CN116032553A - False data injection attack detection method, detection terminal and storage medium - Google Patents

Publication number
CN116032553A
Authority
CN
China
Prior art keywords
detected
power system
equipment
attack detection
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211599533.7A
Other languages
Chinese (zh)
Inventor
王峥
李振斌
朱逸筱
张江镛
卢志刚
陈亮
李树鹏
于光耀
刘亚丽
刘云
崇志强
马世乾
王天昊
郝懿乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qinhuangdao Yingdian Technology Development Co ltd
Yanshan University
State Grid Tianjin Electric Power Co Ltd
Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd
Original Assignee
Qinhuangdao Yingdian Technology Development Co ltd
Yanshan University
State Grid Tianjin Electric Power Co Ltd
Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qinhuangdao Yingdian Technology Development Co ltd, Yanshan University, State Grid Tianjin Electric Power Co Ltd, Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd filed Critical Qinhuangdao Yingdian Technology Development Co ltd
Priority to CN202211599533.7A priority Critical patent/CN116032553A/en
Publication of CN116032553A publication Critical patent/CN116032553A/en
Pending legal-status Critical Current

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention provides a false data injection attack detection method, a detection terminal and a storage medium, wherein the method comprises the following steps: establishing a power system state estimation model, and determining the contribution degree of each device in the power system based on the power system state estimation model; and selecting part of equipment in the power system as equipment to be detected according to the contribution degree of each equipment, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters. According to the invention, part of equipment in the power system is selected to construct attack detection parameters for attack detection, FDIA attack can be effectively detected, and the capability of the power CPS for resisting malicious network attack is improved.

Description

False data injection attack detection method, detection terminal and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method for detecting a false data injection attack, a detection terminal, and a storage medium.
Background
With the promotion of smart grid construction, a large number of sensing devices, communication devices, computing devices and electrical devices are interconnected through two entity networks of the communication network and the power network, so that a multidimensional heterogeneous complex system with real-time sensing, dynamic control and information service fusion capability is formed, namely a power information physical fusion system (Cyber Physical System, CPS).
The power CPS can be divided into an information layer, a power layer and a communication network existing inside and outside the two layers, and the optimal operation of the whole system is realized through the cooperation of sensing, computing, communication, physical equipment and the like. The dependence on the network and the communication system to transmit measurement data and control instructions increases the likelihood that the power CPS is attacked and brings a series of network security problems such as the Stuxnet virus, Trojan horses, DoS attacks and phishing mail; network attacks have become a challenge and threat that cannot be ignored in the safe and stable operation of the power CPS.
False data injection attacks (FDIA) can exploit loopholes in the bad data detection of the energy management system to maliciously tamper with the state estimation result, seriously jeopardizing the safe and reliable operation of the power system. Meanwhile, the distribution network has a complex network topology and low measurement redundancy, and therefore faces a larger potential network attack threat. Defense against and identification of FDIA has thus become a new challenge for guaranteeing the information security, resilience and economic operation of the power system.
In the prior art, the power CPS cannot effectively detect FDIA, lacks the capability of resisting malicious network attacks, and faces the threat of large-scale power failure of the power system.
Disclosure of Invention
The embodiment of the invention provides a false data injection attack detection method, a detection terminal and a storage medium, which are used for solving the problems that in the prior art the power CPS cannot effectively detect FDIA attacks and lacks the capability of resisting malicious network attacks.
In a first aspect, an embodiment of the present invention provides a method for detecting a false data injection attack, including:
establishing a power system state estimation model, and determining the contribution degree of each device in the power system based on the power system state estimation model;
and selecting part of equipment in the power system as equipment to be detected according to the contribution degree of each equipment, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters.
In a second aspect, an embodiment of the present invention provides a detection terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the false data injection attack detection method provided above in the first aspect or any one of the possible implementations of the first aspect when the computer program is executed.
In a third aspect, embodiments of the present invention provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the false data injection attack detection method provided above in the first aspect or any one of the possible implementations of the first aspect.
The embodiment of the invention provides a false data injection attack detection method, a detection terminal and a storage medium, wherein the method comprises the following steps: establishing a power system state estimation model, and determining the contribution degree of each device in the power system based on the power system state estimation model; and selecting part of equipment in the power system as equipment to be detected according to the contribution degree of each equipment, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters. Based on the principle of FDIA, the FDIA may not be detected efficiently when all devices are detected. Therefore, in the embodiment of the invention, part of equipment in the power system is selected to construct attack detection parameters for attack detection, FDIA attack can be effectively detected, and the capability of the power CPS for resisting malicious network attack is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for detecting a false data injection attack according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for detecting a false data injection attack according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a device for detecting a false data injection attack according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a detection terminal according to an embodiment of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the following description will be made by way of specific embodiments with reference to the accompanying drawings.
Referring to fig. 1, a flowchart of an implementation of a method for detecting a false data injection attack according to an embodiment of the present invention is shown, and details are as follows:
S101: establishing a power system state estimation model, and determining the contribution degree of each device in the power system based on the power system state estimation model;
S102: selecting part of the equipment in the power system as equipment to be detected according to the contribution degree of each device, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters.
An FDIA attacks the power system by maliciously tampering with the state estimation result, and if all the devices in the power system are checked, detection may fail. Therefore, in the embodiment of the invention, only part of the equipment is selected for detection, which breaks the construction logic the FDIA relies on, improves detection accuracy, allows the FDIA to be detected effectively, and improves the capability of the power CPS to resist malicious network attacks. Because random selection is uncertain, the equipment to be detected is selected according to the contribution degree of each device, so that the relation between the state estimation and the measurement data is reflected in a way that matches reality well, and the detection accuracy is higher.
In one possible implementation, the power system state estimation model may be:
z=H(x)+e
wherein $x=(x_1,x_2,\dots,x_m)^T$ is the m-dimensional system state variable, $z=(z_1,z_2,\dots,z_m)^T$ is the system measurement vector, $e=(e_1,e_2,\dots,e_m)^T$ is the measurement error, and e follows a Gaussian distribution.
The embodiment of the invention adopts the nonlinear relation H(x) to improve the state estimation and the power flow calculation, so that the calculation and the estimation result are more accurate and closer to the actual power system.
Specifically, the calculation formula of H (x) related to active/reactive power flow is specifically as follows:
Figure BDA0003994681800000041
$h_Q(x)=V_i\sum V_j\left(-g_{ij}\sin(\theta_{ij})-b_{ij}\cos(\theta_{ij})\right)+V_i^2\sum b_{ij}$
Figure BDA0003994681800000042
Figure BDA0003994681800000043
wherein $g_{ij}$ is the line conductance between nodes i and j, $b_{ij}$ is the line susceptance between nodes i and j, and $\theta_{ij}$ is the phase angle difference between nodes i and j.
In one possible implementation, S101 may include:
S1011: solving the power system state estimation model by the least square method to obtain the measurement Jacobian matrix;
S1012: determining the hat matrix according to the measurement Jacobian matrix;
S1013: determining the contribution degree of each device in the power system according to the hat matrix.
In one possible implementation, S1013 may include:
1. normalizing the hat matrix to obtain a normalized hat matrix;
2. taking the diagonal elements of the normalized hat matrix as the contribution degree of each device in the power system; wherein the diagonal elements of the normalized hat matrix correspond one to one to the devices in the power system.
The hat matrix is a projection matrix and is symmetric; it plays a special role in residual analysis, and its diagonal elements reflect the importance of each device, so the hat matrix is introduced to determine the contribution degree of each device.
Specifically, the hat matrix may be normalized. The closer a diagonal element of the normalized hat matrix is to 1, the more important the corresponding device is and the more sensitive its measured value is to attack, so the more attention should be paid to that device's measured value.
In one possible implementation, the calculation formula of the hat matrix K may be:
$K=H(H^{T}R^{-1}H)^{-1}H^{T}R^{-1}$
wherein R is the standard measurement error, and H is the Jacobian matrix.
Further, the least square method is adopted to solve the power system state estimation model, so that the solving problem can be converted into an optimization problem of an objective function:
$\min J(x)=[z-Hx]^{T}W[z-Hx]$
wherein W is a diagonal matrix,
Figure BDA0003994681800000051
Figure BDA0003994681800000052
is the covariance of the ith measurement error.
To obtain the minimum value of J(x), the objective function is differentiated and the derivative is set to 0, which gives:
Figure BDA0003994681800000053
H is the Jacobian matrix, of order m × n, and R is the standard measurement error.
Figure BDA0003994681800000054
In one possible implementation, referring to fig. 2, S102 may include:
S1021: according to the contribution degree of each device, selecting part of the devices in the system to form a plurality of equipment combinations to be detected; wherein each equipment combination to be detected comprises part of the equipment in the power system;
S1022: setting the initial value of k to 1;
S1023: according to the kth equipment combination to be detected, determining the attack detection parameter corresponding to the kth equipment combination to be detected;
S1024: if the attack detection parameter corresponding to the kth equipment combination to be detected is smaller than the preset residual, incrementing k (k++); if k is not greater than the preset value, returning to the step of determining the attack detection parameter corresponding to the kth equipment combination to be detected (S1023) and continuing from there; if k is greater than the preset value, determining that the power system is not attacked;
S1025: if the attack detection parameter corresponding to the kth equipment combination to be detected is not smaller than the preset residual, determining that the power system is attacked;
the preset value is the total number of equipment combinations to be detected.
Because the application selects only part of the devices for detection, some attack points may be missed. In the embodiment of the invention, a plurality of equipment combinations to be detected, that is, a plurality of equipment calling schemes, are set up, which avoids the problem that a single scheme cannot contain all attack points.
For example, the first equipment combination to be detected is used for detection; if the attack detection parameter is smaller than the preset residual, no attack is detected, and the second equipment combination to be detected is then used for detection, and so on. If the attack detection parameter corresponding to some equipment combination to be detected is not smaller than the preset residual, an attack exists, the loop exits, and detection stops. If all the equipment combinations to be detected have been checked and the corresponding attack detection parameters are all smaller than the preset residual, it is determined that the power system is not attacked.
In one possible embodiment, the total number of combinations of devices to be detected may be 5; s1021 may include:
1. selecting the top a devices by contribution ranking to form a first equipment combination to be detected;
2. removing the devices with contribution rankings 1, 6, 11, …, 1+5n (1+5n ≤ a) from the first equipment combination to be detected, and adding the devices ranked from a+1 to a+n-1, to form a second equipment combination to be detected;
3. removing the devices with contribution rankings 2, 7, 12, …, 2+5n (2+5n ≤ a) from the second equipment combination to be detected, and adding the devices ranked from a+n to a+2n-1, to form a third equipment combination to be detected;
4. removing the devices with contribution rankings 3, 8, 13, …, 3+5n (3+5n ≤ a) from the third equipment combination to be detected, and adding the devices ranked from a+2n to a+3n-1, to form a fourth equipment combination to be detected;
5. removing the devices with contribution rankings 4, 9, 13, …, 4+5n (4+5n ≤ a) from the fourth equipment combination to be detected, and adding the devices ranked from a+3n to a+4n-1, to form a fifth equipment combination to be detected;
where a is a preset number and n=5.
a is a preset number; it can be the minimum number of devices that ensures the stable operation of the power system, and different power systems have different preset numbers.
The greater the contribution degree, the more important the device. Therefore, the first equipment combination to be detected in the embodiment of the invention selects the top a devices by contribution degree, which ensures that important devices are checked while keeping the number of devices small enough not to slow detection. The second equipment combination to be detected replaces, adds and removes some devices on the basis of the first, so that all equipment is covered as far as possible while the equipment calling scheme still meets the requirement on the contribution of the measurement data; all possible FDIA attack points are included, and the accuracy and efficiency of detection are improved. The method of determining the equipment combinations to be detected includes, but is not limited to, the approach above.
The preset residual is a residual detection threshold, different systems and different residual calculations correspond to different preset residual, and a user can set according to actual application requirements.
It should be noted that, when the number of devices in the power system is not large, the total number of the device combinations to be detected may also be smaller than 5, which may be specifically set according to the actual application requirement.
In one possible implementation, before S102, the method may further include:
S103: based on the Jacobian matrix, solving by the Gauss-Newton method to obtain the state estimation value of the power system.
In one possible implementation, S102 may include:
S1026: forming an equipment selection matrix according to each device to be detected; if a device is selected, the value in the equipment selection matrix corresponding to that device is 1;
S1027: determining the attack detection parameters of the power system according to the equipment selection matrix, the state estimation value of the power system and the Jacobian matrix.
In one possible implementation, the calculation formula of the attack detection parameter s(k) may be:
Figure BDA0003994681800000081
wherein D(k) is the equipment selection matrix corresponding to the kth equipment combination to be detected, z(k) is the vector of measured values corresponding to the kth equipment combination to be detected, H is the Jacobian matrix,
Figure BDA0003994681800000082
for the state estimation value of the power system, $I_m$ and $c(k)$ is the change value of the state estimation before and after the kth equipment combination to be detected is attacked.
Because state estimation has bad data detection capability and eliminates random measurement errors and small signals in the system, the residual can be used for detecting bad data. The model is as follows:
Figure BDA0003994681800000083
After learning the network topology of part or all of the system, an attacker constructs an FDIA from the topology information and tampers with the measured values, $z_{bad}=z+a$; the tampered data can still evade residual detection. The principle is as follows:
$a=Hc$
wherein a is the attack vector, and c is the change value of the state estimation before and after the attack.
The state estimate after the attack is:
Figure BDA0003994681800000084
Based on the above, the residual is:
Figure BDA0003994681800000085
The formula shows that, because of the way the FDIA is constructed, the residual value is unchanged before and after the attack, so residual detection is evaded and detection fails. If an attacker injects bad data of this form into the measurements, bad data detection will not detect the FDIA.
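The hat-matrix contribution ranking (K formula above) and the unchanged residual under a = Hc can both be checked numerically. The following is an added example, not code from the patent: it assumes a linear model z = Hx + e with diagonal R, uses the Euclidean norm of z - Hx̂ as the residual statistic, ranks devices by the raw diagonal of K (the page does not say how K is normalized), and all matrices and values are constructed.

```python
# Added example, not from the patent: constructed 5-measurement, 2-state linear model.
import math

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def solve(A, B):
    """Solve A X = B by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(A[i]) + list(B[i]) for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < 1e-12:
            raise ValueError("H^T R^-1 H is singular: the system is not observable")
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [v - f * w for v, w in zip(M[r], M[col])]
    return [row[n:] for row in M]

def weighted_ht(H, r_diag):
    """Return H^T R^-1 for a diagonal R whose diagonal is r_diag."""
    return [[H[i][j] / r_diag[i] for i in range(len(H))] for j in range(len(H[0]))]

def hat_matrix(H, r_diag):
    """K = H (H^T R^-1 H)^-1 H^T R^-1, the formula given on the page."""
    HtW = weighted_ht(H, r_diag)
    return matmul(H, solve(matmul(HtW, H), HtW))

def contribution_ranking(H, r_diag):
    """Diagonal of K per measuring device, and device indices sorted by it.
    Assumption: the raw diagonal (already between 0 and 1) stands in for the
    page's normalized hat matrix, whose normalization is not specified."""
    K = hat_matrix(H, r_diag)
    diag = [K[i][i] for i in range(len(K))]
    order = sorted(range(len(diag)), key=lambda i: diag[i], reverse=True)
    return diag, order

def estimate_state(H, r_diag, z):
    """Weighted least squares estimate minimising [z-Hx]^T W [z-Hx], W = R^-1."""
    HtW = weighted_ht(H, r_diag)
    x = solve(matmul(HtW, H), matmul(HtW, [[v] for v in z]))
    return [row[0] for row in x]

def residual_norm(H, r_diag, z):
    """Euclidean norm of z - H x_hat (assumed residual statistic)."""
    x = estimate_state(H, r_diag, z)
    fitted = [sum(h * xi for h, xi in zip(row, x)) for row in H]
    return math.sqrt(sum((zi - fi) ** 2 for zi, fi in zip(z, fitted)))

# Constructed sample data (not taken from any real grid).
H = [[1, 0], [0, 1], [1, -1], [1, 1], [2, 1]]   # measurement Jacobian, m=5, n=2
R_DIAG = [0.01, 0.01, 0.02, 0.02, 0.04]         # diagonal of R
X_TRUE = [1.0, 0.5]
NOISE = [0.01, -0.01, 0.005, -0.005, 0.01]
C = [0.2, -0.1]                                 # state shift c from the page's a = Hc

def demo():
    z = [sum(h * x for h, x in zip(row, X_TRUE)) + e for row, e in zip(H, NOISE)]
    a = [sum(h * c for h, c in zip(row, C)) for row in H]   # a = Hc
    z_structured = [zi + ai for zi, ai in zip(z, a)]        # z_bad = z + a
    z_gross = list(z)
    z_gross[3] += 0.5                # plain gross error, not of the form Hc
    x_clean = estimate_state(H, R_DIAG, z)
    x_bad = estimate_state(H, R_DIAG, z_structured)
    return {
        "clean": residual_norm(H, R_DIAG, z),
        "structured": residual_norm(H, R_DIAG, z_structured),
        "gross": residual_norm(H, R_DIAG, z_gross),
        "shift": [b - c0 for b, c0 in zip(x_bad, x_clean)],  # equals c
    }

if __name__ == "__main__":
    print(contribution_ranking(H, R_DIAG))
    print(demo())
```

The gross error raises the residual well above the clean value, while the a = Hc data leaves it identical even though the state estimate has moved by c, which is the blind spot the patent's partial-equipment parameter s(k) is meant to address.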
Based on the above, in the embodiment of the present invention, the residual detection is optimized, and the attack detection parameter s(k) is constructed for bad data detection. When s(k) = r,
Figure BDA0003994681800000086
is the residual generated by the selected devices, and $(I_m-D(k))Hc(k)$ is a term other than the residual, representing information obtained from the devices. Normally, when the system is not attacked, this term is zero. When the grid is attacked, it changes greatly. s(k) amplifies the characteristics of tampered data, so the detection efficiency is higher; the FDIA can be effectively detected through the attack detection parameter, and the detection efficiency is stable.
The calculation formula of s(k) shows that, in the embodiment of the invention, the attack detection parameter of the power system is determined by combining the equipment selection matrix, the state estimation value of the power system and the Jacobian matrix. Therefore, the embodiment of the invention also needs to obtain the state estimation value of the power system. The solution formula based on the Jacobian matrix is $f(x)=h^{T}(x)R^{-1}[z-h(x)]=0$, which is then solved using the Gauss-Newton method.
The specific calculation process is as follows:
Expand f(x) in a Taylor series at $x=x_0$:
Figure BDA0003994681800000091
Figure BDA0003994681800000092
Solve with an iterative algorithm, using the following update steps:
Figure BDA0003994681800000093
Figure BDA0003994681800000094
Figure BDA0003994681800000095
the state estimation value is calculated by the above formula.
Furthermore, if the requirement on the detection accuracy is not high, in order to improve the detection rate and avoid repeated iteration to occupy the detection time, the state estimation value can also be directly calculated by the jacobian matrix according to the following formula.
Figure BDA0003994681800000096
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an execution order; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation process of the embodiments of the present invention.
The following are device embodiments of the invention, for details not described in detail therein, reference may be made to the corresponding method embodiments described above.
Fig. 3 is a schematic structural diagram of a false data injection attack detection device according to an embodiment of the present invention, and for convenience of explanation, only a portion related to the embodiment of the present invention is shown, which is described in detail below:
as shown in fig. 3, the false data injection attack detection apparatus includes:
a model building module 21, configured to build a power system state estimation model, and determine a contribution degree of each device in the power system based on the power system state estimation model;
the detection output module 22 is configured to select a part of devices in the power system as devices to be detected according to the contribution degree of each device, determine attack detection parameters of the power system, and determine whether the power system is attacked according to the attack detection parameters.
In one possible implementation, the model building module 21 may include:
the first matrix calculation unit is used for solving the power system state estimation model by adopting a least square method to obtain a measurement jacobian matrix;
the second matrix calculation unit is used for determining a hat matrix according to the measured jacobian matrix;
and the contribution degree calculation unit is used for determining the contribution degree of each device in the power system according to the hat matrix.
In one possible embodiment, the contribution calculating unit may include:
the normalization subunit is used for normalizing the hat matrix to obtain a normalized hat matrix;
the contribution degree output subunit is used for taking the diagonal elements of the normalized hat matrix as the contribution degree of each device in the power system; wherein the diagonal elements of the normalized hat matrix correspond one to one to the devices in the power system.
In one possible implementation, the detection output module 22 may include:
the multi-scheme output unit is used for respectively selecting part of the devices in the system to form a plurality of device combinations to be detected according to the contribution degree of each device; wherein, for each equipment combination to be detected, the equipment combination to be detected comprises part of equipment in the power system;
an initialization unit for setting an initial value of k to 1;
the first parameter determining unit is used for determining attack detection parameters corresponding to the kth equipment combination to be detected according to the kth equipment combination to be detected;
the first judging unit is used for judging whether the attack detection parameter corresponding to the kth equipment combination to be detected is smaller than the preset residual; if k is not greater than the preset value, returning to the step of determining the attack detection parameter corresponding to the kth equipment combination to be detected and continuing from there; if k is greater than the preset value, determining that the power system is not attacked;
the second judging unit is used for determining that the power system is attacked if the attack detection parameter corresponding to the kth equipment combination to be detected is not smaller than the preset residual;
the preset value is the total number of equipment combinations to be detected.
In one possible embodiment, the total number of combinations of devices to be detected is 5; the multi-scheme output unit may include:
a first scheme determining subunit, configured to select the top a devices by contribution ranking to form a first equipment combination to be detected;
a second scheme determining subunit, configured to remove the devices with contribution rankings 1, 6, 11, …, 1+5n (1+5n ≤ a) from the first equipment combination to be detected, and add the devices ranked from a+1 to a+n-1, to form a second equipment combination to be detected;
a third scheme determining subunit, configured to remove the devices with contribution rankings 2, 7, 12, …, 2+5n (2+5n ≤ a) from the second equipment combination to be detected, and add the devices ranked from a+n to a+2n-1, to form a third equipment combination to be detected;
a fourth scheme determining subunit, configured to remove the devices with contribution rankings 3, 8, 13, …, 3+5n (3+5n ≤ a) from the third equipment combination to be detected, and add the devices ranked from a+2n to a+3n-1, to form a fourth equipment combination to be detected;
a fifth scheme determining subunit, configured to remove the devices with contribution rankings 4, 9, 13, …, 4+5n (4+5n ≤ a) from the fourth equipment combination to be detected, and add the devices ranked from a+3n to a+4n-1, to form a fifth equipment combination to be detected;
where a is a preset number and n=5.
In one possible embodiment, the apparatus may further include:
and the state estimation value solving module is used for solving by the Gauss-Newton method based on the Jacobian matrix to obtain the state estimation value of the power system.
In one possible implementation, the detection output module 22 may include:
a third matrix calculation unit, configured to form a device selection matrix according to each device to be detected; if the equipment is selected, the value in the equipment selection matrix corresponding to the equipment is 1;
and the second parameter determining unit is used for determining attack detection parameters of the power system according to the equipment selection matrix, the state estimation value of the power system and the jacobian matrix.
In one possible implementation, the calculation formula of the attack detection parameter s(k) may be:
Figure BDA0003994681800000121
where D(k) is the device selection matrix corresponding to the kth device combination to be detected, z(k) is the vector of measured values corresponding to the kth device combination to be detected, H is the Jacobian matrix,
Figure BDA0003994681800000122
is the state estimation value of the power system, I_m, and c(k) is the change in the state estimate before and after the kth device combination to be detected is attacked.
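The following added example (not code from the patent) walks through the pipeline described above on a small constructed system: hat-matrix contribution degrees, ranked device combinations, and the per-combination threshold loop. It assumes a linear (DC) measurement model with unit weights, so the Gauss-Newton solve reduces to a single least-squares step. Because the formula for s(k) is not reproduced on this page, the residual norm over the selected devices stands in for it, and a sliding window over the ranking stands in for the claimed index schedule; all function names, the matrix H, the noise and the threshold are hypothetical.

```python
"""Added illustration: leverage-ranked residual check for false data injection."""

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def solve(A, B):
    """Solve A X = B by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(A[i]) + list(B[i]) for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("H^T H is singular: the system is not observable")
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [vr - f * vc for vr, vc in zip(M[r], M[c])]
    return [row[n:] for row in M]

def pseudo_inverse(H):
    Ht = transpose(H)
    return solve(matmul(Ht, H), Ht)           # (H^T H)^-1 H^T

def contributions(H):
    K = matmul(H, pseudo_inverse(H))          # hat matrix K = H (H^T H)^-1 H^T
    diag = [K[i][i] for i in range(len(K))]
    return [d / sum(diag) for d in diag]      # normalising by the trace is an assumption

def combinations_to_check(contrib, a, total):
    # Simplified rotation (assumption): slide a window of size a down the ranking.
    ranking = sorted(range(len(contrib)), key=lambda i: -contrib[i])
    return [ranking[k:k + a] for k in range(total)]

def detection_parameter(H, z, x_hat, selected):
    # Stand-in for s(k): 2-norm of the residual restricted to the selected devices,
    # i.e. a 0/1 diagonal selection matrix applied to z - H x_hat.
    resid = [zi - sum(h * x for h, x in zip(row, x_hat)) for row, zi in zip(H, z)]
    return sum(resid[i] ** 2 for i in selected) ** 0.5

def detect(H, z, a, total, threshold):
    """Return (attacked, k): k is the first combination whose parameter reaches the threshold."""
    x_hat = [row[0] for row in matmul(pseudo_inverse(H), [[v] for v in z])]
    combos = combinations_to_check(contributions(H), a, total)
    for k, selected in enumerate(combos, start=1):
        if detection_parameter(H, z, x_hat, selected) >= threshold:
            return True, k
    return False, None

# Constructed sample: 6 meters, 2 states, true state [1.0, 2.0], small fixed noise.
H = [[1, 0], [0, 1], [1, -1], [1, 1], [2, 1], [1, 2]]
NOISE = [0.01, -0.01, 0.005, -0.005, 0.01, -0.01]
Z_CLEAN = [sum(h * x for h, x in zip(row, [1.0, 2.0])) + e for row, e in zip(H, NOISE)]
Z_TAMPERED = list(Z_CLEAN)
Z_TAMPERED[4] += 1.0                          # constructed bad reading on meter 4

if __name__ == "__main__":
    print(detect(H, Z_CLEAN, a=3, total=3, threshold=0.1))
    print(detect(H, Z_TAMPERED, a=3, total=3, threshold=0.1))
```

Checking only the high-contribution subset keeps each evaluation small, but the threshold has to sit above the residual that ordinary measurement noise produces on that subset, otherwise the loop flags clean data.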
Fig. 4 is a schematic diagram of a detection terminal according to an embodiment of the present invention. As shown in fig. 4, the detection terminal 3 of this embodiment includes: a processor 30 and a memory 31. The memory 31 is used for storing the computer program 32, and the processor 30 is used for calling and running the computer program 32 stored in the memory 31, and executing the steps in the above-described respective embodiments of the false data injection attack detection method, for example, steps S101 to S102 shown in fig. 1. Alternatively, the processor 30 is configured to invoke and run the computer program 32 stored in the memory 31 to implement the functions of the modules/units in the above-described device embodiments, such as the functions of the modules 21 to 22 shown in fig. 3.
By way of example, the computer program 32 may be partitioned into one or more modules/units that are stored in the memory 31 and executed by the processor 30 to implement the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, the instruction segments describing the execution of the computer program 32 in the detection terminal 3. For example, the computer program 32 may be split into the modules/units 21 to 22 shown in fig. 3.
The detection terminal 3 may be a computing device such as a desktop computer, a notebook computer, a palmtop computer or a cloud server. The detection terminal 3 may include, but is not limited to, a processor 30 and a memory 31. It will be appreciated by those skilled in the art that fig. 4 is merely an example of the detection terminal 3 and does not constitute a limitation of the detection terminal 3; the detection terminal 3 may include more or fewer components than illustrated, may combine certain components, or may use different components. For example, the terminal may further include an input-output device, a network access device, a bus, etc.
The processor 30 may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 31 may be an internal storage unit of the detection terminal 3, for example, a hard disk or a memory of the detection terminal 3. The memory 31 may also be an external storage device of the detection terminal 3, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card or a Flash memory Card (Flash Card) provided on the detection terminal 3. Further, the memory 31 may include both an internal storage unit and an external storage device of the detection terminal 3. The memory 31 is used to store the computer program and other programs and data required by the terminal. The memory 31 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts not described or illustrated in detail in a particular embodiment, refer to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/terminal and method may be implemented in other manners. For example, the apparatus/terminal embodiments described above are merely illustrative, e.g., the division of modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow of the methods of the above embodiments of the present invention may also be implemented by a computer program instructing related hardware. The computer program may be stored in a computer readable storage medium and, when executed by a processor, may implement the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.

Claims (10)

1. A method for false data injection attack detection, comprising:
establishing a power system state estimation model, and determining the contribution degree of each device in the power system based on the power system state estimation model;
and selecting part of the devices in the power system as devices to be detected according to the contribution degree of each device, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters.
2. The method for detecting a false data injection attack according to claim 1, wherein determining the contribution degree of each device in the power system based on the power system state estimation model includes:
solving the power system state estimation model by a least squares method to obtain a measurement Jacobian matrix;
determining a hat matrix according to the measurement Jacobian matrix;
and determining the contribution degree of each device in the power system according to the hat matrix.
3. The false data injection attack detection method according to claim 2, wherein the determining the contribution degree of each device in the power system according to the hat matrix includes:
normalizing the hat matrix to obtain a normalized hat matrix;
taking the diagonal elements of the normalized hat matrix as the contribution degrees of the devices in the power system; wherein the diagonal elements of the normalized hat matrix correspond respectively to the devices in the power system.
4. A false data injection attack detection method according to claim 2 or 3, wherein selecting a part of devices in the power system as devices to be detected according to the contribution degree of each device, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters, includes:
selecting, according to the contribution degree of each device, some of the devices in the system to form a plurality of device combinations to be detected; wherein each device combination to be detected comprises some of the devices in the power system;
setting the initial value of k to 1;
determining, according to the kth device combination to be detected, the attack detection parameter corresponding to the kth device combination to be detected;
if the attack detection parameter corresponding to the kth device combination to be detected is smaller than the preset residual, incrementing k by 1; if k is not greater than the preset value, returning to the step of determining, according to the kth device combination to be detected, the attack detection parameter corresponding to the kth device combination to be detected; if k is greater than the preset value, determining that the power system is not attacked;
if the attack detection parameter corresponding to the kth device combination to be detected is not smaller than the preset residual, determining that the power system is attacked;
wherein the preset value is the total number of device combinations to be detected.
5. The false data injection attack detection method according to claim 4, wherein the total number of combinations of devices to be detected is 5; according to the contribution degree of each device, selecting part of devices in the system to form a plurality of device combinations to be detected, including:
selecting the top a devices by contribution degree ranking to form a first device combination to be detected;
removing the devices with contribution degree rankings of 1, 6, 11, …, 1+5n (1+5n ≤ a) from the first device combination to be detected, and adding the devices ranked from a+1 to a+n-1, to form a second device combination to be detected;
removing the devices with contribution degree rankings of 2, 7, 12, …, 2+5n (2+5n ≤ a) from the second device combination to be detected, and adding the devices ranked from a+n to a+2n-1, to form a third device combination to be detected;
removing the devices with contribution degree rankings of 3, 8, 13, …, 3+5n (3+5n ≤ a) from the third device combination to be detected, and adding the devices ranked from a+2n to a+3n-1, to form a fourth device combination to be detected;
removing the devices with contribution degree rankings of 4, 9, 13, …, 4+5n (4+5n ≤ a) from the fourth device combination to be detected, and adding the devices ranked from a+3n to a+4n-1, to form a fifth device combination to be detected;
where a is a preset number and n = 5.
6. The method for detecting false data injection attacks according to claim 4, wherein before selecting a part of devices in the power system as devices to be detected according to contribution degrees of the respective devices, determining attack detection parameters of the power system, and determining whether the power system is attacked according to the attack detection parameters, the method further comprises:
obtaining a state estimation value of the power system by solving with the Gauss-Newton method based on the Jacobian matrix.
7. The method for detecting false data injection attack according to claim 6, wherein selecting a part of devices in the power system as devices to be detected according to the contribution degree of each device, determining attack detection parameters of the power system, includes:
forming a device selection matrix according to the devices to be detected; if a device is selected, the value corresponding to that device in the device selection matrix is 1;
and determining the attack detection parameter of the power system according to the device selection matrix, the state estimation value of the power system and the Jacobian matrix.
8. The false data injection attack detection method according to claim 7, wherein the attack detection parameter s(k) is calculated by the formula:
Figure FDA0003994681790000031
where D(k) is the device selection matrix corresponding to the kth device combination to be detected, z(k) is the vector of measured values corresponding to the kth device combination to be detected, H is the Jacobian matrix,
Figure FDA0003994681790000032
is the state estimation value of the power system, I_m, and c(k) is the change in the state estimate before and after the kth device combination to be detected is attacked.
9. A control terminal comprising a processor and a memory, the memory for storing a computer program, the processor for invoking and running the computer program stored in the memory, performing the steps of the false data injection attack detection method according to any of claims 1 to 8.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the false data injection attack detection method according to any of the preceding claims 1 to 8.
CN202211599533.7A 2022-12-12 2022-12-12 False data injection attack detection method, detection terminal and storage medium Pending CN116032553A (en)

Publications (1)

Publication Number Publication Date
CN116032553A true CN116032553A (en) 2023-04-28

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827624A (en) * 2023-06-26 2023-09-29 华北电力大学 False data attack method aiming at SCADA system network structure A type error
CN116827624B (en) * 2023-06-26 2024-04-16 华北电力大学 False data attack method aiming at SCADA system network structure A type error

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination