CN109389181B - Association rule generation method and device for power grid abnormal event - Google Patents

Association rule generation method and device for power grid abnormal event Download PDF

Info

Publication number
CN109389181B
CN109389181B CN201811284261.5A CN201811284261A CN109389181B CN 109389181 B CN109389181 B CN 109389181B CN 201811284261 A CN201811284261 A CN 201811284261A CN 109389181 B CN109389181 B CN 109389181B
Authority
CN
China
Prior art keywords
preset
association rule
events
abnormal
case set
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811284261.5A
Other languages
Chinese (zh)
Other versions
CN109389181A (en
Inventor
章锐
费稼轩
石聪聪
张涛
张小建
黄秀丽
陈伟
范杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Global Energy Interconnection Research Institute
Original Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Global Energy Interconnection Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd, Global Energy Interconnection Research Institute filed Critical State Grid Corp of China SGCC
Priority to CN201811284261.5A priority Critical patent/CN109389181B/en
Publication of CN109389181A publication Critical patent/CN109389181A/en
Application granted granted Critical
Publication of CN109389181B publication Critical patent/CN109389181B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/12Computing arrangements based on biological models using genetic models
    • G06N3/126Evolutionary algorithms, e.g. genetic algorithms or genetic programming

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Biophysics (AREA)
  • Evolutionary Biology (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Genetics & Genomics (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Physiology (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Supply And Distribution Of Alternating Current (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the technical field of power information safety, and discloses a method and a device for generating association rules of power grid abnormal events, wherein the method comprises the following steps: acquiring a plurality of abnormal events; classifying the abnormal events based on a preset classification model to obtain a positive case set and a negative case set; the preset classification model is obtained by training a neural network model by using a sample abnormal event; forming a plurality of preset association rules by utilizing the rule set; and training a preset association rule according to a preset algorithm, the positive case set and the negative case set to generate an association rule of the abnormal event. The method initially classifies a plurality of abnormal events according to attack scenes based on a neural network model, and then combines a preset algorithm (such as an improved genetic algorithm), so that the optimization global property is ensured, and the accuracy of the generated association rule is improved; the accuracy of the association rule is improved by improving the initialization scheme, the intersection and the genetic probability of the genetic algorithm, namely setting the self-adaptive intersection probability and the genetic probability.

Description

Association rule generation method and device for power grid abnormal event
Technical Field
The invention relates to the technical field of power information security, in particular to a method and a device for generating association rules of power grid abnormal events.
Background
With the continuous promotion of smart grid construction and the more and more extensive application of information communication technology in the power grid, and the major power failure accidents occurring in countries such as india, ukraine, india and the like in recent years indicate that the power grid still has shortcomings in the aspect of network safety protection.
The method mainly comprises the steps of analyzing the reason of the blackout accident caused by network attack, not finding the intention of an attacker in time in a series of attack stages of the attack of the attacker on a power grid, carrying out high-precision correlation analysis on abnormal events generated by the behavior of the attacker, and taking related measures to miss the optimal period for controlling the development of the network security accident. In addition, the power grid structures and the used stability control devices in different areas are different, the generated abnormal events are different, and different attackers have different attack modes. Therefore, in response to a complex and variable environment, an automatic generation method of an association rule of a power grid abnormal event needs to be researched, and the association rule is updated in real time according to the real-time and variable power grid environment and different attack means, so that the association analysis of the abnormal event generated by the power grid is performed in real time, potential attack behaviors are mined, and the network security defense capability of the power grid is improved.
In different attack means and complex and variable power grid operation environments, methods for generating association rules based on network abnormal events mainly include a similarity-based method, a causal association relationship-based method, an attack graph-based method, a data mining-based method and an Apriori-based association algorithm. However, the above method highly depends on manual intervention in the generation and updating processes of the association rule, so that the generated association rule is affected by human subjective factors, and the accuracy of the generated association rule is low.
Disclosure of Invention
In view of this, the embodiment of the present invention provides a method and an apparatus for generating association rules of power grid abnormal events, so as to solve the problem that the accuracy of association rules generated by the existing method is low.
According to a first aspect, an embodiment of the present invention provides a method for generating association rules of grid abnormal events, including:
acquiring a plurality of abnormal events;
classifying the abnormal events based on a preset classification model to obtain a positive case set and a negative case set in a preset attack scene; the preset classification model is obtained by training a neural network model by using a sample abnormal event;
forming a plurality of preset association rules by utilizing the positive example set;
training the preset association rule according to a preset algorithm, the positive case set and the negative case set to generate an association rule of the abnormal event; the preset algorithm is used for carrying out global optimization on the preset association rule.
According to the association rule generation method for the power grid abnormal events, provided by the embodiment of the invention, firstly, a plurality of abnormal events are preliminarily classified according to attack scenes based on a neural network model so as to eliminate non-relevant abnormal events under each attack scene, and a foundation is provided for subsequently ensuring the accuracy of the generated association rule; in addition, the initial preset association rule is trained by combining a preset algorithm (for example, an improved genetic algorithm) so as to ensure the global property of optimization and improve the accuracy of the generated association rule.
With reference to the first aspect, in a first implementation manner of the first aspect, the positive example set includes an information quantity abnormal event and an electrical quantity abnormal event; wherein the forming a plurality of preset association rules using the positive case set includes:
forming a plurality of initial association rules based on the traffic anomaly events in the regular set;
sequencing the information quantity abnormal events in each initial association rule according to a time sequence;
setting the electrical quantity abnormal event at the preset depth of the sorted initial association rule to form the preset association rule.
According to the association rule generation method for the abnormal events of the power grid, the abnormal events of the information quantity in the normal case set are sequenced according to the time sequence, and the effectiveness of the initial association rule is improved; in addition, the electric system cannot be influenced by the power grid attack in the scanning and authority obtaining stage, and the electric quantity is influenced only in the attack stage, so that the electric quantity abnormal event is set at the preset depth of the sequenced initial association rule, and the effectiveness of the generated preset association rule can be improved.
With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, the training the preset association rule according to a preset algorithm, the positive example set, and the negative example set to generate an association rule of the abnormal event includes:
matching the positive case set and the negative case set with the preset association rule to determine a first case number and a second case number; the first example number is the number of successful matching in the positive example set, and the second example number is the number of failed matching in the negative example set;
calculating a fitness based on the first number of instances, the second number of instances, the positive set of instances, and the negative set of instances;
and training the preset association rule by using the preset algorithm according to the fitness and the preset iteration times.
According to the association rule generation method for the power grid abnormal event, the fitness is calculated by using the matching result, so that the performance of the preset association rule can be reflected, and a training basis is provided for subsequently training the preset association rule by using a preset algorithm.
With reference to the second embodiment of the first aspect, in the third embodiment of the first aspect, the fitness is calculated by using the following formula:
Figure BDA0001847494380000031
wherein, OfThe fitness is the fitness; zPThe first number is; zNIs the second example number; sP(ii) the number of said exception events in said positive case; sNThe number of exceptional events in the negative case set.
With reference to the second implementation manner of the first aspect, in a fourth implementation manner of the first aspect, the training the preset association rule by using the preset algorithm according to the fitness and the preset iteration number includes:
judging whether the fitness is smaller than a preset threshold value or not;
when the fitness is smaller than the preset threshold, judging whether the current iteration times reach the preset iteration times;
when the current iteration times are smaller than the preset iteration times, calculating the cross probability and the variation probability by using the current iteration times;
and training the preset association rule based on the calculation result.
According to the association rule generation method for the power grid abnormal event, provided by the embodiment of the invention, the cross probability and the variation probability are improved, the cross probability and the variation probability have great effects on the optimization of the preset association rule, and a larger probability value is set at the initial stage of iteration, so that the optimization globality is ensured, and the optimization cannot be trapped in local optimization; and when the iteration is finished, a smaller probability value is set, the inheritance of a good rule is ensured, and the accuracy of the generated association rule is improved.
With reference to the fourth embodiment of the first aspect, in the fifth embodiment of the first aspect, the cross probability is calculated by using the following formula:
Figure BDA0001847494380000041
wherein P is the crossover probability; p1Is the initial crossover probability; p2To end the crossover probability; t is the preset iteration times; t is the current iteration number;
and/or the presence of a gas in the gas,
calculating the mutation probability by adopting the following formula:
Figure BDA0001847494380000042
wherein K is the mutation probability; k1Is the initial mutation probability; k2To end mutation probability; t is the preset iteration times; and t is the current iteration number.
With reference to the fifth implementation manner of the first aspect, in a sixth implementation manner of the first aspect, the training the preset association rule based on the calculation result includes:
extracting an information quantity abnormal event in the preset association rule;
performing cross operation on the extracted information quantity abnormal events by using the cross probability;
and carrying out mutation operation on the result of the cross operation by using the mutation probability to obtain a training result.
The association rule generation method for the power grid abnormal events provided by the embodiment of the invention trains the classified abnormal events based on the improved genetic algorithm to generate the association rule, thereby providing a basis for association analysis of power grid malicious attacks.
With reference to the sixth implementation manner of the first aspect, in the seventh implementation manner of the first aspect, the calculating the cross probability and the variation probability according to the fitness and a preset number of iterations further includes:
with reference to the first aspect, or any implementation manner of the first aspect, in an eighth implementation manner of the first aspect, the preset classification model is obtained by training through the following steps:
acquiring a plurality of sample abnormal events; the sample abnormal events comprise positive sample abnormal events generated by a preset attack scene and negative sample abnormal events generated by a non-preset attack scene;
initializing the neural network model corresponding to the preset attack scene; wherein the neural network model comprises an input layer, a hidden layer and an output layer;
based on the sample abnormal event, adjusting a first weight, a second weight and a judgment threshold value to obtain the preset classification model; wherein the first weight is a weight from the hidden layer to the output layer, and the second weight is a weight from the input layer to the hidden layer.
According to the association rule generation method for the power grid abnormal events, provided by the embodiment of the invention, a neural network model is trained by adopting a large number of abnormal events in different attack scenes, so that abnormal event classification models in different attack scenes are obtained, namely, preset classification models are obtained; the preset classification model can classify abnormal events corresponding to a certain attack scene.
According to a second aspect, an embodiment of the present invention further provides a method for generating association rules of grid abnormal events, including:
the acquisition module is used for acquiring a plurality of abnormal events;
the classification module is used for classifying the abnormal events based on a preset classification model so as to obtain a positive case set and a negative case set in a preset attack scene; the preset classification model is obtained by training a neural network model by using a sample abnormal event;
the preset association rule forming module is used for forming a plurality of preset association rules by utilizing the rule set;
the association rule generating module is used for training the preset association rule according to a preset algorithm, the positive case set and the negative case set so as to generate an association rule of the abnormal event; the preset algorithm is used for carrying out global optimization on the preset association rule.
According to the association rule generation device for the power grid abnormal events, provided by the embodiment of the invention, the plurality of abnormal events are preliminarily classified according to attack scenes based on the neural network model so as to eliminate non-relevant abnormal events under each attack scene, and a foundation is provided for subsequently ensuring the accuracy of the generated association rule; in addition, the initial preset association rule is trained by combining a preset algorithm, so that the optimization global property is ensured, and the accuracy of the generated association rule is improved.
According to a third aspect, an embodiment of the present invention further provides an electronic device, including:
the storage and the processor are communicatively connected with each other, the storage stores computer instructions, and the processor executes the computer instructions to execute the method for generating association rules of grid abnormal events according to the first aspect of the present invention or any embodiment of the first aspect.
According to a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, where computer instructions are stored, and the computer instructions are configured to cause the computer to execute the method for generating the association rule for the grid abnormal event according to the first aspect of the present invention or any implementation manner of the first aspect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for generating association rules for grid exceptional events according to an embodiment of the present invention;
FIG. 2 is a flowchart of a preset association rule generating method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a predetermined classification model according to an embodiment of the present invention;
fig. 4 is a flowchart of a method for generating association rules for grid exceptional events according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a preset association rule structure according to an embodiment of the present invention;
fig. 6 is a flowchart of a method for generating association rules for grid exceptional events according to an embodiment of the present invention;
fig. 7 is a flowchart of a method for generating association rules for grid exceptional events according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a power grid system according to an embodiment of the present invention;
FIG. 9a is a schematic diagram of a DDos attack association rule according to an embodiment of the invention;
FIG. 9b is a diagram illustrating attack paths of a DDos attack scenario according to an embodiment of the present invention;
FIG. 10a is a schematic diagram of a distributed data tampering attack association rule according to an embodiment of the present invention;
FIG. 10b is a schematic diagram of an attack path of a distributed data tampering attack scenario, according to an embodiment of the present invention;
FIG. 11a is a schematic diagram of a fake control instruction attacking an association rule according to an embodiment of the invention;
FIG. 11b is a schematic diagram of an attack path of a forged control instruction attack scenario according to an embodiment of the present invention;
fig. 12 is a block diagram of a structure of an association rule generation apparatus for a grid abnormal event according to an embodiment of the present invention;
fig. 13 is a block diagram of a structure of an association rule generation apparatus for a grid abnormal event according to an embodiment of the present invention;
fig. 14 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
According to an embodiment of the present invention, there is provided an embodiment of a method for generating association rules for grid exceptional events, it should be noted that the steps illustrated in the flowchart of the drawings may be executed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be executed in an order different from that herein.
In this embodiment, a method for generating association rules of grid abnormal events is provided, which can be used in the above electronic device, and fig. 1 is a flowchart of a method for generating association rules of grid abnormal events according to an embodiment of the present invention, as shown in fig. 1, the flowchart includes the following steps:
s11, acquiring a plurality of abnormal events.
The power grid abnormal event acquired by the electronic equipment can be an abnormal event generated by utilizing a simulation environment or an abnormal event acquired on site; may also be obtained by other means; only the electronic device needs to be ensured to acquire the abnormal event.
And S12, classifying the abnormal events based on a preset classification model to obtain a positive case set and a negative case set in a preset attack scene.
The preset classification model is obtained by training a neural network model by using a sample abnormal event.
Specifically, the preset classification model corresponds to a specific power grid attack scenario (e.g., intrusion attack, distributed data tampering attack, or forged control instruction attack, etc.), that is, a specific power grid attack scenario corresponds to a preset classification model.
The preset classification model is used for classifying the abnormal events, so that the specific attack scene of the power grid corresponding to the abnormal events is convenient to determine, therefore, the sample abnormal events can be abnormal events under a large number of different attack scenes, namely correspond to a specific power grid attack scene, the sample abnormal events can be various abnormal events generated by the attack scene acquired by using a simulation environment or a field, and can also be network abnormal events and the like acquired by parts other than the attack scene. And training the neural network model by using the sample abnormal event to obtain a preset network model.
The preset network model is used for classifying a plurality of abnormal events acquired by the electronic equipment, and the preset network model corresponds to a power grid attack scene, so that the preset network model divides the plurality of abnormal events into two types, wherein one type is an abnormal event generated by the preset network model, namely a normal case set; one is an abnormal event which is not generated by the preset network model, namely a negative case set; the electronic equipment can realize the preliminary classification of a plurality of abnormal events by utilizing a preset network model.
And S13, forming a plurality of preset association rules by using the positive example set.
The abnormal events in the normal case set obtained by classifying the abnormal events by the electronic device are the abnormal events generated in a specific attack scene, so that the electronic device can form a plurality of preset association rules by using the normal case set.
The preset association rule is used for representing the correlation between the corresponding generated abnormal events when the power grid is subjected to a specific attack. The electronic device may incorporate some expert knowledge, or utilize a priori knowledge, etc., when forming the plurality of preset association rules using the positive case set.
And S14, training the preset association rule according to the preset algorithm, the positive case set and the negative case set to generate the association rule of the abnormal event.
The preset algorithm is used for carrying out global optimization on a preset association rule.
After the preset association rules are formed, the electronic equipment utilizes the positive case set and the negative case set obtained by the preset classification model and combines a preset algorithm to carry out global optimization on the plurality of preset association rules so as to find out the optimal association rule from the plurality of preset association rules. For example, the preset algorithm may be a genetic algorithm, a simulated annealing algorithm, a tabu search algorithm, a particle swarm algorithm or an ant colony algorithm, and the like, and may also be other global optimization algorithms; only by using the preset algorithm, the optimal association rule can be found from a plurality of preset association rules.
According to the association rule generation method for the power grid abnormal events, firstly, a plurality of abnormal events are preliminarily classified according to attack scenes based on a neural network model so as to eliminate non-relevant abnormal events under each attack scene, and a foundation is provided for subsequently ensuring the accuracy of the generated association rule; in addition, the initial preset association rule is trained by combining a preset algorithm, so that the optimization global property is ensured, and the accuracy of the generated association rule is improved.
As an optional implementation manner of this embodiment, as shown in fig. 2, the preset classification model is obtained by training through the following steps:
s21, acquiring a plurality of sample abnormal events.
The sample abnormal events comprise positive sample abnormal events generated by a preset attack scene and negative sample abnormal events generated by a non-preset attack scene.
Specifically, the positive sample abnormal event is an abnormal event generated in a specific power grid attack scenario, and the negative sample abnormal event is an abnormal event generated in a non-attack scenario. The sample abnormal event can be acquired by utilizing a simulation environment or field acquisition.
For example, a sample exception may be an information-intensive exception: i.e., traffic exception events, denial of service events, scan events, etc.; an electrical quantity anomaly event may also be: i.e., voltage exception event, current exception event, rejection event, etc.; or include both the information quantity abnormal event and the electric quantity abnormal event, etc.
And S22, initializing a neural network corresponding to the preset attack scene.
As shown in fig. 3, the neural network model includes an input layer, a hidden layer, and an output layer. The number of hidden layers may be specifically set according to actual situations, and may be one layer, two layers, three layers, and the like, and in fig. 3, only one input layer, one hidden layer, and one output layer are taken as an example to specifically describe.
When a neural network model corresponding to a preset attack scene is initialized, the number of each layer of the neural network model needs to be set, and the connection weight between each layer, the output judgment threshold value and the like need to be set.
Specifically, as shown in fig. 3, f (t) in the output layer1)、f(t2)、f(t3) … …, and f (t)m) For sample anomalous events, ω11、……、ωmkRespectively the connection weight between the input layer and the hidden layer,12、……、mvalue of the hidden layer, v1、……、vkThe connection weight between the hidden layer and the output layer is the numerical value of the output layer, and h is the judgment threshold value of the output.
S23, adjusting the first weight, the second weight and the judgment threshold value based on the sample abnormal event to obtain the preset classification model.
Wherein the first weight is a weight from a hidden layer to an output layer, and the second weight is a weight from an input layer to a hidden layer.
Specifically, the first weight, the second weight, and the determination threshold may be adjusted using the following formulas.
Figure BDA0001847494380000091
vj(N+1)=vj(N)+α×(c-)×y×(1-)×j; (2)
wij(N+1)=wij(N)+α×(c-)×y×(1-)×vj×j×(1-j)×f(ti); (3)
h(N+1)=h(N)+β×(c-)×y×(1-); (4)
In the above formulas, y is the output of the preset classification model; h is the judgment threshold; v. ofjIs the first weight; w is aijIs the second weight; f (t)i) Is the sample exception event;
that is, the input tagged and untagged attack scenarios correspond to exceptional events f (t)i) Calculating the output of the model, w, from equation (1)ij、vjRespectively is the weight of each layer, and h is a judgment threshold value;
weight v from hidden layer to output layer of neural network by using formula (2)jAdjusting, wherein c is the expected output of the output layer, and alpha is the weight learning rate;
weight w of input layer to hidden layer of neural network using equation (3)ijAdjusting;
the threshold of the model is updated using equation (4), where β is the threshold learning rate.
And continuing inputting training data, turning to the formula (1), and repeating continuously until all samples are trained completely, thereby outputting the neural network classification models corresponding to different attack scenes.
According to the association rule generation method for the power grid abnormal events, a neural network model is trained by adopting a large number of abnormal events in different attack scenes, so that abnormal event classification models in different attack scenes are obtained, namely preset classification models; the preset classification model can classify abnormal events corresponding to a certain attack scene.
In this embodiment, a method for generating association rules of grid abnormal events is provided, which can be used in the above electronic device, and fig. 4 is a flowchart of a method for generating association rules of grid abnormal events according to an embodiment of the present invention, as shown in fig. 4, the flowchart includes the following steps:
s31, acquiring a plurality of abnormal events. Please refer to S11 in fig. 1, which is not described herein again.
And S32, classifying the abnormal events based on a preset classification model to obtain a positive case set and a negative case set.
The preset classification model is obtained by training a neural network model by using a sample abnormal event.
For a specific attack scenario, in this embodiment, the abnormal events output by the preset classification model as 1 are collected as a positive example set SPThe set of exceptional events with an output of-1 is called negative case set SN. Please refer to S12 in fig. 1, which is not described herein again.
And S33, forming a plurality of preset association rules by using the positive example set.
The generation process of the preset association rule can be regarded as a reverse process of association analysis, that is, a positive case set S generated by the electronic device by using an attack case of a known attack scenarioPAnd generating an association rule corresponding to the scene. Specifically, the following steps may be included:
s331, a plurality of initial association rules are formed based on the traffic anomaly events in the normal case.
Because the power grid attack does not affect the electrical system in the scanning and authority obtaining stage, and the electrical quantity is affected only in the attack stage, the information quantity abnormal event is far more than the electrical quantity abnormal event in the abnormal events generated in a specific power grid attack scene. Therefore, the information quantity abnormal events in the normal case set can be utilized to form a plurality of initial association rules, and the initial association rules can be formed by utilizing prior knowledge or combining expert knowledge and the like.
S332, sorting the information quantity abnormal events in each initial association rule according to time sequence.
The electronic equipment sequences the information quantity abnormal events in the initial association rules according to the time sequence, so that the effectiveness of each initial association rule can be improved.
And S333, setting an electrical quantity abnormal event at the preset depth of the sorted initial association rule to form a preset association rule.
The electronic device sets an electrical quantity abnormal event at a preset depth of the initial association rule, namely, adds the electrical quantity abnormal event at an attack stage of the sequenced initial association rule, so as to further improve the effectiveness of the preset association rule.
For example, as shown in FIG. 5, a set S of events in the input layer is modeled using an N-gramP1、SP2、……、SPn(i.e., the positive case set) to obtain a plurality of preset association rules TR1、TR2、……、TRm. Where N-gram is a concept in the domain of computer linguistics and probability theory, and refers to a sequence of N items (items) in a given piece of text or speech.
Optionally, for clearly AND intuitively presenting the preset association rule, the attack scene may be described by using the preset association rule with a tree structure, as shown in fig. 5, where the rule mainly includes an AND (AND) OR (OR) relationship. I.e. each preset association rule TRkA tree structure representation may be employed.
And S34, training the preset association rule according to the preset algorithm, the positive case set and the negative case set to generate the association rule of the abnormal event.
The preset algorithm is used for carrying out global optimization on the preset association rule. Please refer to S14 in fig. 1, which is not described herein again.
Compared with the embodiment shown in fig. 1, the association rule generating method for the power grid abnormal events provided by the embodiment sorts the information quantity abnormal events in the normal set according to the time sequence, so that the effectiveness of the initial association rule is improved; in addition, the electric system cannot be influenced by the power grid attack in the scanning and authority obtaining stage, and the electric quantity is influenced only in the attack stage, so that the electric quantity abnormal event is set at the preset depth of the sequenced initial association rule, and the effectiveness of the generated preset association rule can be improved.
In this embodiment, a method for generating association rules of grid abnormal events is provided, which can be used in the above electronic device, and fig. 6 is a flowchart of a method for generating association rules of grid abnormal events according to an embodiment of the present invention, as shown in fig. 6, where the flowchart includes the following steps:
s41, acquiring a plurality of abnormal events. Please refer to S31 in fig. 4 for details, which are not described herein.
And S42, classifying the abnormal events based on a preset classification model to obtain a positive case set and a negative case set.
The preset classification model is obtained by training a neural network model by using a sample abnormal event. Please refer to S32 in fig. 4 for details, which are not described herein.
And S43, forming a plurality of preset association rules by using the positive example set. Please refer to S33 in fig. 4 for details, which are not described herein.
And S44, training the preset association rule according to the preset algorithm, the positive case set and the negative case set to generate the association rule of the abnormal event.
The preset algorithm is used for carrying out global optimization on a preset association rule. The preset algorithm adopted in the embodiment is a genetic algorithm, and when the genetic algorithm is used for carrying out global optimization on a plurality of preset association rules, the following parameters are mainly adjusted: cross probability, mutation probability, and fitness function. Specifically, the method comprises the following steps:
s441, matching the positive example set and the negative example set with a preset association rule to determine a first example number and a second example number.
The first number of instances is the number of successful matching in the positive instance set, and the second number of instances is the number of failed matching in the negative instance set.
Electronic device utilizing positive case set SPAnd negative case set SNRespectively matching with all preset association rules to determine a matching positive case set SPNumber of successful matches in, and negative set SNThe number of matching failures.
For example, the preset association rule is TR1、TR2And TR3When matching, the positive example set S is usedPRespectively with TR1、TR2And TR3Matching is performed to determine a positive case set S corresponding to each preset association rulePThe number of successful matches; using a negativeExample set SNRespectively with TR1、TR2And TR3Matching is performed to determine a negative case set S corresponding to each preset association ruleNThe number of matching failures.
Specifically, the matching method may adopt a single-thread-based association matching method, a multi-thread-based association matching method, a heuristic-based association analysis engine, and the like.
S442, the fitness is calculated based on the first number of instances, the second number of instances, the positive set of instances, and the negative set of instances.
After the first example number and the second example number are determined, the electronic equipment calculates the fitness corresponding to each preset association rule; specifically, the fitness may be calculated using the following formula:
Figure BDA0001847494380000131
wherein, OfThe fitness is the fitness; zPThe first number is; zNIs the second example number; sP(ii) the number of said exception events in said positive case; sNThe number of exceptional events in the negative case set.
And S443, training a preset association rule by using a preset algorithm according to the fitness and the preset iteration times.
After the fitness is calculated, the electronic device may train the preset association rule by adopting the following steps:
(1) and judging whether the fitness is smaller than a preset threshold value.
(2) And when the fitness is smaller than a preset threshold value, judging whether the current iteration times reach the preset iteration times.
(3) And when the current iteration times are smaller than the preset iteration times, calculating the cross probability and the variation probability by using the current iteration times.
Specifically, the cross probability is calculated using the following formula:
Figure BDA0001847494380000132
wherein P is the crossover probability; p1Is the initial crossover probability; p2To end the crossover probability; t is the preset iteration times; and t is the current iteration number. E.g. initial cross probability P1Can take 0.5, end the crossover probability P2May take 0.2 and the preset number of iterations T may take 100.
And/or the presence of a gas in the gas,
calculating the mutation probability by adopting the following formula:
Figure BDA0001847494380000133
wherein K is the mutation probability; k1Is the initial mutation probability; k2To end mutation probability; t is the preset iteration times; and t is the current iteration number. For example, the initial mutation probability K1Can be taken as 0.4, and the mutation probability K is ended2May be taken to be 0.1 and the preset number of iterations T may be taken to be 100.
(4) And training a preset association rule based on the calculation result.
After the cross probability and the variation probability are obtained through calculation, the electronic device trains all preset association rules by using the obtained calculation result, which may specifically include:
1) and extracting the information quantity abnormal event in the preset association rule.
2) And performing cross operation on the extracted information quantity abnormal events by using the cross probability.
3) And carrying out mutation operation on the result of the cross operation by using the mutation probability to obtain a training result.
Because the electrical quantity abnormal event is set in the attack stage of the preset association rule, the electrical quantity abnormal event in the attack stage is skipped during genetic operation, excellent genetic genes are reserved, and the generation speed of the association rule is increased.
As an optional implementation manner of this embodiment, in S443, when the fitness is greater than or equal to the preset threshold, outputting an association rule corresponding to the fitness; or when the current iteration times are larger than or equal to the preset iteration times, outputting a training result, wherein the training result is an association rule of the abnormal event.
As another optional implementation manner of this embodiment, when the method is used in the field, online data collected in the field is firstly classified by a preset classification model, and then is matched with the generated preset association rule, and according to the degree of successful matching, the online data is imported into the database, so as to improve the initial association rule generation method based on the improved genetic algorithm, thereby improving the engineering practicability. Namely, the association rule is continuously updated in an iterative manner according to the actual attack scene, and the association rule generation method of the power grid abnormal event is evolved on line, so that the quality and efficiency of the power grid network security analysis are effectively improved, and the safe and stable operation of the power grid is guaranteed.
Optionally, in the embodiment, as shown in fig. 7, a specific flow of the method for generating the association rule of the grid abnormal event,
(1) and classifying the abnormal events by using a preset classification model so as to classify the abnormal events into two sets. The abnormal events belonging to the attack scenario are called as a positive case set SPAn exceptional event not belonging to the attack scenario is called negative case set SN
(2) And performing initialization scheme improvement, sequencing each preset association rule abnormal event according to time, and setting an electrical quantity abnormal event at the depth X of the initial association rule.
(3) And matching the positive example set and the negative example set with the generated preset association rule.
(4) And calculating the fitness of each preset association rule according to the matching result.
(5) And judging whether the fitness function is greater than or equal to a preset threshold value. If the correlation rule is larger than or equal to the preset correlation rule, outputting the correlation rule, otherwise, carrying out genetic operation.
(6) The selection operator improves. In genetic manipulation, a genetic factor needs to be selected first, and when a genetic factor is selected, an electrical quantity abnormal event other than the association rule depth X is selected, and a good genetic gene is retained.
(7) And the crossover and mutation probability are improved. In the genetic operation, the selected genetic operator needs to be crossed and subjected to genetic operation, and self-adaptive crossing and genetic operators are set, so that the generation efficiency and the generation quality of the association rule are improved. Then, returning to the step (3), and repeating the process.
Compared with the embodiment shown in fig. 4, the association rule generation method for the power grid abnormal event provided by the embodiment improves the cross probability and the variation probability, the cross probability and the variation probability have great effect on the optimization of the preset association rule, and in the initial stage of iteration, a larger probability value is set, so that the optimization globality is ensured, and the method cannot be trapped in local optimization; and when the iteration is finished, a smaller probability value is set, the inheritance of a good rule is ensured, and the accuracy of the generated association rule is improved.
To sum up, the method for generating association rules of power grid abnormal events provided by the embodiment of the present invention has the following characteristics:
(1) an attack scene classification model based on a neural network. The scene classification model is mainly used for preliminarily classifying abnormal events according to attack scenes based on a neural network model, preliminarily removing non-relevant abnormal events under each attack scene, improving the generation efficiency of an off-line association rule and providing a data basis for automatic generation of the association rule based on an improved genetic algorithm;
(2) an initialization scheme is improved. The association rule abnormal events generated by the initial population are sequenced according to the time sequence, and the electrical side abnormal events are set in the attack stage, so that the effectiveness of the initial association rule is improved;
(3) the selection operator is improved. Because the electrical side abnormal event is set in the association rule attack stage, the electrical side abnormal event in the attack stage is skipped during genetic operation, excellent genetic genes are reserved, and the automatic generation speed of the association rule is increased;
(4) the cross probability and the mutation probability are improved. The cross probability and the genetic probability have great effect on the optimization of the association rule, and in the initial stage of iteration, a larger probability value is set, so that the optimization global property is guaranteed, and the optimization cannot be trapped in local optimization. And when the iteration is finished, a smaller probability value is set, so that the inheritance of a good rule is ensured. The accuracy of the association rule is improved;
(5) and a training mode of online automatic generation, loop iteration and continuous evolution of association rules is realized. When the method is used on site, online data acquired on site are firstly classified through a trained neural network model, then are matched with generated association rules, and are imported into a database according to the degree of successful matching, so that the association rule automatic generation model based on the improved genetic algorithm is improved, the engineering practicability is greatly improved, and the method has wide engineering practical value.
As a specific application example of the present embodiment, a structure of a power grid system is shown in fig. 8, and includes a source grid load master station, a substation, a user side, and a grid load terminal, and according to an association generation method of a power grid abnormal event, an association rule is generated as follows:
based on an improved genetic algorithm, based on abnormal events in a DDos attack scene, carrying out neural network classification model training on the abnormal events, and carrying out association rule automatic generation training based on the improved genetic algorithm to obtain a DDos attack association rule, as shown in FIG. 9 a; furthermore, the association rule of the DDos attack in the entity system is embodied as a path shown in fig. 9 b. And correlating the abnormal events at the information side reported by the terminal and the user switch with the abnormal events of the electrical quantity monitored by the system, and identifying the DDos attack of the power grid.
Based on an improved genetic algorithm, based on abnormal events in a distributed data tampering attack scene, performing neural network classification model training on the abnormal events, and performing association rule automatic generation training based on the improved genetic algorithm to obtain a distributed data tampering attack association rule, as shown in fig. 10 a; furthermore, the association rule of the distributed data tampering attack in the entity system is embodied as a path shown in fig. 10 b. And associating the abnormal events at the information side monitored by the substation switch with the abnormal events of the electrical quantity monitored by the system, and identifying the distributed data tampering attack of the power grid.
Based on an improved genetic algorithm, based on abnormal events in the scene of forged control instruction attack, performing neural network classification model training on the abnormal events, and performing association rule automatic generation training based on the improved genetic algorithm to obtain forged control instruction attack association rules, as shown in fig. 11 a; furthermore, the fake control instruction attacks the association rule in the entity system as embodied by the path shown in fig. 11 b. And correlating the abnormal events at the information side monitored by the substation switch with the abnormal events of the electrical quantity monitored by the system, and identifying the power grid falsification control instruction attack.
The present embodiment further provides a device for generating association rules of grid abnormal events, where the device is used to implement the foregoing embodiments and preferred embodiments, and the description of the device that has been already made is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
The present embodiment provides an association rule generating device for grid abnormal events, as shown in fig. 12, including:
an obtaining module 51, configured to obtain a plurality of abnormal events;
the classification module 52 is configured to classify the abnormal event based on a preset classification model to obtain a positive case set and a negative case set in a preset attack scene; the preset classification model is obtained by training a neural network model by using a sample abnormal event;
a preset association rule forming module 53, configured to form a plurality of preset association rules by using the rule set;
an association rule generating module 54, configured to train the preset association rule according to a preset algorithm, the positive case set, and the negative case set, so as to generate an association rule of the abnormal event; the preset algorithm is used for carrying out global optimization on the preset association rule.
As an optional implementation manner of this embodiment, the positive example set includes an information quantity abnormal event and an electrical quantity abnormal event, where as shown in fig. 13, the preset association rule forming module 53 includes:
an initial association rule forming unit 531, configured to form a plurality of initial association rules based on the traffic abnormal event in the regular set.
The sorting unit 532 is configured to sort the traffic exception events in each initial association rule according to a time sequence.
A preset association rule forming unit 533, configured to set an electrical quantity abnormal event at a preset depth of the sorted initial association rules to form a preset association rule.
The association rule generating device of the grid abnormal event in this embodiment is presented in the form of a functional unit, where the unit refers to an ASIC circuit, a processor and a memory executing one or more software or fixed programs, and/or other devices that can provide the above functions.
Further functional descriptions of the modules are the same as those of the corresponding embodiments, and are not repeated herein.
An embodiment of the present invention further provides an electronic device, which has the association rule generating apparatus for the grid abnormal event shown in fig. 12 or 13.
Referring to fig. 14, fig. 14 is a schematic structural diagram of a terminal according to an alternative embodiment of the present invention, and as shown in fig. 14, the terminal may include: at least one processor 61, such as a CPU (Central Processing Unit), at least one communication interface 63, memory 64, at least one communication bus 62. Wherein a communication bus 62 is used to enable the connection communication between these components. The communication interface 63 may include a Display (Display) and a Keyboard (Keyboard), and the optional communication interface 63 may also include a standard wired interface and a standard wireless interface. The Memory 64 may be a high-speed RAM Memory (volatile Random Access Memory) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The memory 64 may optionally be at least one memory device located remotely from the processor 61. Wherein the processor 61 may be in connection with the apparatus described in fig. 12 or fig. 13, the memory 64 stores an application program, and the processor 61 calls the program code stored in the memory 64 for performing any of the above-mentioned method steps.
The communication bus 62 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus 62 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 14, but this is not intended to represent only one bus or type of bus.
The memory 64 may include a volatile memory (RAM), such as a random-access memory (RAM); the memory may also include a non-volatile memory (english: non-volatile memory), such as a flash memory (english: flash memory), a hard disk (english: hard disk drive, abbreviated: HDD) or a solid-state drive (english: SSD); the memory 64 may also comprise a combination of the above types of memory.
The processor 61 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of CPU and NP.
The processor 61 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
Optionally, the memory 64 is also used to store program instructions. The processor 61 may call a program instruction to implement the association rule generation method for the grid abnormal event as shown in the embodiments of fig. 1, 4 and 6 of the present application.
The embodiment of the invention also provides a non-transitory computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions can execute the association rule generation method of the power grid abnormal event in any method embodiment. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (11)

1. A method for generating association rules of grid abnormal events is characterized by comprising the following steps:
acquiring a plurality of abnormal events;
classifying the abnormal events based on a preset classification model to obtain a positive case set and a negative case set in a preset attack scene; the preset classification model is obtained by training a neural network model by using a sample abnormal event;
forming a plurality of preset association rules by utilizing the positive example set;
training the preset association rule according to a preset algorithm, the positive case set and the negative case set to generate an association rule of the abnormal event; the preset algorithm is used for carrying out global optimization on the preset association rule;
the positive case set comprises an information quantity abnormal event and an electrical quantity abnormal event; wherein the forming a plurality of preset association rules using the positive case set includes:
forming a plurality of initial association rules based on the traffic anomaly events in the regular set;
sequencing the information quantity abnormal events in each initial association rule according to a time sequence;
setting the electrical quantity abnormal event at the preset depth of the sorted initial association rule to form the preset association rule.
2. The method of claim 1, wherein training the preset association rules according to a preset algorithm, the positive case set and the negative case set to generate the association rules of the abnormal events comprises:
matching the positive case set and the negative case set with the preset association rule to determine a first case number and a second case number; the first example number is the number of successful matching in the positive example set, and the second example number is the number of failed matching in the negative example set;
calculating a fitness based on the first number of instances, the second number of instances, the positive set of instances, and the negative set of instances;
and training the preset association rule by using the preset algorithm according to the fitness and the preset iteration times.
3. The method of claim 2, wherein the fitness is calculated using the formula:
Figure FDA0002604297370000021
wherein, OfThe fitness is the fitness; zPThe first number is; zNIs the second example number; sP(ii) the number of said exception events in said positive case; sNThe number of exceptional events in the negative case set.
4. The method according to claim 2, wherein the training the preset association rule using the preset algorithm according to the fitness and a preset number of iterations comprises:
judging whether the fitness is smaller than a preset threshold value or not;
when the fitness is smaller than the preset threshold, judging whether the current iteration times reach the preset iteration times;
when the current iteration times are smaller than the preset iteration times, calculating the cross probability and the variation probability by using the current iteration times;
and training the preset association rule based on the calculation result.
5. The method of claim 4, wherein the cross probability is calculated using the following formula:
Figure FDA0002604297370000022
wherein P is the crossover probability; p1Is the initial crossover probability; p2To end the crossover probability; t is the preset iteration times; t is the current iteration number;
and/or the presence of a gas in the gas,
calculating the mutation probability by adopting the following formula:
Figure FDA0002604297370000023
wherein K is the mutation probability; k1Is the initial mutation probability; k2To end mutation probability; t is the preset iteration times; and t is the current iteration number.
6. The method of claim 5, wherein training the preset association rule based on the calculation result comprises:
extracting an information quantity abnormal event in the preset association rule;
performing cross operation on the extracted information quantity abnormal events by using the cross probability;
and carrying out mutation operation on the result of the cross operation by using the mutation probability to obtain a training result.
7. The method of claim 6, wherein the calculating the cross probability and the variation probability according to the fitness and a predetermined number of iterations further comprises:
when the current iteration times reach the preset iteration times, outputting a training result; wherein the training result is an association rule of the abnormal event.
8. The method according to any one of claims 1 to 7, wherein the preset classification model is trained by:
acquiring a plurality of sample abnormal events; the sample abnormal events comprise positive sample abnormal events generated by a preset attack scene and negative sample abnormal events generated by a non-preset attack scene;
initializing the neural network model corresponding to the preset attack scene; wherein the neural network model comprises an input layer, a hidden layer and an output layer;
based on the sample abnormal event, adjusting a first weight, a second weight and a judgment threshold value to obtain the preset classification model; wherein the first weight is a weight from the hidden layer to the output layer, and the second weight is a weight from the input layer to the hidden layer.
9. An association rule generation device for grid abnormal events is characterized by comprising:
the acquisition module is used for acquiring a plurality of abnormal events;
the classification module is used for classifying the abnormal events based on a preset classification model so as to obtain a positive case set and a negative case set in a preset attack scene; the preset classification model is obtained by training a neural network model by using a sample abnormal event;
the preset association rule forming module is used for forming a plurality of preset association rules by utilizing the rule set;
the association rule generating module is used for training the preset association rule according to a preset algorithm, the positive case set and the negative case set so as to generate an association rule of the abnormal event; the preset algorithm is used for carrying out global optimization on the preset association rule;
the positive case set comprises an information quantity abnormal event and an electrical quantity abnormal event; wherein the forming a plurality of preset association rules using the positive case set includes:
forming a plurality of initial association rules based on the traffic anomaly events in the regular set;
sequencing the information quantity abnormal events in each initial association rule according to a time sequence;
setting the electrical quantity abnormal event at the preset depth of the sorted initial association rule to form the preset association rule.
10. An electronic device, comprising:
a memory and a processor, wherein the memory and the processor are communicatively connected with each other, the memory stores computer instructions, and the processor executes the computer instructions to execute the association rule generation method for grid abnormal events according to any one of claims 1 to 8.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions for causing the computer to execute the association rule generation method for grid exceptional events according to any one of claims 1-8.
CN201811284261.5A 2018-10-30 2018-10-30 Association rule generation method and device for power grid abnormal event Active CN109389181B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811284261.5A CN109389181B (en) 2018-10-30 2018-10-30 Association rule generation method and device for power grid abnormal event

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811284261.5A CN109389181B (en) 2018-10-30 2018-10-30 Association rule generation method and device for power grid abnormal event

Publications (2)

Publication Number Publication Date
CN109389181A CN109389181A (en) 2019-02-26
CN109389181B true CN109389181B (en) 2020-11-24

Family

ID=65428350

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811284261.5A Active CN109389181B (en) 2018-10-30 2018-10-30 Association rule generation method and device for power grid abnormal event

Country Status (1)

Country Link
CN (1) CN109389181B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110071931A (en) * 2019-04-29 2019-07-30 广东电网有限责任公司 Mimicry honey jar evolution method, device, equipment and computer readable storage medium
CN110348472B (en) * 2019-05-24 2023-08-15 中国平安财产保险股份有限公司 Data detection rule generation method, device, computer equipment and storage medium
CN110488150A (en) * 2019-08-09 2019-11-22 国网河北省电力有限公司沧州供电分公司 A kind of intelligent fault diagnosis method based on more algorithm fusions
CN111404914A (en) * 2020-03-11 2020-07-10 南京邮电大学 Ubiquitous power Internet of things terminal safety protection method under specific attack scene
CN112862347A (en) * 2021-03-02 2021-05-28 同济大学 Equipment abnormity monitoring method and system based on federal learning, storage medium and terminal
CN113420069B (en) * 2021-06-24 2023-08-11 平安科技(深圳)有限公司 Association rule mining method, system, terminal and storage medium based on abnormal samples
CN113591813B (en) * 2021-09-29 2022-02-08 国网江苏省电力有限公司营销服务中心 Association rule algorithm-based abnormity studying and judging method, model construction method and device
CN115438592B (en) * 2022-11-08 2023-01-24 成都中科合迅科技有限公司 Industrial research and development design data modeling method based on system engineering

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634296A (en) * 2013-11-07 2014-03-12 西安交通大学 Intelligent electricity network attack detection method based on physical system and information network abnormal data merging
CN104753178A (en) * 2015-04-16 2015-07-01 河南行知专利服务有限公司 Power grid fault handling system
WO2016090961A1 (en) * 2014-12-08 2016-06-16 中兴通讯股份有限公司 Method and device for network associations analysis
CN105912652A (en) * 2016-04-08 2016-08-31 华南师范大学 Abnormal behavior detection method and system based on association rules and user attributes
CN106357002A (en) * 2016-10-19 2017-01-25 国网江苏省电力公司泰州供电公司 Intelligent signal processing system of power grid equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013039911A1 (en) * 2011-09-12 2013-03-21 Oktem Ulku Dynamic prediction of risk levels for manufacturing operations through leading risk indicators
CN105426966A (en) * 2015-12-14 2016-03-23 河海大学常州校区 Association rule digging method based on improved genetic algorithm
CN106779505B (en) * 2017-02-28 2021-04-02 中国南方电网有限责任公司 Power transmission line fault early warning method and system based on big data driving
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid
CN107133255B (en) * 2017-03-15 2022-11-25 中国电力科学研究院 Panoramic security defense method and system for large power grid

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634296A (en) * 2013-11-07 2014-03-12 西安交通大学 Intelligent electricity network attack detection method based on physical system and information network abnormal data merging
WO2016090961A1 (en) * 2014-12-08 2016-06-16 中兴通讯股份有限公司 Method and device for network associations analysis
CN104753178A (en) * 2015-04-16 2015-07-01 河南行知专利服务有限公司 Power grid fault handling system
CN105912652A (en) * 2016-04-08 2016-08-31 华南师范大学 Abnormal behavior detection method and system based on association rules and user attributes
CN106357002A (en) * 2016-10-19 2017-01-25 国网江苏省电力公司泰州供电公司 Intelligent signal processing system of power grid equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A Rule-based Exception Reason Diagnosis System for Electric Power Data;Xiang Lin et al.;《5th International Conference on Electricity Distribution》;20130429;第1-4页 *
Design of anomaly monitoring framework for Source-Grid-Load Friendly Coordination System;Huang Xiuli et al.;《2018 International Conference on Smart Grid and Electrical Automation》;20181022;第99-103页 *
基于深度学习的电力大数据融合与异常检测方法;刘东兰 等;《计算机应用与软件》;20180430;第35卷(第4期);第61-64、136页 *

Also Published As

Publication number Publication date
CN109389181A (en) 2019-02-26

Similar Documents

Publication Publication Date Title
CN109389181B (en) Association rule generation method and device for power grid abnormal event
CN111784348B (en) Account risk identification method and device
CN109191021B (en) Association rule matching method and device for power grid abnormal event
CN111783442A (en) Intrusion detection method, device, server and storage medium
CN109902018B (en) Method for acquiring test case of intelligent driving system
CN112165462A (en) Attack prediction method and device based on portrait, electronic equipment and storage medium
CN106060008B (en) A kind of network intrusions method for detecting abnormality
CN111541685B (en) Edge cloud anomaly detection method based on network structure learning
Anwar et al. A data-driven approach to distinguish cyber-attacks from physical faults in a smart grid
CN113094707B (en) Lateral movement attack detection method and system based on heterogeneous graph network
CN109325232A (en) A kind of user behavior exception analysis method, system and storage medium based on LDA
Li et al. PhishBox: An approach for phishing validation and detection
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
Pham et al. Generating artificial attack data for intrusion detection using machine learning
CN104731937A (en) User behavior data processing method and device
CN116737850A (en) Graph neural network model training method for APT entity relation prediction
Anwer et al. Intrusion detection using deep learning
CN114726823B (en) Domain name generation method, device and equipment based on generation countermeasure network
CN115758337A (en) Back door real-time monitoring method based on timing diagram convolutional network, electronic equipment and medium
CN116545679A (en) Industrial situation security basic framework and network attack behavior feature analysis method
Wang et al. An efficient intrusion detection model combined bidirectional gated recurrent units with attention mechanism
Zhang et al. Biological lateral inhibition and Electimize approach to template matching
CN113132414A (en) Multi-step attack mode mining method
Lian et al. Critical meter identification and network embedding based attack detection for power systems against false data injection attacks
CN111104963A (en) Target user determination method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant