WO2015160010A1 - Abnormal behavior detection system in a smart grid AMI network, and method using the same - Google Patents


Info

Publication number
WO2015160010A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
information
state transition
smart grid
packet
Prior art date
Application number
PCT/KR2014/003366
Other languages
English (en)
Korean (ko)
Inventor
신인철
김신규
서정택
Original Assignee
한국전자통신연구원

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00  Arrangements for monitoring or testing data switching networks

Definitions

  • The present invention relates to a technology for responding to various cyber attacks targeting controllers in a smart grid AMI (Advanced Metering Infrastructure) system, namely an abnormal behavior detection system in a smart grid AMI network that operates through network packet analysis, and a method using the same (ABNORMAL BEHAVIOR DETECTION SYSTEM IN SMART GRID ADVANCED METERING INFRASTRUCTURE NETWORK AND METHOD USING THE SAME).
  • AMI Advanced Metering Infrastructure
  • Smart meters play an important role in the Advanced Metering Infrastructure (AMI), which has evolved from the earlier one-way automatic meter reading (AMR) system to enable two-way data communication between consumers and utilities. They can be said to be the target devices with the greatest damage ripple effect when a cyber attack occurs on the smart grid system.
  • AMR automatic meter reading system
  • NAN Network Area Network
  • DCU Data Concentration Unit
  • Because the smart grid AMI network is composed of embedded devices designed and manufactured with limited system resources, it is impossible to apply the intrusion detection and network anomaly detection systems that rely on the abundant system resources of the existing Internet environment.
  • Unlike terminals in the existing Internet environment, the smart grid AMI system performs its functions according to a predetermined routine and therefore has only limited system resources. Because of this operating environment the various embedded devices of the smart grid AMI system have security weaknesses, yet an improvement in system performance is hard to expect because of problems such as increased device manufacturing cost.
  • The technical problem to be solved by the present invention is to detect, in a short time, anomalies in the communication traffic between devices that use the smart grid AMI protocol and that have only limited system resources because they perform functions according to a predetermined routine.
  • An object of the present invention is to provide higher security at a lower cost by performing intrusion detection and anomaly detection on smart grid AMI embedded devices that use the same protocol, without adding further hardware.
  • An object of the present invention is to implement a simpler and more economical detection function than the network traffic anomaly detection systems operating in the existing Internet environment, by exploiting the characteristics of the smart grid AMI network environment.
  • The abnormal behavior detection system of a monitoring device in the smart grid AMI network includes: a network packet receiving device that receives network packets in the smart grid AMI network and identifies a target protocol packet to be monitored; a packet analyzer for separating the header and payload of the target protocol packet; a device information storage device for providing device information of the device corresponding to the header; a device state transition information storage device for updating the device state transition information of the device corresponding to the device information and detecting the occurrence of abnormal behavior based on that device state transition information; and a network packet transmission device configured to deliver the target protocol packet only when no abnormal behavior is detected.
  • The abnormal behavior detection method comprises: receiving, by the network packet receiving apparatus, network packets in the smart grid AMI network and identifying the target protocol packet to be monitored; separating, by the packet analyzer, the header and payload of the target protocol packet; providing, by the device information storage device, device information of the device corresponding to the header; updating, by the device state transition information storage device, the device state transition information of the device corresponding to the device information, and detecting the occurrence of abnormal behavior based on that information; and forwarding the target protocol packet only when no abnormal behavior is detected.
  • Devices performing traffic monitoring in the smart grid AMI network maintain and update the network state transition information of all devices through communication packet analysis. Through this, packets that violate the network protocol and interfere with the normal operation of the target device are detected and identified as anomalous. More specifically, unlike the prior art, the present invention provides a method for identifying a message that induces an abnormal state transition by analyzing the network state transition information of all devices, obtained by analyzing communication packets that use the smart grid AMI protocol. This method allows devices using the same protocol to detect intrusions and abnormal behaviors without additional hardware, thereby providing higher security at a lower cost.
  • FIG. 1 is a view schematically illustrating a smart grid AMI network anomaly detection system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a method for detecting anomalous behavior in a smart grid AMI network according to an embodiment of the present invention.
  • FIG. 3 is an example of a data structure for maintaining and updating device state information in the device information storage device.
  • FIG. 4 is the device state information structure in the device state transition information storage device.
  • The present invention relates to a lightweight state transition information tracking system for the embedded devices and network devices in the system, based on smart grid AMI protocol packet analysis.
  • In a smart grid AMI network, the state transition information of all devices can be tracked by analyzing the network traffic packets exchanged between embedded systems that perform only the tasks defined by the corresponding protocol. This is possible because the message delivery paths of a smart grid AMI network are not fluid: they are maintained and managed through configuration. In other words, the network environment has the characteristic that a message to a specific device can reach it only through predetermined devices. By exploiting this environmental characteristic, the state transition information of destination devices can be maintained by analyzing the network communication messages that pass through any device, and packets causing abnormal behavior can be detected from that information. In addition, even in a fluidly changing network, every device is connected to at least one relay or network device, so state transition information can be maintained through such devices.
  • In order to respond to cyber attacks targeting the smart grid AMI network, the present invention tracks the state transition information of network devices by analyzing smart grid AMI (Advanced Metering Infrastructure) protocol communication packets, and confirms for each transition that it is legitimate under the smart grid AMI communication protocol.
  • If it is not, the packet is identified as abnormal behavior and discarded. This detection method is possible because of the difference in communication environment between the smart grid AMI environment and the Internet environment. In other words, while the transmission path of communication packets is flexible in the Internet environment, the communication path between any two devices does not change in the smart grid network.
  • The difference is that, in the Internet environment, the path is diversified because of network congestion. Thanks to this characteristic it is possible to track the network state transition information of smart grid AMI devices, and thus to configure the abnormal behavior detection system targeting the smart grid AMI network protocol according to the present invention.
  • An object of the present invention is to implement a more lightweight detection function than the network traffic anomaly detection systems operating in the existing Internet environment, by exploiting the characteristics of the smart grid AMI network environment. This makes it possible to efficiently configure anomaly detection systems that can be used in smart grid AMI embedded devices and network devices.
  • Devices performing traffic monitoring in the smart grid AMI network maintain and update the network state transition information of target devices through communication packet analysis. Through this, packets that violate the network protocol and interfere with the normal operation of the target device are detected and identified as anomalous.
  • The present invention identifies messages that induce abnormal state transitions by analyzing the network state transition information of all devices, obtained from analysis of communication packets that use the smart grid AMI protocol. This method allows devices using the same protocol to detect intrusions and anomalies without additional hardware, thereby providing higher security at a lower cost.
  • FIG. 1 is a block diagram illustrating an anomaly detection system of a smart grid AMI network according to an embodiment of the present invention.
  • An abnormal behavior detection system in a smart grid AMI network includes a network packet receiver 101, a packet analyzer 102, a device information storage device 103, a device state transition information storage device 104, and a network packet transmission device 105.
  • The network packet receiver 101 may be implemented in a network device such as a terminal, a message delivery device, a router, or a switch in the smart grid AMI network, and analyzes and interprets messages that use the target protocol which is the object of anomaly detection. That is, any device capable of packet monitoring is a candidate for the network packet receiving apparatus 101.
  • The network packet receiving apparatus 101 receives all packets arriving through the network communication unit, checks for a target protocol packet to be monitored, and then transfers the identified target protocol packet to the packet analyzer 102.
  • The packet analyzer 102 separates the protocol header from the payload and passes the packet header to the device information storage device 103.
  • The device information storage device 103 looks up the device by the receiving device address in the received packet header and transfers the device information to the device state transition information storage device 104.
  • The device state transition information storage device 104 updates the device state transition information; when abnormal behavior occurs it does not pass the packet to the network packet transmission device 105, and it forwards the packet only when there is no error. The packet is thereby filtered at the forwarding step.
  • FIG. 2 is a diagram illustrating an anomaly detection method in a smart grid AMI network according to an embodiment of the present invention.
  • In the method for detecting anomalous behavior in the smart grid AMI network, when the network packet received through the network packet receiver 101 belongs to the protocol under anomaly detection and is interpretable, the received contents are delivered to the packet analyzer 102.
  • The packet analyzer 102 separates the header and payload of the received packet to determine whether there is a simple abnormality in the protocol information, and transfers the header of the received packet to the device information storage device 103 to obtain the device information corresponding to the destination address.
  • The device state transition information storage device 104 updates the state transition information of the device using the device's identification information, and confirms from that information whether the device's state transition is safe. Only when the state transition is safe is the packet sent to the network packet transmitter 105.
  • FIG. 3 is a diagram describing the method of maintaining device information in the device information storage device 103.
  • The device information storage device 103 basically maps each network device to one node and maintains a binary tree keyed by node ID (or a unique number such as an address value).
  • The node (device) accessed through the address value of a packet collected by the network packet receiver 101 of the monitoring device is raised by one level in the tree structure. This increases the locality of the tree, allowing faster access to the node when further messages for the same destination arrive.
  • In this way, a device generating DoS attack traffic can also be identified.
  • When a node is raised by one level, a parent node may be missing. In that case the parent is branched through a dummy node so that the binary tree format is maintained.
  • FIG. 3 illustrates an example of the structure update process on a second access to a node, where a black node is a device node and a white node is a dummy node.
  • FIG. 4 illustrates the structure of device state information in the smart grid device state transition information storage device 104 according to an embodiment of the present invention.
  • This basically converts the information of the header fields that cause device state transitions in the smart grid AMI protocol into binary values, builds a binary graph from them, maintains that graph, and navigates through it as packets arrive. If navigation leaves the graph, a message carrying the allowed header values did not arrive, and this is detected and identified as an anomaly. When abnormal behavior occurs, the message is filtered and not transmitted to the network packet transmitter 105. Otherwise, the state information is updated so that the device points to the corresponding state node of the binary graph.
  • FIG. 4 is an example of a state transition information structure in which a state transition instruction "0110" should be received after a state transition instruction "0101".
  • If a command other than "0110" is received after "0101", it can be detected as abnormal behavior.
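As an added illustration (not code from the patent or its assignee), the following Python sketch implements the FIG. 2 / FIG. 4 logic: a constructed frame format (a 2-byte protocol marker, a 2-byte destination address, and a command byte whose low nibble is the 4-bit state-transition instruction), an allowed-transition graph that encodes the "0110 must follow 0101" rule plus two further constructed states, and a per-device filter that forwards, drops, or bypasses each packet. The frame layout, the marker, and the extra states are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAGIC = b"AM"  # constructed 2-byte marker identifying the monitored target protocol


@dataclass(frozen=True)
class Packet:
    dst: int        # destination device address (16-bit, constructed format)
    command: str    # 4-bit state-transition instruction, e.g. "0101"
    payload: bytes


def build_packet(dst: int, command: str, payload: bytes = b"") -> bytes:
    """Serialize a constructed target-protocol frame: MAGIC | dst(2) | cmd(1) | payload."""
    return MAGIC + dst.to_bytes(2, "big") + bytes([int(command, 2)]) + payload


def parse_packet(raw: bytes) -> Optional[Packet]:
    """Packet analyzer (102): split header from payload. None means the header
    itself is malformed, i.e. the 'simple abnormality of the protocol information'."""
    if len(raw) < 5:
        return None
    dst = int.from_bytes(raw[2:4], "big")
    command = format(raw[4] & 0x0F, "04b")   # low nibble carries the instruction
    return Packet(dst, command, raw[5:])


# Allowed-transition graph in the style of FIG. 4: last accepted command -> set of
# commands that may legitimately follow. None is the root for a device with no
# history. Only the "0101" -> "0110" edge comes from the patent; the rest is constructed.
ALLOWED: Dict[Optional[str], Set[str]] = {
    None:   {"0101"},
    "0101": {"0110"},
    "0110": {"0111"},
    "0111": {"0101"},
}


class StateTransitionMonitor:
    """Device state transition information storage (104) together with the
    forward/drop decision that feeds the network packet transmitter (105)."""

    def __init__(self, graph: Dict[Optional[str], Set[str]]):
        self.graph = graph
        self.state: Dict[int, Optional[str]] = {}   # dst -> last accepted command
        self.alerts: List[Tuple[str, Optional[int], str]] = []

    def filter(self, raw: bytes) -> Tuple[str, Optional[bytes]]:
        """Return ("bypass", raw) for non-target traffic, ("forward", raw) for a
        legitimate transition, or ("drop", None) when an anomaly is detected."""
        if raw[:2] != MAGIC:
            return ("bypass", raw)                # not the monitored protocol
        pkt = parse_packet(raw)
        if pkt is None:
            self.alerts.append(("malformed", None, raw.hex()))
            return ("drop", None)
        current = self.state.get(pkt.dst)         # None until the first accepted packet
        if pkt.command not in self.graph.get(current, set()):
            self.alerts.append(("bad_transition", pkt.dst, f"{current}->{pkt.command}"))
            return ("drop", None)                 # the device's state is NOT advanced
        self.state[pkt.dst] = pkt.command         # move the device to the new state node
        return ("forward", raw)
```

A device that sends an instruction out of sequence is dropped without advancing its state, so the next legitimate instruction from the expected position still passes; each destination address is tracked independently.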

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an abnormal behavior detection system in a smart grid AMI network, and a method using the same. The abnormal behavior detection system in a smart grid AMI network comprises: a network packet receiving device that receives network packets in a smart grid AMI network and identifies a target protocol packet to be monitored; a packet analyzer for separating a header and a payload of the target protocol packet; a device information storage device for providing device information of a device corresponding to the header; a device state transition information storage device that updates the device state transition information of the device corresponding to the device information and detects the occurrence of abnormal behavior based on the device state transition information; and a network packet transmission device for transmitting the target protocol packet only when the occurrence of abnormal behavior is not detected.
PCT/KR2014/003366 2014-04-17 2014-04-17 Abnormal behavior detection system in a smart grid AMI network, and method using the same WO2015160010A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/KR2014/003366 WO2015160010A1 (fr) 2014-04-17 2014-04-17 Abnormal behavior detection system in a smart grid AMI network, and method using the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/KR2014/003366 WO2015160010A1 (fr) 2014-04-17 2014-04-17 Abnormal behavior detection system in a smart grid AMI network, and method using the same

Publications (1)

Publication Number Publication Date
WO2015160010A1 true WO2015160010A1 (fr) 2015-10-22

Family

ID=54324209

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/003366 WO2015160010A1 (fr) 2014-04-17 2014-04-17 Abnormal behavior detection system in a smart grid AMI network, and method using the same

Country Status (1)

Country Link
WO (1) WO2015160010A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768765A (zh) * 2018-05-11 2018-11-06 中国联合网络通信集团有限公司 Abnormal-state IoT card inspection method, device and computer-readable storage medium
CN113515543A (zh) * 2021-03-23 2021-10-19 广东便捷神科技股份有限公司 Automatic goods pickup method and system for an unmanned vending machine
CN113810341A (zh) * 2020-06-12 2021-12-17 武汉斗鱼鱼乐网络科技有限公司 Method and system for identifying a target network group, storage medium and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120198551A1 (en) * 2011-01-31 2012-08-02 General Electric Company Method, system and device for detecting an attempted intrusion into a network
US20120307624A1 (en) * 2011-06-01 2012-12-06 Cisco Technology, Inc. Management of misbehaving nodes in a computer network
US20130223446A1 (en) * 2012-02-29 2013-08-29 Lars Ernström Compound Masking and Entropy for Data Packet Classification using Tree-based Binary Pattern Matching
US20130227689A1 (en) * 2012-02-17 2013-08-29 Tt Government Solutions, Inc. Method and system for packet acquisition, analysis and intrusion detection in field area networks
US8619657B2 (en) * 2011-05-20 2013-12-31 Arnab Das Cost optimization of wireless-enabled metering infrastructures


Similar Documents

Publication Publication Date Title
US10015176B2 (en) Network protection
US10868734B2 (en) Service function chain detection path method and device
US7607049B2 (en) Apparatus and method for detecting network failure location
WO2016172055A1 (fr) Network security analysis for smart appliances
CN108183886B (zh) Security enhancement device for a rail transit signal system security gateway
US10701076B2 (en) Network management device at network edge for INS intrusion detection based on adjustable blacklisted sources
CN105429963A (zh) Intrusion detection analysis method based on Modbus/TCP
US10474613B1 (en) One-way data transfer device with onboard system detection
US9548928B2 (en) Network system, controller, and load distribution method
KR101527353B1 (ko) Abnormal behavior detection system in a smart grid AMI network and method using the same
KR20150037285A (ko) Intrusion detection apparatus and method
WO2015160010A1 (fr) Abnormal behavior detection system in a smart grid AMI network, and method using the same
CN107172780A (zh) Airfield lighting control system
ES2922817T3 (es) Network security analysis for smart home appliances
CN106789982B (zh) Security protection method and system applied to industrial control systems
CN103401312A (zh) Redundant alarm system and control method for GOOSE network communication in a smart substation
CN103634166A (zh) Device liveness detection method and apparatus
CN111049780B (zh) Network attack detection method, apparatus, device and storage medium
CN104766422A (zh) Perimeter intrusion monitoring system and method
CN102739462A (zh) Method and apparatus for sending test messages
CN116781412A (zh) Automatic defense method based on abnormal behavior
KR20150110065A (ko) Malware detection method and system based on executable file monitoring
WO2013176439A1 (fr) Efficient routing-based communication jamming method in a wireless network and related device
KR101429178B1 (ko) Wireless network security system and method
CN103684719A (zh) Platform-independent dual-redundancy network hot switching method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14889242

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14889242

Country of ref document: EP

Kind code of ref document: A1