CN114938385B - Electric power physical network security situation awareness method, device, equipment and medium - Google Patents

Info

Publication number: CN114938385B
Authority: CN (China)
Prior art keywords: main body, observation, communication, vector, data packet
Legal status: Active
Application number: CN202210475954.2A
Other languages: Chinese (zh)
Other versions: CN114938385A (en)
Inventors: 陈智明, 黄敬志, 陈敏, 何明东, 唐亮亮, 黄小强, 王远雄, 曹德发, 罗威, 傅格话, 张驰俊, 黄科, 王永强, 谢敏敏, 李志华
Current Assignee: Guangdong Power Grid Co Ltd; Meizhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee: Guangdong Power Grid Co Ltd; Meizhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Application filed by: Guangdong Power Grid Co Ltd, Meizhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to: CN202210475954.2A
Publication of CN114938385A
Application granted
Publication of CN114938385B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation

Abstract

The invention discloses a method, a device, equipment and a medium for sensing the security situation of an electric power physical network. The method comprises the following steps: acquiring a current observation main body from an observation queue, and acquiring a communication matrix of the current observation main body; mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning; selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body to the observation queue; and returning to the operation of acquiring the current observation main body from the observation queue and acquiring its communication matrix, until the point where the safety accident occurred is located according to the situation awareness vector and an alarm is issued. With the technical scheme provided by the embodiment of the invention, the global security situation of the electric power Internet of Things can be monitored through a deep learning model using the local observation information of only some of the nodes.

Description

Electric power physical network security situation awareness method, device, equipment and medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a medium for sensing a security situation of an electric power physical network.
Background
The electric power Internet of Things is the product of combining electric power technology with the Internet of Things and with advanced technologies such as big data, artificial intelligence and cloud computing. It deeply integrates information technologies such as information acquisition, data processing and intelligent control into the electric power physical system so as to interconnect people and objects. One end of the electric power Internet of Things is connected to electric power energy sources, and the other end is connected to important real-economy fields such as finance and traffic. It not only plays an important role in guaranteeing the information and data security of electric power users, but also maintains the safe and stable operation of the power grid, and it has a great influence on the normal operation of the economy and society.
In the prior art, the electric power Internet of Things is a product of the deep integration of the Internet and industry, and problems such as data bias, deletion and explosion caused by network attacks can directly reach the front-line physical layer of the power grid, causing great losses to the social economy and national security. There is therefore a need to apply advanced Internet of Things technology to achieve comprehensive perception, accurate prediction and intelligent decision-making, and to establish an active defense method for coping with network security threats to the electric power Internet of Things.
However, the time-varying nonlinearity, random uncertainty and local observability of the electric power Internet of Things make it difficult for traditional machine learning methods to comprehensively reflect the steady-state and transient characteristics of the electric power Internet of Things system in its new form, which increases the difficulty of planning, designing, operating, maintaining and protecting the power grid.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for sensing the security situation of an electric power physical network, which are used for solving the problem that the conventional machine learning method is difficult to comprehensively sense the security situation of the electric power Internet of things, and monitoring the global security situation of the electric power Internet of things by using the local observation information of part of nodes through a deep learning model.
According to an aspect of the present invention, there is provided a power physical network security situation awareness method, including:
acquiring a current observation main body from an observation queue, and acquiring a communication matrix of the current observation main body;
mapping the communication matrix into situation awareness vectors by using a situation awareness model based on deep learning;
selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body into the observation queue;
and returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation awareness vector, and sending out an alarm.
Optionally, the acquiring the communication matrix of the current observation subject includes:
collecting all communication data packets of the current observation main body in one period through a man-in-the-middle proxy network; each communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points from the sending source to the receiving source;
classifying the communication data packets according to the communication main body vector to obtain grouped data packets;
converting each grouped data packet into binary, and sorting the grouped data packets in time order to form an ordered data packet set;
and converting the ordered data packet set into a communication matrix with determined rows and columns.
Optionally, the converting the ordered data packet set into a communication matrix with determined rows and columns includes:
acquiring the row number and column number of the communication matrix; the row and column numbers are determined according to the data packet number distribution and the data packet length distribution of a specified number of ordered data packet sets;
and screening and cutting the ordered data packet set of the current observation main body according to the row and column numbers of the communication matrix to generate the communication matrix.
Optionally, before mapping the communication matrix into the situational awareness vector by using a situational awareness model based on deep learning, the method further includes:
acquiring the row and column numbers of a communication matrix, and creating an AlexNet model according to the row and column numbers of the communication matrix;
acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a testing set;
and training the AlexNet model by using the training set until a loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation awareness model.
Optionally, the loss function of the AlexNet model includes:
wherein F is a loss function, TP is the number of correct model predictions, FP is the number of other class labels mispredicted as the present class label, FN is the number of other class labels mispredicted as the present class label.
Optionally, the selecting a new observation subject in the gradient rising direction of the situational awareness vector, and adding the new observation subject to the observation queue includes:
selecting alternative labels with abnormal weight values larger than a second threshold according to the situation awareness vector;
calculating an abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting an abnormal subject corresponding to the maximum value of the abnormal gradient as a new observation subject, and adding the new observation subject into the observation queue.
According to another aspect of the present invention, there is provided an electric power physical network security situation awareness apparatus, including:
the information acquisition module is used for acquiring a current observation main body from the observation queue and acquiring a communication matrix of the current observation main body;
the vector mapping module is used for performing mapping of the communication matrix into situation awareness vectors by using a situation awareness model based on deep learning;
the queue updating module is used for executing the selection of a new observation main body in the gradient rising direction of the situation awareness vector and adding the new observation main body into the observation queue;
and the loop execution module is used for executing the operation of returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation awareness vector and giving an alarm.
Optionally, the information acquisition module includes:
the acquisition unit is used for collecting all communication data packets of the current observation main body in one period through the man-in-the-middle proxy network; each communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points from the sending source to the receiving source;
a classification unit, configured to classify the communication data packets according to the communication main body vector to obtain grouped data packets;
the ordering unit is used for converting each grouped data packet into binary, and sorting the grouped data packets in time order to form an ordered data packet set;
and the conversion unit is used for performing conversion of the ordered data packet set into a communication matrix with determined rows and columns.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of power physical network security posture awareness according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the method for power physical network security posture awareness according to any of the embodiments of the present invention when executed.
According to the technical scheme, a current observation main body is obtained from an observation queue, and a communication matrix of the current observation main body is obtained; mapping the communication matrix into situation awareness vectors by using a situation awareness model based on deep learning; selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body into the observation queue; and returning to execute the operation of acquiring the current observation main body from the observation queue, acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation awareness vector, and sending out an alarm, thereby solving the problem that the traditional machine learning method is difficult to comprehensively perceive the safety situation of the electric power Internet of things, and achieving the beneficial effect of monitoring the global safety situation of the electric power Internet of things by using the local observation information of part of nodes through the deep learning model.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for sensing security situations of an electric power physical network according to a first embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a power physical network security situation awareness apparatus according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an electronic device implementing the method for sensing the security situation of the power physical network according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a method for sensing a security situation of an electric power physical network according to an embodiment of the present invention, where the method may be implemented by an electric power physical network security situation sensing device, and the device may be implemented in hardware and/or software, and the device may be configured in an electronic device. As shown in fig. 1, the method includes:
S110, acquiring a current observation main body from an observation queue, and acquiring a communication matrix of the current observation main body.
The method takes the sensing range of a single node in the electric power Internet of Things as its entry point and makes full use of the local observability of the electric power Internet of Things: the state of all nodes is predicted from the state of some nodes, that is, the global accident occurrence point is located by observing local nodes. Finally, hidden dangers are eliminated through intelligent decision-making, ensuring the stable and safe operation of electric power Internet of Things services.
In this embodiment, n nodes may be randomly selected from the electric power Internet of Things as initial observation main bodies and added to the observation queue $queue = [s_1, s_2, \dots, s_n]$. The randomly initialized observation main bodies serve as seed main bodies for detecting the source of the incident. A node is taken from the head of the observation queue as the current observation main body, and all data packets passing through the node in one time period are collected through the man-in-the-middle proxy network built at the node. Redundant data packets are then filtered out by classifying the data packets. Finally, the data packets are segmented, screened and padded according to a certain rule and converted into bit stream data of equal length, and the direction vector from the data source to the receiving source is combined with the data packet bit stream data to generate the communication matrix of the current observation main body in the period.
Optionally, the acquiring the communication matrix of the current observation subject includes: collecting all communication data packets of the current observation main body in one period through a man-in-the-middle proxy network; each communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points from the sending source to the receiving source; classifying the communication data packets according to the communication main body vector to obtain grouped data packets; converting each grouped data packet into binary, and sorting the grouped data packets in time order to form an ordered data packet set; and converting the ordered data packet set into a communication matrix with determined rows and columns.
In this embodiment, a man-in-the-middle proxy network is built at each node of the electric power Internet of Things, and all communication data packets at each node are collected through it. The proxy network does not hold a communication certificate and therefore cannot parse the collected communication data packets, but it can record the data flow of each communication data packet and its communication main bodies. For example, let the time period be T and let the set of communication data packets of node i collected by the proxy network be $DataPacket_T$. Each group of data flows in the communication data packets has a communication body vector, where k is the identity of the data transmission source and j is the identity of the reception source.
Because the communication data packets in $DataPacket_T$ are unordered, they can be normalized and converted into a structured bit stream data set, which provides an information processing basis for subsequent processing. Specifically, the proxy network uses the communication body vector from transmission source to reception source to classify all communication data packets of the current observation subject i in the time period T, obtaining grouped data packets. For example, assume that n subjects currently communicate with the current observation subject i. The communication data packets between the current observation subject i and each communication subject j, $j \in [1, n]$, are grouped by communication body vector, one group of data packets per vector, and each vector in each group of data packets is converted into binary. The set of grouped data packets corresponding to the communication body vectors in both directions is $DP = \{DataPacket_{i1}, \dots, DataPacket_{ij}, DataPacket_{1i}, \dots, DataPacket_{ji}\}$. The elements of the set DP are sorted in time order to generate an ordered data packet set DP', and DP' is converted into a communication matrix with determined rows and columns.
Optionally, the converting the ordered data packet set into a communication matrix with determined rows and columns includes: acquiring the row number and column number of the communication matrix; the row and column numbers are determined according to the data packet number distribution and the data packet length distribution of a specified number of ordered data packet sets; and screening and cutting the ordered data packet set of the current observation main body according to the row and column numbers of the communication matrix to generate the communication matrix.
In this embodiment, the proxy network computes the data packet number distribution and the data packet length distribution of all ordered data packet sets $DP'_o$, $o \in [1, T]$, within periods 1 to T. The upper quartile of the data packet number values is taken as the row number rows of the communication matrix, and the upper quartile of the data packet length values is taken as the column number columns. When converting an ordered data packet set DP' into a communication matrix, the row and column numbers are obtained first, and then rows data packet vectors are randomly selected from DP'. If the number of rows of DP' is larger than rows, the remaining elements are discarded; if it is smaller than rows, the matrix is padded with [0]*columns vectors up to rows rows. Meanwhile, every selected data packet vector longer than columns is truncated, retaining positions [0, columns-1]; if its length is smaller than columns, it is padded with 0. In this way the ordered set DP', whose elements vary in length and number, is converted into a communication matrix $COM_{rows \times columns}$ with determined rows and columns. Here, the upper quartile is the value at the 75% position after all values are arranged from small to large.
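The screening-and-cutting procedure described above, as an added Python example that is not code from the patent: it groups captured packets by communication body vector, orders them in time, derives rows and columns from the upper quartiles, and truncates or zero-pads to a fixed-size bit matrix. The `Packet` record layout, the nearest-rank quartile rule and the default of keeping the earliest packets (random selection is used only when an `rng` is passed) are assumptions, and the sample capture is constructed.

```python
import math
import random
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float       # capture time within the period, in seconds
    src: str        # sending subject k of the communication body vector
    dst: str        # receiving subject j
    payload: bytes  # opaque bytes; the proxy holds no certificate to parse them


def to_bits(payload):
    """Binary conversion: one list element per bit, most significant bit first."""
    return [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]


def ordered_packet_set(packets, observer):
    """Classify by (src, dst) vector, keep groups involving `observer`, sort by time (DP')."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p.src, p.dst)].append(p)
    kept = [p for (src, dst), grp in groups.items() if observer in (src, dst) for p in grp]
    return [to_bits(p.payload) for p in sorted(kept, key=lambda p: p.ts)]


def upper_quartile(values):
    """Value at the 75% position of the ascending sort (nearest-rank rule, an assumption)."""
    if not values:
        raise ValueError("no observations to take a quartile of")
    ordered = sorted(values)
    return ordered[math.ceil(0.75 * len(ordered)) - 1]


def matrix_shape(history):
    """rows from the packet-count distribution, columns from the packet-length distribution."""
    rows = upper_quartile([len(dp) for dp in history])
    columns = upper_quartile([len(bits) for dp in history for bits in dp])
    return rows, columns


def communication_matrix(dp, rows, columns, rng=None):
    """Screen and cut one DP' into a rows x columns matrix of bits."""
    if len(dp) > rows:
        if rng is None:                      # deterministic: keep the earliest packets
            dp = dp[:rows]
        else:                                # random selection, time order preserved
            dp = [dp[i] for i in sorted(rng.sample(range(len(dp)), rows))]
    # Truncate long packets to positions [0, columns-1]; pad short ones with 0.
    matrix = [bits[:columns] + [0] * (columns - len(bits)) for bits in dp]
    # Pad with [0]*columns rows when the period held fewer than `rows` packets.
    matrix += [[0] * columns for _ in range(rows - len(matrix))]
    return matrix


# Constructed sample capture at observer "n1" over three periods (not real traffic).
PERIODS = [
    [Packet(0.1, "n1", "n2", b"\x01\x02"), Packet(0.3, "n2", "n1", b"\xff"),
     Packet(0.2, "n3", "n4", b"\x00\x00\x00")],          # n3->n4 does not involve n1
    [Packet(1.0, "n1", "n3", b"\xaa\xbb\xcc"), Packet(1.2, "n3", "n1", b"\x10"),
     Packet(1.1, "n1", "n2", b"\x7f\x7f"), Packet(1.4, "n2", "n1", b"\x01")],
    [Packet(2.5, "n2", "n1", b"\x80\x00\x00\x01")],
]


def demo():
    history = [ordered_packet_set(period, "n1") for period in PERIODS]
    rows, columns = matrix_shape(history)
    return rows, columns, [communication_matrix(dp, rows, columns) for dp in history]


if __name__ == "__main__":
    rows, columns, matrices = demo()
    print(f"rows={rows} columns={columns}")
    for row in matrices[0]:
        print("".join(map(str, row)))
```

Because rows and columns come from the 75th percentile, roughly a quarter of periods lose packets and a quarter of packets lose trailing bits; the last byte of the 4-byte packet in the third period is cut here.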
In this embodiment, by collecting and processing the observation data of a single node in the electric power Internet of Things, the situation awareness model gains the ability to extend from a point to the whole area and to glimpse the global situation from a local view. Starting from the local viewpoint, the communication data of a single node in the electric power Internet of Things is processed with a low-load, highly timely method, providing an information processing basis for the subsequent steps.
S120, mapping the communication matrix into a situation awareness vector by using a situation awareness model based on deep learning.
In this embodiment, deep learning can understand and predict the development trend of each factor that can cause the system situation to change in a specific time and space; that is, it has situation awareness capability. Deep learning is therefore introduced into the electric power Internet of Things, and the security situation of the network structure and running state is comprehensively analyzed based on the situation awareness requirements of the electric power Internet of Things. On the one hand, features can be mined and extracted from the high-dimensional complex data of the electric power Internet of Things; on the other hand, problems of traditional machine learning methods in practical application, such as insufficient training data and poor generalization capability, can be solved. This improves the operation and control capability of the electric power Internet of Things, so that accurate prediction and intelligent decision-making are possible when security threats in the field of the electric power Internet of Things are encountered.
In this embodiment, a mapping mathematical model, that is, a transformation model that maps communication data directly to the situation awareness gradient, may be constructed first; a deep learning target is determined, and the transformation model is computed with a deep learning algorithm to generate the situation awareness model. A convolutional neural network converts the high-dimensional matrix into a weight vector with a corresponding direction, so that the situation awareness goal of extending from a point to the whole area is achieved without expert participation.
Optionally, before mapping the communication matrix into the situation awareness vector by using a situation awareness model based on deep learning, the method further includes: acquiring the row and column numbers of a communication matrix, and creating an AlexNet model according to the row and column numbers of the communication matrix; acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a testing set; and training the AlexNet model by using the training set until a loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation awareness model.
In this embodiment, to generate a situation awareness model, a mapping mathematical model may be constructed first and a deep learning target determined. That is, a mathematical model $AlexNet(COM_{rows \times columns}) \to pos$ is constructed, where pos is a one-dimensional array of length rows with values between 0 and 1. Then, an AlexNet convolutional neural network model is created according to the communication matrix size rows×columns, and its 5-layer convolutional pooling network is constructed and initialized. Next, a training set and a test set may be constructed to train the model parameters. The communication matrix generation process can be repeated p times to generate a communication matrix set $data = \{COM_1, COM_2, \dots, COM_p\}$. The s abnormal subjects $\{u_1, u_2, \dots, u_s\}$ nearest to subject i, and the anomaly weight label between each abnormal subject and subject i, are found from the labelled historical training model dataset. A label value greater than 0.5 indicates that the communication between subject $u_s$ and subject i is abnormal, and the greater the value, the greater the likelihood that the subject is abnormal. If the historical training model dataset is unlabelled, it is labelled manually. The process of generating the communication matrix set is repeated k times to obtain a data set $Data = \{data_1, data_2, \dots, data_k\}$ and the corresponding anomaly weight labels $Label = \{label_1, label_2, \dots, label_k\}$, which are randomly divided into a test set and a training set in a 2:8 ratio, recorded as $Data_{test}$ & $Label_{test}$ and $Data_{train}$ & $Label_{train}$. The model parameters of the AlexNet model are trained with the training set until the loss function of the AlexNet model on the test set reaches a first threshold, for example 0.9, yielding the situation awareness model and realizing the mapping from the communication matrix to the awareness direction.
Optionally, the loss function of the AlexNet model includes: wherein F is a loss function, TP is the number of correct model predictions, FP is the number of other class labels mispredicted as the present class label, FN is the number of other class labels mispredicted as the present class label.
In the embodiment, the local observation information acquired by a single node is converted into the situation awareness vector with guidance, so that the global situation can be monitored locally. The computing capability of the deep learning model on the high-dimensional matrix is utilized, the point-to-point communication matrix and the communication vector are converted into weight values of the moving direction of the point-to-point communication matrix and the communication vector, and the situation awareness vector is formed through the multi-dimensional weight values to guide the awareness direction.
S130, selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body into the observation queue.
In this embodiment, in order to find other observation subjects close to the safety accident source from the current observation subject, the observation points are connected to form an observation line, the gradient of the multidimensional situation awareness vector of the current observation subject can be calculated, the moving direction of the observation subject is determined according to the gradient rising direction, and a new observation subject is determined.
Optionally, the selecting a new observation subject in the gradient rising direction of the situational awareness vector, and adding the new observation subject to the observation queue includes: selecting alternative labels with abnormal weight values larger than a second threshold according to the situation awareness vector; calculating an abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body; and selecting an abnormal subject corresponding to the maximum value of the abnormal gradient as a new observation subject, and adding the new observation subject into the observation queue.
In this embodiment, after the situation awareness vector of the current observation subject s_i is obtained, the observation path can be explored with a breadth-first method so that it gradually approaches the security accident source. Candidate labels with an anomaly weight value greater than a second threshold, e.g., 0.5, are selected from the situation awareness vector, and the subjects s_q, s_{q+1}, …, s_{q+i} corresponding to the candidate labels are found, where i is the number of subjects with a label greater than 0.5, and q ∈ n. Taking the subjects s_q, s_{q+1}, …, s_{q+i} as abnormal subjects, their degree of abnormality Σ|pos_q| is calculated, the variation trend of the degree of abnormality is calculated according to s_q → s_i, and the abnormal gradient from each abnormal subject s_q to the current observation subject s_i is calculated. The abnormal subject with the highest abnormal gradient is selected and added to the tail of the observation queue as the new observation subject.
S140, returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is located according to the situation awareness vector, and sending out an alarm.
In this embodiment, after a new observation main body is added to an observation queue, a node is continuously taken out from the head of the observation queue as a current observation main body, and a data packet is collected and processed to obtain a communication matrix of the node in a time period through a man-in-the-middle proxy network built at the current observation main body. Detecting the local perception gradient direction of the current observation main body through a deep learning model, gradually positioning the observation point to a local maximum value point representing a suspected safety accident outbreak point by moving the observation point to the gradient rising direction, and sending out a warning.
In this embodiment, the local situation observed by the node in the electric power internet of things moves along the gradient rising direction of the local situation, and the observation points are connected into the observation line, so that the function of finding the security accident source in the electric power internet of things and giving an alarm through a small number of the observation points is realized. The fixed local observation points are changed into dynamic forms, so that the global security situation of the electric power Internet of things is monitored while a large amount of resources are saved.
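The loop of S110 to S140, as an added Python example that is not part of the patent. The awareness vectors are constructed sample values standing in for the model output; the gradient (difference in degree of abnormality Σ|pos| between candidate and observer), the `visited` set and all node names are assumptions, because the page's gradient formula did not survive extraction.

```python
from collections import deque

SECOND_THRESHOLD = 0.5  # the page's example value for the second threshold

# Constructed sample data: the situation awareness vector each subject would
# produce when it is the observer (peer -> anomaly weight). Names are made up.
AWARENESS = {
    "rtu-1":   {"rtu-2": 0.20, "gw-1": 0.62, "meter-7": 0.55},
    "rtu-2":   {"rtu-1": 0.20},
    "meter-7": {"rtu-1": 0.10, "gw-1": 0.40},
    "gw-1":    {"rtu-1": 0.30, "scada-3": 0.81, "meter-7": 0.58},
    "scada-3": {"gw-1": 0.70, "hist-9": 0.45, "plc-4": 0.90},
    "plc-4":   {"scada-3": 0.95},
    "hist-9":  {"scada-3": 0.45},
}


def perceive(subject):
    """Stand-in for S110-S120: capture traffic at `subject`, run the model."""
    return AWARENESS[subject]


def degree(vector):
    """Degree of abnormality: the sum of |pos| over an awareness vector."""
    return sum(abs(weight) for weight in vector.values())


def locate(start, perceive=perceive, threshold=SECOND_THRESHOLD):
    """Walk the observation queue uphill; return (path, suspected source).

    The source is None when the last observer saw no weight above the
    threshold, i.e. there is nothing abnormal to raise an alarm about.
    """
    queue = deque([start])
    visited = set()          # assumption: never re-observe a subject
    path = []
    while queue:
        current = queue.popleft()          # head of the observation queue
        visited.add(current)
        path.append(current)
        vector = perceive(current)

        # S130 step 1: candidate labels above the second threshold.
        suspects = [q for q, w in vector.items() if w > threshold]
        if not suspects:
            return path, None

        # S130 step 2: gradient from each abnormal subject to the observer.
        # Assumed form: degree(candidate) - degree(observer).
        here = degree(vector)
        gradients = {q: degree(perceive(q)) - here
                     for q in suspects if q not in visited}

        # S130 step 3: move to the steepest ascent, or stop at a local maximum.
        best = max(gradients, key=gradients.get, default=None)
        if best is None or gradients[best] <= 0:
            return path, current           # S140: alarm at this subject
        queue.append(best)                 # tail of the observation queue
    return path, None


if __name__ == "__main__":
    path, source = locate("rtu-1")
    print(" -> ".join(path), "| alarm at:", source)
```

A local maximum is only a suspected outbreak point: an observer surrounded by quieter peers stops the walk even if a stronger source exists elsewhere, so the starting subject matters.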
According to the technical scheme, a current observation main body is obtained from an observation queue, and a communication matrix of the current observation main body is obtained; mapping the communication matrix into situation awareness vectors by using a situation awareness model based on deep learning; selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body into the observation queue; and returning to execute the operation of acquiring the current observation main body from the observation queue, acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation awareness vector, and sending out an alarm, thereby solving the problem that the traditional machine learning method is difficult to comprehensively perceive the safety situation of the electric power Internet of things, and achieving the beneficial effect of monitoring the global safety situation of the electric power Internet of things by using the local observation information of part of nodes through the deep learning model.
Example two
Fig. 2 is a schematic structural diagram of a power physical network security situation awareness device according to a second embodiment of the present invention. As shown in fig. 2, the apparatus includes: an information acquisition module 210, a vector mapping module 220, a queue update module 230, and a loop execution module 240.
An information obtaining module 210, configured to obtain a current observation subject from an observation queue, and obtain a communication matrix of the current observation subject;
a vector mapping module 220, configured to perform mapping the communication matrix into a situational awareness vector using a situational awareness model based on deep learning;
a queue updating module 230, configured to perform selecting a new observation subject in a gradient rising direction of the situation awareness vector, and add the new observation subject to the observation queue;
and the loop execution module 240 is configured to return to the operation of acquiring the current observation subject from the observation queue and acquiring the communication matrix of the current observation subject until the safety accident occurrence point is located according to the situation awareness vector, and to send out an alarm.
Optionally, the information acquisition module includes:
the acquisition unit is used for acquiring all communication data packets of the current observation main body in one period through the man-in-the-middle agent network; the communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points from the sending source to the receiving end;
a classification unit, configured to perform classification of the communication data packet according to the communication body vector, to obtain a packet data packet;
the ordering unit is used for converting each packet data packet into binary, and ordering each packet data packet according to time sequence to form an ordered data packet set;
and the conversion unit is used for performing conversion of the ordered data packet set into a communication matrix with determined rows and columns.
Optionally, the conversion unit is configured to perform obtaining the row and column numbers of the communication matrix; the row number is determined according to the data packet number distribution and the data packet length distribution of the ordered data packet set with the specified number;
and screening and cutting the ordered data packet set of the current observation main body according to the row and column numbers of the communication matrix to generate the communication matrix.
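The work of the acquisition, classification, ordering and conversion units, as an added Python example that is not part of the patent. The captures are constructed; representing "binary" as byte values, ordering groups by first-seen time, taking the shape as a nearest-rank quantile of the two distributions, and zero padding are all assumptions, since the page does not fix them.

```python
import math
from collections import defaultdict

# Constructed captures, one list per observation period. Each packet is
# (timestamp, sender, receiver, payload); (sender, receiver) plays the role
# of the communication subject vector.
CAPTURES = [
    [(0.30, "rtu-1", "gw-1", bytes([1, 6])),
     (0.05, "gw-1", "rtu-1", bytes([1, 3, 2, 171, 205, 17])),
     (0.10, "rtu-1", "gw-1", bytes([1, 3, 0, 16]))],
    [(1.00, "rtu-1", "gw-1", bytes([1, 3, 0, 16])),
     (1.20, "gw-1", "rtu-1", bytes([1, 3, 2, 0, 1]))],
    [(2.00, "rtu-1", "gw-1", bytes([1, 3]))],
]


def ordered_packet_set(capture):
    """Classify packets by subject vector, then order them chronologically."""
    groups = defaultdict(list)
    for timestamp, sender, receiver, payload in capture:
        groups[(sender, receiver)].append((timestamp, payload))
    for packets in groups.values():
        packets.sort(key=lambda packet: packet[0])
    # Assumption: groups follow each other in order of their first packet.
    by_first_seen = sorted(groups.values(), key=lambda packets: packets[0][0])
    return [list(payload) for packets in by_first_seen for _, payload in packets]


def nearest_rank(values, quantile):
    """Nearest-rank quantile of a non-empty list of integers."""
    ranked = sorted(values)
    return ranked[max(math.ceil(quantile * len(ranked)) - 1, 0)]


def choose_shape(ordered_sets, quantile=0.5):
    """Rows from the packet-count distribution, columns from packet lengths."""
    rows = nearest_rank([len(s) for s in ordered_sets], quantile)
    columns = nearest_rank([len(p) for s in ordered_sets for p in s], quantile)
    return rows, columns


def communication_matrix(ordered, rows, columns):
    """Cut the ordered set to rows x columns, zero padding what is short."""
    matrix = [(packet[:columns] + [0] * columns)[:columns]
              for packet in ordered[:rows]]
    matrix += [[0] * columns for _ in range(rows - len(matrix))]
    return matrix


if __name__ == "__main__":
    sets = [ordered_packet_set(capture) for capture in CAPTURES]
    rows, columns = choose_shape(sets)
    for ordered in sets:
        print(communication_matrix(ordered, rows, columns))
```

Every period yields a matrix of the same shape, which is what lets one fixed-size network consume captures from any observer; the cost is that packets beyond the row limit and bytes beyond the column limit are invisible to the model.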
Optionally, further comprising: a model training module configured to perform, before the communication matrix is mapped into a situation awareness vector using the situation awareness model based on deep learning:
acquiring the row number of a communication matrix, and creating an AlexNet model according to the row number of the communication matrix;
acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a testing set;
and training the AlexNet model by using the training set until a loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation awareness model.
Optionally, the loss function of the AlexNet model includes:
wherein F is a loss function, TP is the correct number of model predictions, FP is the number of other class labels mispredicted as the present class label, FN is the number of other class labels mispredicted as the present class label.
Optionally, the queue updating module 230 is configured to perform:
selecting alternative labels with abnormal weight values larger than a second threshold according to the situation awareness vector;
calculating an abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting an abnormal subject corresponding to the maximum value of the abnormal gradient as a new observation subject, and adding the new observation subject into the observation queue.
The power physical network security situation awareness device provided by the embodiment of the invention can execute the power physical network security situation awareness method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example three
Fig. 3 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 3, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the power physical network security posture awareness method.
In some embodiments, the power physical network security posture awareness method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the power physical network security posture awareness method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the power physical network security posture awareness method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (9)

1. A power physical network security situation awareness method, characterized in that the method comprises the following steps:
acquiring a current observation main body from an observation queue, and acquiring a communication matrix of the current observation main body;
mapping the communication matrix into situation awareness vectors by using a situation awareness model based on deep learning;
selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body into the observation queue;
returning to execute the operation of acquiring the current observation main body from the observation queue and acquiring the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation awareness vector, and sending out an alarm;
selecting a new observation main body in the gradient rising direction of the situation awareness vector, and adding the new observation main body into the observation queue, wherein the method comprises the following steps:
selecting alternative labels with abnormal weight values larger than a second threshold according to the situation awareness vector;
calculating an abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting an abnormal subject corresponding to the maximum value of the abnormal gradient as a new observation subject, and adding the new observation subject into the observation queue.
2. The method of claim 1, wherein the obtaining the communication matrix of the current observation subject comprises:
collecting all communication data packets of the current observation main body in a period through a man-in-the-middle agent network; the communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points to a receiving source end from a sending source;
classifying the communication data packets according to the communication main body vector to obtain packet data packets;
converting each packet data packet into binary system, and sequencing each packet data packet according to time sequence to form an ordered data packet set;
and converting the ordered data packet set into a communication matrix with determined rows and columns.
3. The method of claim 2, wherein converting the ordered set of data packets into a row-column determined communication matrix comprises:
acquiring the row number and column number of a communication matrix; the row number is determined according to the data packet number distribution and the data packet length distribution of the ordered data packet set with the specified number;
and screening and cutting the ordered data packet set of the current observation main body according to the row and column numbers of the communication matrix to generate the communication matrix.
4. The method of claim 1, further comprising, prior to mapping the communication matrix into a situational awareness vector using a situational awareness model based on deep learning:
acquiring the row number of a communication matrix, and creating an AlexNet model according to the row number of the communication matrix;
acquiring a preset number of communication matrix sets and corresponding abnormal weight label sets, and constructing a training set and a testing set;
and training the AlexNet model by using the training set until a loss function of the AlexNet model in the test set reaches a first threshold value, so as to obtain a situation awareness model.
5. The method of claim 4, wherein the loss function of the AlexNet model comprises:
wherein F is a loss function, TP is the correct number of model predictions, FP is the number of other class labels mispredicted as the present class label, FN is the number of other class labels mispredicted as the present class label.
6. An electric power physical network security situation awareness device, characterized by comprising:
the information acquisition module is used for acquiring a current observation main body from the observation queue and acquiring a communication matrix of the current observation main body;
the vector mapping module is used for performing mapping of the communication matrix into situation awareness vectors by using a situation awareness model based on deep learning;
the queue updating module is used for executing the selection of a new observation main body in the gradient rising direction of the situation awareness vector and adding the new observation main body into the observation queue;
the circulation execution module is used for executing the operation of returning to execute the current observation main body obtained from the observation queue and obtaining the communication matrix of the current observation main body until the safety accident occurrence point is positioned according to the situation awareness vector and giving an alarm;
the queue updating module is further configured to perform:
selecting alternative labels with abnormal weight values larger than a second threshold according to the situation awareness vector;
calculating an abnormal gradient from the abnormal main body corresponding to each alternative label to the current observation main body;
and selecting an abnormal subject corresponding to the maximum value of the abnormal gradient as a new observation subject, and adding the new observation subject into the observation queue.
7. The apparatus of claim 6, wherein the information acquisition module comprises:
the acquisition unit is used for acquiring all communication data packets of the current observation main body in one period through the man-in-the-middle agent network; the communication data packet comprises a data stream and a communication main body vector, and the communication main body vector points to a receiving source end from a sending source;
a classification unit, configured to perform classification of the communication data packet according to the communication body vector, to obtain a packet data packet;
the ordering unit is used for converting each packet data packet into binary, and ordering each packet data packet according to time sequence to form an ordered data packet set;
and the conversion unit is used for performing conversion of the ordered data packet set into a communication matrix with determined rows and columns.
8. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform a method of power physical network security posture awareness according to any one of claims 1-5.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores computer instructions for causing a processor to implement a method for security posture awareness of an electrical physical network according to any of claims 1-5 when executed.
CN202210475954.2A 2022-04-29 2022-04-29 Electric power physical network security situation awareness method, device, equipment and medium Active CN114938385B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210475954.2A CN114938385B (en) 2022-04-29 2022-04-29 Electric power physical network security situation awareness method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN114938385A (en) 2022-08-23
CN114938385B (en) 2023-10-24

Family

ID=82865198

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant