CN117834236B - Intelligent substation network attack detection method and device based on GOOSE flow characteristics - Google Patents

Publication number: CN117834236B
Authority: CN (China)
Prior art keywords: goose, message, flow characteristic, characteristic matrix, layer
Legal status: Active (Google's assumption, not a legal conclusion)
Application number: CN202311825146.5A
Other languages: Chinese (zh)
Other versions: CN117834236A (en)
Inventors: 马子玉, 李俊娥, 刘林彬
Current and original assignee: Wuhan University WHU (the listed assignee may be inaccurate; Google has performed no legal analysis)
Events: application filed by Wuhan University WHU; priority to CN202311825146.5A; publication of CN117834236A; application granted; publication of CN117834236B; current legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a method and device for detecting network attacks on an intelligent substation based on GOOSE traffic features. The method comprises: S1, collecting packet data from GOOSE network attacks, inspecting the packet content and parsing the packet fields; S2, extracting packet features according to the characteristics of the GOOSE protocol and constructing a GOOSE traffic feature matrix; S3, labelling the GOOSE traffic feature matrices and packaging them into a training set; S4, building a GOOSE network attack detection model over the traffic feature matrix from the training set with a deep learning algorithm; S5, constructing a traffic feature matrix from the GOOSE traffic of the intelligent substation under inspection, feeding it to the detection model and outputting the detection result. The method can effectively detect known GOOSE network attacks as they unfold and helps secure the operation of the intelligent substation network.

Description

Intelligent substation network attack detection method and device based on GOOSE flow characteristics
Technical Field
The invention relates to the field of intelligent substation network security, and in particular to a method and device for detecting network attacks on an intelligent substation based on GOOSE traffic features.
Background
With the growing digitalisation of the smart grid, the network security risks faced by intelligent substations have become increasingly prominent. In recent years, failures of power equipment and grid faults caused by network attacks have occurred repeatedly, so intelligent substations need stronger security measures.
Existing methods for detecting network attacks on intelligent substations fall into traditional methods and machine-learning methods. Traditional methods include rule-based, anomaly-based and signature-based detection. They depend on the designer's expert knowledge and lack flexibility: only attack scenarios already defined in the rules, anomaly profiles or signatures can be detected, the detection quality depends on the number and variety of attack scenarios encoded in the method, undefined scenarios are missed, and the detection coverage is therefore limited. Machine-learning methods train a model on traffic features and use it for attack detection. Compared with traditional methods they depend far less on the designer's expertise, a trained model can also detect attack scenarios that were never explicitly defined, and the coverage is broader; however, they inspect each network packet in isolation and give insufficient consideration to the relationship between the current packet and the packets before and after it.
Disclosure of Invention
The invention provides a method and device for detecting network attacks on an intelligent substation based on GOOSE traffic features, in order to solve, or at least partly solve, the technical problem that prior-art methods detect only a single network packet and therefore take insufficient account of the relationship between the current packet and the packets before and after it, which leads to poor detection performance.
To solve this problem, a first aspect of the invention provides a method for detecting network attacks on an intelligent substation based on GOOSE traffic features, comprising:
S1: collecting GOOSE packets of known attack types, parsing the fields of these packets and obtaining the value of each field;
S2: constructing packet field features and packet timing features from the obtained field values in combination with the characteristics of the GOOSE protocol, and building a GOOSE traffic feature matrix;
S3: labelling the constructed GOOSE traffic feature matrices and packaging them into a training set;
S4: building a GOOSE network attack detection model over the traffic feature matrix from the training set with a deep learning algorithm;
S5: collecting GOOSE packets to be inspected from the live environment, constructing the corresponding GOOSE traffic feature matrix, feeding it to the GOOSE network attack detection model over the traffic feature matrix and outputting the detection result.
In one embodiment, constructing the packet field features and packet timing features from the obtained field values in combination with the characteristics of the GOOSE protocol comprises:
S2.1: constructing packet field features from the obtained field values;
S2.2: constructing packet timing features from the correlation between packets and the correlation between fields.
In one embodiment, the packet field feature constructed in step S2.1 is given by formula (1),
where FieldMatrix denotes the packet field feature, Source the source MAC address, Destination the destination MAC address, APPID the application identifier, goID the GOOSE identifier, numDatSetEntries the number of entries in the AllData field, and AllData the GOOSE dataset.
In one embodiment, the packet timing feature constructed in step S2.2 is:
where TimeMatrix denotes the packet timing feature, LenChange the change in GOOSE packet length, $\mathrm{Time}_\delta$ the inter-arrival intervals between the packets in the current window, $\mathrm{St\text{-}Sq}_\delta$ the feature obtained by merging the StNum and SqNum fields (StNum being the state number field and SqNum the sequence number field), and $\mathrm{AllData}_\delta$ the change of the fields within AllData.
In one embodiment, the GOOSE traffic feature matrix constructed in step S2 is:
where GooseMatrix denotes the GOOSE traffic feature matrix.
In one embodiment, step S3 comprises:
labelling each GOOSE traffic feature matrix with the label of the most recently received packet in its window and assembling the labelled matrices into a training set, where a normal packet has label 0 and attack packets have labels 1 to 4, denoting replay attack, injection attack, flooding attack and malformed-packet attack respectively.
In one embodiment, step S4 comprises:
S4.1: building an AlexNet neural network model on the PyTorch framework. The model has 9 layers: the first layer is the input layer, which receives the GOOSE traffic feature matrix built from the parsed GOOSE traffic; the second and third layers are convolution layers of the first type, each consisting of convolution, activation, pooling and normalisation; the fourth and fifth layers are convolution layers of the second type, consisting of convolution and activation; the sixth layer is a convolution layer of the third type, consisting of convolution, activation and pooling; the seventh, eighth and ninth layers are two fully connected layers and the output layer, which classify the input GOOSE traffic feature matrix through the fully connected layers and a softmax function and output the detection result;
S4.2: improving the AlexNet model and using the improved model as the GOOSE network attack detection model over the traffic feature matrix, where the improvements comprise: replacing ReLU with Leaky ReLU as the activation function of the convolution layers, replacing local response normalisation with batch normalisation, and changing the dimensions of the output layer and the fully connected layers;
S4.3: feeding the labelled GOOSE traffic feature matrix training set to the model, training the GOOSE network attack detection model over the traffic feature matrix for multiple epochs, and saving the best model obtained during training.
Based on the same inventive concept, a second aspect of the invention provides a device for detecting network attacks on an intelligent substation based on GOOSE traffic features, comprising:
a packet collection and parsing module, which collects GOOSE packets of known attack types, parses their fields and obtains the value of each field;
a feature matrix construction module, which constructs packet field features and packet timing features from the obtained field values in combination with the characteristics of the GOOSE protocol and builds the GOOSE traffic feature matrix;
a labelling module, which labels the constructed GOOSE traffic feature matrices and packages them into a training set;
a model construction module, which builds the GOOSE network attack detection model over the traffic feature matrix from the training set with a deep learning algorithm;
a detection module, which collects GOOSE packets to be inspected from the live environment, constructs the corresponding GOOSE traffic feature matrix, feeds it to the GOOSE network attack detection model over the traffic feature matrix and outputs the detection result.
Based on the same inventive concept, a third aspect of the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of the first aspect.
Based on the same inventive concept, a fourth aspect of the invention provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method of the first aspect when executing the program.
Compared with the prior art, the invention has the following advantages and beneficial technical effects:
The method constructs the field features of individual packets and the timing features between packets from the parsed field values and the characteristics of the GOOSE protocol, and from these builds a GOOSE traffic feature matrix that captures the relationship between the current packet and the packets before and after it. Classifying this feature matrix with a deep learning algorithm effectively detects known GOOSE network attacks as they unfold and improves the security of the intelligent substation network.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings needed for the description are briefly introduced below. They show some embodiments of the invention; a person skilled in the art could derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of the method for detecting network attacks on an intelligent substation based on GOOSE traffic features provided by an embodiment of the invention;
Fig. 2 shows the concrete implementation steps of the method provided by the embodiment of the invention;
Fig. 3 is a schematic diagram of the intelligent substation GOOSE network attack scenario provided by an embodiment of the invention;
Fig. 4 is the field structure of a GOOSE packet according to an embodiment of the invention;
Fig. 5 is the transmission mechanism of GOOSE packets according to an embodiment of the invention;
Fig. 6 is the improved AlexNet neural network architecture used to train the detection model in the method according to the embodiment of the invention;
Fig. 7 compares the accuracy of the deep-learning-based detection model with other machine-learning-based detection models according to an embodiment of the invention.
Detailed Description
The invention aims to provide a method for detecting network attacks on an intelligent substation based on GOOSE traffic features: a traffic feature matrix is built from the GOOSE traffic features and a deep learning algorithm is introduced to classify it, which improves the detection of attack packets and helps secure the operation of the intelligent substation network.
To achieve this technical effect, the main idea of the invention is as follows:
S1, collecting GOOSE packet data of known attack types, inspecting the packet content and parsing the packet fields; S2, extracting packet features according to the characteristics of the GOOSE protocol and constructing a GOOSE traffic feature matrix; S3, labelling the GOOSE traffic feature matrices and packaging them into a training set; S4, building a GOOSE network attack detection model over the traffic feature matrix from the training set with a deep learning algorithm; S5, constructing a traffic feature matrix from the GOOSE traffic of the intelligent substation under inspection, feeding it to the detection model and outputting the detection result.
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described below completely with reference to the accompanying drawings. The described embodiments are some, not all, embodiments of the invention; all other embodiments that a person skilled in the art could obtain from them without inventive effort fall within the scope of the invention.
Example 1
The embodiment of the invention provides a method for detecting network attacks on an intelligent substation based on GOOSE traffic features. Referring to Fig. 1, the method comprises the following steps:
S1: collecting GOOSE packets of known attack types, parsing the fields of these packets and obtaining the value of each field;
S2: constructing packet field features and packet timing features from the obtained field values in combination with the characteristics of the GOOSE protocol, and building a GOOSE traffic feature matrix;
S3: labelling the constructed GOOSE traffic feature matrices and packaging them into a training set;
S4: building a GOOSE network attack detection model over the traffic feature matrix from the training set with a deep learning algorithm;
S5: collecting GOOSE packets to be inspected from the live environment, constructing the corresponding GOOSE traffic feature matrix, feeding it to the GOOSE network attack detection model over the traffic feature matrix and outputting the detection result.
Specifically, step S2 builds the GOOSE traffic feature matrix from the packet field features and the packet timing features, and the deep learning algorithm of step S4 may be an AlexNet neural network or another model. The GOOSE packets of step S1 are of known attack types and are used to train the model; the GOOSE packets of step S5 are of unknown type (to be inspected), and the corresponding GOOSE traffic feature matrix is built from them in the live environment by the same procedure as steps S1 and S2.
In one embodiment, constructing the packet field features and packet timing features from the obtained field values in combination with the characteristics of the GOOSE protocol comprises:
S2.1: constructing packet field features from the obtained field values;
S2.2: constructing packet timing features from the correlation between packets and the correlation between fields.
In one embodiment, the packet field feature constructed in step S2.1 is given by formula (1),
where FieldMatrix denotes the packet field feature, Source the source MAC address, Destination the destination MAC address, APPID the application identifier, goID the GOOSE identifier, numDatSetEntries the number of entries in the AllData field, and AllData the GOOSE dataset.
Fig. 4 shows the field structure of a GOOSE packet. During parsing, the values of selected fields are extracted to form the packet field feature, from which the GOOSE traffic feature matrix is then built. As shown in formula (1), the field entries of the matrix correspond to fields of the GOOSE packet structure.
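The parsing of step S1 and the malformed-packet check of the detection flow (a frame that cannot be parsed according to the GOOSE standard is alarmed as a malformed-packet attack) can be written out as follows. This is an added example, not the patent's code: the Ethernet/APPID/length header and the BER tags of the goosePdu follow IEC 61850-8-1, the sample frame is constructed here rather than captured, and the 0x88B8 EtherType, the MAC addresses and the dataset contents are assumptions.

```python
import struct

GOOSE_ETHERTYPE, VLAN_ETHERTYPE = 0x88B8, 0x8100
PDU_FIELDS = {0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet",   # IECGoosePdu
              0x83: "goID", 0x84: "t", 0x85: "stNum", 0x86: "sqNum",        # context tags,
              0x87: "simulation", 0x88: "confRev", 0x89: "ndsCom",          # standard order
              0x8A: "numDatSetEntries", 0xAB: "allData"}
REQUIRED = ("goID", "stNum", "sqNum", "numDatSetEntries", "allData")


class GooseParseError(ValueError):
    """Frame does not conform to the GOOSE encoding (malformed packet)."""


def _tlv(tag, value):
    """BER TLV encoder, short-form length only (enough for the sample frame)."""
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise GooseParseError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: 0x8n followed by n length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise GooseParseError("invalid BER length octets")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise GooseParseError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_data(tag, val):
    # allData item: boolean (0x83), integer (0x85), unsigned (0x86); others kept as hex
    if tag == 0x83:
        return val != b"\x00"
    if tag in (0x85, 0x86):
        return int.from_bytes(val, "big", signed=(tag == 0x85))
    return val.hex()


def parse_goose(frame):
    """Return the GOOSE fields of one Ethernet frame, or raise GooseParseError."""
    if len(frame) < 22:
        raise GooseParseError("frame shorter than Ethernet + GOOSE header")
    dst, src, off = frame[0:6], frame[6:12], 14
    ethertype = struct.unpack(">H", frame[12:14])[0]
    if ethertype == VLAN_ETHERTYPE:  # 802.1Q tag present: EtherType moves 4 bytes
        ethertype, off = struct.unpack(">H", frame[16:18])[0], 18
    if ethertype != GOOSE_ETHERTYPE or off + 8 > len(frame):
        raise GooseParseError("not a GOOSE frame or truncated GOOSE header")
    appid, length = struct.unpack(">HH", frame[off:off + 4])  # then 4 reserved bytes
    if length < 8 or off + length > len(frame):
        raise GooseParseError("GOOSE length field inconsistent with frame")
    tag, pdu, end = _read_tlv(frame, off + 8)
    if tag != 0x61 or end != off + length:
        raise GooseParseError("goosePdu tag or length mismatch")
    fields, pos, prev = {}, 0, -1
    while pos < len(pdu):
        tag, val, pos = _read_tlv(pdu, pos)
        name = PDU_FIELDS.get(tag)
        if name is None or tag <= prev:  # unknown, repeated or out-of-order field
            raise GooseParseError(f"unexpected PDU tag 0x{tag:02x}")
        prev = tag
        if name == "allData":
            items, p = [], 0
            while p < len(val):
                t, v, p = _read_tlv(val, p)
                items.append(_decode_data(t, v))
            fields[name] = items
        elif name in ("gocbRef", "datSet", "goID"):
            fields[name] = val.decode("ascii")
        else:  # counters, booleans and the UTC timestamp are kept as integers
            fields[name] = int.from_bytes(val, "big", signed=True)
    if any(f not in fields for f in REQUIRED):
        raise GooseParseError("mandatory GOOSE field missing")
    if fields["numDatSetEntries"] != len(fields["allData"]):
        raise GooseParseError("numDatSetEntries does not match allData")
    fields.update(Source=src.hex(":"), Destination=dst.hex(":"), APPID=appid, length=len(frame))
    return fields


def classify_frame(frame):
    """A parse failure is the malformed-packet alarm of the detection flow."""
    try:
        return "ok", parse_goose(frame)
    except GooseParseError as exc:
        return "malformed", str(exc)


def build_goose_frame(go_id, st_num, sq_num, data, num_entries=None):
    """Constructed sample frame (not captured substation traffic)."""
    n = len(data) if num_entries is None else num_entries
    body = (_tlv(0x80, b"IED1CTRL/LLN0$GO$gcb01") + _tlv(0x81, b"\x27\x10")
            + _tlv(0x82, b"IED1CTRL/LLN0$dsGOOSE") + _tlv(0x83, go_id.encode("ascii"))
            + _tlv(0x84, bytes(8)) + _tlv(0x85, st_num.to_bytes(4, "big"))
            + _tlv(0x86, sq_num.to_bytes(4, "big")) + _tlv(0x87, b"\x00")
            + _tlv(0x88, b"\x01") + _tlv(0x89, b"\x00") + _tlv(0x8A, bytes([n]))
            + _tlv(0xAB, b"".join(data)))
    pdu = _tlv(0x61, body)
    return (bytes.fromhex("010ccd010001001122334455")  # dst (GOOSE multicast range), src
            + struct.pack(">HHHHH", GOOSE_ETHERTYPE, 0x0001, 8 + len(pdu), 0, 0) + pdu)


SAMPLE_DATA = [_tlv(0x83, b"\x01"), _tlv(0x85, (42).to_bytes(4, "big"))]  # boolean, integer
SAMPLE_FRAME = build_goose_frame("IED1_GO1", 3, 0, SAMPLE_DATA)
```

The dictionary returned by `parse_goose` carries the six fields of formula (1) (Source, Destination, APPID, goID, numDatSetEntries, allData) together with stNum, sqNum and the frame length, which the timing features need. Inconsistencies a crafted packet is likely to show (a length field that disagrees with the frame, a numDatSetEntries that does not match the dataset, duplicated or reordered PDU fields) are rejected before any feature is built.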
In one embodiment, the packet timing feature constructed in step S2.2 is:
where TimeMatrix denotes the packet timing feature, LenChange the change in GOOSE packet length, $\mathrm{Time}_\delta$ the inter-arrival intervals between the packets in the current window, $\mathrm{St\text{-}Sq}_\delta$ the feature obtained by merging the StNum and SqNum fields (StNum being the state number field and SqNum the sequence number field), and $\mathrm{AllData}_\delta$ the change of the fields within AllData.
Specifically, the packet timing features cover two aspects. The first is the correlation between packets, which mainly comprises the time relationship and the packet length relationship. The second is the correlation between fields: the StNum (state number) and SqNum (sequence number) fields carry the sequencing information of the current GOOSE packet, and the AllData field carries the state information of the current subscription, so the values of these fields are correlated with those of the preceding and following packets. To gather the timing features of several GOOSE packets into one traffic feature matrix, this embodiment uses a sliding window of fixed size to extract all data of the GOOSE packets in the current window. With a window size of $w$, the window contains the following packets, where PacketWindow is the window formed by all packets and $\mathrm{Packet}_w$ is the $w$-th packet in the window:
$\mathrm{PacketWindow} = [\mathrm{Packet}_w,\ \mathrm{Packet}_{w-1},\ \ldots,\ \mathrm{Packet}_1]$ (4)
Fig. 5 shows the GOOSE transmission mechanism. When no event occurs in the substation, the intelligent terminal sends a heartbeat packet at a fixed interval $T_0$; when an event occurs, the terminal immediately sends a GOOSE packet reporting it and then retransmits the updated packet at exponentially increasing intervals until it returns to sending heartbeats at interval $T_0$. Denoting the arrival time of the $w$-th packet in the window by $t_w$, the inter-arrival intervals $\mathrm{Time}_\delta$ between the packets in the current window are:
$\mathrm{Time}_\delta = [t_w - t_{w-1},\ t_{w-1} - t_{w-2},\ \ldots,\ t_2 - t_1]$ (5)
For the packet length relationship: because the GOOSE subscription relationship is stable, GOOSE packets normally have a fixed length, and a change in packet length is flagged by the following formula:
Because the StNum and SqNum fields count the packet sequence, the change in their values matters more than the values themselves. Therefore, in the same way as for the time intervals, the change of StNum and SqNum within the window is computed, where $\mathrm{St}_\delta$ is the change of StNum in the window, $\mathrm{Sq}_\delta$ the change of SqNum in the window, and $\mathrm{StNum}_i$ and $\mathrm{SqNum}_i$ the StNum and SqNum values of the $i$-th packet in the window:
$\mathrm{St}_\delta = [\mathrm{StNum}_w - \mathrm{StNum}_{w-1},\ \mathrm{StNum}_{w-1} - \mathrm{StNum}_{w-2},\ \ldots,\ \mathrm{StNum}_2 - \mathrm{StNum}_1]$ (7)
$\mathrm{Sq}_\delta = [\mathrm{SqNum}_w - \mathrm{SqNum}_{w-1},\ \mathrm{SqNum}_{w-1} - \mathrm{SqNum}_{w-2},\ \ldots,\ \mathrm{SqNum}_2 - \mathrm{SqNum}_1]$ (8)
SqNum changes together with StNum, so $\mathrm{St}_\delta$ and $\mathrm{Sq}_\delta$ are merged to combine the two features. The merging algorithm, named the Onion algorithm, is defined by the following formula:
where $M_1$ and $M_2$ are matrices of size $1 \times (w-1)$ and the remaining two symbols denote the $i$-th element of the first row of $M_1$ and $M_2$ respectively. Applying the Onion algorithm to $\mathrm{St}_\delta$ and $\mathrm{Sq}_\delta$ gives the merged feature matrix $\mathrm{St\text{-}Sq}_\delta$, which integrates the feature information of the StNum and SqNum fields:
$\mathrm{St\text{-}Sq}_\delta = \mathrm{Onion}(\mathrm{St}_\delta,\ \mathrm{Sq}_\delta)$ (10)
For the AllData field, the values in the normal state contain the current state of some devices in the dataset and some action information; when a dataset value in the subscription changes, the AllData field changes and the new dataset differs from the original one. The traffic feature matrix therefore focuses on the change within AllData: with $n$ dataset entries in the current subscription and $\mathrm{data}_{ij}$ denoting the $j$-th entry of the $i$-th packet in the window, the field change $\mathrm{AllData}_\delta$ is obtained in the same way:
in one embodiment, the GOOSE traffic characteristic matrix constructed in step S2 is:
GooseMatrix is GOOSE flow characteristic matrix.
Specifically, the GOOSE flow characteristics comprise field characteristics in the messages and time sequence characteristics among the messages, a GOOSE flow characteristic matrix is constructed from the two aspects, and a data set is formed as input data for training and testing a classification model.
In one embodiment, step S3 comprises:
labelling each GOOSE traffic feature matrix with the label of the most recently received packet in its window and assembling the labelled matrices into a training set, where a normal packet has label 0 and attack packets have labels 1 to 4, denoting replay attack, injection attack, flooding attack and malformed-packet attack respectively.
Fig. 3 shows the intelligent substation GOOSE attack scenario to which the method applies: an attacker's computer is connected to a process-layer switch and sends specially crafted GOOSE packets into the process-layer network to carry out the attack. The four main attack types are replay attack, injection attack, flooding attack and malformed-packet attack.
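The sliding window of formula (4), the difference vectors of formulas (5), (7) and (8), and the window labelling of step S3 can be run over a small constructed capture as follows. This is an added example, not the patent's code: the packets are constructed dicts (a heartbeat at $T_0$, an event with StNum incremented and SqNum reset, the exponential retransmissions, then a replayed pre-event packet); the definitions of LenChange and $\mathrm{AllData}_\delta$ and the stacking order of TimeMatrix are assumptions, and the Onion merge of formula (9) is not reproduced because the page does not give it, so $\mathrm{St}_\delta$ and $\mathrm{Sq}_\delta$ are kept as separate rows.

```python
def make_packet(t_ms, st_num, sq_num, all_data, length=130, label=0):
    """One parsed GOOSE packet as the feature extractor sees it (constructed values)."""
    return {"t": t_ms, "stNum": st_num, "sqNum": sq_num,
            "allData": list(all_data), "length": length, "label": label}


def sliding_windows(packets, w):
    """Formula (4): each run of w consecutive packets, oldest first (Packet_1 ... Packet_w)."""
    return [packets[i:i + w] for i in range(len(packets) - w + 1)]


def _delta(window, key):
    """[x_w - x_{w-1}, x_{w-1} - x_{w-2}, ..., x_2 - x_1], newest pair first, as in (5), (7), (8)."""
    xs = [p[key] for p in window]
    return [xs[i] - xs[i - 1] for i in range(len(xs) - 1, 0, -1)]


def timing_features(window):
    """The components of TimeMatrix for one window."""
    n = len(window[0]["allData"])
    pairs = range(len(window) - 1, 0, -1)  # newest pair first, same order as _delta
    return {
        "Time_delta": _delta(window, "t"),                             # (5)
        "LenChange": [int(d != 0) for d in _delta(window, "length")],  # assumption: 1 where length changed
        "St_delta": _delta(window, "stNum"),                           # (7)
        "Sq_delta": _delta(window, "sqNum"),                           # (8)
        # assumption: one row per dataset entry j, 1 where data_ij differs from data_(i-1)j
        "AllData_delta": [[int(window[i]["allData"][j] != window[i - 1]["allData"][j])
                           for i in pairs] for j in range(n)],
    }


def time_matrix(window):
    """TimeMatrix as rows of length w-1 (row order assumed; no Onion merge)."""
    f = timing_features(window)
    return [f["Time_delta"], f["LenChange"], f["St_delta"], f["Sq_delta"]] + f["AllData_delta"]


def window_label(window):
    """Step S3: the window takes the label of its most recently received packet."""
    return window[-1]["label"]


# Constructed capture: heartbeats every T0 = 1000 ms, an event at 1500 ms (StNum 2 -> 3,
# SqNum reset to 0, retransmissions after 2, 4 and 8 ms), then a replayed pre-event packet.
PACKETS = [
    make_packet(0,    2, 4, [False, 0]),
    make_packet(1000, 2, 5, [False, 0]),
    make_packet(1500, 3, 0, [True, 0]),
    make_packet(1502, 3, 1, [True, 0]),
    make_packet(1506, 3, 2, [True, 0]),
    make_packet(1514, 3, 3, [True, 0]),
    make_packet(1520, 2, 5, [False, 0], label=1),  # replay attack (label 1)
]
```

With $w = 4$ the first window spans the legitimate event and shows $\mathrm{St}_\delta$ containing +1 at the same position where $\mathrm{Sq}_\delta$ drops to −5 and an AllData entry flips, which is what the transmission mechanism of Fig. 5 predicts; the last window, which ends on the replayed packet, shows $\mathrm{St}_\delta$ going to −1 with a dataset entry reverting, a pattern a normal publisher never produces, and carries label 1 because its newest packet is the attack packet.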
In one embodiment, step S4 comprises:
S4.1: building an AlexNet neural network model on the PyTorch framework. The model has 9 layers: the first layer is the input layer, which receives the GOOSE traffic feature matrix built from the parsed GOOSE traffic; the second and third layers are convolution layers of the first type, each consisting of convolution, activation, pooling and normalisation; the fourth and fifth layers are convolution layers of the second type, consisting of convolution and activation; the sixth layer is a convolution layer of the third type, consisting of convolution, activation and pooling; the seventh, eighth and ninth layers are two fully connected layers and the output layer, which classify the input GOOSE traffic feature matrix through the fully connected layers and a softmax function and output the detection result;
S4.2: improving the AlexNet model and using the improved model as the GOOSE network attack detection model over the traffic feature matrix, where the improvements comprise: replacing ReLU with Leaky ReLU as the activation function of the convolution layers, replacing local response normalisation with batch normalisation, and changing the dimensions of the output layer and the fully connected layers;
S4.3: feeding the labelled GOOSE traffic feature matrix training set to the model, training the GOOSE network attack detection model over the traffic feature matrix for multiple epochs, and saving the best model obtained during training.
Fig. 6 shows the improved AlexNet architecture used to train the detection model in the method according to the embodiment of the invention.
Specifically, the invention improves the AlexNet model in the following three respects:
(1) Optimising the activation function.
AlexNet uses ReLU as its activation function. Because ReLU is one-sided, when a neuron's input is below 0 its weights receive no update and the neuron becomes inactive. Leaky ReLU is therefore used instead of ReLU as the activation function of the convolution layers: it modifies ReLU by adding a small fixed parameter $a$ so that neurons do not die, as shown in the following formula:
The ReLU activations of the five convolution layers Conv1, Conv2, Conv3, Conv4 and Conv5 of AlexNet are all replaced by Leaky ReLU.
(2) Optimising the normalisation method.
AlexNet normalises the values in its convolution layers with local response normalisation (LRN), but later studies showed that LRN has little effect on model performance. Batch normalisation (BN) mitigates vanishing and exploding gradients during training, reduces the sensitivity to the learning rate and improves model performance. The original LRN layers are therefore removed and BN is inserted after the convolution and before the activation function. The BN formula is:
where $X$ is the input data, $Y$ the output data, $\beta$ and $\gamma$ the shift and scale parameters (both trained by back-propagation), $\epsilon$ a small positive constant, $m$ the number of inputs, $\mu$ the mean of the inputs and $\sigma$ their standard deviation.
(3) And optimizing parameters of the full connection layer.
The fully connected layers perform the final classification task of the network. The original output layer dimension of AlexNet is 1000, but in the method of the invention it is changed to 5 because there are 5 output classes in total. In addition, the fully connected layers have considerable parameter redundancy: a large number of parameters, a large model footprint and a long training time. The method therefore reduces the fully connected layer dimensions in the model from 4096 to 1024 and 512 for the FC6 and FC7 layers respectively. Experimental results show that reducing the fully connected layer dimension shortens the training time without reducing the classification accuracy.
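To make the changes of items (1) and (2) concrete, the following is an added example in pure Python (it is not the patent's code and does not use PyTorch): Leaky ReLU with its gradient beside plain ReLU, and training-mode batch normalization over a batch of m inputs applied in the order the improved model uses (BN after the convolution output, before the activation). The slope a = 0.01 and the sample batch are assumptions of this example.

```python
import math

ALPHA = 0.01  # the "small fixed parameter a" of Leaky ReLU; the value is an assumption here


def relu(x):
    return x if x > 0.0 else 0.0


def relu_grad(x):
    # Gradient of ReLU: zero for every negative input, so a neuron whose
    # pre-activation stays negative never receives a weight update ("dead" neuron).
    return 1.0 if x > 0.0 else 0.0


def leaky_relu(x, alpha=ALPHA):
    # Leaky ReLU: identity for positive input, a small slope alpha otherwise.
    return x if x > 0.0 else alpha * x


def leaky_relu_grad(x, alpha=ALPHA):
    # The gradient never reaches zero, which is what keeps the neuron trainable.
    return 1.0 if x > 0.0 else alpha


def batch_norm(batch, gamma, beta, eps=1e-5):
    """Training-mode batch normalization over a batch of m feature rows.

    batch: list of m equal-length rows (one row per input X).
    gamma, beta: per-feature scaling and shift parameters (trainable in BN).
    eps: the small positive constant that keeps the division well defined.
    Returns the list of output rows Y = gamma * (X - mean) / sqrt(var + eps) + beta.
    """
    m = len(batch)
    n = len(batch[0])
    mean = [sum(row[j] for row in batch) / m for j in range(n)]
    var = [sum((row[j] - mean[j]) ** 2 for row in batch) / m for j in range(n)]
    return [[gamma[j] * (row[j] - mean[j]) / math.sqrt(var[j] + eps) + beta[j]
             for j in range(n)] for row in batch]


def conv_block_post(pre_activations, gamma, beta):
    # Order used by the improved model: BN on the convolution output, then Leaky ReLU.
    normed = batch_norm(pre_activations, gamma, beta)
    return [[leaky_relu(v) for v in row] for row in normed]


def column_stats(rows, j):
    # Mean and standard deviation of feature column j (used to check the BN output).
    m = len(rows)
    mean = sum(r[j] for r in rows) / m
    std = math.sqrt(sum((r[j] - mean) ** 2 for r in rows) / m)
    return mean, std


if __name__ == "__main__":
    sample = [[1.0, 2.0], [3.0, 4.0], [5.0, 6.0]]  # constructed batch, m = 3, n = 2
    print("ReLU grad at -1:", relu_grad(-1.0), "Leaky ReLU grad at -1:", leaky_relu_grad(-1.0))
    print("BN output column 0 (mean, std):", column_stats(batch_norm(sample, [1, 1], [0, 0]), 0))
```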
Referring to fig. 2, the steps of the intelligent substation network attack detection method based on GOOSE flow characteristics provided by the embodiment of the invention are shown.
When parsing the GOOSE flow to be detected, if parsing according to the GOOSE protocol standard cannot be completed normally, the message structure does not conform to the protocol standard and a GOOSE malformed message attack alarm is raised. Otherwise, a GOOSE flow characteristic matrix is constructed according to the preceding steps (S1 and S2) and input into the trained detection model to obtain the flow detection result.
Referring to fig. 7, the intelligent substation network attack detection algorithm based on GOOSE flow characteristics provided by the invention achieves a good detection effect in different application scenarios. In fig. 7, Accuracy denotes the accuracy, that is, the proportion of correctly classified samples among all samples, and F1 denotes the F1 score, that is, the harmonic mean of precision and recall. As can be seen from the figure, the GOOSE network attack detection obtains a higher accuracy and F1 score, so its effect is better than that of the other machine learning or deep learning methods compared.
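The parse-or-alarm step above, together with the window features of S2.2 (LenChange, Time delta, St-Sq delta, AllData delta) listed in claim 1, as an added example in Python that is not the patent's own code. It assumes the IEC 61850-8-1 BER tag layout of IECGoosePdu, builds its own constructed frames (no captured traffic), and uses its own encodings for the St-Sq delta and AllData delta columns, since the patent names the fields they combine but not the formula.

```python
import struct

GOOSE_ETHERTYPE = 0x88B8
PDU_TAG = 0x61  # IECGoosePdu, BER tag [APPLICATION 1]
# Context-specific tags inside IECGoosePdu (IEC 61850-8-1); INT_TAGS are decoded as integers.
TAGS = {0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet", 0x83: "goID", 0x84: "t",
        0x85: "stNum", 0x86: "sqNum", 0x87: "simulation", 0x88: "confRev", 0x89: "ndsCom",
        0x8A: "numDatSetEntries", 0xAB: "allData"}
INT_TAGS = (0x81, 0x85, 0x86, 0x88, 0x8A)


class MalformedGoose(Exception):
    """The frame cannot be parsed according to the GOOSE protocol standard."""


def _tlv(buf, pos, end):
    # One BER TLV with short- or long-form definite length; any overrun is a structural error.
    if pos + 2 > end:
        raise MalformedGoose("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise MalformedGoose("bad long-form length")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > end:
        raise MalformedGoose("TLV length exceeds enclosing structure")
    return tag, buf[pos:pos + ln], pos + ln


def parse_goose(frame):
    """Return header and PDU field values of one Ethernet GOOSE frame, else raise MalformedGoose."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != GOOSE_ETHERTYPE:
        raise MalformedGoose("not a GOOSE frame")
    appid, length = struct.unpack("!HH", frame[14:18])
    end = 14 + length  # Length counts from APPID to the end of the APDU; Ethernet padding may follow
    if length < 8 or end > len(frame):
        raise MalformedGoose("length field disagrees with frame size")
    tag, body, _ = _tlv(frame, 22, end)  # four reserved bytes precede the PDU
    if tag != PDU_TAG:
        raise MalformedGoose("missing IECGoosePdu tag")
    fields = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(), "appid": appid, "len": len(frame)}
    pos = 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos, len(body))
        if t not in TAGS:
            raise MalformedGoose("unexpected PDU tag 0x%02x" % t)
        fields[TAGS[t]] = int.from_bytes(v, "big") if t in INT_TAGS else bytes(v)
    for req in ("goID", "stNum", "sqNum", "numDatSetEntries", "allData"):
        if req not in fields:
            raise MalformedGoose("missing mandatory field " + req)
    return fields


def build_goose(st, sq, booleans, goid=b"WHU_GOOSE1", appid=0x1000):
    # Constructed sample frame for this example (short-form BER lengths only), not captured traffic.
    enc = lambda tag, val: bytes([tag, len(val)]) + val
    pdu = (enc(0x80, b"IED1/LLN0$GO$gcb1") + enc(0x81, b"\x27\x10") + enc(0x82, b"IED1/LLN0$DS1")
           + enc(0x83, goid) + enc(0x84, bytes(8)) + enc(0x85, bytes([st])) + enc(0x86, bytes([sq]))
           + enc(0x87, b"\x00") + enc(0x88, b"\x01") + enc(0x89, b"\x00") + enc(0x8A, bytes([len(booleans)]))
           + enc(0xAB, b"".join(enc(0x83, bytes([b])) for b in booleans)))  # Data boolean is tag [3]
    apdu = enc(PDU_TAG, pdu)
    hdr = bytes.fromhex("010ccd010001" "001122334455" "88b8")  # multicast dst, constructed src, ethertype
    return hdr + struct.pack("!HH", appid, 8 + len(apdu)) + bytes(4) + apdu


def window_features(frames, times):
    """TimeMatrix-style rows [LenChange, TimeDelta, dStNum, dSqNum, AllDataChanged] for one window.
    The encodings of the St-Sq delta and AllData delta columns are this example's assumption."""
    parsed = [parse_goose(f) for f in frames]
    return [[c["len"] - p["len"], round(tc - tp, 6), c["stNum"] - p["stNum"],
             c["sqNum"] - p["sqNum"], int(c["allData"] != p["allData"])]
            for p, c, tp, tc in zip(parsed, parsed[1:], times, times[1:])]


def detect(frames, times):
    # Fig. 2 flow: traffic that fails standard parsing is alarmed as a malformed-message attack at once;
    # otherwise the feature rows are what would be fed to the trained detection model.
    try:
        return "ok", window_features(frames, times)
    except MalformedGoose as exc:
        return "alarm: GOOSE malformed message (%s)" % exc, None
```

A normal retransmission shows up as dStNum 0 and dSqNum +1, while a state change shows dStNum +1 with the sequence counter falling back to 0; the trained model, not this code, decides what the other combinations mean.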
Example two
Based on the same inventive concept, the embodiment discloses an intelligent substation network attack detection device based on GOOSE flow characteristics, which comprises:
The message acquisition and parsing module is used for collecting GOOSE messages with known attack types, parsing the message fields in the GOOSE messages with known attack types, and acquiring each field value in the messages;
The feature matrix construction module is used for constructing message field features and message time sequence features according to the acquired field values in combination with the GOOSE protocol characteristics, and constructing a GOOSE flow feature matrix;
The marking module is used for marking the constructed GOOSE flow characteristic matrix and packaging the GOOSE flow characteristic matrix into a training set;
the model construction module is used for constructing a GOOSE network attack detection model based on the flow characteristic matrix based on the training set and the deep learning algorithm;
The detection module is used for collecting GOOSE messages to be detected in the actual environment, constructing a corresponding GOOSE flow characteristic matrix, inputting the GOOSE flow characteristic matrix into a GOOSE network attack detection model based on the flow characteristic matrix, and outputting a detection result.
Because the device described in the second embodiment of the present invention is a device used for implementing the intelligent substation network attack detection method based on GOOSE flow characteristics of the first embodiment, a person skilled in the art can, on the basis of the method described in the first embodiment, understand the specific structure and variations of the device, and the detailed description thereof is therefore omitted herein. All devices used in the method of the first embodiment of the present invention are within the scope of the present invention.
Example three
Based on the same inventive concept, the present invention also provides a computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, implements the method as described in embodiment one.
Because the computer readable storage medium introduced in the third embodiment of the present invention is a computer readable storage medium used for implementing the intelligent substation network attack detection method based on GOOSE flow characteristics of the first embodiment, a person skilled in the art can, on the basis of the method introduced in the first embodiment, understand the specific structure and variations of the computer readable storage medium, and the detailed description thereof is therefore omitted herein. All computer readable storage media used in the method of the first embodiment of the present invention are included in the scope of protection.
Example four
Based on the same inventive concept, the application also provides a computer device, comprising a memory, a processor and a computer program stored on the memory and running on the processor, wherein the processor executes the program to implement the method in the first embodiment.
Because the computer device described in the fourth embodiment of the present invention is a computer device used for implementing the intelligent substation network attack detection method based on GOOSE flow characteristics of the first embodiment, a person skilled in the art can, on the basis of the method described in the first embodiment, understand the specific structure and variations of the computer device, and the detailed description thereof is therefore omitted herein. All computer devices used in the method of the first embodiment of the present invention are within the scope of the present invention.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention. It will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims and the equivalents thereof, the present invention is also intended to include such modifications and variations.

Claims (4)

1. The intelligent substation network attack detection method based on GOOSE flow characteristics is characterized by comprising the following steps of:
S1: collecting GOOSE messages with known attack types, parsing the message fields in the GOOSE messages with known attack types, and obtaining each field value in the messages;
S2: according to the obtained field value and combining with GOOSE protocol characteristics, constructing message field characteristics and message time sequence characteristics, and constructing a GOOSE flow characteristic matrix;
S3: marking the constructed GOOSE flow characteristic matrix, and packaging the GOOSE flow characteristic matrix into a training set;
s4: constructing a GOOSE network attack detection model based on a flow characteristic matrix based on a training set and a deep learning algorithm;
S5: acquiring a GOOSE message to be detected in an actual environment, constructing a corresponding GOOSE flow characteristic matrix, inputting the GOOSE flow characteristic matrix into a GOOSE network attack detection model based on the flow characteristic matrix, and outputting a detection result;
according to the obtained field value and combining GOOSE protocol characteristics, the message field characteristics and the message time sequence characteristics are constructed, and the method comprises the following steps:
S2.1: constructing a character segment characteristic according to the acquired field value;
S2.2: according to the relevance between the messages and the relevance between the fields, constructing a message time sequence characteristic;
The message field feature constructed in step S2.1 is as follows:
where FieldMatrix denotes the message field feature, Source denotes the source MAC address, Destination denotes the destination MAC address, APPID denotes the application identifier, GoID denotes the GOOSE identifier, NumDatSetEntries denotes the number of AllData field entries, and AllData denotes the GOOSE dataset;
the message time sequence feature constructed in step S2.2 is as follows:
where TimeMatrix denotes the message time sequence feature, LenChange denotes the GOOSE message length change, Time delta denotes the time interval information between messages in the current window, St-Sq delta denotes the feature information obtained by integrating the StNum and SqNum fields, the StNum field being the message state sequence number field and the SqNum field being the message sequence number field, and AllData delta denotes the field change information in AllData;
the GOOSE flow characteristic matrix constructed in step S2 is as follows:
where GooseMatrix is the GOOSE flow characteristic matrix;
The step S3 comprises the following steps:
For a GOOSE flow characteristic matrix, a latest received message label in a window is used as a matrix label, the GOOSE flow characteristic matrix is marked to form a training set, wherein the label of a normal message is 0, and the label of an attack type message is 1-4, which respectively represent replay attack, injection attack, flooding attack and malformed message attack;
The step S4 includes:
S4.1: constructing an AlexNet neural network model based on the PyTorch framework, wherein the AlexNet neural network model comprises 9 layers: the first layer is an input layer for inputting the GOOSE flow characteristic matrix constructed from GOOSE flow parsing; the second layer and the third layer are convolution layers of the first type, comprising convolution, activation function, pooling and normalization operations; the fourth layer and the fifth layer are convolution layers of the second type, comprising convolution and activation function operations; the sixth layer is a convolution layer of the third type, comprising convolution, activation function and pooling operations; the seventh, eighth and ninth layers are two fully connected layers and an output layer respectively, and the input GOOSE flow characteristic matrix is detected through the fully connected layers and a softmax function, and the detection result is output;
S4.2: improving the AlexNet neural network model, and taking the improved model as the GOOSE network attack detection model based on the flow characteristic matrix, wherein the improvements comprise: using Leaky ReLU instead of ReLU as the activation function of the convolution layers, using a batch normalization algorithm instead of the local response normalization algorithm, and modifying the dimensions of the output layer and the fully connected layers;
S4.3: and taking the marked GOOSE flow characteristic matrix training set as a model input, carrying out multi-round training on the GOOSE network attack detection model based on the flow characteristic matrix, and storing an optimal model in the training process.
2. An intelligent substation network attack detection device based on GOOSE flow characteristics, characterized by comprising:
The message acquisition and parsing module is used for collecting GOOSE messages with known attack types, parsing the message fields in the GOOSE messages with known attack types, and acquiring each field value in the messages;
The feature matrix construction module is used for constructing message field features and message time sequence features according to the acquired field values in combination with the GOOSE protocol characteristics, and constructing a GOOSE flow feature matrix;
The marking module is used for marking the constructed GOOSE flow characteristic matrix and packaging the GOOSE flow characteristic matrix into a training set;
the model construction module is used for constructing a GOOSE network attack detection model based on the flow characteristic matrix based on the training set and the deep learning algorithm;
The detection module is used for collecting GOOSE messages to be detected in an actual environment, constructing a corresponding GOOSE flow characteristic matrix, inputting the GOOSE flow characteristic matrix into a GOOSE network attack detection model based on the flow characteristic matrix, and outputting a detection result;
The feature matrix construction module is specifically configured to execute the following steps:
S2.1: constructing a character segment characteristic according to the acquired field value;
S2.2: according to the relevance between the messages and the relevance between the fields, constructing a message time sequence characteristic;
The message field feature constructed in step S2.1 is as follows:
where FieldMatrix denotes the message field feature, Source denotes the source MAC address, Destination denotes the destination MAC address, APPID denotes the application identifier, GoID denotes the GOOSE identifier, NumDatSetEntries denotes the number of AllData field entries, and AllData denotes the GOOSE dataset;
the message time sequence feature constructed in step S2.2 is as follows:
where TimeMatrix denotes the message time sequence feature, LenChange denotes the GOOSE message length change, Time delta denotes the time interval information between messages in the current window, St-Sq delta denotes the feature information obtained by integrating the StNum and SqNum fields, the StNum field being the message state sequence number field and the SqNum field being the message sequence number field, and AllData delta denotes the field change information in AllData;
the GOOSE flow characteristic matrix constructed in the feature matrix construction module is as follows:
where GooseMatrix is the GOOSE flow characteristic matrix;
The marking module is specifically used for:
For a GOOSE flow characteristic matrix, a latest received message label in a window is used as a matrix label, the GOOSE flow characteristic matrix is marked to form a training set, wherein the label of a normal message is 0, and the label of an attack type message is 1-4, which respectively represent replay attack, injection attack, flooding attack and malformed message attack;
The model construction module is specifically configured to execute the following steps:
S4.1: constructing an AlexNet neural network model based on the PyTorch framework, wherein the AlexNet neural network model comprises 9 layers: the first layer is an input layer for inputting the GOOSE flow characteristic matrix constructed from GOOSE flow parsing; the second layer and the third layer are convolution layers of the first type, comprising convolution, activation function, pooling and normalization operations; the fourth layer and the fifth layer are convolution layers of the second type, comprising convolution and activation function operations; the sixth layer is a convolution layer of the third type, comprising convolution, activation function and pooling operations; the seventh, eighth and ninth layers are two fully connected layers and an output layer respectively, and the input GOOSE flow characteristic matrix is detected through the fully connected layers and a softmax function, and the detection result is output;
S4.2: improving the AlexNet neural network model, and taking the improved model as the GOOSE network attack detection model based on the flow characteristic matrix, wherein the improvements comprise: using Leaky ReLU instead of ReLU as the activation function of the convolution layers, using a batch normalization algorithm instead of the local response normalization algorithm, and modifying the dimensions of the output layer and the fully connected layers;
S4.3: and taking the marked GOOSE flow characteristic matrix training set as a model input, carrying out multi-round training on the GOOSE network attack detection model based on the flow characteristic matrix, and storing an optimal model in the training process.
3. A computer readable storage medium, on which a computer program is stored, which program, when being executed by a processor, implements the method according to claim 1.
4. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of claim 1 when executing the program.
CN202311825146.5A 2023-12-27 2023-12-27 Intelligent substation network attack detection method and device based on GOOSE flow characteristics Active CN117834236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311825146.5A CN117834236B (en) 2023-12-27 2023-12-27 Intelligent substation network attack detection method and device based on GOOSE flow characteristics

Publications (2)

Publication Number Publication Date
CN117834236A CN117834236A (en) 2024-04-05
CN117834236B true CN117834236B (en) 2024-07-02

Family

ID=90505376

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant