CN115643059B - Power network malicious attack protection system based on deep learning and control method thereof - Google Patents

Power network malicious attack protection system based on deep learning and control method thereof Download PDF

Info

Publication number
CN115643059B
CN115643059B CN202211240081.3A CN202211240081A CN115643059B CN 115643059 B CN115643059 B CN 115643059B CN 202211240081 A CN202211240081 A CN 202211240081A CN 115643059 B CN115643059 B CN 115643059B
Authority
CN
China
Prior art keywords
data
module
neural network
convolutional neural
training
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211240081.3A
Other languages
Chinese (zh)
Other versions
CN115643059A (en
Inventor
侯波涛
卢宁
刘欣
郭禹伶
郗波
王颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN202211240081.3A priority Critical patent/CN115643059B/en
Publication of CN115643059A publication Critical patent/CN115643059A/en
Application granted granted Critical
Publication of CN115643059B publication Critical patent/CN115643059B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a power network malicious attack protection system for deep learning, which comprises a power grid database module, a power grid data processing module and a power grid data processing module, wherein the power grid database module is used for generating a power grid topological structure, and simultaneously collecting power grid data and storing the power grid data in nodes corresponding to the power grid topological structure; the data characteristic generating module is used for generating corresponding data characteristics according to the power grid data and the storage structure; the data characteristic identification module is used for analyzing the data characteristic to be analyzed to obtain an abnormal data characteristic; the training data set module is used for generating a training data set by using the existing data characteristics and training the data characteristic recognition module; the attack behavior early warning module is used for carrying out attack behavior early warning according to the analysis result of the data characteristic identification module; the attack behavior recognition module is used for recognizing the attack behavior corresponding to the attack behavior early warning module according to the analysis result of the data characteristic recognition module.

Description

Power network malicious attack protection system based on deep learning and control method thereof
Technical Field
The invention relates to the technical field of malicious attack prediction of a power system, in particular to a deep learning-based power network malicious attack protection system and a control method thereof.
Background
Deep learning is an artificial neural network with a special structure, of which Convolutional Neural Networks (CNNs) are a common type. With the rapid development of deep learning technology in recent years, deep learning is widely applied to various industrial fields requiring large data amount analysis and identification, and malicious attack identification of a power system is one of the fields. In the prior art, a convolutional neural network is generally used for directly analyzing the operation characteristics of a power grid, so that malicious attack behaviors are identified. Since this identification process is done in dependence on the neural network, the accuracy of its identification is very dependent on the training process of the neural network. However, the training of the neural network is directly dependent on the existing data training set, and the data training set generated according to the existing experience cannot completely summarize the characteristics of the malicious attack behaviors due to the concealment and variability of the malicious attack behaviors, so that the training becomes a bottleneck for improving the recognition accuracy of the malicious attack behaviors.
Disclosure of Invention
The invention aims to solve the technical problem of providing a deep learning-based power network malicious attack protection system and a control method thereof, which can solve the defects of the prior art and improve the recognition accuracy of malicious attack behaviors.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows.
A deep learning-based power network malicious attack protection system comprises,
the power grid database module is used for generating a power grid topological structure, collecting power grid data and storing the power grid data in nodes corresponding to the power grid topological structure;
the data characteristic generating module is used for generating corresponding data characteristics according to the power grid data and the storage structure;
the data characteristic identification module is used for analyzing the data characteristic to be analyzed to obtain an abnormal data characteristic;
the training data set module is used for generating a training data set by using the existing data characteristics and training the data characteristic recognition module;
the attack behavior early warning module is used for carrying out attack behavior early warning according to the analysis result of the data characteristic identification module;
and the attack behavior recognition module is used for recognizing the attack behavior corresponding to the early warning of the attack behavior early warning module according to the analysis result of the data characteristic recognition module.
Preferably, the data feature recognition module comprises a first convolutional neural network module, a second convolutional neural network module and a comparison module, the first convolutional neural network module and the second convolutional neural network module are arranged in parallel, output results of the first convolutional neural network module and the second convolutional neural network module are input into the comparison module, and the comparison module performs comparison processing on input data to obtain abnormal data features.
Preferably, the training data set module generates a first training data set and a second training data set independently, wherein the first training data set is used for training the first convolutional neural network module, and the second training data set is used for training the second convolutional neural network module.
The control method of the deep learning-based power network malicious attack protection system comprises the following steps:
A. the power grid database module generates a power grid topological structure, and simultaneously collects power grid data and stores the power grid data in nodes corresponding to the power grid topological structure;
B. the data characteristic generating module generates corresponding data characteristics according to the power grid data and the storage structure;
C. the training data set module generates a training data set by using the existing data characteristics and trains the data characteristic recognition module;
D. The data characteristic recognition module analyzes the data characteristic to be analyzed to obtain an abnormal data characteristic;
E. the attack behavior early warning module is used for carrying out attack behavior early warning according to the analysis result of the data characteristic identification module;
F. and the attack behavior recognition module recognizes attack behaviors corresponding to the attack behavior early warning module in early warning according to the analysis result of the data characteristic recognition module.
In the step A, preferably, weight values are set for nodes in the power grid topological structure according to the number of nodes directly connected with the nodes, the weight values are in direct proportion to the number of the connected nodes, and the weight values of the nodes are given to the power grid data stored in the nodes; and inputting a test signal into the node with the largest weight value, and recording the distortion amount of the test signal on different nodes.
Preferably, in step B, the generated data features include feature identification information, data packet information, node position information, data acquisition time information, data weight values, and data association information.
Preferably, the data association information includes first association information and second association information, and the acquisition method is,
summarizing characteristic identification information generated by power grid data stored on a local node into first associated information, and summarizing characteristic identification information generated by power grid data stored on a node directly connected with the local node into first associated information;
The method comprises the steps of presetting a signal distortion variance threshold, grouping all nodes in a network topological structure, calculating the signal distortion variance of each group of nodes, enabling the signal distortion variance of all groups of nodes to be smaller than the preset signal distortion variance threshold through grouping adjustment, keeping the number of groups to be minimum, and counting characteristic identification information generated by power grid data stored in the same group of nodes into second association information.
Preferably, in step C, generating the training data set comprises the steps of,
c11, setting the sample number of the first training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the first training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the first training data set; obtaining feature identification information by reading first associated information of data features counted in a first training data set, counting the data features corresponding to the feature identification information in the first training data set, and repeating the process until the number of samples in the first training data set is larger than the set number of samples;
c23, setting the sample number of the second training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the second training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the second training data set; obtaining feature identification information by reading second associated information of data features counted in a second training data set, counting the data features corresponding to the feature identification information in the second training data set, and repeating the process until the number of samples in the second training data set is larger than the set number of samples; and counting the sample repetition rate of the second training data set and the first training data set, if the repetition rate exceeds 30%, continuously counting new samples into the second training data set according to the process, and deleting the same number of repeated samples until the repetition rate is less than or equal to 30%.
Preferably, in step C, training the data feature recognition module comprises the steps of,
c21, generating a plurality of feature groups by using the first training data set, and establishing a corresponding feature group standard behavior model by using each feature group; generating a plurality of feature groups by using a second training data set, and establishing a corresponding feature group standard behavior model by using each feature group;
c22, training the first convolutional neural network module by using the feature group generated by the first training data set; initializing parameters of a first convolutional neural network module, inputting the feature group into the first convolutional neural network module, outputting a corresponding feature group prediction behavior model by the first convolutional neural network module, comparing the feature group prediction behavior model with a feature group standard behavior model to obtain deviation data according to the feature group prediction behavior model, updating the parameters of the first convolutional neural network module by using the deviation data, and completing training when a loss function is converged within a set threshold;
c23, training the second convolutional neural network module by using the feature group generated by the second training data set; initializing parameters of a second convolutional neural network module, inputting the feature group into the second convolutional neural network module, outputting a corresponding feature group prediction behavior model by the second convolutional neural network module, comparing the feature group prediction behavior model with a feature group standard behavior model to obtain deviation data, updating the parameters of the second convolutional neural network module by using the deviation data, and completing training when the loss function is converged within a set threshold value.
Preferably, in step D, the data feature recognition module analyzes the abnormal data feature comprising the steps of,
d1, continuously inputting data features in a first training data set into a first convolutional neural network module, and continuously inputting data features in a second training data set into a second convolutional neural network module;
d2, after the first convolutional neural network module and the second convolutional neural network module generate stable output results, respectively inputting the same data features to be identified to the first convolutional neural network module and the second convolutional neural network module, and respectively and independently identifying the input data features by the first convolutional neural network module and the second convolutional neural network module to obtain two independent feature group prediction behavior models;
and D3, calculating deviation data of the two feature group prediction behavior models obtained in the step D2 by using a comparison module, and judging whether the input data features to be identified are abnormal data features or not according to calculation results.
Preferably, in step E, when the number of abnormal data features identified by the data feature identification module reaches the early warning threshold, the attack behavior early warning module sends out attack behavior early warning, and after the elimination of the early warning is confirmed by people, the number of the abnormal data features identified by the data feature identification module is cleared, and the next early warning period is entered.
In the step F, preferably, a simulation environment is established in the attack behavior identification module, the abnormal data features identified in the early warning process of the early warning module are input into the simulation environment for simulation operation, and the attack behavior type is judged according to the simulation operation result.
Preferably, the simulated operation of the abnormal data feature includes the steps of,
f1, simplifying a power grid topological structure, combining nodes which are smaller than a set threshold value in weight value deviation and are directly connected, wherein the combined new node weight value is an average value of original node weight values, and establishing a virtual power grid structure in an attack behavior identification module according to the simplified power grid topological structure;
f2, presetting standard power grid data in nodes of a virtual power grid structure, determining injection nodes of the virtual power grid structure in an original power grid topological structure according to node position information in abnormal data characteristics, determining injection nodes of the virtual power grid structure in a simplified power grid topological structure according to a node merging process, and injecting data packet information and data acquisition time information in the abnormal data characteristics into the virtual power grid structure through the injection nodes in the simplified power grid topological structure;
And F3, comparing and searching in an attack behavior database according to the running state of the virtual power grid structure after the abnormal data features are injected, and obtaining attack behavior types.
Preferably, in step F3, if the result is not retrieved, performing data enhancement processing on the data packet information injected on the new node after merging in sequence according to the order of the weight value of the new node after merging from large to small; and after carrying out data enhancement processing on the data packet information injected into each node, carrying out comparison search again until the attack behavior category is searched.
The beneficial effects brought by adopting the technical scheme are as follows:
1. the method changes the mode of directly analyzing and identifying the malicious attack by using the neural network in the prior art, and judges the abnormal data characteristics possibly related to the malicious attack by using the neural network. More importantly, the method and the device do not directly use the neural network to judge the abnormal data characteristics, but use two convolutional neural network modules to respectively and independently use the same data characteristics to generate the characteristic group prediction behavior model, and then judge the abnormal data characteristics through comparing the two characteristic group prediction behavior models (because the independent data characteristics have the characteristics of relatively stability and obvious simplicity compared with the malicious attack behaviors, the accuracy of judging the abnormal data characteristics by using the convolutional neural network modules is far higher than that of judging the malicious attack behaviors). Because the two convolutional neural network modules used in the invention are respectively and independently trained, and simultaneously, two training data sets adopt two completely different dimension generation modes in the generation process, the two convolutional neural network modules are ensured to have good independence after training, and the output results obtained by the two convolutional neural network modules are also independent. Because the two convolutional neural network modules adopt the training process, when the abnormal data characteristics are input, obvious deviation can occur to the output of the two convolutional neural network modules, so that whether the input data characteristics are the abnormal data characteristics or not can be judged by utilizing the deviation. The indirect judgment mode does not directly depend on the output result of a certain convolutional neural network module, so that judgment errors caused by limitation of a training data set are skillfully avoided. The judgment of the malicious attack behavior is carried out by the quantity of the abnormal data sets, so that the method is simple and convenient, and the identification of the malicious attack behavior is carried out by the simulation operation of the characteristics of the abnormal data. The judgment and the identification of the malicious attack are respectively carried out through different modules, when the attack early warning module judges that the malicious attack exists, the early warning is sent out timely, so that human intervention can be performed timely, then the specific identification of the type of the malicious attack is carried out through the attack identification module, and the attack early warning module can continuously monitor the power grid system in the identification process, thereby ensuring the efficient operation of the whole protection system.
2. The generation speed and the feature simulation speed of the training data set can be optimized by carrying out weight assignment on the nodes and the data of the power grid topological structure and carrying out rapid screening on the nodes and the data features by utilizing the weight values, more importantly, when the signal distortion quantity is used for acquiring the logic topological relation of the power grid, the test signal injection nodes can be rapidly and accurately selected, and the significance of the distortion in the signal transmission process on the power grid topological structure performance is improved.
3. The two training data sets respectively use the physical topological relation and the logical topological relation to carry out data acquisition, thereby effectively improving the independence of the two training data sets.
4. By simplifying the topological structure of the power grid, the characteristic simulation speed of abnormal data can be improved.
Drawings
Fig. 1 is a block diagram of one embodiment of the present invention.
In the figure: 1. a power grid database module; 2. a data feature generation module; 3. a data feature recognition module; 31. a first convolutional neural network module; 32. a second convolutional neural network module; 33. a comparison module; 4. a training dataset module; 5. an attack behavior early warning module; 6. and an attack behavior identification module.
Detailed Description
In the following description of embodiments, for purposes of explanation and not limitation, specific details are set forth, such as particular system architectures, techniques, etc. in order to provide a thorough understanding of the embodiments of the application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
One embodiment of the present invention includes that,
the power grid database module 1 is used for generating a power grid topological structure, and simultaneously collecting power grid data and storing the power grid data in nodes corresponding to the power grid topological structure;
the data characteristic generating module 2 is used for generating corresponding data characteristics according to the power grid data and the storage structure;
the data characteristic recognition module 3 is used for analyzing the data characteristic to be analyzed to obtain an abnormal data characteristic;
the data characteristic recognition module 3 comprises a first convolutional neural network module 31, a second convolutional neural network module 32 and a comparison module 33, wherein the first convolutional neural network module 31 and the second convolutional neural network module 32 are arranged in parallel, the output results of the first convolutional neural network module 31 and the second convolutional neural network module 32 are input into the comparison module 33, and the comparison module 33 performs comparison processing on the input data to obtain abnormal data characteristics;
A training data set module 4 for generating a training data set using existing data features and training the data feature recognition module 3;
the training data set module 4 generates a first training data set and a second training data set independently, wherein the first training data set is used for training the first convolutional neural network module 31, and the second training data set is used for training the second convolutional neural network module 32;
the attack behavior early warning module 5 is used for carrying out attack behavior early warning according to the analysis result of the data characteristic recognition module 3;
and the attack behavior recognition module 6 is used for recognizing attack behaviors corresponding to the attack behavior early warning module 5 according to the analysis result of the data characteristic recognition module 3.
A control method of a power network malicious attack protection system based on deep learning comprises the following steps:
A. the power grid database module 1 generates a power grid topological structure, and simultaneously collects power grid data and stores the power grid data in nodes corresponding to the power grid topological structure;
setting weight values for nodes in the power grid topological structure according to the number of nodes directly connected with the nodes, wherein the weight values are in direct proportion to the number of the connected nodes, and giving the weight values of the nodes to the power grid data stored in the nodes; inputting a test signal into a node with the maximum weight value, and recording the distortion amount of the test signal on different nodes;
B. The data characteristic generating module 2 generates corresponding data characteristics according to the power grid data and the storage structure; the generated data features comprise feature identification information, data packet information, node position information, data acquisition time information, data weight values and data association information;
the data association information comprises first association information and second association information, and is obtained by the method,
summarizing characteristic identification information generated by power grid data stored on a local node into first associated information, and summarizing characteristic identification information generated by power grid data stored on a node directly connected with the local node into first associated information;
the method comprises the steps of presetting a signal distortion variance threshold, grouping all nodes in a network topological structure, calculating the signal distortion variance of each group of nodes, enabling the signal distortion variance of all groups of nodes to be smaller than the preset signal distortion variance threshold through grouping adjustment, keeping the number of groups to be minimum, and counting characteristic identification information generated by power grid data stored in the same group of nodes into second association information;
C. the training data set module 4 generates a training data set by using the existing data features and trains the data feature recognition module 3;
Generating the training data set comprises the steps of,
c11, setting the sample number of the first training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the first training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the first training data set; obtaining feature identification information by reading first associated information of data features counted in a first training data set, counting the data features corresponding to the feature identification information in the first training data set, and repeating the process until the number of samples in the first training data set is larger than the set number of samples;
c12, setting the sample number of the second training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the second training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the second training data set; obtaining feature identification information by reading second associated information of data features counted in a second training data set, counting the data features corresponding to the feature identification information in the second training data set, and repeating the process until the number of samples in the second training data set is larger than the set number of samples; counting the sample repetition rate of the second training data set and the first training data set, if the repetition rate exceeds 30%, continuously counting new samples into the second training data set according to the process, and deleting the same number of repeated samples until the repetition rate is less than or equal to 30%;
Training the data feature recognition module 3 comprises the steps of,
c21, generating a plurality of feature groups by using the first training data set, and establishing a corresponding feature group standard behavior model by using each feature group; generating a plurality of feature groups by using a second training data set, and establishing a corresponding feature group standard behavior model by using each feature group;
the feature set standard behavior model includes,
behavior range data, namely extracting node positions stored by power grid data from node position information in data features, extracting node positions related to the data features from data association information in the data features, defining a behavior range comprising all the node positions, and keeping the area of the behavior range to be minimum to obtain behavior range data;
behavior feature data, namely extracting common feature data from data packet information in data features in a behavior range to form behavior feature data;
and the behavior prediction data is formed by sequencing the data features in the behavior range according to the time sequence according to the data acquisition time provided by the data acquisition time information, taking the data features immediately after the data features of the behavior feature data are extracted in time sequence as target data features, and extracting the public feature data in the data packet information of the target data features.
The behavior model comprises three behavior characteristics with different dimensions, and obvious behavior characteristic changes can be generated when abnormal data characteristics appear, so that a basis is established for comparing and identifying the abnormal data characteristics by using a neural network output result.
C22 training the first convolutional neural network module 31 using the feature set generated from the first training dataset; initializing parameters of the first convolutional neural network module 31, inputting the feature group into the first convolutional neural network module 31, outputting a corresponding feature group prediction behavior model by the first convolutional neural network module 31, comparing the feature group prediction behavior model with a feature group standard behavior model to obtain deviation data according to the feature group prediction behavior model, updating the parameters of the first convolutional neural network module 31 by using the deviation data, and completing training when a loss function is converged within a set threshold;
c23 training the second convolutional neural network module 32 using the feature set generated from the second training dataset; initializing parameters of the second convolutional neural network module 32, inputting the feature group into the second convolutional neural network module 32, outputting a corresponding feature group prediction behavior model by the second convolutional neural network module 32, comparing the feature group prediction behavior model with a feature group standard behavior model to obtain deviation data according to the feature group prediction behavior model, updating the parameters of the second convolutional neural network module 32 by using the deviation data, and completing training when the loss function is converged within a set threshold;
D. The data characteristic recognition module 3 analyzes the data characteristic to be analyzed to obtain an abnormal data characteristic;
the analysis of the abnormal data features by the data feature recognition module 3 includes the steps of,
d1, continuously inputting data features in the first training data set into the first convolutional neural network module 31, and continuously inputting data features in the second training data set into the second convolutional neural network module 32;
d2, after the first convolutional neural network module 31 and the second convolutional neural network module 32 generate stable output results, respectively inputting the same data features to be identified to the first convolutional neural network module 31 and the second convolutional neural network module 32, and respectively and independently identifying the input data features by the first convolutional neural network module 31 and the second convolutional neural network module 32 to obtain two independent feature group prediction behavior models;
d3, a comparison module 33 calculates deviation data of the two feature group prediction behavior models obtained in the step D2, and then judges whether the input data features to be identified are abnormal data features or not according to calculation results;
in the step C and the step D, the deviation data calculation method of the feature set prediction behavior model (feature set standard behavior model) is that,
Comparing deviations of the two behavior models from three dimensions of the behavior range data, the behavior feature data and the behavior prediction data respectively, carrying out normalization processing on three groups of deviation data, and averaging the three groups of deviation data after normalization processing to obtain deviation data between the two behavior models; in some special cases, the three sets of deviation data can be weighted according to the actual situation, so that deviation data which is more relevant to the actual situation can be obtained.
In step D3, a deviation data judging threshold value is preset, and when the calculated deviation data exceeds the threshold value, the input data feature to be identified is judged to be an abnormal data feature;
E. the attack behavior early warning module 5 carries out attack behavior early warning according to the analysis result of the data characteristic recognition module 3; when the number of the abnormal data features identified by the data feature identification module 3 reaches an early warning threshold, the attack behavior early warning module 5 sends attack behavior early warning, and after the elimination of the early warning is confirmed by people, the number of the abnormal data features identified by the data feature identification module 3 is cleared, and the next early warning period is entered;
F. the attack behavior recognition module 6 recognizes attack behaviors corresponding to the attack behavior early warning module 5 which gives early warning according to the analysis result of the data characteristic recognition module 3; a simulation environment is established in the attack behavior identification module 6, the abnormal data features identified in the early warning process of the early warning module 5 are input into the simulation environment to perform simulation operation, and the attack behavior category is judged according to the simulation operation result;
The simulated running of the anomalous data feature comprises the steps of,
f1, simplifying a power grid topological structure, combining nodes which are smaller than a set threshold value in weight value deviation and are directly connected, wherein the combined new node weight value is an average value of original node weight values, and establishing a virtual power grid structure in an attack behavior identification module 6 according to the simplified power grid topological structure;
f2, presetting standard power grid data in nodes of a virtual power grid structure, determining injection nodes of the virtual power grid structure in an original power grid topological structure according to node position information in abnormal data characteristics, determining injection nodes of the virtual power grid structure in a simplified power grid topological structure according to a node merging process, and injecting data packet information and data acquisition time information in the abnormal data characteristics into the virtual power grid structure through the injection nodes in the simplified power grid topological structure;
f3, comparing and searching in an attack behavior database according to the running state of the virtual power grid structure after the abnormal data feature is injected to obtain attack behavior types;
if the result is not retrieved, carrying out data enhancement processing on the data packet information injected on the new combined node in sequence according to the sequence from big to small of the weight value of the new combined node; and after carrying out data enhancement processing on the data packet information injected into each node, carrying out comparison search again until the attack behavior category is searched.
The simulation experiment is carried out in a simulation laboratory of an automatic power distribution network test system of the Hebei electric department, and the invention discovers that the rapid and accurate early warning and recognition can be realized on various typical malicious attack behaviors. And then, carrying out a power grid operation monitoring experiment on the power grid in a novel power system power distribution network which is built in Hebei province of Hebei province and is suitable for large-scale access of distributed new energy, and realizing 100% early warning and identification on man-made malicious attacks in a single debugging stage of the power distribution network.
In the description of the present invention, it should be understood that the terms "longitudinal," "transverse," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like indicate or are based on the orientation or positional relationship shown in the drawings, merely to facilitate description of the present invention, and do not indicate or imply that the devices or elements referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus should not be construed as limiting the present invention.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and in part, not described or illustrated in any particular embodiment, reference is made to the related descriptions of other embodiments.
In various embodiments, the hardware implementation of the technology may directly employ existing smart devices, including, but not limited to, industrial personal computers, PCs, smartphones, handheld standalone machines, floor stand-alone machines, and the like. The input device is preferably a screen keyboard, the data storage and calculation module adopts an existing memory, a calculator and a controller, the internal communication module adopts an existing communication port and protocol, and the remote communication module adopts an existing gprs network, a universal Internet and the like.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other manners. For example, the apparatus/terminal device embodiments described above are merely illustrative, e.g., the division of modules or units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms. The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units. The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present invention may implement all or part of the flow of the method of the above embodiment, or may be implemented by a computer program to instruct related hardware, and the computer program may be stored in a computer readable storage medium, where the computer program, when executed by a processor, may implement the steps of each of the method embodiments described above. . Wherein the computer program comprises computer program code, which may be in the form of source code, object code, executable files or in some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (Random Acces Memory, RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content of the computer readable medium can be appropriately increased or decreased according to the requirements of the jurisdiction's jurisdiction and the patent practice, for example, in some jurisdictions, the computer readable medium does not include electrical carrier signals and telecommunication signals according to the jurisdiction and the patent practice.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (9)

1. A power network malicious attack protection system based on deep learning is characterized in that: the system comprises a power grid database module (1) and a power grid management module, wherein the power grid database module is used for generating a power grid topological structure, and collecting power grid data and storing the power grid data in nodes corresponding to the power grid topological structure; the data characteristic generating module (2) is used for generating corresponding data characteristics according to the power grid data and the storage structure; the data characteristic identification module (3) is used for analyzing the data characteristic to be analyzed to obtain an abnormal data characteristic; the data characteristic recognition module (3) comprises a first convolutional neural network module (31), a second convolutional neural network module (32) and a comparison module (33), wherein the first convolutional neural network module (31) and the second convolutional neural network module (32) are arranged in parallel, output results of the first convolutional neural network module (31) and the second convolutional neural network module (32) are input into the comparison module (33), and the comparison module (33) performs comparison processing on the input data to obtain abnormal data characteristics;
The data characteristic recognition module (3) analyzes the abnormal data characteristic and comprises the following steps,
d1, continuously inputting data features in a first training data set into a first convolutional neural network module (31), and continuously inputting data features in a second training data set into a second convolutional neural network module (32);
d2, after the first convolutional neural network module (31) and the second convolutional neural network module (32) generate stable output results, respectively inputting the same data features to be identified to the first convolutional neural network module (31) and the second convolutional neural network module (32), and respectively and independently identifying the input data features by the first convolutional neural network module (31) and the second convolutional neural network module (32) to obtain two independent feature group prediction behavior models;
d3, a comparison module (33) calculates deviation data of the two feature group prediction behavior models obtained in the step D2, and then judges whether the input data features to be identified are abnormal data features or not according to calculation results;
a training data set module (4) for generating a training data set using existing data features and training the data feature recognition module (3);
Generating the training data set comprises the steps of,
c11, setting the sample number of the first training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the first training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the first training data set; obtaining feature identification information by reading first associated information of data features counted in a first training data set, counting the data features corresponding to the feature identification information in the first training data set, and repeating the process until the number of samples in the first training data set is larger than the set number of samples;
c12, setting the sample number of the second training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the second training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the second training data set; obtaining feature identification information by reading second associated information of data features counted in a second training data set, counting the data features corresponding to the feature identification information in the second training data set, and repeating the process until the number of samples in the second training data set is larger than the set number of samples; counting the sample repetition rate of the second training data set and the first training data set, if the repetition rate exceeds 30%, continuously counting new samples into the second training data set according to the process, and deleting the same number of repeated samples until the repetition rate is less than or equal to 30%;
Training the data feature recognition module (3) comprises the steps of,
c21, generating a plurality of feature groups by using the first training data set, and establishing a corresponding feature group standard behavior model by using each feature group; generating a plurality of feature groups by using a second training data set, and establishing a corresponding feature group standard behavior model by using each feature group;
c22 training the first convolutional neural network module (31) using the feature set generated from the first training dataset; initializing parameters of a first convolutional neural network module (31), inputting the characteristic groups into the first convolutional neural network module (31), outputting corresponding characteristic group prediction behavior models by the first convolutional neural network module (31), comparing the characteristic group prediction behavior models with characteristic group standard behavior models to obtain deviation data according to the characteristic group prediction behavior models, updating the parameters of the first convolutional neural network module (31) by using the deviation data, and completing training when a loss function is converged within a set threshold;
c23 training a second convolutional neural network module (32) using the feature set generated from the second training dataset; initializing parameters of a second convolutional neural network module (32), inputting the feature group into the second convolutional neural network module (32), outputting a corresponding feature group prediction behavior model by the second convolutional neural network module (32), comparing the feature group prediction behavior model with a feature group standard behavior model to obtain deviation data, updating the parameters of the second convolutional neural network module (32) by using the deviation data, and completing training when a loss function is converged within a set threshold;
The attack behavior early warning module (5) is used for carrying out attack behavior early warning according to the analysis result of the data characteristic identification module (3); and the attack behavior recognition module (6) is used for recognizing the attack behavior corresponding to the early warning of the attack behavior early warning module (5) according to the analysis result of the data characteristic recognition module (3).
2. The control method of the power network malicious attack protection system based on deep learning is characterized by comprising the following steps of:
A. the power grid database module (1) generates a power grid topological structure, and simultaneously collects power grid data and stores the power grid data in nodes corresponding to the power grid topological structure;
B. the data characteristic generating module (2) generates corresponding data characteristics according to the power grid data and the storage structure;
C. the training data set module (4) generates a training data set by using the existing data characteristics and trains the data characteristic recognition module (3);
generating the training data set comprises the steps of,
c11, setting the sample number of the first training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the first training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the first training data set; obtaining feature identification information by reading first associated information of data features counted in a first training data set, counting the data features corresponding to the feature identification information in the first training data set, and repeating the process until the number of samples in the first training data set is larger than the set number of samples;
C12, setting the sample number of the second training data set, if the data weight value only has one maximum value, calculating the data characteristic with the maximum data weight value into the second training data set, and if the data weight value has a plurality of maximum values, calculating the data characteristic with the maximum data weight value into the second training data set; obtaining feature identification information by reading second associated information of data features counted in a second training data set, counting the data features corresponding to the feature identification information in the second training data set, and repeating the process until the number of samples in the second training data set is larger than the set number of samples; counting the sample repetition rate of the second training data set and the first training data set, if the repetition rate exceeds 30%, continuously counting new samples into the second training data set according to the process, and deleting the same number of repeated samples until the repetition rate is less than or equal to 30%;
in step C, training the data feature recognition module (3) comprises the following steps,
the data characteristic recognition module (3) comprises a first convolutional neural network module (31), a second convolutional neural network module (32) and a comparison module (33), wherein the first convolutional neural network module (31) and the second convolutional neural network module (32) are arranged in parallel, output results of the first convolutional neural network module (31) and the second convolutional neural network module (32) are input into the comparison module (33), and the comparison module (33) performs comparison processing on the input data to obtain abnormal data characteristics;
C21, generating a plurality of feature groups by using the first training data set, and establishing a corresponding feature group standard behavior model by using each feature group; generating a plurality of feature groups by using a second training data set, and establishing a corresponding feature group standard behavior model by using each feature group;
c22 training the first convolutional neural network module (31) using the feature set generated from the first training dataset; initializing parameters of a first convolutional neural network module (31), inputting the characteristic groups into the first convolutional neural network module (31), outputting corresponding characteristic group prediction behavior models by the first convolutional neural network module (31), comparing the characteristic group prediction behavior models with characteristic group standard behavior models to obtain deviation data according to the characteristic group prediction behavior models, updating the parameters of the first convolutional neural network module (31) by using the deviation data, and completing training when a loss function is converged within a set threshold;
c23 training a second convolutional neural network module (32) using the feature set generated from the second training dataset; initializing parameters of a second convolutional neural network module (32), inputting the feature group into the second convolutional neural network module (32), outputting a corresponding feature group prediction behavior model by the second convolutional neural network module (32), comparing the feature group prediction behavior model with a feature group standard behavior model to obtain deviation data, updating the parameters of the second convolutional neural network module (32) by using the deviation data, and completing training when a loss function is converged within a set threshold;
D. The data characteristic recognition module (3) analyzes the data characteristic to be analyzed to obtain an abnormal data characteristic; the data characteristic recognition module (3) analyzes the abnormal data characteristic and comprises the following steps,
d1, continuously inputting data features in a first training data set into a first convolutional neural network module (31), and continuously inputting data features in a second training data set into a second convolutional neural network module (32);
d2, after the first convolutional neural network module (31) and the second convolutional neural network module (32) generate stable output results, respectively inputting the same data features to be identified to the first convolutional neural network module (31) and the second convolutional neural network module (32), and respectively and independently identifying the input data features by the first convolutional neural network module (31) and the second convolutional neural network module (32) to obtain two independent feature group prediction behavior models;
d3, a comparison module (33) calculates deviation data of the two feature group prediction behavior models obtained in the step D2, and then judges whether the input data features to be identified are abnormal data features or not according to calculation results;
E. the attack behavior early warning module (5) carries out attack behavior early warning according to the analysis result of the data characteristic recognition module (3);
F. And the attack behavior recognition module (6) recognizes the attack behavior corresponding to the early warning of the attack behavior early warning module (5) according to the analysis result of the data characteristic recognition module (3).
3. The control method of the deep learning-based power network malicious attack protection system according to claim 2, wherein: in the step A, a weight value is set for the nodes in the power grid topological structure according to the number of the nodes directly connected with the nodes, the weight value is in direct proportion to the number of the connected nodes, and the weight value of the node is given to the power grid data stored in the node; and inputting a test signal into the node with the largest weight value, and recording the distortion amount of the test signal on different nodes.
4. The control method of the deep learning-based power network malicious attack protection system according to claim 3, wherein: in step B, the generated data features include feature identification information, data packet information, node position information, data acquisition time information, data weight values, and data association information.
5. The control method of the deep learning-based power network malicious attack protection system according to claim 4, wherein: the data association information comprises first association information and second association information, and the acquisition method is that,
Summarizing characteristic identification information generated by power grid data stored on a local node into first associated information, and summarizing characteristic identification information generated by power grid data stored on a node directly connected with the local node into first associated information;
the method comprises the steps of presetting a signal distortion variance threshold, grouping all nodes in a network topological structure, calculating the signal distortion variance of each group of nodes, enabling the signal distortion variance of all groups of nodes to be smaller than the preset signal distortion variance threshold through grouping adjustment, keeping the number of groups to be minimum, and counting characteristic identification information generated by power grid data stored in the same group of nodes into second association information.
6. The control method of the deep learning-based power network malicious attack protection system according to claim 5, wherein the control method comprises the following steps: in the step E, when the number of the abnormal data features identified by the data feature identification module (3) reaches an early warning threshold, the attack behavior early warning module (5) sends out attack behavior early warning, and after the early warning is eliminated by human validation, the number of the abnormal data features identified by the data feature identification module (3) is cleared, and the next early warning period is entered.
7. The control method of the deep learning-based power network malicious attack protection system according to claim 6, wherein: in the step F, a simulation environment is established in the attack behavior identification module (6), the abnormal data features identified in the early warning process of the early warning module (5) are input into the simulation environment to perform simulation operation, and the attack behavior type is judged according to the simulation operation result.
8. The control method of the deep learning-based power network malicious attack protection system according to claim 7, wherein: the simulated running of the anomalous data feature comprises the steps of,
f1, simplifying a power grid topological structure, merging nodes which are smaller than a set threshold value in weight value deviation and are directly connected, wherein the merged new node weight value is an average value of original node weight values, and establishing a virtual power grid structure in an attack behavior identification module (6) according to the simplified power grid topological structure;
f2, presetting standard power grid data in nodes of a virtual power grid structure, determining injection nodes of the virtual power grid structure in an original power grid topological structure according to node position information in abnormal data characteristics, determining injection nodes of the virtual power grid structure in a simplified power grid topological structure according to a node merging process, and injecting data packet information and data acquisition time information in the abnormal data characteristics into the virtual power grid structure through the injection nodes in the simplified power grid topological structure;
and F3, comparing and searching in an attack behavior database according to the running state of the virtual power grid structure after the abnormal data features are injected, and obtaining attack behavior types.
9. The control method of the deep learning-based power network malicious attack protection system according to claim 8, wherein: in the step F3, if the result is not searched, carrying out data enhancement processing on the data packet information injected on the new node after combination according to the sequence from big to small of the power grid value of the new node after combination; and after carrying out data enhancement processing on the data packet information injected into each node, carrying out comparison search again until the attack behavior category is searched.
CN202211240081.3A 2022-10-11 2022-10-11 Power network malicious attack protection system based on deep learning and control method thereof Active CN115643059B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211240081.3A CN115643059B (en) 2022-10-11 2022-10-11 Power network malicious attack protection system based on deep learning and control method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211240081.3A CN115643059B (en) 2022-10-11 2022-10-11 Power network malicious attack protection system based on deep learning and control method thereof

Publications (2)

Publication Number Publication Date
CN115643059A CN115643059A (en) 2023-01-24
CN115643059B true CN115643059B (en) 2023-05-23

Family

ID=84945043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211240081.3A Active CN115643059B (en) 2022-10-11 2022-10-11 Power network malicious attack protection system based on deep learning and control method thereof

Country Status (1)

Country Link
CN (1) CN115643059B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112381667A (en) * 2020-11-12 2021-02-19 国网四川省电力公司电力科学研究院 Distribution network electrical topology identification method based on deep learning
CN113762405A (en) * 2021-09-15 2021-12-07 国网河北省电力有限公司电力科学研究院 Power network attack recognition system and recognition method thereof
CN113992350A (en) * 2021-09-24 2022-01-28 杭州意能电力技术有限公司 Smart grid false data injection attack detection system based on deep learning

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11451581B2 (en) * 2019-05-20 2022-09-20 Architecture Technology Corporation Systems and methods for malware detection and mitigation

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112381667A (en) * 2020-11-12 2021-02-19 国网四川省电力公司电力科学研究院 Distribution network electrical topology identification method based on deep learning
CN113762405A (en) * 2021-09-15 2021-12-07 国网河北省电力有限公司电力科学研究院 Power network attack recognition system and recognition method thereof
CN113992350A (en) * 2021-09-24 2022-01-28 杭州意能电力技术有限公司 Smart grid false data injection attack detection system based on deep learning

Also Published As

Publication number Publication date
CN115643059A (en) 2023-01-24

Similar Documents

Publication Publication Date Title
CN112910859B (en) Internet of things equipment monitoring and early warning method based on C5.0 decision tree and time sequence analysis
CN111798312A (en) Financial transaction system abnormity identification method based on isolated forest algorithm
CN109100627A (en) A kind of power equipment partial discharges fault diagnostic method based on end-to-end mode
CN105279397A (en) Method for identifying key proteins in protein-protein interaction network
CN112202718B (en) XGboost algorithm-based operating system identification method, storage medium and device
CN107465691A (en) Network attack detection system and detection method based on router log analysis
CN112491891B (en) Network attack detection method based on hybrid deep learning in Internet of things environment
CN107368526A (en) A kind of data processing method and device
CN111368096A (en) Knowledge graph-based information analysis method, device, equipment and storage medium
CN110493262A (en) It is a kind of to improve the network attack detecting method classified and system
CN113762405A (en) Power network attack recognition system and recognition method thereof
CN115409518A (en) User transaction risk early warning method and device
CN111310918A (en) Data processing method and device, computer equipment and storage medium
WO2018036402A1 (en) Method and device for determining key variable in model
CN115102705A (en) Automatic network security detection method based on deep reinforcement learning
CN109740335A (en) The classification method and device of identifying code operation trace
CN112257332B (en) Simulation model evaluation method and device
CN115643059B (en) Power network malicious attack protection system based on deep learning and control method thereof
CN113259388A (en) Network flow abnormity detection method, electronic equipment and readable storage medium
CN110995770B (en) Fuzzy test application effect comparison method
Yin et al. A feature selection method for improved clonal algorithm towards intrusion detection
CN117332054A (en) Form question-answering processing method, device and equipment
CN115412314B (en) Power system network attack prediction system and prediction method thereof
CN114722960A (en) Method and system for detecting incomplete track of event log in business process
CN113448860A (en) Test case analysis method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant