CN114938385A - Power physical network security situation sensing method, device, equipment and medium - Google Patents

Publication number
CN114938385A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210475954.2A
Other languages
Chinese (zh)
Other versions
CN114938385B (en)
Inventor
陈智明
黄敬志
陈敏
何明东
唐亮亮
黄小强
王远雄
曹德发
罗威
傅格话
张驰俊
黄科
王永强
谢敏敏
李志华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Power Grid Co Ltd
Meizhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Meizhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd, Meizhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN202210475954.2A
Publication of CN114938385A
Application granted
Publication of CN114938385B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation

Abstract

The invention discloses a method, a device, equipment and a medium for sensing the security situation of a power physical network. The method comprises the following steps: acquiring a current observation subject from an observation queue, and acquiring a communication matrix of the current observation subject; mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning; selecting a new observation subject in the gradient ascent direction of the situation awareness vector, and adding the new observation subject to the observation queue; and returning to the operation of acquiring the current observation subject from the observation queue and acquiring its communication matrix, until the point where the safety accident occurred is located according to the situation awareness vector, and then sending an alarm. According to the technical scheme of the embodiment of the invention, the global security situation of the power Internet of things can be monitored through a deep learning model using the local observation information of only some of the nodes.

Description

Power physical network security situation sensing method, device, equipment and medium
Technical Field
The invention relates to the technical field of information security, in particular to a method, a device, equipment and a medium for sensing the security situation of a power physical network.
Background
The power Internet of things is the product of combining power technology with the Internet of things and advanced technologies such as big data, artificial intelligence and cloud computing. It deeply integrates information technologies such as information acquisition, data processing and intelligent control into the physical power system to interconnect people and objects. One end of the power Internet of things is connected to power energy sources, and the other end to important practical fields such as finance and transportation. It plays an important role in guaranteeing the security of power users' information and data and in maintaining the safe and stable operation of the power grid, and it has a huge influence on the normal operation of the economy and society.
In the prior art, because the power Internet of things is a deep combination of the Internet and industry, problems such as data deviation, loss and explosion caused by network attacks can directly reach the front-line physical layer of the power grid and cause great losses to the social economy and national security. Therefore, an active defense method against network security threats to the power Internet of things needs to be established, applying advanced Internet of things technology to achieve comprehensive perception, accurate prediction and intelligent decision-making.
However, the time-varying nonlinearity, random uncertainty and local observability of the power Internet of things make it difficult for traditional machine learning methods to comprehensively reflect the steady-state and transient characteristics of the power Internet of things system in a new state, which increases the difficulty of power grid planning and design, operation and maintenance, and protection and control.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for sensing the security situation of a power physical network, which are used for solving the problem that the security situation of the power Internet of things is difficult to sense comprehensively by using a traditional machine learning method, and monitoring the global security situation of the power Internet of things by using local observation information of partial nodes through a deep learning model.
According to an aspect of the invention, a method for sensing the security situation of a power physical network is provided, which comprises the following steps:
acquiring a current observation main body from an observation queue, and acquiring a communication matrix of the current observation main body;
mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning;
selecting a new observation subject in the gradient ascending direction of the situation perception vector, and adding the new observation subject into the observation queue;
and returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm.
Optionally, the obtaining the communication matrix of the current observation subject includes:
collecting all communication data packets of the current observation subject in a period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication body vector, and the communication body vector points to a receiving source end from a transmitting source;
classifying the communication data packet according to the communication body vector to obtain a grouped data packet;
converting each grouped data packet into a binary system, and sequencing each grouped data packet according to a time sequence to form an ordered data packet set;
and converting the ordered data packet set into a communication matrix with determined rows and columns.
Optionally, the converting the ordered data packet set into a communication matrix with determined rows and columns includes:
acquiring the number of rows and columns of a communication matrix; the row and column number is determined according to the data packet number distribution and the data packet length distribution of the ordered data packet set with the specified number;
and according to the number of rows and columns of the communication matrix, carrying out screening and segmentation processing on the ordered data packet set of the current observation main body to generate the communication matrix.
Optionally, before using a situation awareness model based on deep learning and mapping the communication matrix into a situation awareness vector, the method further includes:
acquiring the number of rows and columns of a communication matrix, and creating an AlexNet model according to the number of rows and columns of the communication matrix;
acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a test set;
training the AlexNet model by using the training set until the loss function of the AlexNet model in the test set reaches a first threshold value, and obtaining a situation perception model.
Optionally, the loss function of the AlexNet model includes:
Figure BDA0003625577810000031
wherein, F is a loss function,
Figure BDA0003625577810000032
TP is the number of correct model predictions, FP is the number of labels of other classes that are wrongly predicted as this class, and FN is the number of labels of this class that are wrongly predicted as other classes.
Optionally, the selecting a new observation subject in the gradient ascending direction of the situation awareness vector and adding the new observation subject into the observation queue includes:
selecting an alternative label with an abnormal weight value larger than a second threshold value according to the situation perception vector;
calculating the abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting the abnormal main body corresponding to the maximum value of the abnormal gradient as a new observation main body, and adding the new observation main body into the observation queue.
According to another aspect of the present invention, there is provided a cyber-physical network security situation awareness apparatus, including:
the information acquisition module is used for acquiring a current observation main body from an observation queue and acquiring a communication matrix of the current observation main body;
the vector mapping module is used for mapping the communication matrix into a situation perception vector by using a situation perception model based on deep learning;
the queue updating module is used for selecting a new observation main body in the gradient ascending direction of the situation perception vector and adding the new observation main body into the observation queue;
and the cyclic execution module is used for executing the operation of returning and executing the current observation main body obtained from the observation queue and the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm.
Optionally, the information obtaining module includes:
the acquisition unit is used for acquiring all communication data packets of the current observation main body in one period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication body vector, and the communication body vector points to a receiving source end from a transmitting source;
a classification unit, configured to perform classification on the communication data packet according to the communication subject vector, so as to obtain a packet data packet;
the sequencing unit is used for converting each grouped data packet into a binary system and sequencing each grouped data packet according to the time sequence to form an ordered data packet set;
and the conversion unit is used for converting the ordered data packet set into a communication matrix with determined rows and columns.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform a method for cyber-physical network security posture awareness according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement the method for security situation awareness of a cyber-physical network according to any one of the embodiments of the present invention when the computer instructions are executed.
According to the technical scheme of the embodiment of the invention, the communication matrix of the current observation main body is obtained by obtaining the current observation main body from the observation queue; mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning; selecting a new observation subject in the gradient ascending direction of the situation perception vector, and adding the new observation subject into the observation queue; and returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm, so that the problem that the traditional machine learning method is difficult to comprehensively perceive the safety situation of the power internet of things is solved, and the beneficial effect of monitoring the overall safety situation of the power internet of things by using local observation information of partial nodes through a deep learning model is achieved.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for sensing a security situation of a power physical network according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a security situation awareness apparatus for a power physical network according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an electronic device implementing the method for sensing the security situation of the cyber-physical network according to the embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a security situation awareness method for a cyber-physical network according to an embodiment of the present invention, where the embodiment is applicable to a situation of security situation awareness for the cyber-physical network, and the method can be implemented by a cyber-physical network security situation awareness apparatus, which can be implemented in hardware and/or software, and can be configured in an electronic device. As shown in fig. 1, the method includes:
S110, acquiring a current observation subject from the observation queue, and acquiring a communication matrix of the current observation subject.
In this embodiment, the sensing range of a single node in the power Internet of things is taken as the entry point. The local observability of the power Internet of things is fully exploited to predict the state of all nodes from the state of some of the nodes; that is, the global accident occurrence point is located by observing local nodes, and hidden dangers are then handled by intelligent decision-making and eliminated, so that the stable and safe operation of the power Internet of things is guaranteed.
In this embodiment, n nodes may be randomly selected in the power Internet of things as initial observation subjects and added to the observation queue $s = [s_1, s_2, \ldots, s_n]$. The randomly initialized observation subjects serve as seed subjects for detecting the source of the incident. A node is taken from the head of the observation queue as the current observation subject, and all data packets passing through the node in one time period are collected through the man-in-the-middle agent network built at the node. The data packets are then classified and redundant data packets are filtered out. Finally, the data packets are segmented, screened and padded according to a certain rule and converted into bit-stream data of equal length, and the direction vector from the data source to the receiving source is combined with the bit-stream data of the data packets to generate the communication matrix of the current observation subject in that period.
Optionally, the obtaining the communication matrix of the current observation subject includes: collecting all communication data packets of the current observation subject in a period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication body vector, and the communication body vector points to a receiving source end from a transmitting source; classifying the communication data packet according to the communication body vector to obtain a grouped data packet; converting each grouped data packet into a binary system, and sequencing each grouped data packet according to time sequence to form an ordered data packet set; and converting the ordered data packet set into a communication matrix with determined row and column.
In this embodiment, a man-in-the-middle agent network is built at each node of the power Internet of things, and all communication data packets at each node are collected through it. The man-in-the-middle agent network holds no communication certificate, so it cannot parse the collected communication data packets, but it can record the data stream of each communication data packet and its communication subjects. Illustratively, when the time period is T and the set of communication data packets of node i collected by the man-in-the-middle agent network is $DataPacket_T$, the communication body vector of each group of data streams in the communication data packets is
Figure BDA0003625577810000071
where k is the identifier of the source that sent the data and j is the identifier of the source that received it.
Because the communication data packets in $DataPacket_T$ are unordered, they can be normalized into structured groups of bit-stream data to provide a basis for subsequent information processing. Specifically, according to the communication body vector from the sending source to the receiving source
Figure BDA0003625577810000072
the man-in-the-middle agent network classifies all communication data packets of the current observation subject i in the time period T to obtain grouped data packets. Illustratively, assuming that n subjects currently communicate with the current observation subject i, the set of communication data packets sent from the current observation subject i to communication subject j, $j \in [1, n]$, is recorded as
Figure BDA0003625577810000073
Figure BDA0003625577810000076
where
Figure BDA0003625577810000074
is the data packet corresponding to the communication body vector
Figure BDA0003625577810000075
Figure BDA0003625577810000081
Each vector in each grouped data packet is converted into binary. Let the set of grouped data packets corresponding to the communication body vectors
Figure BDA0003625577810000082
and
Figure BDA0003625577810000083
be $DP = \{DataPacket_{i1}, \ldots, DataPacket_{ij}, DataPacket_{1i}, \ldots, DataPacket_{ji}\}$. The elements of the set DP are sorted in time order to generate an ordered data packet set DP', and the set DP' is converted into a communication matrix with determined rows and columns.
Optionally, the converting the ordered data packet set into a communication matrix with determined rows and columns includes: acquiring the number of rows and columns of a communication matrix; the row and column number is determined according to the data packet number distribution and the data packet length distribution of the ordered data packet set with the specified number; and according to the number of rows and columns of the communication matrix, carrying out screening and segmentation processing on the ordered data packet set of the current observation subject to generate the communication matrix.
In this embodiment, the man-in-the-middle agent network collects statistics over all ordered data packet sets $DP'_o$, $o \in [1, T]$, in periods 1 to T. The upper quartile of the data packet counts is taken as the number of rows, rows, of the communication matrix, and the upper quartile of the data packet lengths is taken as the number of columns, columns. When the ordered data packet set DP' is converted into a communication matrix, the number of rows and columns of the communication matrix may be obtained first, and then rows data packet vectors may be randomly selected from the ordered data packet set DP'. If the number of rows of the set DP' is greater than rows, the remaining elements are discarded; if it is less than rows, the set is padded up to rows with $[0]_{columns}$ vectors. Meanwhile, every selected data packet vector whose length is greater than columns is truncated so that only positions 0 through columns − 1 are retained, and every vector whose length is less than columns is padded with 0. In this way the ordered set DP', whose elements vary in length and in number, is converted into a communication matrix $COM_{rows \times columns}$ with determined rows and columns. Here the upper quartile is the value at the 75% position after all values are arranged from small to large.
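The conversion from captured packets to a fixed-size communication matrix described above can be sketched as follows. This is an added example, not code from the patent. The packet tuple layout, the node names, the nearest-rank indexing used for the upper quartile, and keeping the randomly selected packets in time order are assumptions of the example.

```python
import math
import random
from collections import defaultdict

# Constructed sample: three collection periods seen by the proxy at the
# hypothetical node "rtu-7". Tuples are (timestamp, sender, receiver, payload);
# payloads stay opaque bytes because the proxy holds no communication certificate.
SAMPLE_PERIODS = [
    [(2.0, "scada-1", "rtu-7", b"\xff"),
     (1.5, "meter-3", "scada-1", b"\x00"),      # does not involve rtu-7
     (1.0, "rtu-7", "scada-1", b"\x01\x02")],
    [(10.0, "rtu-7", "scada-1", b"\x10"),
     (11.0, "rtu-7", "meter-3", b"\x20"),
     (12.0, "meter-3", "rtu-7", b"\x01\x02\x03")],
    [(20.0, "rtu-7", "scada-1", b"\xaa\xbb\xcc\xdd"),
     (21.0, "scada-1", "rtu-7", b"\x00\x01"),
     (22.0, "rtu-7", "meter-3", b"\x7f"),
     (23.0, "meter-3", "rtu-7", b"\x0f\xf0")],
]


def to_bits(payload):
    """Opaque payload bytes -> list of 0/1 values, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]


def ordered_packet_set(packets, subject):
    """Build the ordered set DP' of one period for the observation subject."""
    groups = defaultdict(list)          # communication body vector -> packets
    for ts, src, dst, payload in packets:
        if subject in (src, dst):       # filter traffic not involving the subject
            groups[(src, dst)].append((ts, to_bits(payload)))
    merged = [(ts, vec, bits) for vec, grp in groups.items() for ts, bits in grp]
    return sorted(merged, key=lambda item: item[0])   # chronological order


def upper_quartile(values):
    """Value at the 75% position of the ascending list (nearest rank, assumed)."""
    ordered = sorted(values)
    return ordered[math.ceil(0.75 * len(ordered)) - 1]


def matrix_shape(history):
    """rows/columns from the packet-count and packet-length distributions."""
    rows = upper_quartile([len(dp) for dp in history])
    columns = upper_quartile([len(bits) for dp in history for _, _, bits in dp])
    return rows, columns


def communication_matrix(dp, rows, columns, seed=0):
    """Convert one ordered set DP' into a rows x columns 0/1 matrix.

    Returns (matrix, vectors); vectors[i] is the communication body vector of
    row i, or None for a padding row.
    """
    if len(dp) > rows:
        # Randomly select `rows` packets and discard the rest. Keeping the
        # survivors in time order is an assumption of this example.
        rng = random.Random(seed)
        dp = [dp[i] for i in sorted(rng.sample(range(len(dp)), rows))]
    matrix, vectors = [], []
    for _, vec, bits in dp:
        row = bits[:columns]                    # truncate long packets
        row += [0] * (columns - len(row))       # zero-pad short packets
        matrix.append(row)
        vectors.append(vec)
    while len(matrix) < rows:                   # pad missing rows with zeros
        matrix.append([0] * columns)
        vectors.append(None)
    return matrix, vectors


if __name__ == "__main__":
    history = [ordered_packet_set(p, "rtu-7") for p in SAMPLE_PERIODS]
    rows, columns = matrix_shape(history)
    matrix, vectors = communication_matrix(history[0], rows, columns)
    print(rows, columns)
    for vec, row in zip(vectors, matrix):
        print(vec, "".join(map(str, row)))
```

Because the shape is fixed from the quartiles of past periods, a period with unusually many or unusually long packets loses data to discarding and truncation, which is worth keeping in mind when judging what the downstream model can see.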
In this embodiment, by collecting and processing the observation data of a single node in the power Internet of things, the situation awareness model gains the ability to infer the whole from a single point and from local observation. From a local viewpoint, the communication data of a single node in the power Internet of things is processed by a low-load, highly timely method, which provides the information-processing basis for subsequent steps.
And S120, mapping the communication matrix into a situation perception vector by using a situation perception model based on deep learning.
In this embodiment, the deep learning technology can understand and predict the development trend of each factor that can cause the system situation change in a specific time and space, that is, has the situation awareness capability. Therefore, a deep learning technology is introduced into the power internet of things, and the safety situation in the network structure and the operation state is comprehensively analyzed based on the scene requirement of situation perception under the power internet of things. On one hand, high-dimensional complex data of the power internet of things can be mined and feature extraction can be carried out, on the other hand, the problems that training data of a traditional machine learning method in practical application is insufficient, generalization capability is poor and the like can be solved, therefore, the operation and maintenance and control capability of the power internet of things is improved, and accurate prediction and intelligent decision making are carried out when safety threats in the field of the power internet of things are dealt with.
In this embodiment, a mapping mathematical model, that is, a transformation model in which communication data and a situation awareness gradient are directly mapped, may be first constructed, a deep learning target may be determined, and the transformation model may be calculated by using a deep learning algorithm to generate the situation awareness model. The high-dimensionality matrix is converted into the weight vector with the corresponding direction by using the convolutional neural network, and the technical goal of point and surface situation perception is realized without the participation of experts.
Optionally, before using a situation awareness model based on deep learning and mapping the communication matrix into a situation awareness vector, the method further includes: acquiring the number of rows and columns of a communication matrix, and establishing an AlexNet model according to the number of rows and columns of the communication matrix; acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a test set; and training the AlexNet model by using the training set until the loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation perception model.
In this embodiment, to generate the situation awareness model, a mapping mathematical model may be constructed first and the deep learning target determined. That is, a mathematical model $AlexNet(COM_{rows \times columns})$ is constructed whose output Pos is a one-dimensional array of 0, 1 with a length of rows. Then, according to the communication matrix size rows × columns, an AlexNet convolutional neural network model is created, and its 5-layer convolution-pooling network is constructed and initialized. Next, a training set and a test set may be constructed to train the model parameters. The process of generating the communication matrix can be repeated p times to generate the communication matrix set $data = \{COM_1, COM_2, \ldots, COM_p\}$, and the s abnormal subjects $\{u_1, u_2, \ldots, u_s\}$ nearest to subject i, together with the abnormal weight labels between those abnormal subjects and subject i, are found from the labeled historical training model data set. Here $label_{u_s} \in [0, 1]$; a value greater than 0.5 indicates that the communication between subject $u_s$ and subject i is abnormal, and the larger the value, the more likely the subject is abnormal. If the historical training model data set is not labeled, the labels are marked manually. The process of forming the communication matrix set is repeated k times to obtain the data set $Data = \{data_1, data_2, \ldots, data_k\}$ and the corresponding abnormal weight label set $Label = \{Label_1, Label_2, \ldots, Label_k\}$, which are randomly divided in a 2:8 ratio into a test set and a training set, recorded as $Data_{test}$ & $Label_{test}$ and $Data_{train}$ & $Label_{train}$. The model parameters of the AlexNet model are trained using the training set until the loss function of the AlexNet model on the test set reaches a first threshold value, such as 0.9, yielding the situation awareness model and realizing the mapping from the communication matrix to the perception direction.
Optionally, the loss function of the AlexNet model includes:
Figure BDA0003625577810000101
wherein F is a loss function,
Figure BDA0003625577810000102
TP is the number of correct model predictions, FP is the number of the labels of the other classes which are predicted by mistake, and FN is the number of the labels of the other classes which are predicted by mistake.
In this embodiment, local observation information acquired by a single node is converted into an instructive situation awareness vector, so that local monitoring of a global situation becomes possible. The point-to-point communication matrix and the communication vector are converted into the weight value of the moving direction of the high-dimensional matrix by utilizing the computing capability of the deep learning model, and the situation perception vector is formed by the multi-dimensional weight values to guide the perception direction.
S130, selecting a new observation subject in the gradient ascending direction of the situation perception vector, and adding the new observation subject into the observation queue.
In this embodiment, to move from the current observation subject to another observation subject closer to the source of the security accident, so that the observation points connect into an observation line, the gradient of the multi-dimensional situation awareness vector of the current observation subject can be calculated; the moving direction of the observation subject is determined according to the gradient rising direction, and a new observation subject is determined.
Optionally, the selecting a new observation subject in the gradient ascending direction of the situation awareness vector and adding the new observation subject into the observation queue includes: selecting an alternative label with an abnormal weight value larger than a second threshold value according to the situation perception vector; calculating the abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body; and selecting the abnormal main body corresponding to the maximum value of the abnormal gradient as a new observation main body, and adding the new observation main body into the observation queue.
In this embodiment, the situation awareness vector of the current observation subject $s_i$ is obtained:
Figure BDA0003625577810000111
The observation path is then detected by adopting a breadth-first method, gradually approaching the safety accident source. In
Figure BDA0003625577810000112
the candidate labels whose abnormal weight value is larger than a second threshold value, for example 0.5, are selected, and the subjects $s_q, s_{q+1}, \dots, s_{q+i}$ corresponding to the candidate labels are searched for, where i is the number of subjects with a label larger than 0.5 and q belongs to n. The subjects $s_q, s_{q+1}, \dots, s_{q+i}$ are taken as the abnormal subjects, and the abnormality degree $\sum |pos_q|$ is calculated. According to the trend of the abnormality degree change $s_q \to s_i$, the abnormal gradient from each abnormal subject $s_q$ to the current observation subject $s_i$ is calculated separately:
Figure BDA0003625577810000113
The abnormal subject s' with the highest abnormal gradient is selected and added, as a new observation subject, to the tail of the observation queue.
S140, returning to execute the operation of acquiring the current observation subject from the observation queue and acquiring the communication matrix of the current observation subject until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm.
In this embodiment, after a new observation subject is added to the observation queue, a node is again taken out from the head of the observation queue as the current observation subject, and its communication matrix for one time period is obtained by collecting and processing data packets through a man-in-the-middle proxy network built at the current observation subject. The local perception gradient direction of the current observation subject is detected through the deep learning model; by moving the observation point in the gradient ascending direction, the method gradually locates a local maximum value point representing a suspected safety accident outbreak point, and a warning is sent.
In the embodiment, the observation points are connected into the observation line by moving the local situation observed by the nodes in the power internet of things along the gradient rising direction of the nodes, so that the functions of finding the safety accident source in the power internet of things and giving an alarm through a small number of observation points are realized. The fixed local observation points are changed into a dynamic form, so that a large amount of resources are saved, and the monitoring on the global security situation of the power internet of things is realized.
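The queue-driven search of S130 and S140, sketched as an added example (not code from the patent). The per-subject vectors are constructed sample data standing in for the model output, the names `situation_vector`, `next_observation_subject` and `locate_incident` are hypothetical, and the abnormal gradient is assumed to be the difference in abnormality degree, because the patent's own formula sits in a figure that this page does not reproduce.

```python
from collections import deque

# Constructed sample data: for each subject, its situation awareness vector as
# {peer subject: abnormal weight in [0, 1]}. In the patent this vector comes
# from the trained model applied to the subject's communication matrix.
POS = {
    "gw": {"a": 0.6, "x": 0.1},
    "a": {"gw": 0.6, "b": 0.7, "d": 0.2},
    "b": {"a": 0.7, "c": 0.9, "e": 0.3},
    "c": {"b": 0.9, "f": 0.8, "g": 0.6},
    "d": {"a": 0.2},
    "e": {"b": 0.3},
    "f": {"c": 0.8},
    "g": {"c": 0.6},
    "x": {"gw": 0.1},
}

SECOND_THRESHOLD = 0.5  # example value given in the text


def situation_vector(subject):
    """Hypothetical model call: observe `subject` for one period, return its vector."""
    return POS[subject]


def abnormality_degree(vector):
    """Sum of |pos| over the vector, the abnormality degree named in the text."""
    return sum(abs(weight) for weight in vector.values())


def next_observation_subject(vector, threshold=SECOND_THRESHOLD):
    """Return the candidate with the largest positive abnormal gradient, else None.

    Assumption: gradient(s_q -> s_i) = degree(s_q) - degree(s_i).
    """
    base = abnormality_degree(vector)
    best, best_gradient = None, 0.0
    for peer, weight in vector.items():
        if weight <= threshold:
            continue  # label does not exceed the second threshold: not a candidate
        gradient = abnormality_degree(situation_vector(peer)) - base
        if gradient > best_gradient:
            best, best_gradient = peer, gradient
    return best


def locate_incident(start, max_steps=32):
    """Walk the observation queue uphill; return (observation path, alarm subject)."""
    queue = deque([start])
    path = []
    while queue and len(path) < max_steps:  # max_steps guards against drifting vectors
        current = queue.popleft()           # take the head of the observation queue
        path.append(current)
        vector = situation_vector(current)
        has_candidates = any(w > SECOND_THRESHOLD for w in vector.values())
        if not has_candidates and len(path) == 1:
            return path, None               # quiet start: nothing abnormal in view
        nxt = next_observation_subject(vector)
        if nxt is None:
            return path, current            # local maximum: raise the alarm here
        queue.append(nxt)                   # new observation subject joins the tail
    return path, None                       # step budget exhausted, no alarm


if __name__ == "__main__":
    print(locate_incident("gw"))
```

Because each move requires a strictly positive gradient, the walk cannot revisit a subject while the vectors stay fixed; the step budget only matters when the vectors change between observation periods.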
According to the technical scheme of the embodiment of the invention, the communication matrix of the current observation main body is obtained by obtaining the current observation main body from the observation queue; mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning; selecting a new observation subject in the gradient ascending direction of the situation perception vector, and adding the new observation subject into the observation queue; and returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm, so that the problem that the traditional machine learning method is difficult to comprehensively perceive the safety situation of the power internet of things is solved, and the beneficial effect of monitoring the overall safety situation of the power internet of things by using local observation information of partial nodes through a deep learning model is achieved.
Example two
Fig. 2 is a schematic structural diagram of a device for sensing a security situation of a cyber-physical network according to a second embodiment of the present invention. As shown in fig. 2, the apparatus includes: an information acquisition module 210, a vector mapping module 220, a queue update module 230, and a loop execution module 240.
An information obtaining module 210, configured to obtain a current observation subject from an observation queue, and obtain a communication matrix of the current observation subject;
a vector mapping module 220, configured to perform mapping the communication matrix into a situational awareness vector using a deep learning-based situational awareness model;
a queue updating module 230, configured to select a new observation subject in a gradient ascending direction of the situation awareness vector, and add the new observation subject to the observation queue;
and the loop execution module 240 is configured to return to the operation of acquiring the current observation subject from the observation queue and acquiring the communication matrix of the current observation subject, until a security accident occurrence point is located according to the situation awareness vector, and to issue an alarm.
Optionally, the information obtaining module includes:
the acquisition unit is used for acquiring all communication data packets of the current observation main body in one period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication body vector, and the communication body vector points from the transmitting source to the receiving end;
a classification unit, configured to perform classification on the communication data packet according to the communication subject vector, so as to obtain a packet data packet;
the sequencing unit is used for converting each grouped data packet into a binary system and sequencing each grouped data packet according to the time sequence to form an ordered data packet set;
and the conversion unit is used for converting the ordered data packet set into a communication matrix with determined rows and columns.
Optionally, the conversion unit is configured to perform obtaining of the number of rows and columns of the communication matrix; the row and column number is determined according to the data packet number distribution and the data packet length distribution of the ordered data packet set with the specified number;
and according to the number of rows and columns of the communication matrix, carrying out screening and segmentation processing on the ordered data packet set of the current observation main body to generate the communication matrix.
Optionally, the device further includes: a model training module, configured to perform the following before the communication matrix is mapped into a situational awareness vector using a deep learning-based situational awareness model:
acquiring the number of rows and columns of a communication matrix, and creating an AlexNet model according to the number of rows and columns of the communication matrix;
acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a test set;
and training the AlexNet model by using the training set until the loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation perception model.
Optionally, the loss function of the AlexNet model includes:
Figure BDA0003625577810000131
wherein F is a loss function,
Figure BDA0003625577810000132
TP is the number of correct model predictions, FP is the number of the labels of the other classes which are predicted by mistake, and FN is the number of the labels of the other classes which are predicted by mistake.
Optionally, the queue updating module 230 is configured to perform:
selecting an alternative label with an abnormal weight value larger than a second threshold value according to the situation perception vector;
calculating the abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting the abnormal main body corresponding to the maximum value of the abnormal gradient as a new observation main body, and adding the new observation main body into the observation queue.
The security situation awareness device for the power physical network, provided by the embodiment of the invention, can execute the security situation awareness method for the power physical network, provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example three
FIG. 3 illustrates a schematic diagram of an electronic device 10 that may be used to implement an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 3, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM)12, a Random Access Memory (RAM)13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM)12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as the cyber-physical security posture awareness method.
In some embodiments, the cyber-physical security posture awareness method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the above described cyber-physical security posture sensing method may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the cyber-physical network security posture awareness method in any other suitable manner (e.g., by way of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A power physical network security situation awareness method is characterized by comprising the following steps:
acquiring a current observation main body from an observation queue, and acquiring a communication matrix of the current observation main body;
mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning;
selecting a new observation subject in the gradient ascending direction of the situation perception vector, and adding the new observation subject into the observation queue;
and returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm.
2. The method of claim 1, wherein the obtaining the communication matrix of the current observation subject comprises:
collecting all communication data packets of the current observation main body in a period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points from the transmitting source to the receiving end;
classifying the communication data packet according to the communication main body vector to obtain a grouped data packet;
converting each grouped data packet into a binary system, and sequencing each grouped data packet according to a time sequence to form an ordered data packet set;
and converting the ordered data packet set into a communication matrix with determined rows and columns.
3. The method of claim 2, wherein converting the ordered set of packets into a row-column determined communication matrix comprises:
acquiring the number of rows and columns of a communication matrix; the row and column number is determined according to the data packet number distribution and the data packet length distribution of the ordered data packet set with the specified number;
and according to the number of rows and columns of the communication matrix, carrying out screening and segmentation processing on the ordered data packet set of the current observation main body to generate the communication matrix.
4. The method according to claim 1, before mapping the communication matrix to a situational awareness vector using a deep learning-based situational awareness model, further comprising:
acquiring the number of rows and columns of a communication matrix, and creating an AlexNet model according to the number of rows and columns of the communication matrix;
acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a test set;
and training the AlexNet model by using the training set until the loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation perception model.
5. The method of claim 4, wherein the loss function of the AlexNet model comprises:
Figure FDA0003625577800000021
wherein F is a loss function,
Figure FDA0003625577800000022
TP is the number of correct model predictions, FP is the number of the labels of the other classes which are predicted by mistake, and FN is the number of the labels of the other classes which are predicted by mistake.
6. The method according to claim 1, wherein the selecting a new observation subject in the ascending direction of the gradient of the situational awareness vector and adding the new observation subject to the observation queue comprises:
selecting an alternative label with an abnormal weight value larger than a second threshold value according to the situation perception vector;
calculating the abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting the abnormal main body corresponding to the maximum value of the abnormal gradient as a new observation main body, and adding the new observation main body into the observation queue.
7. A device for sensing the security situation of a power physical network is characterized by comprising:
the information acquisition module is used for acquiring a current observation main body from an observation queue and acquiring a communication matrix of the current observation main body;
the vector mapping module is used for mapping the communication matrix into a situation perception vector by using a situation perception model based on deep learning;
the queue updating module is used for selecting a new observation main body in the gradient rising direction of the situation awareness vector and adding the new observation main body into the observation queue;
and the loop execution module is used for returning to the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body, until the safety accident occurrence point is positioned according to the situation perception vector, and sending an alarm.
8. The apparatus of claim 7, wherein the information obtaining module comprises:
the acquisition unit is used for acquiring all communication data packets of the current observation main body in one period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points from the transmitting source to the receiving end;
a classification unit, configured to perform classification on the communication data packet according to the communication subject vector to obtain a packet data packet;
the sequencing unit is used for converting each grouped data packet into a binary system and sequencing each grouped data packet according to the time sequence to form an ordered data packet set;
and the conversion unit is used for converting the ordered data packet set into a communication matrix with determined rows and columns.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform a method for power physical grid security posture awareness as claimed in any one of claims 1-6.
10. A computer-readable storage medium storing computer instructions for causing a processor to implement a cyber-physical network security posture sensing method as claimed in any one of claims 1-6 when executed.
CN202210475954.2A 2022-04-29 2022-04-29 Electric power physical network security situation awareness method, device, equipment and medium Active CN114938385B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210475954.2A CN114938385B (en) 2022-04-29 2022-04-29 Electric power physical network security situation awareness method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN114938385A true CN114938385A (en) 2022-08-23
CN114938385B CN114938385B (en) 2023-10-24

Family

ID=82865198


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant