CN111953684A - APT attack analysis system in power network - Google Patents


Info

Publication number: CN111953684A
Application number: CN202010806417.2A
Authority: CN (China)
Prior art keywords: virus, apt, module, attack, stream
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘智勇, 陈良汉
Current assignee: Zhuhai Hongrui Information Technology Co Ltd
Original assignee: Zhuhai Hongrui Information Technology Co Ltd
Application filed by Zhuhai Hongrui Information Technology Co Ltd
Priority to CN202010806417.2A
Publication of CN111953684A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

The invention discloses an APT attack analysis system in a power network, which belongs to the technical field of electric power and comprises an information collection system and an APT virus search system. The invention is scientific and reasonable and is safe and convenient to use. The information collection system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and an information stream; random packet capture guarantees randomness and saves time and resources. The information stream is encrypted to obtain a transport stream, and different encryption modes are applied to different parts of the elements of the transport stream obtained by packet capture, which greatly improves security and prevents information from being attacked and stolen by the APT during packet capture. A virus sequence database is preset in the system; the APT virus search system compares the pre-stored virus sequence database with the elements of the transport stream, judges whether any coincidence exists, and thereby judges whether a virus exists in the APT attack analysis system. If a virus exists, it further judges whether the attack launched by the virus is an APT attack.

Description

APT attack analysis system in power network
Technical Field
The invention relates to the technical field of electric power, in particular to an APT attack analysis system in an electric power network.
Background
APT refers to an advanced persistent threat: a form of network attack that uses advanced attack means to carry out long-term, persistent attacks on a specific target. Compared with other forms of network attack, the principle of an APT attack is more advanced; this is mainly reflected in the fact that an APT attack can exploit vulnerabilities in the network to accurately collect information about the target system, and once the collection process is complete, continuous high-strength attacks are carried out on the network system. An advanced persistent threat (APT) threatens the data security of an enterprise. The APT is a "malicious commercial espionage threat": a long-lasting, carefully prepared network attack launched by hackers against a chosen target in order to steal its core data. Such activities are usually planned and conducted over a long period and are highly concealed. The APT attack method is to hide itself and steal data from a specific target in a long-term, planned and organized manner; the actions of stealing data and collecting information in the digital space are the actions of a 'network spy'.
Because power networks are increasingly widespread and power control systems increasingly complex, the security requirements of power systems keep rising; network virus intrusion, and especially APT attack, poses a considerable threat to network security, so an APT attack analysis system in the power network is needed to solve this problem.
Disclosure of Invention
The invention aims to provide an APT attack analysis system in a power network to solve the problems in the prior art.
In order to achieve the purpose, the invention provides the following technical scheme: an APT attack analysis system in a power network is characterized in that:
comprises an information collection system and an APT virus searching system;
the information collection system comprises an acquisition module, a password module, a control module, a storage module and a communication module;
the acquisition module randomly captures a transmission stream in the system to obtain captured packet data and acquire an information stream;
the cryptographic module encrypts the packet capturing data acquired by the acquisition module respectively and summarizes the packet capturing data into an encrypted information stream;
the control module controls the packet capturing process of the acquisition module and controls the encryption process of the password module;
the storage module performs backup storage on the encrypted information stream;
the communication module transmits the encrypted information flow from the collection system to an APT virus searching system;
the APT virus searching system comprises a decryption module, a virus detection module, an APT attack analysis module and an APT attack protection module;
the decryption module performs symmetric decryption, asymmetric decryption or hash-value decryption on the encrypted information stream transmitted by the communication module, obtaining a decrypted information stream;
the virus detection module detects whether a virus is input or output in the system according to the decryption information flow and the virus sequence database;
the APT attack analysis module detects viruses invading the system, judges whether the viruses belong to the APT viruses or not, and sends the result of APT virus attack detection to a system administrator;
and the APT attack protection module selects the handling mode according to the results obtained by the virus detection module and the APT attack analysis module.
The transport stream S_tra in the system is:
Figure BDA0002629285010000031
where d is the data obtained by packet capture, s is the number of captured packets in the longitudinal (row) direction, and c is the number of captured packets in the transverse (column) direction;
the data obtained by packet capture in the system are summarized into the transport stream S_tra, which facilitates the subsequent encryption and analysis of the captured packet data;
the elements of the transport stream S_tra are divided into three parts, and each part is encrypted in a different mode:
first part S_1:
Figure BDA0002629285010000032
second part S_2:
Figure BDA0002629285010000033
third part S_3:
Figure BDA0002629285010000034
the elements of the transport stream S_tra are divided into three parts so that different encryption modes can be applied to different parts of the elements of S_tra, which improves security;
S_1 is encrypted to obtain a first encrypted value M_1:
M_1 = σ * S_1 * (1 - α)
where σ is a proportionality coefficient with σ > 0, and α is a constant term with α > 1;
S_2 is encrypted to obtain a second encrypted value M_2:
M_2 = S_1 * C_ode
where C_ode is an encryption coefficient:
Figure BDA0002629285010000041
where b is the element of the encryption coefficient C_ode, a is the number of matrix rows (longitudinal distribution) of the second encrypted value M_2, and e is the number of matrix columns (transverse distribution) of M_2; the value of a equals s/3 and the value of e equals c;
S_3 is encrypted to obtain a third encrypted value M_3:
M_3 = μ * S_3 * (ω - 1)
where μ is a proportionality coefficient with μ > 0, and ω is a constant term with ω > 1;
the encrypted information stream J_M is:
J_M = M_1 ∩ M_2 ∩ M_3
that is, the encrypted information stream J_M is the collection or union of the first encrypted value M_1, the second encrypted value M_2 and the third encrypted value M_3; the encrypted information stream J_M comprises M_1, M_2 and M_3.
The virus detection module detects whether a virus is input to or output from the system, and calculates a virus parameter H_M:
Figure BDA0002629285010000051
where V_irus is the virus sequence database pre-stored in the system;
the value of the virus parameter H_M determines whether there is a virus input or output within the system:
when H_M > 0, it is judged that a virus input or output exists in the system;
when H_M = 0, it is judged that no virus is input or output in the system;
when H_M < 0, it is judged that the parameters were solved incorrectly, and the evaluation is repeated;
the virus sequence database V_irus pre-stored in the system is compared with the elements of the transport stream S_tra to judge whether any coincidence exists, and thereby whether a virus exists in the APT attack analysis system;
if it is judged that a virus input or output exists in the system, the APT attack analysis module detects the virus invading the system and, according to the detection result A_SD, judges whether the virus belongs to an APT virus:
A_SD = F(f(S_tra), f(V_irus)) = Σ f(S_tra) * log_e f(S_tra) ∪ f(V_irus)
Figure BDA0002629285010000052
where f(S_tra) is the set of elements in the transport stream S_tra, and f(V_irus) is the set of virus sequences pre-stored in the system;
the detection result A_SD determines whether the virus belongs to an APT virus:
when A_SD > K, it is judged that the virus invading the system belongs to an APT virus;
when A_SD ≤ K, it is judged that the virus invading the system belongs to an APT virus;
where K is a comparison value;
because APT viruses are characterized by large numbers and can launch continuous attacks, the detection result A_SD takes the set of elements Σ f(S_tra) of the transport stream S_tra multiplied by the logarithmic term log_e f(S_tra) ∪ f(V_irus); the term log_e f(S_tra) ∪ f(V_irus) represents the size of the overlapping part between the transport stream S_tra and the virus sequence database V_irus. If the size of this overlapping part is larger than the preset threshold K (the value of K can be set according to the actual situation), the virus invading the system belongs to an APT virus; if it is smaller than the preset threshold K, the virus invading the system does not belong to an APT virus;
the APT attack analysis system randomly grabs packets for the transmitted and transmitted transmission streams to obtain packet data and obtain information streams, the randomness is guaranteed by random packet grabbing, and time and resources are saved compared with the detection of all data; encrypting the information flow to obtain a transmission flow, adopting different encryption modes for different parts of elements in the transmission flow in a system obtained by packet capturing, greatly improving the safety, preventing information from being stolen by APT attack in the packet capturing process, presetting a virus sequence database in the system, comparing the virus sequence database pre-stored in the system with the elements in the transmission flow, judging whether superposition exists, and judging whether viruses exist in the APT attack analysis system or not; if the virus exists, judging whether the attack initiated by the virus is APT attack or not, and finally according to the transmission stream StraSet of middle elements ∑ f (S)tra) And transmissionStream StraAnd virus sequence database VirusAnd judging whether the network system is subjected to APT attack or not according to the size of the intersection part.
The system for analyzing the APT attack in the power network comprises a method for analyzing the APT attack in the power network, wherein the method comprises the following steps:
S100: randomly capturing packets of a transport stream in the system to obtain packet-capture data, summarizing the packet-capture data into an information stream, and encrypting the information stream to obtain an encrypted information stream;
S200: backing up and storing the encrypted information stream, and transmitting the encrypted information stream from the collection system to the APT virus searching system;
S300: decrypting the encrypted information stream to obtain a decrypted information stream, and detecting whether a virus is input to or output from the system according to the decrypted information stream and the virus sequence database;
S400: detecting viruses invading the system, judging whether the viruses belong to APT viruses, and sending the result of the APT virus attack detection to a system administrator;
the modes for sending the result of the APT virus attack detection to the system administrator include short-message (SMS) reminders, e-mail reminders and message reminders;
S500: selecting the handling mode according to the result of the APT attack detection.
Preferably, the method for analyzing the APT attack in the power network further includes determining whether the APT virus is continuously invading;
the APT virus has the characteristics of continuous invasion, and if the virus continuously invades, the protection level of the system can be improved or the firewall configuration can be improved under the regulation and control of an administrator, so that the operation safety of the power network system is guaranteed.
Preferably, when the virus invading into the system is detected to be the APT virus, the APT virus sequence is brought into an abnormal database;
the APT virus sequence is brought into the abnormal database, so that the power network system can be protected, the system can quickly react when the same kind of virus invades next time, and the system operation safety is maintained.
Compared with the prior art, the invention has the beneficial effects that:
the APT attack analysis system randomly grabs packets for the transmitted and transmitted transmission streams to obtain packet data and obtain information streams, the randomness is guaranteed by random packet grabbing, and time and resources are saved compared with the detection of all data;
the information stream is encrypted to obtain a transport stream, and different encryption modes are applied to different parts of the elements of the transport stream obtained by packet capture, which greatly improves security and prevents information from being attacked and stolen by the APT during packet capture. A virus sequence database is preset in the system; the pre-stored virus sequence database is compared with the elements of the transport stream to judge whether any coincidence exists, and thereby whether a virus exists in the APT attack analysis system. If a virus exists, it is judged whether the attack launched by the virus is an APT attack; finally, whether the network system is subject to an APT attack is judged according to the set of elements Σ f(S_tra) of the transport stream S_tra and the size of the overlapping part between the transport stream S_tra and the virus sequence database V_irus.
Drawings
FIG. 1 is a schematic diagram of a module distribution structure of an APT attack analysis system in a power network according to the present invention;
fig. 2 is a schematic view of a step structure of an APT attack analysis method in a power network according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example: as shown in fig. 1-2, an APT attack analysis system in a power network is characterized in that:
comprises an information collection system and an APT virus searching system;
the information collection system comprises an acquisition module, a password module, a control module, a storage module and a communication module;
the acquisition module randomly captures a transmission stream in the system to obtain packet capturing data and information stream;
the encryption module encrypts the packet capturing data acquired by the acquisition module respectively and summarizes the packet capturing data into an encrypted information stream;
the control module controls the packet capturing process of the acquisition module and controls the encryption process of the password module;
the storage module performs backup storage on the encrypted information stream;
the communication module transmits the encrypted information flow from the collection system to an APT virus searching system;
the APT virus searching system comprises a decryption module, a virus detection module, an APT attack analysis module and an APT attack protection module;
the decryption module performs symmetric decryption, asymmetric decryption or hash-value decryption on the encrypted information stream transmitted by the communication module, obtaining a decrypted information stream;
the virus detection module detects whether a virus is input or output in the system according to the decryption information flow and the virus sequence database;
the APT attack analysis module detects viruses invading the system, judges whether the viruses belong to the APT viruses or not, and sends the result of APT virus attack detection to a system administrator;
and the APT attack protection module selects the handling mode according to the results obtained by the virus detection module and the APT attack analysis module.
The transport stream S_tra in the system is:
Figure BDA0002629285010000101
where d is the data obtained by packet capture, s is the number of captured packets in the longitudinal (row) direction, and c is the number of captured packets in the transverse (column) direction;
the data obtained by packet capture in the system are summarized into the transport stream S_tra, which facilitates the subsequent encryption and analysis of the captured packet data;
the elements of the transport stream S_tra are divided into three parts, and each part is encrypted in a different mode:
first part S_1:
Figure BDA0002629285010000102
second part S_2:
Figure BDA0002629285010000103
third part S_3:
Figure BDA0002629285010000104
the elements of the transport stream S_tra are divided into three parts so that different encryption modes can be applied to different parts of the elements of S_tra, which improves security;
S_1 is encrypted to obtain a first encrypted value M_1:
M_1 = σ * S_1 * (1 - α)
where σ is a proportionality coefficient with σ > 0, and α is a constant term with α > 1;
S_2 is encrypted to obtain a second encrypted value M_2:
M_2 = S_1 * C_ode
where C_ode is an encryption coefficient:
Figure BDA0002629285010000111
where b is the element of the encryption coefficient C_ode, a is the number of matrix rows (longitudinal distribution) of the second encrypted value M_2, and e is the number of matrix columns (transverse distribution) of M_2; the value of a equals s/3 and the value of e equals c;
S_3 is encrypted to obtain a third encrypted value M_3:
M_3 = μ * S_3 * (ω - 1)
where μ is a proportionality coefficient with μ > 0, and ω is a constant term with ω > 1;
the encrypted information stream J_M is:
J_M = M_1 ∩ M_2 ∩ M_3
that is, the encrypted information stream J_M is the collection or union of the first encrypted value M_1, the second encrypted value M_2 and the third encrypted value M_3; the encrypted information stream J_M comprises M_1, M_2 and M_3.
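The three-part split and the scalings M_1, M_2 and M_3 described above, carried through on a small constructed packet matrix. This is an added example, not code from the patent or its assignee. It assumes that the s rows of S_tra are split into three row blocks of a = s/3 rows each, that the a × e coefficient matrix C_ode is applied element-wise to the second block (the text's formula writes S_1 * C_ode; applying it to S_2 is an assumption), and that the coefficient values and packets are constructed. The inverse is included so the round trip can be checked; it also makes visible that each step is a fixed, invertible linear scaling whose only secret is the coefficient set, so σ, α, μ, ω and C_ode must be stored and transmitted with the care given to a key.

```python
"""Added example: three-part split and the scalings M_1, M_2, M_3 of S_tra.
Not the patent's code; coefficients and packets below are constructed."""
import random
from fractions import Fraction
from typing import List, Tuple

Matrix = List[List[Fraction]]


def sample_stream(packets: List[bytes], s: int, c: int, seed: int) -> Matrix:
    """Random packet capture: pick s packets at random and keep the first c
    bytes of each, giving the s x c matrix S_tra (each d is one captured byte).
    Packets shorter than c bytes are zero-padded (assumption)."""
    rng = random.Random(seed)
    chosen = rng.sample(packets, s)
    return [[Fraction(b) for b in p[:c].ljust(c, b"\x00")] for p in chosen]


def split_three(s_tra: Matrix) -> Tuple[Matrix, Matrix, Matrix]:
    """S_1, S_2, S_3: three row blocks of a = s/3 rows each (the text fixes a = s/3)."""
    s = len(s_tra)
    if s == 0 or s % 3:
        raise ValueError("s must be a positive multiple of 3 so that a = s/3 is whole")
    a = s // 3
    return s_tra[:a], s_tra[a:2 * a], s_tra[2 * a:]


def scale(m: Matrix, k: Fraction) -> Matrix:
    return [[x * k for x in row] for row in m]


def encrypt(s_tra: Matrix, sigma: Fraction, alpha: Fraction, code: Matrix,
            mu: Fraction, omega: Fraction) -> Tuple[Matrix, Matrix, Matrix]:
    """Return (M_1, M_2, M_3) under the stated constraints sigma>0, alpha>1, mu>0, omega>1."""
    if not (sigma > 0 and alpha > 1 and mu > 0 and omega > 1):
        raise ValueError("need sigma > 0, alpha > 1, mu > 0, omega > 1")
    s1, s2, s3 = split_three(s_tra)
    if len(code) != len(s2) or any(len(r) != len(s2[0]) for r in code):
        raise ValueError("C_ode must be a x e with a = s/3 and e = c")
    if any(b == 0 for r in code for b in r):
        raise ValueError("a zero coefficient in C_ode would destroy data")
    m1 = scale(s1, sigma * (1 - alpha))                               # M_1 = sigma * S_1 * (1 - alpha)
    m2 = [[x * b for x, b in zip(r, cr)] for r, cr in zip(s2, code)]  # M_2 = S_2 (elementwise) C_ode, assumed
    m3 = scale(s3, mu * (omega - 1))                                  # M_3 = mu * S_3 * (omega - 1)
    return m1, m2, m3


def decrypt(m1: Matrix, m2: Matrix, m3: Matrix, sigma: Fraction, alpha: Fraction,
            code: Matrix, mu: Fraction, omega: Fraction) -> Matrix:
    """Undo the three scalings and reassemble S_tra; needs the same coefficients."""
    s1 = scale(m1, 1 / (sigma * (1 - alpha)))
    s2 = [[x / b for x, b in zip(r, cr)] for r, cr in zip(m2, code)]
    s3 = scale(m3, 1 / (mu * (omega - 1)))
    return s1 + s2 + s3


def demo_setup():
    """Constructed sample packets and coefficients (not values from the patent)."""
    packets = [bytes([i, i + 1, i + 2, i + 3, i + 4]) for i in range(10)]
    sigma, alpha, mu, omega = Fraction(3, 2), Fraction(2), Fraction(1, 4), Fraction(5)
    code = [[Fraction(2), Fraction(3), Fraction(5), Fraction(7)] for _ in range(2)]  # a=2, e=4
    return packets, sigma, alpha, code, mu, omega


if __name__ == "__main__":
    packets, sigma, alpha, code, mu, omega = demo_setup()
    s_tra = sample_stream(packets, s=6, c=4, seed=7)
    m1, m2, m3 = encrypt(s_tra, sigma, alpha, code, mu, omega)
    print("round trip ok:", decrypt(m1, m2, m3, sigma, alpha, code, mu, omega) == s_tra)
```

Exact rational arithmetic is used so that the round trip is an equality rather than a floating-point approximation; with s = 6 and c = 4 the blocks are 2 × 4, so C_ode must be 2 × 4 as the text's a = s/3, e = c requires.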
The virus detection module detects whether a virus is input to or output from the system, and calculates a virus parameter H_M:
Figure BDA0002629285010000121
where V_irus is the virus sequence database pre-stored in the system;
the value of the virus parameter H_M determines whether there is a virus input or output within the system:
when H_M > 0, it is judged that a virus input or output exists in the system;
when H_M = 0, it is judged that no virus is input or output in the system;
when H_M < 0, it is judged that the parameters were solved incorrectly, and the evaluation is repeated;
the virus sequence database V_irus pre-stored in the system is compared with the elements of the transport stream S_tra to judge whether any coincidence exists, and thereby whether a virus exists in the APT attack analysis system;
if it is judged that a virus input or output exists in the system, the APT attack analysis module detects the virus invading the system and, according to the detection result A_SD, judges whether the virus belongs to an APT virus:
A_SD = F(f(S_tra), f(V_irus)) = Σ f(S_tra) * log_e f(S_tra) ∪ f(V_irus)
Figure BDA0002629285010000122
where f(S_tra) is the set of elements in the transport stream S_tra, and f(V_irus) is the set of virus sequences pre-stored in the system;
the detection result A_SD determines whether the virus belongs to an APT virus:
when A_SD > K, it is judged that the virus invading the system belongs to an APT virus;
when A_SD ≤ K, it is judged that the virus invading the system belongs to an APT virus;
where K is a comparison value;
because APT viruses are characterized by large numbers and can launch continuous attacks, the detection result A_SD takes the set of elements Σ f(S_tra) of the transport stream S_tra multiplied by the logarithmic term log_e f(S_tra) ∪ f(V_irus); the term log_e f(S_tra) ∪ f(V_irus) represents the size of the overlapping part between the transport stream S_tra and the virus sequence database V_irus. If the size of this overlapping part is larger than the preset threshold K (the value of K can be set according to the actual situation), the virus invading the system belongs to an APT virus; if it is smaller than the preset threshold K, the virus invading the system does not belong to an APT virus;
the APT attack analysis system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and an information stream; random packet capture guarantees randomness and saves time and resources compared with inspecting all data. The information stream is encrypted to obtain a transport stream, and different encryption modes are applied to different parts of the elements of the transport stream obtained by packet capture, which greatly improves security and prevents information from being attacked and stolen by the APT during packet capture. A virus sequence database is preset in the system; the pre-stored virus sequence database is compared with the elements of the transport stream to judge whether any coincidence exists, and thereby whether a virus exists in the APT attack analysis system. If a virus exists, it is judged whether the attack launched by the virus is an APT attack; finally, whether the network system is subject to an APT attack is judged according to the set of elements Σ f(S_tra) of the transport stream S_tra and the size of the overlapping part between the transport stream S_tra and the virus sequence database V_irus.
An APT attack analysis system in a power network comprises an APT attack analysis method in the power network, and the method comprises the following steps:
S100: randomly capturing packets of a transport stream in the system to obtain packet-capture data, summarizing the packet-capture data into an information stream, and encrypting the information stream to obtain an encrypted information stream;
S200: backing up and storing the encrypted information stream, and transmitting the encrypted information stream from the collection system to the APT virus searching system;
S300: decrypting the encrypted information stream to obtain a decrypted information stream, and detecting whether a virus is input to or output from the system according to the decrypted information stream and the virus sequence database;
S400: detecting viruses invading the system, judging whether the viruses belong to APT viruses, and sending the result of the APT virus attack detection to a system administrator;
the modes for sending the result of the APT virus attack detection to the system administrator include short-message (SMS) reminders, e-mail reminders and message reminders;
S500: selecting the handling mode according to the result of the APT attack detection.
The method for analyzing the APT attack in the power network further comprises the step of judging whether the APT virus is continuously invaded.
The APT virus has the characteristics of continuous invasion, and if the virus continuously invades, the protection level of the system can be improved or the firewall configuration can be improved under the regulation and control of an administrator, so that the operation safety of the power network system is guaranteed.
When the virus invaded in the system is detected to be the APT virus, the APT virus sequence is brought into an abnormal database.
The APT virus sequence is brought into the abnormal database, so that the power network system can be protected, the system can quickly react when the same kind of virus invades next time, and the system operation safety is maintained.
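Steps S300 to S500 on already-decrypted packets, together with the A_SD threshold rule and the abnormal-database step just described, as an added example that is not code from the patent or its assignee. Since the page does not define what an "element" of S_tra is, the example assumes an element is a 4-byte window of a captured packet; it reads Σ f(S_tra) as the number of distinct elements and the logarithmic term as the natural logarithm of the number of elements shared with V_irus (the "overlapping part" the text describes). The packets and the placeholder entries in the virus sequence database are constructed. The empty-overlap case is handled explicitly, because ln(0) is undefined and the APT judgement is only made once a coincidence has been found.

```python
"""Added example (not the patent's code): coincidence check against V_irus, the
A_SD threshold rule and the abnormal-database step, over constructed packets.
Assumed readings: an element of S_tra is a WIDTH-byte window of a packet;
Σ f(S_tra) is the number of distinct elements; the log term is ln of the
number of elements shared with V_irus."""
import math
from typing import Dict, Iterable, List, Set

WIDTH = 4  # window size that defines an 'element' (assumption)


def elements(packets: Iterable[bytes], width: int = WIDTH) -> Set[bytes]:
    """f(S_tra): the set of all width-byte windows over the sampled packets."""
    out: Set[bytes] = set()
    for p in packets:
        for i in range(len(p) - width + 1):
            out.add(p[i:i + width])
    return out


def coincidence(stream_elems: Set[bytes], virus_db: Set[bytes]) -> Set[bytes]:
    """Virus detection module: the elements of S_tra that coincide with V_irus."""
    return stream_elems & virus_db


def a_sd(stream_elems: Set[bytes], virus_db: Set[bytes]) -> float:
    """A_SD = |f(S_tra)| * ln(|overlap|); 0.0 when nothing coincides, since ln(0)
    is undefined and no APT judgement is made without a detected virus."""
    shared = coincidence(stream_elems, virus_db)
    if not shared:
        return 0.0
    return len(stream_elems) * math.log(len(shared))


def analyse(packets: List[bytes], virus_db: Set[bytes], k: float,
            abnormal_db: Set[bytes]) -> Dict[str, object]:
    """S300: detect a coincidence; S400: compare A_SD with K; on an APT verdict
    record the matched sequences in the abnormal database so the same kind of
    virus is recognised faster next time; S500 (handling) is left to the caller."""
    elems = elements(packets)
    shared = coincidence(elems, virus_db)
    if not shared:
        return {"virus": False, "apt": False, "a_sd": 0.0, "matched": set()}
    score = a_sd(elems, virus_db)
    is_apt = score > k
    if is_apt:
        abnormal_db.update(shared)
    return {"virus": True, "apt": is_apt, "a_sd": score, "matched": shared}


# Constructed virus sequence database V_irus: placeholder 4-byte markers, not real signatures.
VIRUS_DB: Set[bytes] = {b"SIGA", b"SIGB", b"SIGC"}

if __name__ == "__main__":
    abnormal: Set[bytes] = set()
    for sample in ([b"normal telemetry frame 0001"], [b"xx SIGA yy"], [b"SIGASIGBSIGC"]):
        print(analyse(sample, VIRUS_DB, k=5.0, abnormal_db=abnormal))
    print("abnormal database:", abnormal)
```

Two consequences of the formula as stated are visible in the sample runs: a stream sharing exactly one sequence with V_irus always scores 0 (ln 1 = 0), so it can never be classed as APT whatever K is, and the score grows with the number of distinct elements in the capture, so K has to be chosen relative to the capture size s × c rather than as an absolute constant.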
The working principle is as follows: the APT attack analysis system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and acquire an information stream, and the data obtained by packet capture in the system are summarized into the transport stream S_tra, which facilitates the subsequent encryption and analysis of the packet data. The transport stream S_tra is divided into three parts so that different encryption modes can be applied to different parts of its elements, which improves security. The virus sequence database V_irus pre-stored in the system is compared with the elements of the transport stream S_tra to judge whether any coincidence exists, and thereby whether a virus exists in the APT attack analysis system; if a virus exists, it is judged whether the attack launched by the virus is an APT attack; finally, whether the network system is subject to an APT attack is judged according to the set of elements Σ f(S_tra) of the transport stream S_tra and the size of the overlapping part between the transport stream S_tra and the virus sequence database V_irus.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (8)

1. An APT attack analysis system in a power network is characterized in that:
comprises an information collection system and an APT virus searching system;
the information collection system comprises an acquisition module, a password module, a control module, a storage module and a communication module;
the acquisition module randomly captures a transmission stream in the system to obtain captured packet data and acquire an information stream;
the cryptographic module encrypts the packet capturing data acquired by the acquisition module respectively and summarizes the packet capturing data into an encrypted information stream;
the control module controls the packet capturing process of the acquisition module and controls the encryption process of the password module;
the storage module performs backup storage on the encrypted information stream;
the communication module transmits the encrypted information flow from the collection system to an APT virus searching system;
the APT virus searching system comprises a decryption module, a virus detection module, an APT attack analysis module and an APT attack protection module;
the decryption module decrypts the encrypted information stream transmitted by the communication module to obtain a decrypted information stream;
the virus detection module detects whether a virus is input or output in the system according to the decrypted information stream and the virus sequence database;
the APT attack analysis module detects viruses invading the system, judges whether the viruses belong to the APT viruses or not, and sends the result of APT virus attack detection to a system administrator;
and the APT attack protection module determines the processing mode according to the results obtained by the virus detection module and the APT attack analysis module.
2. The system according to claim 1, wherein the system comprises: the transport stream S_tra in said system is
Figure FDA0002629283000000021
wherein d is data obtained by packet capturing, s is the number of the packet capturing data in longitudinal distribution, and c is the number of the packet capturing data in transverse distribution;
the elements in the transport stream S_tra are divided into three parts, and encryption in different modes is carried out:
first part S_1:
Figure FDA0002629283000000022
second part S_2:
Figure FDA0002629283000000023
third part S_3:
Figure FDA0002629283000000024
S_1 is encrypted to obtain a first encrypted value M_1:
M_1 = σ S_1 * (1 - α)
wherein σ is a proportionality coefficient with σ > 0, and α is a constant term with α > 1;
S_2 is encrypted to obtain a second encrypted value M_2:
M_2 = S_1 * Code
wherein Code is an encryption coefficient:
Figure FDA0002629283000000031
wherein b is an element of the encryption coefficient Code, a is the number of rows (longitudinal distribution) of the matrix of the second encrypted value M_2, and e is the number of columns (transverse distribution) of the matrix of the second encrypted value M_2; the value of a is the same as s/3, and the value of e is the same as c;
S_3 is encrypted to obtain a third encrypted value M_3:
M_3 = μ S_3 * (ω - 1)
wherein μ is a proportionality coefficient with μ > 0, and ω is a constant term with ω > 1;
said encrypted information stream J_M is:
J_M = M_1 ∩ M_2 ∩ M_3
3. The system according to claim 1, wherein the system comprises: the virus detection module detects whether a virus is input or output in the system or not, and calculates a virus parameter H_M:
Figure FDA0002629283000000032
wherein V_irus is the virus sequence database pre-stored in the system;
according to the virus parameter H_M, it is determined whether there is a virus input or output within the system:
when H_M > 0, it is judged that a virus input or output exists in the system;
when H_M = 0, it is judged that no virus is input or output in the system;
when H_M < 0, a parameter solving error is judged, and the value is re-evaluated.
4. The system according to claim 1, wherein the system comprises: if a virus input or output is judged to exist in the system, the APT attack analysis module detects the virus invading the system and, according to the detection result A_SD, judges whether the virus belongs to an APT virus:
A_SD = F(f(S_tra), f(V_irus)) = ∑ f(S_tra) · log_e f(S_tra) ∪ f(V_irus)
Figure FDA0002629283000000041
wherein f(S_tra) is the element set of the transport stream S_tra, and f(V_irus) is the set of virus sequences pre-stored in the system;
according to the detection result A_SD, it is judged whether the virus belongs to an APT virus:
when A_SD > K, it is judged that the virus invading the system belongs to an APT virus;
when A_SD ≤ K, it is judged that the virus invading the system belongs to an APT virus;
wherein K is a comparative value.
5. The system according to claim 1, wherein the system comprises: the system for analyzing the APT attack in the power network comprises a method for analyzing the APT attack in the power network, wherein the method comprises the following steps:
S100: randomly capturing packets of a transmission stream in the system to obtain packet capturing data, summarizing the packet capturing data into an information stream, and encrypting the information stream to obtain an encrypted information stream;
S200: backing up and storing the encrypted information stream, and transmitting the encrypted information stream from the collection system to the APT virus searching system;
S300: decrypting the encrypted information stream to obtain a decrypted information stream, and detecting whether a virus is input or output in the system according to the decrypted information stream and the virus sequence database;
S400: detecting viruses invading the system, judging whether the viruses belong to APT viruses, and sending the result of the APT virus attack detection to a system administrator;
S500: determining the processing mode according to the result of the APT attack detection.
6. The APT attack analysis system in the power network according to claim 5, wherein: the method for analyzing the APT attack in the power network further comprises the step of judging whether the APT virus is continuously invaded.
7. The APT attack analysis system in the power network according to claim 5, wherein: when the virus invaded in the system is detected to be the APT virus, the APT virus sequence is brought into an abnormal database.
8. The APT attack analysis system in the power network according to claim 5, wherein: in step S400, the modes of sending the result of the APT virus attack detection to the system administrator include short message reminding, mail reminding, and message reminding.
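The capture, encrypt, decrypt, detect and classify pipeline of claims 2 to 5 and the working principle above, as an added Python example; this is editor-written illustration code, not code from the patent or its applicant. The transport stream S_tra, the virus database V_irus, the coefficients σ, α, μ, ω and the Code matrix are all constructed sample values. Because the H_M formula and the F(...) expression exist on the page only as images or garbled text, the example takes H_M as the overlap count between stream elements and V_irus, and reads A_SD as |f(S_tra) ∩ f(V_irus)| · ln|f(S_tra) ∪ f(V_irus)| (the intersection size named in the description, weighted by the log of the union that the printed formula contains); both are interpretations. M_2 is computed from S_2 rather than from the S_1 printed in claim 2, and A_SD ≤ K is treated as not-APT, both also assumptions.

```python
"""Toy model of the claimed APT analysis pipeline (added example, constructed data)."""
import math
from typing import List, Set, Tuple

Matrix = List[List[int]]

# Constructed sample transport stream S_tra: s = 6 rows (longitudinal) by
# c = 4 columns (transverse) of integer-coded captured packet values.
S_TRA: Matrix = [
    [11, 12, 13, 14],
    [21, 22, 23, 24],
    [31, 32, 33, 34],
    [41, 42, 43, 44],
    [51, 52, 53, 54],
    [61, 62, 63, 64],
]

# Constructed virus sequence database V_irus (values that mark known-bad packets).
V_IRUS: Set[int] = {23, 44, 99}

# Constructed parameters satisfying claim 2: sigma > 0, alpha > 1, mu > 0, omega > 1.
SIGMA, ALPHA, MU, OMEGA = 2, 3, 3, 2
# Encryption coefficient Code: an a x e matrix with a = s/3 = 2 rows and e = c = 4
# columns as claim 2 requires (constructed; entries must be nonzero to be invertible).
CODE: Matrix = [[2, 3, 2, 3], [5, 7, 5, 7]]


def split_three(stream: Matrix) -> Tuple[Matrix, Matrix, Matrix]:
    """Split S_tra into S_1, S_2, S_3, each a block of s/3 consecutive rows."""
    s = len(stream)
    if s % 3:
        raise ValueError("claim 2 requires the row count s to be divisible by 3")
    a = s // 3
    return stream[:a], stream[a:2 * a], stream[2 * a:]


def _scale(block: Matrix, factor: int) -> Matrix:
    return [[factor * v for v in row] for row in block]


def encrypt(stream: Matrix) -> Tuple[Matrix, Matrix, Matrix]:
    """M_1 = sigma*S_1*(1-alpha); M_2 = S_2 * Code elementwise (assumption: the
    claim prints S_1 here); M_3 = mu*S_3*(omega-1). Cryptographic module, step S100."""
    s1, s2, s3 = split_three(stream)
    m1 = _scale(s1, SIGMA * (1 - ALPHA))
    m2 = [[v * b for v, b in zip(row, crow)] for row, crow in zip(s2, CODE)]
    m3 = _scale(s3, MU * (OMEGA - 1))
    return m1, m2, m3


def decrypt(m1: Matrix, m2: Matrix, m3: Matrix) -> Matrix:
    """Invert the three scalings and re-assemble the rows (decryption module, S300).
    Every product above is an exact integer multiple, so floor division is exact."""
    s1 = [[v // (SIGMA * (1 - ALPHA)) for v in row] for row in m1]
    s2 = [[v // b for v, b in zip(row, crow)] for row, crow in zip(m2, CODE)]
    s3 = [[v // (MU * (OMEGA - 1)) for v in row] for row in m3]
    return s1 + s2 + s3


def elements(stream: Matrix) -> Set[int]:
    """f(S_tra): the set of distinct elements of the stream."""
    return {v for row in stream for v in row}


def virus_parameter(stream: Matrix, virus_db: Set[int]) -> int:
    """H_M (claim 3), modelled as the number of stream elements also present in
    V_irus (assumption: the page's formula is an image). H_M > 0 means a known
    virus sequence was seen; H_M = 0 means none; H_M < 0 cannot occur here."""
    return len(elements(stream) & virus_db)


def apt_score(stream: Matrix, virus_db: Set[int]) -> float:
    """A_SD (claim 4), read as |f(S_tra) ∩ f(V_irus)| * ln|f(S_tra) ∪ f(V_irus)|
    (interpretation of the garbled printed formula, not a verbatim transcription)."""
    stream_set = elements(stream)
    overlap = len(stream_set & virus_db)
    union = len(stream_set | virus_db)
    return overlap * math.log(union) if union else 0.0


def is_apt(score: float, k: float) -> bool:
    """Claim 4 threshold: A_SD > K classifies the intrusion as an APT virus."""
    return score > k


def analyse(stream: Matrix, virus_db: Set[int], k: float) -> dict:
    """Run S100 to S500 end to end: encrypt, hand over, decrypt, detect, classify."""
    m1, m2, m3 = encrypt(stream)          # collection side (S100)
    recovered = decrypt(m1, m2, m3)       # searching side (S300)
    h_m = virus_parameter(recovered, virus_db)
    score = apt_score(recovered, virus_db) if h_m > 0 else 0.0
    return {"round_trip_ok": recovered == stream, "H_M": h_m,
            "A_SD": score, "apt": h_m > 0 and is_apt(score, k)}


if __name__ == "__main__":
    print(analyse(S_TRA, V_IRUS, k=5.0))
```

Two design points worth noting. The three "encryption modes" of claim 2 are scalings by fixed constants: anyone holding σ, α, μ, ω and Code inverts them exactly, as decrypt() does, so they offer no confidentiality against a party that knows those constants and should be read as an encoding of the captured stream rather than cryptographic protection of it. The example also keeps M_1, M_2 and M_3 as three separate blocks instead of forming J_M = M_1 ∩ M_2 ∩ M_3, because a literal set intersection of three differently scaled blocks would normally be empty.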
Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
KR101499470B1 (en) * 2014-09-26 2015-03-09 (주)유엠로직스 Advanced Persistent Threat attack defense system and method using transfer detection of malignant code
CN107659543A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 The means of defence of facing cloud platform APT attacks
CN109660526A (en) * 2018-12-05 2019-04-19 国网江西省电力有限公司信息通信分公司 A kind of big data analysis method applied to information security field
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN111209608A (en) * 2020-02-25 2020-05-29 于梦丽 Big data storage system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LIN SHENWEN: "Study and research of APT detection technology based on big data processing architecture", 《 2015 IEEE 5TH INTERNATIONAL CONFERENCE ON ELECTRONICS INFORMATION AND EMERGENCY COMMUNICATION》 *
孙健等: "基于行为分析的APT攻击检测研究", 《电子设计工程》 *

Legal Events

Date Code Title Description
PB01 Publication
Application publication date: 20201117
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication