CN117155629A - Electric power information system network active defense method and system based on artificial intelligence - Google Patents

Info

Publication number
CN117155629A
Authority
CN
China
Prior art keywords
network
data
attack
feature
power
Prior art date
Legal status
Pending
Application number
CN202311094580.0A
Other languages
Chinese (zh)
Inventor
蒙亮
曾明霏
许引泉
谢铭
谢朋宇
李思蔚
陈丽娜
杨文杰
田永涛
Current Assignee
Guangxi Power Grid Co Ltd
Original Assignee
Guangxi Power Grid Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An artificial intelligence-based active defense method and system for a power information system network comprise the following steps: step 1: monitoring the traffic of the power information system network in real time and collecting network traffic data; step 2: after collecting the network traffic data, analyzing the data with an improved decision tree neural network algorithm to realize accurate tracing of network attacks; step 3: after the attack source is determined, automatically starting a blocking program and dynamically blocking the attack source according to blocking time and direction indexes; step 4: after dynamic blocking, analyzing the network traffic data to determine network segment and TCP data indexes, realizing virtual networking and improving network security. The method for calculating the update degree matrix value and the change degree value can remarkably improve the selection rate of a salient region and greatly reduce image distortion.

Description

Electric power information system network active defense method and system based on artificial intelligence
Technical Field
The application relates to the technical field of power system security, in particular to an artificial intelligence-based active defense method and system for a power information system network.
Background
With the development of information technology, electric power systems increasingly depend on complex network systems for operation and management. However, this also exposes the power system to various network threats, including hacking, virus infection, data leakage and the like. These threats may not only affect the proper operation of the power system but may also cause significant loss to society and the economy. Therefore, how to effectively defend against network attacks and ensure the safe and stable operation of the power system has become an important research topic.
Traditional network defense mainly relies on equipment such as firewalls and intrusion detection systems, which filter and control network traffic through preset rules and policies. However, this approach tends to fall short in the face of complex and changing network attacks. On the one hand, preset rules and policies often cannot cover all attack scenarios and are easily bypassed by an attacker who exploits their gaps. On the other hand, the means and tactics of network attacks are constantly changing, requiring defense rules to be constantly updated and adjusted, which is a significant challenge for network administrators. To address these problems, the prior art has attempted to introduce artificial intelligence techniques to improve the intelligence and automation of network defense. Using algorithms such as machine learning and deep learning, network traffic can be deeply analyzed and network attacks can be automatically discovered and defended against. Meanwhile, a flexible and controllable network environment can be constructed through virtualization technology, so that network attacks can be effectively isolated and contained.
Network defense methods based on artificial intelligence have achieved good results in some fields, but their application in the field of power systems is still at a preliminary stage: accuracy and efficiency in tracing and dynamic blocking are low, and the requirement for intelligent operation cannot be met. In addition, the existing methods only process the extracted feature data of the power equipment and do not process the data formed by combining the extracted features with the original features, so the accuracy and convenience of active defense are low. An accurate, fast, convenient and efficient method has therefore become an urgent need in order to improve the user's experience.
Disclosure of Invention
In order to solve the above technical problems, the invention provides an artificial intelligence-based active defense method and system for a power information system network. Through the arrangement of the overall process structure and of the feature extraction mode, accurate tracing is realized by an initial classification with an improved decision tree algorithm followed by a neural network algorithm; tracing accuracy is greatly enhanced and the protection efficiency of the power system is remarkably improved. It is realized as follows:
An artificial intelligence-based active defense method for a power information system network comprises the following steps: step 1: monitoring the traffic of the power information system network in real time and collecting network traffic data, which comprise: number of attacks, attack time, data packet size, transmission frequency, and power equipment voltage and current;
step 2: after collecting the network traffic data, analyzing the data with an improved decision tree neural network algorithm to realize accurate tracing of network attacks;
step 2.1: performing primary classification of the data according to information gain using an improved decision tree algorithm, where the information gain Gain(D, A) of feature A on data set D is calculated as follows:
where D represents the data set, A represents the feature, Values(A) represents all possible values of feature A, D_v represents the subset of D in which feature A takes the value v, |D_v| represents the number of elements of D_v, |D| represents the number of elements of D, δ represents the power equipment current related value (the larger its difference from the power equipment current reference value, the higher the value), and Entropy(D) represents the entropy of data set D, calculated as follows:
where K represents the number of classes and p_k represents the proportion of class k in data set D; the larger the information gain, the better the dividing effect of feature A on data set D; β represents the power equipment voltage related value, and the larger its difference from the power equipment voltage reference value, the higher the value;
step 2.2: taking the classification result of the decision tree on each sample as a new feature, then inputting the new feature together with the original features into a neural network model, the neural network outputting the attack source information with the highest probability;
step 3: after the attack source is determined, a blocking program is automatically started and the attack source is dynamically blocked according to blocking time and direction indexes;
step 4: after dynamic blocking, the network traffic data are analyzed to determine network segment and TCP data indexes, virtual networking is realized and network security is improved.
Preferably, the network traffic data further comprises: port number, protocol type, packet content, network connection mode, source and destination IP addresses.
Preferably, the feature A is used to divide the attributes of the data set and includes: network traffic characteristics, network protocol characteristics and power system characteristics, where the network traffic characteristics comprise the number, size and sending frequency of data packets, and the network protocol characteristics comprise the protocol type used (TCP or UDP) and port numbers; the network behavior characteristics comprise whether there are a large number of connection requests and whether there are abnormal data packets; the power system characteristics comprise changes in the status, voltage and current of the power equipment.
Preferably, the blocking program is automatically started after the attack source is determined, and the dynamic blocking of the attack source is realized according to blocking time and direction indexes, including that all data packets from the IP address of the attack source are blocked by modifying the configuration of network equipment, and if the malicious behavior of the IP address is stopped, the blocking of the IP address is released.
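A worked example of the dynamic blocking described above, added here and not part of the patent text: a block entry carries the blocking time and direction index, malicious behaviour that keeps arriving renews the block, and a source that stays quiet for a configurable period is released early. The network-device configuration change is replaced by an in-memory table and an audit log; the addresses and timings are constructed.

```python
"""Dynamic blocking of an attack source by blocking time and direction (step 3).

Added worked example, not the patent's own code. A block entry carries the
blocking time (expiry) and direction index; malicious behaviour that keeps
arriving renews the block, and a source that stays quiet for `quiet_release`
seconds is unblocked early, matching the "release when malicious behaviour
stops" rule in the disclosure. The network-device configuration change is
replaced by an in-memory table and an audit log; nothing is reconfigured.
"""
import ipaddress
from dataclasses import dataclass

INBOUND, OUTBOUND, BOTH = "inbound", "outbound", "both"


@dataclass
class BlockEntry:
    ip: str
    direction: str         # INBOUND, OUTBOUND or BOTH
    expires_at: float      # absolute time (s) at which the blocking time ends
    last_malicious: float  # last time malicious behaviour from ip was observed


class DynamicBlocker:
    def __init__(self, block_time=600.0, quiet_release=300.0):
        self.block_time = block_time        # blocking time index (seconds)
        self.quiet_release = quiet_release  # quiet period that releases a block
        self.entries = {}                   # ip -> BlockEntry
        self.audit = []                     # (time, action, ip) for operators

    def block(self, ip, now, direction=INBOUND, block_time=None):
        """Start blocking `ip` once tracing has named it as the attack source."""
        ipaddress.ip_address(ip)  # reject malformed input before it reaches device config
        if direction not in (INBOUND, OUTBOUND, BOTH):
            raise ValueError(f"unknown direction index: {direction}")
        duration = self.block_time if block_time is None else block_time
        self.entries[ip] = BlockEntry(ip, direction, now + duration, now)
        self.audit.append((now, "block", ip))

    def observe(self, ip, now, malicious):
        """Feed the blocker what the monitor still sees from ip (dropped attempts included)."""
        entry = self.entries.get(ip)
        if entry is None:
            return
        if malicious:
            entry.last_malicious = now
            entry.expires_at = max(entry.expires_at, now + self.block_time)  # renew
        else:
            self._release_if_due(entry, now)

    def is_blocked(self, ip, direction, now):
        """Should a packet from/to ip in this direction be dropped at time now?"""
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if self._release_if_due(entry, now):
            return False
        return entry.direction == BOTH or entry.direction == direction

    def _release_if_due(self, entry, now):
        """Release when the blocking time ends or the source has been quiet long enough."""
        timed_out = now >= entry.expires_at
        quiet = now - entry.last_malicious >= self.quiet_release
        if timed_out or quiet:
            del self.entries[entry.ip]
            self.audit.append((now, "release", entry.ip))
            return True
        return False


if __name__ == "__main__":
    blocker = DynamicBlocker()
    blocker.block("203.0.113.7", now=0.0)  # constructed RFC 5737 documentation address
    blocker.observe("203.0.113.7", now=100.0, malicious=True)
    print("blocked at t=350:", blocker.is_blocked("203.0.113.7", INBOUND, now=350.0))
    print("blocked at t=410:", blocker.is_blocked("203.0.113.7", INBOUND, now=410.0))
    print(blocker.audit)
```

The audit list is what an operator would want exported alongside the device configuration change, so that every automatic block and release can be reviewed afterwards.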
Preferably, after dynamic blocking, virtual networking is realized by analyzing network traffic data, determining network segments and TCP data indexes, and improving network security, including placing equipment or sensitive data with importance greater than a set threshold in an isolated network environment to prevent potential network attacks.
The invention also discloses an artificial intelligence-based active defense system for an electric power information system network, which comprises a processor, a network sniffer and a memory, where the network sniffer is used to collect network traffic data: monitoring the traffic of the power information system network in real time and collecting network traffic data, which comprise: number of attacks, attack time, data packet size, transmission frequency, and power equipment voltage and current;
accurate tracing module: after collecting the network traffic data, the processor analyzes the data with an improved decision tree neural network algorithm to realize accurate tracing of network attacks;
the primary classification module performs primary classification of the data according to information gain using an improved decision tree algorithm, where the information gain Gain(D, A) of feature A on data set D is calculated as follows:
where D represents the data set, A represents the feature, Values(A) represents all possible values of feature A, D_v represents the subset of D in which feature A takes the value v, |D_v| represents the number of elements of D_v, |D| represents the number of elements of D, δ represents the power equipment current related value (the larger its difference from the power equipment current reference value, the higher the value), and Entropy(D) represents the entropy of data set D, calculated as follows:
where K represents the number of classes and p_k represents the proportion of class k in data set D; the larger the information gain, the better the dividing effect of feature A on data set D; β represents the power equipment voltage related value, and the larger its difference from the power equipment voltage reference value, the higher the value;
dynamic blocking module: after the attack source is determined, a blocking program is automatically started and the attack source is dynamically blocked according to blocking time and direction indexes;
Preferably, the network traffic data further comprise: port number, protocol type, packet content, network connection pattern, and source and destination IP addresses.
Preferably, the feature A is used to divide the attributes of the data set and includes: network traffic characteristics, network protocol characteristics and power system characteristics, where the network traffic characteristics comprise the number, size and sending frequency of data packets, and the network protocol characteristics comprise the protocol type used (TCP or UDP) and port numbers; the network behavior characteristics comprise whether there are a large number of connection requests and whether there are abnormal data packets; the power system characteristics comprise changes in the status, voltage and current of the power equipment.
Preferably, the blocking program is automatically started after the attack source is determined, and the dynamic blocking of the attack source is realized according to blocking time and direction indexes, including that all data packets from the IP address of the attack source are blocked by modifying the configuration of network equipment, and if the malicious behavior of the IP address is stopped, the blocking of the IP address is released.
Preferably, after dynamic blocking, virtual networking is realized by analyzing network traffic data, determining network segments and TCP data indexes, and improving network security, including placing equipment or sensitive data with importance greater than a set threshold in an isolated network environment to prevent potential network attacks.
Compared with the prior art, the technical scheme of the application has the following beneficial effects:
According to the artificial intelligence-based method and system for actively defending the power information system network, the improved decision tree neural network algorithm is used to analyze data and achieve accurate tracing of network attacks; the δ power equipment current related value and the β power equipment voltage related value are added into the decision tree classification process, and the addition of this key power equipment data greatly enhances primary classification accuracy, where the larger the difference between δ and the power equipment current reference value, the higher its value, and the larger the difference between β and the power equipment voltage reference value, the higher its value; adjustment efficiency is thereby greatly enhanced.
The classification result of the decision tree on each sample is innovatively provided as a new feature, which is then input into the neural network model together with the original features; the neural network outputs the attack source information with the highest probability, the feature information is enriched, accurate identification and flexible adjustment of the attack source are realized, and the speed of active defense is greatly increased while attack tracing accuracy is provided. The attributes by which feature A divides the data set include: network traffic characteristics, network protocol characteristics and power system characteristics, that is, the power system characteristics are combined with the network traffic characteristics and the like for a comprehensive judgment.
Through the dynamic blocking module (after the attack source is determined, a blocking program is automatically started and the attack source is dynamically blocked according to blocking time and direction indexes) and the virtual networking module (after dynamic blocking, the network traffic data are analyzed, network segment and TCP data indexes are determined, virtual networking is realized and network security is improved), the above consecutive steps greatly enhance the network security of the power system.
Drawings
Fig. 1 is a flow chart of a method for actively defending a network of an electric power information system based on artificial intelligence.
Detailed Description
As understood by those skilled in the art, and as stated in the background, the conventional liquid crystal display has low operating efficiency, a large volume of video data transmission and high cost, and cannot meet the requirement for intelligent operation; intelligent operation of large spliced liquid crystal display screens, with rapid, convenient and efficient transmission, is necessary at present. In addition, traditional video transmission transmits all data, so the structural characteristics of the transmitted data cannot be effectively utilized; therefore, an operation capable of reducing the amount of invalid data in real time and rapidly has become an urgent need in order to improve the user experience. In order to make the above objects, features and advantages of the present invention more comprehensible, embodiments accompanied by figures are described in detail below.
Example 1:
An artificial intelligence-based active defense method for a power information system network, as shown in Fig. 1, comprises the following steps: step 1: monitoring the traffic of the power information system network in real time and collecting network traffic data, which comprise: number of attacks, attack time, data packet size, transmission frequency, and power equipment voltage and current. In power information system networks, real-time monitoring of network traffic is typically accomplished with network traffic analysis tools. These tools capture and analyze network traffic data, including the number of attacks, attack time, attack information, etc. When monitoring network traffic, besides collecting basic data such as the number of attacks, time and attack information, the following types of data can be collected for subsequent steps such as tracing:
Source and destination IP addresses: this is key information for determining the source and destination of a network attack. Analyzing the source and destination IP addresses helps us know where an attack originates and what it targets, so that effective tracing and defense can be performed.
Port number: the port number helps us know which services an attacker is attempting to attack, such as the HTTP service (port 80) or the SSH service (port 22).
Protocol type: the protocol type (e.g., TCP, UDP, ICMP) provides more information about the behavior of the attack. For example, a large number of ICMP requests may indicate that the network is experiencing a denial of service attack.
Packet content: the payload of the data packet may provide detailed information about the attack, e.g., malicious code, virus signatures, etc.
Packet size and frequency: an abnormal packet size or frequency may indicate that the network is under attack. For example, a large number of small packets may indicate that the network is being subjected to a flood attack.
Network connection pattern: the pattern of network connections (e.g., duration, frequency) may also provide information about the behavior of the attack. For example, a large number of new connection requests in a short time may indicate that the network is being subjected to a SYN flood attack.
The following is one possible implementation: deep packet inspection (DPI) is a network packet filtering method that inspects the contents of packets in network traffic, including source address, destination address, protocol type, etc., and even the packet payload. Through deep packet inspection, we can acquire detailed information about network traffic, including the number of attacks, attack time, attack information, etc.
For example, as a packet is transmitted through the network, the DPI tool captures the packet and examines it in detail. If the inspection reveals that the packet is an attack packet (e.g., it contains malicious code or comes from a known malicious source address), the DPI tool records the attack, including the time of the attack, the source address, the destination address, etc. In this way, we can collect data such as the number of network attacks, their time, attack information, etc.
Step 2: after collecting network traffic data, analyzing the data by adopting an improved decision tree neural network algorithm to realize accurate tracing of network attack;
data collection and preprocessing: first, a large amount of network traffic data needs to be collected, including normal data and attack data. Then, preprocessing of the data is needed, including data cleaning, feature extraction, etc.
Preliminary classification: next, we can use decision tree algorithms to initially classify the preprocessed data. The decision tree algorithm has the advantages of simplicity, intuitiveness and high calculation efficiency, and can be used for quickly carrying out preliminary classification on a large amount of data.
Deep learning: then, we can use the result of the preliminary classification as the input of the deep learning model to perform further classification. The deep learning model may automatically learn advanced features of the data, thereby improving classification accuracy. For example, we can construct a deep learning model using Convolutional Neural Networks (CNNs) or Recurrent Neural Networks (RNNs).
Model training and testing: next, we need to train a deep learning model using a large amount of annotation data. After training is completed, we need to test the performance of the model with a portion of the data that does not participate in the training.
Tracing network attack: finally, when new network traffic data arrives, we can use decision tree model to make preliminary classification, then use deep learning model to make further classification so as to implement accurate tracing of network attack.
Step 2.1: performing primary classification of the data according to information gain using an improved decision tree algorithm, where the information gain Gain(D, A) of feature A on data set D is calculated as follows:
where D represents the data set, A represents the feature, Values(A) represents all possible values of feature A, D_v represents the subset of D in which feature A takes the value v, |D_v| represents the number of elements of D_v, |D| represents the number of elements of D, δ represents the power equipment current related value (the larger its difference from the power equipment current reference value, the higher the value), and Entropy(D) represents the entropy of data set D, calculated as follows:
where K represents the number of classes and p_k represents the proportion of class k in data set D; the larger the information gain, the better the dividing effect of feature A on data set D; β represents the power equipment voltage related value, and the larger its difference from the power equipment voltage reference value, the higher the value;
dividing data: we then divide the data into subsets according to the values of the optimal features. The data in each subset is the same in value for the optimal feature.
Constructing the decision tree: next, we recursively repeat the above process for each subset until a stopping condition is met (e.g., all data belong to the same class, or no features remain to divide the data).
Classification prediction: finally, when new data arrives, we can classify it according to the decision tree model. Specifically, we start from the root node of the decision tree, choose branches according to the value of the data on each feature, until the leaf node is reached, the class of which is our predicted result.
In the decision tree algorithm, gain (D, a) represents the information Gain of the feature a on the data set D, i.e. the degree to which the uncertainty (or degree of confusion) of the data set D is reduced under the division of the feature a. The larger the information gain, the better the partitioning effect of feature a on data set D.
Here, a denotes a feature, i.e. an attribute that we use to divide the dataset. In the context of a power system network attack, these features may include:
network traffic characteristics: such as the number, size, frequency of transmission, etc. of the data packets.
Network protocol features: such as the type of protocol used (TCP, UDP, etc.), port number, etc.
Network behavior characteristics: such as whether there are a large number of connection requests, whether there are abnormal packets, etc.
Power system features: such as the state of the power equipment, changes in power parameters (voltage, current, etc.), etc.
For example, assume that we have a feature A that indicates "whether the packet transmission frequency exceeds the normal range". We can calculate the information gain Gain(D, A) of the data set under this feature's division. If Gain(D, A) is large enough, we can consider "whether the packet transmission frequency exceeds the normal range" an effective feature for separating network attacks from normal network behavior.
Step 2.2: taking the classification result of the decision tree on each sample as a new feature, then inputting the new feature together with the original features into a neural network model, the neural network outputting the attack source information with the highest probability;
in the process of combining the decision tree algorithm and the deep learning algorithm, we can take the output result of the decision tree as the input of the deep learning model. Specifically, we can take the classification result (or classification probability) of the decision tree for each sample as a new feature, and then input this new feature into the deep learning model along with the original feature.
The following is a specific example:
let us assume that we have a data set D containing n samples, each sample having m features. We first classify this dataset using a decision tree model, resulting in a classification result (or classification probability) for each sample. Then, we add this classification result (or classification probability) as a new feature to the feature vector of each sample, resulting in a new dataset D'.
Next, we can train the new data set D' using a deep learning model (e.g., neural network). The input layer of the neural network has m+1 nodes (corresponding to m+1 features), and the output layer has k nodes (corresponding to k classes). The training process of the neural network can be implemented by a back propagation algorithm and a gradient descent algorithm.
After the neural network training is completed, when new data arrives, the new data can be classified by using a decision tree model to obtain a classification result (or classification probability), and then the result and the original characteristics are input into the neural network together to obtain a final classification result. The output of the deep learning algorithm is typically a probability distribution representing the probability of each possible category (in this case, the possible source of the attack). For example, if we have three possible attack sources: IP1, IP2, and IP3, the deep learning algorithm may output the following probability distributions: { IP1:0.1, IP2:0.7, IP3:0.2}. This means that the deep learning model considers IP2 as the most likely source of attack.
The output result can help us to accurately trace the source of the network attack. In particular, we can select the IP address with the highest probability as the source of the attack. In the above example, we will choose IP2 as the source of the attack. Then, we can take some measures, such as blocking this IP address, or further investigating the activity of this IP address, to prevent future attacks.
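A worked example of steps 2.1 and 2.2 above, added here and not part of the patent text: it computes the standard information gain on constructed, discretised traffic records, selects the split feature, fits a one-level tree and appends its prediction as the (m+1)th feature of D'. The δ and β correction terms are omitted because the page does not give the modified formula, and the neural network stage itself is not trained.

```python
"""Information gain (step 2.1) and the stacked tree feature (step 2.2).

Added worked example, not the patent's own code. Gain(D, A) is the standard
formula Entropy(D) - sum_v |D_v|/|D| * Entropy(D_v); the patent's δ (current)
and β (voltage) correction terms are not applied because the page does not
give the modified formula. The neural network of step 2.2 is not trained here;
the example stops at building the (m+1)-feature data set D' it would consume.
"""
from collections import Counter
from math import log2

# Constructed, already-discretised traffic records: (feature dict, label).
# The label is the source the record was attributed to ("normal" = benign).
FEATURES = ("freq_high", "proto", "many_connections", "current_deviates")
SAMPLES = [
    ({"freq_high": 1, "proto": "TCP", "many_connections": 1, "current_deviates": 1}, "IP2"),
    ({"freq_high": 1, "proto": "TCP", "many_connections": 1, "current_deviates": 0}, "IP2"),
    ({"freq_high": 1, "proto": "UDP", "many_connections": 1, "current_deviates": 1}, "IP3"),
    ({"freq_high": 0, "proto": "TCP", "many_connections": 0, "current_deviates": 0}, "normal"),
    ({"freq_high": 0, "proto": "UDP", "many_connections": 0, "current_deviates": 0}, "normal"),
    ({"freq_high": 0, "proto": "TCP", "many_connections": 1, "current_deviates": 0}, "IP1"),
    ({"freq_high": 1, "proto": "TCP", "many_connections": 1, "current_deviates": 1}, "IP2"),
    ({"freq_high": 0, "proto": "UDP", "many_connections": 0, "current_deviates": 1}, "normal"),
]


def entropy(labels):
    """Entropy(D) = -sum_k p_k * log2(p_k) over the K classes present in D."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())


def split_by(samples, feature):
    """D_v for every value v of the feature: {v: [labels of records with A = v]}."""
    subsets = {}
    for x, y in samples:
        subsets.setdefault(x[feature], []).append(y)
    return subsets


def information_gain(samples, feature):
    """Gain(D, A) = Entropy(D) - sum_v (|D_v| / |D|) * Entropy(D_v)."""
    labels = [y for _, y in samples]
    subsets = split_by(samples, feature)
    remainder = sum(len(s) / len(samples) * entropy(s) for s in subsets.values())
    return entropy(labels) - remainder


def best_feature(samples, features=FEATURES):
    """The feature with the largest information gain is chosen for the split."""
    return max(features, key=lambda f: information_gain(samples, f))


def fit_stump(samples, feature):
    """One-level decision tree: majority label for each value of the split feature."""
    return {v: Counter(ys).most_common(1)[0][0] for v, ys in split_by(samples, feature).items()}


def stacked_dataset(samples, feature, stump):
    """Step 2.2: append the tree's prediction as feature m+1, giving D'."""
    return [({**x, "tree_pred": stump.get(x[feature], "unknown")}, y) for x, y in samples]


if __name__ == "__main__":
    root = best_feature(SAMPLES)
    stump = fit_stump(SAMPLES, root)
    for f in FEATURES:
        print(f"Gain(D, {f}) = {information_gain(SAMPLES, f):.3f}")
    print("root feature:", root, "stump:", stump)
    print("first record of D':", stacked_dataset(SAMPLES, root, stump)[0])
```

The third record (attributed to IP3) is predicted as IP2 by the stump; that is exactly the kind of case the neural network, seeing the tree's guess next to the original features, is meant to refine.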
Step 3: after the attack source is determined, a blocking program is automatically started and the attack source is dynamically blocked according to blocking time and direction indexes;
Step 4: after dynamic blocking, the network traffic data are analyzed to determine network segment and TCP data indexes, virtual networking is realized and network security is improved.
In implementing virtual networking, we need to acquire and process some key network parameters, including network segments, TCP data, etc. The following describes how to obtain these parameters and how to implement virtual networking based on them:
obtaining a network segment: a network segment refers to a collection of IP addresses for all devices in a network. In most cases, we can obtain the network segment information by querying the configuration information of the network device, or using a network scanning tool.
Acquiring TCP data: TCP data refers to data communicated between network devices via the TCP protocol. We can capture and analyze TCP data through a network sniffing tool, such as Wireshark, etc.
Realizing virtual networking: after the network segments and TCP data are acquired, we can implement virtual networking based on this information. In particular, we can determine the structure of the virtual network from the segment information, e.g., which devices should be in the same virtual network. Then, we can configure the communication rules of the virtual network according to the TCP data, for example, which devices can communicate directly and which devices need to communicate through a router or firewall.
Acquiring the hop count of a network path: the network path hop count refers to the number of network nodes that a packet needs to traverse from the source node to the destination node. We can obtain the network path hop count through a network diagnostic tool, such as traceroute.
Acquiring the path transition time interval: the path transition time interval refers to the time interval over which the network path changes. We can obtain the path transition time interval through a network monitoring tool such as NetFlow.
Realizing network path optimization: after obtaining the hop count of the network path and the path transition time interval, we can optimize the network path according to this information. In particular, we can select the shortest network path based on the number of hops to reduce network delay. At the same time, we can adjust the network path according to the path transition time interval to cope with changes in the network state. For example, if we find that the network path is changing frequently, we can choose a more stable network path to improve the reliability of the network.
Virtual networking (Virtual Networking) is a networking technology that allows creation of a virtual, isolated network environment on a physical network. Such techniques may be used in a variety of scenarios, including but not limited to network security defenses.
In the context of network security defense, virtual networking may be performed after blocking the source of the attack, or as a preventive measure. For example, if we find that an IP address is the source of an attack, we can remove this IP address from the virtual network to prevent it from affecting other devices. Meanwhile, important equipment or sensitive data can be placed in an isolated network environment through virtual networking so as to prevent potential network attacks.
The relationship between virtual networking and network attacks is mainly manifested in the following aspects:
Isolation: virtual networking can create an isolated network environment that prevents a network attacker from jumping from one device to another.
Flexibility: the virtual networking can dynamically adjust the network structure and the communication rule according to the network attack condition.
Controllability: virtual networking may provide finer granularity of network control, e.g., we may control which devices may communicate and which may not.
Transparency: virtual networking can provide detailed information of network traffic, helping us better understand and defend against network attacks.
In some embodiments, the network traffic data further comprises: port number, protocol type, packet content, network connection mode, source and destination IP addresses. Characteristics and requirements of the power system need to be considered. The following are some possible considerations:
Real-time performance: the operation of the power system requires real-time monitoring and control, so in network traffic monitoring we need to pay attention to factors that may affect real-time performance, such as network delay, packet loss, etc. By monitoring network traffic in real time, such problems can be found and handled promptly.
Reliability: stable operation of the power system is critical to socioeconomic activities, so we need to ensure high reliability of the network. The reliability of the network can be improved through the technologies of redundancy design, fault switching and the like.
Safety: the security of the power system includes not only network security but also physical security of the power equipment. Therefore, in network traffic monitoring, we need to pay attention not only to network attacks, but also to information that may affect the safety of the power equipment, such as equipment failure, overload operation, etc.
Parameters of the power system: in network traffic monitoring, we can collect and analyze various parameters of the power system, such as voltage, current, frequency, etc. These parameters can help us to understand the operating state of the power system and thus better perform network defense.
Electric power system model: the method can build a model of the power system, predict the running state of the power system, and then adjust the network defense strategy according to the prediction result. For example, if we predict that a certain device may fail, we can take action in advance to avoid network disruption.
In some embodiments, the feature A is used to divide attributes of the dataset, including: network traffic characteristics, network protocol characteristics and power system characteristics, wherein the network traffic characteristics comprise the number, the size and the sending frequency of data packets, and the network protocol characteristics comprise the used protocol types TCP or UDP and port numbers; the network behavior characteristics comprise whether a large number of connection requests exist and whether abnormal data packets exist or not; the power system characteristics include changes in the status, voltage, and current of the power equipment.
In some embodiments, the blocking program is automatically started after the attack source is determined, and the dynamic blocking of the attack source is realized according to the blocking time and the direction index, including that all data packets from the IP address of the attack source are blocked by modifying the configuration of the network device, and if the malicious behavior of the IP address has stopped, the blocking of the IP address is released.
In some embodiments, after dynamic blocking, network traffic data is analyzed to determine network segments and TCP data indexes, thereby realizing virtual networking and improving network security.
Example 2:
The invention also discloses an artificial-intelligence-based active defense system for the electric power information system network, which comprises a processor, a network sniffer and a memory; wherein the network sniffer is used for collecting network traffic data: it monitors the traffic of the power information system network in real time, and the collected network traffic data comprise: attack times, attack time, data packet size, transmission frequency, power equipment voltage and current;
accurate traceability module: after collecting network traffic data, the processor analyzes the data by adopting an improved decision tree neural network algorithm, so as to realize accurate tracing of network attack; the neural network computing module takes the classification result of the decision tree on each sample as a new feature, then inputs the new feature and the original feature into a neural network model, and the neural network outputs attack source information with highest probability and stores the attack source information in a memory;
The neural network is composed of a plurality of layers, each layer containing a plurality of neurons. Each neuron receives input from a previous layer of neurons and then calculates an output. This output will serve as input to the next layer of neurons.
The following is a specific working procedure of the neural network:
forward propagation: in the forward propagation process, the neural network starts from the input layer, passes through each layer in turn, and reaches the output layer. In each layer, neurons receive input from the previous layer and then calculate an output. The output calculation formula of the neuron is as follows:
where n is the number of inputs, x_i is the i-th input, w_i is the weight corresponding to the i-th input, b is the bias term, f is the activation function (e.g. the sigmoid function, the ReLU function, etc.), and the power system equipment parameter δ is added to the calculation process.
Back propagation: in the back propagation process, the neural network starts from the output layer, passes through each layer in turn, until the input layer. In each layer, neurons update weights and bias terms according to the gradient of the loss function. The update formula of the weights and bias terms is as follows:
where L is the loss function, α is the learning rate, and ∂L/∂w and ∂L/∂b are the gradients of the loss function with respect to the weight and bias terms. Forward propagation and back propagation are two key steps in the neural network training process, and there is a close relationship between them.
Forward propagation (Forward Propagation): in the forward propagation process, the neural network starts from the input layer, passes through each layer in turn, and reaches the output layer. In each layer, neurons receive input from the previous layer and then calculate an output. This output will serve as input to the next layer of neurons. After the forward propagation is completed, the output layer of the neural network obtains a prediction result.
Back propagation (Backward Propagation): in the back propagation process, the neural network starts from the output layer, passes through each layer in turn, until the input layer. In each layer, neurons update weights and bias terms according to the gradient of the loss function. The purpose of this process is to make the predicted outcome of the neural network as close as possible to the actual label by adjusting the parameters (weights and bias terms) of the neural network.
The relationship between forward propagation and backward propagation is that forward propagation provides all intermediate computation results required for backward propagation. During the forward propagation, each layer of the neural network holds its inputs and outputs, which are used to calculate gradients during the backward propagation. Thus, back propagation depends on the result of forward propagation.
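The forward pass f(Σ w_i x_i + b), the update w ← w − α ∂L/∂w, and the stacking of the decision tree's prediction onto the original features (described at the end of Example 1 and again in the neural network computing module) are easiest to see written out by hand. The block below is an added example, not code from the patent: a two-layer network with a sigmoid hidden layer and a softmax output, trained by plain SGD on a constructed dataset. The feature layout, class names (IP1, IP2, IP3), layer sizes and learning rate are assumptions; the patent's δ term is not included because the page does not say how it enters the neuron's sum.

```python
# Added example (not the patent's code): a small two-layer network written out
# by hand so the forward pass f(sum_i w_i x_i + b) and the back-propagation
# update w <- w - alpha * dL/dw are visible. The input is the "stacked" vector
# the page describes: original traffic/power features plus the decision tree's
# prediction encoded one-hot. Samples, class names and sizes are constructed.
import math
import random

CLASSES = ["IP1", "IP2", "IP3"]


def one_hot(label):
    return [1.0 if c == label else 0.0 for c in CLASSES]


def stack_features(original, tree_prediction):
    """New feature vector = original features + decision-tree output."""
    return list(original) + one_hot(tree_prediction)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def softmax(zs):
    m = max(zs)
    e = [math.exp(z - m) for z in zs]
    s = sum(e)
    return [v / s for v in e]


class TinyNet:
    def __init__(self, n_in, n_hidden, n_out, seed=0):
        rnd = random.Random(seed)
        self.W1 = [[rnd.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.W2 = [[rnd.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_out)]
        self.b2 = [0.0] * n_out

    def forward(self, x):
        """Each neuron computes f(sum_i w_i x_i + b); the hidden outputs are
        returned because back-propagation needs them."""
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.W1, self.b1)]
        z = [sum(w * hj for w, hj in zip(row, h)) + b
             for row, b in zip(self.W2, self.b2)]
        return h, softmax(z)

    def train_step(self, x, target, alpha):
        """One SGD step on cross-entropy loss L; returns the loss before the step."""
        h, p = self.forward(x)
        loss = -sum(t * math.log(max(pi, 1e-12)) for t, pi in zip(target, p))
        dz = [pi - ti for pi, ti in zip(p, target)]               # dL/dz at the output
        dh = [sum(dz[k] * self.W2[k][j] for k in range(len(dz)))  # dL/dh_j
              for j in range(len(h))]
        dzh = [dh[j] * h[j] * (1.0 - h[j]) for j in range(len(h))]  # through sigmoid
        for k in range(len(dz)):                 # output layer: w <- w - alpha * dL/dw
            for j in range(len(h)):
                self.W2[k][j] -= alpha * dz[k] * h[j]
            self.b2[k] -= alpha * dz[k]
        for j in range(len(h)):                  # hidden layer, same rule
            for i in range(len(x)):
                self.W1[j][i] -= alpha * dzh[j] * x[i]
            self.b1[j] -= alpha * dzh[j]
        return loss

    def predict(self, x):
        """Return (most likely source, probability distribution over CLASSES)."""
        _, p = self.forward(x)
        best = max(range(len(p)), key=p.__getitem__)
        return CLASSES[best], dict(zip(CLASSES, p))


# Constructed training data: [packet_rate, packet_size, voltage_dev, current_dev]
# scaled to 0..1, the tree's prediction, and the true source. Row 4 is one the
# tree gets wrong; the numeric features let the network correct it.
TRAIN = [
    ([0.1, 0.2, 0.1, 0.1], "IP1", "IP1"),
    ([0.2, 0.2, 0.1, 0.1], "IP1", "IP1"),
    ([0.9, 0.3, 0.8, 0.2], "IP2", "IP2"),
    ([0.5, 0.9, 0.2, 0.9], "IP2", "IP3"),
    ([0.9, 0.3, 0.7, 0.2], "IP2", "IP2"),
    ([0.5, 0.9, 0.2, 0.8], "IP3", "IP3"),
]


def train(epochs=1000, alpha=0.5, seed=0):
    """Train on TRAIN; returns (network, mean loss of the final epoch)."""
    net = TinyNet(n_in=4 + len(CLASSES), n_hidden=6, n_out=len(CLASSES), seed=seed)
    last = 0.0
    for _ in range(epochs):
        last = sum(net.train_step(stack_features(f, t), one_hot(y), alpha)
                   for f, t, y in TRAIN)
    return net, last / len(TRAIN)


def training_accuracy(net):
    hits = sum(net.predict(stack_features(f, t))[0] == y for f, t, y in TRAIN)
    return hits / len(TRAIN)


if __name__ == "__main__":
    net, loss = train()
    print("final mean loss", round(loss, 4), "accuracy", training_accuracy(net))
    print(net.predict(stack_features([0.5, 0.9, 0.2, 0.9], "IP2")))
```

The last line of the demo is the stacked case the text motivates: the tree voted IP2, but the output distribution follows the power and traffic features, which is the sense in which the combined model "enriches the feature information".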
The primary classification module adopts an improved decision tree algorithm to conduct primary classification on data according to data information Gain, and the information Gain (D, A) of the data set D by the feature A is calculated as follows:
wherein D represents the dataset, A represents the feature, Values(A) represents all possible values of feature A, D_v represents the subset of D in which feature A takes the value v, |D_v| represents the number of elements of D_v, |D| represents the number of elements of D, δ represents the power equipment current related value (the larger its difference from the power equipment current reference value, the higher the value), and Entropy(D) represents the entropy of the dataset D, calculated as follows:
wherein K represents the number of categories and p_k represents the proportion of class k in dataset D; the larger the information gain, the better the dividing effect of feature A on dataset D; β represents the power equipment voltage related value, and the larger its difference from the power equipment voltage reference value, the higher the value;
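As an added example (not code from the patent), the block below computes Entropy(D) and Gain(D, A) in their standard ID3 form, Gain(D, A) = Entropy(D) − Σ_v |D_v|/|D| · Entropy(D_v), on a constructed set of traffic records, and grows the tree whose per-sample prediction the neural network module later consumes. The same formula text appears in Example 2 and in claims 1 and 6, so one example covers all three. The patent's δ (current) and β (voltage) terms are deliberately not reproduced, because the page does not show where they enter the expression; the voltage deviation is carried as an ordinary feature instead, which is an assumption of this example, as are the sample values.

```python
# Added example (not the patent's code): plain ID3 entropy and information gain
# over a constructed traffic dataset, plus the recursive tree that uses them.
# The patent's delta/beta weighting is not reproduced (its placement in the
# formula is not given on the page); voltage deviation is an ordinary feature.
from collections import Counter
from math import log2

# Constructed samples: (feature dict, attack-source label).
SAMPLES = [
    ({"protocol": "TCP", "high_conn_rate": True,  "voltage_dev": "low"},  "IP2"),
    ({"protocol": "TCP", "high_conn_rate": False, "voltage_dev": "low"},  "IP2"),
    ({"protocol": "TCP", "high_conn_rate": True,  "voltage_dev": "low"},  "IP1"),
    ({"protocol": "UDP", "high_conn_rate": False, "voltage_dev": "low"},  "IP1"),
    ({"protocol": "UDP", "high_conn_rate": True,  "voltage_dev": "high"}, "IP3"),
    ({"protocol": "UDP", "high_conn_rate": False, "voltage_dev": "high"}, "IP3"),
]
FEATURES = ["protocol", "high_conn_rate", "voltage_dev"]


def entropy(labels):
    """Entropy(D) = -sum_k p_k log2 p_k over the class proportions p_k."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())


def information_gain(samples, feature):
    """Gain(D, A) = Entropy(D) - sum_v |D_v|/|D| * Entropy(D_v)."""
    labels = [y for _, y in samples]
    gain = entropy(labels)
    for v in {x[feature] for x, _ in samples}:
        subset = [y for x, y in samples if x[feature] == v]
        gain -= len(subset) / len(samples) * entropy(subset)
    return gain


def best_feature(samples, features):
    """The feature with the largest gain divides D best."""
    return max(features, key=lambda f: information_gain(samples, f))


def build_tree(samples, features):
    """Recursive ID3: a leaf is a label string, an inner node is a dict."""
    labels = [y for _, y in samples]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return majority
    f = best_feature(samples, features)
    rest = [g for g in features if g != f]
    branches = {}
    for v in {x[f] for x, _ in samples}:
        branches[v] = build_tree([(x, y) for x, y in samples if x[f] == v], rest)
    return {"feature": f, "branches": branches, "default": majority}


def classify(tree, x):
    """Walk from the root; an unseen value falls back to the node's majority class."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(x[tree["feature"]], tree["default"])
    return tree


if __name__ == "__main__":
    for f in FEATURES:
        print(f"Gain(D, {f}) = {information_gain(SAMPLES, f):.4f}")
    tree = build_tree(SAMPLES, FEATURES)
    print("root split on:", tree["feature"])
    print("prediction for sample 5:", classify(tree, SAMPLES[4][0]))
```

On this data the voltage-deviation feature separates IP3 cleanly and so has the largest gain and becomes the root split, while the connection-rate feature has zero gain; that is the "dividing effect" the text refers to.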
the neural network computing module takes the classification result of the decision tree on each sample as a new feature, then inputs the new feature and the original feature into a neural network model, and the neural network outputs attack source information with highest probability and stores the attack source information in a memory;
Dynamic blocking module: after the attack source is determined, a blocking program is automatically started, and dynamic blocking of the attack source is realized according to the blocking time and direction indexes;
Virtual networking module: after dynamic blocking, network flow data are analyzed to determine network segment and TCP data indexes, virtual networking is realized, and network safety is improved.
The dynamic blocking can be performed by adopting the following steps:
Confirming the attack: first, we need to confirm whether this is indeed a network attack. We can determine this by analyzing the content of the packets sent by this IP address and its communication pattern with other IP addresses. If it is confirmed to be a network attack, then we proceed to blocking.
Blocking the attack: we can then block all packets from this IP address by modifying the configuration of the network device. For example, we can add a rule to the firewall to discard all packets from this IP address.
Recording blocking information: next, we need to record the information of this block, including the time of the block, the blocked IP address, the reason for the block, etc. This information can help us learn the pattern of network attacks and thereby improve our defense strategies.
Dynamic adjustment: finally, we need to dynamically adjust the blocking policy according to the real-time situation of the network traffic. For example, if we find that the malicious activity of an IP address has ceased, we can unblock the IP address. Conversely, if we find a new IP address starting a network attack, we need to block that IP address.
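The four steps above, confirm, block, record and adjust, map onto a small controller. The block below is an added example and not the patent's code: it keeps the two indexes the text names (the blocking time as an expiry, the direction as inbound or outbound), logs every block with time, address and reason, and on each traffic window extends blocks whose source is still hostile, releases expired ones whose activity has stopped, and blocks newly confirmed sources. The device configuration change is rendered as an iptables drop rule string and collected rather than executed; the confirmation threshold, default duration and addresses are constructed.

```python
# Added example (not from the patent): a blocking controller with the page's
# two indexes, blocking time (expiry) and direction (inbound/outbound), a log of
# every block, and per-window re-evaluation. Firewall changes are rendered as
# iptables command strings and collected, not executed. Threshold, duration
# and addresses are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

CONFIRM_THRESHOLD = 20          # constructed: packets per window that confirm an attack


@dataclass
class BlockRecord:
    ip: str
    direction: str               # "inbound" or "outbound": the direction index
    reason: str
    blocked_at: datetime
    expires_at: datetime         # the blocking-time index
    released_at: Optional[datetime] = None


def render_rule(ip: str, direction: str, add: bool) -> str:
    """Render the network device configuration change as an iptables drop rule."""
    chain, match = ("INPUT", "-s") if direction == "inbound" else ("OUTPUT", "-d")
    return f"iptables {'-A' if add else '-D'} {chain} {match} {ip} -j DROP"


class DynamicBlocker:
    def __init__(self, duration: timedelta = timedelta(minutes=30)):
        self.duration = duration
        self.records: List[BlockRecord] = []
        self.applied: List[str] = []          # rules in the order they would be pushed

    def confirm_attack(self, ip: str, packets_in_window: int) -> bool:
        """Step 1: confirm before blocking; malformed addresses raise ValueError."""
        ip_address(ip)
        return packets_in_window >= CONFIRM_THRESHOLD

    def active(self, ip: str) -> Optional[BlockRecord]:
        return next((r for r in self.records if r.ip == ip and r.released_at is None), None)

    def block(self, ip: str, direction: str, reason: str, now: datetime) -> BlockRecord:
        """Steps 2 and 3: push the rule and record time, address and reason."""
        rec = BlockRecord(ip, direction, reason, now, now + self.duration)
        self.records.append(rec)
        self.applied.append(render_rule(ip, direction, add=True))
        return rec

    def release(self, rec: BlockRecord, now: datetime) -> None:
        rec.released_at = now
        self.applied.append(render_rule(rec.ip, rec.direction, add=False))

    def review(self, now: datetime, activity: Dict[str, int]) -> List[Tuple[str, str]]:
        """Step 4: per traffic window (ip -> packet count), extend blocks that are
        still hostile, release expired ones whose activity stopped, block new ones."""
        actions: List[Tuple[str, str]] = []
        for rec in [r for r in self.records if r.released_at is None]:
            if activity.get(rec.ip, 0) >= CONFIRM_THRESHOLD:
                rec.expires_at = now + self.duration
                actions.append(("extend", rec.ip))
            elif now >= rec.expires_at:
                self.release(rec, now)
                actions.append(("release", rec.ip))
        for ip, count in activity.items():
            if self.active(ip) is None and self.confirm_attack(ip, count):
                self.block(ip, "inbound", f"{count} packets in one window", now)
                actions.append(("block", ip))
        return actions


def demo():
    """Three constructed traffic windows; returns (actions per window, rules)."""
    b = DynamicBlocker()
    t0 = datetime(2024, 1, 1, 0, 0)
    b.block("10.0.0.5", "inbound", "SYN flood confirmed by analyst (constructed)", t0)
    windows = [
        b.review(t0 + timedelta(minutes=10), {"10.0.0.5": 40, "10.0.0.7": 25}),
        b.review(t0 + timedelta(minutes=20), {}),
        b.review(t0 + timedelta(minutes=45), {}),
    ]
    return windows, b.applied


if __name__ == "__main__":
    for w, rules in zip(*demo()):
        print(w, rules)
```

The release path is the point of the text's last step: a block is lifted only when its expiry has passed and the address has been quiet for the window, so a source that keeps sending is simply extended rather than toggled on and off.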
Virtual networking module: after dynamic blocking, network flow data are analyzed to determine network segment and TCP data indexes, virtual networking is realized, and network safety is improved. Virtual networking is a networking technology that can create one or more virtual networks over a physical network. These virtual networks may have their own network topology and network protocols, which may be configured and managed independently of the physical network.
The following is an example of a specific virtual networking:
Suppose we have a physical network comprising three servers A, B and C. We want to create a virtual network that includes only servers A and B.
Creating a virtual network: first, we need to create a virtual network in the management system of the physical network. When creating the virtual network, we can assign it a network ID to facilitate subsequent management.
Adding network nodes: then, we need to add servers A and B to the virtual network. When adding network nodes, we can assign each node a virtual IP address. This virtual IP address is unique within the virtual network and can be used to identify the network node.
Configuring the network connection: next, we need to configure the network connection between servers A and B. When configuring the network connection, we can specify parameters such as the bandwidth and delay of the connection.
Starting the virtual network: finally, we need to start the virtual network so that it begins working. After the virtual network is started, servers A and B can communicate through it.
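The networking steps above, together with the earlier description of deriving the virtual network structure from network segments, deriving communication rules from TCP data, and removing an attacking IP address from the virtual network, can be put together in one small model. The block below is an added example and not the patent's code: it groups a constructed device inventory into one virtual network per segment, allows only the intra-segment TCP flows that were actually observed, reports flows that cross segments (which the text says must go through a router or firewall), and isolates an attack source by removing it from every virtual network. The /24 prefix length, the network IDs, the addresses and the flows are constructed.

```python
# Added example (not the patent's code): virtual networks derived from network
# segments, communication rules learned from captured TCP flows, cross-segment
# flows flagged for router/firewall handling, and isolation of an attack source.
# Inventory, flows, prefix length and network ids are constructed.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]      # (source IP, destination IP, destination port)

# Constructed inventory of a small substation LAN and captured TCP flows.
DEVICES = {
    "scada-1": "10.10.1.10", "hmi-1": "10.10.1.20",
    "hist-1": "10.10.2.10", "rtu-1": "10.10.2.30",
    "ws-7": "10.10.3.44",
}
TCP_FLOWS: List[Flow] = [
    ("10.10.1.20", "10.10.1.10", 502),    # HMI -> SCADA, same segment
    ("10.10.1.10", "10.10.2.30", 502),    # SCADA -> RTU, crosses segments
    ("10.10.2.10", "10.10.1.10", 4840),   # historian -> SCADA, crosses segments
    ("10.10.3.44", "10.10.1.10", 502),    # workstation -> SCADA, crosses segments
]


def segment_of(ip: str, prefix: int = 24):
    """Network segment an address belongs to (prefix length is an assumption)."""
    return ip_network(f"{ip_address(ip)}/{prefix}", strict=False)


class VirtualNetwork:
    def __init__(self, name: str, network_id: int):
        self.name, self.network_id = name, network_id
        self.members: Set[str] = set()
        self.rules: Set[Flow] = set()         # explicitly allowed (src, dst, port)

    def add_member(self, ip: str) -> None:
        self.members.add(ip)

    def remove_member(self, ip: str) -> None:
        """Drop the node and every rule that mentions it."""
        self.members.discard(ip)
        self.rules = {r for r in self.rules if ip not in (r[0], r[1])}

    def allow(self, flow: Flow) -> None:
        src, dst, _ = flow
        if src in self.members and dst in self.members:
            self.rules.add(flow)

    def permits(self, flow: Flow) -> bool:
        return flow in self.rules


def build_from_segments(devices: Dict[str, str], prefix: int = 24) -> Dict[str, VirtualNetwork]:
    """One virtual network per segment; ids are assigned sequentially from 100."""
    vnets: Dict[str, VirtualNetwork] = {}
    for ip in devices.values():
        seg = str(segment_of(ip, prefix))
        if seg not in vnets:
            vnets[seg] = VirtualNetwork(seg, 100 + len(vnets))
        vnets[seg].add_member(ip)
    return vnets


def learn_rules(vnets: Dict[str, VirtualNetwork], flows: List[Flow], prefix: int = 24) -> List[Flow]:
    """Allow observed flows inside a segment; return the cross-segment ones."""
    crossing: List[Flow] = []
    for flow in flows:
        src_seg, dst_seg = str(segment_of(flow[0], prefix)), str(segment_of(flow[1], prefix))
        if src_seg == dst_seg and src_seg in vnets:
            vnets[src_seg].allow(flow)
        else:
            crossing.append(flow)
    return crossing


def isolate(vnets: Dict[str, VirtualNetwork], ip: str) -> List[str]:
    """Remove an attack source from every virtual network; returns their names."""
    removed = []
    for vnet in vnets.values():
        if ip in vnet.members:
            vnet.remove_member(ip)
            removed.append(vnet.name)
    return removed


if __name__ == "__main__":
    vnets = build_from_segments(DEVICES)
    print("cross-segment flows:", learn_rules(vnets, TCP_FLOWS))
    print("isolated from:", isolate(vnets, "10.10.3.44"))
```

Rules are directional and learned only from what was seen, so the reverse of an observed flow is not permitted until it is observed or added deliberately; this is the "finer granularity of network control" the text lists under controllability.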
Network path optimization is a network technique that improves the efficiency and reliability of network communications by selecting an optimal network path. The following is an example of one specific network path optimization:
let us assume that we have a network comprising four servers A, B, C and D. Server a and server D need to communicate, there are two possible paths: one is A-B-D and the other is A-C-D.
Path selection: first, we need to select one path as the communication path between server A and server D. In selecting a path, we can consider a number of factors, such as the bandwidth, delay and packet loss rate of the path.
Path test: then we need to test the performance of the selected path. During the test, we can send some test data packets and observe the transmission conditions of these data packets, such as transmission time, packet loss number, etc.
Path evaluation: next, we need to evaluate the performance of the path based on the test results. If the performance of the path meets the requirements, then we can use this path for communication. Otherwise, we need to reselect the path.
Path switching: finally, if we find that the current path performance is degraded or that a better path is available, we need to switch to the new path. When switching paths, it is necessary to ensure continuity of communication and avoid interruption of communication.
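The path selection, test, evaluation and switching steps above, together with the earlier remark that a frequently changing path should give way to a more stable one, fit in one small path manager. The block below is an added example and not the patent's code: it enumerates simple paths over a constructed topology, picks the one with the fewest hops that meets a delay and loss requirement, switches at once when the current path no longer meets it, and otherwise only switches to a better path after a minimum dwell interval (standing in for the page's path transition time interval). The link measurements, thresholds and dwell time are constructed.

```python
# Added example (not the patent's code): select a path by hop count, evaluate it
# against measured per-link delay and loss, switch immediately on degradation,
# and otherwise respect a minimum dwell interval so the path does not flap.
# Topology, measurements, thresholds and dwell time are constructed.
from typing import Dict, List, Optional, Tuple

Link = Tuple[str, str]
# Constructed topology: undirected links with measured (delay_ms, loss_rate).
LINKS: Dict[Link, Tuple[float, float]] = {
    ("A", "B"): (5.0, 0.00), ("B", "D"): (5.0, 0.00),
    ("A", "C"): (8.0, 0.00), ("C", "D"): (8.0, 0.00),
    ("B", "C"): (2.0, 0.00),
}


def neighbours(links):
    adj: Dict[str, set] = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def simple_paths(links, src, dst) -> List[List[str]]:
    """All loop-free paths from src to dst, in deterministic order."""
    adj = neighbours(links)
    out: List[List[str]] = []

    def walk(node, path):
        if node == dst:
            out.append(path)
            return
        for nxt in sorted(adj.get(node, ())):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return out


def link_metrics(links, u, v):
    return links.get((u, v)) or links[(v, u)]


def evaluate(links, path) -> Tuple[int, float, float]:
    """(hop count, end-to-end delay, end-to-end loss) from the per-link figures."""
    hops = len(path) - 1
    delay, delivered = 0.0, 1.0
    for u, v in zip(path, path[1:]):
        d, loss = link_metrics(links, u, v)
        delay += d
        delivered *= 1.0 - loss
    return hops, delay, 1.0 - delivered


def select_path(links, src, dst, max_delay, max_loss) -> Optional[List[str]]:
    """Fewest hops, then lowest delay, among paths that meet the requirement."""
    ok = []
    for p in simple_paths(links, src, dst):
        hops, delay, loss = evaluate(links, p)
        if delay <= max_delay and loss <= max_loss:
            ok.append((hops, delay, p))
    return min(ok)[2] if ok else None


class PathManager:
    def __init__(self, links, src, dst, max_delay, max_loss, min_interval=60.0):
        self.src, self.dst = src, dst
        self.max_delay, self.max_loss = max_delay, max_loss
        self.min_interval = min_interval        # seconds between voluntary switches
        self.last_switch = float("-inf")
        self.switches: List[Tuple[float, List[str]]] = []
        self.current = select_path(links, src, dst, max_delay, max_loss)

    def tick(self, now: float, links) -> Optional[List[str]]:
        """Re-run selection on fresh measurements and decide whether to switch."""
        best = select_path(links, self.src, self.dst, self.max_delay, self.max_loss)
        if best is None or best == self.current:
            return self.current
        if self.current is None:
            degraded, better = True, False
        else:
            hops, delay, loss = evaluate(links, self.current)
            degraded = delay > self.max_delay or loss > self.max_loss
            better = evaluate(links, best)[:2] < (hops, delay)
        if degraded or (better and now - self.last_switch >= self.min_interval):
            self.current, self.last_switch = best, now
            self.switches.append((now, best))
        return self.current


if __name__ == "__main__":
    pm = PathManager(LINKS, "A", "D", max_delay=50.0, max_loss=0.05)
    print("initial", pm.current)
    worse = dict(LINKS)
    worse[("B", "D")] = (5.0, 0.20)          # B-D starts dropping packets
    print("after degradation", pm.tick(10.0, worse))
    print("recovered, inside dwell", pm.tick(30.0, LINKS))
    print("recovered, dwell passed", pm.tick(80.0, LINKS))
```

Degradation bypasses the dwell interval on purpose: continuity of communication (the text's concern in the switching step) is better served by leaving a failing path immediately than by waiting, whereas moving back to a merely faster path can wait until the interval has elapsed.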
In some embodiments, the network traffic data further comprises: port number, protocol type, packet content, network connection mode, source and destination IP addresses. Active defense of the power system network needs to pay attention not only to traditional network security factors such as attack times, attack types and the like, but also to specific parameters of the power system. These parameters may help us better understand the operating state of the power system and thus make network defense more efficient. The following are some possible power system parameters:
device status parameters: this includes the operating status of the electrical equipment, load conditions, fault information, etc. For example, if the load on one device is too high, it may cause the device to overheat, thereby affecting the proper operation of the device. By monitoring these parameters, we can discover and handle equipment problems in time, avoiding network disruption.
Electric power parameters: this includes parameters such as voltage, current, frequency, power, etc. These parameters may reflect the operation of the power system. For example, if the voltage or frequency is outside of normal range, it may cause damage to the device, thereby affecting the stability of the network.
Network communication parameters: this includes network delay, packet loss rate, network bandwidth usage, etc. These parameters may reflect the operating state of the network. For example, if the network delay is too high, real-time control of the power system may be affected, thereby affecting stable operation of the power system.
Power system events: this includes fault events, maintenance events, operational events, etc. of the power system. These events may affect the operation of the power system, thereby affecting the stability of the network. By monitoring these events, we can adjust the network defense strategy in time to cope with possible network problems.
In some embodiments, the feature A is used to divide attributes of the dataset, including: network traffic characteristics, network protocol characteristics and power system characteristics, wherein the network traffic characteristics comprise the number, the size and the sending frequency of data packets, and the network protocol characteristics comprise the used protocol types TCP or UDP and port numbers; the network behavior characteristics comprise whether a large number of connection requests exist and whether abnormal data packets exist or not; the power system characteristics include changes in the status, voltage, and current of the power equipment.
In some embodiments, the blocking program is automatically started after the attack source is determined, and the dynamic blocking of the attack source is realized according to the blocking time and the direction index, including that all data packets from the IP address of the attack source are blocked by modifying the configuration of the network device, and if the malicious behavior of the IP address has stopped, the blocking of the IP address is released.
In some embodiments, after dynamic blocking, network traffic data is analyzed to determine network segments and TCP data indexes, thereby realizing virtual networking and improving network security.
Compared with the prior art, the technical scheme of the application has the following beneficial effects:
According to the method and system for actively defending the power information system network based on artificial intelligence, an improved decision tree neural network algorithm is adopted to analyze the data and achieve accurate tracing of network attacks. The δ power equipment current related value and the β power equipment voltage related value are added to the decision tree classification process, and adding this key power equipment data greatly enhances primary classification accuracy: the larger the difference between δ and the power equipment current reference value, the higher the value, and the larger the difference between β and the power equipment voltage reference value, the higher the value, which greatly enhances adjustment efficiency.
The classification result of the decision tree on each sample is creatively used as a new feature; the new feature and the original features are then input into the neural network model together, and the neural network outputs the attack source information with the highest probability. This enriches the feature information, realizes accurate identification and flexible adjustment of the attack source, greatly accelerates the active defense speed and improves attack tracing accuracy.
Through the dynamic blocking module (after the attack source is determined, a blocking program is automatically started, and dynamic blocking of the attack source is realized according to the blocking time and direction indexes) and the virtual networking module (after dynamic blocking, network traffic data are analyzed, network segment and TCP data indexes are determined, virtual networking is realized and network security is improved), these consecutive steps greatly enhance the network security of the power system.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product, and that the present application thus may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
Although the present application is disclosed above, the present application is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the application, and the scope of the application should be assessed accordingly to that of the appended claims.

Claims (10)

1. An artificial intelligence-based active defense method for a power information system network is characterized by comprising the following steps of:
step 1: monitoring the flow of the power information system network in real time, and collecting network flow data comprises: attack times, attack time, data packet size, transmission frequency, power equipment voltage and current;
Step 2: after collecting network traffic data, analyzing the data by adopting an improved decision tree neural network algorithm to realize accurate tracing of network attack;
step 2.1, performing primary classification on data according to data information Gain by adopting an improved decision tree algorithm, wherein the information Gain (D, A) of the data set D by the feature A is calculated as follows:
wherein D represents the dataset, A represents the feature, Values(A) represents all possible values of feature A, D_v represents the subset of D in which feature A takes the value v, |D_v| represents the number of elements of D_v, |D| represents the number of elements of D, δ represents the power equipment current related value (the larger its difference from the power equipment current reference value, the higher the value), and Entropy(D) represents the entropy of the dataset D, calculated as follows:
wherein K represents the number of categories and p_k represents the proportion of class k in dataset D; the larger the information gain, the better the dividing effect of feature A on dataset D; β represents the power equipment voltage related value, and the larger its difference from the power equipment voltage reference value, the higher the value;
step 2.2, taking the classification result of the decision tree on each sample as a new feature, then inputting the new feature and the original feature into a neural network model, and outputting attack source information with highest probability by the neural network model;
Step 3: after the attack source is determined, a blocking program is automatically started, and dynamic blocking of the attack source is realized according to the blocking time and direction indexes;
step 4: after dynamic blocking, network flow data are analyzed to determine network segment and TCP data indexes, virtual networking is realized, and network safety is improved.
2. The method for actively defending a network of an artificial intelligence based power information system according to claim 1, wherein said network traffic data further comprises: port number, protocol type, packet content, network connection mode, source and destination IP addresses.
3. The method of claim 1, wherein the feature A is used to divide the attributes of the data set, and comprises: network traffic characteristics, network protocol characteristics and power system characteristics, wherein the network traffic characteristics comprise the number, the size and the sending frequency of data packets, and the network protocol characteristics comprise the used protocol types TCP or UDP and port numbers; the network behavior characteristics comprise whether a large number of connection requests exist and whether abnormal data packets exist or not; the power system characteristics include changes in the status, voltage, and current of the power equipment.
4. The method according to claim 2, wherein the step of automatically starting the blocking program after determining the source of the attack, and implementing the dynamic blocking of the source of the attack according to the blocking time and the direction index, includes blocking all data packets from the IP address of the source of the attack by modifying the configuration of the network device, and unblocking the IP address if the malicious behavior of the IP address has stopped.
5. The method for actively defending a network of an electric power information system based on artificial intelligence according to claim 1, wherein after dynamic blocking, network segments and TCP data indexes are determined by analyzing network traffic data, virtual networking is realized, network security is improved, and equipment with importance greater than a set threshold or sensitive data are placed in an isolated network environment to prevent potential network attacks.
6. An artificial intelligence-based active defense system for a power information system network, comprising:
a processor, a network sniffer and a memory; wherein the network sniffer is used for collecting network traffic data: monitoring the flow of the power information system network in real time, and collecting network flow data comprises: attack times, attack time, data packet size, transmission frequency, power equipment voltage and current;
Accurate traceability module: after collecting network traffic data, the processor analyzes the data by adopting an improved decision tree neural network algorithm, so as to realize accurate tracing of network attack;
the primary classification module adopts an improved decision tree algorithm to conduct primary classification on data according to data information Gain, and the information Gain (D, A) of the data set D by the feature A is calculated as follows:
wherein D represents the dataset, A represents the feature, Values(A) represents all possible values of feature A, D_v represents the subset of D in which feature A takes the value v, |D_v| represents the number of elements of D_v, |D| represents the number of elements of D, δ represents the power equipment current related value (the larger its difference from the power equipment current reference value, the higher the value), and Entropy(D) represents the entropy of the dataset D, calculated as follows:
wherein K represents the number of categories and p_k represents the proportion of class k in dataset D; the larger the information gain, the better the dividing effect of feature A on dataset D; β represents the power equipment voltage related value, and the larger its difference from the power equipment voltage reference value, the higher the value;
the neural network computing module takes the classification result of the decision tree on each sample as a new feature, then inputs the new feature and the original feature into a neural network model, and the neural network outputs attack source information with highest probability and stores the attack source information in a memory;
Dynamic blocking module: after the attack source is determined, a blocking program is automatically started, and dynamic blocking of the attack source is realized according to the blocking time and direction indexes;
virtual networking module: after dynamic blocking, network flow data are analyzed to determine network segment and TCP data indexes, virtual networking is realized, and network safety is improved.
7. The artificial intelligence based power information system network active defense system of claim 6 wherein the network traffic data further comprises: port number, protocol type, packet content, network connection mode, source and destination IP addresses.
8. The artificial intelligence based power information system network active defense system of claim 6 wherein the feature A is used to partition attributes of a data set, comprising: network traffic characteristics, network protocol characteristics and power system characteristics, wherein the network traffic characteristics comprise the number, the size and the sending frequency of data packets, and the network protocol characteristics comprise the used protocol types TCP or UDP and port numbers; the network behavior characteristics comprise whether a large number of connection requests exist and whether abnormal data packets exist or not; the power system characteristics include changes in the status, voltage, and current of the power equipment.
9. The system of claim 7, wherein the step of automatically starting a blocking program after determining the source of the attack according to the blocking time and direction index, and the step of dynamically blocking the source of the attack comprises blocking all data packets from the IP address of the source of the attack by modifying the configuration of the network device, and unblocking the IP address if the malicious behavior of the IP address has stopped.
10. The system of claim 6, wherein after dynamic blocking, by analyzing network traffic data, determining network segments and TCP data indexes, virtual networking is implemented, and network security is improved, comprising placing devices or sensitive data with importance greater than a set threshold in an isolated network environment to prevent potential network attacks.
CN202311094580.0A 2023-08-29 2023-08-29 Electric power information system network active defense method and system based on artificial intelligence Pending CN117155629A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311094580.0A CN117155629A (en) 2023-08-29 2023-08-29 Electric power information system network active defense method and system based on artificial intelligence

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311094580.0A CN117155629A (en) 2023-08-29 2023-08-29 Electric power information system network active defense method and system based on artificial intelligence

Publications (1)

Publication Number Publication Date
CN117155629A true CN117155629A (en) 2023-12-01

Family

ID=88901953

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311094580.0A Pending CN117155629A (en) 2023-08-29 2023-08-29 Electric power information system network active defense method and system based on artificial intelligence

Country Status (1)

Country Link
CN (1) CN117155629A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117857222A (en) * 2024-03-07 2024-04-09 国网江西省电力有限公司电力科学研究院 Dynamic IP-based network dynamic defense system and method for new energy centralized control station
CN118250106A (en) * 2024-05-30 2024-06-25 南京华飞数据技术有限公司 Prony algorithm-based network transmission data management system and method
CN118611997A (en) * 2024-08-09 2024-09-06 国网浙江省电力有限公司杭州供电公司 Perception safety protection method, system and equipment based on network port protection device
CN118250106B (en) * 2024-05-30 2024-10-22 南京华飞数据技术有限公司 Prony algorithm-based network transmission data management system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination