CN116488325A - Smart power grid anomaly detection and classification method, smart power grid anomaly detection and classification equipment and readable storage medium - Google Patents

Publication number: CN116488325A
Authority: CN (China)
Legal status: Pending
Application number: CN202310240818.XA
Other languages: Chinese (zh)
Prior art keywords: data, anomaly detection, classification, network, samples
Inventors: 卢丹, 张琳娟, 孙合法, 许长清, 李翼铭, 丁博, 王奕萱, 李亚男, 夏旻, 马冲, 郑征, 郭璞, 陈婧华, 韩军伟, 周志恒, 邱超
Current Assignee: Nanjing University of Information Science and Technology; Economic and Technological Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee: Nanjing University of Information Science and Technology; Economic and Technological Research Institute of State Grid Henan Electric Power Co Ltd
Application filed by Nanjing University of Information Science and Technology and Economic and Technological Research Institute of State Grid Henan Electric Power Co Ltd

Classifications

    • H02J13/00: Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
        • H02J13/00001: characterised by the display of information or by user interaction, e.g. supervisory control and data acquisition systems [SCADA] or graphical user interfaces [GUI]
        • H02J13/00002: characterised by monitoring
        • H02J13/00006: characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment
            • H02J13/00016: using a wired telecommunication network or a data transmission bus
            • H02J13/00028: involving the use of Internet protocols
        • H02J13/00032: Systems characterised by the controlled or operated power network elements or equipment, the power network elements or equipment not otherwise provided for
    • H02J3/00: Circuit arrangements for ac mains or ac distribution networks
    • H02J2203/00: Indexing scheme relating to details of circuit arrangements for AC mains or AC distribution networks
        • H02J2203/20: Simulating, e.g. planning, reliability check, modelling or computer assisted design [CAD]
    • G06N3/00: Computing arrangements based on biological models
        • G06N3/02: Neural networks
            • G06N3/08: Learning methods

Abstract

The invention belongs to the technical field of power grid anomaly detection, and in particular relates to a smart grid anomaly detection and classification method, device and readable storage medium. The method comprises: step 1, acquiring a suitable training data set; step 2, constructing an Anomaly Detection and Classification System (ADCS) that comprises an autoencoder and generative adversarial network (GAN) architecture and is divided into an anomaly detection system and an anomaly classification system; step 3, training the ADCS network, preprocessing the training data and formatting it with a sliding window; step 4, inputting a smart grid test data set, having the trained ADCS network perform encoding and decoding operations on data consisting of normal and abnormal time-series electrical measurements, and outputting the anomaly detection and anomaly classification results. The method and device address the technical problem that intrusion detection for smart grid systems in the prior art is neither fast enough nor accurate enough.

Description

Smart power grid anomaly detection and classification method, smart power grid anomaly detection and classification equipment and readable storage medium
Technical Field
The invention belongs to the technical field of power grid anomaly detection, and in particular relates to a smart grid anomaly detection and classification method, device and readable storage medium.
Background
The rapid development of the Industrial Internet of Things has brought the traditional power grid into a new digital paradigm called the smart grid, which offers significant benefits such as better utilization of existing resources, pervasive control and self-healing. According to related research, the smart grid constitutes the largest application of the Internet of Things. However, the development of smart technology also brings serious network security problems, for three reasons: the unavoidable presence of insecure legacy systems such as supervisory control and data acquisition (SCADA) in industrial control systems, the vulnerabilities of the Transmission Control Protocol/Internet Protocol (TCP/IP), and the new attack surface introduced by smart technology.
Denial of service, unauthorized access and false data injection are the expected attack vectors against smart grids and can have disastrous consequences. The first targets the availability of the affected systems, while the others exploit vulnerabilities in industrial protocols to compromise the confidentiality, integrity and authenticity of the exchanged information.
In the current big data era, deep learning is an emerging technology that learns to identify targets autonomously by training on large amounts of data, and it plays an important role in defending against rapidly evolving network threats and in detecting abnormal operation in time. Deep learning relies on large amounts of labeled data; however, most previous work has not been validated in real smart grid environments or on real smart grid data.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art and provides a smart grid anomaly detection and classification method that addresses the technical problems of insufficient speed and insufficient accuracy of intrusion detection for smart grid systems in the prior art.
The purpose of the invention is achieved as follows: a smart grid anomaly detection and classification method comprises the following steps:
step 1, acquiring a suitable training data set, which covers two cases:
in the first case, statistically created anomalous samples are manually injected into the database of the master terminal unit (MTU), creating data sets consisting of normal and abnormal time-series electrical measurements for several smart grid environments;
in the second case, an intrusion detection data set is combined with the normal DNP3 network flows of a substation environment to generate a data set consisting of normal and malicious Modbus/TCP and DNP3 network flows;
step 2, constructing an Anomaly Detection and Classification System (ADCS), which comprises an autoencoder and generative adversarial network (GAN) architecture and has a separate architecture for each of the two cases, anomaly detection and anomaly classification;
step 3, training the ADCS network: the training data is preprocessed, formatted with a sliding window and normalized to the range [0,1], and then input into the ADCS network for training;
step 4, inputting a smart grid test data set, having the trained ADCS network perform encoding and decoding operations on data consisting of normal and abnormal time-series electrical measurements, and outputting the anomaly detection and anomaly classification results.
The generative adversarial network in step 2 relies on two sub-networks, a generator G and a discriminator D. The generator G takes random noise data and generates data similar to real data, while the discriminator D attempts to classify each input data sample as real or fake. The two sub-networks of the generative adversarial network are trained in competition with each other, so that the generator G learns to generate data that the discriminator D cannot distinguish from real data. The relation between G and D is expressed as follows:
G takes noise z from the space Z and maps it to the space in which the input x of D lies; $P_{data}(x)$ and $P_z(z)$ denote the probability distributions over the spaces X and Z, respectively;
the autoencoder structure is a deep learning network that learns to imitate its input data by compressing and expanding the input through a multi-layer pipeline; the autoencoder consists of two sub-networks, an encoder and a decoder: the encoder sub-network compresses the input data from space X to the manifold F, and conversely the decoder sub-network expands the data on the manifold F into samples P. The goal of the autoencoder architecture is to help the network, through training, generate samples similar to the given real data; after training, the network generates new data similar to the training data. The data pipeline of the autoencoder architecture is given by the following formula.
r,p:
r:X→F,p:F→P
The anomaly detection and classification system combines the autoencoder with the generative adversarial network by encapsulating the autoencoder architecture inside the GAN structure; the generator takes the form of a decoder and the discriminator takes the form of an encoder;
the generator-decoder accepts an input of noise samples of size N × M, where N is the number of noise points in a sample and M is the number of input samples; the generator-decoder expands these to produce samples that mimic the desired data; the discriminator-encoder compresses the output of the generator-decoder to a single point, which is the validity label of the sample and is used to distinguish real samples from fake ones; after training, an intermediate model is derived from the discriminator-encoder sub-network; this model is the part of the discriminator-encoder used in the anomaly detection process and comprises the input layer and the hidden layers up to the network output;
the adversarial loss is the difference between the generated sample and the real sample; since the generator-decoder learns to generate normal samples, the greater the adversarial loss, the higher the probability that the real sample is anomalous. The adversarial loss is described by the following equation:
$\mathrm{AdvL}(d_r, d_p) = \lVert d_r - d_p \rVert$
where AdvL is the adversarial loss score of the generative adversarial network, and $d_r$ and $d_p$ are the predictions of the latent (intermediate) model for the real sample and the generated sample, respectively.
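The step 3 preprocessing (sliding window, [0,1] normalization) and the AdvL scoring described above, carried through on a small series, as an added example that is not code from the patent. Assumptions: `latent()` is a stand-in for the trained intermediate model, `d_p` is taken as the mean latent vector of normal training windows, the norm is Euclidean, the threshold is a margin above the highest normal-only score, and the voltage/current series is constructed.

```python
import math
from statistics import mean

def sliding_windows(rows, width, step=1):
    """Step 3: cut a time series (list of feature rows) into overlapping windows."""
    if width <= 0 or step <= 0:
        raise ValueError("width and step must be positive")
    return [rows[i:i + width] for i in range(0, len(rows) - width + 1, step)]

class MinMaxScaler:
    """Step 3: per-feature scaling to [0, 1], fitted on normal training data only."""

    def fit(self, rows):
        cols = list(zip(*rows))
        self.lo = [min(c) for c in cols]
        self.hi = [max(c) for c in cols]
        return self

    def transform(self, rows):
        # A feature that was constant in training maps to 0.0 (no divide by zero).
        # Test values outside the training range land outside [0, 1] on purpose:
        # clipping them would hide exactly the excursions that should be scored.
        return [[0.0 if hi == lo else (v - lo) / (hi - lo)
                 for v, lo, hi in zip(row, self.lo, self.hi)]
                for row in rows]

def latent(window):
    """ASSUMPTION: stand-in for the intermediate model cut from the trained
    discriminator-encoder. Returns per-feature mean and range of the window."""
    cols = list(zip(*window))
    return [mean(c) for c in cols] + [max(c) - min(c) for c in cols]

def adv_loss(d_r, d_p):
    """AdvL(d_r, d_p) = ||d_r - d_p||; the Euclidean norm is assumed here."""
    return math.dist(d_r, d_p)

def fit_detector(train_rows, width, margin=1.5):
    """Calibrate on normal data only, as the ADCS detector is trained."""
    scaler = MinMaxScaler().fit(train_rows)
    lat = [latent(w) for w in sliding_windows(scaler.transform(train_rows), width)]
    # ASSUMPTION: d_p (latent of a generated normal sample) is approximated by
    # the mean latent of normal training windows.
    d_p = [mean(c) for c in zip(*lat)]
    # ASSUMPTION: the page gives no threshold rule; use a margin over the
    # highest score observed on normal windows.
    threshold = margin * max(adv_loss(d, d_p) for d in lat)
    return scaler, d_p, threshold

def detect(rows, scaler, d_p, threshold, width):
    """Score every window of a test series and return the flagged window indices."""
    wins = sliding_windows(scaler.transform(rows), width)
    scores = [adv_loss(latent(w), d_p) for w in wins]
    return [i for i, s in enumerate(scores) if s > threshold], scores

def constructed_series(start, n):
    """Constructed sample data: [voltage, current] rows with a 24-sample cycle."""
    rows = []
    for t in range(start, start + n):
        phase = 2 * math.pi * t / 24
        rows.append([230 + 2 * math.sin(phase),
                     10 + math.sin(phase + math.pi / 4)])
    return rows

def demo():
    width = 8
    train = constructed_series(0, 240)      # normal measurements only
    test = constructed_series(240, 96)
    for i in (50, 51, 52):                  # constructed injected voltage values
        test[i][0] = 250.0
    scaler, d_p, threshold = fit_detector(train, width)
    flagged, scores = detect(test, scaler, d_p, threshold, width)
    return flagged, threshold, scores

if __name__ == "__main__":
    flagged, threshold, scores = demo()
    print("threshold:", round(threshold, 3))
    print("flagged windows:", flagged)
```

Every window that overlaps the injected rows is flagged because the scaler is fitted on normal data and does not clip, so the out-of-range voltage stays visible in the score.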
The ADCS architecture for anomaly detection is trained on a set of normal samples only and identifies the outliers in a data set containing both normal and abnormal samples; the whole network is divided into three parts: an input layer, a generator-decoder and a discriminator-encoder;
input layer for anomaly detection: the input layer is the input of the proposed deep neural network; it takes a noise vector of size N, generated from a uniform distribution with mean μ and standard deviation σ;
generator-decoder for anomaly detection: the generator-decoder expands a random noise input vector of size z=10 to size M, where M is the number of features, so that the generated data mimics real data; it is trained to produce normal samples; the calculation process is as follows:
$F_1 = \sigma(\mathrm{Conv}(x))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \tanh(\mathrm{Conv}(x))$
where σ denotes the nonlinear activation function ReLU, tanh denotes the nonlinear activation function Tanh, and Dr denotes regularization;
discriminator-encoder for anomaly detection: the role of the discriminator-encoder is to distinguish real data samples from generated data samples, i.e. the samples produced by the generator-decoder; it takes a vector of the M features of a data sample and compresses it through a multi-layer pipeline into a single point representing validity, i.e. the binary classification of the sample as real or fake; the discriminator-encoder is trained together with the generator-decoder and receives both real and generated samples, each with its ground-truth label; the calculation process is as follows:
$F_1 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where σ denotes the nonlinear activation function ReLU, tanh denotes the nonlinear activation function Tanh, Dr denotes regularization, and Sigmoid denotes the nonlinear activation function Sigmoid.
In the anomaly classification case, the ADCS architecture for anomaly classification is derived from the ADCS architecture for anomaly detection. Here the anomaly detection and anomaly classification processes are combined into a single deep neural network that produces three ground-truth points: one for the validity of the sample, one for the anomaly approximation, and one describing the anomaly class of the sample. The architecture is divided into three parts: an input layer, a generator-decoder and a discriminator-encoder. The main difference is that this network is designed to handle data of multiple classes with fewer features, whereas the ADCS structure for anomaly detection is designed to handle data of a single class with a large number of features;
input layer for anomaly classification: the input layer receives a noise vector of size N and a vector containing the sample class; the elements of the random noise vector follow a normal distribution with μ=0, σ=1; the class vector has dimension [1×C] and is a zero vector with a 1 at the class position; C denotes the number of classes present in the given data set; the class of a sample is denoted $c_p$ and is obtained from the following formula:
$c_p = \operatorname{argmax}(V_{label})$
where $V_{label}$ is the label vector;
generator-decoder for anomaly classification: this is a modified version of the generator-decoder for anomaly detection; in this case, the generator-decoder takes the two vectors described for the input layer and concatenates them before passing them through the generator-decoder structure; the calculation process is as follows:
$F_0 = \sigma(\mathrm{Conv}(x_t, x_f))$
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 1, 2, 3$
where $x_t$ is the noise vector and $x_f$ is the label vector;
discriminator-encoder for anomaly classification: the discriminator-encoder takes an input vector of the M features of a data sample; the proposed structure produces not only a validity approximation but also an anomaly classification of the incoming sample, so the output of the discriminator-encoder has two parts; the first part is the validity label of the given sample, used to distinguish real samples from fake ones; the second part is a label vector giving the multi-class classification of the sample over the classes in the data set; the calculation process is as follows:
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 0, 1, 2$
$F_{out1} = \mathrm{Softmax}(\mathrm{Conv}(x))$
$F_{out2} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where Softmax denotes the Softmax function, $F_{out1}$ is the classification result for the sample data, and $F_{out2}$ is the anomaly detection result for the sample data.
The four real smart grid evaluation environments used to evaluate and validate the smart grid anomaly detection and classification method are a smart grid laboratory, a distribution substation, a hydropower plant and a power plant.
A computer device comprises a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the smart grid anomaly detection and classification method when executing the computer program.
A computer-readable storage medium stores a computer program for executing the smart grid anomaly detection and classification method.
Beneficial effects of the invention: in use, the smart grid anomaly detection and classification method extracts features from the input power measurement data with an autoencoder network and adopts an overall structure that combines the autoencoder with a generative adversarial network. The model provides an ADCS architecture for anomaly detection, with its generator-decoder and discriminator-encoder structures, and an ADCS architecture for anomaly classification, with its generator-decoder and discriminator-encoder structures. This deep learning model structure performs anomaly detection and classification for the smart grid: it solves the anomaly detection problem, distinguishing five network attacks against DNP3 and potential anomalies in operational data (i.e. time-series electrical measurements), and it solves a challenging multi-class classification problem consisting of 14 classes (13 Modbus/TCP network attacks and the normal case), with better recognition accuracy than the prior art in a variety of real smart grid evaluation environments.
Drawings
Fig. 1 shows the autoencoder and adversarial network architecture of the invention for anomaly detection.
Fig. 2 shows the generator-decoder structure of the invention for anomaly detection.
Fig. 3 shows the discriminator-encoder structure of the invention for anomaly detection.
Fig. 4 shows the autoencoder and adversarial network architecture of the invention for anomaly classification.
Fig. 5 shows the generator-decoder structure of the invention for anomaly classification.
Fig. 6 shows the discriminator-encoder structure of the invention for anomaly classification.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Example 1
The invention relates to a smart grid anomaly detection and classification method which, as shown in Fig. 1, comprises the following steps:
step 1, acquiring a suitable training data set, which covers two cases:
in the first case, statistically created anomalous samples are manually injected into the database of the master terminal unit (MTU), creating data sets consisting of normal and abnormal time-series electrical measurements for several smart grid environments;
in the second case, an intrusion detection data set is combined with the normal DNP3 network flows of a substation environment to generate a data set consisting of normal and malicious Modbus/TCP and DNP3 network flows;
step 2, constructing an Anomaly Detection and Classification System (ADCS), which comprises an autoencoder and generative adversarial network (GAN) architecture and has a separate architecture for each of the two cases, anomaly detection and anomaly classification;
step 3, training the ADCS network: the training data is preprocessed, formatted with a sliding window and normalized to the range [0,1], and then input into the ADCS network for training;
step 4, inputting a smart grid test data set, having the trained ADCS network perform encoding and decoding operations on data consisting of normal and abnormal time-series electrical measurements, and outputting the anomaly detection and anomaly classification results.
The generative adversarial network in step 2 relies on two sub-networks, a generator G and a discriminator D. The generator G takes random noise data and generates data similar to real data, while the discriminator D attempts to classify each input data sample as real or fake. The two sub-networks of the generative adversarial network are trained in competition with each other, so that the generator G learns to generate data that the discriminator D cannot distinguish from real data. The relation between G and D is expressed as follows:
G takes noise z from the space Z and maps it to the space in which the input x of D lies; $P_{data}(x)$ and $P_z(z)$ denote the probability distributions over the spaces X and Z, respectively;
the autoencoder structure is a deep learning network that learns to imitate its input data by compressing and expanding the input through a multi-layer pipeline; the autoencoder consists of two sub-networks, an encoder and a decoder: the encoder sub-network compresses the input data from space X to the manifold F, and conversely the decoder sub-network expands the data on the manifold F into samples P. The goal of the autoencoder architecture is to help the network, through training, generate samples similar to the given real data; after training, the network generates new data similar to the training data. The data pipeline of the autoencoder architecture is given by the following formula.
r,p:
r:X→F,p:F→P
The anomaly detection and classification system combines the autoencoder with the generative adversarial network by encapsulating the autoencoder architecture inside the GAN structure; the generator takes the form of a decoder and the discriminator takes the form of an encoder;
the generator-decoder accepts an input of noise samples of size N × M, where N is the number of noise points in a sample and M is the number of input samples; the generator-decoder expands these to produce samples that mimic the desired data; the discriminator-encoder compresses the output of the generator-decoder to a single point, which is the validity label of the sample and is used to distinguish real samples from fake ones; after training, an intermediate model is derived from the discriminator-encoder sub-network; this model is the part of the discriminator-encoder used in the anomaly detection process and comprises the input layer and the hidden layers up to the network output;
the adversarial loss is the difference between the generated sample and the real sample; since the generator-decoder learns to generate normal samples, the greater the adversarial loss, the higher the probability that the real sample is anomalous. The adversarial loss is described by the following equation:
$\mathrm{AdvL}(d_r, d_p) = \lVert d_r - d_p \rVert$
where AdvL is the adversarial loss score of the generative adversarial network, and $d_r$ and $d_p$ are the predictions of the latent (intermediate) model for the real sample and the generated sample, respectively.
The ADCS architecture for anomaly detection is trained on a set of normal samples only and identifies the outliers in a data set containing both normal and abnormal samples; the whole network is divided into three parts: an input layer, a generator-decoder and a discriminator-encoder;
input layer for anomaly detection: the input layer is the input of the proposed deep neural network; it takes a noise vector of size N, generated from a uniform distribution with mean μ and standard deviation σ;
generator-decoder for anomaly detection: the generator-decoder expands a random noise input vector of size z=10 to size M, where M is the number of features, so that the generated data mimics real data; it is trained to produce normal samples; the calculation process is as follows:
$F_1 = \sigma(\mathrm{Conv}(x))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \tanh(\mathrm{Conv}(x))$
where σ denotes the nonlinear activation function ReLU, tanh denotes the nonlinear activation function Tanh, and Dr denotes regularization;
discriminator-encoder for anomaly detection: the role of the discriminator-encoder is to distinguish real data samples from generated data samples, i.e. the samples produced by the generator-decoder; it takes a vector of the M features of a data sample and compresses it through a multi-layer pipeline into a single point representing validity, i.e. the binary classification of the sample as real or fake; the discriminator-encoder is trained together with the generator-decoder and receives both real and generated samples, each with its ground-truth label; the calculation process is as follows:
$F_1 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where σ denotes the nonlinear activation function ReLU, tanh denotes the nonlinear activation function Tanh, Dr denotes regularization, and Sigmoid denotes the nonlinear activation function Sigmoid.
In the anomaly classification case, the ADCS architecture for anomaly classification is derived from the ADCS architecture for anomaly detection; in this case the anomaly detection and anomaly classification processes are combined into a single deep neural network, producing three ground-truth points: one for the validity of the sample, one for the anomaly approximation and one describing the anomaly class of the sample; the architecture is divided into three parts: an input layer, a generator-decoder and a discriminator-encoder; the main difference is that the network is designed to handle multiple classes of data with fewer features; in contrast, the ADCS structure for anomaly detection is designed to handle one class of data with a large number of features;
anomaly classification input layer: the input layer receives a noise vector of size N and a vector containing the sample class; the elements of the random noise vector follow a normal distribution with μ=0, σ=1; the class vector, of dimension [1×C], is a zero vector with a 1 at the class position; C represents the number of classes present in a given dataset; the class of a sample is denoted by $c_p$, which is derived from the following formula:
$c_p = \arg\max(V_{label})$
where $V_{label}$ is the label vector;
anomaly classification generator-decoder: this is a modified version of the generator-decoder for anomaly detection; in this case, the generator-decoder takes the two vectors described in the input layer and concatenates them so that they pass through the structure of the generator-decoder; the calculation process is as follows:
$F_0 = \sigma(\mathrm{Conv}(x_t, x_f))$
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 1, 2, 3$
where $x_t$ is the noise vector and $x_f$ is the label vector;
discriminator-encoder for anomaly classification: the discriminator-encoder uses input vectors of M features representing data samples; the proposed structure not only produces a validity approximation, but also produces an anomaly classification of the incoming samples, the output of the discriminator-encoder comprising two parts; the first part is a validity label of a given sample and is used for distinguishing the authenticity of the sample; the second part is a label vector representing multi-class classification of the sample based on a given class in the dataset; the calculation process is as follows:
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 0, 1, 2$
$F_{out1} = \mathrm{Softmax}(\mathrm{Conv}(x))$
$F_{out2} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where Softmax represents the Softmax function, $F_{out1}$ is the classification result of the sample data, and $F_{out2}$ is the anomaly detection result of the sample data.
The four real smart grid evaluation environments for evaluating and verifying the smart grid anomaly detection and classification method are smart grid laboratories, distribution substations, hydropower stations and power plants, respectively.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the smart grid anomaly detection and classification method when executing the computer program.
A computer-readable storage medium storing a computer program for executing the smart grid anomaly detection and classification method.
In summary, the smart grid anomaly detection and classification method of the present invention uses an autoencoder network to extract features from the input power measurement data and adopts an overall structure that combines the autoencoder with a generative adversarial network. The model proposes an ADCS architecture for anomaly detection, with its generator-decoder and discriminator-encoder structures, and an ADCS architecture for anomaly classification, with its generator-decoder and discriminator-encoder structures. This deep learning model architecture performs anomaly detection and classification for the smart grid: it solves the anomaly detection problem, distinguishing five network attacks against DNP3 and potential anomalies related to the operational data (i.e. real-time sequential power measurements), and solves the challenging multi-class classification problem consisting of 14 classes (13 MODBUS/TCP network attacks and normal examples); its recognition accuracy in various practical smart grid evaluation environments is superior to existing methods.
Example 2
The invention discloses a smart grid anomaly detection and classification method, which comprises the following steps:
1. Acquisition of training and data sets:
First, a suitable dataset is constructed. The power data of four real smart grid environments are used, namely a smart grid laboratory, a distribution substation, a hydropower station and a power plant. Each of these smart grid environments generates different operational data and has an appropriate regional management unit that manages the operation of industrial components such as generators, turbines, and transformers. In the first case, statistically created anomaly samples are manually injected into the database of the master terminal unit, creating a dataset for the smart grid environment consisting of normal and anomalous time-series electrical measurements. This data is different for each smart grid environment. In the preprocessing step, the data is formatted using a sliding window of 30 instances and normalized to the range [0,1]. In the second case, the intrusion detection data set is combined with the normal DNP3 network flows of the substation environment, resulting in a data set consisting of normal and malicious Modbus/TCP and DNP3 network flows. Both data sets are labelled: in the first case the anomalous instances are known, and in the second case the malicious IPs are known.
2. Constructing the smart grid anomaly detection and classification system architecture:
The architecture combines the autoencoder with the generative adversarial network by encapsulating the autoencoder architecture into the architecture of the generative adversarial network. The generator takes the form of a decoder and the discriminator takes the form of an encoder. The generator-decoder accepts an input of noise samples N × M, where N is the number of noise points in the samples and M is the number of input samples. The generator-decoder then expands the samples to produce samples that mimic the desired data. The discriminator-encoder compresses the output of the generator-decoder to a single point, which is the validity label of the sample. This function is used to distinguish between true and false samples. After the training process, an intermediate model is derived from the discriminator-encoder sub-network. This model is the part of the discriminator-encoder used for the anomaly detection process. It spans from the input layer up to the hidden layer before the network output. Specifically, it reduces the input dimension to a specified latent space. Two samples are run through the intermediate model: the actual data sample and the generated sample. At this point, the generator-decoder has learned to generate near-real data that mimics normal samples. To calculate the anomaly score for a real sample, an adversarial loss function is used. The adversarial loss is the difference between the generated sample and the real sample. Since the generator-decoder has learned to produce normal samples, the greater the adversarial loss, the higher the probability that the real sample is abnormal. The following equation describes the adversarial loss:
$\mathrm{AdvL}(d_r, d_p) = \lVert d_r - d_p \rVert$
where AdvL is the adversarial loss score of the generative adversarial network, and $d_r$ and $d_p$ are the latent model's predictions for the actual sample and the generated sample, respectively.
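The preprocessing and scoring steps described above, as an added Python example (not code from the patent): measurements are min-max scaled with the training bounds, cut into 30-sample sliding windows, and each window is scored with AdvL(d_r, d_p) = ||d_r - d_p||. The `intermediate_model` features, the medoid stand-in for the generator's output, the 1.5x threshold margin and the synthetic voltage series are assumptions made for illustration; the trained networks themselves are not reproduced.

```python
import math
import statistics

WINDOW = 30  # sliding-window length given in the description


def normalize(series, lo, hi):
    """Min-max scale with the training bounds, so normal data lands in [0, 1].

    Values outside the training range are deliberately not clipped: an
    out-of-range measurement must stay visible to the scorer.
    """
    span = hi - lo
    if span == 0:
        raise ValueError("training series is constant; cannot normalize")
    return [(v - lo) / span for v in series]


def sliding_windows(series, size=WINDOW):
    return [series[i:i + size] for i in range(len(series) - size + 1)]


def intermediate_model(window):
    """Hypothetical stand-in for the trained discriminator-encoder cut off
    before its output layer: compresses a window to a 3-d latent vector."""
    steps = [abs(b - a) for a, b in zip(window, window[1:])]
    return (statistics.fmean(window), statistics.pstdev(window), max(steps))


def generated_normal_latent(train_windows):
    """Assumed stand-in for d_p: the latent of the medoid training window
    plays the role of a sample from a generator that learned normal data."""
    latents = [intermediate_model(w) for w in train_windows]
    centroid = tuple(statistics.fmean(c) for c in zip(*latents))
    return min(latents, key=lambda d: math.dist(d, centroid))


def adv_loss(d_r, d_p):
    """AdvL(d_r, d_p) = ||d_r - d_p|| (Euclidean norm)."""
    return math.dist(d_r, d_p)


def fit_detector(train_series, margin=1.5):
    """Fit bounds, d_p and a threshold from normal data only.

    The threshold rule (margin x worst normal score) is an assumption;
    the page does not state how scores are turned into decisions.
    """
    lo, hi = min(train_series), max(train_series)
    windows = sliding_windows(normalize(train_series, lo, hi))
    d_p = generated_normal_latent(windows)
    scores = [adv_loss(intermediate_model(w), d_p) for w in windows]
    return {"lo": lo, "hi": hi, "d_p": d_p, "threshold": margin * max(scores)}


def detect(detector, series):
    """Return (indices of flagged windows, score of every window)."""
    windows = sliding_windows(normalize(series, detector["lo"], detector["hi"]))
    scores = [adv_loss(intermediate_model(w), detector["d_p"]) for w in windows]
    flagged = [i for i, s in enumerate(scores) if s > detector["threshold"]]
    return flagged, scores


def constructed_measurement(t):
    """Constructed voltage-like signal (not real grid data)."""
    return (230.0 + 2.0 * math.sin(2 * math.pi * t / 30)
            + 0.3 * math.sin(2 * math.pi * t / 7))


def demo():
    train = [constructed_measurement(t) for t in range(240)]      # normal only
    test = [constructed_measurement(t) for t in range(240, 360)]
    for i in range(60, 65):          # constructed anomaly: +10 V for 5 samples
        test[i] += 10.0
    detector = fit_detector(train)
    flagged, scores = detect(detector, test)
    return detector, flagged, scores


if __name__ == "__main__":
    det, flagged, scores = demo()
    print(f"threshold={det['threshold']:.4f}")
    print(f"flagged windows: {flagged[0]}..{flagged[-1]} ({len(flagged)} total)")
```

Every window that overlaps the injected samples is flagged and no other window is, because the min-max bounds and the threshold are fitted on normal data only.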
The anomaly detection and classification system (ADCS) architecture for anomaly detection is shown in FIG. 1. The ADCS architecture is trained with only one set of normal samples and can distinguish outliers in a dataset that contains normal and outlier samples. The structure of the entire network can be divided into three parts: input layer, generator-decoder and discriminator-encoder.
Input layer for anomaly detection: the input layer represents the input of the proposed DNN. It uses a noise vector of size N, generated from a uniform distribution with mean μ and standard deviation σ.
Generator-decoder for anomaly detection: the generator-decoder is responsible for expanding a random noise input vector of size z=10 to a size M, where M is the number of features, and the generated data mimics real data. It is trained to produce normal samples. The calculation process is as follows:
$F_1 = \sigma(\mathrm{Conv}(x))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \tanh(\mathrm{Conv}(x))$
where σ represents the nonlinear activation function ReLU, tanh represents the nonlinear activation function Tanh, and Dr represents regularization.
Discriminator-encoder for anomaly detection: the role of the discriminator-encoder is to distinguish between the true data samples and the generated data samples (i.e. the samples generated by the generator-decoder). It takes as input vectors representing the M features of the data instance samples. It compresses the data through the multi-layer channel into a single point representing the validity layer (i.e., the binary classification of whether the sample is true or false). The discriminator-encoder is trained together with the generator-decoder, receiving true and generated samples, each with its ground-truth label. The calculation process is as follows:
$F_1 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where σ represents the nonlinear activation function ReLU, tanh represents the nonlinear activation function Tanh, Dr represents regularization, and Sigmoid represents the nonlinear activation function Sigmoid.
The anomaly detection and classification system architecture for anomaly classification is shown in FIG. 4. In the case of anomaly classification, the ADCS architecture is further derived from the architecture used for anomaly detection. In this case, the anomaly detection and anomaly classification processes are combined into a single deep neural network. In particular, it produces three ground-truth points: one for the validity of the sample, one for the anomaly approximation and one describing the anomaly class of the sample. The architecture can also be divided into three parts: an input layer, a generator-decoder and a discriminator-encoder. The main difference is that the network is designed to handle multiple classes of data with fewer features. In contrast, the ADCS structure for anomaly detection is designed to handle one class of data with a large number of features.
Anomaly classification input layer: the input layer accepts a noise vector of size N and a vector containing the sample class. The elements of the random noise vector follow a normal distribution with μ=0, σ=1. The class vector, of dimension [1×C], is a zero vector with a 1 at the class position. C represents the number of classes present in a given dataset. The class of a sample is denoted by $c_p$, which is derived from the following formula.
$c_p = \arg\max(V_{label})$
where $V_{label}$ is the label vector.
Anomaly classification generator-decoder: this is a modified version of the generator-decoder for anomaly detection. In this case, the generator-decoder takes the two vectors described in the input layer and concatenates them so that they pass through the structure of the generator-decoder. The calculation process is as follows:
$F_0 = \sigma(\mathrm{Conv}(x_t, x_f))$
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 1, 2, 3$
where $x_t$ is the noise vector and $x_f$ is the label vector.
Discriminator-encoder for anomaly classification: the discriminator-encoder uses the input vector of M features to represent the data samples. Since the proposed structure not only produces a validity approximation, but also an abnormal classification of the incoming samples, the output of the discriminator-encoder consists of two parts. The first part is a validity label for a given sample, which is used to distinguish between authenticity of the sample. The second part is a label vector representing the multi-class classification of the sample based on the class given in the dataset. The calculation process is as follows:
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 0, 1, 2$
$F_{out1} = \mathrm{Softmax}(\mathrm{Conv}(x))$
$F_{out2} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where Softmax represents the Softmax function, $F_{out1}$ is the classification result of the sample data, and $F_{out2}$ is the anomaly detection result of the sample data.
3. Training of the network model using the data set:
The invention adopts a supervised training mode: the original power data and corresponding labels are first converted into tensors and input into the model for anomaly detection and sample generation training; the generated power data obtained from the generative adversarial network, with the corresponding labels, are then input into the model for anomaly detection and classification training. The network loss is calculated with a binary cross-entropy function, and the batch size of each training step is set to 16. A step learning-rate (StepLR) strategy reduces the learning rate as training progresses to achieve a better training effect: the initial learning rate is set to 0.0002, the decay coefficient is 0.98, the learning rate is updated every 5 training rounds, and training runs for 500 rounds in total. The RMSprop optimizer is used in the training process.
4. Predicting the smart grid anomaly detection and classification results using the trained network model:
After training, the model weights are obtained and the model enters the prediction stage.
In summary, the smart grid anomaly detection and classification method of the invention uses an autoencoder network to extract features from the input power measurement data and adopts an overall structure that combines the autoencoder with a generative adversarial network. The model proposes an ADCS architecture for anomaly detection, with its generator-decoder and discriminator-encoder structures. This deep learning model architecture performs anomaly detection and classification for the smart grid: it solves the anomaly detection problem, distinguishing five network attacks against DNP3 and potential anomalies related to the operational data (namely, real-time sequential power measurements), and solves the challenging multi-class classification problem consisting of 14 classes (13 MODBUS/TCP network attacks and normal examples); its recognition accuracy in various practical smart grid evaluation environments is superior to existing methods.

Claims (8)

1. A smart grid anomaly detection and classification method, characterized by comprising the following steps:
step 1, acquiring a suitable training data set, which comprises two cases:
in the first case, manually injecting statistically created abnormal samples into a database of the master terminal unit, and creating a data set consisting of normal and abnormal time-series electrical measurements for a plurality of smart grid environments;
in the second case, combining the intrusion detection data set with the normal DNP3 network flows of the substation environment to generate a data set consisting of normal and malicious Modbus/TCP and DNP3 network flows;
step 2, constructing an Anomaly Detection and Classification System (ADCS), wherein the anomaly detection and classification system comprises an autoencoder and generative adversarial network architecture, and is divided into architectures for the two cases of anomaly detection and anomaly classification;
step 3, training the anomaly detection and classification system network: preprocessing the training data, formatting the data using a sliding window, normalizing the data to the range [0,1], and then inputting the data into the anomaly detection and classification system network for training;
step 4, inputting a smart grid test data set, performing encoding and decoding operations with the trained anomaly detection and classification system network on the data consisting of normal and abnormal time-series electrical measurements, and outputting the anomaly detection and anomaly classification results.
2. The smart grid anomaly detection and classification method of claim 1, wherein: the generative adversarial network in step 2 relies on two sub-neural networks, a generator G and a discriminator D; the generator G takes random noise data and generates data similar to real data, while the discriminator D attempts to classify each input data sample as true or false; the two sub-networks of the generative adversarial network are pushed and trained in competition with each other, so that the generator G can generate data that the discriminator D cannot distinguish from the real data; the relation equation between G and D is expressed as follows:
G takes noise z from the space Z and maps it to the space in which the input x of D lies; $P_{data}(x)$ and $P_z(z)$ represent the probability distributions over the spaces X and Z, respectively;
the autoencoder network structure is a deep learning network that learns to imitate the input data by compressing and expanding it through a multi-layer channel; the autoencoder consists of two sub-networks, an encoder and a decoder: the encoder sub-network compresses the input data of space X to a manifold F and, conversely, the decoder sub-network expands the data of manifold F into samples P; the goal of the autoencoder architecture is to help the network generate, through the training process, samples similar to the given actual data; after the training process, the network inputs new data similar to the training data; the data pipeline of the autoencoder architecture is given by the following formula:
$r: X \to F,\quad p: F \to P$.
3. The smart grid anomaly detection and classification method of claim 1, wherein:
the anomaly detection and classification system combines the autoencoder with the generative adversarial network by encapsulating the autoencoder architecture into the structure of the generative adversarial network; the generator takes the form of a decoder and the discriminator takes the form of an encoder;
the generator-decoder accepts an input of noise samples N × M, where N is the number of noise points in the samples and M is the number of input samples; the generator-decoder expands the samples to produce samples that mimic the desired data; the discriminator-encoder compresses the output of the generator-decoder to a single point, which is the validity label of the sample; this function is used to distinguish between true and false samples; after the training process, an intermediate model is derived from the discriminator-encoder sub-network; this model is the part of the discriminator-encoder used for the anomaly detection process; it includes an input layer, a hidden layer until network output;
the adversarial loss is the difference between the generated sample and the real sample; because the generator-decoder learns to generate normal samples, the greater the adversarial loss, the higher the probability that the real sample is anomalous; the following equation describes the adversarial loss:
$\mathrm{AdvL}(d_r, d_p) = \lVert d_r - d_p \rVert$
where AdvL is the adversarial loss score of the generative adversarial network, and $d_r$ and $d_p$ are the latent model's predictions for the actual sample and the generated sample, respectively.
4. The smart grid anomaly detection and classification method of claim 1, wherein:
the anomaly detection and classification system architecture is trained with only one set of normal samples and distinguishes outliers in a dataset containing normal and abnormal samples; the structure of the whole network is divided into three parts: an input layer, a generator-decoder and a discriminator-encoder;
input layer for anomaly detection: the input layer represents the input of the proposed deep neural network; it takes a noise vector of size N, generated from a uniform distribution with mean μ and standard deviation σ;
generator-decoder for anomaly detection: the generator-decoder is responsible for expanding a random noise input vector of size z=10 to a size M, where M is the number of features, and the generated data mimics real data; it is trained to produce normal samples; the calculation process is as follows:
$F_1 = \sigma(\mathrm{Conv}(x))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \tanh(\mathrm{Conv}(x))$
wherein σ represents a nonlinear activation function ReLU, tanh represents a nonlinear activation function Tanh, and Dr represents regularization;
discriminator-encoder for anomaly detection: the role of the discriminator-encoder is to distinguish between the true data samples and the generated data samples, i.e. the samples generated by the generator-decoder; it takes as input vectors representing the M features of the data instance samples; it compresses the data through the multi-layer channel into a single point representing the validity layer, i.e., the binary classification of whether the sample is true or false; the discriminator-encoder is trained together with the generator-decoder, receiving true and generated samples, each with its ground-truth label; the calculation process is as follows:
$F_1 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_2 = \mathrm{Dr}(\sigma(\mathrm{Conv}(x)))$
$F_3 = \mathrm{Conv}(x)$
$F_{out} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where σ represents the nonlinear activation function ReLU, tanh represents the nonlinear activation function Tanh, Dr represents regularization, and Sigmoid represents the nonlinear activation function Sigmoid.
5. The smart grid anomaly detection and classification method of claim 1, wherein:
in the anomaly classification case, the ADCS architecture for anomaly classification is derived from the ADCS architecture for anomaly detection; in this case the anomaly detection and anomaly classification processes are combined into a single deep neural network, producing three ground-truth points: one for the validity of the sample, one for the anomaly approximation and one describing the anomaly class of the sample; the architecture is divided into three parts: an input layer, a generator-decoder and a discriminator-encoder; the main difference is that the network is designed to handle multiple classes of data with fewer features; in contrast, the ADCS structure for anomaly detection is designed to handle one class of data with a large number of features;
anomaly classification input layer: the input layer receives a noise vector of size N and a vector containing the sample class; the elements of the random noise vector follow a normal distribution with μ=0, σ=1; the class vector, of dimension [1×C], is a zero vector with a 1 at the class position; C represents the number of classes present in a given dataset; the class of a sample is denoted by $c_p$, which is derived from the following formula:
$c_p = \arg\max(V_{label})$
where $V_{label}$ is the label vector;
anomaly classification generator-decoder: this is a modified version of the generator-decoder for anomaly detection; in this case, the generator-decoder takes the two vectors described in the input layer and concatenates them so that they pass through the structure of the generator-decoder; the calculation process is as follows:
$F_0 = \sigma(\mathrm{Conv}(x_t, x_f))$
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 1, 2, 3$
where $x_t$ is the noise vector and $x_f$ is the label vector;
discriminator-encoder for anomaly classification: the discriminator-encoder uses input vectors of M features representing data samples; the proposed structure not only produces a validity approximation, but also produces an anomaly classification of the incoming samples, the output of the discriminator-encoder comprising two parts; the first part is a validity label of a given sample and is used for distinguishing the authenticity of the sample; the second part is a label vector representing multi-class classification of the sample based on a given class in the dataset; the calculation process is as follows:
$F_i = \sigma(\mathrm{Conv}(x)),\quad i = 0, 1, 2$
$F_{out1} = \mathrm{Softmax}(\mathrm{Conv}(x))$
$F_{out2} = \mathrm{Sigmoid}(\mathrm{Conv}(x))$
where Softmax represents the Softmax function, $F_{out1}$ is the classification result of the sample data, and $F_{out2}$ is the anomaly detection result of the sample data.
6. The smart grid anomaly detection and classification method of claim 1, wherein: the four real smart grid evaluation environments for evaluating and verifying the smart grid anomaly detection and classification method are smart grid laboratories, distribution substations, hydropower stations and power plants, respectively.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the smart grid anomaly detection and classification method of any one of claims 1 to 6 when the computer program is executed.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that performs the smart grid anomaly detection and classification method of any one of claims 1 to 6.
CN202310240818.XA 2023-03-14 2023-03-14 Smart power grid anomaly detection and classification method, smart power grid anomaly detection and classification equipment and readable storage medium Pending CN116488325A (en)

Publications (1)

Publication Number Publication Date
CN116488325A true CN116488325A (en) 2023-07-25

Family

ID=87225764

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117411674A (en) * 2023-09-22 2024-01-16 南京中新赛克科技有限责任公司 Industrial Internet abnormal flow detection method and detection system based on generation and diffusion
CN117411674B (en) * 2023-09-22 2024-05-14 南京中新赛克科技有限责任公司 Industrial Internet abnormal flow detection method and detection system based on generation and diffusion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination