CN115378699A - Power grid state topology collaborative false data attack defense method - Google Patents

Publication number
CN115378699A
Authority
CN
China
Prior art keywords
data
attack
topology
telemetering
detection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211000769.4A
Other languages
Chinese (zh)
Inventor
赖昱
刘璐
覃智君
林鸿宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangxi University
Original Assignee
Guangxi University
Application filed by Guangxi University
Priority to CN202211000769.4A
Publication of CN115378699A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a power grid state topology collaborative false data attack defense method, based on a spatio-temporal multi-modal neural network, comprising the following steps: 1. filtering bad data with a residual detection method, then performing attack detection and localization on the data with a detection model consisting of a graph auto-encoder and a residual neural network; 2. constructing a prediction model based on spatio-temporal features, and predicting the corresponding telemetry data from a set of possible remote signaling states; 3. inputting telemetry and remote signaling combinations into the detection model using an N-k search, and taking the data that pass detection as the true values. The invention remedies the unsuitability of traditional methods for the cooperative FDIA scenario; the defense strategy is more robust when the topology has been tampered with, strengthens the grid's ability to defend against cooperative FDIA, and meets the industry's practical need for cooperative FDIA defense.

Description

Power grid state topology cooperative false data attack defense method
Technical Field
The invention belongs to the technical field of operation safety maintenance of power systems, and particularly relates to a power grid state topology cooperative false data attack defense method.
Background
Currently, the power system has developed into a Cyber-Physical Power System (CPPS) in which the information system and the physical system are deeply coupled. The CPPS includes a large number of communication nodes, and the vulnerability of these nodes makes network attacks against the CPPS frequent. Among the many types of network attack, the False Data Injection Attack (FDIA) has attracted a great deal of attention in academia and industry because of its high concealment and destructiveness. FDIA has continued to develop and has become the cooperative FDIA, which simultaneously tampers with system electrical quantities (i.e., telemetry) and topology information (i.e., remote signaling). The attack can make part of the system unobservable, and under a large-scale FDIA the information about the current system operating state held by the power grid dispatching center is markedly less than that held by the attacker, i.e. a defense scenario under asymmetric information. In view of this, constructing a systematic FDIA defense strategy under such asymmetric information is of great significance to the safe operation of the power system.
At present, systematic defense against FDIA in power systems remains a difficult problem worldwide. Although dozens of research papers at home and abroad address it, the industry has so far no mature solution for FDIA. The existing literature on FDIA defense strategies shows two shortcomings: 1. the detection and localization methods assume that the system topology is completely observable, i.e. that the Jacobian matrix of the state estimation is known, and defense scenarios in which attacks leave the system with low observability are little studied. 2. Recovery methods mostly focus on recovering either telemetry or remote signaling data, and few studies address the case where neither is observable. Therefore, it is necessary to propose a systematic defense strategy that can mitigate the influence of the cooperative FDIA and defend more effectively against it under information asymmetry.
The FDIA defense strategy of the present invention is divided into three phases: detection, localization and recovery. The difficulty lies in how to detect data of the two different modalities, telemetry and remote signaling, under asymmetric information, and how to determine the operating condition of an unobservable area. To address these challenges, the invention provides a systematic defense strategy based on multi-modal deep learning, aiming to ensure the observability and FDIA resistance of the power grid and to enhance its stability during operation under asymmetric information.
Disclosure of Invention
The invention aims to solve the technical problems that cooperative FDIA measurement data are difficult to detect and the safe operation state is difficult to recover under the condition that a power grid cannot be observed in a large range, and provides a power grid state topology cooperative false data attack defense method.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention relates to a power grid state topology collaborative false data attack defense method, which comprises the following steps:
(1) Filtering bad data with a residual detection method, then detecting the data with a detection model and determining the attacked measurement data: the network topology and telemetry data are checked with the residual detection method, and bad data produced by physical network operation faults, equipment measurement errors and communication system noise are filtered out, so that only real data and false data tampered with by the cooperative FDIA remain in the system; the telemetry and remote signaling data are then sent together into the detection model, the attacked buses and branches are identified, and the attacked area is determined;
(2) Constructing a prediction model based on spatio-temporal features, and predicting the corresponding telemetry data from a set of possible remote signaling states: a spatio-temporal feature prediction model is built on a spatio-temporal neural network and comprises a historical feature processing module and an existing feature processing module; the model predicts the corresponding telemetry data from the historical topology, the telemetry and remote signaling data are then sent to the detection model, and data recovery is complete if they pass detection; if they do not pass, the next step is carried out;
(3) Inputting telemetry and remote signaling combinations into the prediction model based on spatio-temporal features using an N-k search, and taking the data that pass detection as the true values: possible topologies are inferred from the historical topology information of the unobservable area, the telemetry data corresponding to each possible topology are predicted, the telemetry and remote signaling combinations are sent into the detection model, and the correct data combination is screened out.
The detection model is constructed by using a Graph Auto-Encoder (GAE) and a Residual Neural network (ResNet), and the attack detection process is shown as the following formula:
V=GAE(A,X)
Figure BDA0003807277560000031
where V is the extracted topological feature, A is the adjacency matrix, X is the node feature, and z is the telemetry data;
Figure BDA0003807277560000036
represents a feature fusion operation. The detection model outputs a set of {0,1} labels indicating whether the corresponding measurement is attacked, and the attacked area of the power grid is determined from these labels.
The prediction model based on the space-time characteristics is constructed according to the following method:
A spatio-temporal feature prediction model based on a spatio-temporal neural network (Bi-GAE-LSTM) is constructed using GAE and a Long Short-Term Memory neural network (LSTM). The Bi-GAE-LSTM model comprises a historical feature processing module and an existing feature processing module. In a power system with n buses and b branches, where the attack area comprises $n_a$ buses and $b_a$ branches, the input is
Figure BDA0003807277560000032
and the output is
Figure BDA0003807277560000033
The Bi-GAE-LSTM model is given by the following formulas:
$V_n = \sigma(W A_p X_n)$
Figure BDA0003807277560000034
Figure BDA0003807277560000035
where $A_t$ is the normalized adjacency matrix serving as the graph convolution kernel, obtained from the topology corresponding to the historical measurement data; $A_p$ is the normalized adjacency matrix of the resulting current topology, which depends on the possible topology of the unobservable region; $W$, $W_{h1}$ and $W_{h2}$ are weight matrices; $\sigma$ is an activation function; LSTM denotes the long short-term memory neural network layer; $V_n$ represents the spatial features extracted from the existing observables; $V_h$ represents the temporal features extracted from historical measurements;
Figure BDA0003807277560000041
represents a feature fusion operation; FC denotes a fully connected layer; M is the final prediction result, i.e. the recovered measurement data.
$\sigma$ is the ReLU function.
The residual detection method detects and filters bad data produced by physical network operation faults, equipment measurement errors and communication system noise, using a two-norm test with a given threshold. The test is as follows:
$$\|r_a\| = \|z_a - Hx_a\| = \|z + a - H(x + c)\| = \|z - Hx\| < \tau$$
where $\tau$ is a constant threshold, $r_a$ is the residual vector, $z_a$ is the attacked telemetry data, $H$ is the Jacobian matrix of the state estimation, $x_a$ is the attacked state variable, and $z$ is the normal telemetry data; $a$ is the attack vector, $x$ is the state variable, and $c$ is the vector that causes the state variable error.
The objective of the N-k search is expressed as:
$\min \sum |Hc|$
$\text{s.t. } |Hc| = De(A_p, M_p)$
Figure BDA0003807277560000042
where $|Hc|$ represents the number of measurements for which attacks are detected; $De$ represents the detection model proposed in chapter iii; $A_p$ represents one possible topology; $M_p$ represents the measurement data recovered according to topology $A_p$, the recovery method following formula (4.6);
Figure BDA0003807277560000043
represents the set of possible topologies, which depends on the topology of the unknown region.
The searching process of the N-k searching mode comprises the following steps:
(1) Determining an unknown region, and generating a set of all topological structures of the unknown region;
(2) Using the prediction model described above, recovering the telemetry data corresponding to each possible topology;
(3) Sending each pair of topology and telemetry data into the detection model to obtain a set of data that passes the detection model safely;
(4) Taking the safe data as pseudo-measurements of the unknown area to complete data recovery.
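The residual test and the four N-k search steps above, worked through as an added example (not code from the patent): a constructed 4-bus DC system in which an equal-weight least-squares residual check stands in for the GAE+ResNet detection model and the DC estimate stands in for the Bi-GAE-LSTM predictor. The bus layout, susceptance, threshold, noise and all function names are assumptions made for the illustration.

```python
from itertools import combinations

# Constructed 4-bus DC test system (not from the patent); bus 0 is the angle reference.
B = 10.0                             # susceptance of every branch (assumed)
KNOWN = [(0, 1), (0, 2)]             # observable branches, always closed
UNKNOWN = [(1, 2), (1, 3), (2, 3)]   # branches whose remote signaling is not trusted
N_BUS = 4
TAU = 0.01                           # residual threshold tau (constructed value)

def flow_row(i, j):
    """Row of H for the flow B * (theta_i - theta_j); columns are angles of buses 1..3."""
    row = [0.0] * (N_BUS - 1)
    if i:
        row[i - 1] += B
    if j:
        row[j - 1] -= B
    return row

def build_h(status):
    """H for telemetry [flows on KNOWN, injection at every bus] under a candidate
    status tuple for UNKNOWN (1 = closed, 0 = open)."""
    closed = KNOWN + [ln for ln, s in zip(UNKNOWN, status) if s]
    rows = [flow_row(i, j) for i, j in KNOWN]
    for bus in range(N_BUS):
        inj = [0.0] * (N_BUS - 1)
        for i, j in closed:
            if bus in (i, j):
                sign = 1.0 if bus == i else -1.0
                inj = [a + sign * f for a, f in zip(inj, flow_row(i, j))]
        rows.append(inj)
    return rows

def matvec(h, x):
    return [sum(a * b for a, b in zip(row, x)) for row in h]

def estimate(h, z):
    """Equal-weight least squares x_hat = (H^T H)^-1 H^T z.
    Returns None when H^T H is singular (the candidate topology islands a bus)."""
    n = len(h[0])
    aug = [[sum(r[i] * r[j] for r in h) for j in range(n)]
           + [sum(r[i] * zi for r, zi in zip(h, z))] for i in range(n)]
    for col in range(n):             # Gauss-Jordan elimination with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-9:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def residual_norm(h, z):
    """||z - H x_hat||, the quantity compared with tau in the residual test."""
    x_hat = estimate(h, z)
    return sum((zi - hi) ** 2 for zi, hi in zip(z, matvec(h, x_hat))) ** 0.5

def nk_search(z, last_known, k):
    """Open at most k of the closed UNKNOWN branches of last_known and return the
    (status, flagged, pseudo) candidate with the fewest flagged measurements."""
    best = None
    closed_idx = [i for i, s in enumerate(last_known) if s]
    for n_open in range(k + 1):
        for opened in combinations(closed_idx, n_open):
            status = tuple(0 if i in opened else s for i, s in enumerate(last_known))
            h = build_h(status)
            x_hat = estimate(h, z)
            if x_hat is None:
                continue             # islanded candidate cannot be estimated: skip
            # stand-in for the detection model De(A_p, M_p): per-measurement residual
            flagged = sum(abs(zi - hi) > TAU for zi, hi in zip(z, matvec(h, x_hat)))
            # stand-in for the predictor: flows on the UNKNOWN branches (M_p)
            theta = [0.0] + x_hat
            pseudo = {ln: s * B * (theta[ln[0]] - theta[ln[1]])
                      for ln, s in zip(UNKNOWN, status)}
            if best is None or flagged < best[1]:
                best = (status, flagged, pseudo)
    return best

# Constructed sample: branch (1, 2) is really open; angles in radians, small noise.
TRUE_STATUS = (0, 1, 1)
H_TRUE = build_h(TRUE_STATUS)
NOISE = [0.001, -0.002, 0.0015, -0.001, 0.002, -0.0005]
Z = [v + e for v, e in zip(matvec(H_TRUE, [-0.02, -0.05, -0.08]), NOISE)]

def demo():
    # z + Hc from the residual identity above, with an arbitrary constructed c
    shifted = [zi + ai for zi, ai in zip(Z, matvec(H_TRUE, [0.01, -0.02, 0.015]))]
    bad = Z[:3] + [Z[3] + 0.5] + Z[4:]          # one gross measurement error
    return (residual_norm(H_TRUE, Z), residual_norm(H_TRUE, shifted),
            residual_norm(H_TRUE, bad), nk_search(Z, (1, 1, 1), k=2))

if __name__ == "__main__":
    clean, shifted, bad, (status, flagged, pseudo) = demo()
    print(f"residual clean={clean:.4f} z+Hc={shifted:.4f} bad datum={bad:.4f} tau={TAU}")
    print(f"N-k result: status={status} flagged={flagged} pseudo={pseudo}")
```

The gross error exceeds the threshold while the z + Hc case leaves the residual unchanged, which is why the method places a second detector after the residual filter. In the method described here the two stand-ins would be the trained detection and prediction models; the enumeration, islanding check and selection do not depend on that choice.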
The historical characteristic module consists of GAE and a long-short term memory neural network.
The existing feature module adopts GAE to extract measurement and topological features of an observable area.
The cooperative FDIA is established according to the following method:
the linear state estimation model is established as follows:
z=Hx+e
where z is the telemetry quantity, H is the Jacobian matrix of the topology, x is the state quantity, and e is the error in the state quantity, which inevitably arises during data acquisition;
constructing an attack vector according to the improved cooperative FDIA principle:
(1) An attacker intercepts the telemetry and remote signaling data, tampers with part of them, and sends the tampered version to the dispatching center, as in the following formulas:
Figure BDA0003807277560000051
Figure BDA0003807277560000052
where $s$ represents the remote signaling data and $b \in \{0,1\}^d$ indicates a modification to the remote signaling data; $z$ represents the telemetry data and $a(z)$ the telemetry attack vector. The topology information changes after the attack; to cover this change, the attacker constructs the attack vector according to the forged topology, and the construction rule of the telemetry attack vector is described by the following formulas:
Figure BDA0003807277560000053
$a(z) = (H' - H)(H^T H)^{-1} H^T z$
where $H'$ is the H matrix after the topology is modified, $H$ is the H matrix before modification, $\mathrm{Col}(H)$ is the column space of $H$, $z_a$ is the telemetry data injected by the topology maintenance attack, $a(z)$ is the attack vector, and $H^T$ is the transpose of $H$;
(2) An optimization strategy for constructing the attack vector is provided that minimizes the number of measurements the cooperative FDIA must attack to reach a specific attack range; it can be expressed as:
$\min \|c\|_1$
$\text{s.t. } |Hc| \ge Q$
Figure BDA0003807277560000061
$Q = \sum ob_i - \sum n_{ij}$
where $|Hc|$ represents the number of attacked measurements, which the inequality constraint keeps greater than or equal to the preset attack range $Q$; $\min \|c\|_1$ is the objective function to be solved, i.e. the minimum number of attacked nodes; during the optimization $|Hc|$ gradually decreases to the value closest to $Q$; $ob_i$ represents the observability measure of node i,
Figure BDA0003807277560000062
indicates the number of measurements adjacent to node i, and $n_i$ represents the number of measurements of node i. Because the measurements of adjacent nodes are counted repeatedly in the calculation, the repeated count $\sum n_{ij}$ must be subtracted when computing the attack range $Q$.
Compared with the prior art, the invention has the following beneficial effects:
(1) The invention solves the problem that the cooperative FDIA measurement data is difficult to detect.
(2) The invention does not rely on strong scenario assumptions, is applicable to the problems caused by various kinds of FDIA, and has a wide range of application and good industrial practicability.
(3) The invention can recover the power grid data to the maximum extent under the condition that the power grid is not observable in a large range, and enhances the self-healing capability of the power grid.
(4) The method has stronger robustness to the condition that the topological structure is tampered, can enhance the capability of power grid defense for cooperative FDIA, and meets the practical requirements of industry on cooperative FDIA defense.
(5) The method has strong fitting capability on the training set, and can accurately predict the telemetering data of the unknown area.
(6) The detection method of the invention has high detection accuracy: the detection capability is strong, and the cooperative FDIA under different topological structures can be effectively detected.
(7) The prediction method of the invention has higher prediction precision, the predicted value is very close to the actual measured data, and the average relative error is 5%.
(8) The invention uses GAE to obtain the encoder adaptive to the feature extraction task, and avoids the interference of the randomly distributed initial weight on the topological feature extraction. The GAE is trained by using sample data of various topological situations, and appropriate weight can be given to important features, so that the GAE has good adaptability to different topological structures.
(9) The invention uses ResNet as a classifier to realize a deep neural network structure, the performance of the deep neural network structure exceeds that of a general neural network in a classification task, the subsequent detection efficiency can be greatly improved, the workload and the difficulty of false data identification are reduced, and the accuracy of false data judgment is improved.
Drawings
FIG. 1 is a flow chart of a power grid state topology collaborative false data attack defense method according to the invention;
FIG. 2 is a schematic diagram of a graph convolution kernel;
FIG. 3 is a schematic diagram of a residual block;
FIG. 4 is a diagram of a prediction model architecture;
FIG. 5 is a schematic diagram of a long-short term memory neural network;
FIG. 6 is a schematic diagram of an N-k search;
FIG. 7 is a test model training scenario;
FIG. 8 is a graph of predictive model training loss;
FIG. 9 is a graph of cooperative attack detection results;
FIG. 10 is a comparison graph of predicted values and actual values;
FIG. 11 is an IEEE-9 node system topology.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, the technical solution of the present invention will be further described in detail.
The invention relates to a power grid state topology cooperative false data attack defense method. The attack proceeds in two steps: in the first step, the telemetry and remote signaling of a specific line in the power system are tampered with, so that an erroneous Jacobian matrix is used in grid state estimation; in the second step, the attack strategy is refined, an attack vector is generated by optimization, and telemetry data on buses and branches are modified over a wide range. The post-attack telemetry and remote signaling are stored and kept as the grid's data to be detected.
The method comprises the following specific steps:
In the power system, the relationship between the measurement values and the state variables is given by formula (1):
$z = Hx + e$ (1)
where z is the telemetry quantity, H is the Jacobian matrix of the topology, x is the state quantity, and e is the error in the state quantity.
Assuming that a set of state variables x minimizes the measurement error, that set is the optimal state quantity, and the DC state estimation model can be solved by equation (2.2):
$\min J(x) = [z - Hx]^T R^{-1} [z - Hx]$ (2)
and the estimation result
Figure BDA0003807277560000081
is given by formula (3):
Figure BDA0003807277560000082
where $R$ is the diagonal matrix whose diagonal elements equal $\sigma_i^{-2}$, and $\sigma_i$ is the measurement error of the i-th bus.
Figure BDA0003807277560000083
is the estimated state quantity. $H^T$ is the transpose of the H matrix, and $R^{-1}$ is the inverse of $R$.
After the estimated state quantity is obtained, an attack vector can be constructed according to the principle of the cooperative FDIA: the attacker intercepts the telemetry and remote signaling data, tampers with part of them, and sends the tampered version to the dispatching center, as shown in the following formula:
Figure BDA0003807277560000084
where $s$ represents the remote signaling data and $b \in \{0,1\}^d$ indicates a modification to the remote signaling data; $z$ represents the telemetry data and $a(z)$ the telemetry attack vector. The topology information changes after the attack; to cover this change, the attacker constructs the attack vector according to the forged topology, and the construction rule of the telemetry attack vector is described by the following formula:
Figure BDA0003807277560000091
where $H'$ is the H matrix after the topology is modified, $H$ is the H matrix before the topology is modified, and $\mathrm{Col}(H)$ is the column space of $H$. $z_a$ is the telemetry data injected by the topology maintenance attack, $a(z)$ is the attack vector, and $H^T$ is the transpose of $H$.
The post-attack telemetry estimates, telemetry quantities and state estimates are retained and used as the data to be checked for FDIA.
After the cooperative FDIA is established and the attacked telemetering and telesignalling data are generated, defense is carried out through the following steps:
(1) Filtering bad data with a residual detection method, then detecting the data with a detection model and determining the attacked measurement data: the network topology and telemetry data are checked with the grid's traditional method, and bad data produced by physical network operation faults, equipment measurement errors and communication system noise are filtered out, so that only real data and false data tampered with by the FDIA remain in the system. The telemetry and remote signaling data are then sent together into a detection model built on GAE and ResNet, so that the attacked buses and branches are identified and the attacked area is determined. The specific steps are as follows:
Because of physical network operation faults, equipment measurement errors and communication system noise, the telemetry data of the power system always contain contaminated bad data. To reduce the workload and difficulty of identifying false data, the invention first uses residual detection to filter the bad data in the measurements: using a two-norm test with a given threshold, bad data produced by physical network operation faults, equipment measurement errors and communication system noise are detected and filtered out, according to the following formula:
Figure BDA0003807277560000092
where $\tau$ is a constant threshold; $r_a$ is the residual vector; $z_a$ is the attacked telemetry data and $z$ is the normal telemetry data; $a$ is the attack vector; $H$ is the Jacobian matrix of the state estimation; $x_a$ is the attacked state variable, $x$ is the state variable, and $c$ is the vector that causes the state variable error.
However, the false measurements generated by the cooperative FDIA strategy described above can pass residual detection, so an additional detection model is required. The detection model uses GAE to extract the topological features. GAE differs from a general auto-encoder in that its encoder uses a Graph Convolutional Neural network (GCN), which can extract graph features in non-Euclidean space that a traditional auto-encoder cannot process. As shown in fig. 2, the GCN aggregates the features of neighboring nodes through the graph convolution kernel defined by equation (7).
Figure BDA0003807277560000101
where $D = \mathrm{diag}(d_1, d_2, \ldots, d_n)$ is the degree matrix corresponding to the system topology, and the diagonal element $d_n$ is the number of nodes adjacent to node n.
Figure BDA0003807277560000102
is the sum of the adjacency matrix $A$ and the identity matrix $I_N$. $A_t$ is the symmetrically normalized adjacency matrix.
The aggregated features are restored by the graph decoder defined by equation (8).
X'=ReLU(FC(Z)) (8)
In the formula, X' represents a reconstructed node feature, FC represents a full connection layer, and Z represents an aggregation feature. ReLU is the activation function.
The main purpose of using GAE is to obtain an encoder adapted to the task of feature extraction, and to avoid interference of randomly assigned initial weights on the extraction of topological features. The invention trains GAE by using sample data of various topological situations, can give proper weight to important features, and has better adaptability to different topological structures.
After extracting the topological features using the above topological feature extractor, a classifier that can learn the features and map them to the output is also needed. The present invention uses ResNet as a classifier. ResNet features the design of a residual block, as shown in FIG. 3. ResNet achieves a deep neural network structure through the design of a residual block, and the performance of the ResNet exceeds that of a general neural network in a classification task. The structure of ResNet is represented by the following formula:
Figure BDA0003807277560000103
where FC is a fully connected layer. $x_L$ is the feature passed to the L-th residual block, and is identical to $x_{L-1}$. $W$ is the weight matrix of the convolutional layer, and i is the convolutional layer index. $F$ denotes the residual block function. $x_i$ and $W_i$ are the input features and the weight matrix of the i-th layer respectively.
This step of the invention can greatly improve the efficiency of subsequent detection, reduce the workload and difficulty of identifying false data, and further improve the accuracy of false data judgment.
(2) Constructing a prediction model based on space-time characteristics, and recovering the real telemetering of the system: the prediction model comprises a historical characteristic processing module and an existing characteristic processing module, wherein the historical characteristic module consists of GAE and a Long Short-Term Memory neural network (LSTM) and is used for extracting the characteristics of historical measurement data and topology information; the existing feature module adopts GAE to extract the measurement and topological features of the observable area. The model can predict corresponding telemetering data according to the historical topological structure, and then the telemetering and remote signals are sent to the detection model to be detected. If the detection is passed, the data recovery is completed; if the detection is not passed, the process proceeds to step (3). The method comprises the following specific steps:
GAE and LSTM are used to construct a prediction model of spatiotemporal features, bi-GAE-LSTM for short. As shown in fig. 5, the Bi-GAE-LSTM model includes a historical feature processing module and an existing feature processing module, the historical feature module is composed of GAE and LSTM, and extracts features of historical measurement data and topology information; the conventional feature module adopts GCN to extract the measurement and topological features of the observable region. The model may predict the corresponding telemetry data based on a given topology.
As can be seen from fig. 5, the input of LSTM includes the current time feature, the hidden state at the previous time, and the memory state vector at the previous time. And selecting the length of the memory time scale by utilizing the control of the forgetting gate and the candidate gate.
The forget gate is controlled as follows:
$$f_t = \sigma(W_f \times [h_{t-1}, x_t] + b_f) \tag{10}$$
The input gate is calculated as follows:
$$i_t = \sigma(W_i \times [h_{t-1}, x_t] + b_i) \tag{11}$$
The candidate gate is calculated as follows:
$$C'_t = \tanh(W_c \times [h_{t-1}, x_t] + b_c) \tag{12}$$
How features are retained and forgotten is calculated as follows:
$$C_t = f_t \times C_{t-1} + i_t \times C'_t \tag{13}$$
Finally, the output gate is calculated as follows:
Figure BDA0003807277560000121
where σ is an activation function and tanh is the hyperbolic tangent function, which is also used as an activation function. $h_{t-1}$ represents the hidden state at time t-1, i.e. the feature map obtained through the hidden layer. $[h_{t-1}, x_t]$ is a feature concatenation operation; $f_t$, $i_t$, $O_t$ are the outputs of the forget gate, the memory gate and the output gate, respectively; $C'_t$ represents the candidate memory neuron; $C_t$, $C_{t-1}$ are the outputs of the memory neuron at time t and time t-1, respectively; $W_f$, $W_i$, $W_c$, $W_O$ are the weight matrices of the respective gates, and $b_f$, $b_i$, $b_c$, $b_O$ are the bias vectors of the respective gates; $h_t$ is the hidden state at time t and is used as the input at the next time.
Assuming a power system with n buses and b branches in which the attack area includes $n_a$ buses and $b_a$ branches, the input is
Figure BDA0003807277560000122
The output is
Figure BDA0003807277560000123
In this case, the model is shown as follows:
Figure BDA0003807277560000124
In the formula, $V_n$ represents the spatial features extracted from the existing observable quantities; σ represents the activation function, for which ReLU is selected; $A_p$ represents the normalized adjacency matrix obtained from the current topology, which is related to the possible topology of the unobservable region; $X_n$ is the existing node features; $V_h$ represents the temporal features extracted from historical measurements;
Figure BDA0003807277560000131
represents a feature fusion operation; $A_t$ is the normalized adjacency matrix, i.e. the graph convolution kernel, obtained from the topological structure corresponding to the historical measurement data; $X_h$ is the historical node features; W represents the weight matrix of the graph convolution layer; $W_{h1}$ represents the weight matrix of the 1st hidden layer in the LSTM and $W_{h2}$ the weight matrix of the 2nd hidden layer in the LSTM; LSTM represents the long short-term memory neural network layer; FC denotes a fully connected layer; M represents the final prediction result, i.e. the restored measurement data.
The topology at the moment before the attack occurs is used as the base topology, and the Bi-GAE-LSTM predicts the telemetering data of the unobservable (attacked) area according to this topology. The telemetering data and the remote signaling data are then combined and sent into the detection model for detection. The detection result is checked: if the detection is passed, the data recovery ends; if the detection is not passed, the process proceeds to step (3).
(3) Restoring the remote signaling data by using an N-k search mode based on the prediction model and the detection model. Possible topological structures are presumed according to the historical topology information of the unobservable area, the telemetering data corresponding to each possible topological structure are predicted, the telemetering and remote signaling combinations are sent to the detection model, and the correct data combination is screened out.
The remote signaling data are restored by using an N-k search mode based on the prediction model and the detection model. Possible topological structures are presumed according to the historical topology information of the unobservable region. Because the attack can cause certain branches in the power grid to stop working, the set of possible topological structures comprises the topology information of N-1, N-2 up to N-k, where the maximum value of k is the total number of lines in the unobservable region.
The N-k search looks for a combination that can pass the detection model, and the target of the search can be represented by the following formula:
Figure BDA0003807277560000132
where $|Hc|$ represents the number of measurements for which an attack is detected; De represents the detection model proposed by formula (9); $A_p$ represents one possible topology; $M_p$ represents the measurement data restored according to topology $A_p$, the restoration method following formula (13);
Figure BDA0003807277560000133
represents the set of possible topological structures, which is related to the topology of the unknown area.
The specific search process comprises the following steps:
(1) Determining the unknown region, and generating the set of all topological structures of the unknown region;
(2) According to the prediction model provided above, restoring the telemetering data corresponding to each possible topological structure;
(3) Sending each group of topological structure and telemetering data into the detection model for detection, to obtain a group of data which safely passes the detection model;
(4) Taking the safe data as the pseudo measurement of the unknown area to finish data recovery.
It is noted that, because the GAE-ResNet detection model has a built-in localization function, the N-k search process can be optimized; the optimization is shown in FIG. 6. If the topology label of the detection model is 0, the system is attacked by the common FDIA, and only the telemetering data needs to be restored. The detection model can also identify a single-line topology attack; if a single-line topology attack is found, only the working state of that line needs to be reversed. For the cooperative attack area, the search can also be started from the N-1 topologies.
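The four search steps above can be sketched as follows. This is an added example, not code from the patent: a DC power flow stands in for the Bi-GAE-LSTM prediction model, a tolerance check against trusted observable-region flows stands in for the GAE-ResNet detection model, and the 4-bus network, injections, tolerance and all function names are constructed for illustration.

```python
from itertools import combinations

# Constructed 4-bus DC network (not an IEEE test case): id -> (from, to, susceptance p.u.)
BRANCHES = {0: (0, 1, 10.0), 1: (0, 2, 10.0), 2: (1, 2, 10.0),
            3: (1, 3, 10.0), 4: (2, 3, 10.0)}
N_BUS = 4
INJECTIONS = [1.5, -0.5, -0.4, -0.6]   # constructed net injections; bus 0 is the slack bus
SUSPECT = [1, 2]                        # branches inside the unobservable (attacked) area
TAU = 0.05                              # alarm tolerance in p.u. (assumption)


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("candidate topology islands the network")
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def predict_flows(outage):
    """Stand-in for the prediction model: DC power flow under a candidate topology."""
    size = N_BUS - 1                    # slack bus 0 removed, theta_0 = 0
    bmat = [[0.0] * size for _ in range(size)]
    for bid, (i, j, b) in BRANCHES.items():
        if bid in outage:
            continue                    # open branch contributes nothing
        for u, v in ((i, j), (j, i)):
            if u > 0:
                bmat[u - 1][u - 1] += b
                if v > 0:
                    bmat[u - 1][v - 1] -= b
    theta = [0.0] + solve(bmat, INJECTIONS[1:])
    return {bid: 0.0 if bid in outage else b * (theta[i] - theta[j])
            for bid, (i, j, b) in BRANCHES.items()}


def detect(predicted, trusted):
    """Stand-in for the detection model De: count trusted measurements that disagree."""
    return sum(1 for bid, z in trusted.items() if abs(predicted[bid] - z) > TAU)


def n_k_search(trusted):
    """Enumerate N-1..N-k outage sets of SUSPECT and keep the one with fewest alarms."""
    results = {}
    for k in range(1, len(SUSPECT) + 1):
        for outage in combinations(SUSPECT, k):
            try:
                results[outage] = detect(predict_flows(set(outage)), trusted)
            except ValueError:
                continue                # islanded candidate cannot be evaluated
    if not results:
        raise ValueError("no candidate topology could be evaluated")
    best = min(results, key=lambda o: (results[o], len(o)))
    return best, results


# Constructed trusted telemetry from the observable branches 0, 3 and 4: the true
# state has branch 2 open, with small constructed measurement noise added.
_truth = predict_flows({2})
TRUSTED = {0: _truth[0] + 0.004, 3: _truth[3] - 0.003, 4: _truth[4] + 0.002}

if __name__ == "__main__":
    best, results = n_k_search(TRUSTED)
    for outage, alarms in results.items():
        print(f"outage {outage}: {alarms} alarm(s)")
    print("selected topology: branches out of service =", best)
```

Only the candidate whose predicted flows agree with the trusted measurements raises no alarms; that candidate's predicted values are what step (4) would adopt as pseudo measurements.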
Example analysis
Five parts are explained below: example selection, model training, accuracy of the detection model, accuracy of the prediction model, and a systematic defense strategy instance.
The invention is tested on the IEEE-9, IEEE-57 and IEEE-118 node test systems, and the effectiveness of the defense strategy provided by the invention is verified.
Training situation of model
In the IEEE-9 node test system, the model tends to converge after about 900 training iterations. The results are shown in FIG. 7. It can be seen from the figure that over the whole training process the accuracy rises from about 60% to about 94% and the error falls from 1.4 to 0, so the overall trend shows normal convergence. The accuracy drops significantly after every 100 iterations because training switches to the next batch of data after 100 iterations. The topological structures of the batches differ, so the accuracy of the model falls back considerably, but the size of the fall-back decreases as more training batches are used and is close to 0 after several hundred iterations, so the trained model is robust to changes in the topological structure. Tests on the IEEE-57 and IEEE-118 node test systems gave results consistent with those on the IEEE-9 node test system.
FIG. 8 shows the loss function of the prediction model, where the loss curve is the training-set loss curve of the Bi-GAE-LSTM model on the IEEE-118 node test system, and the loss function is MSELoss(). It can be seen that the model tends to converge after 50 iterations, and the MSE of the training set rapidly decreases from 0.12 to around 0.001. The model has strong fitting capability on the training set and can accurately predict the telemetering data of the unknown region. Tests on the IEEE-9 and IEEE-57 node test systems gave results similar to those on the IEEE-118 node test system.
Accuracy of the detection model
Table 1 shows the detection accuracy index of the 118-node system.
TABLE 1
Figure BDA0003807277560000151
The invention selects a Convolutional Neural Network (CNN) and a densely connected network (Densely Connected Convolutional Networks, DenseNet) as classifiers, and builds GAE-CNN and GAE-DenseNet for comparison with the model of the invention, GAE-ResNet, so as to verify the influence of model depth on performance. For the main classifier ResNet, an 18-layer structure (ResNet18 for short) was tested, and GAE-ResNet18 is used to represent the model of the present invention.
From Table 1 it can be seen that GAE-ResNet18 is the best method for detecting cooperative FDIA. With GAE-CNN, the multi-modal detection method improves on a single-modal detection method by about 10 percent on average in each index. Compared with GAE-CNN, GAE-ResNet18 has greatly improved indexes, which shows that the detection capability of ResNet is far stronger than that of CNN. Tests on the IEEE-9 and IEEE-57 node test systems gave results consistent with those on the IEEE-118 node test system: GAE-ResNet improves on both modality and depth, so that cooperative FDIA under different topologies can be effectively detected.
Accuracy of prediction model
Table 2 shows the prediction accuracy index of the prediction model.
TABLE 2
Figure BDA0003807277560000161
For comparison, the present invention uses the GAE-LSTM model without the existing feature module, a double-layer LSTM model combining random forest and LSTM, and a standard LSTM model.
As can be seen from Table 2, the Bi-GAE-LSTM prediction method, which uses both historical features and existing features, is superior in prediction accuracy to the prediction methods that use only historical features. Mean Square Error (MSE) and Mean Absolute Percentage Error (MAPE) both represent the error between the predicted result and the correct measurement value; the closer these indexes are to 0, the stronger the prediction capability of the model. On the IEEE-118 node test system, the MSE and MAPE of the LSTM model are 0.0566 and 2.3411%, respectively, while the MSE and MAPE of the Bi-GAE-LSTM model are 0.0024 and 0.2375%, respectively, so the error is obviously reduced. The same trend appears on the IEEE-57 and IEEE-9 node test systems: models that mine the known historical data and existing data more fully achieve higher prediction accuracy. The GAE-LSTM with added topology information has improved prediction accuracy compared with the LSTM using only measurement data, and the Bi-GAE-LSTM, which aggregates historical features and existing features, has obviously improved prediction accuracy compared with the GAE-LSTM using only historical features. Therefore, the Bi-GAE-LSTM model is a very effective telemetry data recovery method when the power grid is subjected to cooperative FDIA.
Systematic defense strategy instance
In order to illustrate the practical application of the present invention, the IEEE-9 node system is taken as an example to show the operation of the systematic defense strategy. Fig. 10 shows the cooperative attack detection result. The topology label shows that the topological structure has been tampered with, so the attack scenario is identified as cooperative FDIA; the attacked area is determined to be the buses (1, 4, 5) and the branches (1, 2), the attacked area is set as the unobservable area, and data recovery and detection are performed. The label determines that the branches (1, 2) are the cooperative FDIA attack area, so the topology subset is composed of the N-1 and N-2 topologies, and the determined set of possible disconnections is [ (1), (2), (1, 2) ], comprising three topologies. The telemetry data corresponding to each topology are generated and sent into the detection model. The results are shown in Table 3:
TABLE 3
Figure BDA0003807277560000171
As can be seen from Table 3, the telemetry and remote signaling joint recovery strategy can identify the correct topology. For the topology subset (2), the topology label is zero and the number of measurement-label alarms is also zero, which indicates that the telemetry and remote signaling data corresponding to this subset pass the joint detection. When the topology information of the topology subsets (1) and (1, 2) and the corresponding telemetry data are sent to the detection model together, the topology label raises an alarm and the numbers of measurement-label alarms are 3 and 5, respectively, so the joint detection is not passed. The method can therefore find the correct telemetry and remote signaling combination.
To further illustrate the effectiveness of the present invention, the telemetry data in the correct combination are compared with the actual telemetry data; the comparison is shown in FIG. 10. The active power of the buses (1, 4, 5) and the branches (1, 2) of the unobservable region (i.e. the measurements corresponding to the numbers in FIG. 10) is analyzed, and it can be seen that the predicted values are very close to the actual measurement data, with an average error within 10 MW. If the error divided by the actual value is taken as the relative error, the average relative error of the unknown region is within 5%. This demonstrates the high accuracy of the telemetry data prediction method presented herein. It should be noted that for the telemetry data of the known area, the predicted values deviate somewhat from the real measured values but remain close to them within the error tolerance, so in actual use the known area can adopt either the existing telemetry data or the predicted values.

Claims (10)

1. A power grid state topology cooperative false data attack defense method is characterized by comprising the following steps:
(1) Using a residual error detection method to filter bad data, then using a detection model to detect the data, and determining the attacked measurement data: detecting the network topology and telemetering data by using the residual error detection method, filtering out the bad data generated by physical network operation faults, equipment measurement errors and communication system noise, and keeping only the real data in the system and the false data tampered with by the cooperative FDIA; then the telemetering and remote signaling data are sent together into the detection model for detection, the attacked buses and branches are identified, and the attacked area is determined;
(2) Constructing a prediction model based on spatio-temporal characteristics, and predicting the corresponding telemetering data based on a possible remote signaling set: establishing a spatio-temporal feature prediction model based on a spatio-temporal neural network, wherein the spatio-temporal feature prediction model based on the spatio-temporal neural network comprises a historical feature processing module and an existing feature processing module; the spatio-temporal feature prediction model based on the spatio-temporal neural network predicts the corresponding telemetering data according to the historical topological structure, the telemetering and remote signaling data are then sent to the detection model for detection, and the data recovery is completed if the detection is passed; if the detection fails, entering the next step;
(3) Using an N-k search mode, inputting the telemetering and remote signaling combinations into the prediction model based on the spatio-temporal characteristics, and taking the data that pass detection as the true value: possible topological structures are presumed according to the historical topology information of the unobservable area, the telemetering data corresponding to each possible topological structure are predicted, the telemetering and remote signaling combinations are sent to the detection model, and the correct data combination is screened out.
2. The power grid state topology cooperative false data attack defense method according to claim 1, characterized in that the detection model is constructed by using a graph self-encoder and a residual neural network, and the attack detection process is as follows:
$$V = GAE(A, X)$$
Figure FDA0003807277550000011
in the formula, V is the extracted topological feature, A represents the adjacency matrix, X is the node features, and z is the telemetering data;
Figure FDA0003807277550000012
represents a feature fusion operation; the detection model outputs a group of {0,1} labels which indicate whether the corresponding measurement is attacked, and the attacked area of the power grid is determined according to the labels.
3. The power grid state topology collaborative false data attack defense method according to claim 1, wherein the prediction model based on the space-time characteristics is constructed according to the following method:
constructing a spatio-temporal feature prediction model based on a spatio-temporal neural network, namely Bi-GAE-LSTM, by using GAE and a long short-term memory neural network; the Bi-GAE-LSTM model comprises a historical feature processing module and an existing feature processing module; in a power system with n buses and b branches, the attack area includes $n_a$ buses and $b_a$ branches, and the input is
Figure FDA0003807277550000021
The output is
Figure FDA0003807277550000022
The Bi-GAE-LSTM model is shown by the following formula:
$$V_n = \sigma(W A_p X_n)$$
Figure FDA0003807277550000023
Figure FDA0003807277550000024
in the formula, $A_t$ is the normalized adjacency matrix, i.e. the graph convolution kernel, obtained from the topological structure corresponding to the historical measurement data; $A_p$ represents the normalized adjacency matrix obtained from the current topology, which is related to the possible topology of the unobservable region; $W$, $W_{h1}$, $W_{h2}$ represent weight matrices; σ represents an activation function; LSTM represents the long short-term memory neural network layer; $V_n$ represents the spatial features extracted from the existing observable quantities; $V_h$ represents the temporal features extracted from historical measurements;
Figure FDA0003807277550000025
represents a feature fusion operation; FC denotes a fully connected layer; M represents the final prediction result, i.e. the restored measurement data.
4. The grid state topology collaborative false data attack defense method according to claim 3, wherein σ is a ReLU function.
5. The grid state topology cooperative false data attack defense method according to claim 1, wherein the residual error detection method is characterized in that the detection follows the formula:
$$\begin{aligned}\|r_a\| &= \|z_a - Hx_a\| \\ &= \|z + a - H(x + c)\| \\ &= \|z - Hx\| < \tau\end{aligned}$$
where τ is a constant threshold, $r_a$ is the residual vector, $z_a$ is the attacked telemetry data, H is the Jacobian matrix of the state estimation, $x_a$ is the attacked state variable, and z is the normal telemetry data; a is the attack vector, x is the state variable, and c is the vector that causes the state variable error.
6. The power grid state topology cooperative false data attack defense method according to claim 1, wherein the target of the N-k search mode search is represented by the following formula:
$$\min \sum |Hc|$$
$$\text{s.t. } |Hc| = De(A_p, M_p)$$
Figure FDA0003807277550000031
where $|Hc|$ represents the number of measurements for which an attack is detected; De represents a detection model proposed in chapter iii; $A_p$ represents one possible topology; $M_p$ represents the measurement data restored according to topology $A_p$, the restoration following formula (4.6);
Figure FDA0003807277550000032
representing a set of possible topological structures, related to the unknown region topology.
7. The power grid state topology collaborative false data attack defense method according to claim 1, wherein the search process of the N-k search mode is as follows:
(1) Determining the unknown region, and generating the set of all topological structures of the unknown region;
(2) According to the prediction model provided above, restoring the telemetering data corresponding to each possible topological structure;
(3) Sending each group of topological structure and telemetering data into the detection model for detection, to obtain a group of data which safely passes the detection model;
(4) Taking the safe data as the pseudo measurement of the unknown area to finish data recovery.
8. The power grid state topology cooperative false data attack defense method according to claim 1, wherein the historical feature module is composed of GAE and long-short term memory neural network.
9. The power grid state topology cooperative false data attack defense method according to claim 1, wherein the existing feature module adopts GAE to extract measurement and topology features of an observable area.
10. The power grid state topology cooperative false data attack defense method according to claim 1, wherein the cooperative FDIA is established according to the following method:
the linear state estimation model is established as follows:
$$z = Hx + e$$
in the formula, z is the telemetering quantity, H represents the topological Jacobian matrix, x is the state quantity, and e is the error in the state quantity, which inevitably occurs in the data acquisition process;
constructing an attack vector according to the improved cooperative FDIA principle:
(1) An attacker intercepts the telemetering and telesignaling data, tampers with a part of the telemetering and telesignaling data, and sends a tampered version to a dispatching center, wherein the formula is as follows:
Figure FDA0003807277550000041
Figure FDA0003807277550000042
where s represents the remote signaling data and $b \in \{0,1\}^d$ indicates a modification to the remote signaling data; z represents the telemetry data and a(z) represents the telemetry attack vector; the topology information is changed after the attack, and in order to cover the change of the topology information an attacker constructs the attack vector according to a forged topological structure, the construction rule of the telemetering data attack vector conforming to the following formulas:
Figure FDA0003807277550000043
$$a(z) = (H' - H)(H^T H)^{-1} H^T z$$
where H' represents the H matrix after topology modification, H represents the H matrix before modification, col(H) is the column space of H, $z_a$ represents the telemetry data injected by the topology maintenance attack, and a(z) represents the attack vector; $H^T$ is the transpose of H;
(2) An optimization strategy for constructing the attack vector is provided, and the measurement quantity of the attack needed by the cooperative FDIA for reaching a specific attack range is minimized, so the optimization strategy of the attack vector can be represented by the following formula:
$$\min \|c\|_1$$
$$\text{s.t. } |Hc| \geq Q$$
Figure FDA0003807277550000044
$$Q = \sum ob_i - \sum n_{ij}$$
in the formula, $|Hc|$ represents the quantity of attacked measurements, which the inequality constraint ensures is greater than or equal to the preset attack range Q; $\min \|c\|_1$ is the objective function to be solved, i.e. the minimum number of attack nodes; during the optimization, $|Hc|$ gradually decreases to the value closest to Q; $ob_i$ represents a measure of observability of node i,
Figure FDA0003807277550000045
indicates the number of measurements adjacent to node i, and $n_i$ represents the number of measurements of node i; because the measurements of adjacent nodes are counted repeatedly during the calculation, the repeatedly counted number $\sum n_{ij}$ needs to be subtracted when the attack range Q is calculated.
CN202211000769.4A 2022-08-19 2022-08-19 Power grid state topology collaborative false data attack defense method Pending CN115378699A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211000769.4A CN115378699A (en) 2022-08-19 2022-08-19 Power grid state topology collaborative false data attack defense method


Publications (1)

Publication Number Publication Date
CN115378699A true CN115378699A (en) 2022-11-22

Family

ID=84064903


Country Status (1)

Country Link
CN (1) CN115378699A (en)


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116232742A (en) * 2023-03-08 2023-06-06 中国信息通信研究院 False data attack detection method and system based on state estimation
CN116232742B (en) * 2023-03-08 2023-10-24 中国信息通信研究院 False data attack detection method, system, electronic equipment and medium based on state estimation
CN116886355A (en) * 2023-07-03 2023-10-13 华北电力大学 DDOS and false data injection collaborative attack optimization method of power system
CN116886355B (en) * 2023-07-03 2024-01-23 华北电力大学 DDOS and false data injection collaborative attack optimization method of power system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination