CN115766217A - Communication service topology authentication system and method for power grid safety and stability control system - Google Patents
- Publication number: CN115766217A (CN202211426764.8A)
- Authority: CN (China)
- Prior art keywords: connection, stability control, topology, item, configuration
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a communication service topology authentication system and method for a power grid safety and stability control system. The method comprises: connection configuration acquisition and release, in which each stability control station acquires its service communication configuration and publishes it in the form of connection items; connection verification, in which each station confirms connection applications, performs closure verification on the topology connection items it receives, and publishes the connection items that pass closure verification; topology consensus, in which the stations reach consensus on the topology information that has passed closure verification; and topology management, in which the stability control terminals store the complete service topology information in a distributed manner and support updating and querying it. A station confirms the validity of a connection application against the stored topology. The method combines the service topology of the power grid safety and stability control system with a blockchain, realizes communication authentication of the safety and stability control terminals based on the blockchain and the service topology, improves the system's ability to cope with identity and message forgery attacks at lower resource overhead, and ensures the security of the system's service communication.
Description
Technical Field
The invention belongs to the technical field of smart grid information security and relates to a system and method for authenticating the communication service topology of a power grid safety and stability control system, in particular to a blockchain-based system and method for authenticating the communication service topology of a power grid safety and stability control system.
Background
The safety and stability control system serves as the second line of defense of the power system and bears important responsibility for ensuring safe and reliable operation of the power grid. In scenarios such as wide terminal interconnection and distributed access of new energy, the grid places ever higher demands on the reliability and flexibility of the safety and stability control system, its communication service requirements increase correspondingly, and the communication security of the safety and stability control terminals faces a new test. At present, the security of power grid safety and stability control depends excessively on physical security guarantees; once a malicious attacker gains access to the intranet and interacts with legitimate equipment, the safe and stable operation of the power grid is seriously threatened. Establishing an interaction authentication and trust mechanism between stability control stations is therefore urgent and necessary.
Traditional terminal identity authentication methods mainly fall into three approaches: authentication based on unique physical characteristics, on symmetric shared keys, and on PKI digital certificates. However, all of these methods carry the risk of centralized authentication, and research on related schemes focuses on authentication and communication of device entities, so the additional overhead is large and the low-consumption, quick-response requirements of terminal authentication in a stability control system are difficult to meet. Most existing blockchain-based identity authentication methods use an improved digital certificate authentication mechanism and replace the traditional CA with a blockchain, but their communication and authentication overhead is large. A lightweight identity authentication method for power grid safety and stability control is therefore needed.
The communication service topology information of the power stability control system covers the connection configuration and the service data flow direction of the nodes in the whole system, and is of great significance to the security of the stability control service. As the flexibility of the power grid increases, the information interaction requirements between regional safety and stability control systems keep growing; using information such as the service topology to carry out overall service security regulation, and to trace service operation information and state information, is a foreseeable development direction. However, no such scheme currently exists for stability control systems, and the power stability control system lacks the ability to perceive and apply the overall communication service topology.
In summary, the problems of the prior art are as follows:
(1) A traditional PKI-based authentication system built in the complex, resource-limited environment of safety and stability control incurs high time and space costs, affects normal service communication between safety and stability control terminals, and risks paralysis of the authentication system if the authentication center is attacked.
(2) Existing blockchain-based authentication schemes solve the problem of centralized authentication, but generally suffer from limitations such as high resource consumption and long response time, and are difficult to apply directly to a power grid stability control system.
(3) The existing power stability control system lacks the ability to perceive and apply the overall service topology. As the flexibility of the power grid increases, the information interaction requirements between regional safety and stability control systems keep growing; using information such as the service topology to carry out overall service security regulation, and to trace service operation information and state information, is a foreseeable development direction.
Disclosure of Invention
To address the problems in the prior art, the invention provides a blockchain-based communication service topology authentication system and method for a power grid safety and stability control system.
The technical scheme adopted by the system of the invention is as follows: a communication service topology authentication system of a power grid safety and stability control system comprises a safety and stability control terminal and a service topology authentication chain;
the safety and stability control terminal is used for executing connection configuration acquisition and release, closure verification, topology consensus and topology management, broadcasting configuration information and authentication applications to the other safety and stability control terminals in the system, and jointly maintaining the service topology authentication chain; the terminal comprises a connection configuration acquisition and release module, a closure verification module, a topology consensus module and a topology management module;
the service topology authentication chain is formed by linking a plurality of blocks; all blocks are generated and stored consistently by all safety and stability control terminals through consensus based on the service topology closure verification logic; the block structure comprises a block header and a block body, wherein the block header comprises a block number, a timestamp, a parent block hash value and the Merkle tree root of the block, and the block body stores the detailed connection item contents; the connection item structure comprises the inter-station relationship of the stations of the two communicating parties, their IP, communication address and port information, and a connection configuration deletion flag;
the connection configuration acquisition and release module is used for obtaining communication-related configuration from the fixed value area of the safety and stability control terminal and broadcasting newly added, modified and deleted items of the service topology configuration, or connection applications, to the node network of the safety and stability control system in a fixed format for subsequent verification by the node network, and comprises the following sub-modules: a configuration acquisition submodule and a configuration release submodule; the configuration acquisition submodule is used for reading the information required by the authentication system from the system configuration of the safety and stability control terminal when the device starts, and packaging the configuration information into the fixed connection item format; the configuration release submodule is used for broadcasting the packaged connection items to the whole network;
the connection verification module is used for receiving the configuration or application information issued by the connection configuration acquisition and release modules of the other safety and stability control terminals in the node network, verifying all configurations, and issuing verification results or accepting connection applications; it comprises the following sub-modules: the connection confirmation submodule, the closure verification submodule and the abnormal behavior processing submodule;
the connection confirmation submodule is used for receiving a connection configuration and comparing it with the existing trusted service topology; if an item with consistent content exists and the connection item deletion identifier is invalid, the connection is confirmed successfully; if an item with consistent content exists and the connection identifier is valid, or no item with consistent content exists and the connection identifier is invalid, the item is sent to the closure verification submodule; all other cases are judged to be abnormal behavior, and the exception type is recorded and sent to the abnormal behavior processing submodule;
the closure verification submodule is used for classifying and matching the connection configurations broadcast by the safety and stability control terminals within a period of time, searching for connection items that describe the same connection relationship, and broadcasting confirmation information for the complete connection item once it confirms that the connection configurations issued by the two connected parties do not conflict; when an exception such as a field conflict occurs, the exception is submitted to the abnormal behavior processing submodule;
the abnormal behavior processing submodule is used for receiving abnormal items and exception types from the connection confirmation submodule and the closure verification submodule, and handling them according to the identity information in the abnormal item and the exception type;
the topology consensus module is used for completing consensus on the topology information between the safety and stability control terminals based on the PBFT mechanism, and for locally verifying and storing new block data; it comprises the following sub-modules: a block proposal submodule and a consensus confirmation submodule; the block proposal submodule is used for collecting the node network's confirmation messages for closed items, adding an item to the to-be-packed sequence when the number of confirmations for that item exceeds a threshold, packing the items into a block structure when the number of items in the to-be-packed sequence reaches the block capacity upper limit or the time since the last block was distributed exceeds a threshold, and distributing the block structure to the node network to start PBFT consensus; the consensus confirmation submodule is used for receiving the primary node's block proposal, exchanging consensus messages with the other nodes, and completing the core PBFT consensus process;
the topology management module is used for storing the service topology information of a new block in the service topology authentication chain and updating the corresponding index, and for providing a query interface and an update interface to the service topology authentication chain for the connection verification module and the topology consensus module respectively; it comprises the following sub-modules: a topology update submodule and a topology query submodule; the topology update submodule is used for extracting the service topology connection items from the new block and modifying the blockchain ledger file and the index file accordingly, so as to update the service topology; the topology query submodule is used for querying the latest state of the corresponding connection in the service topology according to the input key value.
The technical scheme adopted by the method of the invention is as follows: a communication service topology authentication method for a power grid safety and stability control system comprises the following steps:
S1: the safety and stability control terminal acquires the configuration related to inter-station service connections from the system configuration information, and broadcasts the configuration to the node network of the power grid safety and stability control system in a fixed format for subsequent verification by the node network;
S2: the safety and stability control terminal receives the configuration or application information issued by the other safety and stability control terminals in the node network, verifies all configurations, and broadcasts the verification result or abnormal behavior information;
S3: the safety and stability control terminal starts consensus according to the verification result obtained, exchanges messages based on the PBFT consensus algorithm for the configuration items confirmed as closed, and sends them to the primary node for ordering to generate a block proposal, obtaining a confirmed block;
S4: the safety and stability control terminal stores the service topology information in the block that has passed consensus, completes the corresponding index update task according to the configuration type, and provides a query interface and an update interface for the service topology state to the connection verification module and the topology consensus module respectively.
The invention uses blockchain technology to realize communication authentication between safety and stability control terminals in the power system. The decentralized, trusted interaction of the blockchain greatly improves the security of authentication between power grid safety and stability control terminals and effectively avoids the problem of centralized authentication. The invention combines the service topology information between terminals (the overall connection structure of the stability control system and the service flow direction) with authentication; authentication consumes few resources and responds quickly, improves the ability of the power grid safety and stability control system to cope with malicious network attacks at a small time and space overhead, and ensures the security of service communication between system terminals. The invention can effectively resist DoS attacks and reduce their influence on the whole system. In addition, the invention can prevent illegal service connections by malicious equipment in the intranet.
Drawings
FIG. 1 is a schematic diagram of a system according to an embodiment of the present invention;
In the figure: 10, connection configuration acquisition and release module; 101, configuration acquisition submodule; 102, configuration release submodule; 20, connection verification module; 201, connection confirmation submodule; 202, closure verification submodule; 203, abnormal behavior processing submodule; 30, topology consensus module; 301, block proposal submodule; 302, consensus confirmation submodule; 40, topology management module; 401, topology update submodule; 402, topology query submodule;
FIG. 2 is a flow chart of a method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to FIG. 1, the communication service topology authentication system of the power grid safety and stability control system provided by the present invention includes a safety and stability control terminal (security control terminal for short) and a service topology authentication chain.
The service topology authentication chain of this embodiment is formed by linking a plurality of blocks. The block structure comprises a block header and a block body, wherein the block header comprises a block number, a timestamp, a parent block hash value and the Merkle tree root of the block, and the block body stores the detailed connection item contents.
The connection item structure of this embodiment includes the inter-station relationship of the stations where the two communicating parties are located, and the IP, communication address and port information of both parties. In addition, the connection item structure has a connection configuration deletion flag to distinguish newly added items from deleted items.
The safety and stability control terminal of this embodiment comprises: a connection configuration acquisition and release module 10, a closure verification module 20, a topology consensus module 30 and a topology management module 40.
The connection configuration acquisition and release module 10 of this embodiment is configured to obtain communication-related configuration from the fixed value area of the safety and stability control terminal, and to broadcast newly added, modified and deleted items of the service topology configuration, or connection applications, to the node network of the stability control system in a fixed format for subsequent verification by the node network. It includes the following sub-modules: a configuration acquisition sub-module 101 and a configuration release sub-module 102.
The connection verification module 20 of this embodiment is configured to receive the configuration or application information issued by the connection configuration acquisition and release modules of the other safety and stability control terminals in the network, verify all configurations, and issue verification results or accept connection applications. It includes the following sub-modules: a connection confirmation sub-module 201, a closure verification sub-module 202 and an abnormal behavior processing sub-module 203.
The topology consensus module 30 of this embodiment is configured to complete consensus on the topology information between terminals based on the PBFT mechanism, and to locally verify and store new block data. It includes the following sub-modules: a block proposal sub-module 301 and a consensus confirmation sub-module 302.
The topology management module 40 of this embodiment is configured to store the service topology information of a new block in the service topology authentication chain and update the corresponding index, and to provide update and query interfaces to the service topology authentication chain for the other modules. It includes the following sub-modules: a topology update sub-module 401 and a topology query sub-module 402.
The configuration acquisition sub-module 101 of this embodiment is configured to read the information required by the authentication system from the system configuration of the safety and stability control terminal when the device starts, and to encapsulate the configuration information in the connection item format.
The configuration release sub-module 102 of this embodiment is configured to broadcast the encapsulated connection items to the whole network.
The connection confirmation sub-module 201 of this embodiment is configured to receive a connection configuration and compare it with the existing trusted service topology. If an item with consistent content exists and the connection item deletion identifier is invalid, the connection is confirmed successfully; if an item with consistent content exists and the connection identifier is valid, or no item with consistent content exists and the connection identifier is invalid, the item is sent to the closure verification sub-module; all other cases are judged to be abnormal behavior, and the exception type is recorded and sent to the abnormal behavior processing sub-module.
The closure verification sub-module 202 of this embodiment is configured to classify and match the connection configurations broadcast by the terminals within a period of time, find connection items that describe the same connection relationship, and broadcast confirmation information for the complete connection item once it confirms that the connection configurations issued by the two connected parties do not conflict; when an exception such as a field conflict occurs, the exception is submitted to the abnormal behavior processing sub-module.
The abnormal behavior processing sub-module 203 of this embodiment is configured to receive abnormal items and exception types from the connection confirmation sub-module and the closure verification sub-module, and to handle them according to the identity information in the abnormal item and the exception type.
The block proposal sub-module 301 of this embodiment is configured to collect the network's confirmation messages for closed items, add an item to the to-be-packed sequence when the number of confirmations for that item exceeds a threshold, and, when the number of items in the to-be-packed sequence reaches the block capacity upper limit or the time since the last block was distributed exceeds a threshold, pack the items into a block structure and distribute it to the node network so as to start PBFT consensus.
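The block structure and the block proposal rule described above can be exercised together. The following is an added example, not code from the patent: it assumes SHA-256 over canonical JSON, a Merkle tree that repeats the last hash on odd levels, and caller-chosen thresholds, none of which the page specifies; the PBFT message exchange itself is not modelled.

```python
import hashlib
import json


def digest(obj):
    """SHA-256 over a canonical JSON encoding (hash and encoding are assumed)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def merkle_root(items):
    """Merkle root over connection items; an odd level repeats its last hash."""
    level = [digest(i) for i in items] or [digest([])]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [digest(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class BlockProposer:
    """Hypothetical block proposal submodule; all three limits are assumed values."""

    def __init__(self, confirm_threshold, capacity, max_interval):
        self.confirm_threshold = confirm_threshold
        self.capacity = capacity
        self.max_interval = max_interval
        self.votes = {}        # item digest -> ids of nodes that confirmed it
        self.queued = set()    # digests already moved to the to-be-packed sequence
        self.pending = []      # to-be-packed sequence
        self.chain = []
        self.last_block_time = 0.0

    def on_confirmation(self, node_id, item):
        d = digest(item)
        self.votes.setdefault(d, set()).add(node_id)  # a node counts once per item
        if len(self.votes[d]) > self.confirm_threshold and d not in self.queued:
            self.queued.add(d)
            self.pending.append(item)

    def maybe_propose(self, now):
        """Pack a block when capacity is reached or the interval has elapsed."""
        due = now - self.last_block_time > self.max_interval
        if not self.pending or (len(self.pending) < self.capacity and not due):
            return None
        body, self.pending = self.pending[:self.capacity], self.pending[self.capacity:]
        parent = digest(self.chain[-1]["header"]) if self.chain else "0" * 64
        header = {"number": len(self.chain), "timestamp": now,
                  "parent_hash": parent, "merkle_root": merkle_root(body)}
        block = {"header": header, "body": body}
        self.chain.append(block)  # appended as if PBFT consensus had succeeded
        self.last_block_time = now
        return block


def first_bad_block(chain):
    """Index of the first block whose body or parent link fails, else None."""
    for i, blk in enumerate(chain):
        if blk["header"]["merkle_root"] != merkle_root(blk["body"]):
            return i
        if i and blk["header"]["parent_hash"] != digest(chain[i - 1]["header"]):
            return i
    return None


def make_item(ip_a, ip_b):
    """Constructed complete connection item; addresses and ports are made up."""
    return {"relation": 0, "delete": False,
            "endpoints": {ip_a: [1, 5001], ip_b: [2, 5002]}}


def demo():
    p = BlockProposer(confirm_threshold=2, capacity=2, max_interval=10.0)
    i1, i2, i3 = (make_item(f"10.0.0.{n}", f"10.0.1.{n}") for n in (1, 2, 3))
    for node in ("n1", "n2", "n3"):
        p.on_confirmation(node, i1)
    for _ in range(5):                   # repeated votes from one node do not add up
        p.on_confirmation("n4", i2)
    r1 = p.maybe_propose(now=1.0)        # one queued item, interval not elapsed
    for node in ("n1", "n2", "n3"):
        p.on_confirmation(node, i3)
    r2 = p.maybe_propose(now=2.0)        # capacity reached: block 0
    p.on_confirmation("n1", i2)
    p.on_confirmation("n2", i2)
    r3 = p.maybe_propose(now=5.0)        # one queued item, interval not elapsed
    r4 = p.maybe_propose(now=13.0)       # interval elapsed: block 1
    return p, (r1, r2, r3, r4)
```

Counting confirmations per distinct node is a choice made in this example; without it a single terminal could push an item over the threshold by repeating its own confirmation.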
The consensus confirmation sub-module 302 of this embodiment is configured to receive the primary node's block proposal, exchange consensus messages with the other nodes, and complete the core PBFT consensus process.
The topology update sub-module 401 of this embodiment is configured to extract the service topology connection items from the new block and modify the blockchain ledger file and the index file accordingly, so as to update the service topology.
The topology query sub-module 402 of this embodiment is configured to query the latest state of the corresponding connection in the service topology according to the input key value.
Referring to fig. 2, the method for authenticating topology of communication service of power grid safety and stability control system provided by the present invention includes the following steps:
s1: the safety and stability control terminal acquires the relevant configuration of the inter-station service connection from the system configuration information, and broadcasts the configuration to the node network of the power grid safety and stability control system according to a fixed format for subsequent verification by the node network;
in this embodiment, the specific implementation of step S1 includes the following sub-steps:
s101: before the equipment is put into use, security control operation and maintenance personnel preset connection configuration information of the safety and stability control terminal and store the connection configuration information in a fixed value area and a configuration file of the safety and stability control terminal;
in this embodiment, the connection configuration information includes an IP address of the security and stability control terminal in the dispatch data network, a communication address in the regional security and stability control system, an inter-station relationship type with the opposite end of the communication service (0 when the opposite end is a peer device, and 1 when the opposite end is a peer device, an IP address and a communication address of the opposite end of each communication service, and a corresponding connection port number.
S102: the security and stability control terminal starts to operate, and information required by the authentication system is read from the connection configuration information of the security and stability control terminal;
s103: packaging the connection configuration information in the step S102 into a format of a connection item according to a data packaging process;
s104: broadcasting the corresponding connection item to the authentication network according to the configuration change;
in this embodiment, when the configuration changes, three different items, namely, a new item, a deleted item and a modified item, are issued according to the difference of deletion marks in the connection item structure; when new added items are issued, original connecting items with invalid deletion identifications are directly issued; when the deletion item is issued, the deletion identification of the original connection item is set to be valid and issued; when the modified item is released, the deleted item of the original connection item is released first, and then the new added item is released in a short time according to the changed configuration.
S105: and after the transmission is finished or the configuration is not changed, broadcasting the existing configuration as the connection authentication application information.
S2: the security and stability control terminal receives configuration or application information issued by other security and stability control terminals in the node network, verifies all the configurations and broadcasts a verification result or abnormal behavior information;
in this embodiment, the specific implementation of step S2 includes the following sub-steps:
s201: after receiving the connection configuration broadcast, the security and stability control terminal enters step S4, compares the connection configuration broadcast with the existing trusted service topology, and waits for a return result;
if the returned result shows that the items with consistent contents exist and the connection item deletion identification is invalid, the step S202 is entered;
if the returned result shows that the item with consistent content already exists and the connection identifier is valid, or the item with consistent content does not exist and the connection identifier is invalid, the step S203 is executed;
if the return result is the other condition, judging that the condition is abnormal, recording the abnormal type and entering the step S204;
s202: the item is an effective connection application, records related information and succeeds in connection authentication;
s203: the safety and stability control terminal performs closing verification on the item; if the closing verification is passed, the safety and stability control terminal broadcasts a confirmation message and enters the step S3; if a conflict or timeout occurs, go to step S204;
In this embodiment, closure verification proceeds as follows. On receiving a connection item from step S201, the terminal attaches a timestamp and adds the item to a buffer. The terminal then traverses the connection items in the buffer. For any item whose joining time differs from the current time by more than a timeout threshold, closure verification fails and the abnormal type is verification timeout. For each item that has not timed out, the IPs in the item are combined to form a key value, and the item is added at the position of that key value in the verification set. The terminal then traverses the verification set. Items that do not yet form a connection item combination, i.e. items that are not closed, are left unprocessed. For a set containing a group of connection items, fields such as the inter-station relation and the communication address are matched. If a field conflict occurs, the items are removed from the buffer, closure verification fails, and the abnormal type is conflict. If matching succeeds, the port information of the two items is merged to form a complete connection item, closure verification is judged to have passed, and the group of connection items is cleared from the buffer.
S204: Abnormal behavior processing is performed for items with a field conflict, format error, verification timeout, or invalid deletion.
In this embodiment, abnormal behavior processing works as follows. For items with a format error, verification timeout, or invalid deletion, information such as the abnormal type and the time of occurrence is reported locally. For items that conflict with the ledger or with the closure verification logic in steps S201 and S203, the abnormal type, content, and time of occurrence are reported locally, and the abnormal item is also broadcast, including its identification information and time of occurrence.
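The closure verification pass of S203, with the timeout and conflict outcomes handed to S204, as an added Python example (not code from the patent). The field names, the 30-second timeout, the rule that both sides must state the same relation label and deletion flag, and the sample broadcasts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

TIMEOUT_S = 30.0  # assumed value; the page only says "timeout threshold"


@dataclass(frozen=True)
class HalfItem:
    """One terminal's view of a link (field names are assumptions)."""
    local_ip: str
    peer_ip: str
    local_addr: int   # communication address of the publishing station
    peer_addr: int    # communication address it expects at the peer
    relation: str     # inter-station relation type
    local_port: int
    deleted: bool = False


class ClosureVerifier:
    def __init__(self, timeout=TIMEOUT_S):
        self.timeout = timeout
        self.buffer = []  # (joined_at, HalfItem), in arrival order

    def receive(self, item, now):
        """Timestamp an item handed over by S201 and put it in the buffer."""
        self.buffer.append((now, item))

    def run(self, now):
        """One verification pass. Returns (complete_items, anomalies)."""
        complete, anomalies, keep = [], [], []
        groups = defaultdict(lambda: ([], []))  # IP-pair key -> items per side
        for joined, item in self.buffer:
            if now - joined > self.timeout:
                anomalies.append(("verification timeout", item))
                continue
            lo, hi = sorted((item.local_ip, item.peer_ip))
            side = 0 if item.local_ip == lo else 1
            groups[(lo, hi)][side].append((joined, item))
        for (lo, hi), (side_a, side_b) in groups.items():
            paired = min(len(side_a), len(side_b))
            # Items with no counterpart yet are "not closed": leave them buffered.
            keep.extend(side_a[paired:] + side_b[paired:])
            for (_, a), (_, b) in zip(side_a, side_b):
                if self._conflict(a, b):
                    # Both halves leave the buffer and go to S204.
                    anomalies.append(("conflict", a))
                    anomalies.append(("conflict", b))
                    continue
                # Merge the two ports into one complete connection item.
                complete.append({
                    "ips": (lo, hi),
                    "addrs": (a.local_addr, b.local_addr),
                    "ports": (a.local_port, b.local_port),
                    "relation": a.relation,
                    "deleted": a.deleted,
                })
        self.buffer = sorted(keep, key=lambda entry: entry[0])
        return complete, anomalies

    @staticmethod
    def _conflict(a, b):
        # Assumed matching rule: same relation label and deletion flag,
        # and each side's own address is the one the other side expects.
        return (a.relation != b.relation
                or a.local_addr != b.peer_addr
                or a.peer_addr != b.local_addr
                or a.deleted != b.deleted)


def demo():
    v = ClosureVerifier(timeout=30.0)
    # Constructed sample broadcasts (documentation IP range).
    v.receive(HalfItem("192.0.2.10", "192.0.2.20", 1, 2, "master-slave", 5001), now=0.0)
    v.receive(HalfItem("192.0.2.30", "192.0.2.40", 3, 4, "master-slave", 5003), now=1.0)  # peer never publishes
    v.receive(HalfItem("192.0.2.20", "192.0.2.10", 2, 1, "master-slave", 5002), now=2.0)
    v.receive(HalfItem("192.0.2.50", "192.0.2.60", 5, 6, "master-slave", 5005), now=3.0)
    v.receive(HalfItem("192.0.2.60", "192.0.2.50", 6, 9, "master-slave", 5006), now=4.0)  # address mismatch
    first = v.run(now=5.0)    # one link closes, one pair conflicts, one item waits
    second = v.run(now=40.0)  # the waiting item has now timed out
    return first, second
```

A one-sided claim about a link never closes on its own: it stays in the buffer until the peer publishes a matching half or the timeout turns it into an anomaly.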
S3: The safety and stability control terminal starts consensus according to the verification results obtained; for configuration items confirmed as closed, it exchanges information based on the PBFT consensus algorithm and sends the information to the master node, which orders the items and generates a block proposal, so that a confirmed block is obtained;
Step S3 comprises the following sub-steps:
S301: Each safety and stability control terminal takes turns acting as the master node under a time-slice polling mechanism; if the current terminal is the master node, go to step S302; otherwise, go to step S303;
S302: The safety and stability control terminal collects the confirmations, issued on the node network, of items that have passed closure verification, and adds an item to the to-be-packed sequence when the number of confirmations for that item exceeds a threshold; when the number of items in the to-be-packed sequence reaches the capacity limit of a single block, or the time since the last block was issued exceeds a threshold, the items in the sequence are assembled into a block structure and issued to the node network to start the three-phase consensus process of the PBFT consensus mechanism;
S303: The safety and stability control terminal receives the block proposal sent by the current master node, exchanges PBFT consensus messages with the other nodes in the node network, completes the core PBFT consensus process, obtains the new block on which consensus has been reached, and goes to step S4.
S4: The safety and stability control terminal stores the service topology information in the block on which consensus has been reached, completes the corresponding index update task according to the configuration type, and provides query and update interfaces for the service topology state to the connection verification module and the topology consensus module respectively.
In this embodiment, step S4 comprises the following sub-steps:
S401: Determine the operation to be performed; go to step S402 when the topology information needs to be updated, and to step S403 when the topology information needs to be queried;
S402: Perform the topology update process: extract the service topology connection items from the new block and modify the blockchain ledger file and the index file accordingly;
To update the topology, the received block is appended to the ledger file, so that the service topology and its information are stored in full, and the following is executed for each item in the block: the identity identification field is extracted to form an index key; if the deletion flag in the item is valid, the value for the item's index key is emptied in the latest-state index database, which deletes the connection; if the deletion flag in the item is invalid, the storage position of the item in the ledger file is calculated and that position is updated in the latest-state index, which adds the connection or modifies its previous state;
S403: Based on the state index, the latest state of the corresponding connection is queried in the service topology according to the input key value, and the result is returned to step S201.
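The S402 ledger and index update, the S403 query, and the S201 routing decision that relies on that query, as an added Python example (not code from the patent). The JSON record format, the in-memory ledger, the index key built from the IP pair, and the sample items are assumptions; block headers are omitted.

```python
import json


def content(item):
    """Everything except the deletion flag, for the 'consistent content' test."""
    return {k: v for k, v in item.items() if k != "deleted"}


class TopologyStore:
    def __init__(self):
        self.ledger = bytearray()  # stands in for the append-only ledger file
        self.index = {}            # index key -> (offset, length) of latest live item

    @staticmethod
    def key(item):
        # Index key built from the identity fields; here the unordered IP pair.
        return "|".join(sorted(item["ips"]))

    def apply_block(self, items):
        """S402: append every item of a confirmed block, then fix the index."""
        for item in items:
            record = json.dumps(item, sort_keys=True).encode() + b"\n"
            offset = len(self.ledger)
            self.ledger += record  # deletions stay in the ledger as history
            if item["deleted"]:
                self.index.pop(self.key(item), None)  # empty the index value
            else:
                self.index[self.key(item)] = (offset, len(record))

    def query(self, key):
        """S403: latest state of a connection, or None if it is not live."""
        pos = self.index.get(key)
        if pos is None:
            return None
        offset, length = pos
        return json.loads(self.ledger[offset:offset + length])


def route(store, item):
    """S201: decide the next step for a received connection item."""
    stored = store.query(store.key(item))
    consistent = stored is not None and content(stored) == content(item)
    if consistent and not item["deleted"]:
        return "S202"  # already trusted: connection authentication succeeds
    if consistent or not item["deleted"]:
        return "S203"  # delete of a live link, or a new link: closure verification
    return "S204"      # delete of a link the trusted topology does not hold


def link(ip_a, ip_b, port_a, port_b, deleted=False):
    # Constructed sample item; lists (not tuples) so it survives the JSON round trip.
    return {"ips": [ip_a, ip_b], "ports": [port_a, port_b],
            "relation": "master-slave", "deleted": deleted}


def demo():
    store = TopologyStore()
    ab = link("192.0.2.10", "192.0.2.20", 5001, 5002)
    ab_del = link("192.0.2.10", "192.0.2.20", 5001, 5002, deleted=True)
    cd = link("192.0.2.30", "192.0.2.40", 5003, 5004)
    cd_del = link("192.0.2.30", "192.0.2.40", 5003, 5004, deleted=True)
    store.apply_block([ab])
    before = [route(store, ab), route(store, ab_del),
              route(store, cd), route(store, cd_del)]
    store.apply_block([ab_del])  # the deletion reaches consensus
    after = [route(store, ab), route(store, ab_del)]
    return before, after, store.ledger.count(b"\n")
```

Once the deletion is committed, a repeated copy of the old item no longer takes the S202 shortcut and must pass closure verification again, while the ledger still holds both records for audit.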
The system provided by this embodiment combines the service topology information between terminals with blockchain-based authentication, so that authentication consumes few resources and responds quickly. With small space and time overhead, it improves the ability of the power grid safety and stability control system to cope with malicious network attacks and ensures the security of service communication between the system terminals.
In this embodiment, each connection relation in the service topology is represented by a connection item, and the blockchain ledger stores the connection items. The communication service of the safety and stability control system is limited and well defined: the number of nodes in an authentication system is within 100, the number of neighbor nodes of each node is generally not more than 10, and the number of topology changes in the life cycle of a node is generally less than 10. The number of connection items that the system needs to store in the life cycle of a terminal is therefore less than 5000. The average block size in the blockchain ledger of the system is 150 bytes, so the blockchain ledger occupies less than 0.8M of storage in the life cycle of a terminal, which meets the low resource consumption requirement of a safety and stability control terminal.
The system does not rely on traditional cryptographic algorithms for authentication, so its consumption of computing resources is low. During the test, the nodes continuously performed topology modification operations, and the memory and CPU statistics show that, with the node network processing 10 connection items per second, dynamic memory usage stays at 9 MB and CPU usage averages 1.5 percent. Because authentication and service topology changes are less frequent in the actual operation of the safety and stability control system, the average consumption of authentication in practice is lower than the computing resource consumption measured in the test. From the computing resource perspective, therefore, the authentication scheme provided by the invention will not affect the service performance of the safety and stability control system in actual use.
It should be understood that the above description of the preferred embodiments is given for clarity and not for any purpose of limitation, and that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (10)
1. A communication service topology authentication system of a power grid safety and stability control system is characterized in that: the system comprises a safety and stability control terminal and a service topology authentication chain;
the safety and stability control terminal is used for executing connection configuration acquisition and release, closed verification, topology consensus and topology management, broadcasting configuration information and authentication application to other safety and stability control terminals in the system and maintaining a service topology authentication chain together; the system comprises a connection configuration acquisition and release module, a closed verification module, a topology consensus module and a topology management module;
the service topology authentication chain is formed by linking a plurality of blocks; all blocks are generated and stored uniformly by all safety and stability control terminals based on service topology closed verification logic consensus; the block structure comprises a block head and a block body, wherein the block head comprises a block number, a timestamp, a parent block hash value and the Merkle tree root of the block, and the block body stores detailed connection item contents; the connection item structure comprises the inter-station relationship of the stations where both communication parties are located, the IP, communication address and port information of the stations, and a connection configuration deletion mark;
the connection configuration acquisition and release module is used for obtaining configuration related to communication from a security and stability control terminal fixed value area and broadcasting newly added, modified and deleted items of service topology configuration or connection application to a security and stability control system node network according to a fixed format for subsequent verification of the node network, and comprises the following sub-modules: a configuration acquisition submodule and a configuration release submodule; the configuration acquisition submodule is used for reading information required by the authentication system from system configuration of the safety and stability control terminal when the device is started, and packaging the configuration information into a fixed connection item format; the configuration issuing sub-module is used for broadcasting and issuing the packaged connection items to the whole network;
the connection verification module is used for receiving the configuration or application information issued by the connection configuration acquisition and release modules of other safety and stability control terminals in the node network, verifying all the configurations, and issuing verification results or accepting connection applications; it comprises the following sub-modules: the connection confirmation submodule, the closure verification submodule and the abnormal behavior processing submodule;
the connection confirmation submodule is used for receiving connection configuration and comparing the connection configuration with the existing trusted service topology; if an item with consistent content exists and the connection item deletion mark is invalid, the connection is confirmed to be successful; if an item with consistent content exists and the deletion mark is valid, or no item with consistent content exists and the deletion mark is invalid, the item is sent to the closed verification submodule; in other cases the item is judged abnormal, and the abnormal type is recorded and sent to the abnormal behavior processing submodule;
the closed verification sub-module is used for classifying and matching the connection configuration broadcasted by each safety and stability control terminal within a period of time, searching for a connection item describing the same pair of connection relationships, and broadcasting confirmation information of a complete connection item when confirming that the connection configurations issued by the two connection parties do not conflict; submitting the field conflict and other exceptions to the exception behavior processing submodule when the exceptions such as the field conflict and the like occur;
the abnormal behavior processing sub-module is used for receiving the abnormal items and the abnormal types from the connection confirmation sub-module and the closed verification sub-module and correspondingly processing the abnormal items and the abnormal types according to the identity identification information in the abnormal items;
the topology consensus module is used for completing the topology information consensus based on the PBFT mechanism between the safety and stability control terminals, and locally verifying and storing new block data; contains the following sub-modules: a block proposal submodule and a consensus confirmation submodule; the block proposal sub-module is used for collecting confirmation messages of the node network to the closed items, adding the confirmation messages into a sequence to be packed when the confirmation number of a certain item exceeds a threshold value, further packing the items into a block structure when the number of the items in the sequence to be packed reaches the block capacity upper limit or the time interval from the last block distribution exceeds the threshold value, and distributing the block structure to the node network so as to start PBFT consensus; the consensus confirmation submodule is used for receiving the host node block proposal, exchanging consensus information with other nodes and finishing the PBFT core consensus process;
the topology management module is used for storing the service topology information of the new block to the service topology authentication chain and updating the corresponding index, and respectively providing an inquiry interface and an updating interface of the service topology authentication chain for the connection verification module and the topology consensus module; the method comprises the following sub-modules: a topology updating submodule and a topology inquiring submodule; the topology updating submodule is used for extracting service topology connection items from the new block and correspondingly modifying the block chain account file and the index file to realize the updating of the service topology; and the topology query submodule is used for querying the latest state of the corresponding connection according to the input key value in the service topology.
2. A communication service topology authentication method for a power grid safety and stability control system is characterized by comprising the following steps:
S1: the safety and stability control terminal acquires the relevant configuration of the service connection between the stations from the system configuration information, and broadcasts the configuration to the node network of the power grid safety and stability control system according to a fixed format so as to carry out subsequent verification on the node network;
S2: the safety and stability control terminal receives configuration or application information issued by other safety and stability control terminals in the node network, verifies all the configurations and broadcasts a verification result or abnormal behavior information;
S3: the safety and stability control terminal starts consensus according to the obtained verification result, exchanges information based on a PBFT consensus algorithm according to configuration items confirmed to be closed, and sends the information to the main node for sequencing to generate a block proposal to obtain a confirmed block;
S4: the safety and stability control terminal stores the service topology information in the block on which consensus has been reached, completes the corresponding index updating task according to the configuration type, and provides query and update interfaces for the service topology state to the connection verification module and the topology consensus module respectively.
3. The power grid safety and stability control system communication service topology authentication method according to claim 2, wherein the step S1 is implemented by the following steps:
S101: presetting connection configuration information of the safety and stability control terminal, and storing the connection configuration information in a fixed value area and a configuration file of the safety and stability control terminal;
S102: the safety and stability control terminal starts to operate, and information required by the authentication system is read from the connection configuration information of the safety and stability control terminal;
S103: packaging the connection configuration information into the format of a connection item according to a data packaging process;
S104: broadcasting the corresponding connection item to the authentication network according to the configuration change;
S105: after the transmission is finished, or if the configuration is not changed, broadcasting the existing configuration as the connection authentication application information.
4. The method according to claim 3, wherein the connection configuration information in step S101 includes an IP address of the security and stability control terminal in the dispatch data network and a communication address in the regional security and stability control system, an inter-station relationship type with a communication service peer, an IP address and a communication address of each communication service peer, and a corresponding connection port number.
5. The power grid safety and stability control system communication service topology authentication method according to claim 3, wherein: in step S104, when the configuration changes, three different items of newly added, deleted and modified items are issued according to different deletion marks in the connection item structure; when new added items are issued, original connecting items with invalid deletion identifications are directly issued; when the deletion item is issued, the deletion identification of the original connection item is set to be valid and issued; when the modified item is issued, the deleted item of the original connection item is issued first, and then the new added item is issued in a short time according to the changed configuration.
6. The communication service topology authentication method for the power grid safety and stability control system according to claim 2, wherein the step S2 is implemented by the following steps:
S201: after receiving the connection configuration broadcast, the safety and stability control terminal enters step S4, compares the connection configuration broadcast with the existing trusted service topology, and waits for a return result;
if the returned result shows that an item with consistent content exists and the connection item deletion mark is invalid, step S202 is entered;
if the returned result shows that an item with consistent content exists and the deletion mark is valid, or that no item with consistent content exists and the deletion mark is invalid, step S203 is executed;
if the returned result is any other condition, the condition is judged abnormal, the abnormal type is recorded and step S204 is entered;
S202: the item is a valid connection application; related information is recorded and connection authentication succeeds;
S203: the safety and stability control terminal performs closure verification on the item; if the closure verification is passed, the safety and stability control terminal broadcasts a confirmation message and enters step S3; if a conflict or timeout occurs, go to step S204;
S204: processing abnormal behaviors for items with field conflict, format error, verification timeout and invalid deletion.
7. The power grid safety and stability control system communication service topology authentication method according to claim 6, wherein: the security and stability control terminal performs closure verification on the item in step S203, adds a timestamp after receiving the connection item from step S201, and adds the timestamp to a buffer area; the safety and stability control terminal traverses the connection items in the buffer area, and for the items of which the difference between the joining time and the current time is greater than an overtime threshold value, the closed verification fails, and the abnormal type is verification overtime; for the item which is not overtime, combining the IP of the item to form a key value, and adding the item into the corresponding position of the key value in the verification set; traversing the verification set, and not processing the items which do not form the connection item combination, namely the items which are not closed; for the set containing a group of connection items, matching the inter-station relation and the communication address; when the field conflict occurs, the field conflict is eliminated from the buffer, the closure verification fails, and the abnormal type is conflict; and when the matching is successful, complementing the port information of the two to form a complete connection item, judging that the closure verification is passed, and clearing the group of connection items from the buffer area.
8. The power grid safety and stability control system communication service topology authentication method according to claim 6, wherein: processing abnormal behaviors in step S204, and locally reporting abnormal types and abnormal occurrence time information of items with wrong formats, overtime verification and invalid deletion; for the items conflicting with the ledger or the closed verification logic in steps S201 and S203, the exception type, content and exception occurrence time are reported locally, while the exception items are broadcast including identification information and exception occurrence time.
9. The communication service topology authentication method for the power grid safety and stability control system according to claim 2, wherein the step S3 is implemented by the following steps:
S301: each safety and stability control terminal alternately acts as the main node according to a time slice polling mechanism, and step S302 is executed when the current safety and stability control terminal is the main node; otherwise, go to step S303;
S302: the safety and stability control terminal collects the confirmations of items passing the closed verification issued on the node network, and adds an item into the sequence to be packed when the confirmation number of that item exceeds a threshold value; when the number of items in the sequence to be packed reaches the upper limit of the capacity of a single block, or the time interval since the last block was distributed exceeds a threshold value, the items in the sequence to be packed form a block structure and are distributed to the node network so as to start the three-phase consensus process of the PBFT consensus mechanism;
S303: the safety and stability control terminal receives the block proposal sent by the current main node, exchanges PBFT consensus process information with other nodes in the node network, completes the PBFT core consensus process, acquires a new block which achieves consensus, and enters step S4.
10. The method for authenticating the communication service topology of the power grid safety and stability control system according to any one of claims 2 to 9, wherein the step S4 is implemented by the following steps:
S401: judging the operation to be performed, entering step S402 when the topology information needs to be updated, and entering step S403 when the topology information needs to be queried;
S402: performing a topology updating process, extracting service topology connection items from the new block and correspondingly modifying the blockchain ledger file and the index file;
updating the topology, namely adding the received blocks into the ledger file to realize complete storage of the service topology and information thereof, and executing the following steps for each item in the blocks: extracting its identity identification field to form an index key; if the deletion mark in the item is valid, the value corresponding to the index key of the item is emptied in the latest state index database to delete the connection; if the deletion mark in the item is invalid, calculating the storage position of the item in the ledger file and updating the position in the latest state index, thereby realizing the new addition or modification of the original connection state;
S403: based on the state index, the latest state of the corresponding connection is queried according to the input key value in the service topology, and the result is returned to step S201.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211426764.8A CN115766217B (en) | 2022-11-15 | 2022-11-15 | Communication service topology authentication system and method for power grid safety and stability control system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115766217A true CN115766217A (en) | 2023-03-07 |
CN115766217B CN115766217B (en) | 2024-04-30 |
Family
ID=85371111
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211426764.8A Active CN115766217B (en) | 2022-11-15 | 2022-11-15 | Communication service topology authentication system and method for power grid safety and stability control system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115766217B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN115766217B (en) | 2024-04-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||