CN116708026B - Method and device for detecting network attack of direct-current micro-grid and estimating global state - Google Patents

Publication number
CN116708026B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310969950.4A
Other languages
Chinese (zh)
Other versions
CN116708026A (en)
Inventor
那琼澜
苏丹
来骥
张实君
杨艺西
曾婧
李信
庞思睿
任建伟
马跃
娄竞
邬小波
杨峰
许大卫
卢嫱舒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Jibei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Jibei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Jibei Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd filed Critical State Grid Corp of China SGCC

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L43/045 Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention relates to the technical field of electric power, and in particular to a method and a device for detecting network attacks on a direct-current micro-grid and estimating its global state. The method comprises the following steps: determining an initial global state vector and an initial covariance matrix; determining the region estimation state vector at the current time according to the initial global state vector, the initial covariance matrix, the input vectors of all regions at the initial time and the region state observation vector at the current time; determining the regions that are not under network attack according to the region estimation state vector at the current time; updating the initial global state vector by using the region estimation state vectors of the regions not under network attack to obtain an updated global estimation state; and taking the current time as the initial time, and iteratively calculating the region estimation state vector of each region at the next time according to the updated global estimation state. The method and the device detect the specific circumstances of a network attack, identify the specific attacked regions when network attacks occur, provide accurate health state estimation and have practical value.

Description

Method and device for detecting network attack of direct-current micro-grid and estimating global state
Technical Field
The invention relates to the technical field of electric power, in particular to a method and a device for detecting network attack and estimating global state of a direct current micro-grid.
Background
The direct-current micro-grid is an important component of an intelligent power distribution system. It can effectively solve the problem of utilizing distributed renewable energy generation, and is of great significance for promoting energy conservation, emission reduction and sustainable energy development. The direct-current micro-grid is connected with the distributed generator sets through a communication network and shares information with the control decision center, so as to build an interconnected, cooperative intelligent direct-current micro-grid. Communication networks are vulnerable to various network attacks, such as false data injection attacks, communication delay attacks and denial of service attacks, which can have a significant impact on system stability and performance and lead the control decision center to make erroneous supervisory decisions.
Existing network attack detection methods for intelligent direct-current micro-grids concentrate on locating attacks at fault positions of the micro-grid. When several network attacks occur simultaneously, there is little research on the total number of attacks and the positions of all of them, so network attack information for complex attack conditions cannot be obtained accurately. Meanwhile, most studies lack research on networked communication quality for accurately estimating the overall state of the micro-grid when an attack occurs, so the function of the power Internet of Things cannot be brought into play.
Disclosure of Invention
In order to solve the problem that the prior art cannot accurately acquire the complex attack situation, the embodiment provides a method and a device for detecting the network attack of a direct current micro-grid and estimating the global state.
Embodiments herein provide a method for detecting network attacks on a direct-current micro-grid and estimating its global state, the method comprising: determining an initial global state vector and an initial covariance matrix according to the state vectors of the buck converters of all regions in the direct-current micro-grid at an initial time, wherein the initial global state vector is the global state vector at the initial time; determining the region estimation state vector at the current time according to the initial global state vector, the initial covariance matrix, the input vectors of all regions at the initial time and the region state observation vector at the current time, wherein the elements of the region state observation vector at the current time are the sum of the output voltage of each region's buck converter, the noise signal received by each region and the network attack signal received by each region; determining, according to the region estimation state vector at the current time, the regions in the direct-current micro-grid that are not under network attack; updating the initial global state vector by using the region estimation state vectors of the regions not under network attack to obtain an updated global estimation state; and taking the current time as the initial time, and iteratively calculating the region estimation state vector of each region at the next time according to the updated global estimation state.
According to one aspect of embodiments herein, determining the region estimation state for the current time instant includes: determining an initial region estimation state vector and an estimation covariance matrix according to the initial global state vector and the initial covariance matrix; calculating a first region estimation state vector and a first estimation covariance matrix by using volume points according to the initial region estimation state vector and the estimation covariance matrix; and determining the current time region estimation state vector and the current time estimation covariance matrix according to the first region estimation state vector, the first estimation covariance matrix and the Kalman filtering algorithm.
According to one aspect of embodiments herein, determining an area within the DC micro-grid that is not under network attack based on the area estimation state at the current time includes: determining the attack characteristic value of each area at the current time according to the area estimation state of each area; determining the degree of deviation between the attack characteristic value and the average area state vector of the area estimation states; determining an area whose deviation degree exceeds a preset threshold as an area under network attack; and determining an area whose deviation degree is smaller than or equal to the preset threshold as an area not under network attack.
According to one aspect of embodiments herein, the method further comprises: performing cluster analysis on the attack characteristic values of each region at the current moment to obtain a cluster; and determining the number of network attacks to which the area is subjected according to the number of the clustered clusters and the areas corresponding to the attack characteristic values in the clusters.
According to one aspect of embodiments herein, the determining the global estimation state includes: judging whether the number of the areas not attacked by the network exceeds half of the total number of the areas; if yes, determining a global estimation state; if not, the global state estimation is not performed.
The embodiment also discloses a device for detecting the network attack of the direct current micro-grid and estimating the global state, which comprises: the initial determining unit is used for determining an initial global state vector and an initial covariance matrix according to the state vectors of the buck converters of all areas in the direct current micro-grid at the initial moment, wherein the initial global state vector is the global state vector at the initial moment;
the current determining unit is used for determining the region estimation state vector at the current time according to the initial global state vector, the initial covariance matrix, the input vectors of all regions at the initial time and the region state observation vector at the current time, wherein the elements of the region state observation vector at the current time are the sum of the output voltage of each region's buck converter, the noise signal received by each region and the network attack signal received by each region; the network attack determining unit is used for determining the areas in the direct-current micro-grid that are not under network attack according to the area estimation state vector at the current time; the updating unit is used for updating the initial global state vector by using the area estimation state vectors of the areas not under network attack to obtain an updated global estimation state; and the iterative calculation unit is used for taking the current time as the initial time and iteratively calculating the area estimation state vector of each area at the next time according to the updated global estimation state.
Embodiments herein also provide a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the direct current microgrid network attack detection and global state estimation method when executing the computer program.
The embodiments of the present specification also provide a computer readable storage medium storing a computer program, which when executed by a processor, implements the dc micro-grid network attack detection and global state estimation method.
The embodiment of the invention detects the specific condition of the network attack, analyzes the specific attacked area when the network attack happens for a plurality of times, provides accurate health state estimation, and has practical value.
Drawings
In order to more clearly illustrate the embodiments herein or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments herein and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is a flowchart of a method for detecting a dc micro-grid network attack and estimating a global state according to an embodiment of the disclosure;
FIG. 2 is a flow chart of a method for determining a state of estimation of a region at a current time according to an embodiment herein;
FIG. 3 is a flow chart of a method for determining regions not under network attack according to an embodiment herein;
FIG. 4 is a flowchart illustrating a method for determining the number of network attacks on a region according to an embodiment of the present disclosure;
FIG. 5 is a flow chart illustrating a method of determining a global estimation state according to an embodiment herein;
FIG. 6 is a schematic structural diagram of a DC micro-grid network attack detection and global state estimation device according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a system for detecting a DC micro-grid network attack and estimating a global state according to an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure.
Description of the drawings:
601. an initial determination unit;
602. a current determination unit;
603. a network attack determination unit;
604. an updating unit;
605. an iterative calculation unit;
802. a computer device;
804. a processor;
806. a memory;
808. a driving mechanism;
810. an input/output module;
812. an input device;
814. an output device;
816. a presentation device;
818. a graphical user interface;
820. a network interface;
822. a communication link;
824. a communication bus.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments herein will be clearly and completely described below with reference to the drawings in the embodiments herein, and it is apparent that the described embodiments are only some embodiments herein, but not all embodiments. All other embodiments, based on the embodiments herein, which a person of ordinary skill in the art would obtain without undue burden, are within the scope of protection herein.
It should be noted that the terms "first," "second," and the like in the description and claims herein and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or device.
The present specification provides method operational steps as described in the examples or flowcharts, but may include more or fewer operational steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When a system or apparatus product in practice is executed, it may be executed sequentially or in parallel according to the method shown in the embodiments or the drawings.
It should be noted that, the method for detecting the network attack and estimating the global state of the direct current micro-grid can be used in the technical field of electric power and the field of communication security, and the application fields of the method and the device are not limited.
Fig. 1 is a flowchart of a method for detecting a dc micro-grid network attack and estimating a global state according to an embodiment of the present disclosure, which specifically includes the following steps:
Step 101, determining an initial global state vector and an initial covariance matrix according to the state vectors of the buck converters of all areas in the direct-current micro-grid at an initial moment, wherein the initial global state vector is the global state vector at the initial moment.
In the present embodiment, each of the regions within the DC micro-grid has a buck converter. The state vector of the buck converter of each region at the initial moment is indexed by i and k, where i denotes the i-th region and k denotes the current time as the k-th moment; in the embodiments of the present specification, the k-th moment is taken as the initial moment. The state vector at the initial time may be understood as the electrical signals output by each area at the initial time, including the output voltage and the output current of the buck converter.
In some embodiments of the present disclosure, a dc micro-grid global state estimator and a network attack detection locator are designed for an overall dc micro-grid, and a local state estimator is designed for each region in the dc micro-grid, where a plurality of local state estimators are sequentially distributed in parallel in each region. The global state estimator and the attack detection locator are connected with all the local state estimators. The local state estimator of each region performs nonlinear region state estimation on the region based on the output signals of other regions, thereby obtaining the region estimation state of each region.
In the embodiment of the present specification, the state vector of each region at the initial time can be used as an input of the global state estimator for all areas.
The global estimation state vector at time k and its covariance matrix are acquired directly from the global state estimator of the direct-current micro-grid. Based on the combination of the local state estimators at time k-1, the moment immediately before the current time k, the initial region estimation state vector and the estimation covariance matrix of the i-th region at time k can be calculated. The detailed calculation method is described with reference to Fig. 2.
Step 102, determining the region estimation state vector at the current time according to the initial global state vector, the initial covariance matrix, the input vectors of all regions at the initial time and the region state observation vector at the current time, wherein the elements of the region state observation vector at the current time are the sum of the output voltages of the buck converters of all regions, the noise signals of all regions and the network attack signals.
In some embodiments of the present description, the input vectors of all regions at the initial time are denoted by U, and the local state estimator of the i-th region has its own regional input vector. The region state observation vector at the current time is denoted by Z, and M denotes the total number of regions. The region state observation vector at the current time can be collected directly from the direct-current micro-grid, and the region state vector is then calculated from the region state observation vector.
In the embodiment of the present specification, the elements of the region state observation vector at the current time are the sum of the output voltage of each region's buck converter, the noise signal received by each region and the network attack signal received by each region. The formula expressing this uses: the measurement output signal of the i-th region; the external noise to which the i-th region is subjected; and the network attack q to which the i-th region is subjected. Determining the region estimation state at the current time in this step is described in detail with reference to Fig. 2.
Step 103, determining the area which is not attacked by the network in the direct-current micro-grid according to the area estimation state vector at the current moment. In this step, the attack characteristic value of each area at the current moment is determined according to the area estimation state of each area, the degree of deviation of the area from the average area state vector is determined according to the attack characteristic value, and it is then determined whether the area is under network attack. Step 103 is described in detail with reference to Fig. 3.
Step 104, updating the initial global state vector by using the area estimation state vector of the area which is not attacked by the network to obtain an updated global estimation state. The area estimation state vector of an area that is not under network attack is accurate, so the area estimation state vectors of the healthy areas are used to update the initial global vector at the next moment, giving the updated global estimation state.
Step 105, using the current time as the initial time, and iteratively calculating the area estimation state vector of each area at the next time according to the updated global estimation state.
The area estimation state of each area at the next moment is calculated according to the updated global estimation state of the direct-current micro-grid. Because the sensors with which the areas measure their output signals may not be identical, the measured output signals have different noise characteristics, reliability levels and measurement accuracy; this step therefore introduces an information weight factor for each area so that the local state vector of each area's local state estimator is evaluated accurately.
The area estimation state at the next time is determined specifically using the following formula.
Wherein the formula uses the weight factor of each area's information at time k, and M denotes the total number of areas. The weight factor takes a specific value when the sensors of each area responsible for measuring the output signal have the same performance.
Fig. 2 is a flowchart of a method for determining a state of area estimation at a current moment according to an embodiment of the present disclosure, which specifically includes the following steps:
Step 201, determining an initial region estimation state vector and an estimation covariance matrix according to the initial global state vector and the initial covariance matrix. In some embodiments of the present description, the initial region estimation state vector and the estimation covariance matrix are determined, for example, as follows:
Wherein the formula uses: the information weight factor of each region at time k, which takes a specific value when the sensors of each region responsible for measuring the output signal have the same performance; the initial region estimation state vector of the i-th region at time k; the global state estimation vector at time k; the covariance matrix of the initial region estimation state vector of the i-th region at time k; N, an array holding the serial numbers of all regions of the intelligent direct-current micro-grid; and A, an array holding the serial numbers of the regions of the intelligent direct-current micro-grid that are under network attack at the current time.
Step 202, calculating a first region estimation state vector and a first estimation covariance matrix by using the volume points (cubature points) according to the initial region estimation state vector and the estimation covariance matrix. The initial region estimation state vector determined in the foregoing step is a predicted region estimation state vector, and its value is not a completely true region state vector. Thus, in this step, the first region estimation state vector and the first estimation covariance matrix are determined according to the following formula:
Wherein the formula uses: the a priori prediction vector of the region state vector of the i-th region at time k+1, which is the first region estimation state vector; the covariance matrix of the a priori prediction error of the region state vector of the i-th region at time k+1, which is the first estimated covariance matrix; the volume points; m, the number of all volume points, here m = 4; an individual volume point, identified by its index; the identity matrix; a variance matrix; the initial region estimation state vector of the i-th region at time k; and the covariance matrix of the initial region estimation state vector of the i-th region at time k.
Step 203, determining the current time region estimation state vector and the current time estimation covariance matrix according to the first region estimation state vector, the first estimation covariance matrix and the kalman filtering algorithm.
In the embodiment of the present specification, the current time region estimation state vector and the current time estimation covariance matrix are determined by using the following formulas:
Wherein the formula uses: the a priori prediction vector of the region state observation vector of the local state estimator of the i-th region at time k+1; the region state vector of the i-th region at time k+1, which is the region estimation state vector at the current time; the covariance matrix of the region state vector of the i-th region at time k+1, which is the estimated covariance matrix at the current time; the Kalman gain; and a relationship matrix between the local state vector and the local state observation vector.
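Steps 201 to 203 follow the shape of a cubature Kalman filter: spread m = 4 cubature ("volume") points around the two-element state, push them through the model, then apply a Kalman update. The sketch below is an added example, not code from the patent; the averaged buck-converter model `buck_step`, its component values, the scalar voltage measurement and all function names are assumptions chosen for illustration.

```python
"""Cubature Kalman filter step for one region (added example, assumed model)."""
import math
from typing import Callable, List, Tuple

Vec = List[float]
Mat = List[List[float]]


def cholesky(p: Mat) -> Mat:
    """Lower-triangular S with S S^T = p (p symmetric positive definite)."""
    n = len(p)
    s = [[0.0] * n for _ in range(n)]
    for r in range(n):
        for c in range(r + 1):
            acc = p[r][c] - sum(s[r][k] * s[c][k] for k in range(c))
            s[r][c] = math.sqrt(acc) if r == c else acc / s[c][c]
    return s


def cubature_points(x: Vec, p: Mat) -> List[Vec]:
    """2n points x +/- sqrt(n) * (column j of S); n = 2 gives m = 4 points."""
    n = len(x)
    s = cholesky(p)
    return [[x[r] + sign * math.sqrt(n) * s[r][j] for r in range(n)]
            for sign in (1.0, -1.0) for j in range(n)]


def mean(pts: List[Vec]) -> Vec:
    return [sum(col) / len(pts) for col in zip(*pts)]


def cross_cov(a: List[Vec], a_bar: Vec, b: List[Vec], b_bar: Vec) -> Mat:
    """(1/m) * sum over points of (a - a_bar)(b - b_bar)^T."""
    m = len(a)
    return [[sum((a[k][r] - a_bar[r]) * (b[k][c] - b_bar[c]) for k in range(m)) / m
             for c in range(len(b_bar))] for r in range(len(a_bar))]


def ckf_step(x: Vec, p: Mat, u: float, z: float,
             f: Callable[[Vec, float], Vec], h: Callable[[Vec], float],
             q: Mat, r_var: float) -> Tuple[Vec, Mat, float]:
    """One predict + update cycle; returns (state, covariance, innovation)."""
    n = len(x)
    # Prediction: propagate the cubature points through the process model.
    prop = [f(pt, u) for pt in cubature_points(x, p)]
    x_pred = mean(prop)
    p_pred = cross_cov(prop, x_pred, prop, x_pred)
    p_pred = [[p_pred[i][j] + q[i][j] for j in range(n)] for i in range(n)]
    # Update: redraw points around the prediction and map them to measurements.
    pts = cubature_points(x_pred, p_pred)
    zs = [[h(pt)] for pt in pts]
    z_pred = mean(zs)
    p_zz = cross_cov(zs, z_pred, zs, z_pred)[0][0] + r_var
    p_xz = [row[0] for row in cross_cov(pts, x_pred, zs, z_pred)]
    gain = [v / p_zz for v in p_xz]            # Kalman gain (scalar measurement)
    innovation = z - z_pred[0]
    x_new = [x_pred[i] + gain[i] * innovation for i in range(n)]
    p_new = [[p_pred[i][j] - gain[i] * p_zz * gain[j] for j in range(n)]
             for i in range(n)]
    return x_new, p_new, innovation


def buck_step(x: Vec, u: float, dt: float = 1e-4, ind: float = 1e-3,
              cap: float = 1e-3, load: float = 2.0) -> Vec:
    """ASSUMED averaged buck model, Euler step; x = [v_out, i_L], u = duty * V_in."""
    v, i = x
    return [v + dt * (i - v / load) / cap, i + dt * (u - v) / ind]


if __name__ == "__main__":
    q = [[1e-4, 0.0], [0.0, 1e-4]]
    x, p = [0.0, 0.0], [[1.0, 0.0], [0.0, 1.0]]
    truth = [0.0, 0.0]
    for k in range(30):
        truth = buck_step(truth, 24.0)
        attack = 5.0 if k >= 20 else 0.0       # constructed false-data bias
        x, p, nu = ckf_step(x, p, 24.0, truth[0] + attack,
                            buck_step, lambda s: s[0], q, 0.01)
        print(k, round(x[0], 3), round(nu, 3))
```

In the constructed run the innovation jumps when the bias is injected at step 20, which is the effect the later detection steps rely on.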
Fig. 3 is a flowchart of a method for determining an area not attacked by a network according to an embodiment of the present disclosure, which specifically includes the following steps:
Step 301, determining attack characteristic values of all areas at the current moment according to the area estimation states of all areas. In the embodiment of the present specification, the attack characteristic value reflects the influence of a network attack on different areas. In this step, the attack characteristic value of each area is calculated from the area estimation state of each area. The attack characteristic value represents the degree to which the attacked area deviates from the average area state of all the areas. The larger the attack characteristic value and the larger the deviation degree, the larger the influence of the attack on the area; conversely, the smaller the attack characteristic value and the smaller the deviation degree, the smaller the change caused by the attack on the area. In this step, the attack characteristic values of the respective areas are calculated according to the following formula.
Wherein the formula uses: the attack characteristic value of the i-th area at time k+1 (i.e., the next time); the average area state vector of all local state estimators; and W, a weight matrix used for adjusting the importance of the local state of each area's local state estimator.
Step 302, determining the deviation degree of the attack characteristic value and the average area state vector of the area estimation state. And determining the deviation degree according to the magnitude of the attack characteristic value.
Step 303, determining the area with the deviation degree exceeding the preset threshold value as the area under network attack. In the example of the present specification, a preset threshold for deciding whether an area is under network attack is set according to the deviation degree and the attack characteristic value. If the deviation degree calculated from the attack characteristic value is greater than the preset threshold, the area is under network attack.
Step 304, determining the area with the deviation degree smaller than or equal to the preset threshold value as the area not attacked by the network. If the deviation degree calculated from the attack characteristic value is smaller than the preset threshold, the area is not under network attack.
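The threshold test of steps 301 to 304, combined with the majority check and the healthy-region update described earlier, can be sketched as follows. This is an added example, not code from the patent: the attack characteristic value is assumed to be the weighted squared deviation from the average state with a diagonal W, the fusion weights are assumed equal, and the state values, threshold and function names are constructed for illustration.

```python
"""Deviation-based attack detection and healthy-region fusion (added example)."""
from typing import Dict, List, Optional, Sequence, Tuple

Vector = List[float]

# Constructed region estimates [output voltage (V), output current (A)];
# region 5 carries a +5 V false-data bias.
SAMPLE_STATES: Dict[int, Vector] = {
    1: [48.0, 5.0],
    2: [48.1, 5.1],
    3: [47.9, 4.9],
    4: [48.0, 5.0],
    5: [53.0, 5.0],
}


def average_state(states: Dict[int, Vector]) -> Vector:
    """Average region state vector over all local state estimators."""
    rows = list(states.values())
    return [sum(col) / len(rows) for col in zip(*rows)]


def attack_feature(x: Vector, x_bar: Vector, w_diag: Sequence[float]) -> float:
    """ASSUMED form: (x - x_bar)^T W (x - x_bar) with W = diag(w_diag)."""
    return sum(w * (a - b) ** 2 for w, a, b in zip(w_diag, x, x_bar))


def classify(states: Dict[int, Vector], w_diag: Sequence[float],
             threshold: float) -> Tuple[Dict[int, float], List[int], List[int]]:
    """Return (feature per region, attacked regions, healthy regions)."""
    x_bar = average_state(states)
    features = {r: attack_feature(x, x_bar, w_diag) for r, x in states.items()}
    attacked = sorted(r for r, d in features.items() if d > threshold)
    healthy = sorted(r for r, d in features.items() if d <= threshold)
    return features, attacked, healthy


def fuse_global(states: Dict[int, Vector], healthy: Sequence[int],
                weights: Optional[Dict[int, float]] = None) -> Optional[Vector]:
    """Weighted global estimate from healthy regions only.

    Returns None unless the healthy regions exceed half of all regions,
    mirroring the rule that no global estimate is produced otherwise.
    """
    if 2 * len(healthy) <= len(states):
        return None
    if weights is None:                        # ASSUMED equal sensor quality
        weights = {r: 1.0 / len(healthy) for r in healthy}
    total = sum(weights[r] for r in healthy)
    dim = len(next(iter(states.values())))
    return [sum(weights[r] * states[r][d] for r in healthy) / total
            for d in range(dim)]


if __name__ == "__main__":
    feats, attacked, healthy = classify(SAMPLE_STATES, (1.0, 1.0), 4.0)
    print("features:", {r: round(v, 2) for r, v in feats.items()})
    print("attacked:", attacked, "healthy:", healthy)
    print("global estimate:", fuse_global(SAMPLE_STATES, healthy))
```

The attacked region pulls the average voltage to 49.0 V, so the healthy regions score about 1.0 rather than 0; the threshold has to sit above that contamination.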
Fig. 4 is a flowchart of a method for determining the number of network attacks on an area according to an embodiment of the present disclosure, which specifically includes the following steps:
Step 401, performing cluster analysis on the attack characteristic values of each area at the current moment to obtain clusters.
In this step, a fuzzy c-means clustering algorithm processes the attack characteristic values of all areas at the current moment in order to detect the network attack condition of each area. The number of attacks and the type of network attack each area suffers are analyzed and determined, so that the different areas are clustered.
An objective function is constructed, and clustering is completed by minimizing it. The membership degrees are randomly initialized, the cluster centers corresponding to the current membership degrees are calculated, and the membership degrees and the corresponding cluster centers are then recalculated iteratively until the clustering end condition is met. The objective function is expressed as follows:
where the quantities in the formula are: the membership degree; the number of clusters; the center of the j-th cluster; M, the total number of regions; and the attack characteristic value of the i-th area at time k+1.
The cluster center calculation formula is expressed as follows:
where the formula refers to the center of the b-th cluster.
The membership iteration formula is expressed as follows:
where the formula refers to the center of the j-th cluster and the center of the b-th cluster. The condition for ending the clustering is expressed as follows:
where the condition involves the objective function after the t-th iteration and the clustering end threshold.
Step 402, determining the number of network attacks suffered by the areas according to the number of clusters and the areas corresponding to the attack characteristic values in each cluster.
In the embodiment of the present disclosure, cluster analysis of the attack characteristic values of the areas yields a set of clusters. The number of clusters reflects the number of network attacks the areas are subjected to. The cluster with the smallest cluster center is the security cluster, whose attack characteristic values have the smallest deviation degree. The areas corresponding to the attack characteristic values in the security cluster are the secure areas not suffering from network attack, and the number of network attacks suffered by the intelligent micro-grid at the current moment is
For example, if the number of clusters is 5, there have been 4 network attacks. Further, whether the network attacks suffered by different areas are of the same type can be determined from the attack characteristic values. Apart from the security cluster, each cluster represents one network attack, and the areas corresponding to the attack characteristic values in the same cluster are the areas hit by that same attack. The serial numbers of all areas under network attack at the current moment form an array A, and the number of areas under network attack at the current moment is denoted by a.
In the embodiment of the present specification, the attack detection locator obtains, by analysis, the sequence numbers of the attacked areas and the number of areas under network attack. The local state estimators whose estimates are in error because of network attacks are then isolated, and the region state vectors and covariance matrices estimated in step 203 by the local state estimators of the secure areas not under network attack are received.
In some embodiments of the present description, the initial global state vector is updated with the region estimation state of the region not under network attack. Specifically, the following formula is used to determine the updated global estimation state:
where A represents the sequence numbers of the areas under attack and N is an array comprising the sequence numbers of all areas of the direct current micro-grid, so that N-A represents the sequence numbers of the areas not under network attack; the remaining two symbols represent the global estimation vector at the current moment and the covariance matrix of the global estimation vector at the current moment. By detecting the specific conditions of the network attacks, the embodiment of the specification identifies the specific attacked areas when multiple network attacks occur and provides accurate health state estimation.
Fig. 5 is a flowchart of a method for determining a global estimation state according to an embodiment of the present disclosure, which specifically includes the following steps:
Step 501, it is determined whether the number of areas not under network attack exceeds half of the total number of areas. The number of areas not under network attack, N-a, is compared with 0.5M.
Step 502, if yes, determining a global estimation state. In this step, when the number of regions under network attack is less than half of the total number of regions M, the local state vectors and covariance matrix information of the regional local state estimators received by the global state estimator are sufficient, so the global estimated state of the intelligent direct current micro-grid can be calculated.
Step 503, if not, no global state estimation is performed. When the number of regions under attack is greater than or equal to half of the total number of regions, too little local state vector and covariance matrix information from the local state estimators reaches the global state estimator, and the global estimated state of the intelligent direct current micro-grid cannot be adequately calculated.
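The procedure of steps 301 to 304, 401 to 402 and 501 to 503 can be followed end to end in the added Python example below, which is not code from the patent. The function names, the weighted 2-norm form of the attack characteristic value with a diagonal W, the cluster count passed in as `c`, the equal-weight fusion and all sample values are assumptions made for illustration, since the patent's formulas are not reproduced on this page.

```python
import math
import random


def attack_features(states, w_diag):
    """Step 301 (assumed form): weighted 2-norm of each region's deviation
    from the average state of all regions; W is taken as diagonal."""
    m_regions, dim = len(states), len(states[0])
    mean = [sum(s[d] for s in states) / m_regions for d in range(dim)]
    return [math.sqrt(sum(w_diag[d] * (s[d] - mean[d]) ** 2 for d in range(dim)))
            for s in states]


def fuzzy_c_means(values, c, m=2.0, eps=1e-10, max_iter=500, seed=0):
    """Step 401 on scalar features: random memberships, then alternate the
    centre and membership updates until the objective moves by less than eps."""
    rng = random.Random(seed)
    u = []
    for _ in values:
        row = [rng.random() + 1e-3 for _ in range(c)]
        u.append([r / sum(row) for r in row])
    prev_obj, centres = None, [0.0] * c
    for _ in range(max_iter):
        for j in range(c):
            weights = [u[i][j] ** m for i in range(len(values))]
            centres[j] = sum(w * v for w, v in zip(weights, values)) / sum(weights)
        for i, v in enumerate(values):
            dist = [abs(v - cj) for cj in centres]
            hits = [j for j, d in enumerate(dist) if d == 0.0]
            if hits:  # the feature sits exactly on a centre
                u[i] = [1.0 / len(hits) if j in hits else 0.0 for j in range(c)]
            else:
                inv = [d ** (-2.0 / (m - 1.0)) for d in dist]
                u[i] = [x / sum(inv) for x in inv]
        obj = sum(u[i][j] ** m * (values[i] - centres[j]) ** 2
                  for i in range(len(values)) for j in range(c))
        if prev_obj is not None and abs(obj - prev_obj) < eps:
            break
        prev_obj = obj
    return u, centres


def locate_attacked_regions(states, w_diag, c):
    """Step 402: the cluster with the smallest centre is the security cluster;
    every other cluster is one attack. Region numbers are 1-based."""
    feats = attack_features(states, w_diag)
    u, centres = fuzzy_c_means(feats, c)
    labels = [max(range(c), key=lambda j: u[i][j]) for i in range(len(feats))]
    safe = min(range(c), key=lambda j: centres[j])
    groups = {}
    for i, lab in enumerate(labels):
        if lab != safe:
            groups.setdefault(lab, []).append(i + 1)
    attacked = sorted(r for g in groups.values() for r in g)
    return attacked, sorted(groups.values())


def global_estimate(states, attacked):
    """Steps 501-503: fuse only if the unattacked regions exceed half of all
    regions. Equal-weight averaging is an assumption standing in for the
    patent's fusion formula, which is not reproduced on this page."""
    trusted = [s for i, s in enumerate(states, 1) if i not in attacked]
    if len(trusted) <= 0.5 * len(states):
        return None  # step 503: too few trustworthy local estimates
    return [sum(s[d] for s in trusted) / len(trusted)
            for d in range(len(states[0]))]


# Constructed sample: 7 regions, state = [output voltage (V), inductor current (A)].
# Regions 3 and 6 carry the same constructed +4 V bias on the voltage estimate.
SAMPLE_STATES = [
    [48.02, 5.01], [47.97, 4.99], [52.05, 5.02], [48.01, 5.00],
    [47.99, 5.01], [51.96, 4.98], [48.03, 5.00],
]
W_DIAG = [1.0, 1.0]  # assumed diagonal of the weight matrix W

if __name__ == "__main__":
    attacked, groups = locate_attacked_regions(SAMPLE_STATES, W_DIAG, c=2)
    print("attacked regions A:", attacked, "a =", len(attacked))
    print("regions sharing an attack:", groups)
    print("global estimate:", global_estimate(SAMPLE_STATES, attacked))
```

Because the attack characteristic value is measured against the average of all regions, the biased regions pull that average toward themselves; the strict-majority gate in `global_estimate` is what keeps the fused estimate anchored to the unattacked regions.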
Fig. 6 is a schematic structural diagram of a dc micro-grid network attack detection and global state estimation device according to an embodiment of the present disclosure, showing the basic structure of the device. Its functional units and modules may be implemented in software, or in a general-purpose chip or a dedicated chip. The dc micro-grid network attack detection and global state estimation device specifically includes:
the initial determining unit 601 is configured to determine an initial global state vector and an initial covariance matrix according to state vectors of buck converters of all areas in the dc micro-grid at an initial time, where the initial global state vector is a global state vector at the initial time;
The current determining unit 602 is configured to determine a current time zone estimation state vector according to the initial global state vector, the initial covariance matrix, input vectors of all zones at an initial time, and a current time zone state observation vector, where elements in the current time zone state observation vector are a sum of output voltages of the buck converters of each zone, noise signals received by each zone, and network attack signals received by each zone;
the network attack determining unit 603 is configured to determine an area that is not under network attack in the dc micro-grid according to the current time area estimation state vector;
an updating unit 604, configured to update the initial global state vector by using the area estimation state vector of the area not attacked by the network, so as to obtain an updated global estimation state;
the iterative calculation unit 605 is configured to iteratively calculate the region estimation state vector of each region at the next time according to the updated global estimation state, with the current time as the initial time.
The embodiment of the invention is suitable for nonlinear systems such as an intelligent direct current micro-grid containing nonlinear loads, and the nonlinear equations do not need to be linearized, which reduces the online computational load. The scheme arranges multiple filters in parallel, which avoids the weak noise reduction capability of a single cubature Kalman filter, achieves a better noise reduction effect, and reduces the influence of noise on the final global estimation state. The attack characteristic value is calculated from the residual through a weighted 2-norm, so detection is more sensitive to state changes caused by attacks and the detection success rate is improved. Estimates from attacked areas are eliminated by clustering, and information weight factors for the areas are introduced to reflect the reliability of the sensors in different areas, which improves the accuracy of global state estimation. The method can detect the specific conditions of a network attack, identify the specific attacked areas when multiple network attacks occur, and provide accurate health state estimation, and therefore has practical value.
Fig. 7 is a schematic diagram of a dc micro-grid network attack detection and global state estimation system according to an embodiment of the disclosure. In the figure, the DC micro-grid has a plurality of areas: area 1, area 2, ..., area i, ..., area M. Each area comprises a direct current power supply, a buck converter and a nonlinear load. The buck converter has parameters such as capacitance, inductance and resistance, and the nonlinear load in the area comprises a resistance and a constant power load. The system comprises a global state estimator and a network attack detection locator, and each area in the direct current micro-grid is provided with a local state estimator. The global state estimator and the attack detection locator are connected to all local state estimators.
Specifically, the local state estimator of each region outputs the initial state vector of each region at the previous time as the input signal of the global state estimator. The global state estimator output is returned to the local state estimator for calculating the regional state estimate for the next time.
As shown in fig. 8, a computer device is provided in an embodiment herein. The direct current micro-grid network attack detection and global state estimation method can be applied to the computer equipment. The computer device 802 may include one or more processors 804, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 802 may also include any memory 806 for storing any kind of information, such as code, settings, data, etc. For example, and without limitation, memory 806 may include any one or more of the following combinations: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may store information using any technique. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 802. In one case, the computer device 802 may perform any of the operations of the associated instructions when the processor 804 executes the associated instructions stored in any memory or combination of memories. The computer device 802 also includes one or more drive mechanisms 808, such as a hard disk drive mechanism, an optical disk drive mechanism, and the like, for interacting with any memory.
The computer device 802 may also include an input/output module 810 (I/O) for receiving various inputs (via an input device 812) and for providing various outputs (via an output device 814). One particular output mechanism may include a presentation device 816 and an associated Graphical User Interface (GUI) 818. In other embodiments, input/output module 810 (I/O), input device 812, and output device 814 may not be included, but merely as a computer device in a network. The computer device 802 may also include one or more network interfaces 820 for exchanging data with other devices via one or more communication links 822. One or more communications buses 824 couple the above-described components together.
The communication link 822 may be implemented in any manner, such as, for example, through a local area network, a wide area network (e.g., the internet), a point-to-point connection, etc., or any combination thereof. Communication link 822 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
Corresponding to the method in fig. 1 to 5, embodiments herein also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above method.
Embodiments herein also provide a computer readable instruction wherein the program therein causes the processor to perform the method as shown in fig. 1 to 5 when the processor executes the instruction.
It should be understood that, in the various embodiments herein, the sequence number of each process described above does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments herein.
It should also be understood that in embodiments herein, the term "and/or" merely describes an association between associated objects and means that three relationships may exist. For example, A and/or B may represent: A exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided herein, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the elements may be selected according to actual needs to achieve the objectives of the embodiments herein.
In addition, each functional unit in the embodiments herein may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions herein, in essence or in the part that contributes over the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments herein. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
Specific examples are set forth herein to illustrate the principles and embodiments herein and are merely illustrative of the methods herein and their core ideas; also, as will be apparent to those of ordinary skill in the art in light of the teachings herein, many variations are possible in the specific embodiments and in the scope of use, and nothing in this specification should be construed as a limitation on the invention.

Claims (12)

1. A method for detecting a direct current micro-grid network attack and estimating a global state, the method comprising:
determining an initial global state vector and an initial covariance matrix according to state vectors of buck converters of all areas in a direct current micro-grid at an initial moment, wherein the initial global state vector is a global state vector at the initial moment;
determining an area estimation state vector at the current moment according to the initial global state vector, the initial covariance matrix, input vectors of all areas at the initial moment and an area state observation vector at the current moment, wherein elements in the area state observation vector at the current moment are the sum of output voltage of the buck converter at each area, noise signals received by each area and network attack signals received by each area;
According to the current time zone estimation state vector, determining a zone which is not attacked by the network in the direct current micro-grid;
updating the initial global state vector by using the area estimation state vector of the area not attacked by the network to obtain an updated global estimation state;
and taking the current moment as the initial moment, and iteratively calculating the area estimation state vector of each area at the next moment according to the updated global estimation state.
2. The method for detecting and estimating a global state of a dc micro-grid network attack according to claim 1, wherein determining the area estimation state at the current moment comprises:
determining an initial region estimation state vector and an estimation covariance matrix according to the initial global state vector and the initial covariance matrix;
calculating a first region estimation state vector and a first estimation covariance matrix by using volume points according to the initial region estimation state vector and the estimation covariance matrix;
and determining the area estimation state vector at the current moment and the estimation covariance matrix at the current moment according to the first area estimation state vector, the first estimation covariance matrix and the Kalman filtering algorithm.
3. The method for detecting and estimating the global state of a direct current micro grid network attack according to claim 2, wherein the method comprises the following steps: the initial region estimation state vector and the estimation covariance matrix are determined by using the following formula: Wherein->Representation->Information weighting factors of each region at a time, when the sensor performance of each region responsible for measuring the output signal is the same, < >>M represents the total number of areas, a represents the total number of areas subject to network attacks,each region information weight factor indicating the time k+1; />Representation->Time of day (time)iInitial region estimation state vectors for individual regions; />Representation->Estimating a state vector by a global state at a moment; />Representation->Time of day (time)iInitial region estimation state vector covariance matrix of each region;Nthe system is an array, and represents all area serial numbers of the intelligent direct current micro-grid;Ais an array, which indicates the sequence number of the area of the intelligent direct-current micro-grid under network attack at the current moment,/->And represents the covariance matrix of the global state estimation vector at time k.
4. The method for detecting and estimating a global state of a dc micro-grid network attack of claim 3, wherein the first area estimation state vector and the first estimation covariance matrix are determined by using the following formula:
wherein (1)>Representation of k+ 1Time->Priori pre-prediction of region state vectors for individual regionsA measured vector, namely the first area estimation state vector,Representation ofk+1Time->A covariance matrix of the prior prediction errors of the regional state vectors of the individual regions is the first estimated covariance matrix; / >Representing a volume point;mfor all volume points, this is takenm=4;/>Represent the firstjA plurality of volume points; />Representing the identity matrix; />Is->Is a variance matrix of (a); />Representation ofkTime of day (time)iInitial region estimation state vectors for individual regions; />Representation->Time->Initial region estimation state vector covariance matrix of each region, f ()A relationship function representing a region state vector at a previous time and a region state vector at a subsequent time;a region input vector representing an i-th region at a time k; />A relationship function representing a region state vector at a current time and a region input vector at the current time; />A transpose of the matrix of prior prediction errors of the region state vector representing the i-th region at time k+1.
5. The method for detecting and estimating a global state of a direct current micro-grid network attack according to claim 4, wherein the current time zone estimation state vector and the current time estimation covariance matrix are determined by using the following formula:
wherein (1)>Representation ofTime->A priori prediction vector of the regional state observation vector of the regional local state estimator of each region; />Representation ofTime->The regional state vector of each region is the regional estimation state vector of the current moment, +. >Representation->Time->The covariance matrix of the regional state vector of each region is the estimated covariance matrix of the current moment; />For Kalman gain, ++>Is a relation matrix of the regional state vector and the regional state observation vector,>represents time k-1>The initial region of each region estimates the covariance matrix of the state vector.
6. The method for detecting and estimating the global state of network attacks on a direct current micro-grid according to claim 5, wherein determining the area which is not attacked by the network in the direct current micro-grid according to the current time area estimation state comprises:
according to the area estimation state of each area, determining the attack characteristic value of each area at the current moment;
determining the deviation degree of the attack characteristic value and the average area state vector of the area estimation state;
determining an area with the deviation degree exceeding a preset threshold value as an area under network attack;
and determining the area with the deviation degree smaller than or equal to the preset threshold value as the area not attacked by the network.
7. The method of direct current micro grid network attack detection and global state estimation according to claim 6, further comprising:
performing cluster analysis on the attack characteristic values of each region at the current moment to obtain a cluster;
And determining the number of network attacks to which the area is subjected according to the number of the clustered clusters and the areas corresponding to the attack characteristic values in the clusters.
8. The method of claim 7, wherein updating the initial global state vector with the area estimation state of the area not under network attack comprises:
the updated global estimated state is determined using the following formula: wherein A is an array representing the sequence numbers of the areas under attack; N is an array comprising the sequence numbers of all areas of the direct current micro-grid; and the remaining two symbols represent the global estimation vector at the current moment and the covariance matrix of the global estimation vector at the current moment.
9. The method for detecting and estimating a global state of a dc micro-grid network attack of claim 8, wherein determining the global estimated state comprises:
judging whether the number of the areas not attacked by the network exceeds half of the total number of the areas;
if yes, determining a global estimation state;
if not, the global state estimation is not performed.
10. A direct current micro grid network attack detection and global state estimation device, the device comprising:
The initial determining unit is used for determining an initial global state vector and an initial covariance matrix according to the state vectors of the buck converters of all areas in the direct current micro-grid at the initial moment, wherein the initial global state vector is the global state vector at the initial moment;
the current determining unit is used for determining a current time zone estimation state vector according to the initial global state vector, the initial covariance matrix, input vectors of all zones at the initial time and a current time zone state observation vector, wherein elements in the current time zone state observation vector are the sum of output voltage of the buck converter of each zone, noise signals received by each zone and network attack signals received by each zone;
the network attack determining unit is used for determining an area which is not attacked by the network in the direct current micro-grid according to the area estimation state vector at the current moment;
the updating unit is used for updating the initial global state vector by utilizing the area estimation state vector of the area which is not attacked by the network to obtain an updated global estimation state;
and the iterative calculation unit is used for taking the current moment as the initial moment and iteratively calculating the area estimation state vector of each area at the next moment according to the updated global estimation state.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 9 when executing the computer program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 9.
CN202310969950.4A 2023-08-03 2023-08-03 Method and device for detecting network attack of direct-current micro-grid and estimating global state Active CN116708026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310969950.4A CN116708026B (en) 2023-08-03 2023-08-03 Method and device for detecting network attack of direct-current micro-grid and estimating global state

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310969950.4A CN116708026B (en) 2023-08-03 2023-08-03 Method and device for detecting network attack of direct-current micro-grid and estimating global state

Publications (2)

Publication Number Publication Date
CN116708026A CN116708026A (en) 2023-09-05
CN116708026B true CN116708026B (en) 2023-10-24

Family

ID=87839569

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310969950.4A Active CN116708026B (en) 2023-08-03 2023-08-03 Method and device for detecting network attack of direct-current micro-grid and estimating global state

Country Status (1)

Country Link
CN (1) CN116708026B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765880A (en) * 2021-07-01 2021-12-07 电子科技大学 Power system network attack detection method based on space-time correlation
CN115296853A (en) * 2022-07-06 2022-11-04 国网山西省电力公司信息通信分公司 Network attack detection method based on network space-time characteristics

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid


Also Published As

Publication number Publication date
CN116708026A (en) 2023-09-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant