CN111932051A - Malicious behavior detection method based on non-invasive power terminal time sequence monitoring - Google Patents

Abstract

The invention discloses a malicious behavior detection method based on non-invasive power terminal time sequence monitoring, which comprises the following steps of: s1, edge computing equipment constructs a database of historical electrical quantities of each power terminal device; s2, establishing a power consumption behavior data set for each power terminal device; s3, performing event detection and feature extraction on the electric quantity time sequence series of each power terminal to obtain a sample set, and training a load classifier; s4, carrying out event detection and feature extraction on the time sequence number series of the electric power total outlet electric quantity, inputting the event detection and feature extraction into the trained classifier model, and determining the type of equipment to which the electric power terminal to be detected belongs; s5, counting power utilization information of the power terminal to be tested; s6, detecting the electricity utilization behavior of the power terminal to be detected, and judging whether the electricity utilization equipment is abnormal or not according to the electricity utilization behavior; and S7, the edge computing equipment records and reports the abnormity. The method and the device realize the online detection of the malicious behaviors of the power terminal equipment by comparing the power consumption behaviors formed by the power terminal with historical power information based on the non-invasive power terminal time sequence monitoring.

Description

Malicious behavior detection method based on non-invasive power terminal time sequence monitoring

Technical Field

The invention relates to a method for detecting malicious behaviors of power terminal equipment under an edge computing system, in particular to a method for detecting malicious behaviors based on non-invasive power terminal time sequence monitoring.

Background

In recent years, with the continuous deployment of smart grid systems, smart grid devices such as smart meters play an important role in collecting data related to power usage and smart grid conditions. With the continuous emergence of new equipment and new technology in the fields of primary equipment intellectualization, wireless communication and the like, and the method is gradually and widely applied to the construction of a power communication network, so that the smart grid has the characteristics of complex access environment, flexible and various access modes, a large number of intelligent access terminals and the like, and the security risk of the smart grid is increased. Therefore, technical precautions against unsafe behavior of the smart grid are needed.

The electric power internet of things edge computing technology utilizes intelligent equipment close to a user side of an intelligent power grid and adopts an open platform integrating network, computing, storing and application core capabilities, so that services are provided nearby. Under the background, based on the calculation resource support of the edge side, the non-invasive power terminal time sequence monitoring and analysis can be carried out by adopting a complex calculation method, the malicious behavior detection of the intelligent power grid equipment level is realized, and the method has important significance for improving the safety of the intelligent power grid equipment level.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provides a malicious behavior detection method based on non-invasive power terminal time sequence monitoring.

The purpose of the invention is realized by the following technical scheme: a malicious behavior detection method based on non-intrusive power terminal time sequence monitoring comprises the following steps:

s1, collecting power terminal data by edge computing equipment, and constructing a historical database for a power terminal needing to be detected; the database comprises a plurality of types of the electric terminal equipment to be detected and electric quantity data thereof;

s2, extracting a time sequence of electric quantity of each power terminal in a historical database to obtain historical power consumption information of the corresponding power terminal, wherein the historical power consumption information of the power terminal comprises steady-state power, starting time, running duration and electric energy consumption, and constructing a power consumption behavior data set of the power terminal according to the historical power consumption information of the power terminal;

s3, performing event detection and feature extraction according to the historical electrical quantity time sequence number of each power terminal in the database to obtain a sample set, and training a load classifier;

s4, carrying out event detection and feature extraction on the electric quantity time sequence number series of the electric power total outlet, inputting the electric quantity time sequence number series into a trained classifier model, and determining the specific electric power terminal type to which the electric power terminal to be detected belongs;

s5, counting power consumption information of the power terminal to be measured, wherein the power consumption information specifically comprises steady-state power, starting time, running time and electric energy consumption;

s6, detecting the electricity utilization behavior of the electric power terminal to be detected according to the electricity utilization behavior data set obtained in the step S2 and the electricity utilization information of the electric power terminal to be detected obtained in the step S5, and judging whether the electric power terminal equipment is abnormal or not according to the electricity utilization behavior data set;

and S7, the edge computing equipment records the abnormal behavior of the power terminal and reports the abnormality.

Wherein the step S1 includes the following substeps:

s11, historical electric quantity data of each power terminal to be detected are collected by edge computing equipment, the historical electric quantity data comprise current and power data with time stamps, and the electric quantity data of a power main outlet comprise real-time current and power data; the data sampling frequency meets the Nyquist sampling theorem;

s12, the edge computing equipment constructs a database of historical electric quantity data and total electric outlet electric quantity data of each power terminal to be detected.

Further, the step S2 includes the following sub-steps:

s21, counting and calculating the steady-state power of each power terminal to be detected, wherein the steady-state power is a power value p when the equipment normally operates;

s22, counting and calculating the starting time of each power terminal to be detected, wherein the starting time is the power-on time t of the equipment_startTo the moment t when the steady-state power is reached_pDifference t of_p-t_startIs denoted by t_on；

S23, counting and calculating the operation time of each power terminal to be detected, wherein the operation time is the power-on time t of the equipment_startTo the power-off time t_stopDifference t of_stop-t_startIs denoted by t_run；

S24, counting and calculating the power consumption of each power terminal to be detected, wherein the power consumption is the power-on time t of the equipment_startTo the power-off time t_stopIntegral of power P to operating time ^ integral_tP, is marked as w;

and S25, constructing a power consumption behavior data set of the power terminal, wherein the data set comprises the steady-state power, the starting time, the running duration and the power consumption.

Further, the step S3 includes the following sub-steps:

s31, taking a sliding window for the specific power terminal power time sequence, detecting an event, and carrying out event detection at a power point P_iTaking the window power sequence S ═ P_i-N…P_i…P_i+N]N is P_iWindow length on both sides, 2N +1 for slidingThe overall length of the window; calculating the variance of S_varCalculating the average power S as S_mean. If S is_var＞＞αS_meanIf alpha is a threshold control coefficient, judging that the power is suddenly changed;

s32, extracting a power terminal window current time sequence array sample from the power abrupt change point, performing Fourier series expansion, taking each current harmonic amplitude as a load characteristic, and recording as x ═ x (x ═ x-₁,x₂,…,x_n) Wherein n is the number of odd harmonics with the largest amplitude;

s33, load characteristic sample x is used_j＝(x_j1,x_j2,…,x_jn) As input, the load classifier M, the sample label y, is trained_jWhere j is the number of detected power terminals.

The step S33 includes:

s331, forming a training set X ═ X according to the load characteristic samples₁,x₂,…,x_mAnd the corresponding power terminal type label sequence Y is { Y ═ Y₁,y₂,…,y_mIs the desired output; initializing sample weight D₁＝{d₁₁,d₁₂,…,d_1mTherein of

i is 1,2, …, m is the number of load characteristic samples in the training set;

s332, selecting the weak classifier H with the lowest current error as the kth basic classifier H_kAccording to weak classifier H_kClassification result of (G)_t＝{y′₁,y′₂,…,y′_mAnd the desired output Y ═ Y₁,y₂,…,y_mComparing to obtain misclassified samples, and calculating H_tClassification error of

Wherein K is 1,2, …, and K is the number of weak classifiers;

s333, calculating the kth weak classifier H_kHas a weight coefficient of

Sample weight d (k) ═ d for the kth weak classifier_k1,d_k2,…,d_kmH, updating the corresponding (k + 1) th weak classifier H_k+1The sample set weight coefficients of (a) are:

wherein Z_kIs a normalization factor that is a function of the normalization factor,

s334, executing steps S332 and S333 in a circulating mode, and obtaining the final strong classifier when the training of the K weak classifiers is finished

Namely the classifier M.

Further, the step S4 includes the following sub-steps:

s41, taking a sliding window for the total outlet power time sequence, and detecting an event at a power point

Taking window power sequence

N is

The length of the window at two sides, 2N +1 is the total length of the sliding window; to pair

Calculate its variance as

Average power of

If it is not

Wherein

If the power is the threshold control coefficient, judging that the power is suddenly changed;

s42, extracting a current time sequence array sample of a power main outlet window for the power abrupt change point, performing Fourier series expansion, taking the amplitude of each current harmonic as a load characteristic, and recording as x ═ x₁,x₂,…,x_n) Wherein n is the number of odd harmonics with the largest amplitude;

s43, load characteristic sample x ═ x₁,x₂,…,x_n) As input, y is output by the trained load classifier M_jAnd obtaining the type of the specific electric power terminal equipment.

Further, the step S5 includes the following sub-steps:

s51, calculating the steady-state power of the specific power terminal according to the event detected by the total outlet power and the obtained specific power terminal, and recording the steady-state power as p';

s52, calculating the starting time of the specific power terminal according to the event detected at the total outlet of the step S4 and the obtained specific power terminal, and recording the starting time as t_on′；

S53, calculating the operation duration of the specific power terminal according to the events detected at the total outlet of the step S4 and the obtained specific power terminal, and recording the operation duration as t_run′；

And S54, calculating the electric energy consumption of the specific electric power terminal according to the event detected at the total outlet of the step S4 and the obtained specific electric power terminal, and recording the electric energy consumption as w'.

Further, the step S6 includes the following sub-steps:

s61, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5, carrying out steady-state power detection, if so, carrying out steady-state power detection

The electrical equipment operates with power abnormality, wherein_pIs a threshold control coefficient;

s62, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5, the startup time is detected, if so, the startup time is detected

The powered device startup process takes an exception, wherein

Is a threshold control coefficient;

s63, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total outlet in the step S5, detecting the running time, if so, detecting the running time

The running time of the electric equipment is abnormal, wherein t_run,minThe shortest time length t of single operation of the power terminal in the historical database_run,maxThe maximum operation time of the power terminal in the historical database is the maximum time of single operation;

s64, detecting the power consumption according to the historical power consumption information of each power terminal in the step S2 and the power consumption information of the specific power terminal detected by the total outlet in the step S5, if the power consumption information is detected, detecting the power consumption of the specific power terminal according to the historical power consumption information of each power terminal in the step S2

The power consumption of the electric device is abnormal, wherein_wIs a threshold control coefficient.

The invention has the beneficial effects that: (1) according to the method, the edge computing equipment is used for collecting power data, non-invasive power terminal time sequence monitoring is carried out, malicious behavior detection of the power terminal equipment is realized, and the safety level of the intelligent power grid power terminal equipment based on the edge computing is improved; (2) the invention utilizes the non-invasive power terminal time sequence monitoring, is superior to the traditional invasive monitoring system, can measure the power data of the power terminal without directly installing any instrument on specific power terminal equipment, and can reduce the cost of a sensor and equipment; (3) the invention utilizes the edge computing equipment to collect and compute data at the power data generation source end, and has the characteristics of timeliness and instantaneity. Meanwhile, compared with the method that the data of the source power terminal is transmitted to the power load management terminal and the master station system for centralized processing, the method greatly saves the communication bandwidth; (4) the method and the device make full use of the edge computing power, and effectively perform online detection on the malicious behaviors of the power equipment by analyzing and comparing the historical power information.

Drawings

FIG. 1 is a flow chart of a method of the present invention;

fig. 2 is a flowchart of a method for detecting malicious behavior of power terminal equipment based on non-intrusive time-series monitoring based on edge calculation in the embodiment.

Detailed Description

The technical solutions of the present invention are further described in detail below with reference to the accompanying drawings, but the scope of the present invention is not limited to the following.

As shown in fig. 1, a malicious behavior detection method based on non-intrusive power terminal timing monitoring includes the following steps:

s1, collecting power terminal data by edge computing equipment, and constructing a historical database for a power terminal needing to be detected; the database comprises a plurality of types of the electric terminal equipment to be detected and electric quantity data thereof;

s2, extracting a time sequence of electric quantity of each power terminal in a historical database to obtain historical power consumption information of the corresponding power terminal, wherein the historical power consumption information of the power terminal comprises steady-state power, starting time, running duration and electric energy consumption, and constructing a power consumption behavior data set of the power terminal according to the historical power consumption information of the power terminal;

s3, performing event detection and feature extraction according to the historical electrical quantity time sequence number of each power terminal in the database to obtain a sample set, and training a load classifier;

s4, carrying out event detection and feature extraction on the electric quantity time sequence number series of the electric power total outlet, inputting the electric quantity time sequence number series into a trained classifier model, and determining the specific electric power terminal type to which the electric power terminal to be detected belongs;

s5, counting power consumption information of the power terminal to be measured, wherein the power consumption information specifically comprises steady-state power, starting time, running time and electric energy consumption;

s6, detecting the electricity utilization behavior of the electric power terminal to be detected according to the electricity utilization behavior data set obtained in the step S2 and the electricity utilization information of the electric power terminal to be detected obtained in the step S5, and judging whether the electric power terminal equipment is abnormal or not according to the electricity utilization behavior data set;

and S7, the edge computing equipment records the abnormal behavior of the power terminal and reports the abnormality.

Wherein the step S1 includes the following substeps:

s11, historical electric quantity data of each power terminal to be detected are collected by edge computing equipment, the historical electric quantity data comprise current and power data with time stamps, and the electric quantity data of a power main outlet comprise real-time current and power data; the data sampling frequency meets the Nyquist sampling theorem;

s12, the edge computing equipment constructs a database of historical electric quantity data and total electric outlet electric quantity data of each power terminal to be detected.

Further, the step S2 includes the following sub-steps:

s21, counting and calculating the steady-state power of each power terminal to be detected, wherein the steady-state power is a power value p when the equipment normally operates;

s22, counting and calculating the starting time of each power terminal to be detected, wherein the starting time is the power-on time t of the equipment_startTo the moment t when the steady-state power is reached_pDifference t of_p-t_startIs denoted by t_on；

S23, counting and calculating the operation time of each power terminal to be detected, wherein the operation time is the power-on time t of the equipment_startTo the power-off time t_stopDifference t of_stop-t_startIs denoted by t_run；

S24, counting and calculating the power consumption of each power terminal to be detected, wherein the power consumption is calculatedThe power consumption is the time t from the power-on of the equipment_startTo the power-off time t_stopIntegral of power P to operating time ^ integral_tP, is marked as w;

and S25, constructing a power consumption behavior data set of the power terminal, wherein the data set comprises the steady-state power, the starting time, the running duration and the power consumption.

Further, the step S3 includes the following sub-steps:

s31, taking a sliding window for the specific power terminal power time sequence, detecting an event, and carrying out event detection at a power point P_iTaking the window power sequence S ═ P_i-N…P_i…P_i+N]N is P_iThe length of the window at two sides, 2N +1 is the total length of the sliding window; calculating the variance of S_varCalculating the average power S as S_mean. If S is_var＞＞αS_meanIf alpha is a threshold control coefficient, judging that the power is suddenly changed;

s32, extracting a power terminal window current time sequence array sample from the power abrupt change point, performing Fourier series expansion, taking each current harmonic amplitude as a load characteristic, and recording as x ═ x (x ═ x-₁,x₂,…,x_n) Wherein n is the number of odd harmonics with the largest amplitude;

s33, load characteristic sample x is used_j＝(x_j1,x_j2,…,x_jn) As input, the load classifier M, the sample label y, is trained_jWhere j is the number of detected power terminals.

The step S33 includes:

s331, forming a training set X ═ X according to the load characteristic samples₁,x₂,…,x_mAnd the corresponding power terminal type label sequence Y is { Y ═ Y₁,y₂,…,y_mIs the desired output; initializing sample weight D₁＝{d₁₁,d₁₂,…,d_1mTherein of

i is 1,2, …, m is the number of load characteristic samples in the training set;

s332, selecting the weak classifier H with the lowest current error as the kth basic classifier H_kAccording to weak classifier H_kClassification result of (G)_t＝{y′₁,y′₂,…,y′_mAnd the desired output Y ═ Y₁,y₂,…,y_mComparing to obtain misclassified samples, and calculating H_tClassification error of

Wherein K is 1,2, …, and K is the number of weak classifiers;

s333, calculating the kth weak classifier H_kHas a weight coefficient of

Sample weight d (k) ═ d for the kth weak classifier_k1,d_k2,…,d_kmH, updating the corresponding (k + 1) th weak classifier H_k+1The sample set weight coefficients of (a) are:

wherein Z_kIs a normalization factor that is a function of the normalization factor,

s334, executing steps S332 and S333 in a circulating mode, and obtaining the final strong classifier when the training of the K weak classifiers is finished

Namely the classifier M.

Further, the step S4 includes the following sub-steps:

s41, taking a sliding window for the total outlet power time sequence, and detecting an event at a power point

Taking window power sequence

N is

The length of the window at two sides, 2N +1 is the total length of the sliding window; to pair

Calculate its variance as

Average power of

If it is not

Wherein

If the power is the threshold control coefficient, judging that the power is suddenly changed;

s42, extracting a current time sequence array sample of a power main outlet window for the power abrupt change point, performing Fourier series expansion, taking the amplitude of each current harmonic as a load characteristic, and recording as x ═ x₁,x₂,…,x_n) Wherein n is the number of odd harmonics with the largest amplitude;

s43, load characteristic sample x ═ x₁,x₂,…,x_n) As input, y is output by the trained load classifier M_jAnd obtaining the type of the specific electric power terminal equipment.

Further, the step S5 includes the following sub-steps:

s51, calculating the steady-state power of the specific power terminal according to the event detected by the total outlet power and the obtained specific power terminal, and recording the steady-state power as p';

s52, calculating the starting time of the specific power terminal according to the event detected at the total outlet of the step S4 and the obtained specific power terminal, and recording the starting time as t_on′；

S53, according to the aboveStep S4, calculating the operation time length of the specific power terminal and recording the operation time length as t according to the event detected at the total outlet of the step S4 and the obtained specific power terminal_run′；

And S54, calculating the electric energy consumption of the specific electric power terminal according to the event detected at the total outlet of the step S4 and the obtained specific electric power terminal, and recording the electric energy consumption as w'.

Further, the step S6 includes the following sub-steps:

s61, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5, carrying out steady-state power detection, if so, carrying out steady-state power detection

The electrical equipment operates with power abnormality, wherein_pIs a threshold control coefficient;

s62, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5, the startup time is detected, if so, the startup time is detected

The powered device startup process takes an exception, wherein

Is a threshold control coefficient;

s63, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total outlet in the step S5, detecting the running time, if so, detecting the running time

The running time of the electric equipment is abnormal, wherein t_run,minThe shortest time length t of single operation of the power terminal in the historical database_run,maxThe maximum operation time of the power terminal in the historical database is the maximum time of single operation;

s64, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5Information, detecting the power consumption, if

The power consumption of the electric device is abnormal, wherein_wIs a threshold control coefficient.

As shown in fig. 2, in the embodiment of the application, according to power terminal data collected by an edge computing side of a smart grid, detection of malicious behavior of electric equipment on the edge computing side is implemented by using non-intrusive power terminal timing monitoring, which specifically includes the following processes:

1. the method comprises the steps that edge computing equipment collects historical power data of a power terminal to be detected and builds a historical current and power database for the power terminal equipment; meanwhile, collecting power data of a power main outlet, and constructing a current and power database with a timestamp on the power main outlet;

2. obtaining historical power utilization information of the power terminal according to the time sequence number series of each specific power terminal in the historical database of the power terminal equipment, wherein the historical power utilization information specifically comprises steady-state power p and starting time t_onLength of operation t_runThe electric energy consumption w is obtained, and an electric power terminal electricity consumption behavior data set is constructed according to the historical electricity consumption information of the electric power terminal;

3. according to the electrical quantity time sequence series of each power terminal in the database, performing event detection and feature extraction to obtain a sample set, and training a load classifier;

a) taking a sliding window for the power time sequence of each specific power terminal, and detecting events at a power point P_iTaking the window power sequence S ═ P_i-N…P_i…P_i+N]N is P_iThe length of the window at two sides, 2N +1 is the total length of the sliding window; calculating the variance of S_varCalculating the average power S as S_mean. When S is_vra＞＞αS_meanAnd if alpha is a threshold control coefficient and the power is judged to be suddenly changed at the moment, the event occurs in the power terminal.

b) Extracting window current samples of the power terminal from the power abrupt change points, performing Fourier series expansion, taking the harmonic amplitude of each current as a load characteristic, and recordingIs x ═ x₁,x₂,…,x_n) Where n is the number of odd harmonics with the largest amplitude, where n is 7.

c) When all the load characteristics of the power terminal to be detected are extracted, each load characteristic sample X is set as { X ═ X }₁,x₂,…,x_mAs input, the corresponding power terminal type tag sequence Y ═ Y₁,y₂,…,y_mIs the desired output. Initializing sample weight D₁＝{d₁₁,d₁₂,…,d_1mTherein of

i is 1,2, …, m is the number of load characteristic samples in the training set;

d) selecting the weak classifier H with the lowest current error as the kth basic classifier H_kAccording to weak classifier H_kClassification result of (G)_t＝{y′₁,y′₂,…,y′_mAnd the desired output Y ═ Y₁,y₂,…,y_mComparing to obtain misclassified samples, and calculating H_tClassification error of

Wherein K is 1,2, …, and K is the number of weak classifiers;

e) computing the kth weak classifier H_kHas a weight coefficient of

Sample weight d (k) ═ d for the kth weak classifier_k1,d_k2,…,d_kmH, updating the corresponding (k + 1) th weak classifier H_k+1The sample set weight coefficient of

Where Z is_kIs a normalization factor that is a function of the normalization factor,

f) circularly executing the step d) and the step e) when K weak classifiers are usedTraining is completed to obtain the final strong classifier

Namely a classifier M;

4. event detection and feature extraction are carried out on the time sequence series of the total power outlet, the time sequence series are input into a trained classifier model M, and the specific equipment type of the power terminal to be detected is determined;

a) taking a sliding window for the total outlet power time sequence, detecting the event, and carrying out the detection at the power point

Taking window power sequence

N is

The length of the window at two sides, 2N +1 is the total length of the sliding window; to pair

Calculate its variance as

Average power of

When in use

Wherein

And if the total power outlet power is a threshold control coefficient, judging that the total power outlet power suddenly changes, and detecting that the behavior event of the power terminal occurs.

b) And extracting a current sample of a total power outlet window of the power catastrophe point, performing Fourier series expansion, taking the amplitude of each current harmonic as a load characteristic, and recording as x ═ x (x)₁,x₂,…,x_n) Wherein n isThe number of odd harmonics with the largest amplitude is taken, where n is 7.

c) Obtaining a load characteristic sample x ═ x (x) as described above₁,x₂,…,x₇) As input, y is output by the trained load classifier M_jAnd obtaining the specific electric power terminal to which the power abrupt change point corresponds to the event.

5. Counting the detected current-period power utilization information of the power terminal, specifically including the steady-state power p' and the starting time t_on', length of operation t_run', power consumption w';

6. detecting the current time period electricity consumption behavior of the electric power terminal to be detected according to the electricity consumption behavior data set in the step 2 and the current time period electricity consumption information of the electric power terminal to be detected in the step 5, and judging whether the electric power terminal equipment is abnormal or not according to the current time period electricity consumption behavior;

a)

the steady state power at the current moment is abnormal;

b)

the current starting time is abnormal;

c)

the current running time is abnormal;

d)

the electric energy consumption in the current time period is abnormal;

7. and (3) the edge computing device records the abnormal behavior monitored in the step (6) and reports the abnormal behavior, and under a general condition, the monitored abnormal behavior can be reported to a monitoring center communicated with the edge computing device, and the abnormal behavior can also be reported to a handheld mobile terminal communicated with the edge computing device.

In the embodiment of the present application, the power terminal electricity consumption information in step S2 includes, but is not limited to, steady state power, start time, operation duration, and power consumption. The power utilization information of the power terminal can be represented by instantaneous peak power, frequency spectrum jitter, frequency variation and the use sequence of the power terminal. The feature extraction method in step S3 and step S4 adopts fourier series expansion of current to extract odd harmonics as features, and may also adopt wavelet transformation, variable point detection, and edge detection methods to extract feature tuples. Step S3 may also use, for example, a k-nearest neighbor algorithm, an SVM algorithm, and a decision tree algorithm, or a convolutional neural network algorithm, a feed-forward neural network algorithm, and a radial basis function neural network algorithm to construct a corresponding neural network, in addition to the machine learning algorithm to construct the load classification model, and train the neural network using the training set to obtain a corresponding mature model.

In conclusion, the method adopts non-invasive power terminal time sequence monitoring, the collected power terminal data are decomposed on line, and the malicious behavior of the power terminal equipment is detected on line by comparing the collected power terminal data with the power consumption behavior formed by historical power information, so that the safety guarantee of the power terminal equipment level of the smart grid under the edge calculation is realized; compared with the traditional invasive monitoring method, the non-invasive introduction greatly reduces the use of the sensor and effectively reduces the detection cost; the event detection algorithm based on the sliding window is designed, so that the change of the power utilization behavior of the power terminal equipment can be accurately judged, and meanwhile, the influence of system noise and short-time peaks can be reduced; the load identification is carried out by adopting a machine learning algorithm, so that the accuracy of the load identification is effectively improved; the electric power information of the electric power terminal is collected and processed by utilizing the computing performance of the edge computing device, so that the malicious behavior of the electric power terminal equipment is detected on line, the characteristics of real-time performance and timeliness are met, and compared with the method that the data of the source electric power terminal is transmitted to the electric power load management terminal and the main station system for centralized processing, the communication bandwidth is greatly saved and the data delay is effectively avoided.

The foregoing is a preferred embodiment of the present invention, it is to be understood that the invention is not limited to the form disclosed herein, but is not to be construed as excluding other embodiments, and is capable of other combinations, modifications, and environments and is capable of changes within the scope of the inventive concept as expressed herein, commensurate with the above teachings, or the skill or knowledge of the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A malicious behavior detection method based on non-invasive power terminal time sequence monitoring is characterized in that: the method comprises the following steps:

s1, collecting power terminal data by edge computing equipment, and constructing a historical database for a power terminal needing to be detected; the database comprises a plurality of types of the electric terminal equipment to be detected and electric quantity data thereof;

s2, extracting a time sequence of electric quantity of each power terminal in a historical database to obtain historical power consumption information of the corresponding power terminal, wherein the historical power consumption information of the power terminal comprises steady-state power, starting time, running duration and electric energy consumption, and constructing a power consumption behavior data set of the power terminal according to the historical power consumption information of the power terminal;

s3, performing event detection and feature extraction according to the historical electrical quantity time sequence number of each power terminal in the database to obtain a sample set, and training a load classifier;

s4, carrying out event detection and feature extraction on the electric quantity time sequence number series of the electric power total outlet, inputting the electric quantity time sequence number series into a trained classifier model, and determining the specific electric power terminal type to which the electric power terminal to be detected belongs;

s5, counting power consumption information of the power terminal to be measured, wherein the power consumption information specifically comprises steady-state power, starting time, running time and electric energy consumption;

s6, detecting the electricity utilization behavior of the electric power terminal to be detected according to the electricity utilization behavior data set obtained in the step S2 and the electricity utilization information of the electric power terminal to be detected obtained in the step S5, and judging whether the electric power terminal equipment is abnormal or not according to the electricity utilization behavior data set;

and S7, the edge computing equipment records the abnormal behavior of the power terminal and reports the abnormality.

2. The method of claim 1, wherein the method comprises the following steps: the step S1 includes the following sub-steps:

s11, historical electric quantity data of each power terminal to be detected are collected by edge computing equipment, the historical electric quantity data comprise current and power data with time stamps, and the electric quantity data of a power main outlet comprise real-time current and power data; the data sampling frequency meets the Nyquist sampling theorem;

s12, the edge computing equipment constructs a database of historical electric quantity data and total electric outlet electric quantity data of each power terminal to be detected.

3. The method of claim 1, wherein the method comprises the following steps: the step S2 includes the following sub-steps:

s21, counting and calculating the steady-state power of each power terminal to be detected, wherein the steady-state power is a power value p when the equipment normally operates;

s22, counting and calculating the starting time of each power terminal to be detected, wherein the starting time is the power-on time t of the equipment_startTo the moment t when the steady-state power is reached_pDifference t of_p-t_startIs denoted by t_on；

S23, counting and calculating the operation time of each power terminal to be detected, wherein the operation time is the power-on time t of the equipment_startTo the power-off time t_stopDifference t of_stop-t_startIs denoted by t_run；

S24, counting and calculating the power consumption of each power terminal to be detected, wherein the power consumption is the power-on time t of the equipment_startTo the power-off time t_sto_pIntegral of power P to operating time ^ integral_tP, is marked as w;

and S25, constructing a power consumption behavior data set of the power terminal, wherein the data set comprises the steady-state power, the starting time, the running duration and the power consumption.

4. The method of claim 1, wherein the method comprises the following steps: the step S3 includes the following sub-steps:

s31, taking a sliding window for the specific power terminal power time sequence, detecting an event, and carrying out event detection at a power point P_iTaking the window power sequence S ═ P_i-N…P_i…P_i+N]N is P_iThe length of the window at two sides, 2N +1 is the total length of the sliding window; calculating the variance of S_varCalculating the average power S as S_mean. If S is_var＞＞αS_meanIf alpha is a threshold control coefficient, judging that the power is suddenly changed;

s32, extracting a power terminal window current time sequence array sample from the power abrupt change point, performing Fourier series expansion, taking each current harmonic amplitude as a load characteristic, and recording as x ═ x (x ═ x-₁,x₂,…,x_n) Wherein n is the number of odd harmonics with the largest amplitude;

s33, load characteristic sample x is used_j＝(x_j1,x_j2,…,x_jn) As input, the load classifier M, the sample label y, is trained_jWhere j is the number of detected power terminals.

5. The method of claim 1, wherein the method comprises the following steps: the step S4 includes the following sub-steps:

s41, taking a sliding window for the total outlet power time sequence, and detecting an event at a power point

Taking window power sequence

N is

The length of the window at two sides, 2N +1 is the total length of the sliding window; to pair

Calculate its variance as

Average power of

If it is not

Wherein

If the power is the threshold control coefficient, judging that the power is suddenly changed;

s42, extracting a current time sequence array sample of a power main outlet window for the power abrupt change point, performing Fourier series expansion, taking the amplitude of each current harmonic as a load characteristic, and recording as x ═ x₁,x₂,…,x_n) Wherein n is the number of odd harmonics with the largest amplitude;

s43, load characteristic sample x ═ x₁,x₂,…,x_n) As input, y is output by the trained load classifier M_jAnd obtaining the type of the specific electric power terminal equipment.

6. The method of claim 1, wherein the method comprises the following steps: the step S5 includes the following sub-steps:

s51, calculating the steady-state power of the specific power terminal according to the event detected by the total outlet power and the obtained specific power terminal, and recording the steady-state power as p';

s52, calculating the starting time of the specific power terminal according to the event detected at the total outlet of the step S4 and the obtained specific power terminal, and recording the starting time as t_on′；

S53, according to the events detected at the total outlet of the step S4 and the obtained specific power terminal, calculating the running time of the specific power terminal, and recording the running time as the running timet_run′；

And S54, calculating the electric energy consumption of the specific electric power terminal according to the event detected at the total outlet of the step S4 and the obtained specific electric power terminal, and recording the electric energy consumption as w'.

7. The method of claim 1, wherein the method comprises the following steps: the step S6 includes the following sub-steps:

s61, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5, carrying out steady-state power detection, if so, carrying out steady-state power detection

The electrical equipment operates with power abnormality, wherein_pIs a threshold control coefficient;

s62, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total exit in the step S5, the startup time is detected, if so, the startup time is detected

The powered device startup process takes an exception, wherein

Is a threshold control coefficient;

s63, according to the historical electricity utilization information of each power terminal in the step S2 and the electricity utilization information of the specific power terminal detected by the total outlet in the step S5, detecting the running time, if so, detecting the running time

The running time of the electric equipment is abnormal, wherein t_run,minThe shortest time length t of single operation of the power terminal in the historical database_run,maxThe maximum operation time of the power terminal in the historical database is the maximum time of single operation;

s64, according to each electric power terminal in the step S2The terminal history power consumption information and the power consumption information of the specific power terminal detected in the step S5, if it is detected that the power consumption is not enough

The power consumption of the electric device is abnormal, wherein_wIs a threshold control coefficient.

8. The method of claim 4, wherein the malicious behavior detection method is based on the non-intrusive power terminal timing monitoring, and comprises: the step S33 includes:

s331, forming a training set X ═ X according to the load characteristic samples₁,x₂,…,x_mAnd the corresponding power terminal type label sequence Y is { Y ═ Y₁,y₂,…,y_mIs the desired output; initializing sample weight D₁＝{d₁₁,d₁₂,…,d_1mTherein of

m is the number of load characteristic samples in the training set;

s332, selecting the weak classifier H with the lowest current error as the kth basic classifier H_kAccording to weak classifier H_kClassification result of (G)_t＝{y′₁,y′₂,…,y′_mAnd the desired output Y ═ Y₁,y₂,…,y_mComparing to obtain misclassified samples, and calculating H_tClassification error of

Wherein K is 1,2, …, and K is the number of weak classifiers;

s333, calculating the kth weak classifier H_kHas a weight coefficient of

Sample weight d (k) ═ d for the kth weak classifier_k1,d_k2,…,d_kmUpdate the corresponding k +1 th weakClassifier H_k+1The sample set weight coefficients of (a) are:

wherein Z_kIs a normalization factor that is a function of the normalization factor,

s334, executing steps S332 and S333 in a circulating mode, and obtaining the final strong classifier when the training of the K weak classifiers is finished

Namely the classifier M.

Images