CN115801560A - Scheduling layer message abnormity positioning method, device and system based on automatic analysis - Google Patents


Info

Publication number
CN115801560A
Authority
CN
China
Prior art keywords
message
data
scheduling layer
protocol
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211504469.XA
Other languages
Chinese (zh)
Inventor
张云飞
徐行之
吴江
侯永春
华德峰
韩学春
甘强
许卫刚
何露芽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Super High Voltage Branch Of State Grid Jiangsu Electric Power Co ltd
Original Assignee
Super High Voltage Branch Of State Grid Jiangsu Electric Power Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Super High Voltage Branch Of State Grid Jiangsu Electric Power Co ltd filed Critical Super High Voltage Branch Of State Grid Jiangsu Electric Power Co ltd
Priority to CN202211504469.XA priority Critical patent/CN115801560A/en
Publication of CN115801560A publication Critical patent/CN115801560A/en
Pending legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a scheduling layer message abnormity positioning method, device and system based on automatic analysis, which comprises the steps of automatically classifying captured message data streams according to the characteristics of scheduling layer network messages to obtain a plurality of classification data; modeling, feature extraction and analysis are respectively carried out on each classification data, and a reference library used as an abnormality judgment basis is generated, wherein the reference library comprises data and behaviors; judging the real-time message state based on a reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the occurrence of the abnormality, the statistical characteristics of a link and the abnormal content, and simultaneously generating an alarm signal; and sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption, so that the monitoring terminal performs uniform display and alarm. By analyzing and judging the service data, the invention visually displays the operation condition of the transformer substation scheduling layer network, and is convenient for operation and maintenance personnel to monitor the network security and locate the abnormity of the scheduling layer.

Description

Scheduling layer message abnormity positioning method, device and system based on automatic analysis
Technical Field
The invention belongs to the message processing technology, and particularly relates to a method, a device and a system for scheduling layer message exception positioning based on automatic analysis.
Background
The communication network of a transformer substation is a local area network, and its only outlet for external communication is the scheduling layer network. The remote signaling and telemetry data in the station are transmitted to the dispatch center through the scheduling layer network, and control commands issued by the dispatch center are transmitted to the station through the same network. As the substation's gateway for external communication, the security of the scheduling layer network is particularly important: once it is subjected to intrusion or other malicious threats, the operation of the substation is seriously affected.
At present, the scheduling layer network is managed and controlled by the dispatch center, which can usually obtain only a few alarms about the scheduling layer network, such as illegal connections, from the alarms of the longitudinal encryption device, so the scheduling layer network cannot be monitored from a service perspective.
Disclosure of Invention
In view of the above problems, the invention provides a scheduling layer message abnormity positioning method, device and system based on automatic analysis, which visually display the operation condition of the transformer substation scheduling layer network through analysis and judgment of service data, so that operation and maintenance personnel can conveniently monitor network security and locate anomalies of the scheduling layer.
In order to achieve the technical purpose and achieve the technical effects, the invention is realized by the following technical scheme:
in a first aspect, the present invention provides a method for scheduling layer message exception positioning based on automatic analysis, which includes:
automatically classifying the captured message data stream according to the characteristics of the scheduling layer network message to obtain a plurality of classified data;
modeling, feature extraction and analysis are respectively carried out on each classification data to generate a reference library used as an abnormal judgment basis, and the reference library comprises data and behaviors;
judging the real-time message state based on the reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the abnormality, the statistical characteristics of a link and the abnormal content, and simultaneously generating an alarm signal;
and sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption so that the monitoring terminal can carry out uniform display and alarm.
Optionally, the message data stream is a communication protocol of a master station and a slave station, and includes an IEC104 protocol message, an IEC103 protocol message, and an IEC61850 protocol message.
Optionally, each classification data corresponds to a different application layer protocol.
Optionally, the same classified data has the same protocol, destination IP address, source IP address, destination port, and source port.
Optionally, modeling each classification data respectively means extracting data and behaviors for each classification data.
Optionally, the feature extraction refers to extracting protocol features for the different application layer protocols according to the classification result: parsing the point number for IEC104 protocol messages, the group number and entry number for IEC103 protocol messages, and the FCDA for IEC61850 protocol messages.
Optionally, the content of the alarm signal includes: the time when the anomaly occurred, the statistical characteristics of the link, and the anomaly content.
Optionally, the capturing of the message data stream is implemented by packet capturing at a mirror interface of a dispatching layer switch, or implemented by a dedicated device with message capturing and analyzing capabilities, which is connected in series in a channel.
In a second aspect, the present invention provides an automatic analysis-based scheduling layer packet exception positioning apparatus, including:
the data classification module is used for automatically classifying the captured message data stream according to the characteristics of the scheduling layer network message to obtain a plurality of classification data;
the benchmark base generation module is used for respectively modeling, extracting and analyzing the characteristics of each classified data to generate a benchmark base used as a basis for judging the abnormity, and the benchmark base comprises data and behaviors;
the abnormal analysis module is used for judging the real-time message state based on the reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the occurrence of the abnormality, the statistical characteristics of a link and the abnormal content, and simultaneously generates an alarm signal;
and the alarm module is used for sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption, so that the monitoring terminal can carry out uniform display and alarm.
In a third aspect, the invention relates to a scheduling layer message exception positioning system based on automatic analysis, which comprises a storage medium and a processor;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method according to any one of the first aspects.
Compared with the prior art, the invention has the beneficial effects that:
according to the invention, classification and modeling of various application layer protocols are realized from a scheduling network data flow layer, a reference library is generated, and the real-time message is compared with the reference library to find abnormal information, so that the operation condition of a transformer substation scheduling layer network can be visually displayed, and operation and maintenance personnel can conveniently monitor the operation condition; and when the scheduling layer network is abnormal, the abnormal link can be quickly positioned, so that operation and maintenance personnel can quickly process the problem.
Drawings
In order that the present disclosure may be more readily and clearly understood, reference is now made to the following detailed description of the present disclosure taken in conjunction with the accompanying drawings, in which:
fig. 1 is a flowchart illustrating a method for scheduling layer packet exception positioning according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the scope of the invention.
The application of the principles of the present invention will now be described in detail with reference to the accompanying drawings.
Example 1
The embodiment of the invention provides a scheduling layer message abnormity positioning method based on automatic analysis, which comprises the following steps:
(1) Automatically classifying the captured message data stream according to the characteristics of the scheduling layer network message to obtain a plurality of classified data;
(2) Modeling, feature extraction and analysis are respectively carried out on each classification data to generate a reference library used as an abnormal judgment basis, and the reference library comprises data and behaviors;
(3) Judging the real-time message state based on the reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the abnormality occurrence, the statistical characteristics of a link and the abnormal content, and simultaneously generating an alarm signal;
(4) And sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption, so that the monitoring terminal performs uniform display and alarm.
In a specific implementation manner of the embodiment of the present invention, the message data stream is a master-substation communication protocol, and includes an IEC104 protocol message, an IEC103 protocol message, and an IEC61850 protocol message. Each classification data corresponds to different application layer protocols respectively. The same classification data has the same protocol, destination IP address, source IP address, destination port, and source port.
In a specific implementation manner of the embodiment of the present invention, modeling each classification data respectively means extracting data and behaviors for each classification data. Taking IEC104 as an example, modeling refers to extracting the remote signaling values, the telemetry values and the behavior habits of remote control as the model of the data stream.
In a specific implementation manner of the embodiment of the present invention, the feature extraction refers to extracting protocol features for the different application layer protocols according to the classification result: parsing the point number for IEC104 protocol messages, the group number and entry number for IEC103 protocol messages, and the FCDA for IEC61850 protocol messages.
In a specific implementation manner of the embodiment of the present invention, the content of the alarm signal includes: the time when the anomaly occurred, the statistical characteristics of the link, and the anomaly content.
In a specific implementation manner of the embodiment of the present invention, the capturing of the packet data stream is implemented by packet capturing at a mirror interface of a scheduling layer switch, or implemented by a dedicated device with packet capturing and analyzing capabilities, which is connected in series in a channel.
In a specific implementation manner of the embodiment of the present invention, the values of the reference library are refreshed according to real-time analysis of the data stream, and the anomalies that may occur include: a telemetry jump larger than a preset threshold, a remote signaling change without a remote control operation, a remote control operation during non-working time, a TCP connection interruption, and the like.
The following describes the scheduling layer message exception positioning method in the embodiment of the present invention in detail with reference to a specific embodiment.
Step 1, automatically classifying and modeling the captured message data streams according to the characteristics of scheduling layer network messages. This refers to performing protocol analysis on the communication protocols used by the scheduling data network to obtain the characteristics of the scheduling data network messages. The captured data streams comprise the master-substation communication protocols commonly used by transformer substations (such as IEC104, IEC103 and IEC61850 protocol messages), and the statistical characteristic of a message data stream is that its messages share the same protocol, destination IP address, source IP address, destination port and source port. The feature extraction of the message data stream is realized by packet capture at a mirror port of the scheduling layer switch, or by dedicated equipment connected in series in the channel that has message capturing and analyzing capabilities. Because the data transmitted by the scheduling layer, that is, the data carried by the protocols, are mainly remote signaling, telemetry and remote control data, modeling the data stream refers to extracting from it the remote signaling values, the telemetry values and the behavior habits of remote control.
Step 2, automatically analyzing through feature extraction and generating a reference library as the basis for anomaly judgment, wherein the reference library comprises data and behaviors. The feature extraction is realized by parsing the specific protocol: for IEC104 protocol messages, mainly the point number is parsed (corresponding to the information object address in the IEC104 protocol); for IEC103 protocol messages, mainly the group number and entry number are parsed (corresponding to the group and the entry in the IEC103 protocol); for IEC61850 protocol messages, mainly the FCDA (functionally constrained data attribute) is parsed. The reference library is established from the value corresponding to each feature (e.g., a remote signaling value of 0 or 1, or a telemetry value such as 245.1). The remote signaling reference library records the remote signaling state, which is usually open, closed or invalid. The telemetry reference library records the telemetry value, usually a floating point number. The remote control reference library records the remote control state, usually control-open or control-close. In addition, the reference library should record the timestamp corresponding to each message, in order to determine whether a remote control operation was performed during non-working time.
Step 3, monitoring and counting each frame of message in real time, judging the data state, and recording and locating the abnormal link when an anomaly occurs, wherein the record comprises the time of the anomaly, the statistical characteristics of the link and the anomaly content, and an alarm signal is generated at the same time. Because the line load may change, the values of the reference library may also change, so the reference library may be refreshed according to the real-time analysis of the data stream. The anomalies include: a telemetry jump larger than a preset threshold, which may mean that the power transmission line is short-circuited; a remote signaling change without a remote control operation, since a remote signaling change normally accompanies a remote control operation; a remote control operation during non-working time, since remote control operations are normally planned; and a TCP connection interruption, where data that is not refreshed for a long time may indicate a communication failure. When an anomaly occurs, the anomaly information, comprising the time of the anomaly, the statistical characteristics of the link and the anomaly content, is uploaded to the monitoring terminal immediately.
Step 4, sending the alarm to the monitoring terminal in real time through a private protocol with authentication and encryption, so that the monitoring terminal performs uniform display and alarm. The monitoring terminal here may be a local monitoring environment or a platform environment of the master station. Transmitting the data through the private protocol with authentication and encryption prevents eavesdropping on the communication and ensures the confidentiality, integrity and non-repudiation of the data transmission.
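Steps 1 to 3 above, as an added Python example (not code from the patent): IEC104 frames on one link are parsed down to their point numbers, a reference library is kept per (link, point number), and the four anomalies listed in Step 3 are raised with time, link and content. The parser covers only type IDs 1, 13 and 45; the thresholds, working hours, addresses and sample frames are constructed assumptions, and both directions of a TCP connection are treated as one link.

```python
import struct
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# IEC 60870-5-104 type IDs handled: single-point signal, short-float telemetry, single command
M_SP_NA_1, M_ME_NC_1, C_SC_NA_1 = 1, 13, 45
ELEMENT_LEN = {M_SP_NA_1: 1, M_ME_NC_1: 5, C_SC_NA_1: 1}
COT_ACTIVATION = 6
# Constructed link key: protocol, destination IP, source IP, destination port, source port
FLOW = ("IEC104", "10.0.0.5", "10.0.1.9", 2404, 40001)


def parse_apdu(frame: bytes):
    """Return [(type_id, cot, ioa, value)] for one I-format APDU, [] for anything else."""
    if len(frame) < 12 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return []                      # wrong start byte, or length field does not match
    if frame[2] & 0x01 or frame[6] not in ELEMENT_LEN:
        return []                      # S-/U-format frame, or a type this sketch skips
    type_id, vsq, cot = frame[6], frame[7], frame[8] & 0x3F
    size = ELEMENT_LEN[type_id]
    pos, ioa, out = 12, 0, []          # skip APCI (6 octets) and ASDU header (6 octets)
    for i in range(vsq & 0x7F):
        if i == 0 or not vsq & 0x80:   # SQ=1: one address, then consecutive elements
            if pos + 3 > len(frame):
                break
            ioa = int.from_bytes(frame[pos:pos + 3], "little")
            pos += 3
        else:
            ioa += 1
        if pos + size > len(frame):    # truncated object: keep what parsed cleanly
            break
        if type_id == M_ME_NC_1:
            value = struct.unpack_from("<f", frame, pos)[0]
        elif type_id == M_SP_NA_1:     # SIQ: bit 7 = invalid, bit 0 = open(0)/closed(1)
            value = "invalid" if frame[pos] & 0x80 else frame[pos] & 0x01
        else:                          # SCO: bit 0 = commanded state
            value = frame[pos] & 0x01
        out.append((type_id, cot, ioa, value))
        pos += size
    return out


@dataclass
class Detector:
    jump_threshold: float = 50.0                       # assumed telemetry jump limit
    control_window: timedelta = timedelta(seconds=30)  # assumed command-to-signal delay
    work_hours: tuple = (time(8, 0), time(18, 0))      # assumed working hours
    link_timeout: timedelta = timedelta(seconds=60)    # assumed refresh deadline
    reference: dict = field(default_factory=dict)      # (flow, ioa) -> last value
    last_control: dict = field(default_factory=dict)   # flow -> time of last command
    last_seen: dict = field(default_factory=dict)      # flow -> time of last frame

    def observe(self, ts, flow, frame):
        alerts = []
        def alert(kind, content):      # alarm content: time, link, anomaly content
            alerts.append({"time": ts, "link": flow, "kind": kind, "content": content})
        self.last_seen[flow] = ts
        for type_id, cot, ioa, value in parse_apdu(frame):
            if type_id == C_SC_NA_1:
                if cot == COT_ACTIVATION:
                    self.last_control[flow] = ts
                    if not self.work_hours[0] <= ts.time() < self.work_hours[1]:
                        alert("control_off_hours", f"command {value} to point {ioa}")
                continue
            old = self.reference.get((flow, ioa))
            if type_id == M_ME_NC_1 and old is not None and abs(value - old) > self.jump_threshold:
                alert("telemetry_jump", f"point {ioa}: {old:.1f} -> {value:.1f}")
            if type_id == M_SP_NA_1 and old is not None and value != old:
                commanded = self.last_control.get(flow)
                if commanded is None or ts - commanded > self.control_window:
                    alert("signal_without_control", f"point {ioa}: {old} -> {value}")
            self.reference[(flow, ioa)] = value        # reference follows the live stream
        return alerts

    def stale_links(self, now):
        return [{"time": now, "link": flow, "kind": "link_stale", "content": f"no frame since {seen}"}
                for flow, seen in self.last_seen.items() if now - seen > self.link_timeout]


def build_apdu(type_id, cot, ioa, element):  # helper for the constructed sample frames
    asdu = bytes([type_id, 1, cot, 0, 1, 0]) + ioa.to_bytes(3, "little") + element
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu


def demo():
    """Replay a constructed day of traffic on FLOW and return the alerts raised."""
    telemetry = lambda v: build_apdu(M_ME_NC_1, 3, 4001, struct.pack("<f", v) + b"\x00")
    signal = lambda s: build_apdu(M_SP_NA_1, 3, 101, bytes([s]))
    command = build_apdu(C_SC_NA_1, COT_ACTIVATION, 6001, b"\x01")
    timeline = [("10:00:00", telemetry(245.1)), ("10:00:05", telemetry(246.0)),
                ("10:00:10", telemetry(12.0)), ("10:00:20", signal(1)),
                ("10:01:00", signal(0)), ("10:02:00", command),
                ("10:02:03", signal(1)), ("23:30:00", command)]
    day, det, alerts = datetime(2024, 1, 8), Detector(), []
    for clock, frame in timeline:
        alerts += det.observe(datetime.combine(day, time.fromisoformat(clock)), FLOW, frame)
    alerts += det.stale_links(datetime.combine(day, time(23, 32)))
    return alerts
```

In a deployment the command point and the signal point it drives would be paired explicitly; the shared time window used here is a simplification.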
Example 2
Based on the same inventive concept as embodiment 1, the embodiment of the present invention provides an automatic analysis-based scheduling layer message exception positioning apparatus, including:
the data classification module is used for automatically classifying the captured message data stream according to the characteristics of the scheduling layer network message to obtain a plurality of classification data;
the benchmark base generation module is used for respectively modeling, extracting and analyzing the characteristics of each classified data to generate a benchmark base used as a basis for judging the abnormity, and the benchmark base comprises data and behaviors;
the abnormal analysis module is used for judging the real-time message state based on the reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the occurrence of the abnormality, the statistical characteristics of a link and the abnormal content, and simultaneously generates an alarm signal;
and the alarm module is used for sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption so that the monitoring terminal can carry out uniform display and alarm.
The rest is the same as in Embodiment 1.
Example 3
The embodiment of the invention provides a scheduling layer message exception positioning system based on automatic analysis, which comprises a storage medium and a processor, wherein the storage medium is used for storing a scheduling layer message;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method according to embodiment 1.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the present invention has been described with reference to the particular illustrative embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but is intended to cover various modifications, equivalent arrangements, and equivalents thereof, which may be made by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.
The foregoing shows and describes the general principles and features of the present invention, together with the advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A scheduling layer message exception positioning method based on automatic analysis is characterized by comprising the following steps:
automatically classifying the captured message data stream according to the characteristics of the scheduling layer network message to obtain a plurality of classified data; modeling, feature extraction and analysis are respectively carried out on each classification data to generate a reference library used as an abnormal judgment basis, and the reference library comprises data and behaviors;
judging the real-time message state based on the reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the abnormality, the statistical characteristics of a link and the abnormal content, and simultaneously generating an alarm signal; and sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption so that the monitoring terminal can carry out uniform display and alarm.
2. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: the message data flow is a communication protocol of the main station and the sub station and comprises an IEC104 protocol message, an IEC103 protocol message and an IEC61850 protocol message.
3. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: each classification data respectively corresponds to different application layer protocols.
4. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: the same classification data has the same protocol, destination IP address, source IP address, destination port, and source port.
5. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: modeling each classification data respectively means extracting data and behaviors for each classification data.
6. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: the feature extraction refers to extracting protocol features for the different application layer protocols according to the classification result: parsing the point number for IEC104 protocol messages, the group number and entry number for IEC103 protocol messages, and the FCDA for IEC61850 protocol messages.
7. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: the content of the alarm signal comprises: the time when the anomaly occurred, the statistical characteristics of the link, and the anomaly content.
8. The method for scheduling layer message exception positioning based on automatic analysis according to claim 1, characterized in that: the capturing of the message data flow is realized by packet capturing through a mirror image port of a dispatching layer switch or through special equipment which is connected in series in a channel and has message capturing and analyzing capabilities.
9. A scheduling layer message exception positioning device based on automatic analysis is characterized by comprising:
the data classification module is used for automatically classifying the captured message data stream according to the characteristics of the scheduling layer network message to obtain a plurality of classification data;
the benchmark base generation module is used for respectively modeling, extracting and analyzing the characteristics of each classified data to generate a benchmark base used as a basis for judging the abnormity, and the benchmark base comprises data and behaviors;
the abnormal analysis module is used for judging the real-time message state based on the reference library, recording and positioning an abnormal link when an abnormality occurs, wherein the abnormal link comprises the time of the occurrence of the abnormality, the statistical characteristics of a link and the abnormal content, and simultaneously generates an alarm signal;
and the alarm module is used for sending the alarm signal to the monitoring terminal in real time through a private protocol with authentication and encryption so that the monitoring terminal can carry out uniform display and alarm.
10. A dispatch layer message exception positioning system based on automatic analysis is characterized by comprising a storage medium and a processor;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method according to any one of claims 1-8.
CN202211504469.XA 2022-11-29 2022-11-29 Scheduling layer message abnormity positioning method, device and system based on automatic analysis Pending CN115801560A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211504469.XA CN115801560A (en) 2022-11-29 2022-11-29 Scheduling layer message abnormity positioning method, device and system based on automatic analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211504469.XA CN115801560A (en) 2022-11-29 2022-11-29 Scheduling layer message abnormity positioning method, device and system based on automatic analysis

Publications (1)

Publication Number Publication Date
CN115801560A true CN115801560A (en) 2023-03-14

Family

ID=85442439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211504469.XA Pending CN115801560A (en) 2022-11-29 2022-11-29 Scheduling layer message abnormity positioning method, device and system based on automatic analysis

Country Status (1)

Country Link
CN (1) CN115801560A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination