CN115296830A - Network collaborative attack modeling and harm quantitative analysis method based on game theory - Google Patents

Info

Publication number
CN115296830A
CN115296830A
Authority
CN
China
Prior art keywords
attack
network
data
power distribution
active power
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210593965.0A
Other languages
Chinese (zh)
Other versions
CN115296830B (en)
Inventor
葛辉
岳东
丁磊
解相朋
邓松
刘程子
葛愿
林达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Application filed by Nanjing University of Posts and Telecommunications
Priority to CN202210593965.0A
Publication of CN115296830A
Application granted
Publication of CN115296830B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/02 Capturing of monitoring data
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a game-theory-based method for modeling network collaborative attacks and quantitatively analyzing their harm, intended for the modeling, quantitative calculation and response of network attack behaviors aimed at data services. First, an integrated model of the security control of the active power distribution network is established and the cyber-physical space of the active power distribution network is described; then network attacks are detected, analyzed and quantified; finally, the threats present in the system and the cost of responding to them are evaluated through game theory, and the response strategy is adjusted in time so that network collaborative attacks are resisted. The method is characterized by short response time, strong pertinence and high accuracy of the attack model.

Description

Network collaborative attack modeling and harm quantitative analysis method based on game theory
Technical Field
The invention relates to a game-theory-based network cooperative attack modeling and hazard quantitative analysis method, mainly intended to solve the problems of modeling network attacks on an active power distribution network and of defense strategies against them, and belongs to the field of computer security.
Background
The active power distribution network is a power distribution network that contains distributed energy resources and has active control and operation capabilities. The distributed energy resources comprise the various forms of distributed generation, distributed energy storage, electric vehicle charging and battery-swapping facilities and demand response resources (controllable loads) connected to the distribution network. The core of the active power distribution network is the shift from passive consumption of distributed renewable energy to actively guiding and actively using it. With this technology the distribution network changes from a traditional passive consumption network into an active network that can be regulated according to its actual operating state and that participates in the operation and control of the distribution network. The main characteristics of the active power distribution network are improved response speed, network visibility, network flexibility, high power quality and high supply reliability. With the continued spread and development of computer networks, attacks on active power distribution networks are increasingly rampant, and network cooperative attacks are a typical attack mode. The network cooperative attack is an evolving attack technique that has appeared with the development of network technology and the wide use of network applications. In particular, network attack platforms represented by botnets have appeared; their command and control mechanism serves as the core foundation of cooperation, so that widely distributed infected hosts can adopt more flexible and intelligent modes of cooperation to carry out large-scale malicious actions and achieve the attacker's goal.
Unlike traditional attack events, the distributed cooperative attack is efficient, robust and concealed, which poses huge challenges to detection and defense technologies; the existing traditional methods for defending against cooperative attacks, such as firewalls, intrusion detection systems (IDS) and security vulnerability detection, use a single defense mode and have difficulty meeting the challenges of cooperative attacks, so a method for modeling network cooperative attacks and quantitatively analyzing their damage becomes very important.
The traditional defense scheme is a passive defense technology: it cannot effectively monitor activity in an active power distribution network, has no active defense capability, lacks adaptive response capability to network attacks, and cannot prevent the increasingly serious network security threat.
Disclosure of Invention
Technical problem: the invention aims to provide a game-theory-based network collaborative attack modeling and hazard quantitative analysis method that solves the problems of modeling, quantitative calculation and response of network attacks aimed at data services.
In this method, the cooperative attack is first modeled in an integrated way, the model is then computed quantitatively, and finally the response strategy is adjusted according to loss evaluation and response cost analysis, so as to resist the network cooperative attack.
The game-theory-based network collaborative attack modeling and hazard quantitative analysis method mainly considers three problems: (1) how to construct an integrated model for the security control of the active power distribution network that incorporates network attacks, clearly depicting the complex, dynamic nature of the information and physical spaces, their intersection and their dynamic changes in the active power distribution network system; (2) how to establish a detection, analysis and quantitative calculation method for network cooperative attacks; (3) how the response of the system, according to Nash equilibrium, minimizes the impact of attacks on data services in the active power distribution network. The method can therefore effectively evaluate the potential influence of an attack on the data service of the active power distribution network when the system is attacked, and then adjust the response strategy according to the loss evaluation and the response cost.
The technical scheme is as follows:
Based on the above considerations, the invention provides a game-theory-based network cooperative attack modeling and hazard quantitative analysis method comprising the following steps:
step one, constructing a hybrid integrated model incorporating network attacks for an active power distribution network
For the active power distribution network system, a hybrid integrated model incorporating network attacks is constructed using a finite-state machine method. The constructed hybrid integrated model is a network cooperative attack dynamic combination model: by collecting and analyzing network attack data, the influence of network attack behaviors can be detected and identified, and the decoupling of the network cooperative attack behaviors is completed by data cleaning and data association;
step two, quantifying the risks generated by network attack behaviors
Attack detection is carried out by extracting the characteristics of network cooperative attack behaviors during the operation of the active power distribution network system, and the influence produced by each corresponding network attack behavior is calculated so as to complete the network cooperative attack situation analysis comprehensively;
step three, responding to network attack behaviors by constructing a security attack-defense game model
A zero-sum dynamic game method is adopted: a security attack-defense game model is constructed for the game between the attacking and defending parties under the conditions of refined Bayesian equilibrium; the corresponding network cooperative attack behavior is responded to by solving the Nash equilibrium solution of the security attack-defense game model, so that the influence of the network cooperative attack behavior on the data service of the active power distribution network system is minimized; whether an alarm is needed is determined according to the obtained Nash equilibrium solution, and the abnormal data mixed with the network attack behavior is screened, eliminated and corrected;
step four, screening and eliminating abnormal data mixed with network attack behaviors and correcting them
After the Nash equilibrium solution obtained in step three determines that an alarm is needed, the abnormal data mixed with network attack behaviors is screened, eliminated and corrected using a density-based clustering method.
Preferably, in step one, the construction of the hybrid integrated model specifically includes the following steps:
step 1.1: data sampling and defining at l L ∈ {1, 2.. Multidata, m } to represent data sampling time intervals of corresponding different states l in the active power distribution network system; entering step 1.2;
step 1.2: taking Δ T as the sampling period of different system parameters and states, { Δ T } 1 ,Δt 2 ,...,Δt n Maximum common factor of the different/synchronous dual-mode hybrid system to obtain the synchronous time within a limited time period
Figure BDA0003666883880000031
go to step 1.3;
step 1.3: When a network attack behavior occurs in the active power distribution network system, the fast-changing signal (the signal with a short sampling period and high sampling frequency) is mainly used, and switching is performed according to the principle of proximity; go to step 1.4;
step 1.4: The influence brought by the network attack is defined as an uncertain variable $\Delta$, and this randomly and dynamically changing component is merged into the discrete-continuous hybrid active power distribution network system to form a hybrid integrated model incorporating the network attack.
Preferably, the hybrid integrated model incorporating the network attack is as follows:
Figure BDA0003666883880000032
where $x_i(t)$ represents the continuous system state of continuous-time variable $i$ of the system as a function of time $t$, $i \in S_1$, and $S_1$ represents the set of continuous-time variables $i$; $x_j(t)$ represents the discrete system state of discrete-time variable $j$ of the system as a function of time $t$, $j \in S_2$, and $S_2$ represents the set of discrete-time variables $j$; $S$ represents the collection of the continuous-time variables $i$ and the discrete-time variables $j$; $\omega_i(t)$ and $\omega_j(t)$ denote the disturbances of the continuous and discrete systems, respectively; $\Delta_i(t)$ and $\Delta_j(t)$ respectively represent the network-attack influence components of the continuous and discrete systems; $A_i$ is the coefficient matrix of the continuous system state, $B_i$ the coefficient matrix of the continuous system disturbance, and $D_i$ the coefficient matrix of the network-attack influence component in the continuous system; $A_j$ is the coefficient matrix of the discrete system state, $B_j$ the coefficient matrix of the discrete system disturbance, and $D_j$ the coefficient matrix of the network-attack influence component in the discrete system.
Preferably, in step two, quantifying the risk generated by the network attack specifically includes the following steps:
step 2.1: Define the probability that component element $i$ in the active power distribution network system is attacked by network attack $a$ as $\rho_{ia}$ and its influence on system security as $\pi_{ia}$; the quantified risk $V_i$ that component element $i$ may encounter from network attacks is calculated as:
Figure BDA0003666883880000041
step 2.2: v is quantitatively calculated according to the risk obtained in the step 2.1 i Calculating the security risk quantification V that the whole system may encounter:
Figure BDA00036668838800000412
where $\gamma_i$ represents the weight of component element $i$ of the active power distribution network among the elements $[1, n]$.
Preferably, in step three, the security attack-defense game model is constructed and responds to the network attack behavior as follows:
step 3.1: Define the power distribution network security attack-defense game model $G = (P, Z, \Theta, S)$, where:
$P = (P_A, P_D)$ represents the set of participants of the attacking and defending parties, $P_A$ being the attacker and $P_D$ the defender;
$Z = \{z_0, z_1, \ldots, z_N\}$ is the set used to represent the network security states;
Figure BDA0003666883880000042
$i = 0, 1, 2, \ldots, N$ is used to represent the strategy set of both attacking and defending parties,
Figure BDA0003666883880000043
and
Figure BDA0003666883880000044
respectively indicate the sets of all possible strategies of the attacker and the defender for the system to reach the security state $z_I$,
Figure BDA0003666883880000045
Figure BDA0003666883880000046
$i = 0, 1, 2, \ldots, N$ is used to represent the utility functions of both game parties;
step 3.2: When the security state $z_I$ is reached, the probability distributions over the strategies in the strategy sets of the attacking and defending parties are defined respectively as:
Figure BDA0003666883880000047
Figure BDA0003666883880000048
wherein:
Figure BDA0003666883880000049
$j = 1, 2, \ldots, M$, $k = 1, 2, \ldots, N$, and
Figure BDA00036668838800000410
Figure BDA00036668838800000411
Step 3.3: to reach the safe state z I Summarizing expected gain functions of the attacking party and the defending party;
step 3.4: by using a nonlinear programming method, an optimal control strategy for resisting moderate risk is obtained, and a Nash equilibrium solution is finally obtained
Figure BDA0003666883880000051
Step 3.5: whether to issue an alarm is selected according to the Nash equalization solution system.
Preferably, in the fourth step, the method of screening, removing and correcting the abnormal data fused with the network attack behavior specifically includes the following steps:
step 4.1: initializing the data set D acquired in the data service and marking all objects as unread, defining the epsilon-neighborhood, N, by Minkowski distance formula ε (x c )=(x c ∈D|dist(x c ,x d ) Epsilon) in which N is ε (x c ) Representing a set of all points in an epsilon-neighborhood, wherein epsilon represents a radius parameter and rho is defined as a minimum object parameter; when the object x c X when the number of data objects in the epsilon-neighborhood is greater than rho c Is a core object;
step 4.2: taking a data set D containing an arbitrary number of data objects p from the data set D c Wherein D is C E.g., D, c =1,2,3, and D c Marking as read;
and 4.2: judging the data object p through the epsilon and rho parameters, if p is a core object, finding out all density reachable data objects of p, and marking the density reachable data objects as read data; if p is not a core object and no object is reachable for p density, marking p as noise data;
step 4.3: in satisfying
Figure BDA0003666883880000052
Repeating step 4.2 and step 4.3 until all data are marked as read;
step 4.4: taking one core object as a seed, and classifying all density reachable points of the object into one class to form a data object set with a larger range;
step 4.5: the step 4.2 to the step 4.4 are circulated until all the core objects are traversed, and the data which are not classified into one class are left and are abnormal data;
step 4.6: taking the average value of normal data sets of different data types to replace abnormal data to execute normal operation;
step 4.7: the cycle ends.
Beneficial effects: the invention provides a game-theory-based network cooperative attack modeling and hazard quantitative analysis method mainly intended to solve the response problem of an active power distribution network that suffers a network cooperative attack. With this method, an integrated attack model and a game model of the users are established to solve the Nash equilibrium solution of the system, and the optimal response strategy is selected according to the Nash equilibrium solution, so that the influence of the network cooperative attack on the power grid data service is minimized.
Drawings
Fig. 1 is a structural diagram of the game-theory-based network cooperative attack modeling and hazard quantitative analysis method. The structure mainly comprises a hybrid model generator, a risk quantizer, a game model generator, a data filter and a data restorer.
Fig. 2 is a reference architecture diagram representing the components involved in the method of the invention.
FIG. 3 is a schematic flow diagram of the method of the present invention.
Detailed Description
For convenience of description, the following application example is assumed:
In recent years, with the rapid development of computer technology and under the influence of factors such as military and political affairs, network attack means against the internet emerge endlessly; the cooperative attack is a typical attack type and can have a huge influence on the data services of an active power distribution network. Suppose that the data service of the active power distribution network is attacked: the network security states of the attacking and defending parties and their costs are evaluated by a game method to obtain the optimal strategy of the response system. First, a hybrid switched system model is established for the active power distribution network by the finite state machine method, the decoupling of cooperative attack behaviors is completed through data cleaning and data association, a network cooperative attack dynamic combination model is established and the decoupled modeling of the cooperative attack is completed; attack detection is then performed by extracting attack behavior characteristics during system operation and the influence produced by a given attack behavior is calculated; finally, the costs and benefits of the attacking and defending parties are analyzed by the game theory method to obtain the optimal response strategy.
The specific embodiment for fig. 1 is:
Fig. 1 mainly shows the structure of the game-theory-based network cooperative attack modeling and hazard quantitative analysis method, which comprises a hybrid model generator, a risk analyzer, a game model generator, a data filter and a data restorer. The hybrid model generator depicts the complex, dynamic characteristics of the information and physical spaces, their intersection and their dynamic changes in the active power distribution network system; the risk analyzer completes the decoupled modeling of the cooperative attack from the communication angle, then performs attack detection by extracting attack behavior characteristics during system operation and calculates the influence produced by a given attack behavior; the game model generator analyzes the costs and network security states of the two parties when the system detects an attack to obtain the game model of the attacking and defending parties; the data filter screens the core objects out of the collected data; the data restorer classifies all core objects, screens out abnormal data, and replaces the abnormal data with the average value of the normal data sets of the different data types to execute normal operation. A specific description follows:
(1) Hybrid model generator
The hybrid model generator reveals the complex, dynamic characteristics of the information and physical spaces, their intersection and their dynamic changes in the active power distribution network system, and provides a theoretical basis for analyzing the influence of network attacks, designing security defense strategies, assessing security risks and so on in the active power distribution network system.
The hybrid model generator establishes a hybrid switched system model for the active power distribution network by the finite state machine method, detects and identifies the influence of attack behaviors from the collection and analysis of attack data, completes the decoupling of the cooperative attack behaviors through data cleaning and data association, and establishes a network cooperative attack dynamic combination model.
(2) Risk analyzer
The risk analyzer completes the decoupled modeling of the cooperative attack from the communication angle, then performs attack detection by extracting attack behavior characteristics during system operation, calculates the influence produced by a given attack behavior, and thus completes the cooperative attack situation analysis comprehensively.
(3) Game model generator
The game model generator adopts a zero-sum dynamic game method: the probabilities of the participants are obtained from the public knowledge held by the participants and from their historical behaviors, the next strategy is determined from these probabilities, and by refined Bayesian equilibrium this can be expanded into the power distribution network security attack-defense game model $G = (P, Z, \Theta, S)$, assuming that
Figure BDA0003666883880000071
And
Figure BDA0003666883880000072
Figure BDA0003666883880000073
$i = 0, 1, 2, \ldots, N$ is used to represent the utility functions of both game parties, i.e. a set of defense strategies is obtained,
Figure BDA0003666883880000074
and
Figure BDA0003666883880000075
respectively represent the defense strategy set under the attacker's strategy, the attacker's strategy set under the defense strategy, and the strategy set under the mutual influence of the attackers;
Figure BDA0003666883880000076
represents the set of final defense strategies that the attacker makes based on the defender's strategies as well as the other attackers' strategies.
When the security state $z_I$ is reached, the probability distributions over the strategies in the strategy sets of the attacking and defending parties are defined respectively as
Figure BDA0003666883880000077
And
Figure BDA0003666883880000078
Then the expected gain functions of the attacking and defending parties are solved, and the Nash equilibrium solution is finally obtained by a nonlinear programming method
Figure BDA0003666883880000079
And
Figure BDA00036668838800000710
realizing a dynamic comprehensive control strategy for resisting moderate risks.
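The zero-sum attack-defense game of step three (steps 3.1 to 3.5) and of the game model generator above can be illustrated with a small worked example. The code below is an added example written for this page, not code from the patent: the patent solves its game by nonlinear programming and gives no numeric instance, so the 2x2 payoff matrix, the use of fictitious play as the solver, and the alarm rule (alarm when the equilibrium expected loss exceeds the response cost) are all assumptions of this example. The bounds returned by `value_bounds` hold for any pair of mixed strategies, so they show how far a candidate response strategy is from equilibrium.

```python
"""Added example: zero-sum attack/defence game solved by fictitious play.

Illustration code written for this page, not code from the patent. The
payoff matrix is constructed; the alarm rule is an assumption.
"""
from typing import List, Sequence, Tuple

# Constructed payoff matrix. Entries are the attacker's utility, which in a
# zero-sum game equals the defender's loss. Rows: attacker strategies a1, a2
# (two attack behaviours against the data service). Columns: defender
# strategies d1, d2 (which component to protect). Values are made up.
ATTACK_PAYOFF: List[List[float]] = [
    #  d1   d2
    [1.0, 4.0],  # a1
    [3.0, 2.0],  # a2
]


def fictitious_play(payoff: Sequence[Sequence[float]],
                    rounds: int = 50_000) -> Tuple[List[float], List[float]]:
    """Approximate the mixed Nash equilibrium of a zero-sum matrix game.

    Each round both players best-respond to the opponent's empirical play so
    far (Brown's fictitious play). For zero-sum games the empirical
    frequencies converge to a Nash equilibrium. Returns (attacker_mix,
    defender_mix) as probability vectors over rows and columns.
    """
    m, n = len(payoff), len(payoff[0])
    attack_count = [0] * m
    defend_count = [0] * n
    row_score = [0.0] * m   # cumulative payoff of each pure attack vs. defender history
    col_score = [0.0] * n   # cumulative loss of each pure defence vs. attacker history
    attack, defend = 0, 0   # arbitrary opening moves
    for _ in range(rounds):
        attack_count[attack] += 1
        defend_count[defend] += 1
        for i in range(m):
            row_score[i] += payoff[i][defend]
        for j in range(n):
            col_score[j] += payoff[attack][j]
        attack = max(range(m), key=lambda i: row_score[i])  # attacker maximises
        defend = min(range(n), key=lambda j: col_score[j])  # defender minimises
    return ([c / rounds for c in attack_count],
            [c / rounds for c in defend_count])


def value_bounds(payoff: Sequence[Sequence[float]],
                 attacker_mix: Sequence[float],
                 defender_mix: Sequence[float]) -> Tuple[float, float]:
    """Bracket the game value v so that lower <= v <= upper for ANY mixes.

    lower: what the attacker mix guarantees against the best pure defence.
    upper: the most the defender mix can lose against the best pure attack.
    The gap closes as both mixes approach the Nash equilibrium.
    """
    m, n = len(payoff), len(payoff[0])
    lower = min(sum(attacker_mix[i] * payoff[i][j] for i in range(m)) for j in range(n))
    upper = max(sum(payoff[i][j] * defender_mix[j] for j in range(n)) for i in range(m))
    return lower, upper


def should_alarm(expected_loss: float, response_cost: float) -> bool:
    """Assumed alarm rule (not specified by the patent): alarm when the
    equilibrium expected loss to the data service exceeds the response cost."""
    return expected_loss > response_cost


if __name__ == "__main__":
    p, q = fictitious_play(ATTACK_PAYOFF)
    lo, hi = value_bounds(ATTACK_PAYOFF, p, q)
    print(f"attacker mix={p}, defender mix={q}")
    print(f"game value in [{lo:.3f}, {hi:.3f}], alarm={should_alarm(hi, 2.0)}")
```

For the constructed matrix the equilibrium can be checked by hand: the attacker mixes a1/a2 with probabilities 1/4 and 3/4, the defender mixes d1/d2 evenly, and the value (the defender's equilibrium expected loss) is 2.5, so with a response cost of 2.0 the rule raises an alarm and with a cost of 3.0 it does not.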
(4) Data filter
The data filter first marks all initialized data as unread and defines the $\varepsilon$-neighborhood; when the number of data objects in the $\varepsilon$-neighborhood of an object $x_c$ is greater than the minimum-object parameter $\rho$, $x_c$ is called a core object. A data set $D_c$ containing an arbitrary number of data objects $p$ is taken from the data set $D$, where $D_c \in D$, $c = 1, 2, 3, \ldots$, and $D_c$ is marked as read. The data $p$ is judged by the $\varepsilon$ and $\rho$ parameters: if $p$ is a core object, all density-reachable data objects of $p$ are found and marked as read; if $p$ is not a core object and no object is density-reachable from $p$, $p$ is marked as noise data. In this way the different types of data are screened out.
(5) Target recognizer
While the condition
Figure BDA0003666883880000081
holds, once all data are marked as read, one of the core objects is used as a seed and all density-reachable points of that object are classified into one class, forming a data object set of larger range, also called a cluster. The loop is repeated until all core objects have been traversed, and the data not classified into any cluster is taken as abnormal data. The identified abnormal data is removed and replaced with the average value of the normal data sets of the different data types, and normal operation is executed.
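The density-based screening of step four (steps 4.1 to 4.7) and of the data filter and target recognizer above, as an added example that is not the patent's own code. It implements the procedure the text describes: an $\varepsilon$-neighborhood under the Minkowski distance, core objects (neighborhood larger than $\rho$, strictly, as the patent states), clusters grown over density-reachable objects, noise left outside every cluster, and repair of the noise by the per-feature mean of the normal data. The telemetry readings, the parameter values and the interpretation of "different data types" as the separate features of each reading are constructed for this example.

```python
"""Added example: density-based screening and repair of anomalous telemetry.

Illustration code written for this page, not the patent's own code. The
sample readings and parameters are constructed.
"""
from typing import List, Optional, Sequence, Tuple

Point = Sequence[float]

# Constructed telemetry: (voltage in p.u., current in A) from one feeder.
# Indices 0-7 are normal operating points; 8 and 9 are injected anomalies.
SAMPLE: List[Point] = [
    (1.00, 10.0), (1.01, 10.2), (0.99, 9.8), (1.02, 10.1),
    (0.98, 9.9), (1.00, 10.3), (1.01, 9.7), (0.99, 10.0),
    (1.60, 40.0),   # implausible surge
    (0.20, 0.0),    # implausible dropout
]


def minkowski(a: Point, b: Point, p: float = 2.0) -> float:
    """Minkowski distance of order p (p=2 is Euclidean, p=1 Manhattan)."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)


def eps_neighbourhood(data: Sequence[Point], c: int, eps: float,
                      p: float = 2.0) -> List[int]:
    """Indices of all objects within distance eps of data[c] (c included)."""
    return [d for d in range(len(data)) if minkowski(data[c], data[d], p) <= eps]


def dbscan(data: Sequence[Point], eps: float, rho: int, p: float = 2.0) -> List[int]:
    """Label every object with a cluster id >= 0, or -1 for noise.

    An object is a core object when its eps-neighbourhood holds more than
    rho objects. Each cluster is grown over all density-reachable objects of
    its core objects; objects reached from no core object stay noise.
    """
    labels: List[Optional[int]] = [None] * len(data)   # None == unread
    cluster = 0
    for c in range(len(data)):
        if labels[c] is not None:
            continue
        neigh = eps_neighbourhood(data, c, eps, p)
        if len(neigh) <= rho:
            labels[c] = -1          # noise unless later reached from a core object
            continue
        labels[c] = cluster         # c is a core object: seed a new cluster
        seeds = [d for d in neigh if d != c]
        while seeds:
            d = seeds.pop()
            if labels[d] == -1:     # border object reached from a core object
                labels[d] = cluster
                continue
            if labels[d] is not None:
                continue
            labels[d] = cluster
            d_neigh = eps_neighbourhood(data, d, eps, p)
            if len(d_neigh) > rho:  # d is itself a core object: keep expanding
                seeds.extend(x for x in d_neigh if labels[x] is None or labels[x] == -1)
        cluster += 1
    return [-1 if lab is None else lab for lab in labels]


def repair(data: Sequence[Point], labels: Sequence[int]) -> List[Tuple[float, ...]]:
    """Replace every noise object with the per-feature mean of the normal data."""
    normal = [row for row, lab in zip(data, labels) if lab != -1]
    if not normal:
        raise ValueError("no normal data to take a mean from")
    dims = len(normal[0])
    mean = tuple(sum(row[k] for row in normal) / len(normal) for k in range(dims))
    return [mean if lab == -1 else tuple(row) for row, lab in zip(data, labels)]


def screen_and_repair(data: Sequence[Point], eps: float, rho: int,
                      p: float = 2.0) -> Tuple[List[int], List[Tuple[float, ...]]]:
    """Steps 4.1-4.6 in one call: cluster, flag noise, substitute the mean."""
    labels = dbscan(data, eps, rho, p)
    return labels, repair(data, labels)


if __name__ == "__main__":
    labels, fixed = screen_and_repair(SAMPLE, eps=1.0, rho=3)
    for raw, lab, row in zip(SAMPLE, labels, fixed):
        print(f"{raw} -> {'noise' if lab == -1 else 'cluster ' + str(lab)} -> {row}")
```

With $\varepsilon = 1.0$ and $\rho = 3$ every normal reading sees all eight normal readings in its neighborhood and forms a single cluster, while the two injected readings see only themselves and are flagged as noise and replaced by the normal mean (1.0 p.u., 10.0 A). The threshold in `dbscan` keeps the patent's strict "greater than $\rho$" rule, so an $\varepsilon$-neighborhood of exactly $\rho$ objects does not make a core object.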
According to Figs. 1 to 3, the process flow of the method provided by the invention is as follows:
1. Hybrid model generator
Define $\Delta t_l$, $l \in \{1, 2, \ldots, m\}$, to represent the sampling times of the corresponding different states in the active power distribution network system. Because equipment and information differ, the sampling periods differ, and the system state, which presents as a mix of discrete and continuous systems, can be represented by the following equation:
Figure BDA0003666883880000082
where $x_i(t)$, $i \in S_1$, represents a rapidly changing system state presented as a continuous system state; $x_j(t)$, $j \in S_2$, represents a slowly changing system state presented as a discrete system state; $A_i$, $B_i$, $D_i$ are the respective coefficient matrices; and $\omega_i(t)$ and $\omega_j(t)$ represent the external perturbations in the continuous and discrete components, respectively.
Taking $\Delta T$ as the greatest common factor of the sampling periods $\{\Delta t_1, \Delta t_2, \ldots, \Delta t_n\}$ of the different system parameters and states, the synchronous time within the limited time period in the asynchronous/synchronous dual-mode hybrid system can be obtained from $\Delta T$ as
Figure BDA0003666883880000083
Figure BDA0003666883880000091
When an attack action occurs in the system, the fast-changing signal with short sampling period and high sampling frequency is mainly used, and switching is carried out by the principle of proximity in order to avoid large signal jumps. The influence caused by the network attack is defined as an uncertain variable $\Delta$, and this randomly and dynamically changing component is merged into the discrete-continuous hybrid active power distribution network system to form an integrated system model with the following structure.
Figure BDA0003666883880000092
where x_i(t), i ∈ S_1, represents the continuous system state; x_j(t), j ∈ S_2, represents the discrete system state; ω_i(t) and ω_j(t) are the system disturbances; and Δ_i(t) and Δ_j(t) represent the randomly and dynamically varying components in the continuous and discrete systems, respectively.
2. Risk quantizer
Before the quantitative calculation, conventional industrial security protection software, an industrial firewall and the like need to be installed in the system to monitor and record system anomalies. Define the probability that a component element i in the active power distribution network system is hit by network attack a as ρ_ia and its impact on the safety of the system as π_ia; the quantitative risk of the system element i encountering a system attack is then
Figure BDA0003666883880000093
Where m indicates that the system may encounter m types of network attacks. Assuming that there are n system elements in the system, the security risk that the entire system may encounter can be quantitatively calculated as
Figure BDA0003666883880000094
3. Game model generator
Because of uncertainty, the probabilities of the participants are obtained from the public knowledge held by the participants and their historical behaviour, and the next strategy is determined from these probabilities; a power distribution network security attack and defence game model G = (P, Z, Θ, S) is assumed under perfect Bayesian equilibrium, where: P = (P_A, P_D) represents the set of participants of the attacking and defending parties, P_A being the attacker and P_D the defender; Z = {z_0, z_1, ..., z_N} is the set of states used to represent network security;
Figure BDA0003666883880000095
I = 0, 1, 2, ..., N, is used to represent the set of strategy sets of both the attacking and defending parties;
Figure BDA0003666883880000096
and
Figure BDA0003666883880000097
are respectively used to denote the sets of all possible strategies of the attacker and the defender when the system is to reach the security state z_I; they can be expanded into
Figure BDA0003666883880000098
and
Figure BDA0003666883880000099
Figure BDA0003666883880000101
I = 0, 1, 2, ..., N, is used to represent the utility functions of both parties in the game, which gives:
Figure BDA0003666883880000102
Figure BDA0003666883880000103
Figure BDA0003666883880000104
Figure BDA0003666883880000105
wherein
Figure BDA0003666883880000106
and
Figure BDA0003666883880000107
respectively representing a defense strategy set under an attacker strategy, a strategy set of an attacker under the defense strategy and a strategy set under the mutual influence of the attackers;
Figure BDA0003666883880000108
representing the final set of strategies that the attacker settles on based on the defender's strategies as well as the other attackers' strategies.
Since neither the attacker nor the defender can know all of the other party's information, a pure-strategy Nash equilibrium solution does not exist and the strategies are randomized; the probability distributions over the strategy sets of the attacking and defending parties when the security state z_I is to be reached are defined respectively as
Figure BDA0003666883880000109
and
Figure BDA00036668838800001010
wherein
Figure BDA00036668838800001011
Figure BDA00036668838800001012
j = 1, 2, ..., M, k = 1, 2, ..., N, and
Figure BDA00036668838800001013
At this time, if the security state z_I is to be reached, the expected payoff functions of the attacking and defending parties can be summarized as:
Figure BDA00036668838800001014
Figure BDA0003666883880000111
With the nonlinear programming method, the optimal control strategy for resisting "moderate risk" can be expressed as:
Figure BDA0003666883880000112
s.t.
Figure BDA0003666883880000113
wherein c is the maximum system safety factor,
Figure BDA0003666883880000114
and
Figure BDA0003666883880000115
respectively represent the corresponding unit row vectors,
Figure BDA0003666883880000116
and
Figure BDA0003666883880000117
respectively represent the expectations of the attacker and the defender under Nash equilibrium, and finally the Nash equilibrium solution is obtained:
Figure BDA0003666883880000118
and
Figure BDA0003666883880000119
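Sections 2 and 3 above (and steps 3 to 6 of the embodiment below) can be exercised on a small constructed scenario. The following Python is an added example, not code from the patent: it assumes the risk quantizer is the probability-weighted impact sum V_i = Σ_a ρ_ia π_ia combined into V = Σ_i γ_i V_i, models the attack and defence game as a zero-sum matrix game whose entries are the residual system risk, approximates the mixed Nash equilibrium by fictitious play (a stand-in for the nonlinear programme, whose equations survive only as images on this page), and raises an alarm when the equilibrium risk exceeds the safety factor c; the mitigation table, the alarm rule and all numbers are constructed.

```python
"""Risk quantizer and attack/defence game for an active power distribution
network.  Added illustration, not the patent's code.  Assumed forms, since the
page's equations survive only as images:
    V_i = sum_a rho[i][a] * pi[i][a]   risk of element i over the m attack types
    V   = sum_i gamma[i] * V_i         weighted system risk over the n elements
Game: the attacker picks an attack type (row), the defender a measure (column);
each entry is the residual system risk, which the attacker maximises and the
defender minimises (zero-sum).  Fictitious play approximates the mixed Nash
equilibrium and yields provable bounds lo <= game value <= hi."""
from typing import List, Sequence, Tuple

Matrix = List[List[float]]


def element_risk(rho: Sequence[float], pi: Sequence[float]) -> float:
    """V_i: probability-weighted impact of the m attack types on one element."""
    if len(rho) != len(pi):
        raise ValueError("rho and pi must cover the same attack types")
    return sum(p * q for p, q in zip(rho, pi))


def system_risk(rho: Matrix, pi: Matrix, gamma: Sequence[float]) -> float:
    """V: element risks combined with the element weights gamma_i."""
    if abs(sum(gamma) - 1.0) > 1e-9:
        raise ValueError("element weights must sum to 1")
    return sum(g * element_risk(r, p) for g, r, p in zip(gamma, rho, pi))


def residual_risk_matrix(rho: Matrix, pi: Matrix, gamma: Sequence[float],
                         mitigation: Matrix) -> Matrix:
    """Payoff matrix of the game.  Row a: the attacker launches only attack
    type a.  Column d: the defender applies measure d, which scales the impact
    of attack type k by mitigation[d][k] (1.0 = no effect, 0.0 = fully blocked).
    The mitigation model is a constructed assumption."""
    m = len(rho[0])
    payoff: Matrix = []
    for a in range(m):
        rho_a = [[r[k] if k == a else 0.0 for k in range(m)] for r in rho]
        row = []
        for d in range(len(mitigation)):
            pi_d = [[p[k] * mitigation[d][k] for k in range(m)] for p in pi]
            row.append(system_risk(rho_a, pi_d, gamma))
        payoff.append(row)
    return payoff


def fictitious_play(payoff: Matrix, rounds: int = 50000
                    ) -> Tuple[List[float], List[float], float, float]:
    """Each side repeatedly best-responds to the other's empirical strategy.
    Returns (attacker mix, defender mix, lo, hi) with lo <= value <= hi."""
    m, n = len(payoff), len(payoff[0])
    a_hist, d_hist = [0] * m, [0] * n       # how often each strategy was played
    a_gain, d_loss = [0.0] * m, [0.0] * n   # cumulative payoff vs. opponent history
    a_cur, d_cur = 0, 0
    for _ in range(rounds):
        a_hist[a_cur] += 1
        d_hist[d_cur] += 1
        for i in range(m):
            a_gain[i] += payoff[i][d_cur]
        for j in range(n):
            d_loss[j] += payoff[a_cur][j]
        a_cur = max(range(m), key=a_gain.__getitem__)   # attacker best response
        d_cur = min(range(n), key=d_loss.__getitem__)   # defender best response
    attacker = [k / rounds for k in a_hist]
    defender = [k / rounds for k in d_hist]
    lo = min(d_loss) / rounds   # the attacker's empirical mix guarantees >= lo
    hi = max(a_gain) / rounds   # the defender's empirical mix concedes <= hi
    return attacker, defender, lo, hi


def alarm_needed(lo: float, hi: float, c: float) -> bool:
    """Assumed alarm rule: alarm when the equilibrium expected risk (midpoint
    of the value bounds) exceeds the maximum system safety factor c."""
    return (lo + hi) / 2.0 > c


# Constructed scenario: n = 2 elements, m = 2 attack types, 2 defence measures.
RHO = [[0.3, 0.2],         # element 1: P(attack type 1), P(attack type 2)
       [0.1, 0.4]]         # element 2
PI = [[0.8, 0.5],          # impact on system safety, per element and attack type
      [0.6, 0.9]]
GAMMA = [0.6, 0.4]         # element weights gamma_i
MITIGATION = [[0.5, 1.0],  # measure 1 halves the impact of attack type 1
              [1.0, 0.4]]  # measure 2 cuts attack type 2 to 40 % impact
SAFETY_FACTOR_C = 0.1      # constructed threshold c

if __name__ == "__main__":
    print("unmitigated system risk V =", round(system_risk(RHO, PI, GAMMA), 4))
    payoff = residual_risk_matrix(RHO, PI, GAMMA, MITIGATION)
    att, dfn, lo, hi = fictitious_play(payoff)
    print("attacker mix:", [round(x, 3) for x in att], "defender mix:", [round(x, 3) for x in dfn])
    print("equilibrium risk in [%.4f, %.4f]" % (lo, hi))
    print("alarm:", alarm_needed(lo, hi, SAFETY_FACTOR_C))
```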
4. Data filter
The data filter first initializes all data and marks them as unread, then defines the ε-neighbourhood N_ε(x_i) = {x_j ∈ D | dist(x_i, x_j) ≤ ε}, where N_ε(x_i) represents the set of all points within the ε-neighbourhood and ε is the radius parameter. When the number of data objects in the ε-neighbourhood of an object x_i is greater than ρ, i.e. |N_ε(x_i)| > ρ, x_i is called a core object. Not all data objects in a data set are core objects; there are also edge objects and noise objects. An edge object is a data object that is not a core object but lies in the ε-neighbourhood of a core object; a noise object is a data object that is not a core object and does not lie in the ε-neighbourhood of any core object. A data set D_i containing an arbitrary number of data objects p is taken from the data set D, where D_i ∈ D, i = 1, 2, 3, ..., and D_i is marked as read. The data p are judged by the parameters ε and ρ: if p is a core object, all density-reachable data objects of p are found and marked as read. If p is not a core object and no object is density-reachable from p, p is marked as noise data, thereby screening out the different types of data.
5. Data restorer
When the condition
Figure BDA00036668838800001110
is satisfied and all data are marked as read, one of the core objects is used as a seed, and all density-reachable points of that object are classified into one class, forming a larger data object set, also called a cluster. The loop is repeated until all core objects have been traversed, and any data left unclassified are the abnormal data. The identified abnormal data are removed and replaced with the normal data set of the different data types so that normal operation can be executed.
The specific embodiment corresponding to Figures 2 and 3 is:
Step 1: define Δt_l, l ∈ {1, 2, ..., m}, as the sampling time of the corresponding state l in the above system, and obtain a system state equation that is a hybrid of the discrete and continuous systems.
Taking ΔT as the greatest common factor of the sampling periods {Δt_1, Δt_2, ..., Δt_n} of the different system parameters and states, the synchronous time within a limited time period in the asynchronous/synchronous dual-mode hybrid system can be obtained:
Figure BDA0003666883880000121
When an attack action occurs in the system, the fast-changing signal with the short sampling period and high sampling frequency is mainly used, and the nearest-neighbour principle is adopted for switching.
Step 2: the influence caused by the network attack is defined as an uncertain variable Δ, and this randomly and dynamically changing component is merged into the discrete-continuous hybrid active power distribution network system to form an integrated system model.
Step 3: define the probability that component element i in the active power distribution network system is hit by network attack a as ρ_ia and its impact on the safety of the system as π_ia; the quantitative risk that system element i may encounter a system attack is
Figure BDA0003666883880000122
Where m indicates that the system may encounter m types of network attacks.
Step 4: assuming that there are n system elements in the system, the security risk that the system may encounter is quantified as
Figure BDA0003666883880000123
Step 5: under perfect Bayesian equilibrium, assume a power distribution network security attack and defence game model G = (P, Z, Θ, S), where: P = (P_A, P_D) represents the set of participants of the attacking and defending parties, P_A being the attacker and P_D the defender; Z = {z_0, z_1, ..., z_N} is used to represent the set of network security states;
Figure BDA0003666883880000124
I = 0, 1, 2, ..., N, is used to represent the utility functions of both game parties; the defence strategy set under the attacker's strategy can be obtained as
Figure BDA0003666883880000125
the strategy set of the attacker under the defence strategy as
Figure BDA0003666883880000126
and the strategy set under the mutual influence of the attackers as
Figure BDA0003666883880000127
Step 6: define the probability distributions over the strategy sets of the attacking and defending parties respectively as
Figure BDA0003666883880000128
and
Figure BDA0003666883880000129
obtain the expected payoff functions of both the attacking and defending parties, express the optimal control strategy for resisting moderate risk, and finally obtain the Nash equilibrium solution
Figure BDA00036668838800001210
and
Figure BDA00036668838800001211
so that an optimal response is achieved.
Step 7: initialize the data set D acquired in the data service, mark all objects as unread, and define ρ as the minimum object parameter. When the number of data objects in the ε-neighbourhood of an object x_c is greater than ρ, x_c is a core object; a data set D_c containing an arbitrary number of data objects p is taken from the data set D, and D_c is marked as read.
Step 8: judge the data p by the parameters ε and ρ; if p is a core object, find all density-reachable data objects of p and mark them as read. If p is not a core object and no object is density-reachable from p, mark p as noise data, and repeat the marking until all data are marked as read.
Step 9: select a core object, classify all density-reachable points of that object into one class to form a larger cluster, iterate until all core objects have been traversed, screen out the abnormal data, and replace the abnormal data with the average value of the normal data sets of the different data types to perform normal operation.
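The density-based screening and repair of steps 7 to 9 (sections 4 and 5 above, claim 6 below), written out as an added Python example that is not the patent's own code. It assumes a Minkowski distance of order 2 (claim 6 names the Minkowski formula but not the order), applies the page's core condition "more than ρ objects in the ε-neighbourhood" literally with the object itself counted, and reads "the normal data set of the data type" as the mean of the normal samples sharing the abnormal sample's type; the sample set, with one injected outlier per type, is constructed.

```python
"""Density-based data filter and restorer (steps 7 to 9 and claim 6).
Added illustration, not the patent's code.  Each sample is a point in R^k
with a data type tag.  Assumptions: Minkowski distance of order 2 (claim 6
names the Minkowski formula but not the order); the page's core condition
"more than rho objects in the eps-neighbourhood" is applied literally, with
the object itself counted; abnormal samples are replaced by the mean of the
normal samples of the same data type."""
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]
Sample = Tuple[str, Point]      # (data type, measurement vector)
NOISE = -1                      # label for abnormal (unclustered) objects


def minkowski(x: Point, y: Point, order: float = 2.0) -> float:
    return sum(abs(a - b) ** order for a, b in zip(x, y)) ** (1.0 / order)


def eps_neighbourhood(points: Sequence[Point], idx: int, eps: float,
                      order: float) -> List[int]:
    """Indices of all objects within distance eps of points[idx], itself included."""
    return [j for j, y in enumerate(points)
            if minkowski(points[idx], y, order) <= eps]


def density_cluster(points: Sequence[Point], eps: float, rho: int,
                    order: float = 2.0) -> List[int]:
    """Steps 7 to 9: mark objects as read, grow clusters from core objects
    along density-reachable points, leave unreachable objects as NOISE."""
    read = [False] * len(points)
    labels = [NOISE] * len(points)
    cluster = 0
    for i in range(len(points)):
        if read[i]:
            continue
        read[i] = True
        neigh = eps_neighbourhood(points, i, eps, order)
        if len(neigh) <= rho:          # not core: stays NOISE unless reached later
            continue
        labels[i] = cluster
        seeds = [j for j in neigh if j != i]
        while seeds:                   # expand along density-reachable objects
            j = seeds.pop()
            if labels[j] == NOISE:     # edge object, or a point not reached before
                labels[j] = cluster
            if read[j]:
                continue
            read[j] = True
            neigh_j = eps_neighbourhood(points, j, eps, order)
            if len(neigh_j) > rho:     # j is itself a core object: keep expanding
                seeds.extend(k for k in neigh_j if not read[k] or labels[k] == NOISE)
        cluster += 1
    return labels


def restore(samples: Sequence[Sample], labels: Sequence[int]) -> List[Sample]:
    """Replace each abnormal sample by the mean of the normal samples of the
    same data type (assumed reading of 'normal data set of the data type')."""
    normal: Dict[str, List[Point]] = {}
    for (kind, p), lab in zip(samples, labels):
        if lab != NOISE:
            normal.setdefault(kind, []).append(p)
    means = {kind: tuple(sum(c) / len(pts) for c in zip(*pts))
             for kind, pts in normal.items()}
    out: List[Sample] = []
    for (kind, p), lab in zip(samples, labels):
        if lab == NOISE and kind not in means:
            raise ValueError(f"no normal data of type {kind!r} to restore from")
        out.append((kind, means[kind]) if lab == NOISE else (kind, p))
    return out


def screen_and_restore(samples: Sequence[Sample], eps: float, rho: int
                       ) -> Tuple[List[int], List[Sample]]:
    labels = density_cluster([p for _, p in samples], eps, rho)
    return labels, restore(samples, labels)


# Constructed sample set: (value, rate of change) per measurement; the last
# sample of each type is an injected outlier standing in for attacked data.
SAMPLES: List[Sample] = [
    ("voltage", (1.00, 0.00)), ("voltage", (1.01, 0.01)), ("voltage", (0.99, -0.01)),
    ("voltage", (1.00, 0.02)), ("voltage", (1.02, 0.00)), ("voltage", (1.60, 0.30)),
    ("current", (10.0, 0.0)), ("current", (10.1, 0.1)), ("current", (9.9, -0.1)),
    ("current", (10.0, 0.2)), ("current", (3.0, -2.0)),
]

if __name__ == "__main__":
    labels, restored = screen_and_restore(SAMPLES, eps=0.3, rho=3)
    for (kind, p), lab, (_, q) in zip(SAMPLES, labels, restored):
        print(f"{kind:8s} {p} -> cluster {lab:2d}  restored {q}")
```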

Claims (6)

1. A network cooperative attack modeling and hazard quantitative analysis method based on game theory is characterized by comprising the following steps:
step one, constructing a hybrid integrated model for fusing network attacks aiming at an active power distribution network
Aiming at an active power distribution network system, a mixed integrated model fused with network attack is constructed by adopting a finite-state machine method; the constructed hybrid integrated model is a network cooperative attack dynamic combination model, the influence of network attack behaviors can be detected and identified by collecting and analyzing network attack data, and the decoupling of the network cooperative attack behaviors is completed by data cleaning and data association;
step two, risk generated by network attack behavior is quantified
Attack detection is carried out according to the extraction of network cooperation attack behavior characteristics in the operation process of the active power distribution network system, and the influence generated by the corresponding network attack behavior is calculated so as to comprehensively complete the analysis of the network cooperation attack situation;
step three, responding to network attack behaviors by constructing a security attack and defense game model
A zero-sum dynamic game method is adopted, a security attack and defense game model is constructed according to the perfect Bayesian equilibrium conditions for the game of both attack and defense parties, the corresponding network cooperative attack behavior is responded to by solving the Nash equilibrium solution of the security attack and defense game model, the influence of the network cooperative attack behavior on the data service of the active power distribution network system is reduced to the minimum, whether an alarm is needed is determined according to the obtained Nash equilibrium solution, and the abnormal data fused with the network attack behavior is screened, eliminated and corrected;
step four, screening, eliminating abnormal data fused with network attack behaviors and correcting
After the Nash equilibrium solution obtained in step three determines that an alarm is needed, the abnormal data fused with network attack behaviors are screened, eliminated and corrected by a density-based clustering method.
2. The game theory-based network collaborative attack modeling and hazard quantitative analysis method according to claim 1, wherein in the first step, the construction mode of the hybrid integrated model specifically comprises the following steps:
step 1.1: data sampling: define Δt_l, l ∈ {1, 2, ..., m}, to represent the data sampling time interval of the corresponding state l in the active power distribution network system; proceed to step 1.2;
step 1.2: taking ΔT as the greatest common factor of the sampling periods {Δt_1, Δt_2, ..., Δt_n} of the different system parameters and states, obtain the synchronous time of the asynchronous/synchronous dual-mode hybrid system within a limited time period
Figure FDA0003666883870000011
and proceed to step 1.3;
step 1.3: when a network attack behavior occurs in the active power distribution network system, the fast-changing signal with the short sampling period and high sampling frequency is mainly used, and the nearest-neighbour principle is adopted for switching; proceed to step 1.4;
step 1.4: the influence brought by the network attack is defined as an uncertain variable Δ, and this randomly and dynamically changing component is merged into the discrete-continuous hybrid active power distribution network system to form a hybrid integrated model fused with the network attack.
3. The game theory-based network collaborative attack modeling and hazard quantitative analysis method according to claim 1, wherein a hybrid integrated model fused with network attacks is as follows:
Figure FDA0003666883870000021
where x_i(t) represents the continuous system state of continuous-time variable i of the system as a function of time t, and S_1 represents the set of continuous-time variables i; x_j(t) represents the discrete system state of discrete-time variable j of the system as a function of time t, j ∈ S_2, and S_2 represents the set of discrete-time variables j; S represents the collection of the continuous-time variables i and the discrete-time variables j; ω_i(t) and ω_j(t) represent the disturbances of the continuous and discrete systems, respectively; Δ_i(t) and Δ_j(t) respectively represent the network attack behavior influence components of the continuous and discrete systems; A_i is the coefficient matrix of the continuous system state, B_i the coefficient matrix of the continuous system disturbance, and D_i the coefficient matrix of the network attack behavior influence component in the continuous system; A_j is the coefficient matrix of the discrete system state, B_j the coefficient matrix of the discrete system disturbance, and D_j the coefficient matrix of the network attack behavior influence component in the discrete system.
4. The game theory-based network collaborative attack modeling and harm quantitative analysis method according to claim 2, wherein in the second step, quantifying risks generated by network attack behaviors specifically comprises the following steps:
step 2.1: define the probability that component element i in the active power distribution network system is hit by network attack a as ρ_ia and its influence on system safety as π_ia; the risk quantification V_i of a possible network attack on component element i is calculated as:
Figure FDA0003666883870000022
step 2.2: from the risk quantification V_i obtained in step 2.1, calculate the security risk quantification V that the whole system may encounter:
Figure FDA0003666883870000023
where γ_i represents the weight of component element i, i ∈ [1, n], of the active power distribution network.
5. The network collaborative attack modeling and hazard quantitative analysis method based on the game theory as claimed in claim 2, characterized in that in the third step, the construction mode of the security attack and defense game model and the response of the security attack and defense game model to the network attack behavior are carried out as follows:
step 3.1: defining a power distribution network security attack and defense game model G = (P, Z, Θ, S), wherein:
P = (P_A, P_D) represents the set of participants of the attacking and defending parties, P_A being the attacker and P_D the defender;
Z = {z_0, z_1, ..., z_N} is the set used to represent the network security states;
Figure FDA0003666883870000031
is used to represent the strategy sets of the attacking and defending parties,
Figure FDA0003666883870000032
and
Figure FDA0003666883870000033
respectively denote the sets of all possible strategies of the attacker and the defender when the system is to reach the security state z_I,
Figure FDA0003666883870000034
Figure FDA0003666883870000035
is used to represent the utility functions of both parties of the game;
step 3.2: define the probability distributions over the strategy sets of the attacking and defending parties when the security state z_I is to be reached respectively as follows:
Figure FDA0003666883870000036
Figure FDA0003666883870000037
wherein:
Figure FDA0003666883870000038
and
Figure FDA0003666883870000039
Figure FDA00036668838700000310
step 3.3: summarize the expected payoff functions of the attacking party and the defending party for reaching the security state z_I;
step 3.4: by using a nonlinear programming method, an optimal control strategy for resisting moderate risk is obtained, and a Nash equilibrium solution is finally obtained
Figure FDA00036668838700000311
step 3.5: the system selects whether to issue an alarm according to the Nash equilibrium solution.
6. The game theory-based network collaborative attack modeling and hazard quantitative analysis method according to claim 2, wherein in the fourth step, a mode of screening, eliminating and correcting abnormal data fused with network attack behaviors specifically comprises the following steps:
step 4.1: initialize the data set D acquired in the data service and mark all objects as unread; define the ε-neighbourhood by the Minkowski distance formula as N_ε(x_c) = {x_d ∈ D | dist(x_c, x_d) ≤ ε}, where N_ε(x_c) represents the set of all points in the ε-neighbourhood, ε represents the radius parameter, and ρ is defined as the minimum object parameter; when the number of data objects in the ε-neighbourhood of an object x_c is greater than ρ, x_c is a core object;
step 4.2: take from the data set D a data set D_c containing an arbitrary number of data objects p, where D_c ∈ D, c = 1, 2, 3, ..., and mark D_c as read;
step 4.2: judge the data object p by the parameters ε and ρ; if p is a core object, find all density-reachable data objects of p and mark them as read; if p is not a core object and no object is density-reachable from p, mark p as noise data;
step 4.3: while
Figure FDA0003666883870000041
is satisfied, repeat step 4.2 and step 4.3 until all data are marked as read;
step 4.4: take one core object as a seed and classify all density-reachable points of that object into one class to form a larger data object set;
step 4.5: cycle through steps 4.2 to 4.4 until all core objects have been traversed; the data not classified into any class are abnormal data;
step 4.6: replace the abnormal data with the average value of the normal data sets of the different data types and execute normal operation;
step 4.7: the cycle ends.
CN202210593965.0A 2022-05-27 2022-05-27 Network collaborative attack modeling and hazard quantitative analysis method based on game theory Active CN115296830B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210593965.0A CN115296830B (en) 2022-05-27 2022-05-27 Network collaborative attack modeling and hazard quantitative analysis method based on game theory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210593965.0A CN115296830B (en) 2022-05-27 2022-05-27 Network collaborative attack modeling and hazard quantitative analysis method based on game theory

Publications (2)

Publication Number Publication Date
CN115296830A true CN115296830A (en) 2022-11-04
CN115296830B CN115296830B (en) 2024-02-13

Family

ID=83819510

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210593965.0A Active CN115296830B (en) 2022-05-27 2022-05-27 Network collaborative attack modeling and hazard quantitative analysis method based on game theory

Country Status (1)

Country Link
CN (1) CN115296830B (en)

Also Published As

Publication number Publication date
CN115296830B (en) 2024-02-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant