CN115208619A - Novel APT attack detection method for power system based on STSA-transformer algorithm - Google Patents

Novel APT attack detection method for power system based on STSA-transformer algorithm Download PDF

Info

Publication number
CN115208619A
CN115208619A CN202210568249.7A CN202210568249A
Authority
CN
China
Prior art keywords
data
power system
attention
result
stsa
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202210568249.7A
Other languages
Chinese (zh)
Inventor
李元诚
原洁璇
王庆乐
支妍力
曾萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Jiangxi Electric Power Co ltd
State Grid Jiangxi Electric Power Co ltd Ji'an Power Supply Branch
North China Electric Power University
Original Assignee
State Grid Jiangxi Electric Power Co ltd
State Grid Jiangxi Electric Power Co ltd Ji'an Power Supply Branch
North China Electric Power University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Jiangxi Electric Power Co ltd, State Grid Jiangxi Electric Power Co ltd Ji'an Power Supply Branch, North China Electric Power University filed Critical State Grid Jiangxi Electric Power Co ltd
Priority to CN202210568249.7A priority Critical patent/CN115208619A/en
Publication of CN115208619A publication Critical patent/CN115208619A/en
Withdrawn legal-status Critical Current

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • G06N3/084Backpropagation, e.g. using gradient descent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a novel power system APT attack detection method based on the STSA-transformer algorithm, and an electronic device. By combining the STSA-transformer algorithm with the PowerNorm normalization operation, the method memorizes the historical record of network flow, captures sequences over a wider range of lengths, reduces the overhead of network computing resources during detection, improves the operating efficiency of the neural network, detects time-series data better, and enhances the capability of APT attack detection in the novel power system.

Description

Novel power system APT attack detection method based on STSA-transformer algorithm
Technical Field
The invention belongs to the technical field of electrical information, and particularly relates to an APT attack detection method for a novel power system.
Background
The characteristics of the novel power system under the 'double-carbon' target include high-permeability renewable energy, a high proportion of power electronic equipment, rapidly growing power load, a high level of electrification, deep integration of new digital and intelligent technologies, flexible, efficient and wide-ranging energy allocation, openness and inclusiveness in security, and polymorphic interconnection and interaction among multiple systems. These features increase the uncertainty, openness and complexity of the novel power system, which brings new challenges to its safe and stable operation.
In recent years, many network security incidents targeting power systems have occurred. Attackers mostly bring down power systems by launching Advanced Persistent Threat (APT) attacks, which have become the most significant new threat to the power grid and have caused huge losses. Compared with other attack forms, APT is characterized by strong targeting, strong latency and long persistence; the attack process is more concealed, the power system is attacked and infiltrated in a targeted and continuous manner using complex attack means, and only a small number of attack behaviors, mixed into normal activities, are generated over a long time span. Traditional passive defense methods based on detection and isolation therefore typically fail against APT. The dual-high and dual-random characteristics of the novel power system enlarge its attack surface, making it more susceptible to APT attacks than the traditional power grid. It is therefore important to provide a new method for detecting APT attacks on the novel power system.
Disclosure of Invention
The invention aims to provide an APT attack detection method based on the STSA-transformer algorithm, which can effectively detect APT attacks in the novel power system that have long latency, cause great damage and are difficult to detect. Compared with the prior art, the invention seeks a detection method sensitive to long time-series data, which can capture APT attack sequences over a wider range and thus improve the effect of APT attack detection.
In order to achieve the above purposes, the technical scheme adopted by the invention is as follows:
a novel APT attack detection method of a power system based on STSA-transformer algorithm is characterized in that,
based on the basic characteristics of a novel power system, namely high-proportion new energy, high-growth load and high-proportion power electronic equipment, simulating network attack suffered by the power system, collecting network flow data from data acquisition equipment on an information side, and sorting the data to be used as input of the next step;
preprocessing the network flow data;
a soft thresholding self-attention (STSA) mechanism is provided, which captures the correlation between time series data and eliminates part of the redundant information;
according to the soft thresholding self-attention mechanism, the input is computed with a transformer coding layer normalized by PowerNorm, and the result is finally classified and output through a softmax layer;
initializing parameters, building a model from the STSA mechanism and the softmax classification output, training the model, and updating the weights with a gradient descent method, the trained model serving as input of the next step;
detecting an APT attack on the novel power system with the trained model; if the detection result is normal, the flow can operate normally; if the detection result is an attack category, an alarm prompt needs to be sent to the system.
On the basis of the scheme, the preprocessing comprises discrete feature digitization and feature value normalization.
On the basis of the scheme, based on the basic characteristics of the novel power system, namely high-proportion new energy, high-growth load and high-proportion power electronic equipment, simulating the network attack suffered by the power system, collecting network flow data from the data acquisition equipment on the information side and collating them as input of the next step specifically comprises:
knowing the basic structure composition of the novel power system and analyzing the basic characteristics of the novel power system;
the method comprises the steps of simulating network attack on a novel power system, collecting network flow data in a long time range at information side equipment, dividing the data according to different stages, and sorting the data into data sets.
On the basis of the above scheme, preprocessing the network traffic data, wherein the preprocessing comprises discrete feature digitization and feature value normalization, specifically includes:
carrying out binary one-hot coding on discrete data in the data, and converting the discrete data into numerical data;
all feature vectors are normalized, and the formula is as follows:
X_n = (X - X_min) / (X_max - X_min)
wherein X_max and X_min respectively represent the maximum and minimum of the value range of the original characteristic value, X represents the original characteristic value, and X_n represents the characteristic value after normalization.
On the basis of the above scheme, a soft thresholding self-attention mechanism (STSA) is proposed, which captures the correlation between time series data and eliminates part of the redundant information, specifically comprising:
the feature vector of the data set is subjected to position coding, and the position information of the data is stored, wherein the formula is as follows:
PE(pos, 2i) = sin(pos / 10000^(2i/d_model))
PE(pos, 2i+1) = cos(pos / 10000^(2i/d_model))
where pos is the position in the sequence, d_model is the dimension of the position-encoded feature vector, i denotes the i-th element of the position-encoded feature vector, the odd positions in the encoding vector are encoded with cos, and the even positions are encoded with sin;
adding the feature vector of the original data and the result of the position coding, and inputting the result into a self-attention layer;
initializing three weight matrixes, multiplying the three weight matrixes by an input vector to obtain three matrixes Q, K and V, and performing multi-head self-attention calculation by using the three matrixes, wherein the calculation formula is as follows:
Attention(Q, K, V) = softmax(QK^T / sqrt(d)) V
wherein Q, K and V are the three matrices whose weights need to be updated, and d is the dimension of the feature vector;
inputting the obtained attention result into a neural network module comprising a global average pooling layer and two fully-connected layers, outputting a coefficient through a sigmoid function, and multiplying this coefficient by the result of the global average pooling layer to obtain the threshold of each piece of sample data;
according to the threshold, a soft threshold algorithm calculation formula is utilized to perform soft threshold operation on the attention result, the important part of attention is reserved, the unimportant part is omitted, and the redundant part is eliminated:
y = x - T,  if x > T
y = 0,      if -T <= x <= T
y = x + T,  if x < -T
wherein x is the attention value and T is the threshold.
on the basis of the scheme, according to the soft thresholding self-attention mechanism, a transform coding layer normalized by PowerNorm is used for calculating input, and finally, the step of classifying and outputting results through a softmax layer specifically comprises the following steps:
inputting the computed soft-threshold self-attention result into the part of the transformer encoder other than the multi-head self-attention, which mainly comprises a residual network, a normalization function and a feedforward neural network, and finally classifying and outputting the result through a softmax function, wherein the normalization operation replaces the LN layer of the traditional transformer with the new normalization operation PowerNorm, changing the original enforcement of zero mean and unit variance into enforcement of a unit quadratic mean, and the calculation formula is as follows:
ψ_B^2 = (1/B) Σ_{i=1}^{B} X_i^2
X'_i = X_i / ψ_B
Y_i = γ · X'_i + β
wherein X_i is the feature vector of each sample in the batch, B is the batch size, ψ_B is the quadratic mean over the batch, and X'_i and Y_i are the normalized result and the output after rescaling with the learnable parameters γ and β, respectively.
On the basis of the scheme, initializing parameters, building a model from the softmax-layer classification output, training the model, and updating the weights with a gradient descent method as input of the next step specifically comprises the following steps:
according to the soft thresholding self-attention mechanism (STSA), capturing the correlation between time series data and eliminating part of the redundant information;
according to the soft thresholding self-attention mechanism, computing the input with a transformer coding layer normalized by PowerNorm, and finally building the algorithm model with the method of classifying and outputting the result through a softmax layer;
initializing parameters, and setting parameter values such as the number of multi-head self-attention heads, the number of encoder layers, the input and output dimensions of a full-connection layer, an activation function, a training batch, the number of iterations and the like;
dividing the data into a training set and a test set, inputting them into the built model, selecting the categorical cross-entropy loss as the loss function, updating the weights with a back-propagation-through-time algorithm according to the weight update rule, and accelerating the optimization of the neural network with a gradient descent algorithm.
On the basis of the scheme, the trained model is used to detect an APT attack on the novel power system; if the detection result is normal, the flow can operate normally; if the detection result is an attack category, the specific steps of sending an alarm prompt to the system comprise:
testing the trained model on the test set, and regarding the neural network as fully trained if its accuracy meets the expected requirement;
if the detection result for the data is normal, the flow can operate normally; if the detection result is an attack, an alarm prompt needs to be sent out.
On the basis of the above scheme, there is also provided an electronic device, including:
a memory for storing a computer program;
and a processor for implementing, when executing the computer program, the novel power system APT attack detection method based on the STSA-transformer algorithm according to any of the above schemes.
The invention has the beneficial effects that:
according to the invention, by combining the STSA-transformer algorithm with a new step of normalization operation PowerNorm, the historical record of network flow is memorized, the sequence length in a larger range is captured, the overhead of network computing resources in the detection process is reduced, the operation efficiency of a neural network is improved, the detection capability on time series data is better, and the capability of APT attack detection in a novel power system is enhanced.
Drawings
The invention has the following drawings:
FIG. 1 is a flow chart of the method of the present invention.
FIG. 2 is the internal structure of the transformer encoder network.
FIG. 3 is a schematic diagram of the STSA attention mechanism.
Detailed Description
The present invention is described in further detail below with reference to fig. 1-3.
The invention provides a novel power system APT attack detection method based on an STSA-transformer algorithm, and the flow of the method is as shown in figure 1:
step 1: based on the basic characteristics of a novel power system, namely high-proportion new energy, high-growth load and high-proportion power electronic equipment, simulating network attack suffered by the power system, collecting network flow data from data acquisition equipment on an information side, and sorting the data to be used as input of the next step;
step 2: preprocessing collected flow data, wherein the preprocessing comprises discrete feature numeralization and feature value normalization;
step 3: a soft thresholding self-attention mechanism (STSA) is proposed, which captures the correlation between time series data and eliminates part of the redundant information;
step 4: according to the soft thresholding self-attention mechanism mentioned in step 3, computing the input with a transformer coding layer normalized by PowerNorm, and finally classifying and outputting the result through a softmax layer;
step 5: initializing parameters, building a model from the modules mentioned in step 3 and step 4, training the model, and updating the weights with a gradient descent method;
step 6: detecting an APT attack on the novel power system with the trained model; if the detection result is normal, the flow can operate normally; if the detection result is an attack category, an alarm prompt needs to be sent to the system;
the step 1 specifically comprises:
step 1.1: knowing the basic structure composition of the novel power system and analyzing the basic characteristics of the novel power system;
step 1.2: carrying out simulated network attack on the novel power system, collecting network flow data in a long time range at information side equipment, dividing the data according to different stages, and sorting the data into data sets;
the step 2 specifically comprises:
step 2.1: carrying out binary one-hot encoding on discrete data in the data, and converting the discrete data into numerical data;
step 2.2: all feature vectors are normalized, and the formula is as follows:
X_n = (X - X_min) / (X_max - X_min)
wherein X_max and X_min respectively represent the maximum and minimum of the value range of the original characteristic value, X represents the original characteristic value, and X_n represents the characteristic value after normalization;
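As an illustration of steps 2.1 and 2.2, the following Python sketch shows one way the preprocessing could be implemented; the use of pandas and scikit-learn, and the placeholder arguments, are assumptions for illustration and are not prescribed by the method.

```python
import pandas as pd
from sklearn.preprocessing import MinMaxScaler

def preprocess(df: pd.DataFrame, discrete_cols: list) -> pd.DataFrame:
    """One-hot encode the discrete features, then min-max normalize every column.

    `df` holds the collected network flow records and `discrete_cols` names their
    categorical columns (e.g. protocol type); both are hypothetical placeholders.
    """
    # step 2.1: binary one-hot encoding of the discrete (categorical) features
    df = pd.get_dummies(df, columns=discrete_cols, dtype=float)

    # step 2.2: X_n = (X - X_min) / (X_max - X_min), applied column-wise
    scaler = MinMaxScaler()
    return pd.DataFrame(scaler.fit_transform(df), columns=df.columns, index=df.index)
```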
the step 3 specifically comprises:
step 3.1: position coding is carried out on the feature vectors of the data set to preserve the position information of the data, so that the neural network can learn more time-series characteristics and the detection of APT attacks is improved; relative position coding is used, and the formula is as follows:
PE(pos, 2i) = sin(pos / 10000^(2i/d_model))
PE(pos, 2i+1) = cos(pos / 10000^(2i/d_model))
where pos is the position in the sequence, d_model is the dimension of the position-encoded feature vector, i represents the i-th element of the position-encoded feature vector, the odd positions in the encoding vector are encoded with cos, and the even positions are encoded with sin;
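For concreteness, the position coding above can be sketched as follows; PyTorch is an assumed framework and d_model is assumed to be even, as the patent does not prescribe an implementation.

```python
import torch

def positional_encoding(seq_len: int, d_model: int) -> torch.Tensor:
    """Return the (seq_len, d_model) sinusoidal position-coding matrix.

    PE(pos, 2i)   = sin(pos / 10000^(2i / d_model))
    PE(pos, 2i+1) = cos(pos / 10000^(2i / d_model))
    """
    pos = torch.arange(seq_len, dtype=torch.float32).unsqueeze(1)   # (seq_len, 1)
    i = torch.arange(0, d_model, 2, dtype=torch.float32)            # even dimension indices
    angle = pos / torch.pow(10000.0, i / d_model)                   # (seq_len, d_model / 2)
    pe = torch.zeros(seq_len, d_model)
    pe[:, 0::2] = torch.sin(angle)   # even positions carry the sin code
    pe[:, 1::2] = torch.cos(angle)   # odd positions carry the cos code
    return pe
```

The returned matrix is added element-wise to the feature vectors before they enter the self-attention layer, as described in step 3.2.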
step 3.2: adding the feature vector of the original data and the result of the position coding, and inputting the result into a self-attention layer;
step 3.3: initializing three weight matrixes, multiplying the three weight matrixes by an input vector to obtain three matrixes Q, K and V, and performing multi-head self-attention calculation by using the three matrixes, wherein the calculation formula is as follows:
Attention(Q, K, V) = softmax(QK^T / sqrt(d)) V
wherein Q, K and V are the three matrices whose weights need to be updated, and d is the dimension of the feature vector;
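A minimal sketch of the scaled dot-product attention used in step 3.3 is given below; a single head is shown, while the multi-head variant applies this per head and concatenates the results, and the framework choice is an assumption.

```python
import torch
import torch.nn.functional as F

def scaled_dot_product_attention(Q: torch.Tensor, K: torch.Tensor, V: torch.Tensor) -> torch.Tensor:
    """Attention(Q, K, V) = softmax(Q K^T / sqrt(d)) V for one attention head."""
    d = Q.size(-1)                                  # dimension of the feature vectors
    scores = Q @ K.transpose(-2, -1) / d ** 0.5     # pairwise similarity, scaled by sqrt(d)
    weights = F.softmax(scores, dim=-1)             # attention weights over the sequence
    return weights @ V                              # weighted sum of the value vectors
```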
step 3.4: inputting the obtained attention result into a neural network module comprising a global average pooling layer and two fully-connected layers, outputting a coefficient through a sigmoid function, and multiplying this coefficient by the result of the global average pooling layer to obtain the threshold of each piece of sample data;
step 3.5: according to the threshold value obtained in the step 3.4, a soft threshold value algorithm calculation formula is utilized to perform soft threshold value operation on the attention result, important parts of attention are reserved, unimportant parts are omitted, redundant parts are eliminated, and the next calculation is convenient to perform;
y = x - T,  if x > T
y = 0,      if -T <= x <= T
y = x + T,  if x < -T
wherein x is the attention value and T is the threshold.
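Steps 3.4 and 3.5 together form the soft-thresholding sub-network; the sketch below is one plausible PyTorch rendering, with the layer sizes and the pooling over the sequence dimension as assumptions rather than details fixed by the patent.

```python
import torch
import torch.nn as nn

class SoftThresholdAttention(nn.Module):
    """Learn a per-sample threshold from the attention result and apply soft thresholding."""

    def __init__(self, d_model: int):
        super().__init__()
        # two fully-connected layers joined by ReLU, ending in a sigmoid coefficient
        self.fc = nn.Sequential(
            nn.Linear(d_model, d_model), nn.ReLU(),
            nn.Linear(d_model, d_model), nn.Sigmoid(),
        )

    def forward(self, attn: torch.Tensor) -> torch.Tensor:
        # attn: (batch, seq_len, d_model) attention result from the multi-head layer
        gap = attn.abs().mean(dim=1)                 # global average pooling over the sequence
        threshold = gap * self.fc(gap)               # sigmoid coefficient times the pooled result
        threshold = threshold.unsqueeze(1)           # broadcast the threshold over positions
        # soft thresholding: y = sign(x) * max(|x| - T, 0), shrinking unimportant values to zero
        return torch.sign(attn) * torch.clamp(attn.abs() - threshold, min=0.0)
```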
the step 4 specifically includes:
step 4.1: inputting the computed soft-threshold self-attention result into the part of the transformer encoder other than the multi-head self-attention, which mainly comprises a residual network, a normalization and a feedforward neural network, and finally classifying and outputting the result through a softmax function, wherein the normalization operation replaces the LN layer of the traditional transformer with the new normalization operation PowerNorm, changing the original enforcement of zero mean and unit variance into enforcement of a unit quadratic mean; this operation exhibits fluctuations of a smaller order of magnitude and therefore handles the data well, and the calculation formula is as follows:
ψ_B^2 = (1/B) Σ_{i=1}^{B} X_i^2
X'_i = X_i / ψ_B
Y_i = γ · X'_i + β
wherein X_i is the feature vector of each sample in the batch, B is the batch size, ψ_B is the quadratic mean over the batch, and X'_i and Y_i are the normalized result and the output after rescaling with the learnable parameters γ and β, respectively.
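A simplified sketch of the quadratic-mean normalization described in step 4.1 follows; the published PowerNorm additionally keeps running statistics across batches, so only the core batch computation is shown here as an assumption.

```python
import torch
import torch.nn as nn

class QuadraticMeanNorm(nn.Module):
    """Normalize by the batch quadratic mean instead of enforcing zero mean / unit variance."""

    def __init__(self, d_model: int, eps: float = 1e-5):
        super().__init__()
        self.gamma = nn.Parameter(torch.ones(d_model))   # learnable scale γ
        self.beta = nn.Parameter(torch.zeros(d_model))   # learnable shift β
        self.eps = eps

    def forward(self, x: torch.Tensor) -> torch.Tensor:
        # x: (batch, seq_len, d_model); ψ² is the mean of the squared activations
        psi = torch.sqrt(x.pow(2).mean(dim=(0, 1), keepdim=True) + self.eps)
        x_hat = x / psi                                  # X' = X / ψ_B
        return self.gamma * x_hat + self.beta            # Y = γ · X' + β
```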
The step 5 specifically comprises:
step 5.1: building an algorithm model according to the methods provided in the step 3 and the step 4;
step 5.2: initializing parameters, and setting parameter values such as the number of multi-head self-attention heads, the number of encoder layers, the input and output dimensions of a full-connection layer, an activation function, a training batch, the number of iterations and the like;
step 5.3: dividing the data into a training set and a test set, inputting them into the built model, selecting the categorical cross-entropy loss as the loss function, updating the weights with a back-propagation-through-time algorithm according to the weight update rule, and accelerating the optimization of the neural network with a gradient descent algorithm;
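Step 5.3 corresponds to a standard supervised training loop; the sketch below uses categorical cross-entropy and a gradient-descent optimizer, with the model, the data tensors and the hyper-parameter values as assumed placeholders.

```python
import torch
import torch.nn as nn
from torch.utils.data import DataLoader, TensorDataset

def train(model: nn.Module, X: torch.Tensor, y: torch.Tensor,
          epochs: int = 20, batch_size: int = 64, lr: float = 1e-3) -> nn.Module:
    """Train the detection model with categorical cross-entropy and gradient descent.

    X holds the preprocessed training features and y the class indices (torch.long);
    both, like the hyper-parameter values, are placeholders.
    """
    loader = DataLoader(TensorDataset(X, y), batch_size=batch_size, shuffle=True)
    criterion = nn.CrossEntropyLoss()                        # categorical cross-entropy (expects raw logits)
    optimizer = torch.optim.SGD(model.parameters(), lr=lr)   # gradient-descent weight update

    for _ in range(epochs):
        for xb, yb in loader:
            optimizer.zero_grad()
            loss = criterion(model(xb), yb)   # forward pass and loss
            loss.backward()                   # back-propagate the gradients
            optimizer.step()                  # apply the weight update rule
    return model
```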
the step 6 specifically comprises:
step 6.1: testing the trained model on the test set; if its accuracy meets the expected requirement, the neural network is regarded as fully trained.
step 6.2: if the detection result for the data is normal, the flow can operate normally; if the detection result is an attack, an alarm prompt needs to be sent out.
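Steps 6.1 and 6.2 amount to running the trained classifier on new traffic and raising an alarm for any attack class; a minimal sketch, assuming that class index 0 denotes normal traffic:

```python
import torch
import torch.nn as nn

NORMAL_CLASS = 0  # assumed label index for normal traffic

def detect(model: nn.Module, traffic: torch.Tensor) -> None:
    """Classify a batch of preprocessed traffic samples and alert on any detected attack."""
    model.eval()
    with torch.no_grad():
        predictions = model(traffic).argmax(dim=-1)   # most probable class per sample
    for idx, label in enumerate(predictions.tolist()):
        if label != NORMAL_CLASS:
            print(f"ALERT: sample {idx} classified as attack category {label}")
        # samples classified as normal pass through without intervention
```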
The present invention also provides an electronic device comprising:
a memory for storing a computer program;
and a processor for implementing, when executing the computer program, the above steps of the novel power system APT attack detection method based on the STSA-transformer algorithm.
Referring to fig. 2, a transformer encoder network internal structure is provided.
Process 1: position coding is carried out on the feature vectors of the data set to preserve the position information of the data, so that the neural network can learn more time-series characteristics and the detection of APT attacks is improved; relative position coding is used, and the formula is as follows:
PE(pos,2i)=sin(pos/10000 2i/dmodel )
PE(pos,2i+1)=cos(pos/10000 2i/dmodel )
wherein p isos is the position in the sequence, d model Dimension of a position information coding feature vector, i represents the ith element of the position information coding feature vector, odd number bits in the coding vector are coded by cos, even number bits are coded by sin; adding the feature vector of the original data and the result of the position coding, and inputting the result into a multi-head attention layer;
Process 2: initializing three weight matrices, multiplying them by the input vector to obtain the three matrices Q, K and V, and performing the multi-head self-attention calculation with them, where the calculation formula is as follows:
Attention(Q, K, V) = softmax(QK^T / sqrt(d)) V
wherein Q, K and V are the three matrices whose weights need to be updated, and d is the dimension of the feature vector; the purpose of multi-head attention is to construct attention vectors in multiple subspaces and finally splice the attention values together, so that different aspects of the information between sequences can be learned.
Process 3: the computed multi-head self-attention result is input into a summation-and-normalization layer. The summation uses the principle of a residual network, adding the output of the network to its input in order to reduce the loss during the operation of a deep neural network; the purpose of the normalization is to condition the data so that subsequent computations are convenient. The normalization operation replaces the LN layer of the traditional transformer with the new normalization operation PowerNorm, changing the original enforcement of zero mean and unit variance into enforcement of a unit quadratic mean; this operation exhibits fluctuations of a smaller order of magnitude and therefore handles the data well. The calculation formula is as follows:
ψ_B^2 = (1/B) Σ_{i=1}^{B} X_i^2
X'_i = X_i / ψ_B
Y_i = γ · X'_i + β
wherein X_i is the feature vector of each sample in the batch, B is the batch size, ψ_B is the quadratic mean over the batch, and X'_i and Y_i are the normalized result and the output after rescaling with the learnable parameters γ and β, respectively.
Process 4: the result is input into a fully-connected neural network whose output dimension is the number of classes of the classification task; finally, a softmax layer outputs the probability of each class to obtain the final classification result.
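Putting processes 1 to 4 together, one encoder block followed by the classification head might be assembled as sketched below; the layer sizes are assumptions, and QuadraticMeanNorm refers to the normalization sketched under step 4.1 above.

```python
import torch
import torch.nn as nn

class EncoderClassifier(nn.Module):
    """One transformer-style encoder block with quadratic-mean normalization plus a softmax head."""

    def __init__(self, d_model: int, n_heads: int, n_classes: int, d_ff: int = 256):
        super().__init__()
        self.attn = nn.MultiheadAttention(d_model, n_heads, batch_first=True)
        self.norm1 = QuadraticMeanNorm(d_model)   # the normalization sketched under step 4.1
        self.ffn = nn.Sequential(nn.Linear(d_model, d_ff), nn.ReLU(), nn.Linear(d_ff, d_model))
        self.norm2 = QuadraticMeanNorm(d_model)
        self.head = nn.Linear(d_model, n_classes)

    def forward(self, x: torch.Tensor) -> torch.Tensor:
        # x: (batch, seq_len, d_model) position-coded feature vectors
        attn_out, _ = self.attn(x, x, x)          # process 2: multi-head self-attention
        x = self.norm1(x + attn_out)              # process 3: residual connection + normalization
        x = self.norm2(x + self.ffn(x))           # feed-forward sub-layer with its own residual
        return self.head(x.mean(dim=1))           # process 4: pool over the sequence, output class logits

    def predict_proba(self, x: torch.Tensor) -> torch.Tensor:
        # softmax layer: probability of each category, giving the final classification result
        return torch.softmax(self.forward(x), dim=-1)
```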
As in fig. 3, a soft thresholding self-attention mechanism (STSA) is provided.
Process 1: the computed multi-head attention vector is input into a soft-threshold neural network comprising a global average pooling layer and two fully-connected layers joined by a ReLU activation layer; a coefficient is finally output through a sigmoid function and, as the coefficient of the subsequent soft-threshold process, is multiplied by the result of the global average pooling layer to obtain the threshold of each sample;
Process 2: according to the threshold obtained in Process 1, a soft-threshold operation is performed on the attention result, retaining the important part of the attention, omitting the unimportant part and eliminating the redundant part so as to facilitate the next calculation; the soft-threshold calculation formula is as follows:
y = x - T,  if x > T
y = 0,      if -T <= x <= T
y = x + T,  if x < -T
wherein T is the threshold of each piece of sample data and x is the computed attention value.
The above embodiments are only for illustrating the present invention and are not meant to be limiting, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the present invention, so that all equivalent technical solutions also belong to the scope of the present invention, and the scope of the present invention should be defined by the claims.
Those not described in detail in this specification are within the skill of the art.

Claims (9)

1. A novel power system APT attack detection method based on STSA-transformer algorithm is characterized in that,
based on the basic characteristics of a novel power system, such as high-proportion new energy, high-growth load and high-proportion power electronic equipment, simulating network attack suffered by the power system, collecting network flow data from data acquisition equipment on an information side, and sorting the data to be used as input of the next step;
preprocessing the network flow data;
a soft thresholding self-attention (STSA) mechanism is provided, which captures the correlation between time series data and eliminates part of the redundant information;
according to the soft thresholding self-attention mechanism, the input is computed with a transformer coding layer normalized by PowerNorm, and the result is finally classified and output through a softmax layer;
initializing parameters, building a model from the softmax-layer classification output, training the model, and updating the weights with a gradient descent method, the trained model serving as input of the next step;
detecting an APT attack on the novel power system with the trained model; if the detection result is normal, the flow can operate normally; if the detection result is an attack category, an alarm prompt needs to be sent to the system.
2. The novel power system APT attack detection method based on the STSA-transformer algorithm according to claim 1, wherein the preprocessing comprises discrete feature digitization and feature value normalization.
3. The method according to claim 1, wherein based on the basic features of the new power system, the new energy with a high proportion, the high incremental load, and the high proportion of power electronic devices, the method for detecting the APT attack of the power system simulates a network attack suffered by the power system, collects network traffic data from a data acquisition device on an information side, and collates the collected network traffic data, and the method specifically includes, as inputs of a next step:
knowing the basic structure composition of the novel power system and analyzing the basic characteristics of the novel power system;
the method comprises the steps of simulating network attack on a novel power system, collecting network flow data in a long time range at information side equipment, dividing the data according to different stages, and sorting the data into data sets.
4. The method according to claim 2, wherein preprocessing the network traffic data, the preprocessing comprising discrete feature digitization and feature value normalization, specifically includes:
carrying out binary one-hot encoding on discrete data in the data, and converting the discrete data into numerical data;
all feature vectors are normalized, and the formula is as follows:
X_n = (X - X_min) / (X_max - X_min)
wherein X_max and X_min respectively represent the maximum and minimum of the value range of the original characteristic value, X represents the original characteristic value, and X_n represents the characteristic value after normalization.
5. The method according to claim 1, wherein the step of providing a soft thresholding self-attention mechanism (STSA) for capturing the correlation between time series data and eliminating part of the redundant information specifically includes:
the feature vector of the data set is subjected to position coding, and the position information of the data is stored, wherein the formula is as follows:
PE(pos, 2i) = sin(pos / 10000^(2i/d_model))
PE(pos, 2i+1) = cos(pos / 10000^(2i/d_model))
where pos is the position in the sequence, d_model is the dimension of the position-encoded feature vector, i represents the i-th element of the position-encoded feature vector, the odd positions in the encoding vector are encoded with cos, and the even positions are encoded with sin;
adding the feature vector of the original data and the result of the position coding, and inputting the result into a self-attention layer;
initializing three weight matrixes, multiplying the three weight matrixes by an input vector to obtain three matrixes Q, K and V, and performing multi-head self-attention calculation by using the three matrixes, wherein the calculation formula is as follows:
Attention(Q, K, V) = softmax(QK^T / sqrt(d)) V
wherein Q, K and V are the three matrices whose weights need to be updated, and d is the dimension of the feature vector;
inputting the obtained attention result into a neural network module comprising a global average pooling layer and two fully-connected layers, outputting a coefficient through a sigmoid function, and multiplying this coefficient by the result of the global average pooling layer to obtain the threshold of each piece of sample data;
according to the threshold value, a soft threshold algorithm calculation formula is utilized to perform soft threshold operation on the attention result, so that the important part of attention is reserved, the unimportant part is omitted, and the redundant part is eliminated:
y = x - T,  if x > T
y = 0,      if -T <= x <= T
y = x + T,  if x < -T
wherein x is the attention value and T is the threshold.
6. The method according to claim 1, wherein, according to the soft thresholding self-attention mechanism, computing the input with a transformer coding layer normalized by PowerNorm and finally classifying and outputting the result through a softmax layer specifically includes:
inputting the computed soft-threshold self-attention result into the part of the transformer encoder other than the multi-head self-attention, which mainly comprises a residual network, a normalization function and a feedforward neural network, and finally classifying and outputting the result through a softmax function, wherein the normalization operation replaces the LN layer of the traditional transformer with the new normalization operation PowerNorm, changing the original enforcement of zero mean and unit variance into enforcement of a unit quadratic mean, and the calculation formula is as follows:
ψ_B^2 = (1/B) Σ_{i=1}^{B} X_i^2
X'_i = X_i / ψ_B
Y_i = γ · X'_i + β
wherein X_i is the feature vector of each sample in the batch, B is the batch size, ψ_B is the quadratic mean over the batch, and X'_i and Y_i are the normalized result and the output after rescaling with the learnable parameters γ and β, respectively.
7. The method according to claim 1, wherein initializing parameters, building a model from the softmax-layer classification output, training the model, and updating the weights with a gradient descent method specifically includes:
according to the soft thresholding self-attention mechanism (STSA), capturing the correlation between time series data and eliminating part of the redundant information;
according to the soft thresholding self-attention mechanism, computing the input with a transformer coding layer normalized by PowerNorm, and finally building the algorithm model with the method of classifying and outputting the result through a softmax layer;
initializing parameters, and setting parameter values such as the number of multi-head self-attention heads, the number of encoder layers, the input and output dimensions of a full-connection layer, an activation function, a training batch, the number of iterations and the like;
dividing the data into a training set and a test set, inputting them into the built model, selecting the categorical cross-entropy loss as the loss function, updating the weights with a back-propagation-through-time algorithm according to the weight update rule, and accelerating the optimization of the neural network with a gradient descent algorithm.
8. The method for detecting an APT attack on the novel power system based on the STSA-transformer algorithm according to claim 1, wherein the trained model is used to detect an APT attack on the novel power system; if the detection result is normal, the flow can operate normally; if the detection result is an attack category, the step of sending an alarm prompt to the system specifically includes: testing the trained model on the test set, and regarding the neural network as fully trained if its accuracy meets the expected requirement;
if the detection result for the data is normal, the flow can operate normally; if the detection result is an attack, an alarm prompt needs to be sent out.
9. An electronic device, comprising:
a memory for storing a computer program;
processor for implementing, when executing said computer program, the new method for detecting an APT attack on an electrical power system based on an STSA-transformer algorithm according to any one of claims 1 to 8.
CN202210568249.7A 2022-05-24 2022-05-24 Novel APT attack detection method for power system based on STSA-transformer algorithm Withdrawn CN115208619A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210568249.7A CN115208619A (en) 2022-05-24 2022-05-24 Novel APT attack detection method for power system based on STSA-transformer algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210568249.7A CN115208619A (en) 2022-05-24 2022-05-24 Novel APT attack detection method for power system based on STSA-transformer algorithm

Publications (1)

Publication Number Publication Date
CN115208619A true CN115208619A (en) 2022-10-18

Family

ID=83576129

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210568249.7A Withdrawn CN115208619A (en) 2022-05-24 2022-05-24 Novel APT attack detection method for power system based on STSA-transformer algorithm

Country Status (1)

Country Link
CN (1) CN115208619A (en)


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116192421A (en) * 2022-11-28 2023-05-30 北京交通大学 APT attack detection method based on traceability graph and self-attention mechanism
CN116192421B (en) * 2022-11-28 2024-04-30 北京交通大学 APT attack detection method based on traceability graph and self-attention mechanism

Similar Documents

Publication Publication Date Title
CN110298663B (en) Fraud transaction detection method based on sequence wide and deep learning
CN110287983B (en) Single-classifier anomaly detection method based on maximum correlation entropy deep neural network
CN111585948B (en) Intelligent network security situation prediction method based on power grid big data
CN111783442A (en) Intrusion detection method, device, server and storage medium
CN111967343A (en) Detection method based on simple neural network and extreme gradient lifting model fusion
CN112087442B (en) Time sequence related network intrusion detection method based on attention mechanism
CN111242351A (en) Tropical cyclone track prediction method based on self-encoder and GRU neural network
CN113470316B (en) Debris flow monitoring and early warning method based on self-coding single classification model
CN115659254A (en) Power quality disturbance analysis method for power distribution network with bimodal feature fusion
CN113705094A (en) Ship fuel oil pipeline fault prediction method based on PSO-GRU
CN115208619A (en) Novel APT attack detection method for power system based on STSA-transformer algorithm
CN115051834B (en) Novel power system APT attack detection method based on STSA-transformer algorithm
CN116827685B (en) Dynamic defense strategy method of micro-service system based on deep reinforcement learning
CN113962371A (en) Image identification method and system based on brain-like computing platform
CN117375983A (en) Power grid false data injection identification method based on improved CNN-LSTM
CN115396198B (en) Power grid intrusion detection system and method based on CNN architecture and parameter parallel optimization
CN117278313A (en) Security detection method and system for computer network structure optimization
CN116647391A (en) Network intrusion detection method and system based on parallel self-encoder and weight discarding
CN116488325A (en) Smart power grid anomaly detection and classification method, smart power grid anomaly detection and classification equipment and readable storage medium
CN111967577B (en) Energy Internet scene generation method based on variation self-encoder
Lu et al. An Ensemble Learning-Based Cyber-Attacks Detection Method of Cyber-Physical Power Systems
JP2020091813A (en) Learning method for neural network, computer program and computer device
Shi et al. A Novel Approach to Detect Electricity Theft Based on Conv-Attentional Transformer
CN116524409A (en) Weak supervision video anomaly detection method based on self-guided encoder
CN118094346A (en) Conformer-based series fault arc detection method and Conformer-based series fault arc detection system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20221018