CN117061214A - Security defense system and method for power transmission edge gateway network - Google Patents


Info

Publication number
CN117061214A
Authority
CN
China
Prior art keywords
blocking
weight
gateway
network
power transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311145562.0A
Other languages
Chinese (zh)
Inventor
李炎意
许永军
杨先林
鄢希锋
胡佑立
吴江锋
王晓波
王俊
刘志豪
陈立向
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cyg Electric Co ltd
Original Assignee
Cyg Electric Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention aims to provide a comprehensive, efficient and real-time power transmission edge gateway network security defense system and method, so as to cope with ever-increasing and evolving network security threats and ensure the network communication security and stability of enterprises and organizations. Through the improved gateway blocking weight calculation method, the power transmission edge gateway system can monitor flow in real time, calculate a blocking weight and make a blocking decision according to that weight; the method is flexible and responsive, and can dynamically evaluate the degree of flow abnormality, so that the ability to sense and respond to potential security threats is enhanced and the security of the Internet of Things transmission edge gateway is protected. The invention can be applied to the field of power transmission network security.

Description

Security defense system and method for power transmission edge gateway network
Technical Field
The invention relates to the field of power transmission network security, in particular to a power transmission edge gateway network security defense system and method.
Background
With the rapid development and wide application of the internet of things technology, the internet of things transmission edge gateway serves as an important hub between internet of things equipment and a cloud platform and plays a key role in data collection, transmission and processing. However, the internet of things transmission edge gateway faces increasingly complex and serious cyber security threats, mainly represented by:
(1) Expanded attack surface: an Internet of Things edge gateway connects a large number of Internet of Things devices that typically have different operating systems, communication protocols and security capabilities. This enlarges the potential attack surface, making the power edge gateway more likely to become the target of an attacker;
(2) Vulnerability exploitation: because of the large number of internet of things devices, many devices ignore security in the design and manufacturing process. The devices may have weaknesses and vulnerabilities, and an attacker can utilize the vulnerabilities to invade the power transmission edge gateway, acquire sensitive information or perform malicious operations;
(3) Data privacy protection: the Internet of Things transmission edge gateway processes a large amount of sensitive data, including equipment information, location data, monitoring data and the like. These data are exposed to eavesdropping, tampering and unauthorized access during transmission and storage, and require effective encryption and access control protection;
(4) Distributed network environment: internet of things (IOT) edge gateways are typically deployed in a distributed network environment where devices are dispersed in different geographical locations and network connections may be unstable or unreliable. This presents challenges for security monitoring and management, requiring the use of special security mechanisms and techniques to ensure security across the network.
In view of these challenges, the internet of things edge gateway needs to take comprehensive network security defenses including intrusion detection and blocking systems, data encryption and identity authentication, traffic monitoring and analysis, security policies and access control, etc. Through comprehensive application of various technical means, the internet of things transmission edge gateway can effectively protect the safety of internet of things equipment and data, and the credibility and stability of the internet of things are ensured.
Disclosure of Invention
The invention aims to overcome the defects of the prior art, and provides a comprehensive, efficient and real-time transmission edge gateway network security defense system and method, which are used for coping with the ever-increasing and evolving network security threats and ensuring the network communication security and stability of enterprises and organizations.
The technical scheme adopted by the invention is a system comprising:
a flow monitoring module, arranged on the power transmission edge gateway, for monitoring the inbound and outbound flow values of the power transmission edge gateway in real time;
a blocking weight calculation module which, based on a weighted moving average algorithm, obtains the blocking weight of the current time point from the real-time flow value and the historical blocking weight; and
a blocking decision module for determining whether to trigger a blocking action according to the blocking weight at the current time point and a preset threshold value, and executing the corresponding blocking strategy;
the flow monitoring module, the blocking weight calculation module and the blocking decision module jointly form the network security defense system matched with the power transmission edge gateway.
The flow monitoring module is an intrusion detection system, a flow analyzer, a network packet grabbing tool or a self-defined flow monitoring algorithm.
The blocking weight calculation module calculates based on an exponentially weighted moving average, and the calculation formula of the blocking weight is: S_n = λ × X_n + (1 − λ) × S_(n−1), where λ is an attenuation factor, X_n is the traffic observation value at the current time point, S_(n−1) is the blocking weight value at the previous time point, and n is the number of traffic observations.
The blocking decision module compares the blocking weight of the current time point with a preset threshold value, and when the blocking weight of the current time point is smaller than the preset threshold value, the blocking decision is implemented as follows: no blocking; when the blocking weight value of the current time point is equal to a preset threshold value, the blocking decision is implemented as follows: partial blocking; when the blocking weight value of the current time point is larger than a preset threshold value, the blocking decision is carried out as follows: blocking comprehensively.
The invention also comprises an optimizing and updating module which periodically evaluates the system performance and accuracy and adjusts the attenuation factors, the initial weights and the threshold values according to actual conditions.
A defending method of a security defending system of a power transmission edge gateway network comprises the following steps:
a. deploying a flow monitoring module, and monitoring inbound and outbound flows of the power transmission edge gateway in real time;
b. initializing parameters including attenuation factors and initial blocking weights of the power transmission edge gateway;
c. acquiring a flow observation value through flow monitoring equipment, and calculating a real-time blocking weight value according to a weighted moving average calculation formula;
d. the blocking decision module establishes a corresponding blocking strategy according to the blocking weight and a preset threshold, determines whether to trigger blocking action according to the blocking weight and the preset threshold of the current time point, and executes the corresponding blocking strategy.
It also comprises the following steps:
the optimizing and updating module periodically evaluates the performance and accuracy of the system, optimizes and adjusts the attenuation factors, the initial weights and the threshold values, and ensures the effectiveness and the safety of the system.
The specific process of the blocking weight calculation module for blocking weight calculation is as follows:
(1) Initializing parameters: before starting the calculation, the blocking weight calculation module initializes the attenuation factor λ and the initial blocking weight S_0 of the power transmission edge gateway, where λ takes a value in 0-1;
(2) Calculating the initial weight: the first flow observation value is taken as the initial weight value S_0, namely S_0 = X_0, where X_0 is the first flow observation value;
(3) Updating weight values: starting from the second flow observation, the blocking weight is updated according to the weighted moving average calculation formula by the following steps:
a. calculating a new blocking weight: S_n = λ X_n + (1 − λ) S_(n−1), where X_n is the observed flow value at the current time point and S_(n−1) is the blocking weight at the previous time point;
b. updating the blocking weight: the newly calculated blocking weight S_n becomes the blocking weight of the current time point, where n is the number of flow observations.
When a power transmission edge gateway meets the execution conditions of an attack blocking strategy, the parameters of the gateway need to be determined; the parameters comprise the network bandwidth F, the real-time network flow F, the distance d between the gateway and the attack source, the time t and the load parameter E. The load parameter E is used to obtain the network load from the real-time network monitoring conditions, and the network load is calculated with an exponentially weighted moving average algorithm as follows:
c. EWMA(t) = A·Y(t) + (1 − A)·EWMA(t−1);
d.
e. E = E/n;
f. a = 2/(n+1);
g. N_i = E_i / CPUN_i;
h.
where EWMA(t) is the blocking weight value calculated by the weighted moving average algorithm at the current time point (time t); EWMA(t−1) is the blocking weight calculated by the weighted moving average algorithm at the previous time point (time t−1); Y(t) is the gateway performance measurement value; n is the CPU acquisition time length; a is the weight coefficient obtained from the historical observation values, with 0 < a < 1, and a decreases exponentially, so that the weight of each sample in the calculation decreases as the measurement time recedes; CPUN is the number of CPUs contained in the gateway; N is a judgment factor used to judge the real-time state of the gateway; and i is the gateway number;
obtaining gateway load conditions by using a formula g, if a policy instruction can be issued after judgment, summarizing the gateway into a gateway set capable of executing the instruction, and then calculating the weight of the instruction issued by the gateway and selecting the gateway;
calculating the weight ratio of the gateway through a formula h, wherein the calculated weight ratio of the gateway is R, the weight coefficient of the gateway is k, the flow of the gateway at the moment t is represented by Ft, and the distance from the network attack source flow to the attacked through a plurality of gateways is represented by D; the gateway weight ratio is obtained according to the actual gateway flow judgment, and if the obtained gateway weight value is smaller, the gateway weight ratio is more suitable for executing the network attack blocking strategy instruction.
The beneficial effects of the invention are as follows: by the gateway blocking weight calculation method based on the improved type, the power transmission edge gateway system can monitor flow in real time, calculate blocking weight and carry out blocking decision according to the weight. The method has flexibility and instantaneity, and can dynamically evaluate the abnormal degree of the flow, so that the sensing and response capability to potential security threat is enhanced, and the security of the Internet of things transmission edge gateway is protected. Specifically, in the context of the power transmission edge gateway network security defense system and method, the following is a specific description of the beneficial effects:
(1) And improving the reliability of the network: the reliability and stability of the network are improved, and the risks of network interruption and faults are reduced.
(2) The risk of security threat is reduced: and the security threat is quickly identified and prevented, the risk of being attacked is reduced, and the security of sensitive data and business is protected.
(3) Reducing security event response time: and the safety event is responded in time, corresponding countermeasures are taken, the response time of the safety event is effectively shortened, and the potential loss is reduced.
(4) Strengthening network security defenses: and the defending effect and accuracy are improved, the network security defending capability of enterprises and organizations is enhanced, and a reliable protective barrier is provided.
(5) The labor cost is reduced: and the flow analysis and threat identification are automatically carried out, so that the labor cost is reduced, and the product clients can concentrate on coping with complex security events and strategy planning.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention;
fig. 2 is a diagram of experimental network topology in an embodiment of the present invention.
Detailed Description
As shown in fig. 1 and 2, the security defense system of the power transmission edge gateway network according to the present invention comprises:
a flow monitoring module, arranged on the power transmission edge gateway, for monitoring the inbound and outbound flow values of the power transmission edge gateway in real time;
a blocking weight calculation module which, based on a weighted moving average algorithm, obtains the blocking weight of the current time point from the real-time flow value and the historical blocking weight; and
a blocking decision module for determining whether to trigger a blocking action according to the blocking weight at the current time point and a preset threshold value, and executing the corresponding blocking strategy;
the flow monitoring module, the blocking weight calculation module and the blocking decision module jointly form the network security defense system matched with the power transmission edge gateway.
The invention also comprises an optimizing and updating module which periodically evaluates the system performance and accuracy and adjusts the attenuation factors, the initial weights and the threshold values according to actual conditions. Here, an embodiment is provided to illustrate under what circumstances the attenuation factor, initial weight, and threshold may be adjusted.
Examples:
(1) Adjustment of high flow period: when the network is exposed to high traffic loads, the system may need to detect anomalies more quickly. In this case, the attenuation factor may be moderately increased, allowing the system to adapt more quickly to new flow changes in order to detect and address potential threats earlier. The initial weights may also be adjusted based on changes in the historical data to more accurately reflect the current network state. The threshold may need to be raised because during periods of high flow, normal flow fluctuations may also exceed lower thresholds.
(2) Adjustment when threat increases: if the system monitors a significant increase in cyber-threat, such as the occurrence of large amounts of malicious traffic for a particular period of time, the decay factor may be temporarily reduced to more quickly reflect the threat situation. This may help the system discover and cope with new attack patterns faster. The initial weights may also be adjusted to more sensitively detect anomalies. The threshold may need to be lowered in order to trigger the blocking measure more easily.
(3) Adjustment at normal behavior change: if the normal behavior of the network changes, for example, due to traffic demands, a new traffic pattern is introduced, the system may need to adjust the decay factors and initial weights to better accommodate the new normal behavior. The threshold may need to be adjusted according to the new normal behavior to avoid false positives.
(4) Adjustment at system stabilization: under the condition that the network environment is relatively stable, the attenuation factor can be moderately increased so as to balance the influence on the historical data, thereby improving the stability of the system. The initial weights and thresholds may also be fine-tuned to accommodate stable network traffic patterns.
The flow monitoring module is an intrusion detection system, a flow analyzer, a network packet grabbing tool or a self-defined flow monitoring algorithm. Here, the custom flow monitoring algorithm is implemented by the following code:
The blocking weight calculation module calculates based on an exponentially weighted moving average, and the calculation formula of the blocking weight is: S_n = λ × X_n + (1 − λ) × S_(n−1), where λ is an attenuation factor, X_n is the traffic observation value at the current time point, S_(n−1) is the blocking weight value at the previous time point, and n is the number of traffic observations, which can be regarded as a discrete representation of time and denotes the n-th observed traffic value.
The blocking decision module compares the blocking weight value of the current time point with a preset threshold value, (1) when the blocking weight value of the current time point is smaller than the preset threshold value, the blocking decision is implemented as follows: no blocking. In this case, the system considers that the network traffic is within a normal range, and the condition for triggering blocking is not reached, and thus any blocking operation is not performed. (2) When the blocking weight value of the current time point is equal to a preset threshold value, the blocking decision is implemented as follows: partial blocking. In this case, the system may perform some slight blocking operation, such as limiting certain types of traffic or lowering the priority of certain services, to cope with potential anomalies. (3) When the blocking weight of the current time point is larger than a preset threshold, the blocking decision is implemented as follows: blocking comprehensively. In this case, the system considers that the network traffic is abnormally severe, and an attack or security threat may exist, so that more strict blocking measures, such as completely disconnecting from the affected part, suspending certain network services, etc., may be taken to ensure the security of the network.
The defending method by using the security defending system of the power transmission edge gateway network comprises the following steps:
a. deploying a flow monitoring module, and monitoring inbound and outbound flows of the power transmission edge gateway in real time;
b. initializing parameters including attenuation factors and initial blocking weights of the power transmission edge gateway;
c. acquiring a flow observation value through flow monitoring equipment, and calculating a real-time blocking weight value according to a weighted moving average calculation formula;
d. the blocking decision module establishes a corresponding blocking strategy according to the blocking weight and a preset threshold, determines whether to trigger blocking action according to the blocking weight and the preset threshold of the current time point, and executes the corresponding blocking strategy.
It also comprises the following steps:
the optimizing and updating module periodically evaluates the performance and accuracy of the system, optimizes and adjusts the attenuation factors, the initial weights and the threshold values, and ensures the effectiveness and the safety of the system.
The specific process of the blocking weight calculation module for blocking weight calculation is as follows:
(1) Initializing parameters: before starting the calculation, the blocking weight calculation module initializes the attenuation factor λ and the initial blocking weight S_0 of the power transmission edge gateway, where λ takes a value in 0-1;
(2) Calculating the initial weight: the first flow observation value is taken as the initial weight value S_0, namely S_0 = X_0, where X_0 is the first flow observation value;
(3) Updating weight values: starting from the second flow observation, the blocking weight is updated according to the weighted moving average calculation formula by the following steps:
a. calculating a new blocking weight: S_n = λ X_n + (1 − λ) S_(n−1), where X_n is the observed flow value at the current time point and S_(n−1) is the blocking weight at the previous time point;
b. updating the blocking weight: the newly calculated blocking weight S_n becomes the blocking weight of the current time point, where n is the number of flow observations.
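The weight update of steps (1)-(3) together with the three-way rule of the blocking decision module, as an added Python example that is not code from the patent. The constructed traffic series, the attenuation factor 0.5, the threshold 300 and the optional `tolerance` parameter for the "equal to threshold" case are assumptions of this example, not values taken from the patent.

```python
"""EWMA blocking weight and three-way blocking decision.

Added example, not code from the patent.  Implements the weight update
    S_0 = X_0,  S_n = lam*X_n + (1 - lam)*S_(n-1)
and the decision rule of the blocking decision module:
    S_n < threshold  -> no blocking
    S_n = threshold  -> partial blocking
    S_n > threshold  -> comprehensive blocking
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class BlockingWeight:
    """Holds the attenuation factor and the running weight S_(n-1) for one gateway."""
    lam: float                      # attenuation factor, in [0, 1]
    weight: Optional[float] = None  # S_(n-1); None until the first observation
    n: int = 0                      # number of traffic observations seen

    def __post_init__(self) -> None:
        if not 0.0 <= self.lam <= 1.0:
            raise ValueError("attenuation factor must lie in [0, 1]")

    def update(self, x_n: float) -> float:
        """Step (2) on the first observation, step (3) afterwards."""
        self.n += 1
        if self.weight is None:
            self.weight = float(x_n)                        # S_0 = X_0
        else:
            self.weight = self.lam * x_n + (1.0 - self.lam) * self.weight
        return self.weight


def decide(weight: float, threshold: float, tolerance: float = 0.0) -> str:
    """Map the weight to 'none', 'partial' or 'full'.

    The patent compares for exact equality; `tolerance` (this example's own
    assumption) widens the 'partial' band because a floating-point EWMA
    practically never lands exactly on the threshold.
    """
    if abs(weight - threshold) <= tolerance:
        return "partial"
    return "none" if weight < threshold else "full"


def run(observations: Sequence[float], lam: float, threshold: float,
        tolerance: float = 0.0) -> List[Tuple[float, str]]:
    """Feed a traffic series through the weight update and the decision rule."""
    bw = BlockingWeight(lam)
    trace = []
    for x in observations:
        s = bw.update(x)
        trace.append((round(s, 4), decide(s, threshold, tolerance)))
    return trace


# Constructed inbound traffic sample (Mbit/s per interval); not patent data.
SAMPLE_TRAFFIC = (100, 110, 105, 400, 900, 950, 120)

if __name__ == "__main__":
    for s, d in run(SAMPLE_TRAFFIC, lam=0.5, threshold=300):
        print(f"S_n = {s:9.4f}  decision = {d}")
```

Running the sample shows the behaviour the attenuation factor governs: the single jump to 400 only lifts the weight to 252.5, so no blocking fires, while after traffic falls back to 120 the weight is still 441.56 and comprehensive blocking stays in force for a while. That lag in both directions is the trade-off the optimizing and updating module tunes when it raises or lowers λ and the threshold.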
When a power transmission edge gateway meets the execution conditions of an attack blocking strategy, the parameters of the gateway need to be determined; the parameters comprise the network bandwidth F, the real-time network flow F, the distance d between the gateway and the attack source, the time t and the load parameter E. The load parameter E is used to obtain the network load from the real-time network monitoring conditions, and the network load is calculated with an exponentially weighted moving average algorithm as follows:
c. EWMA(t) = A·Y(t) + (1 − A)·EWMA(t−1);
d.
e. E = E/n;
f. a = 2/(n+1);
g. N_i = E_i / CPUN_i;
h.
where EWMA(t) is the blocking weight calculated by the weighted moving average algorithm at the current time point (time t): the blocking weight of the current time point is obtained from the real-time flow value and the historical blocking weight using the weighted moving average algorithm, and the calculated value is EWMA(t). EWMA(t−1) is the blocking weight calculated by the weighted moving average algorithm at the previous time point (time t−1); the historical blocking weights mentioned in the description include this value, the weight of the previous time point being EWMA(t−1). Y(t) is the gateway performance measurement value, n is the CPU acquisition time length, and a is the weight coefficient obtained from the historical observation values, with 0 < a < 1; a decreases exponentially, so the weight of each sample in the calculation decreases as the measurement time recedes. When the weight coefficient a approaches 1, the weight of the current sampled value is high, the weight of the historical measurement values is lower, and timeliness is strongest. Therefore, the magnitude of the weight coefficient a is affected by the network attack blocking execution conditions. For example, if the network load of the gateway is high in a certain period but the calculated blocking weight is low, the whole calculation result is in error, and the excessive network load degrades network computing performance. Calculating the historical weight parameters with an exponentially weighted moving average algorithm reduces this error rate. The load condition is obtained through the weighted moving average calculation, and the performance and load parameters of the gateway determine whether the gateway can issue policy instructions.
The number of the CPUs contained in the gateway is expressed as CPUN, N is a judgment factor when judging the real-time state of the gateway, and the gateway number is expressed as i.
Obtaining gateway load conditions by using a formula g, if a policy instruction can be issued after judgment, summarizing the gateway into a gateway set capable of executing the instruction, and then calculating the weight of the instruction issued by the gateway and selecting the gateway; the gateway weight is calculated mainly according to the distance from the gateway to the attack source and the network traffic condition.
Since filtering rules affect the actual traffic of the gateway, the closer the gateway is to the attack source and the smaller its traffic, the higher the weight given (9-10). If the gateway already has high traffic of its own and is given more filtering rules, its performance is reduced further. The weight ratio of the gateway is calculated through formula h, where R is the calculated weight ratio of the gateway, k is the weight coefficient of the gateway, Ft is the flow of the gateway at time t, and D is the distance travelled by the network attack source traffic through several gateways to the attacked host. The gateway weight ratio is obtained from the actual gateway flow, and the smaller the obtained gateway weight value, the more suitable the gateway is for executing the network attack blocking strategy instruction.
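The gateway load assessment of formulas c, f and g, followed by the selection of the gateway set eligible to receive the policy instruction, as an added Python example that is not the patent's own code. Formulas d and h are not reproduced on the page, so the example stops at the candidate set and does not compute the weight ratio R. The per-gateway CPU load samples, the CPU counts and the per-CPU load limit of 0.8 are constructed assumptions of this example; the page itself gives no eligibility threshold.

```python
"""Gateway load assessment with an exponentially weighted moving average.

Added example, not code from the patent.  Implements:
  formula c: EWMA(t) = a*Y(t) + (1 - a)*EWMA(t-1)
  formula f: a = 2/(n + 1), n = number of samples in the CPU acquisition window
  formula g: N_i = E_i / CPUN_i, per-CPU load of gateway i
and then collects the gateways whose per-CPU load stays under an assumed limit
into the set of gateways eligible to receive a blocking-policy instruction.
"""
from typing import Dict, List, Sequence, Tuple


def smoothing_coefficient(n: int) -> float:
    """Formula f: a = 2/(n+1), n being the number of samples in the window."""
    if n < 1:
        raise ValueError("acquisition window must contain at least one sample")
    return 2.0 / (n + 1)


def ewma_load(samples: Sequence[float]) -> float:
    """Formula c over a window of load samples Y(t), seeded with the first sample.

    The coefficient a comes from formula f, so a long window weights the history
    more heavily and a short window tracks the latest sample more closely.
    """
    a = smoothing_coefficient(len(samples))
    ewma = float(samples[0])
    for y in samples[1:]:
        ewma = a * y + (1.0 - a) * ewma
    return ewma


def per_cpu_load(e_i: float, cpun_i: int) -> float:
    """Formula g: N_i = E_i / CPUN_i."""
    if cpun_i < 1:
        raise ValueError("gateway must report at least one CPU")
    return e_i / cpun_i


# Constructed sample: gateway id -> (load samples Y(t) over the window, CPU count).
# These values are invented for the example; they are not experimental data.
SAMPLE_GATEWAYS: Dict[str, Tuple[Sequence[float], int]] = {
    "gw1": ((1.2, 1.5, 3.8, 3.6, 3.9), 4),
    "gw2": ((2.0, 2.2, 2.1, 2.4, 2.3), 2),
    "gw3": ((0.5, 0.6, 0.4, 0.5, 0.6), 1),
}


def assess(gateways: Dict[str, Tuple[Sequence[float], int]]) -> Dict[str, float]:
    """Return N_i for every gateway in the input."""
    return {gw: per_cpu_load(ewma_load(samples), cpus)
            for gw, (samples, cpus) in gateways.items()}


def candidate_gateways(gateways: Dict[str, Tuple[Sequence[float], int]],
                       max_per_cpu_load: float) -> List[str]:
    """Gateways whose per-CPU load is below the limit may execute the instruction.

    The page states only that load decides eligibility; the fixed limit is
    this example's assumption.
    """
    return [gw for gw, n_i in assess(gateways).items() if n_i < max_per_cpu_load]


if __name__ == "__main__":
    for gw, n_i in assess(SAMPLE_GATEWAYS).items():
        print(f"{gw}: per-CPU load N_i = {n_i:.3f}")
    print("eligible:", candidate_gateways(SAMPLE_GATEWAYS, 0.8))
```

With a five-sample window a = 1/3, so gw1, whose last three samples are close to saturating its four CPUs, still reports a per-CPU load of about 0.76 and is listed as eligible; gw2 exceeds the limit and gw3 is comfortably under it. That smoothing lag is exactly the dependence of a on the window length n that the description discusses, and it is why the page ties the choice of a to the blocking execution conditions rather than fixing it.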
To this end, gateway load and attack source distance impact factors are validated. Specifically, the following is described.
The experiment mainly verifies the influence of the attack distance and the gateway load ratio on the calculation of the gateway's network attack blocking weight. A longitudinal comparison is used: with different attack distances and gateway load ratios set, the gap between the obtained gateway attack blocking weight and a preset value is measured, from which the optimal attack distance and gateway load ratio are obtained. The experimental network topology is shown in fig. 2: the attack traffic of the attack source enters the integrated intelligent backbone network through a gateway and is forwarded across different Internet gateways, so that a complete network attack is finally carried out. Each gateway has two network ports and is therefore shown with two IP addresses; the IP addresses are network addresses set for the experiment. The experimental steps are as follows: build the network topology and set the gateway routing tables; set the IP addresses and routing tables of the attacking host and the attacked host so that they can communicate over the network; install network attack software on the attacking host, set the attack target IP to the IP address of the attacked host, and carry out a distributed denial of service attack; and modify the system program to set several gateway load k values, launching several network attacks against the attacked host to obtain the network attack blocking weight calculation results.
After the network topology structure diagram required by the experiment is completed, a channel between the access gateway and the Internet gateway is built in a virtual machine mode. Table 1 is a set gateway routing table, and includes each gateway address, an attack host, and an ip address of the attacked host in the network topology. The target address is the ip address of the attacked host to which the attack traffic needs to reach, and when the gateway forwards the attack traffic and reaches the target address, the gateway address is the ip address of the next attack target.
Table 2 shows the experimental results for different k values: the number of gateways to which the attack blocking policy was issued and its product with the summed traffic of each gateway, which is used to judge the attack blocking effect. In practice, the lower the total traffic of each gateway, the smaller the impact of the blocking policy on the gateway and the better the blocking effect. The volume of network attack traffic is controlled through the installed attack software and was set to 1000 MB for the experiment; gateway traffic was collected and stored in real time by a scheduled traffic collection script for later analysis. A dedicated gateway load script calculates and records the gateway load in real time and computes the average gateway load during the network attack. To improve the validity and reliability of the experiment and to ensure accurate results in different environments, additional gateway load tests were run, with load values brought as close as possible to each gateway's maximum load, so that the factor values used in the blocking weight calculation are reliable. As Table 2 shows, when the gateway load factor is between 0.5 and 0.6 and a network attack occurs, the gateway blocking weight calculation method improves the blocking effect.
The experimental results show that, in the attack blocking method applied close to the network attack source, the attack distance and the gateway load ratio have a large influence on the calculated network attack blocking weight. The results were compared longitudinally by varying the network load ratio variable k, and the actual effect of the attack blocking algorithm was analyzed. The best blocking effect is obtained with the attack blocking algorithm when the network load ratio k is between 0.5 and 0.6.
The following are two embodiments of the invention.
Embodiment one: edge gateway defense system based on hardware equipment
a. Deploying a traffic monitoring device: select suitable hardware, such as an intrusion detection system or a traffic analyzer, and deploy it on the power transmission edge gateway to monitor inbound and outbound traffic in real time.
b. Configuring a blocking weight calculation module: develop a software module that computes the blocking weight at the current time point from the real-time traffic observation and the historical blocking weight using the weighted moving average algorithm.
c. Designing a blocking decision module: set a threshold on the blocking weight value and formulate the corresponding blocking strategy. For example, when the blocking weight exceeds the threshold, a blocking action is triggered, such as blocking the source IP address or disabling access to a particular port.
d. Deployment and testing: deploy the developed modules on the power transmission edge gateway, then test and verify them to confirm that the system calculates the blocking weight accurately and executes the blocking decision.
Embodiment two: edge gateway defense system based on software application
a. Developing a traffic monitoring module: design and develop a software module that monitors inbound and outbound traffic on the edge gateway in real time. A network packet capture tool or a custom traffic monitoring algorithm may be used.
b. Implementing a blocking weight calculation module: implement the weighted moving average formula in a programming language and compute the blocking weight at the current time point from the real-time traffic observation and the historical blocking weight.
c. Integrating a blocking decision module: develop a decision module that determines whether to trigger a blocking action from the blocking weight and a preset threshold, and executes the corresponding blocking strategy.
d. Deployment and testing: integrate the developed software modules into the edge gateway system and test them at the system and function level to ensure the correctness and reliability of the blocking weight calculation and the decision function.
According to the invention, through real-time traffic analysis and the deep learning algorithm, the system can accurately identify and block various security threats, protect the networks of enterprises and organizations from malicious attack, and improve overall network security. The system monitors and analyzes the network traffic of the power transmission edge gateway in real time, so that it can respond quickly to and block security threats, limiting the impact of an attack on the network and the spread of malicious traffic. The system has a real-time alarm mechanism that promptly sends alarm information to the network administrator, who can then respond quickly to the security event and take countermeasures, reducing the potential risk. The system periodically optimizes and updates its model to adapt to continuously evolving security threats and attack methods, improving defense effectiveness and accuracy and ensuring long-term network security. Through effective power transmission edge gateway network security defense, the system protects the gateway and the monitored critical data and private information from unauthorized acquisition and misuse, maintaining the reliability of product data.
In summary, the present invention aims to provide a comprehensive, efficient and real-time security defense system and method for a power transmission edge gateway network, so as to cope with the ever-increasing and evolving network security threats and ensure the network communication security and stability of enterprises and organizations.
Finally, it should be emphasized that the foregoing description is merely illustrative of the preferred embodiments of the invention, and that various changes and modifications can be made by those skilled in the art without departing from the spirit and principles of the invention, and any such modifications, equivalents, improvements, etc. are intended to be included within the scope of the invention.

Claims (9)

1. A power transmission edge gateway network security defense system, characterized in that it comprises:
a traffic monitoring module, arranged on the power transmission edge gateway, for monitoring the inbound and outbound traffic values of the power transmission edge gateway in real time;
a blocking weight calculation module which, based on a weighted moving average algorithm, obtains the blocking weight of the current time point from the real-time traffic value and the historical blocking weight; and
a blocking decision module for determining whether to trigger a blocking action according to the blocking weight at the current time point and the preset threshold value, and for executing the corresponding blocking strategy;
the traffic monitoring module, the blocking weight calculation module and the blocking decision module jointly form the network security defense system matched with the power transmission edge gateway.
2. The system of claim 1, wherein the traffic monitoring module is an intrusion detection system, a traffic analyzer, a network packet capture tool, or a custom traffic monitoring algorithm.
3. The power transmission edge gateway network security defense system according to claim 1, wherein the blocking weight calculation module calculates based on an exponentially weighted moving average, and the blocking weight is calculated as S_n = λ·X_n + (1 − λ)·S_(n−1), where λ is the attenuation factor, X_n is the traffic observation at the current time point, S_(n−1) is the blocking weight at the previous time point, and n is the number of traffic observations.
4. The system of claim 1, wherein the blocking decision module compares the blocking weight at the current time point with a preset threshold and makes the blocking decision as follows: when the blocking weight at the current time point is smaller than the preset threshold, no blocking; when the blocking weight at the current time point is equal to the preset threshold, partial blocking; when the blocking weight at the current time point is larger than the preset threshold, full blocking.
5. The power transmission edge gateway network security defense system of claim 1 further comprising an optimization and update module that periodically evaluates system performance and accuracy and adjusts attenuation factors, initial weights, and thresholds based on actual conditions.
6. A defense method for the power transmission edge gateway network security defense system according to any one of claims 1 to 5, the method comprising the steps of:
a. deploying a traffic monitoring module and monitoring the inbound and outbound traffic of the power transmission edge gateway in real time;
b. initializing parameters, including the attenuation factor and the initial blocking weight of the power transmission edge gateway;
c. acquiring a traffic observation through the traffic monitoring device and calculating the real-time blocking weight according to the weighted moving average formula;
d. the blocking decision module establishing the corresponding blocking strategy from the blocking weight and a preset threshold, determining whether to trigger a blocking action according to the blocking weight and the preset threshold at the current time point, and executing the corresponding blocking strategy.
7. The network security defense method of the power transmission edge gateway according to claim 6, further comprising the steps of:
the optimizing and updating module periodically evaluates the performance and accuracy of the system, optimizes and adjusts the attenuation factors, the initial weights and the threshold values, and ensures the effectiveness and the safety of the system.
8. The network security defense method of the power transmission edge gateway according to claim 6, wherein the blocking weight calculation module performs the blocking weight calculation as follows:
(1) Initializing parameters: before starting the calculation, the blocking weight calculation module initializes the attenuation factor λ and the initial blocking weight S_0 of the power transmission edge gateway, where λ takes a value between 0 and 1;
(2) Calculating the initial weight: the first traffic observation is taken as the initial weight S_0, that is, S_0 = X_0, where X_0 is the first traffic observation;
(3) Updating the weight: starting from the second traffic observation, the blocking weight is updated according to the weighted moving average formula in the following steps:
a. calculating the new blocking weight: S_n = λ·X_n + (1 − λ)·S_(n−1), where X_n is the traffic observation at the current time point and S_(n−1) is the blocking weight at the previous time point;
b. updating the blocking weight: the newly calculated S_n becomes the blocking weight of the current time point, where n is the number of traffic observations.
9. The network security defense method of the power transmission edge gateway according to claim 6, wherein the power transmission edge gateway must determine the gateway parameters according to the execution conditions of the attack blocking strategy; the parameters include the network bandwidth F, the real-time network traffic F, the distance d between the gateway and the attack source, the time t and the load parameter E; the load parameter E is obtained from real-time network monitoring, and the network load condition is calculated by the exponentially weighted moving average algorithm as follows:
c. EWMA(t) = a·Y(t) + (1 − a)·EWMA(t − 1);
d.
e. E = E/n;
f. a = 2/(n + 1);
g. N_i = E_i / CPUN_i;
h.
wherein EWMA(t) denotes the blocking weight calculated by the weighted moving average algorithm at the current time point (time t); EWMA(t − 1) denotes the blocking weight calculated by the weighted moving average algorithm at the previous time point (time t − 1); Y(t) is the gateway performance measurement; n is the CPU collection duration; a is the weight coefficient obtained from the historical observations, with 0 < a < 1, and decreases exponentially, so that the weight of an index in the calculation decays as the measurement time changes; CPUN is the number of CPUs contained in the gateway; N is the judgment factor used to determine the real-time state of the gateway; and i is the gateway number;
the gateway load condition is obtained with formula g; if the judgment shows that a policy instruction can be issued, the gateway is added to the set of gateways able to execute the instruction, after which the weight for issuing the instruction is calculated for each gateway and a gateway is selected;
the gateway weight ratio is calculated with formula h, where R is the calculated gateway weight ratio, k is the gateway weight coefficient, F_t is the gateway traffic at time t, and D is the distance travelled by the network attack source traffic through several gateways to the attacked host; the gateway weight ratio is judged from the actual gateway traffic, and the smaller the obtained gateway weight value, the more suitable the gateway is for executing the network attack blocking policy instruction.
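As an added worked example (editor's code, not code from the patent or its applicant), the following Python puts the claimed calculation together: the blocking weight S_n = λ·X_n + (1 − λ)·S_(n−1) of claims 3 and 8, seeded with S_0 = X_0, the three-way decision of claim 4, and the gateway load judgement of claim 9 (formulas c, e, f and g); it also covers the software embodiment described above. Assumptions that are not on the page: the traffic and CPU samples are constructed; "equal to the threshold" is read as a small tolerance band around the threshold; formula e is read as the mean of the EWMA series over the n samples; a gateway is treated as able to execute the instruction when N_i ≤ k; formulas d and h are not reproduced on the page, so the weight ratio R is not computed.

```python
"""Added worked example (editor's code, not from the patent or the applicant).

It implements the blocking-weight EWMA of claims 3 and 8, the three-way
decision of claim 4, and the per-gateway load judgement of claim 9
(formulas c, e, f and g). All traffic and CPU samples below are constructed.
"""


# ---- Blocking weight (claims 3 and 8) --------------------------------------

def blocking_weights(observations, lam):
    """Return [S_0, ..., S_n] for traffic observations X_0..X_n.

    S_0 = X_0 (claim 8, step 2); for n >= 1:
        S_n = lam * X_n + (1 - lam) * S_(n-1)
    lam is the attenuation factor in (0, 1]. lam == 1 reproduces the raw
    observations; a smaller lam smooths harder and remembers longer.
    """
    if not 0 < lam <= 1:
        raise ValueError("attenuation factor lam must be in (0, 1]")
    weights = []
    for x in observations:
        if not weights:
            weights.append(float(x))
        else:
            weights.append(lam * x + (1 - lam) * weights[-1])
    return weights


def blocking_decision(weight, threshold, band=1e-9):
    """Claim 4 mapping: below threshold -> 'none', at threshold -> 'partial',
    above -> 'full'. Floats rarely hit the threshold exactly, so 'at' is
    taken as within +/- band (an assumption, not in the claim)."""
    if abs(weight - threshold) <= band:
        return "partial"
    return "full" if weight > threshold else "none"


def decisions(observations, lam, threshold):
    """Decision per time point for a whole observation series."""
    return [blocking_decision(s, threshold)
            for s in blocking_weights(observations, lam)]


# Constructed inbound traffic (MB per interval): steady load, a flood, recovery.
TRAFFIC_MB = [50, 52, 48, 51, 400, 420, 450, 60, 55, 50]
LAMBDA = 0.3
THRESHOLD_MB = 150


# ---- Gateway load judgement (claim 9, formulas c, e, f, g) ------------------

def ewma_series(samples, a):
    """Formula c: EWMA(t) = a*Y(t) + (1-a)*EWMA(t-1), seeded with Y(0)."""
    out = []
    for y in samples:
        out.append(float(y) if not out else a * y + (1 - a) * out[-1])
    return out


def gateway_load_factor(cpu_samples, cpu_count):
    """N_i = E_i / CPUN_i (formula g).

    Y(t) is the gateway's total CPU busy in core-equivalents over n samples.
    a = 2/(n+1) (formula f). E is taken as the mean of the EWMA series over
    the n samples, which is how formula e (E = E/n) is read here together
    with the description's 'average gateway load during the attack'
    (assumption).
    """
    n = len(cpu_samples)
    if n == 0 or cpu_count <= 0:
        raise ValueError("need at least one sample and a positive CPU count")
    a = 2 / (n + 1)
    e = sum(ewma_series(cpu_samples, a)) / n
    return e / cpu_count


def eligible_gateways(gateways, k):
    """Gateways whose load factor N_i <= k form the set able to execute a
    blocking instruction (eligibility rule is an assumption; formula h and
    the ratio R are not reproduced on the page, so they are not computed)."""
    return sorted(name for name, (samples, cpus) in gateways.items()
                  if gateway_load_factor(samples, cpus) <= k)


# Constructed per-gateway CPU busy samples (core-equivalents) and core counts.
GATEWAYS = {
    "gw1": ([1.2, 1.4, 1.3, 1.5], 4),   # lightly loaded
    "gw2": ([3.6, 3.8, 3.9, 3.7], 4),   # near saturation
    "gw3": ([1.0, 1.1, 0.9, 1.0], 2),   # about half loaded: inside the 0.5-0.6 band
}


if __name__ == "__main__":
    for x, s, d in zip(TRAFFIC_MB, blocking_weights(TRAFFIC_MB, LAMBDA),
                       decisions(TRAFFIC_MB, LAMBDA, THRESHOLD_MB)):
        print(f"X={x:4d}  S={s:8.2f}  decision={d}")
    for k in (0.5, 0.55):
        print(f"k={k}: eligible gateways {eligible_gateways(GATEWAYS, k)}")
```

Running the block shows the EWMA's memory: with λ = 0.3 the weight first crosses the 150 MB threshold on the first flood sample (S_4 ≈ 155.1) and stays above it for two intervals after the flood stops, so blocking is released only once the smoothed weight has decayed. The gateway part shows how the k band matters: gw3 (load factor ≈ 0.50) is eligible at k = 0.55 but not at k = 0.5, while the saturated gw2 is never selected.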
CN202311145562.0A 2023-09-06 2023-09-06 Security defense system and method for power transmission edge gateway network Pending CN117061214A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311145562.0A CN117061214A (en) 2023-09-06 2023-09-06 Security defense system and method for power transmission edge gateway network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311145562.0A CN117061214A (en) 2023-09-06 2023-09-06 Security defense system and method for power transmission edge gateway network

Publications (1)

Publication Number Publication Date
CN117061214A true CN117061214A (en) 2023-11-14

Family

ID=88666310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311145562.0A Pending CN117061214A (en) 2023-09-06 2023-09-06 Security defense system and method for power transmission edge gateway network

Country Status (1)

Country Link
CN (1) CN117061214A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117692251A (en) * 2024-01-25 2024-03-12 中诚华隆计算机技术有限公司 Processor network security defense system and method
CN117692251B (en) * 2024-01-25 2024-04-09 中诚华隆计算机技术有限公司 Processor network security defense system and method

Similar Documents

Publication Publication Date Title
US7281270B2 (en) Attack impact prediction system
CN108289088A (en) Abnormal traffic detection system and method based on business model
US7607170B2 (en) Stateful attack protection
KR102017810B1 (en) Preventive Instrusion Device and Method for Mobile Devices
Kholidy et al. A finite state hidden markov model for predicting multistage attacks in cloud systems
US20070169194A1 (en) Threat scoring system and method for intrusion detection security networks
Gómez et al. Design of a snort-based hybrid intrusion detection system
Beigh et al. Intrusion Detection and Prevention System: Classification and Quick
Akbar et al. Intrusion detection system methodologies based on data analysis
Grechishnikov et al. Algorithmic model of functioning of the system to detect and counter cyber attacks on virtual private network
CN117061214A (en) Security defense system and method for power transmission edge gateway network
KR101951208B1 (en) A firewall system for monitoring network traffic by using firewall agent
Mathews et al. A collaborative approach to situational awareness for cybersecurity
Kholidy et al. A hierarchical, autonomous, and forecasting cloud IDS
Ádám et al. Artificial neural network based IDS
Zouhair et al. A review of intrusion detection systems in cloud computing
CN117768166A (en) AMI risk quantification evaluation method and system considering network attack damage-caused path
US8095981B2 (en) Worm detection by trending fan out
Sagatov et al. Proactive detection for countermeasures on port scanning based attacks
Kumar et al. Statistical based intrusion detection framework using six sigma technique
Lim et al. Proposal of Smart Segmentation Framework for preventing threats from spreading in IoT
Yang et al. Design a hybrid flooding attack defense scheme under the cloud computing environment
Maynard et al. Using Application Layer Metrics to Detect Advanced SCADA Attacks.
Alsubhi et al. Policy-based security configuration management, application to intrusion detection and prevention
Lakra HSNORT: A Hybrid intrusion detection system using artificial intelligence with snort

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination