that a clock tampering attack exists, otherwise proceed to step S4;

Step S4: perform malformed message attack detection on the message parsed in step S2; if the message's length field, type identification, cause of transmission or information number value does not meet the protocol requirements, it is determined that a malformed message attack exists, otherwise proceed to step S5;

Step S5: establish a normal-behaviour model for the system business to which the message belongs and perform attack detection on the message against that model; if the message does not conform to the normal business model, it is determined that a business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

Further, step S3 includes:

S3-1: check whether the year of the message's time tag is within the normal range; if the year is out of range, i.e. formula (1) is violated, it is determined to be a clock tampering attack, otherwise proceed to step S3-2.

Yt ∈ [1970, 2069] (1)

Figure BDA0003451838800000081

where Yt denotes the year of the time tag and yt the value of the time tag's year identification byte.

S3-2: check whether the time synchronisation message is a broadcast. The broadcast time synchronisation command issued by the master station synchronises all devices, so the high 8 bits of the message's application service data unit common address (ASDU address for short) are FFH, meaning a broadcast to all devices in the substation; if formula (3) is violated, it is determined to be a clock tampering attack, otherwise proceed to step S3-3.

Figure BDA0003451838800000091

where ∀ denotes the universal quantifier "for all", P is the application-layer message parsed in step S2, PDS denotes an IEC 60870-5-103 time synchronisation message, Ag(P) denotes the value of the high 8 bits of the message's ASDU address, F denotes hexadecimal 15, and H indicates a hexadecimal value.

S3-3: check whether the logic between the actual occurrence time of alarms, remote-signalling state changes and operation events and the substation's reception time is correct. When an alarm, remote-signalling state change or operation event occurs, the relay protection device records the actual time of the event, and the substation receives the fault information with some delay, so the substation's reception time must be later than the actual occurrence time; if formula (4) is violated, it is determined to be a clock tampering attack, otherwise proceed to step S3-4.

Figure BDA0003451838800000093

where PDZ denotes any one of the IEC 60870-5-103 alarm, remote-signalling state change and operation event upload messages, Tjs(P) denotes the time at which the substation received the event, and Tsj(P) denotes the actual occurrence time of the event.

S3-4: check whether the time period of the historical fault information uploaded by the substation matches the time period of the master station's call for historical fault information; if the two do not match, it is determined to be a clock tampering attack, otherwise proceed to step S3-5.

S3-5: check whether master-substation information transfer has timed out. If the information transfer time exceeds the maximum delay required by the protocol, i.e. formula (5) is violated, it is determined to be a clock tampering attack, otherwise proceed to step S4.

Figure BDA0003451838800000094

Figure BDA0003451838800000095

where PXC denotes an IEC 60870-5-103 master-substation information transfer message, Tcs(P) the information transfer time, Tmax the maximum delay, P1 a relay protection device operation information transfer message, P2 a relay protection device analogue measured value transfer message, P3 a relay protection device running state transfer message, and P4 a relay protection device setting value transfer message.
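The five clock checks S3-1 to S3-5 are shown below over a pre-parsed message, as an added example that is not the patent's code. Formulas (2) to (6) are images on the page, so three things here are assumptions: the year-byte mapping (70..99 → 19xx, 0..69 → 20xx, which is what makes formula (1) hold), the treatment of the ASDU address as a 16-bit integer whose high byte is tested against FFH, and the value of Tmax (the protocol's figure is not given on the page). The message field names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not the patent's code): the clock checks of step S3 applied to
# one message that step S2 has already parsed. Field names and message-kind
# labels are assumptions made for this illustration.


@dataclass
class ParsedMessage:
    kind: str                          # "time_sync", "event", "history" or "transfer"
    asdu_addr: int = 0                 # ASDU common address, treated as 16 bits (assumption)
    year_byte: Optional[int] = None    # y_t: raw year byte of the time tag
    event_time: Optional[float] = None     # T_sj(P): time the device recorded the event
    receive_time: Optional[float] = None   # T_js(P): time the substation received it
    sent_period: Optional[Tuple[int, int]] = None       # history period reported by the substation
    requested_period: Optional[Tuple[int, int]] = None  # history period the master asked for
    transfer_time: Optional[float] = None  # T_cs(P): master-substation transfer time, seconds


T_MAX_SECONDS = 5.0   # T_max: assumed value; the protocol's maximum delay is not stated on the page


def decode_year(year_byte: int) -> int:
    """Formula (2) is an image on the page; this mapping is an assumption chosen so that
    every byte 0..99 lands inside the range of formula (1)."""
    return 1900 + year_byte if year_byte >= 70 else 2000 + year_byte


def year_in_range(year_byte: int) -> bool:
    """Formula (1): Y_t must lie in [1970, 2069]; a byte above 99 cannot encode a year at all."""
    if not 0 <= year_byte <= 99:
        return False
    return 1970 <= decode_year(year_byte) <= 2069


def is_broadcast_time_sync(msg: ParsedMessage) -> bool:
    """Formula (3): a time-sync message must carry FFH in the high 8 bits of its ASDU address."""
    return ((msg.asdu_addr >> 8) & 0xFF) == 0xFF


def detect_clock_tampering(msg: ParsedMessage) -> Optional[str]:
    """Run S3-1..S3-5 in the page's order; return the first failed check, or None if none failed."""
    if msg.year_byte is not None and not year_in_range(msg.year_byte):
        return "S3-1 year out of range"
    if msg.kind == "time_sync" and not is_broadcast_time_sync(msg):
        return "S3-2 time sync not broadcast"
    if msg.kind == "event" and msg.receive_time is not None and msg.event_time is not None:
        # formula (4): the substation can only receive an event after it occurred
        if not msg.receive_time > msg.event_time:
            return "S3-3 receive time not after event time"
    if msg.kind == "history" and msg.sent_period != msg.requested_period:
        return "S3-4 history period mismatch"
    if msg.kind == "transfer" and msg.transfer_time is not None and msg.transfer_time > T_MAX_SECONDS:
        return "S3-5 transfer delay exceeded"
    return None


if __name__ == "__main__":
    # constructed samples: one clean time-sync broadcast and one unicast time-sync
    for m in (ParsedMessage(kind="time_sync", asdu_addr=0xFF01),
              ParsedMessage(kind="time_sync", asdu_addr=0x0001)):
        print(hex(m.asdu_addr), "->", detect_clock_tampering(m))
```

Each check only fires on the message kinds it is defined for, so a single detector can sit on the whole stream; the first violation is reported because the patent's flow stops at the first failing step.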

Further, step S4 includes:

S4-1: for the message parsed in step S2, check whether the theoretical message length computed from the length field equals the actual length; if they are not equal, i.e. formula (7) is violated, it is determined to be a malformed message attack, otherwise proceed to step S4-2.

Figure BDA0003451838800000101

where PIEC103 denotes an IEC 60870-5-103 message, Fl(P) the theoretical message length and Ls(P) the actual message length.

S4-2: check whether the actual message length exceeds 2048 bytes; if it does, i.e. formula (8) is violated, it is determined to be a malformed message attack, otherwise proceed to step S4-3.

Figure BDA0003451838800000102

S4-3: check whether the value of the message's type identification field is valid; if it is invalid, i.e. formula (9) is violated, it is determined to be a malformed message attack, otherwise proceed to step S4-4.

Figure BDA0003451838800000103

where Ft(P) denotes the value of the message's type identification field.

S4-4: check whether the value of the message's cause of transmission field is valid; if it is invalid, i.e. formula (10) is violated, it is determined to be a malformed message attack, otherwise proceed to step S4-5.

Figure BDA0003451838800000104

where Fc(P) denotes the value of the message's cause of transmission field.

S4-5: check whether the value of the message's information number field is valid; if it is invalid, i.e. formula (11) is violated, it is determined to be a malformed message attack, otherwise proceed to step S5.

Figure BDA0003451838800000105

where Fi(P) denotes the value of the message's information number field.
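Steps S4-1 to S4-5 over a raw frame, as an added example that is not the patent's code. The envelope used is the standard IEC 60870-5 FT1.2 variable-length frame (68H L L 68H, L user bytes, checksum, 16H), so the theoretical length Fl(P) is L + 6. Formulas (9) to (11) are images on the page, so the allowed type-identification and cause-of-transmission sets below are an assumption (the values defined by IEC 60870-5-103), and the information number is treated as deployment-specific, accepting any byte. `build_frame` only exists to construct sample input.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not the patent's code): the malformed-message checks of step S4
# over an IEC 60870-5-103 frame in FT1.2 variable-length format. The TYP/COT
# sets are an assumption (formulas (9)-(11) are images on the page).

START, END = 0x68, 0x16
MAX_FRAME_LEN = 2048                                   # formula (8)
VALID_TYP = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31}
VALID_COT = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20, 21, 31, 40, 41, 42, 43, 44}
VALID_INF = set(range(256))                            # deployment-specific; any byte accepted here


@dataclass
class Frame103:
    length_field: int   # L: number of user-data bytes (control field, address, ASDU)
    typ: int            # type identification, first ASDU byte
    cot: int            # cause of transmission, third ASDU byte
    inf: int            # information number, sixth ASDU byte
    actual_length: int  # L_s(P): bytes actually captured


def theoretical_length(length_field: int) -> int:
    """F_l(P): 4 header bytes (68 L L 68) + L user bytes + checksum + end byte."""
    return length_field + 6


def parse_frame(raw: bytes) -> Optional[Frame103]:
    """Pull the step-S2 fields out of a frame; None if the envelope is unusable."""
    if len(raw) < 12 or raw[0] != START or raw[3] != START:
        return None
    length_field = raw[1]
    # user data starts at offset 4 with C and A; the ASDU follows: TYP, VSQ, COT, ADDR, FUN, INF
    typ, _vsq, cot, _addr, _fun, inf = raw[6:12]
    return Frame103(length_field, typ, cot, inf, len(raw))


def detect_malformed(frame: Frame103) -> Optional[str]:
    """Run S4-1..S4-5 in the page's order; return the first violated formula, or None."""
    if theoretical_length(frame.length_field) != frame.actual_length:
        return "formula (7): length field does not match actual length"
    if frame.actual_length > MAX_FRAME_LEN:
        return "formula (8): frame longer than 2048 bytes"
    if frame.typ not in VALID_TYP:
        return "formula (9): invalid type identification"
    if frame.cot not in VALID_COT:
        return "formula (10): invalid cause of transmission"
    if frame.inf not in VALID_INF:
        return "formula (11): invalid information number"
    return None


def build_frame(typ: int, cot: int, inf: int, payload: bytes = b"",
                length_field: Optional[int] = None) -> bytes:
    """Construct a sample frame (C=08H, A=01H, VSQ=81H, ADDR=01H, FUN=FFH are arbitrary);
    a wrong length_field can be forced to produce a formula (7) violation."""
    user = bytes([0x08, 0x01, typ, 0x81, cot, 0x01, 0xFF, inf]) + payload
    length = len(user) if length_field is None else length_field
    checksum = sum(user) & 0xFF
    return bytes([START, length, length, START]) + user + bytes([checksum, END])


if __name__ == "__main__":
    for raw in (build_frame(typ=1, cot=1, inf=3), build_frame(typ=1, cot=1, inf=3, length_field=20)):
        frame = parse_frame(raw)
        print(raw.hex(), "->", detect_malformed(frame) if frame else "unparseable")
```

The checks are ordered as on the page: the length test runs first because every later field is read at a fixed offset and a frame whose declared and real lengths disagree cannot be trusted to have those fields where the parser expects them.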

Further, step S5 includes:

S5-1: classify the attack detection by the business to which the message obtained in step S2 belongs: if the message belongs to the read-substation-configuration business, proceed to step S5-2; if to the protection event upload business, proceed to step S5-3; if to the recording-brief upload business, proceed to step S5-4; if to the setting-value operation business, proceed to step S5-5; if to the general call business, proceed to step S5-6; if to the general file transfer business, proceed to step S5-7.

S5-2: analyse the normal logic of the read-substation-configuration business according to the technical specification of the relay protection information processing system, establish a normal-behaviour model of that business from its normal logic, and check the traffic data of that business in the relay protection information processing system against the model; if the message does not conform to the normal-behaviour model, it is determined that a read-substation-configuration business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

S5-3: analyse the normal logic of the protection event upload business according to the technical specification of the relay protection information processing system, establish a normal-behaviour model of that business from its normal logic, and check the traffic data of that business in the relay protection information processing system against the model; if the message does not conform to the normal-behaviour model, it is determined that a protection event upload business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

S5-4: analyse the normal logic of the recording-brief upload business according to the technical specification of the relay protection information processing system, establish a normal-behaviour model of that business from its normal logic, and check the traffic data of that business in the relay protection information processing system against the model; if the message does not conform to the normal-behaviour model, it is determined that a recording-brief upload business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

S5-5: analyse the normal logic of the setting-value operation business according to the technical specification of the relay protection information processing system, establish a normal-behaviour model of that business from its normal logic, and check the traffic data of that business in the relay protection information processing system against the model; if the message does not conform to the normal-behaviour model, it is determined that a setting-value operation business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

S5-6: analyse the normal logic of the general call business according to the technical specification of the relay protection information processing system, establish a normal-behaviour model of that business from its normal logic, and check the traffic data of that business in the relay protection information processing system against the model; if the message does not conform to the normal-behaviour model, it is determined that a general call business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

S5-7: analyse the normal logic of the general file transfer business according to the technical specification of the relay protection information processing system, establish a normal-behaviour model of that business from its normal logic, and check the traffic data of that business in the relay protection information processing system against the model; if the message does not conform to the normal-behaviour model, it is determined that a general file transfer business-logic attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

Further, step S5-2 includes:

S5-2-1: check whether the number of headers uploaded by the substation is complete when the relay protection information processing system reads each group of headers in the substation configuration; if it is incomplete, i.e. formula (12) is violated, it is determined that a configuration data malicious interception attack exists, otherwise proceed to step S5-2-2.

Figure BDA0003451838800000111

where PBT denotes a read-substation-configuration business message in the relay protection information processing system, Bn(P) the number of headers uploaded by the substation, and Bs the total number of headers configured in the substation.

S5-2-2: check whether the group numbers of all entries of the same group of header information are consistent; if they are not, i.e. formula (13) is violated, it is determined that a data tampering attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

Figure BDA0003451838800000121

where Bzh(P) denotes the group number of each entry of the same group of header information and Czh the group number of the current group of header information.

Further, step S5-3 includes:

S5-3-1: check whether the double-point information uploaded in protection events is abnormal; if the double-point information state is outside the specified range, i.e. formula (14) is violated, it is determined that a double-point information malicious tampering attack exists, otherwise proceed to step S5-3-2.

Figure BDA0003451838800000122

where PBH denotes a protection event upload message in the relay protection information processing system and Dpi(P) the double-point information value.

S5-3-2: check whether the logic between consecutive frames of binary state change, operation signal and strap state messages is correct. If the previous frame of a binary state change is open/closed and the following frame is still open/closed, if the previous frame of an operation signal is reset/operated and the following frame is still reset/operated, or if the previous frame of a strap state is out of service/in service and the following frame is still out of service/in service, it is determined that a malicious open/close attack exists, otherwise proceed to step S5-3-3.

S5-3-3: check whether the type identification used to upload the protection event is correct: alarm and binary state change events may only be uploaded with type identification 1, and operation events only with type identification 2; if formula (15) is violated, it is determined that an illegal operation event upload attack exists, otherwise the current frame of traffic data is judged to be normal traffic.

Figure BDA0003451838800000123

where Lbh(P) denotes the type identification of the protection event message, P5 an alarm or binary state change event message, and P6 an operation event message.
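Steps S5-3-1 to S5-3-3 over a stream of parsed protection events, as an added example that is not the patent's code. Formula (14) is an image on the page, so the valid double-point range {1, 2} (the determinate OFF/ON states of the IEC 60870-5 double-point encoding) is an assumption. The per-point memory of the last state is what makes the S5-3-2 "previous frame versus following frame" comparison possible; the event categories and field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not the patent's code): the protection-event checks of step S5-3.
# VALID_DPI is an assumption standing in for formula (14), which is an image on the page.

VALID_DPI = {1, 2}                       # determinate double-point states (1 = OFF, 2 = ON)
TYP_BY_EVENT = {"alarm": 1,              # formula (15): alarms and binary state changes use TYP 1,
                "switch_change": 1,      # operation events use TYP 2; strap state is not
                "operation": 2}          # constrained by the page, so it is not listed here


@dataclass
class ProtectionEvent:
    point: str        # device/point the event refers to (constructed identifier)
    category: str     # "alarm", "switch_change", "operation" or "strap"
    typ: int          # type identification the event was uploaded with
    dpi: int          # D_pi(P): double-point information value


class ProtectionEventMonitor:
    """Stateful detector: remembers the last state of every point so that the
    previous and following frames can be compared as step S5-3-2 requires."""

    def __init__(self) -> None:
        self._last_state: Dict[str, int] = {}

    def check(self, ev: ProtectionEvent) -> Optional[str]:
        # S5-3-1: the double-point state must be a determinate value
        if ev.dpi not in VALID_DPI:
            return "S5-3-1 double-point information tampering"
        # S5-3-2: a state-change frame must differ from the previous frame for the same point
        prev = self._last_state.get(ev.point)
        if prev is not None and prev == ev.dpi:
            return "S5-3-2 malicious open/close"
        self._last_state[ev.point] = ev.dpi
        # S5-3-3: alarm/binary change only with TYP 1, operation only with TYP 2
        expected = TYP_BY_EVENT.get(ev.category)
        if expected is not None and ev.typ != expected:
            return "S5-3-3 illegal operation event upload"
        return None


def scan_events(events: List[ProtectionEvent]) -> List[Tuple[int, str]]:
    """Run one monitor over a whole capture; return (index, finding) for each flagged frame."""
    monitor = ProtectionEventMonitor()
    findings = []
    for i, ev in enumerate(events):
        result = monitor.check(ev)
        if result is not None:
            findings.append((i, result))
    return findings


if __name__ == "__main__":
    # constructed capture: breaker CB1 opens, closes, then a second identical "close" arrives
    sample = [ProtectionEvent("CB1", "switch_change", 1, 1),
              ProtectionEvent("CB1", "switch_change", 1, 2),
              ProtectionEvent("CB1", "switch_change", 1, 2),
              ProtectionEvent("P1", "operation", 1, 2),
              ProtectionEvent("P2", "alarm", 1, 3)]
    for idx, finding in scan_events(sample):
        print(idx, finding)
```

The state table is only updated for frames that pass S5-3-1 and S5-3-2, so a flagged frame does not poison the comparison for the next legitimate one.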

Further, step S5-4 includes:

S5-4-1: check whether the fault phase and the trip phase in the recording brief are consistent; if they are not, i.e. formula (16) is violated, it is determined that a trip-phase malicious tampering attack exists, otherwise proceed to step S5-4-2.

Figure BDA0003451838800000131

where PLB denotes a recording-brief business message in the relay protection information processing system, Gxb(P) the fault phase and Zxb(P) the trip phase.

S5-4-2: check whether the short-circuit ground-fault flag bit in the recording brief is correct; if it is not, i.e. formula (17) is violated, it is determined that a ground-fault flag-bit data tampering attack exists, otherwise proceed to step S5-4-3.

Figure BDA0003451838800000132

where D3 denotes the value of the message's short-circuit ground-fault flag bit, D0 the value of the phase-A short-circuit fault flag bit, D1 the value of the phase-B short-circuit fault flag bit, and D2 the value of the phase-C short-circuit fault flag bit.

S5-4-3: check whether the reclose in the recording brief is abnormal. If a reclose followed the fault but the reclose time is 0, or no reclose occurred but the reclose time is not 0, it is determined that a reclose-time tampering attack exists, otherwise the current frame of traffic data is judged to be normal traffic.
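Steps S5-4-1 to S5-4-3 (the same checks as steps ii and iii in the summary above) as an added example that is not the patent's code. Formula (17) is an image on the page, so the ground-fault consistency rule used here, that a set D3 flag is only consistent when at least one of the phase flags D0, D1, D2 is set, is an assumption standing in for it and should be replaced with the patent's actual relation where known. Field names are this example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example (not the patent's code): the recording-brief checks of step S5-4.
# ground_fault_flags_consistent() is an assumed reading of formula (17), which is
# an image on the page.


@dataclass
class RecordingBrief:
    fault_phases: FrozenSet[str]   # G_xb(P): faulted phases, e.g. frozenset({"A"})
    trip_phases: FrozenSet[str]    # Z_xb(P): tripped phases
    d0: int                        # phase-A short-circuit fault flag
    d1: int                        # phase-B short-circuit fault flag
    d2: int                        # phase-C short-circuit fault flag
    d3: int                        # short-circuit ground-fault flag
    reclosed: bool                 # whether a reclose followed the fault
    reclose_time_ms: int           # reported reclose time, 0 if none


def ground_fault_flags_consistent(b: RecordingBrief) -> bool:
    """Assumed reading of formula (17): flags are single bits, and D3 = 1 is only
    consistent when at least one phase flag is set."""
    if b.d3 not in (0, 1) or any(f not in (0, 1) for f in (b.d0, b.d1, b.d2)):
        return False
    return b.d3 == 0 or (b.d0 | b.d1 | b.d2) == 1


def reclose_consistent(b: RecordingBrief) -> bool:
    """S5-4-3: a reclose must come with a non-zero time, and no reclose with a zero time."""
    return b.reclosed == (b.reclose_time_ms != 0)


def detect_recording_brief_attack(b: RecordingBrief) -> Optional[str]:
    """Run S5-4-1..S5-4-3 in the page's order; return the finding, or None for normal traffic."""
    if b.fault_phases != b.trip_phases:
        return "S5-4-1 trip phase tampering"
    if not ground_fault_flags_consistent(b):
        return "S5-4-2 ground-fault flag tampering"
    if not reclose_consistent(b):
        return "S5-4-3 reclose time tampering"
    return None


if __name__ == "__main__":
    # constructed sample: single-phase-to-ground fault on A, A tripped, reclose after 800 ms
    clean = RecordingBrief(frozenset("A"), frozenset("A"), 1, 0, 0, 1, True, 800)
    tampered = RecordingBrief(frozenset("A"), frozenset("A"), 1, 0, 0, 1, True, 0)
    print(detect_recording_brief_attack(clean), detect_recording_brief_attack(tampered))
```

Phases are compared as sets so that a three-phase fault with a three-phase trip and a single-phase fault with a single-phase trip are both handled by the same equality test, without assuming any particular encoding of the phase field.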

Further, step S5-5 includes:

S5-5-1: check whether the setting-modification logic of the relay protection device is correct; if the logic is wrong, i.e. formula (18) is violated, it is determined that a malicious tampering attack on the relay protection device's setting values exists, otherwise the current frame of traffic data is judged to be normal traffic.

Xg1→Xg2→Xg3→Xg4→Xg5→Xg6→Xg7→Xg8 (18)

where Xg1 denotes the message calling the device's currently active setting-group number, Xg2 the substation's upload of the device's currently active setting-group number, Xg3 the master station's call for the device's setting values, Xg4 the substation's upload of the device's setting values, Xg5 the download of setting values to the substation, Xg6 the substation's response to the setting-value download, Xg7 the execute-setting-modification message, and Xg8 the substation's response to the setting modification.

Further, step S5-6 includes:

S5-6-1: Detect whether the general call service flow is abnormal. If the actual general call flow does not match the normal flow, that is, formula (19) is violated, it is determined that an illegal general call attack exists; otherwise go to step S5-6-2.

Zh1→Zh2→Zh3 (19)

Where Zh1 denotes the master station's message starting the general call, Zh2 the substation's message uploading information, and Zh3 the general call end message.

S5-6-2: Check whether the number of information messages uploaded by the substation is correct. After receiving the master station's general call command, the substation replies with the specified information according to the ASDU address in the message: when the ASDU address is non-zero it answers with the switching value information of the specified device; when the ASDU address is zero it answers with the communication status and the running status of every device in the substation. If formula (20) is violated, it is determined that an illegal general call attack exists; otherwise the current frame of traffic data is determined to be normal traffic.

Figure BDA0003451838800000141 (formula (20), given only as an image in the original)

Where PZH denotes the general call service of the relay protection information processing system, Zhn the number of information messages uploaded by the substation, Zhs the number of devices in the substation, As the ASDU address of the message, and H indicates a hexadecimal value.

Further, step S5-7 includes:

S5-7-1: Check whether the file name contains only a directory name and the wildcard characters (* and ?). If it contains other illegal characters, it is determined that an illegal file upload attack exists; otherwise go to step S5-7-2.

S5-7-2: Check whether the uploaded file list lies within the query time range. When the master station calls the file list it gives a query start time and a query end time, and the file list uploaded by the substation must fall within that range. If it falls outside, that is, formula (21) is violated, it is determined that a file clock tampering attack exists; otherwise the current frame of traffic data is determined to be normal traffic.

Figure BDA0003451838800000142 (formula (21), given only as an image in the original)

Where PWJ denotes the file list upload message of the relay protection information processing system, Tlb(P) the file list upload time, Cq the query start time of the file list call, and Cz the query end time of the file list call.
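The service logic checks of steps S5-5, S5-6-1 and S5-7, written as an added Python example (not code from the patent): a strict-order check for the message chains of (18) and (19), the character check on file names, and the time window of (21). The permitted file-name character set and the collapsing of repeated Zh2 replies are assumptions; the count check of formula (20) is not included.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Required message orders for two of the patent's service flows:
# formula (18), setting value modification, and formula (19), general call.
SETTING_VALUE_FLOW = ["Xg1", "Xg2", "Xg3", "Xg4", "Xg5", "Xg6", "Xg7", "Xg8"]
GENERAL_CALL_FLOW = ["Zh1", "Zh2", "Zh3"]

# Characters allowed in a file-list request name: directory separators, the
# usual name characters and the two wildcards (* and ?) the text permits.
# The exact name grammar is an assumption, not given on the page.
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9_./\\*?-]+")


@dataclass(frozen=True)
class Verdict:
    ok: bool
    attack: str = ""     # attack name from the text when ok is False
    detail: str = ""


def collapse_repeats(labels: List[str], repeatable: str) -> List[str]:
    """Merge consecutive repeats of one step (assumption: the substation may
    answer a general call with several Zh2 messages, one per device)."""
    out: List[str] = []
    for lab in labels:
        if lab == repeatable and out and out[-1] == repeatable:
            continue
        out.append(lab)
    return out


def check_flow(observed: List[str], expected: List[str], attack: str) -> Verdict:
    """Strict-chain check behind (18) and (19): each step in order, none
    skipped, repeated or reordered, and nothing after the final step."""
    for i, (seen, want) in enumerate(zip(observed, expected)):
        if seen != want:
            return Verdict(False, attack, f"step {i + 1}: got {seen}, expected {want}")
    if len(observed) < len(expected):
        return Verdict(False, attack,
                       f"flow ended after {len(observed)} of {len(expected)} steps")
    if len(observed) > len(expected):
        return Verdict(False, attack, f"extra message {observed[len(expected)]} after flow end")
    return Verdict(True)


def check_file_name(name: str) -> Verdict:
    """S5-7-1: a file name may hold only a directory name and wildcards."""
    if _ALLOWED_NAME.fullmatch(name):
        return Verdict(True)
    bad = sorted({c for c in name if not _ALLOWED_NAME.fullmatch(c)})
    return Verdict(False, "illegal file upload", f"illegal characters {bad}")


def check_list_time(t_lb: datetime, c_q: datetime, c_z: datetime) -> Verdict:
    """S5-7-2 / formula (21): Cq <= Tlb(P) <= Cz for an uploaded list entry."""
    if c_q <= t_lb <= c_z:
        return Verdict(True)
    return Verdict(False, "file clock tampering",
                   f"{t_lb.isoformat()} outside [{c_q.isoformat()}, {c_z.isoformat()}]")


if __name__ == "__main__":
    # constructed: a download (Xg5) appears without the preceding call and upload
    print(check_flow(["Xg1", "Xg2", "Xg5", "Xg6", "Xg7", "Xg8"],
                     SETTING_VALUE_FLOW, "setting value tampering"))
    gi = collapse_repeats(["Zh1", "Zh2", "Zh2", "Zh2", "Zh3"], "Zh2")
    print(check_flow(gi, GENERAL_CALL_FLOW, "illegal general call"))
    print(check_file_name("/comtrade/2021*/?.cfg"), check_file_name("/comtrade/a|b.cfg"))
    # constructed: list entry dated after the query end time Cz
    print(check_list_time(datetime(2021, 12, 31, 8, 0),
                          datetime(2021, 12, 1), datetime(2021, 12, 31)))
```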

The present invention relies on the massive traffic data of relay protection information processing systems. It extracts the application layer messages from the traffic data and parses them according to the IEC 60870-5-103 protocol to obtain the concrete values of the message feature fields and the system service to which each message belongs. Next, clock tampering attack detection and malformed message attack detection are performed according to the concrete values of the message feature fields. Finally, a normal service model is built for the specific system service to which the message belongs, and service logic attack detection is performed against that model. This achieves comprehensive monitoring of attack behavior against the relay protection information processing system and ensures the safe and reliable operation of the power system.

FIG. 2 is a schematic structural diagram of the attack behavior monitoring system for a relay protection information processing system provided by an embodiment of the present invention. The system is suitable for executing the method provided by any embodiment of the present invention and includes: a traffic data acquisition module 100, an application layer message parsing module 200, a clock tampering attack detection module 300, a malformed message attack detection module 400 and a service logic attack detection module 500.

The traffic data acquisition module 100 is used to collect traffic data of the relay protection information processing system and extract the application layer messages.

The application layer message parsing module 200 is used to perform field-level parsing of the application layer messages according to the IEC 60870-5-103 protocol and obtain the specific relay protection service each message represents.

The clock tampering attack detection module 300 is used to check the clock range, clock logic, clock synchronization and clock delay of a message and determine whether a clock tampering attack exists.

The malformed message attack detection module 400 is used to verify the message format against the protocol requirements and determine whether a malformed message attack exists.

The service logic attack detection module 500 is used to build a normal behavior model for the system service to which a message belongs, perform detection against that model, and determine whether a service logic attack exists.

The output of the traffic data acquisition module 100 is connected to the input of the application layer message parsing module 200 and supplies the extracted application layer messages.

The output of the application layer message parsing module 200 is connected to the input of the clock tampering attack detection module 300 and supplies the application layer messages and their parsing results.

The output of the clock tampering attack detection module 300 is connected to the input of the malformed message attack detection module 400 and supplies the application layer messages and their parsing results.

The output of the malformed message attack detection module 400 is connected to the input of the service logic attack detection module 500 and supplies the application layer messages and their parsing results.

As shown in FIG. 3, the clock tampering attack detection module 300 further includes: a data acquisition unit 301, a first detection unit 302, a second detection unit 303, a third detection unit 304, a fourth detection unit 305 and a fifth detection unit 306.

The output of the data acquisition unit 301 is connected to the input of the first detection unit 302 and supplies the application layer messages and their parsing results.

The output of the first detection unit 302 is connected to the input of the second detection unit 303, the output of the second detection unit 303 to the input of the third detection unit 304, the output of the third detection unit 304 to the input of the fourth detection unit 305, and the output of the fourth detection unit 305 to the input of the fifth detection unit 306.

In one embodiment, the data acquisition unit 301 reads the application layer messages of the traffic data and their parsing results and passes the read information to the first detection unit 302, the second detection unit 303, the third detection unit 304, the fourth detection unit 305 and the fifth detection unit 306.

The first detection unit 302 is used to check whether the year of the message time stamp is within the normal range; if the time stamp year is out of range, a clock tampering attack is determined.

The second detection unit 303 is used to check whether a time synchronization message is a broadcast time synchronization; if not, a clock tampering attack is determined.

The third detection unit 304 is used to check whether the logic between the actual occurrence time and the substation receive time of uploaded alarm, remote signal change and action event data is correct; if not, a clock tampering attack is determined.

The fourth detection unit 305 is used to check whether the time period of the historical fault information uploaded by the substation is consistent with the time period of the historical fault information called by the master station; if not, a clock tampering attack is determined.

The fifth detection unit 306 is used to check whether the master-substation information transfer has timed out; if so, a clock tampering attack is determined.
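The clock checks of units 302, 303, 304 and 306, written as an added Python example (not code from the patent): it decodes the CP56Time2a time tag carried by an IEC 60870-5-103 time synchronization ASDU, then applies the year window [1970, 2069], the broadcast requirement, the receive-after-occurrence ordering and the Tmax delay bound. The 1970 pivot for the two-digit year, the 0xFF broadcast address and the one-second Tmax are assumptions; the fourth check (fault history time period) needs the paired call message and is left out.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

YEAR_MIN, YEAR_MAX = 1970, 2069          # window used by the patent's year check
BROADCAST_ADDRESS = 0xFF                  # assumed link broadcast address for time sync
T_MAX = timedelta(seconds=1)              # constructed maximum transfer delay (site-specific)


@dataclass(frozen=True)
class Cp56Time:
    year: Optional[int]   # None when the year byte cannot denote a calendar year
    month: int
    day: int
    hour: int
    minute: int
    millisecond: int
    invalid: bool         # IV bit: the device itself marks the tag as invalid

    def to_datetime(self) -> datetime:
        if self.year is None:
            raise ValueError("time tag has no decodable year")
        return datetime(self.year, self.month, self.day, self.hour, self.minute,
                        self.millisecond // 1000, (self.millisecond % 1000) * 1000)


def decode_cp56time2a(raw: bytes) -> Cp56Time:
    """Decode the 7-byte CP56Time2a tag of a type 6 (time synchronization) ASDU.
    Assumption: the two-digit year is expanded with a 1970 pivot (70..99 -> 19xx,
    0..69 -> 20xx), which is what the patent's [1970, 2069] window implies; a
    value above 99 or a set reserved bit yields year=None so the range check
    rejects the tag."""
    if len(raw) != 7:
        raise ValueError("CP56Time2a is exactly 7 bytes")
    (ms,) = struct.unpack_from("<H", raw, 0)
    minute, invalid = raw[2] & 0x3F, bool(raw[2] & 0x80)
    hour = raw[3] & 0x1F
    day = raw[4] & 0x1F             # bits 5..7 carry the day of week, not needed here
    month = raw[5] & 0x0F
    ybyte = raw[6]
    yt = ybyte & 0x7F
    if ybyte & 0x80 or yt > 99:
        year = None
    else:
        year = 1900 + yt if yt >= 70 else 2000 + yt
    return Cp56Time(year, month, day, hour, minute, ms, invalid)


def check_year(tag: Cp56Time) -> bool:
    """First clock check: Yt must lie in [1970, 2069]."""
    return tag.year is not None and YEAR_MIN <= tag.year <= YEAR_MAX


def check_sync_is_broadcast(link_address: int) -> bool:
    """Second clock check: a time synchronization must be a broadcast."""
    return link_address == BROADCAST_ADDRESS


def check_event_order(t_sj: datetime, t_js: datetime) -> bool:
    """Third clock check: an event cannot be received (Tjs) before it occurred (Tsj)."""
    return t_js >= t_sj


def check_transfer_delay(t_sent: datetime, t_received: datetime,
                         t_max: timedelta = T_MAX) -> bool:
    """Fifth clock check: master-substation transfer time Tcs must not exceed Tmax
    (and cannot be negative)."""
    return timedelta(0) <= t_received - t_sent <= t_max


def encode_cp56time2a(dt: datetime, year_byte: Optional[int] = None) -> bytes:
    """Build a tag for test traffic (constructed helper, not part of the patent).
    year_byte overrides the year field so that a tampered value can be injected."""
    ms = dt.second * 1000 + dt.microsecond // 1000
    yb = year_byte if year_byte is not None else dt.year % 100
    return struct.pack("<H", ms) + bytes([dt.minute, dt.hour, dt.day, dt.month, yb])


if __name__ == "__main__":
    good = decode_cp56time2a(encode_cp56time2a(datetime(2021, 12, 30, 10, 15, 42, 250000)))
    bad = decode_cp56time2a(encode_cp56time2a(datetime(2021, 12, 30, 10, 15, 42), year_byte=0x7F))
    print("year ok:", check_year(good), check_year(bad))
    occurred = datetime(2021, 12, 30, 10, 15, 42, 500000)
    received = datetime(2021, 12, 30, 10, 15, 42, 200000)   # constructed: received before it happened
    print("order ok:", check_event_order(occurred, received))
```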

As shown in FIG. 4, the malformed message attack detection module 400 further includes: a data acquisition unit 401, a message length field detection unit 402, a message length threshold detection unit 403, a type identification field detection unit 404, a cause of transmission field detection unit 405 and an information sequence number field detection unit 406.

The output of the data acquisition unit 401 is connected to the input of the message length field detection unit 402 and supplies the application layer messages and their parsing results.

The output of the message length field detection unit 402 is connected to the input of the message length threshold detection unit 403, the output of the message length threshold detection unit 403 to the input of the type identification field detection unit 404, the output of the type identification field detection unit 404 to the input of the cause of transmission field detection unit 405, and the output of the cause of transmission field detection unit 405 to the input of the information sequence number field detection unit 406.

In one embodiment, the data acquisition unit 401 reads the application layer messages of the traffic data and their parsing results and passes the read information to the message length field detection unit 402, the message length threshold detection unit 403, the type identification field detection unit 404, the cause of transmission field detection unit 405 and the information sequence number field detection unit 406.

The message length field detection unit 402 is used to check whether the theoretical message length calculated from the length field equals the actual length; if not, a malformed message attack is determined.

The message length threshold detection unit 403 is used to check whether the actual message length exceeds 2048 bytes; if so, a malformed message attack is determined.

The type identification field detection unit 404 is used to check whether the value of the message's type identification field is valid; if not, a malformed message attack is determined.

The cause of transmission field detection unit 405 is used to check whether the value of the message's cause of transmission field is valid; if not, a malformed message attack is determined.

The information sequence number field detection unit 406 is used to check whether the value of the message's information sequence number field is valid; if not, a malformed message attack is determined.
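The format checks of units 402 to 406, as an added Python example (not the patent's code): it walks an FT1.2 variable-length frame (68 L L 68 ... CS 16) carrying an IEC 60870-5-103 ASDU and reports every violation it finds. The one-byte link and common addresses, the allowed type identification and cause of transmission sets (the standard's compatible range, both directions merged) and the per-device information number allowlist are assumptions; the sample frame is constructed.

```python
from typing import FrozenSet, List

START, END = 0x68, 0x16
MAX_FRAME_LEN = 2048       # byte threshold used by the patent's length check
ASDU_HEADER_LEN = 6        # TYP, VSQ, COT, common address, FUN, INF

# Allowed values taken from the IEC 60870-5-103 compatible range (assumption:
# both transmission directions merged; a real monitor should split them by
# direction and trim them to the device profile).
VALID_TYPE_IDS: FrozenSet[int] = frozenset(
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31})
VALID_COTS: FrozenSet[int] = frozenset(
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20, 21, 31, 40, 41, 42, 43, 44})


def theoretical_length(frame: bytes) -> int:
    """Fl(P): the length field L counts control, address and ASDU bytes, so a
    variable-length FT1.2 frame (68 L L 68 ... CS 16) is L + 6 bytes long."""
    return frame[1] + 6


def check_malformed(frame: bytes, inf_allowlist: FrozenSet[int]) -> List[str]:
    """Run the patent's five format checks (plus the link checksum) on one
    frame.  Returns the list of violations; an empty list means the frame is
    well formed.  Assumes a one-byte link address and one-byte common address."""
    violations: List[str] = []
    if len(frame) < 6 or frame[0] != START or frame[3] != START or frame[-1] != END:
        return ["not a variable-length FT1.2 frame"]
    if frame[1] != frame[2]:
        violations.append("length bytes disagree")
    if theoretical_length(frame) != len(frame):                  # unit 402
        violations.append(f"length field says {theoretical_length(frame)}, frame has {len(frame)}")
    if len(frame) > MAX_FRAME_LEN:                                # unit 403
        violations.append(f"frame longer than {MAX_FRAME_LEN} bytes")
    user_data, checksum = frame[4:-2], frame[-2]
    if sum(user_data) & 0xFF != checksum:
        violations.append("link checksum mismatch")
    asdu = user_data[2:]        # skip control byte and link address
    if len(asdu) < ASDU_HEADER_LEN:
        violations.append("ASDU shorter than its fixed header")
        return violations
    typ, cot, inf = asdu[0], asdu[2], asdu[5]
    if typ not in VALID_TYPE_IDS:                                 # unit 404
        violations.append(f"invalid type identification {typ}")
    if cot not in VALID_COTS:                                     # unit 405
        violations.append(f"invalid cause of transmission {cot}")
    if inf not in inf_allowlist:                                  # unit 406
        violations.append(f"information number {inf} not allowed for this device")
    return violations


def build_frame(control: int, address: int, asdu: bytes) -> bytes:
    """Assemble a well-formed frame for test traffic (constructed helper)."""
    user_data = bytes([control, address]) + asdu
    length = len(user_data)
    return bytes([START, length, length, START]) + user_data + bytes([sum(user_data) & 0xFF, END])


# Constructed sample: master starts a general interrogation (type 7, COT 9,
# FUN 255 global, INF 0, scan number 0) towards link address 1.
GI_INIT = build_frame(0x73, 0x01, bytes([7, 0x81, 9, 1, 255, 0, 0]))
INF_ALLOWLIST = frozenset({0, 1, 2, 3, 4, 5})    # constructed per-device allowlist

if __name__ == "__main__":
    print(check_malformed(GI_INIT, INF_ALLOWLIST))                   # []
    lying = bytearray(GI_INIT)
    lying[1] = lying[2] = 99                                           # length field disagrees with the frame
    print(check_malformed(bytes(lying), INF_ALLOWLIST))
    odd_cot = build_frame(0x73, 0x01, bytes([7, 0x81, 0, 1, 255, 0, 0]))  # COT 0 is undefined
    print(check_malformed(odd_cot, INF_ALLOWLIST))
```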

As shown in FIG. 5, the service logic attack detection module 500 further includes: a data acquisition unit 501, a read substation configuration service detection unit 502, a protection event upload service detection unit 503, a disturbance record brief report upload service detection unit 504, a setting value operation service detection unit 505, a general call service detection unit 506 and a general file transfer service detection unit 507.

The output of the data acquisition unit 501 is connected to the input of the read substation configuration service detection unit 502 and supplies the relay protection service to which each message belongs.

The output of the read substation configuration service detection unit 502 is connected to the input of the protection event upload service detection unit 503, the output of the protection event upload service detection unit 503 to the input of the disturbance record brief report upload service detection unit 504, the output of the disturbance record brief report upload service detection unit 504 to the input of the setting value operation service detection unit 505, the output of the setting value operation service detection unit 505 to the input of the general call service detection unit 506, and the output of the general call service detection unit 506 to the input of the general file transfer service detection unit 507.

In one embodiment, the data acquisition unit 501 obtains the specific relay protection service to which a message belongs and passes the read information to the read substation configuration service detection unit 502, the protection event upload service detection unit 503, the disturbance record brief report upload service detection unit 504, the setting value operation service detection unit 505, the general call service detection unit 506 and the general file transfer service detection unit 507.

The read substation configuration service detection unit 502 is used to detect whether attack behavior exists in the read substation configuration service of the relay protection information processing system.

In one embodiment, a normal behavior model of the read substation configuration service is built, and the traffic data of that service in the relay protection information processing system is checked against it for attack behavior. If a message does not conform to the normal behavior model, a read substation configuration service logic attack is determined; the unit provides its detection result as the output of the service logic attack detection module 500.

The protection event upload service detection unit 503 is used to detect whether attack behavior exists in the protection event upload service.

In one embodiment, a normal behavior model of the protection event upload service is built, and the traffic data of that service in the relay protection information processing system is checked against it for attack behavior. If a message does not conform to the normal behavior model, a protection event upload service logic attack is determined; the unit provides its detection result as the output of the service logic attack detection module 500.

The disturbance record brief report upload service detection unit 504 is used to detect whether attack behavior exists in the disturbance record brief report upload service.

In one embodiment, a normal behavior model of the disturbance record brief report upload service is built, and the traffic data of that service in the relay protection information processing system is checked against it for attack behavior. If a message does not conform to the normal behavior model, a disturbance record brief report upload service logic attack is determined; the unit provides its detection result as the output of the service logic attack detection module 500.

The setting value operation service detection unit 505 is used to detect whether attack behavior exists in the setting value operation service.

In one embodiment, a normal behavior model of the setting value operation service is built, and the traffic data of that service in the relay protection information processing system is checked against it for attack behavior. If a message does not conform to the normal behavior model, a setting value operation service logic attack is determined; the unit provides its detection result as the output of the service logic attack detection module 500.

The general call service detection unit 506 is used to detect whether attack behavior exists in the general call service.

In one embodiment, a normal behavior model of the general call service is built, and the traffic data of that service in the relay protection information processing system is checked against it for attack behavior. If a message does not conform to the normal behavior model, a general call service logic attack is determined; the unit provides its detection result as the output of the service logic attack detection module 500.

The general file transfer service detection unit 507 is used to detect whether attack behavior exists in the general file transfer service.

In one embodiment, a normal behavior model of the general file transfer service is built, and the traffic data of that service in the relay protection information processing system is checked against it for attack behavior. If a message does not conform to the normal behavior model, a general file transfer service logic attack is determined; the unit provides its detection result as the output of the service logic attack detection module 500.

Claims (10)

1. A method for monitoring attack behavior of a relay protection information processing system, characterized by comprising the following steps:
S1, capturing traffic data packets of the relay protection information processing system in real time and extracting the application layer message of the current frame of traffic data;
S2, performing field-level parsing on the application layer message;
S3, performing clock tampering attack detection on the parsed message; if the clock range, clock logic, clock synchronization and clock delay of the message do not accord with normal clock characteristics, determining that a clock tampering attack exists, otherwise entering step S4;
S4, performing malformed message attack detection on the parsed message; if the length field, type identification, cause of transmission and information sequence number values of the message do not meet the protocol requirements, determining that a malformed message attack exists, otherwise entering step S5;
S5, performing attack detection on the parsed message according to the service system to which it belongs; if the parsed message does not conform to the normal service model, determining that a service logic attack exists, otherwise determining that the current frame of traffic data is normal traffic.
2. The method for monitoring attack behavior of a relay protection information processing system according to claim 1, wherein in step S3 the specific implementation process of performing clock tampering attack detection on the parsed message comprises:
1) Judge whether the formula Yt ∈ [1970, 2069] holds; if not, it is determined to be a clock tampering attack, otherwise go to step 2); wherein
Figure FDA0003451838790000011
Yt denotes the year of the time stamp and yt denotes the value of the year identification byte of the time stamp;
2) Judge whether the following formula holds:
Figure FDA0003451838790000012
If it holds, it is determined to be a clock tampering attack; otherwise go to step 3); wherein
Figure FDA0003451838790000013
denotes the universal quantifier "for any", P denotes the application layer message parsed in step S2, PDS denotes the IEC 60870-5-103 time synchronization message, Ag(P) denotes the high 8-bit value of the ASDU address of the message, F denotes the hexadecimal digit 15, and H indicates a hexadecimal value;
3) Judge whether the following formula holds:
Figure FDA0003451838790000014
If not, it is determined to be a clock tampering attack; otherwise go to step 4); wherein PDZ denotes any one of the IEC 60870-5-103 alarm, remote signal change and action event data upload messages, Tjs(P) denotes the time at which the substation received the event, and Tsj(P) denotes the actual occurrence time of the event;
4) Detect whether the time period of the historical fault information uploaded by the substation is consistent with the time period of the historical fault information called by the master station; if not, it is determined to be a clock tampering attack, otherwise go to step 5);
5) Judge whether the following formula holds:
Figure FDA0003451838790000021
If not, it is determined to be a clock tampering attack; otherwise go to step S4; wherein
Figure FDA0003451838790000022
PXC denotes the IEC 60870-5-103 master-substation information transfer message, Tcs(P) denotes the information transfer time, Tmax denotes the maximum delay time, P1 denotes the relay protection device action information transfer message, P2 the relay protection device analog measurement value transfer message, P3 the relay protection device running state transfer message, and P4 the relay protection device setting value transfer message.
3. The method for monitoring attack behavior of a relay protection information processing system according to claim 1, wherein the specific implementation process of performing malformed message attack detection on the parsed message comprises:
I) Judge whether the following formula holds:
Figure FDA0003451838790000023
If not, it is determined to be a malformed message attack; otherwise go to step II); wherein PIEC103 denotes an IEC 60870-5-103 message, Fl(P) denotes the theoretical length of the message, and Ls(P) denotes the actual length of the message;
II) Judge whether the following formula holds:
Figure FDA0003451838790000024
If not, it is determined to be a malformed message attack; otherwise go to step III);
III) Judge whether the following formula holds:
Figure FDA0003451838790000025
If not, it is determined to be a malformed message attack; otherwise go to step IV); wherein Ft(P) denotes the value of the type identification field of the message;
IV) Judge whether the following formula holds:
Figure FDA0003451838790000026
If not, it is determined to be a malformed message attack; otherwise go to step V); wherein Fc(P) denotes the value of the cause of transmission field of the message;
V) Judge whether the following formula holds:
Figure FDA0003451838790000027
If not, it is determined to be a malformed message attack; otherwise go to step S5; wherein Fi(P) denotes the value of the information sequence number field of the message.
4. The method for monitoring attack behavior of a relay protection information processing system according to claim 1, wherein in step S5, when the message belongs to the read substation configuration service, the specific implementation process of performing attack detection on the parsed message comprises:
Judge whether the following formula holds:
Figure FDA0003451838790000031
If not, it is determined that a configuration data malicious interception attack exists; otherwise judge whether the following formula holds:
Figure FDA0003451838790000032
If not, it is determined that a data tampering attack exists; otherwise the current frame of traffic data is determined to be normal traffic; wherein PBT denotes a read substation configuration service message in the relay protection information processing system, Bn(P) denotes the number of headings uploaded by the substation, Bs denotes the total number of headings in the substation configuration, Bzh(P) denotes the group number of each entry in the same group of heading information, and Czh denotes the group number of the current group of heading information.
5. The method for monitoring attack behavior of a relay protection information processing system according to claim 1, wherein in step S5, when the message belongs to the protection event upload service, the specific implementation process of performing attack detection on the parsed message comprises:
A) Judge whether the following formula holds:
Figure FDA0003451838790000033
If not, it is determined that a double-point information malicious tampering attack exists; otherwise go to step B); wherein PBH denotes a protection event upload message in the relay protection information processing system and Dpi(P) denotes the double-point information value;
B) Detect whether the message logic of the preceding and following frames of switching value changes, action signals and pressing plate states is correct: if the preceding frame of a switching value change is open/closed and the following frame is still open/closed, if the preceding frame of an action signal is reset/operated and the following frame is still reset/operated, or if the preceding frame of a pressing plate state is not engaged/engaged and the following frame is still not engaged/engaged, it is determined that a malicious opening and closing attack exists; otherwise go to step C);
C) Judge whether the following formula holds:
Figure FDA0003451838790000034
If not, it is determined that an illegal action event upload attack exists; otherwise the current frame of traffic data is determined to be normal traffic; wherein Lbh(P) denotes the protection event message type identification, P5 denotes an alarm or switching value change event message, and P6 denotes an action event message.
6. The method for monitoring attack behavior of a relay protection information processing system according to claim 1, wherein in step S5, when the message belongs to the disturbance record brief report upload service, the specific implementation process of performing attack detection on the parsed message comprises:
i) Judge whether the following formula holds:
Figure FDA0003451838790000035
If not, it is determined that a trip phase malicious tampering attack exists; otherwise go to step ii); wherein PLB denotes a disturbance record brief report upload message in the relay protection information processing system, Gxb(P) denotes the fault phase, and Zxb(P) denotes the trip phase;
ii) Judge whether the following formula holds:
Figure FDA0003451838790000041
Whether the ground fault flag bit data are true or not is judged, if not, the ground fault flag bit data tampering attack is judged, and if not, the step iii) is carried out; wherein D is 3 Indicating the value of the flag bit of the message short-circuit earth fault, D 0 Indicating the value of the flag bit of the short-circuit fault of the A phase of the message, D 1 Indicating the value of the short-circuit fault flag bit of the B-phase of the message, D 2 Representing the value of the flag bit of the short circuit fault of the C phase of the message;
and iii) detecting whether the reclosure in the recording brief report is abnormal, if the reclosure exists after the fault occurs and the reclosure time is 0 or the reclosure does not exist and is not 0, judging that tampering attack of the reclosure time exists, and otherwise, judging the current frame flow data to be normal flow.
7. The method for monitoring the attack behavior of the relay protection information processing system according to claim 1, wherein in step S5, when the packet is a fixed value operation service, the specific implementation process of performing attack detection on the analyzed packet includes:
judgment logic X g1 →X g2 →X g3 →X g4 →X g5 →X g6 →X g7 →X g8 Whether the current frame flow data are normal flow is judged, if not, whether malicious tampering attack of the relay protection device setting value exists is judged, and otherwise, the current frame flow data are judged to be normal flow; wherein, X g1 Message, X, indicating the current running fixed-value area code of the calling device g2 Message, X, indicating the current running fixed-value area code of the substation uploading device g3 Message, X, indicating the fixed value of the calling device of the Master station g4 Message, X, indicating the fixed value of the uploading device of the substation g5 Presentation substation downloading of definite value message, X g6 Message, X, indicating the value of the response substation g7 Indicating execution of a constant value modification message, X g8 The substation responds to the fixed value modification message.
8. The method for monitoring the attack behavior of the relay protection information processing system according to claim 1, wherein in step S5, when the packet is a total call service, the specific implementation process of performing attack detection on the analyzed packet includes:
judging, by the judgment logic Zh1 → Zh2 → Zh3, whether the current frame of traffic data is normal traffic; if not, judging that an illegal total call attack exists, otherwise judging whether the formula
Figure FDA0003451838790000042
holds; if not, judging that an illegal total call attack exists, otherwise judging the current frame of traffic data to be normal traffic; wherein Zh1 denotes the message with which the master station initiates a total call, Zh2 the substation's information upload message, Zh3 the total call completion message, P_ZH the total call service message of the relay protection information processing system, Zhn the number of messages uploaded by the substation, Zhs the number of devices in the substation, As the ASDU address of the message, and H indicates that the value is 16.
9. The method for monitoring the attack behavior of the relay protection information processing system according to claim 1, wherein in step S5, when the packet is a general file transfer service, the specific implementation process of performing attack detection on the analyzed packet includes:
detecting whether the file name contains only a directory name and a wildcard; if so, judging that an illegal file upload attack exists, otherwise judging whether the formula
Figure FDA0003451838790000051
holds; if not, judging that a file clock tampering attack exists, otherwise judging the current frame of traffic data to be normal traffic;
wherein P_WJ denotes the file list upload message of the relay protection information processing system, Tlb(P) the file list upload time, Cq the query start time of the file list, and Cz the query end time of the file list.
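As an added illustration of the per-frame judgment logic in claims 6 (step iii), 7 and 9, and not code from the patent: the message type labels for Xg1..Xg8, the reading of "directory name and a wildcard" as a bare wildcard basename, and the sample inputs are assumptions; the two formulas that survive only as figure references are not reproduced.

```python
from typing import List

# Added illustration, not the patent's code: labels and interpretation assumed.
# Required frame order for the fixed-value operation service (claim 7, Xg1..Xg8).
SETTING_OP_SEQUENCE: List[str] = [
    "Xg1_call_running_zone_code",
    "Xg2_substation_upload_running_zone_code",
    "Xg3_master_call_fixed_values",
    "Xg4_substation_upload_fixed_values",
    "Xg5_substation_download_fixed_values",
    "Xg6_substation_respond_fixed_values",
    "Xg7_execute_fixed_value_modification",
    "Xg8_substation_respond_modification",
]


def check_setting_frame(history: List[str], frame_type: str) -> str:
    """One frame is normal only if it is the next expected step of the sequence."""
    step = len(history)
    if step < len(SETTING_OP_SEQUENCE) and frame_type == SETTING_OP_SEQUENCE[step]:
        return "normal"
    return "setting value tampering attack"


def check_setting_session(frames: List[str]) -> List[str]:
    """Per-frame verdicts for a session; stop at the first out-of-sequence frame."""
    verdicts: List[str] = []
    for i, frame in enumerate(frames):
        verdicts.append(check_setting_frame(frames[:i], frame))
        if verdicts[-1] != "normal":
            break
    return verdicts


def check_reclosing(reclosed: bool, reclose_time: float) -> str:
    """Claim 6 step iii: reclosing with time 0, or time != 0 with no reclosing."""
    if (reclosed and reclose_time == 0) or (not reclosed and reclose_time != 0):
        return "reclosing time tampering attack"
    return "normal"


def check_file_name(name: str) -> str:
    """Claim 9: directory plus a bare wildcard is an illegal file upload request."""
    directory, _, base = name.replace("\\", "/").rpartition("/")
    if directory and base and set(base) <= {"*", "?"}:
        return "illegal file upload attack"
    return "normal"
```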
10. A computer apparatus comprising a memory, a processor and a computer program stored on the memory, characterized in that the processor executes the computer program to carry out the steps of the method according to any one of claims 1 to 9.
CN202111675512.4A 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system Active CN114825607B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111675512.4A CN114825607B (en) 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system

Publications (2)

Publication Number Publication Date
CN114825607A true CN114825607A (en) 2022-07-29
CN114825607B CN114825607B (en) 2024-11-26

Family

ID=82527096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111675512.4A Active CN114825607B (en) 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system

Country Status (1)

Country Link
CN (1) CN114825607B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080208680A1 (en) * 2006-06-06 2008-08-28 Ergonotech Inc DriveOn Pay(TM) as WiMAX-compatible Menu-Driven Dashtop Mobile Payment Platform
CN101316051A (en) * 2008-07-03 2008-12-03 绍兴电力局 Internetwork communication log analysis system and method based on IEC61850 transforming plant automatization system
CN210578609U (en) * 2019-10-25 2020-05-19 国网湖北省电力有限公司电力科学研究院 Ethernet photoelectric digital signal detection device based on real-time clock

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Xiaofang; Zhou Youqing; Yuan Xulong; Huang Zhao: "A wide-area redundant time synchronization model for power systems based on clock state estimation", Power System Protection and Control, no. 01, 1 January 2009 (2009-01-01) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115913784A (en) * 2023-01-05 2023-04-04 阿里巴巴(中国)有限公司 Network attack defense system, method and device and electronic equipment
CN115913784B (en) * 2023-01-05 2023-08-08 阿里巴巴(中国)有限公司 Network attack defense system, method and device and electronic equipment

Also Published As

Publication number Publication date
CN114825607B (en) 2024-11-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant