CN117692207B - Instruction-level power system service protection method based on weighted similarity matching - Google Patents

Publication number: CN117692207B
Authority: CN (China)
Legal status: Active
Application number: CN202311701147.9A
Other languages: Chinese (zh)
Other versions: CN117692207A (en)
Inventors: 汪俊洋, 吴青, 周康, 张敏, 魏博文, 吴慧萍, 陈果, 姚武, 王猛, 郭姗姗, 陈明德, 陈高校
Current Assignee: Ezhou Power Supply Co of State Grid Hubei Electric Power Co Ltd
Original Assignee: Ezhou Power Supply Co of State Grid Hubei Electric Power Co Ltd

Abstract

The application relates to an instruction-level power system service protection method based on weighted similarity matching, comprising the following specific steps. Network traffic in the power system is analyzed, and deep protocol parsing is performed on the service traffic to obtain service instruction vectors. The service instruction vectors are divided into multiple classes according to power-system characteristics, with instruction classification and grading carried out for the subsequent calculation of the weighting term, and the service instruction vectors are labeled normal or abnormal according to the moments of system failure. All service instruction vectors are combined in pairs to form a plurality of data pairs, giving a training data set P. A convolutional neural network model prepared in advance is trained with the training data set P and the weighted loss function to obtain a trained anomaly detection model, which is then used for anomaly detection. This solves the problem that deep learning models train poorly because abnormal data are scarce in industrial control networks. The method offers high detection accuracy and can detect unknown service anomalies.

Description

Instruction-level power system service protection method based on weighted similarity matching
Technical Field
The application relates to the field of industrial control system security, and in particular to an instruction-level power system service protection method based on weighted similarity matching.
Background
The power monitoring system plays a key role in modern society and is responsible for ensuring the stable operation of the power system. With advances in information technology, power monitoring systems increasingly depend on computerized and networked technologies. However, this also exposes them to increasingly complex and advanced network threats, such as malware, cyber attacks, and data tampering. In this context, providing instruction-level service protection for power monitoring systems becomes critical.
Currently, power monitoring systems typically employ a series of measures to secure their operation, including network firewalls, Intrusion Detection Systems (IDS), encrypted communications, and the like. However, these approaches focus mainly on the network level and the communication level, while service protection at the instruction level is relatively weak. Instruction-level service protection requires attention to software execution inside the system, to prevent injection of malicious instructions, hijacking of execution processes, and tampering with critical data. At present, instruction-level service protection is mainly based on rule matching: the character string of a service instruction is obtained by deep parsing of the power system's communication traffic, and a series of rules formulated by experts is used to match potentially high-risk service instructions. However, this approach relies on extensive manual effort to write the rules and cannot discover unknown threats. Existing detection methods based on instruction matching cannot discover unknown service anomalies.
Against this background, the invention provides an instruction-level power system service protection method based on weighted similarity matching. The method uses deep learning to compute an instruction hash for each service instruction and performs anomaly detection by comparing the distances between service instruction hash codes, so that unknown abnormal service instructions can be detected.
Disclosure of Invention
The embodiments of the application aim to provide an instruction-level power system service protection method based on weighted similarity matching, which solves the problem that deep learning models train poorly because abnormal data are scarce in industrial control networks, and the problem that existing detection methods based on instruction matching cannot discover unknown service anomalies. The method offers high detection accuracy and can detect unknown service anomalies.
In order to achieve the above purpose, the present application provides the following technical solutions:
The embodiment of the application provides a service protection method for an instruction-level power system based on weighted similarity matching, which is characterized by comprising the following specific steps:
(1) Collect network traffic in the power system and perform protocol parsing on the service traffic within it to obtain fields including frame header information, address information, function codes, data fields and the like. Combine this information into a 1 x 1024 vector, padding the tail with 0x00 when the field length is insufficient, to form a service instruction vector, where v_i denotes the i-th service instruction vector, consisting of 1024 hexadecimal digits. Each element v_j of a vector is 4 bits long. 0x00 is the default value filled in when the service instruction vector is shorter than 1024;
(2) According to the characteristics of services in the power system, classify the service instructions into multiple classes by operation class, and number each class. The rules for classifying instructions by operation class are shown in the following table:
(3) According to the characteristics of services in the power system, classify the service instructions into multiple classes by security level, and number each class. The rules for grading instructions by security level are shown in the following table:
(4) Mark the service instruction vectors v corresponding to moments of system abnormality as abnormal, with value 1. Mark the service instruction vectors at other moments as normal, with value 0. The label of each service instruction vector v_i is d_i;
(5) According to the classification methods in step (2) and step (3), each service instruction vector v_i corresponds to a class number c_i and a security level number s_i. The sample label corresponding to each service instruction vector v_i is y_i = {d_i, c_i, s_i};
(6) Combine all the service instruction vectors in pairs to form a plurality of data pairs, where N is the total number of collected service instruction vectors and P is the training data set;
(7) Train the pre-designed CNN using the training data set P. Specifically, take each tuple (v_a, v_b) from the training data set P in turn. Input the first instruction vector v_a into the CNN, which outputs a 1 x 64-dimensional feature hash h_a. Input the second instruction vector v_b into the CNN, which outputs a 1 x 64-dimensional feature hash h_b;
(8) The training loss l_H(v_a, v_b) is calculated by a weighted loss function. The specific calculation steps are as follows:
where D_w is the Euclidean distance between h_a and h_b. Y is determined by the classes of the tuple (v_a, v_b): if v_a and v_b are both normal or both abnormal, Y is 0; otherwise Y is 1. G(a, b) is a weighting term calculated from the class number and the security level number corresponding to the tuple (v_a, v_b). M is the dimension of the vector output by the neural network, which is 64. I[.] is the indicator function, equal to 1 if the condition is true and 0 otherwise. T_c is the category weight, taken as 0.6; T_s is the level weight, taken as 0.8;
(9) According to the category loss calculated in step (8), update the gradient ω_old of the current model by gradient descent to obtain the updated gradient ω_new. The specific calculation steps are as follows:
where η is the learning rate, taken as 0.001;
(10) Repeat steps (7) to (9) until the training loss l_H is smaller than the set threshold or the number of iterations reaches the set maximum, obtaining a trained model;
(11) Input the service instruction vectors in v into the model in turn to obtain the corresponding feature hashes, forming a sample hash group H_g = (h_1, h_2, ..., h_n);
(12) Following the method in step (1), collect and parse service traffic in real time to obtain the service instruction vector v_t at time t. Input v_t into the trained model to obtain the feature hash h_t;
(13) Compare the feature hash h_t in turn with each feature hash h_i in the sample hash group H_g, and calculate the Euclidean distance dis_i between them. The specific calculation steps are as follows:
where M is the dimension of the vector output by the neural network, which is 64;
(14) From the hash group H_g, take the feature hash h_m with the smallest Euclidean distance to the feature hash h_t, and obtain the label d_m corresponding to h_m. If d_m is 0, the current service instruction is normal. If d_m is 1, judge whether dis_m is smaller than the set threshold T_h. If it is smaller than the threshold, the current service instruction is judged abnormal and is blocked in real time, safeguarding the service security of the power system.
Compared with the prior art, the invention has the following beneficial effects. Because training exploits the relation between input pairs rather than depending only on a large amount of labeled data, the model can be trained when labeled data are relatively scarce, which solves the problem that deep learning models train poorly because abnormal data are scarce in industrial control networks. By introducing the instruction grading weighting term into the loss function, the model learns the relations between power system service instructions more quickly, and the method achieves high anomaly detection accuracy. By comparing the distances between the hash codes of service instructions to perform anomaly detection, unknown abnormal service instructions can be detected.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an instruction-level power system service protection method based on weighted similarity matching.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The terms "first," "second," and the like, are used merely to distinguish one entity or action from another entity or action, and are not to be construed as indicating or implying any actual such relationship or order between such entities or actions.
The basic idea of the invention is to analyze the network traffic in the power system and perform deep protocol parsing on the service traffic within it to obtain service instruction vectors. The service instruction vectors are divided into multiple classes according to the characteristics of services in the power system, with instruction classification and grading carried out for the subsequent calculation of the weighting term, and the service instruction vectors are labeled normal or abnormal according to the moments of system failure. All the service instruction vectors are combined in pairs to form a plurality of data pairs, giving a training data set P. A Convolutional Neural Network (CNN) model prepared in advance is trained with the training data set P and the weighted loss function to obtain a trained anomaly detection model, which is then used for anomaly detection. Because training exploits the relation between input pairs rather than depending only on a large amount of labeled data, the model can be trained when labeled data are relatively scarce, which solves the problem that deep learning models train poorly because abnormal data are scarce in industrial control networks. By introducing the instruction grading weighting term into the loss function, the model learns the relations between power system service instructions more quickly, and the method achieves high anomaly detection accuracy. By comparing the distances between the hash codes of service instructions to perform anomaly detection, unknown abnormal service instructions can be detected. An instruction-level power system service protection method based on weighted similarity matching is thus provided.
As shown in fig. 1, the invention provides a service protection method of an instruction-level power system based on weighted similarity matching, which comprises the following steps:
(1) Collect network traffic in the power system and perform protocol parsing on the service traffic within it to obtain fields including frame header information, address information, function codes, data fields and the like. Combine this information into a 1 x 1024 vector, padding the tail with 0x00 when the field length is insufficient, to form a service instruction vector, where v_i denotes the i-th service instruction vector, consisting of 1024 hexadecimal digits. Each element v_j of a vector is 4 bits long. 0x00 is the default value filled in when the service instruction vector is shorter than 1024;
(2) According to the characteristics of services in the power system, classify the service instructions into multiple classes by operation class, and number each class. The rules for classifying instructions by operation class are shown in the following table:
(3) According to the characteristics of services in the power system, classify the service instructions into multiple classes by security level, and number each class. The rules for grading instructions by security level are shown in the following table:
(4) Mark the service instruction vectors v corresponding to moments of system abnormality as abnormal, with value 1. Mark the service instruction vectors at other moments as normal, with value 0. The label of each service instruction vector v_i is d_i;
(5) According to the classification methods in step (2) and step (3), each service instruction vector v_i corresponds to a class number c_i and a security level number s_i. The sample label corresponding to each service instruction vector v_i is y_i = {d_i, c_i, s_i};
(6) Combine all the service instruction vectors in pairs to form a plurality of data pairs, where N is the total number of collected service instruction vectors and P is the training data set;
(7) Train the pre-designed CNN using the training data set P. Specifically, take each tuple (v_a, v_b) from the training data set P in turn. Input the first instruction vector v_a into the CNN, which outputs a 1 x 64-dimensional feature hash h_a. Input the second instruction vector v_b into the CNN, which outputs a 1 x 64-dimensional feature hash h_b;
(8) The training loss l_H(v_a, v_b) is calculated by a weighted loss function. The specific calculation steps are as follows:
where D_w is the Euclidean distance between h_a and h_b. Y is determined by the classes of the tuple (v_a, v_b): if v_a and v_b are both normal or both abnormal, Y is 0; otherwise Y is 1. G(a, b) is a weighting term calculated from the class number and the security level number corresponding to the tuple (v_a, v_b). M is the dimension of the vector output by the neural network, which is 64 in this embodiment. I[.] is the indicator function, equal to 1 if the condition is true and 0 otherwise. T_c is the category weight, which is 0.6 in this embodiment; T_s is the level weight, which is 0.8 in this embodiment;
(9) According to the category loss calculated in step (8), update the gradient ω_old of the current model by gradient descent to obtain the updated gradient ω_new. The specific calculation steps are as follows:
where η is the learning rate, which is 0.001 in this embodiment;
(10) Repeat steps (7) to (9) until the training loss l_H is smaller than the set threshold or the number of iterations reaches the set maximum, obtaining a trained model;
(11) Input the service instruction vectors in v into the model in turn to obtain the corresponding feature hashes, forming a sample hash group H_g = (h_1, h_2, ..., h_n);
(12) Following the method in step (1), collect and parse service traffic in real time to obtain the service instruction vector v_t at time t. Input v_t into the trained model to obtain the feature hash h_t;
(13) Compare the feature hash h_t in turn with each feature hash h_i in the sample hash group H_g, and calculate the Euclidean distance dis_i between them. The specific calculation steps are as follows:
where M is the dimension of the vector output by the neural network, which is 64 in this embodiment;
(14) From the hash group H_g, take the feature hash h_m with the smallest Euclidean distance to the feature hash h_t, and obtain the label d_m corresponding to h_m. If d_m is 0, the current service instruction is normal. If d_m is 1, judge whether dis_m is smaller than the set threshold T_h. If it is smaller than the threshold, the current service instruction is judged abnormal and is blocked in real time, safeguarding the service security of the power system.
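The following Python sketch is an added example, not code from the patent: it works through the parts of the procedure that the text specifies completely, namely the 1 x 1024 vectorization of step (1), the pair labels Y of steps (6) and (8), and the nearest-neighbour decision of steps (13) and (14). It assumes the 64-dimensional feature hashes have already been produced by the trained CNN; the function names, the constructed sample hashes, the rejection of over-long frames, the use of unordered pairs, and the "allow" outcome when dis_m is not below T_h are assumptions of the example.

```python
# Added illustration of steps (1), (6)/(8) and (13)-(14); not code from the patent.
import math
from itertools import combinations

VECTOR_LEN = 1024  # step (1): 1 x 1024 vector, each element one hexadecimal digit
HASH_DIM = 64      # M: dimension of the feature hash output by the CNN


def instruction_vector(frame):
    """Step (1): split the parsed frame bytes into 4-bit elements and
    pad the tail with zeros up to 1024 elements."""
    nibbles = []
    for byte in frame:
        nibbles.extend((byte >> 4, byte & 0x0F))
    if len(nibbles) > VECTOR_LEN:
        # Assumption: the text only covers short frames, so longer ones are rejected.
        raise ValueError("frame exceeds 1024 hexadecimal digits")
    return nibbles + [0] * (VECTOR_LEN - len(nibbles))


def training_pairs(labels):
    """Steps (6) and (8): index pairs (a, b) with their Y value.
    Y is 0 when d_a and d_b agree (both normal or both abnormal), else 1.
    Assumption: pairs are unordered and exclude self-pairs."""
    return [(a, b, 0 if labels[a] == labels[b] else 1)
            for a, b in combinations(range(len(labels)), 2)]


def euclidean(h1, h2):
    """Step (13): Euclidean distance over the M = 64 hash dimensions."""
    if len(h1) != HASH_DIM or len(h2) != HASH_DIM:
        raise ValueError("feature hashes must have 64 dimensions")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(h1, h2)))


def classify(h_t, sample_hashes, sample_labels, t_h):
    """Step (14): find the nearest sample hash h_m and apply the decision rule.
    Returns (verdict, m, dis_m) so the caller can log the distance."""
    if not sample_hashes or len(sample_hashes) != len(sample_labels):
        raise ValueError("sample hash group and labels must match and be non-empty")
    distances = [euclidean(h_t, h_i) for h_i in sample_hashes]
    m = min(range(len(distances)), key=distances.__getitem__)
    dis_m = distances[m]
    if sample_labels[m] == 1 and dis_m < t_h:
        return "block", m, dis_m
    # d_m == 0, or d_m == 1 with dis_m >= T_h. The text does not state the
    # outcome of the second case; this example assumes it is not blocked.
    return "allow", m, dis_m


def demo():
    """Run the decision rule on constructed hashes (not real CNN output)."""
    sample_hashes = [[0.0] * HASH_DIM, [1.0] * HASH_DIM]  # constructed
    sample_labels = [0, 1]                                # d_i: normal, abnormal
    t_h = 1.0                                             # constructed threshold T_h
    queries = ([0.1] * HASH_DIM, [0.9] * HASH_DIM, [3.0] * HASH_DIM)
    return [classify(h, sample_hashes, sample_labels, t_h)[0] for h in queries]


if __name__ == "__main__":
    print(instruction_vector(bytes.fromhex("680e01"))[:8])  # constructed frame bytes
    print(training_pairs([0, 0, 1]))
    print(demo())
```

Because the rule in step (14) checks the distance only when the nearest sample is abnormal, the returned dis_m is worth logging for allowed instructions as well, so that instructions far from every stored hash remain visible to operators.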
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (1)

1. An instruction-level power system service protection method based on weighted similarity matching, characterized by comprising the following specific steps:
(1) Collecting network traffic in the power system, performing protocol parsing on the service traffic within it to obtain information containing frame header information, address information, function codes and data fields, combining the information into a 1 x 1024 vector, and padding the tail with 0x00 when the field length is insufficient, to form a service instruction vector v_i, where v_i denotes the i-th service instruction vector, consisting of 1024 hexadecimal digits, and each element v_j of a vector is 4 bits long;
(2) According to the characteristics of services in the power system, classifying the service instructions into multiple classes by operation class and numbering each class, the rules for classifying instructions by operation class being shown in the following table:
Operation class | Detailed operation | Class number
Basic operation | Switching operation, scheduling instruction, power adjustment, voltage adjustment, protection instruction | 1
Data management | Data acquisition, event recording | 2
Communication management | Communication test, remote operation | 3
Emergency operation | Emergency stop | 4
Intelligent operation | Automated scheduling, equipment maintenance instructions, and energy management | 5
(3) According to the characteristics of services in the power system, classifying the service instructions into multiple classes by security level and numbering each class, the rules for grading instructions by security level being shown in the following table:
(4) Marking the service instruction vectors v corresponding to moments of system abnormality as abnormal, with value 1, and marking the service instruction vectors at other moments as normal, with value 0, the label of each service instruction vector v_i being d_i;
(5) According to the classification methods in step (2) and step (3), each service instruction vector v_i corresponds to a class number c_i and a security level number s_i, and the sample label corresponding to each service instruction vector v_i is y_i = {d_i, c_i, s_i};
(6) Combining all the service instruction vectors in pairs to form a plurality of data pairs, where N is the total number of collected service instruction vectors and P is the training data set;
(7) Training a designed CNN using the training data set P, specifically, taking each tuple (v_a, v_b) from the training data set P in turn, wherein the first instruction vector v_a is input into the CNN, which outputs a 1 x 64-dimensional feature hash h_a, and the second instruction vector v_b is input into the CNN, which outputs a 1 x 64-dimensional feature hash h_b;
(8) Calculating the training loss l_H(v_a, v_b) by a weighted loss function, the specific calculation steps being as follows:
where D_w is the Euclidean distance between h_a and h_b; Y is determined by the classes of the tuple (v_a, v_b): if v_a and v_b are both normal or both abnormal, Y is 0, otherwise Y is 1; G(a, b) is a weighting term calculated from the class number and the security level number corresponding to the tuple (v_a, v_b); M is the dimension of the vector output by the neural network, which is 64; I[.] is the indicator function, equal to 1 if the condition is true and 0 otherwise; T_c is the category weight, taken as 0.6; T_s is the level weight, taken as 0.8;
(9) According to the category loss calculated in step (8), updating the gradient ω_old of the current model by gradient descent to obtain the updated gradient ω_new, the specific calculation steps being as follows:
where η is the learning rate, taken as 0.001;
(10) Repeating steps (7) to (9) until the training loss l_H is smaller than the set threshold or the number of iterations reaches the set maximum, to obtain a trained model;
(11) Inputting the service instruction vectors in v into the model in turn to obtain the corresponding feature hashes, forming a sample hash group H_g = (h_1, h_2, ..., h_n);
(12) Following the method in step (1), collecting and parsing service traffic in real time to obtain the service instruction vector v_t at time t, and inputting v_t into the trained model to obtain the feature hash h_t;
(13) Comparing the feature hash h_t in turn with each feature hash h_i in the sample hash group H_g and calculating the Euclidean distance dis_i between them, the specific calculation steps being as follows:
where M is the dimension of the vector output by the neural network, which is 64;
(14) From the hash group H_g, taking the feature hash h_m with the smallest Euclidean distance to the feature hash h_t and obtaining the label d_m corresponding to h_m; if d_m is 0, the current service instruction is normal; if d_m is 1, judging whether dis_m is smaller than the set threshold T_h, and if so, judging the current service instruction abnormal and blocking it in real time, safeguarding the service security of the power system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311701147.9A CN117692207B (en) 2023-12-12 2023-12-12 Instruction-level power system service protection method based on weighted similarity matching

Publications (2)

Publication Number Publication Date
CN117692207A CN117692207A (en) 2024-03-12
CN117692207B CN117692207B (en) 2024-05-03
