CN116340946A - Analysis method based on host vulnerability data and abnormal behaviors - Google Patents

Publication number: CN116340946A
Application number: CN202211596259.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘鹏, 秦如意, 严钰君, 张寒之, 俞佳捷, 王勇, 陈晓杰, 娄一艇, 刘琛, 赵萌, 安磊, 戚浩金, 马丽军, 李琪, 徐科兵, 叶明达, 裘建开, 祝婉, 曹雅素, 胡一嗔, 孔彬
Current Assignee: Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee: Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Application filed by: Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to: CN202211596259.8A
Prior art keywords: data, host, current, abnormal, power system

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/3058: Monitoring arrangements for monitoring environmental properties or parameters of the computing system or of the computing system component, e.g. monitoring of power, currents, temperature, humidity, position, vibrations
    • G06F11/32: Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324: Display of status information
    • G06F11/327: Alarm or error message display
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21: Design, administration or maintenance of databases
    • G06F16/215: Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G06F16/23: Updating
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034: Test or assess a computer or a system

Abstract

The invention discloses an analysis method based on host vulnerability data and abnormal behaviors, which comprises the following steps: the power system control host collects a vulnerability and abnormal conventional operation set for detecting computer safety, and normalizes or iterates a feature matrix set and a scale factor of the vulnerability and abnormal data according to the conventional operation set; the power system control host receives current and voltage data of the power transmission line, generates a sampling database of the current and voltage data according to the types of the current and voltage data, and detects the sampling database by utilizing a multivariate correlation analysis model according to vulnerability and abnormal data, a characteristic matrix set and a scale factor to generate basic operation compliance parameters of the host; and operating the received current and voltage data. The method effectively prevents the computer from being safely transmitted to the system, and solves the problem of non-compliance of cloud or server-side operation caused by data vulnerability and abnormality.

Description

Analysis method based on host vulnerability data and abnormal behaviors
Technical Field
The invention relates to the field of host safety of power systems, in particular to an analysis method based on host vulnerability data and abnormal behaviors.
Background
Various attacks on the power system, such as worm attacks and DDoS attacks, cause great damage to the normal use of the power system network. Researchers have proposed numerous protection mechanisms and strategies against such attacks, and the various protection strategies have different characteristics and protection effects, so a unified performance evaluation method is needed to quantitatively evaluate the protection strategies in real time and to guide the selection among them. In addition, the attacking and defending parties continuously adjust their strategies during an attack to obtain the effect most beneficial to their own side; how to compare the effects of attack and defense strategies under such adversarial conditions and obtain the optimal protection strategy is an urgent and necessary problem.
Existing methods for determining a network security protection strategy from the performance of attack and defense strategies mainly fall into three kinds. First, a test bed is used to simulate various attack and protection strategies and evaluate their effects in order to determine the optimal protection strategy; however, a test bed is costly and cannot simulate the countermeasures of the attacking and defending parties, that is, the fact that both parties continuously adjust their respective strategies during an attack to obtain the most favorable effect. Second, a typical real data set is used as the driver, the performance of the attack and defense strategies on that data set is analyzed, and the optimal network security protection strategy is determined from that performance; however, such a data set generally lacks comprehensiveness and fits a real-time attack and defense scenario poorly. Third, network simulation tools such as NS2 and SSFNET are used: network attack and defense conditions are set, simulation result data are collected to evaluate the effect of the attack and defense strategies, and the optimal protection strategy is determined from the evaluation result. In addition, these methods start only from the performance of the protection strategy and do not consider implementation cost, whereas in reality the selection of a protection strategy must weigh both the implementation cost and the implementation benefit of the strategy.
The ultra-large scale flow and data updating of the power system data provide challenges for the server to defend the computer security in real time; in addition, the data flow mechanism for point-to-point data update, such as a data exchange platform like P2P, is difficult to monitor the flow data in real time, and easily causes the result of computer security flooding. Therefore, it is important to study how to effectively defend abnormal data from the power system control host.
In recent years, machine learning technology has been rapidly developed, and in solving the high-level abstract cognition problem, the fields of host underlying code bug recognition, sensor recognition, natural language operation, operation model recognition, content recommendation and the like are widely subjected to Gaussian denoising and have excellent performance, so that the machine learning technology becomes a research hotspot in academia and industry.
For the research and development of low power consumption and low cost of machine learning and equipment thereof, the integration of the accelerator in the mobile terminal has been realized, and the Gaussian denoising aiming at the machine learning technology can be effectively realized. Therefore, research on how to detect, identify and filter the computer security by combining machine learning and a mobile terminal has great social significance.
Disclosure of Invention
In order to overcome the defects and shortcomings in the prior art, the invention provides an analysis method based on host vulnerability data and abnormal behaviors.
According to a first aspect of the present invention, there is provided a method for analyzing vulnerability data and abnormal behavior of a host, the method being applicable to a system-oriented power system control host, the method comprising:
Step 1, a power system control host collects a vulnerability and abnormal conventional operation set for detecting computer safety, and normalizes or iterates a feature matrix set and a scale factor of vulnerability and abnormal data according to the conventional operation set;
Step 2, the power system control host receives current and voltage data of the power transmission line, generates a sampling database of the current and voltage data according to the types of the current and voltage data, and detects the sampling database by utilizing a multivariate correlation analysis model according to vulnerability and abnormal data, a feature matrix set and a scale factor to generate basic operation compliance parameters of the host;
Step 3, the power system control host operates on the received current and voltage data according to the basic operation compliance parameters of the host, wherein the operation process comprises one or more operations of Gaussian denoising, data updating, redundant data removing and data encoding.
In one embodiment of the invention, the method further comprises: Step 4, when the basic operation compliance parameter of the host is judged to be an abnormal result, updating the current and voltage data received by the control host of the power system, generating an abnormal data host basic operation compliance parameter signal according to the information source corresponding to the current and voltage data and the basic operation compliance parameter of the host, and sending the abnormal data host basic operation compliance parameter signal to a man-machine interaction alarm interface of the power system.
In one embodiment of the present invention, the system receives current and voltage data through a Gaussian denoising program installed in a power system control host, and when determining that a host basic operation compliance parameter corresponding to the current and voltage data is an abnormal result, step 4 specifically includes: Step 41, updating the data of the power system control host, prohibiting the current and voltage data with confirmed abnormality from being updated to the inside of the power system control host, stopping the Gaussian denoising program to finish the current and voltage data, and updating the received current and voltage data; Step 42, generating and sending abnormal data host basic operation compliance parameter signals to a man-machine interaction alarm interface of the power system according to the information sources of the current and voltage data and the host basic operation compliance parameters.
In one embodiment of the present invention, the system receives current and voltage data through a Gaussian denoising program installed in the power system control host, and when the power system control host determines that the host basic operation compliance parameters are normal, the method further comprises: Step 5, data updating the current and voltage data to the Gaussian denoising program, executing the Gaussian denoising program, receiving subsequent data updating data of the current and voltage data, generating a sampling database according to the subsequent data updating data, detecting the sampling database by using a multivariate correlation analysis model, and generating a host basic operation compliance parameter until the data detection is finished or the host basic operation compliance parameter is judged to be an abnormal result.
In one embodiment of the present invention, the vulnerability and anomaly data includes host underlying code bug detection data, operation model detection data, and sensor detection data, and step 2 specifically includes: Step 21, when the types of the current and voltage data are judged to be host bottom code bug data, analyzing and collecting corresponding sub-host bottom code bug data of the current and voltage data, and generating a sampling database according to the sub-host bottom code bug data, wherein the sampling database is a host bottom code bug sample; Step 22, selecting host bottom code bug detection data, detecting a sampling database by using a multivariate correlation analysis model according to the host bottom code bug detection data, the feature matrix set and the scale factors, and generating host basic operation compliance parameters.
In one embodiment of the invention, the method further comprises: step 23, when the type is judged to be the operation model data, extracting continuous operation model data in the current and voltage data, and generating a sampling database according to the continuous operation model data, wherein the sampling database is an operation model sample; and step 24, selecting operation model detection data, detecting a sampling database by using a multivariate correlation analysis model according to the operation model detection data, the feature matrix set and the scale factors, and generating host basic operation compliance parameters.
In one embodiment of the invention, the method further comprises: step 25, randomly extracting input sensor segments in the current and voltage data when the type is determined to be the sensor data, and generating a sampling database according to the input sensor segments, wherein the sampling database is a sensor sample; and step 26, selecting sensor detection data, detecting a sample to be monitored by using a multivariate correlation analysis model according to the sensor detection data, the feature matrix set and the scale factors, and generating a host basic operation compliance parameter.
In one embodiment of the invention, the process of collecting the regular running set comprises receiving the regular running set from the power line and/or reading the regular running set from a memory of the power system control host.
According to a second aspect of the present invention, there is provided a method of analyzing vulnerability data and abnormal behavior of a host, the method being applicable to a system-oriented power system control host, the method comprising: the system comprises a signal receiving unit, a data model operation unit, an abnormality detection unit and a data storage and call library unit; the signal receiving unit is used for receiving current and voltage data of a power transmission line of the power system control host and sending signals generated by the power system control host; the data model operation unit is provided with a Gaussian denoising program, and after the Gaussian denoising program is operated by the system, the data model operation unit receives current and voltage data by using the signal receiving unit, generates and sends a sampling database of the current and voltage data to the anomaly detection unit, and temporarily stores the current and voltage data into the data storage and calling library unit; the abnormality detection unit comprises a cache unit and a detection unit, wherein the cache unit is used for loading vulnerability and abnormal data, a feature matrix set and a scale factor in the data storage and call library unit, and the detection unit is used for detecting a sampling database by using a multivariate correlation analysis model according to the vulnerability and abnormal data, the feature matrix set and the scale factor to generate a basic operation compliance parameter of the host; the data model operation unit is also used for executing one or more operations of Gaussian denoising, data updating, redundant data eliminating and data encoding on the received current and voltage data according to the basic operation compliance parameters of the host.
In one embodiment of the invention, the data model operation unit is further configured to: when the basic operation compliance parameter of the host is judged to be an abnormal result, updating current and voltage data in a data storage and calling library unit, generating an abnormal data host basic operation compliance parameter signal according to an information source corresponding to the current and voltage data and the basic operation compliance parameter of the host, and sending the abnormal data host basic operation compliance parameter signal to a man-machine interaction alarm interface of the power system by utilizing a signal receiving unit.
Compared with the prior art, the invention has the advantages that: by arranging the computer security detection mechanism on the system terminal and combining the information detection system provided by the invention, the received information is detected and classified on the system terminal, the comprehensiveness of information filtering is improved, the propagation of computer security is effectively prevented, the problem of non-compliance of information filtering such as cloud or server end or non-terminal host bottom code bug, operation model, sensor and the like caused by data vulnerability and abnormality is solved, and meanwhile, the computer security source can be reported, and the power system is purified.
Drawings
FIG. 1 illustrates a first schematic flow diagram of a method of analyzing based on host vulnerability data and abnormal behavior according to one embodiment of the invention;
FIG. 2 illustrates a second schematic flow diagram of a method of analyzing based on host vulnerability data and abnormal behavior according to one embodiment of the invention;
FIG. 3 shows a third schematic flow chart of a method of analyzing based on host vulnerability data and abnormal behavior according to one embodiment of the invention.
Detailed Description
It should be noted that, without conflict, the embodiments and operations in the embodiments may be combined with each other, and the present application will be further described in detail with reference to the drawings and the specific embodiments.
Embodiment one:
As shown in FIG. 1 to FIG. 3, the present invention provides a method for analyzing vulnerability data and abnormal behavior of a host, which is applicable to a system-oriented power system control host, and the method includes:
Step 1, a power system control host collects a vulnerability and abnormal conventional operation set for detecting computer safety, and normalizes or iterates a feature matrix set and a scale factor of vulnerability and abnormal data according to the conventional operation set;
Further, the process of collecting the regular running set includes receiving the regular running set from the power line and/or reading the regular running set from a memory of the power system control host.
Specifically, the offline training refers to performing offline recognition training and offline model generation on current and voltage data of different types (such as an abnormal operation model, sensor data and host bottom code bug data) by using a machine learning model, wherein the offline training includes feature matrix sets and scale factors of the model, the generated offline model is recorded as vulnerability and abnormal data of computer security, and the vulnerability and abnormal data of different types are stored in a memory of the power system control host for selection. And meanwhile, the power system control host normalizes or iterates vulnerability and abnormal data in the power system control host according to the offline training result, or replaces an old version of model feature matrix set and scale factors in the power system control host according to the transmission line data updating data for iterating the vulnerability and the abnormal data received by the power system control host.
Step 2, the power system control host receives current and voltage data of the power transmission line, generates a sampling database of the current and voltage data according to the types of the current and voltage data, and detects the sampling database by utilizing a multivariate correlation analysis model according to vulnerability and abnormal data, a feature matrix set and a scale factor to generate basic operation compliance parameters of the host; the multivariate correlation analysis model refers to a process of executing operations inside vulnerability and abnormal data after the vulnerability and the abnormal data are input into the current and the voltage data, and generating basic operation compliance parameters of the host.
Specifically, the power system can be regarded as a device with a network port, namely, a network port of all networked devices with information transmission functions on the power system through a corresponding network end, namely, a network port, and can also be regarded as a target address to perform data communication with a plurality of power system control hosts under the network end. When the system sends a data communication request to the network end through a Gaussian denoising program installed in the power system control host, the network end receives communication information sent to the power system control host by the power system, the power system and the power system control host carry out data communication, and the network end carries out first computer safety detection on the communication information sent to the power system control host by the power system, but due to data vulnerability and abnormality of the network end, the situation of non-compliance current and voltage data can exist, and at the moment, the computer safety can still be collected by the system through the power system control host.
A machine learning model capable of classifying target data, such as a convolutional neural network, an LSTM (long short-term memory) network or a deep neural network, is used as the vulnerability and abnormal data in this embodiment. The vulnerability and abnormal data are implanted on the power system control host through a neural network accelerator and are trained with a machine learning mechanism and a sampling database to generate a corresponding model feature matrix set and weight values; the input data (current and voltage data of the power transmission line received by the power system control host) are then detected with the model feature matrix set and the weight values.
Further, the vulnerability and anomaly data include host underlying code bug detection data, operation model detection data, and sensor detection data, and step 2 specifically includes:
Specifically, according to different data formats (types) of current and voltage data to be detected, the current and voltage data are divided into three types, namely host bottom code bug data, operation model data and sensor data, and three different vulnerability and abnormal data are respectively established for the three types of information so as to improve the accuracy of computer safety identification. It should be noted that the host underlying code bug data includes video and/or pictures. The host bottom code bug detection data can be a ResNet model in a convolutional neural network model, the operation model detection data can be a machine learning model, and the sensor detection data can be an LSTM model in the convolutional neural network model.
Taking the current and voltage data of a power transmission line received by a power system control host as video information as an example, firstly, performing offline training in the power system control host by utilizing a computer security host bottom code bug, so that host bottom code bug detection data (a neural network model) has abnormal host bottom code bug data identification capability, and temporarily storing a characteristic matrix set and a scale factor of the model in a memory of the power system control host.
Step 21, when the types of the current and voltage data are judged to be host bottom code bug data, analyzing and collecting corresponding sub-host bottom code bug data of the current and voltage data, and generating a sampling database according to the sub-host bottom code bug data, wherein the sampling database is a host bottom code bug sample;
Specifically, a Gaussian denoising program installed in a power system control host sends a video request to a power transmission line network end (website IP), the network end continuously inputs video data to the power system control host and stores the video data in a memory, the power system control host analyzes the received video data of the power transmission line and randomly extracts video frames (sub-host bottom code bug data) from the video data, and the frames are in a picture format and are used as a sampling database.
Step 22, selecting host bottom code bug detection data, detecting a sampling database by using a multivariate correlation analysis model according to the host bottom code bug detection data, the feature matrix set and the scale factors, and generating host basic operation compliance parameters.
When the types of the current and voltage data are judged to be host bottom code bug data, sub-host bottom code bug data in the current and voltage data are collected, a sampling database is generated, and host bottom code bug detection data are selected as vulnerability and abnormal data, and computer security identification is carried out on the sampling database. When the sampling database does not contain computer security, normal host basic operation compliance parameters are generated, and when the sampling database contains computer security, abnormal (abnormal) host basic operation compliance parameters (abnormal results) are generated.
Specifically, taking a convolutional neural network model as an example to identify host bottom code bug data, wherein a feature matrix set of the model comprises the number of layers of the convolutional neural network model, the depth of each layer of network, the size of a convolutional kernel and the sliding step length of a window; the scale factor of the model is a training value provided when the convolutional neural network carries out convolutional operation.
Step 23, when the type is judged to be the operation model data, extracting continuous operation model data in the current and voltage data, and generating a sampling database according to the continuous operation model data, wherein the sampling database is an operation model sample;
Step 24, selecting operation model detection data, detecting a sampling database by using a multivariate correlation analysis model according to the operation model detection data, the feature matrix set and the scale factors, and generating host basic operation compliance parameters.
Step 25, randomly extracting input sensor segments in the current and voltage data when the type is determined to be the sensor data, and generating a sampling database according to the input sensor segments, wherein the sampling database is a sensor sample;
Step 26, selecting sensor detection data, detecting a sample to be monitored by using a multivariate correlation analysis model according to the sensor detection data, the feature matrix set and the scale factors, and generating a host basic operation compliance parameter.
Step 3, the power system control host operates on the received current and voltage data according to the basic operation compliance parameters of the host, wherein the operation process comprises one or more operations of Gaussian denoising, data updating, redundant data removing and data encoding.
Specifically, for the code bug data, the operation model data and the sensor data at the bottom layer of the host, when the sampling database contains abnormal information, the corresponding basic operation compliance parameter of the host is marked as computer safety, at the moment, the Gaussian denoising program corresponding to the destination IP address in the computer safety is determined, the operation of the Gaussian denoising program is updated, the data updating of the current and voltage data is performed, the loaded current and voltage data is updated, the current and voltage data is not displayed and played on the power system control host of the system, the system is prevented from collecting the computer safety, and the operation executed by the power system control host is one or more of data updating, redundant data removing and data encoding. When the sampling database does not contain abnormal information, marking the corresponding basic operation compliance parameters of the host as normal information, enabling the power system control host to give the execution right of the Gaussian denoising program, and enabling the Gaussian denoising program to call the data updating data of the power transmission line received by the power system control host, wherein the power system control host executes one or more of Gaussian denoising, redundant data rejection and data coding.
When the basic operation compliance parameter of the host is normal, the power system control host continues to execute authority based on the Gaussian denoising program to realize the related Gaussian denoising operation of the video, and simultaneously continues to randomly extract the frame number to generate samples for the subsequently loaded video information, and inputs the samples to the slave arithmetic unit for recognition until the video detection is finished or the video detection is recognized as abnormal.
The computer safety algorithm compares the core operation data with the auxiliary operation data to finally obtain binary Gaussian denoising corresponding to the core point, then adds the binary Gaussian denoising weights according to weights corresponding to different positions to obtain an abnormal operation value of the point, wherein (i, j) is a certain core operation data point in the host bottom code bug, and the abnormal operation value expression of the point is as follows:
Figure SMS_1
wherein:
Figure SMS_2
wherein $X_c$ represents the core point, $r$ represents the radius of the circular assist, $p$ represents the number of the assist upsampling points, and $X_{r,p,n}$ represents the $p$ operation data points uniformly distributed at equal angles on the circumference with $r$ as radius; the third value of the subscript of $X_{r,p,n}$ is used to indicate the position of a given auxiliary operation data point.
When the basic operation compliance parameter of the host is abnormal, namely an abnormal result, the power system control host updates the Gaussian denoising program for the video, continuously inputs the video data, updates the video data loaded into the memory, splices the source information (such as a source IP address) of the video and the classification result information in the basic operation compliance parameter of the host into signals (redundant data elimination), and updates the network end data of the power system control host to the man-machine interaction alarm interface of the power system.
Further, the method further comprises:
Step 4, when the basic operation compliance parameter of the host is judged to be an abnormal result, updating the current and voltage data received by the control host of the power system, generating an abnormal data host basic operation compliance parameter signal according to the information source corresponding to the current and voltage data and the basic operation compliance parameter of the host, and sending the abnormal data host basic operation compliance parameter signal to a man-machine interaction alarm interface of the power system.
Specifically, taking IPv4 data update as an example (see the IPv4 header format), the signal of the present invention is carried in the data field of IPv4, where the signal format is [source information of abnormal video (link host basic operation compliance parameter) + abnormal identifier + computer security host basic operation compliance parameter], while the IP address of the power system man-machine interaction alarm interface is in the destination IP address field of the IPv4 signal header, and the IP address of the power system control host is in the source IP address field of the IPv4 signal header. The power system control host transmits an IPv4 header containing the signal to the power system through an IPv4 data updating protocol, updates data to the man-machine interaction alarm interface of the power system, and realizes the basic operation compliance parameter data coding of the abnormal data host.
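The signal layout described above, as an added example that is not part of the patent: the control host address goes in the IPv4 source field, the alarm interface address in the destination field, and the data field carries [source information + abnormal identifier + classification result]. The byte-level payload encoding, the use of experimental protocol number 253, the function names and the addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed encodings; the patent fixes only the order of the payload fields.
PROTO_EXPERIMENTAL = 253   # IPv4 protocol number reserved for experimentation
ABNORMAL_FLAG = 0x01       # assumed one-byte "abnormal identifier"
DATA_TYPES = {             # assumed one-byte codes for the three data classes
    1: "host bottom code bug data",
    2: "operation model data",
    3: "sensor data",
}
_HDR = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """Ones-complement sum over 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_alarm(control_host, alarm_interface, anomaly_source, data_type, ident=0):
    """Build the abnormal-result signal as a raw IPv4 datagram."""
    if data_type not in DATA_TYPES:
        raise ValueError("unknown data type code")
    src = ipaddress.IPv4Address(control_host).packed      # source IP field
    dst = ipaddress.IPv4Address(alarm_interface).packed   # destination IP field
    # Data field: source information + abnormal identifier + classification result
    payload = ipaddress.IPv4Address(anomaly_source).packed
    payload += struct.pack("!BB", ABNORMAL_FLAG, data_type)
    total_len = 20 + len(payload)
    fields = [0x45, 0, total_len, ident, 0, 64, PROTO_EXPERIMENTAL, 0, src, dst]
    fields[7] = checksum(struct.pack(_HDR, *fields))      # fill in header checksum
    return struct.pack(_HDR, *fields) + payload


def parse_alarm(packet: bytes) -> dict:
    """Validate and decode a signal on the alarm-interface side."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, _, _, proto, _, src, dst = struct.unpack(
        _HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if total_len != len(packet):
        raise ValueError("total length does not match datagram size")
    if checksum(packet[:ihl]) != 0:                       # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    if proto != PROTO_EXPERIMENTAL:
        raise ValueError("unexpected protocol number")
    payload = packet[ihl:]
    if len(payload) != 6:
        raise ValueError("unexpected signal length")
    flag, data_type = struct.unpack("!BB", payload[4:])
    if flag != ABNORMAL_FLAG or data_type not in DATA_TYPES:
        raise ValueError("malformed signal payload")
    return {
        "control_host": str(ipaddress.IPv4Address(src)),
        "alarm_interface": str(ipaddress.IPv4Address(dst)),
        "anomaly_source": str(ipaddress.IPv4Address(payload[:4])),
        "data_type": DATA_TYPES[data_type],
        "ident": ident,
    }


if __name__ == "__main__":
    # Constructed sample: a sensor-data anomaly reported to the alarm interface.
    pkt = build_alarm("192.0.2.10", "192.0.2.200", "198.51.100.7", 3, ident=7)
    print(pkt.hex())
    print(parse_alarm(pkt))
```

The header checksum covers only the IPv4 header, so the receiver checks the payload fields separately; a deployment that needs integrity of the reported source would have to authenticate the payload by other means.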
Preferably, the system receives current and voltage data through a gaussian noise removal program installed in a power system control host, and when determining that a host basic operation compliance parameter corresponding to the current and voltage data is an abnormal result, step 4 specifically includes:
step 41, updating the data of the power system control host and prohibiting the current and voltage data with confirmed abnormality from being updated to the inside of the power system control host, stopping the Gaussian denoising program from receiving the current and voltage data, and updating the received current and voltage data;
Step 42, generating and sending abnormal data host basic operation compliance parameter signals to a man-machine interaction alarm interface of the power system according to the information sources of the current and voltage data and the host basic operation compliance parameters.
Specifically, when the received current and voltage data are judged to be computer safe, the corresponding host basic operation compliance parameters are marked as abnormal, source IP addresses contained in the current and voltage data sent to the power system control host by the power system are collected, redundant data are removed from the corresponding information sources and the host basic operation compliance parameters, abnormal data host basic operation compliance parameter signals are generated, the signals are sent to a man-machine interaction alarm interface of the power system together with record numbers corresponding to a Gaussian denoising program, and computer safe reporting is carried out, so that the man-machine interaction alarm interface of the power system can conveniently monitor the information sources. Meanwhile, the data update is used for receiving the current and voltage data, updating the data of the current and voltage data in a power system control host and Gaussian denoising program, and updating the received current and voltage data.
Further, the system receives current and voltage data through a Gaussian denoising program installed in the power system control host, and when the power system control host determines that the basic operation compliance parameters of the host are normal, the method further comprises: Step 5, data updating the current and voltage data to the Gaussian denoising program, executing the Gaussian denoising program, receiving subsequent data updating data of the current and voltage data, generating a sampling database according to the subsequent data updating data, detecting the sampling database by using a multivariate correlation analysis model, and generating a host basic operation compliance parameter until the data detection is finished or the host basic operation compliance parameter is judged to be an abnormal result.
In summary, after the system collects current and voltage data, the current and voltage data are firstly cached, the cached current and voltage data are sampled and a sampling database is generated, each sampling database is detected, when the current sampling database is judged to not contain computer security, execution permission of a corresponding Gaussian denoising program is given, and the detected current and voltage data which do not contain computer security are displayed through the Gaussian denoising program installed on a power system control host.
When the current sampling database is judged to contain computer safety, the power system control host updates the current cached abnormal data (current and voltage data), the data updates the input of the data, and the source information of the input data and the abnormal identification are subjected to redundant data rejection to form signals, and the power system control host encodes the data to a supervision network end or a server end (a power system man-machine interaction alarm interface) so as to facilitate supervision of the source information.
The invention provides an analysis method 100 based on host vulnerability data and abnormal behaviors, wherein the method 100 is suitable for a system-oriented power system control host, and the method 100 comprises the following steps: a signal receiving unit 140, a data model operation unit 110, an abnormality detection unit 120, and a data storage and recall library unit 130;
the signal receiving unit 140 is configured to receive current and voltage data of a power line of the power system control host, and send a signal generated by the power system control host;
the data model operation unit 110 is provided with a gaussian noise removal program, the data model operation unit 110 receives current and voltage data by using the signal receiving unit 140 after the system runs the gaussian noise removal program, generates and transmits a sampling database of the current and voltage data to the anomaly detection unit 120, and temporarily stores the current and voltage data into the data storage and recall library unit 130;
The anomaly detection unit 120 includes a buffer unit 121 and a detection unit 122, the buffer unit 121 is used for loading vulnerability and anomaly data, a feature matrix set and a scale factor in the data storage and call library unit 130, and the detection unit 122 is used for detecting a sampling database by using a multivariate correlation analysis model according to the vulnerability and anomaly data, the feature matrix set and the scale factor to generate a host basic operation compliance parameter;
the data model operation unit 110 is further configured to operate on the received current and voltage data according to the host-based operation compliance parameters, where the operation includes performing one or more operations of gaussian denoising, data updating, redundant data culling, and data encoding.
Specifically, the power system performs data communication with a plurality of power system control hosts under the network end through the corresponding network end. When the system sends a data communication request to the network end through a Gaussian denoising program installed in the power system control host, the network end receives communication information sent to the power system control host by the power system, the power system and the power system control host carry out data communication, and the network end carries out first computer safety detection on the communication information sent to the power system control host by the power system, but due to data vulnerability and abnormality of the network end, the situation of non-compliance current and voltage data can exist, and at the moment, the computer safety can still be collected by the system through the power system control host.
A machine learning model with the function of classifying target data, such as a convolutional neural network, an LSTM (long short-term memory) network or a deep neural network, is used as the (abnormal) vulnerability and abnormal data in this embodiment. The vulnerability and abnormal data are implanted on the power system control host through a neural network accelerator and are trained with a machine learning mechanism and a sampling database to generate a corresponding model feature matrix set and weight values; the input data (current and voltage data of a power transmission line received by the power system control host) are then detected with the model feature matrix set and the weight values.
According to different data formats (types) of current and voltage data to be detected, the current and voltage data are divided into three types, namely host bottom code bug data, operation model data and sensor data, and three different vulnerability and abnormal data are respectively established for the three types of information so as to facilitate improvement of accuracy of computer safety identification. It should be noted that the host underlying code bug data includes video and/or pictures.
Further, the data model operation unit 110 is further configured to: when the host basic operation compliance parameter is judged to be an abnormal result, the current and voltage data in the data storage and calling library unit 130 are updated, an abnormal data host basic operation compliance parameter signal is generated according to the information source corresponding to the current and voltage data and the host basic operation compliance parameter, and the signal receiving unit 140 is utilized to send the abnormal data host basic operation compliance parameter signal to the man-machine interaction alarm interface of the power system.
Further, the data model operation unit 110 is further configured to: when it is determined that the detection result is normal, the current and voltage data temporarily stored in the data storage and recall library unit 130 is updated to the gaussian noise removal program, and the subsequent operation of the gaussian noise removal program is performed.
On the power system control host in the embodiment, a sampling database, a model feature matrix set and a scale factor are stored in a cache mode, and meanwhile, the related model feature matrix set and the scale factor can be stored through a nonvolatile storage medium; the model feature matrix set and the scale factors can be trained offline at the server side, and the iterative model feature matrix set and the weights can be updated to the power system control host through network data.
In summary, after the system collects current and voltage data, the current and voltage data are cached, the cached current and voltage data are sampled and a sampling database is generated, then each sampling database is detected, when the fact that the current cached sampling database does not contain computer security is judged, execution permission of a corresponding Gaussian denoising program is given, the Gaussian denoising program on a control host of an electric power system is used for displaying that the detected current and voltage data do not contain computer security.
When the current and voltage data of the current buffer memory are judged to contain computer safety, the electric power system control host updates the abnormal data (current and voltage data) of the current buffer memory, the data update the data input Gaussian denoising program, and the source information of the input data and the abnormal identification are subjected to redundant data rejection to form signals, and the electric power system control host encodes the data to a reporting related monitoring network end or a server end.
Embodiment III:
The invention provides an analysis method 101 based on host vulnerability data and abnormal behaviors, comprising the following steps: at least one data store and call library unit 102, at least one general purpose operator (master control) module 103, at least one data classification theory operation (detection) module 104, and at least one data transmission and connection management module 105. In addition, the method 101 provided by the invention further comprises a caching module, wherein the caching module is used for caching the feature matrix set and the sampling database and accelerating data operation. All modules are connected in a bus mode to ensure correct data transmission.
The general data storage module 102 is configured to receive and temporarily store received data to be detected, where the data to be detected includes data such as pictures, videos, operation models, sensors, etc., and provides input data for the general operator module 103 and the data classification theory operation module 104, and in addition, the general data storage module 102 stores a trained model feature matrix set and weights for computer security detection, so that the neural network accelerator can load the machine learning model. The general data storage module 102 may be set up separately according to different operators, or may be shared for each operator.
The general purpose arithmetic unit (main control) module 103 is connected with the general purpose data storage module 102, and the general purpose arithmetic unit module 103 is used for controlling the receiving or further arithmetic of the data updated from the data transmission and connection management module 105; extracting a sample to be detected from the input data, and controlling the sample to be detected to be transmitted to a special classification arithmetic unit module 104; controlling the working state of the slave arithmetic unit, providing an information classification request for the slave arithmetic unit, and receiving the classification result of the slave arithmetic unit; cutting off the data updating of the abnormal data, and executing the safe updating operation of the computer; generating a detection signal aiming at computer security, and updating data to a server terminal through a data transmission and connection management module 105; and further calculating harmless information according to actual Gaussian denoising.
The data classification theory operation module 104 is connected with the general purpose arithmetic unit module 103, and the data classification theory operation module 104 is used for receiving information classification requests and position information of data to be detected; the module is connected to the general data storage module 102, and is used for loading data to be tested, performing information classification operation, and outputting classification result to the main arithmetic unit module 103.
The data transmission and connection management module 105 is used for receiving input data from the power system, transmitting the data to the general data storage module 102 or each arithmetic unit buffer memory for further operation, and simultaneously responding to the external data of the main arithmetic unit module 103 to update the computer security detection signal.
Embodiment IV:
The invention provides an analysis method based on host vulnerability data and abnormal behaviors, which comprises the following steps:
step S10, taking the computer security as a training sample of a learning model, training the learning model, and generating a model feature matrix set and weight for identifying the computer security;
step S20, transmitting the trained multi-class model feature matrix set and the weight to a memory of the method;
step S30, starting the method, loading a multi-class model feature matrix set and weights into a memory, and receiving transmission line data to be tested;
step S40, the main arithmetic unit generates a test sampling database according to the type of the received data, and the slave arithmetic unit loads the corresponding model feature matrix set;
step S50, the master arithmetic unit controls the test sampling database to be transmitted to the slave arithmetic unit and sends a request classification signal;
step S60, aiming at the test sampling database, the slave arithmetic unit executes forward reasoning classification operation, generates classification results and updates the classification results and classification completion signal data to the master arithmetic unit;
in step S70, the master arithmetic unit performs decision operation on the received data according to the classification result of the slave arithmetic unit, performs operations such as data update, redundant data removal, and quarantine on the computer, and performs specified gaussian denoising operation on the harmless information.
The method for analyzing the vulnerability data and the abnormal behaviors based on the host machine can be a micro-arithmetic unit designed for machine learning, can also be only a part of the micro-arithmetic unit, can be used for Gaussian denoising in the fields of word operation, sensor identification and operation, host bottom code bug identification, intelligent control and the like, and can be used as mobile equipment such as intelligent computing arithmetic units, mobile phones, tablets, notebooks and the like, and media data Gaussian denoising equipment such as routers, desktops, digital televisions and the like with host bottom code bug and video playing functions.
In summary, the method for analyzing the vulnerability data and the abnormal behavior based on the host and the corresponding host security system of the power system provided by the invention are applicable to the system terminal. Training the abnormal data sample by utilizing a machine learning model, and generating a model feature matrix set and/or weight with an identification function for computer safety; performing forward classification operation on the data input online, and performing arbitration on the received information according to the result; the abnormal data is detected and updated, and harmless data is further calculated. The analysis method based on the host vulnerability data and the abnormal behavior and the method can effectively prevent the computer security from transmitting to the terminal and preventing the computer security from being transmitted to the system, and can also detect the computer security source so as to operate the computer security source conveniently and purify the power system.
It should be noted that, although the steps are described above in a specific order, it is not meant to necessarily be performed in the specific order, and in fact, some of the steps may be performed concurrently or even in a changed order, as long as the required functions are achieved.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "disposed," "mounted," "connected," and "fixed" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art in a specific case.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various equivalent changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A method for analyzing vulnerability data and abnormal behavior based on a host, characterized in that the method comprises the following steps:
step 1, a power system control host collects a vulnerability and abnormal conventional operation set for detecting computer safety, and normalizes or iterates a feature matrix set and a scale factor of the vulnerability and abnormal data according to the conventional operation set;
step 2, a power system control host receives current and voltage data of a power transmission line, generates a sampling database of the current and voltage data according to the types of the current and voltage data, and detects the sampling database by utilizing a multivariate correlation analysis model according to the vulnerability and abnormal data, the feature matrix set and the scale factors to generate basic operation compliance parameters of the host;
step 3, the power system control host operates on the received current and voltage data according to the host basic operation compliance parameters, wherein the operation process comprises one or more operations of Gaussian denoising, data updating, redundant data eliminating and data encoding.
2. The method for analyzing vulnerability data and abnormal behaviors based on claim 1, wherein the method further comprises:
step 4, when the basic operation compliance parameter of the host is judged to be an abnormal result, updating the current and voltage data received by the control host of the power system, generating an abnormal data host basic operation compliance parameter signal according to an information source corresponding to the current and voltage data and the basic operation compliance parameter of the host, and sending the abnormal data host basic operation compliance parameter signal to a man-machine interaction alarm interface of the power system.
3. The method according to claim 2, wherein the system receives the current and voltage data through a gaussian noise removal program installed in a power system control host, and when determining that the host basic operation compliance parameter corresponding to the current and voltage data is an abnormal result, the step 4 specifically includes:
step 41, updating the data of the power system control host and prohibiting the current and voltage data with confirmed abnormality from being updated to the inside of the power system control host, stopping the Gaussian denoising program from receiving the current and voltage data, and updating the received current and voltage data;
and 42, generating and sending the abnormal data host basic operation compliance parameter signal to the man-machine interaction alarm interface of the power system according to the information source of the current and voltage data and the host basic operation compliance parameter.
4. The method for analyzing vulnerability data and abnormal behaviors based on claim 2, wherein the system receives the current and voltage data through a gaussian noise removal program installed in a power system control host, and when the power system control host determines that the host basic operation compliance parameters are normal, the method further comprises:
step 5, data updating the current and voltage data to the Gaussian denoising program, executing the Gaussian denoising program, receiving subsequent data updating data of the current and voltage data, generating the sampling database according to the subsequent data updating data, detecting the sampling database by using the multivariate correlation analysis model, and generating the host basic operation compliance parameter until the data detection is finished or the host basic operation compliance parameter is judged to be the abnormal result.
5. The method for analyzing vulnerability data and abnormal behavior based on claim 1, wherein the vulnerability and abnormal data comprises host underlying code bug detection data, operation model detection data and sensor detection data, and the step 2 specifically comprises:
Step 21, when the types of the current and voltage data are judged to be host bottom code bug data, analyzing and collecting corresponding sub-host bottom code bug data of the current and voltage data, and generating the sampling database according to the sub-host bottom code bug data, wherein the sampling database is a host bottom code bug sample;
and step 22, selecting the host bottom code bug detection data, detecting the sampling database by using the multivariate correlation analysis model according to the host bottom code bug detection data, the feature matrix set and the scale factors, and generating the host basic operation compliance parameters.
6. The method for analyzing vulnerability data and abnormal behaviors according to claim 5, further comprising:
step 23, when the class is determined to be operation model data, extracting continuous operation model data in the current and voltage data, and generating the sampling database according to the continuous operation model data, wherein the sampling database is an operation model sample;
and step 24, selecting the operation model detection data, detecting the sampling database by using the multivariate correlation analysis model according to the operation model detection data, the feature matrix set and the scale factors, and generating the basic operation compliance parameters of the host.
7. The method for analyzing vulnerability data and abnormal behaviors according to claim 4, wherein the method further comprises:
step 25, randomly extracting input sensor segments in the current and voltage data when the category is determined to be sensor data, and generating the sampling database according to the input sensor segments, wherein the sampling database is a sensor sample;
and step 26, selecting the sensor detection data, detecting the sample to be monitored by using the multivariate correlation analysis model according to the sensor detection data, the feature matrix set and the scale factors, and generating the basic operation compliance parameters of the host.
8. A method of analyzing host vulnerability data and abnormal behaviour according to claim 1, wherein the process of collecting a regular run set comprises receiving said regular run set from a power line and/or reading said regular run set from a memory of a power system control host.
CN202211596259.8A 2022-12-13 2022-12-13 Analysis method based on host vulnerability data and abnormal behaviors Pending CN116340946A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211596259.8A CN116340946A (en) 2022-12-13 2022-12-13 Analysis method based on host vulnerability data and abnormal behaviors

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211596259.8A CN116340946A (en) 2022-12-13 2022-12-13 Analysis method based on host vulnerability data and abnormal behaviors

Publications (1)

Publication Number Publication Date
CN116340946A true CN116340946A (en) 2023-06-27

Family

ID=86893618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211596259.8A Pending CN116340946A (en) 2022-12-13 2022-12-13 Analysis method based on host vulnerability data and abnormal behaviors

Country Status (1)

Country Link
CN (1) CN116340946A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination