CN118332554A - Abnormality determination method and device, storage medium and electronic device - Google Patents


Publication number
CN118332554A
Authority
CN
China
Prior art keywords
detection model
instruction
detection
probability
model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410287835.3A
Other languages
Chinese (zh)
Inventor
胡建强
王德志
齐革军
孙财新
濮宏达
申旭辉
王彦方
郝健强
沈聪
潘霄峰
付明志
赫卫国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Canghua Offshore Wind Power Technology Co ltd
Huaneng Zhejiang Energy Sales Co ltd
Huaneng Clean Energy Research Institute
Huaneng Zhejiang Energy Development Co Ltd
Original Assignee
Zhejiang Canghua Offshore Wind Power Technology Co ltd
Huaneng Zhejiang Energy Sales Co ltd
Huaneng Clean Energy Research Institute
Huaneng Zhejiang Energy Development Co Ltd
Application filed by Zhejiang Canghua Offshore Wind Power Technology Co ltd, Huaneng Zhejiang Energy Sales Co ltd, Huaneng Clean Energy Research Institute, Huaneng Zhejiang Energy Development Co Ltd
Priority to CN202410287835.3A
Publication of CN118332554A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application discloses an anomaly determination method and device, a storage medium and an electronic device. The method comprises: during execution of a target program, acquiring the instruction jump sequence corresponding to K consecutively executed instructions in the target program, wherein the instruction jump sequence comprises the indexes of the K instructions and indicates the order in which the K instructions were executed, and K is an integer greater than 2; detecting the anomaly probability of the instruction jump sequence through a first detection model, wherein the first detection model is trained on a plurality of normal instruction jump sequences, each containing K instructions; and, when the anomaly probability is smaller than a first preset probability, determining that an anomaly exists in the execution of the instruction jump sequence. This solves the problem that a smart meter is easily subjected to unauthorized physical external connection while the vulnerabilities this introduces cannot be detected accurately and in time, and improves the timeliness and accuracy of vulnerability detection in the smart meter.

Description

Abnormality determination method and device, storage medium and electronic device
Technical Field
The present application relates to the field of vulnerability detection technology, and in particular, to a method and apparatus for determining an abnormality, a storage medium, and an electronic apparatus.
Background
In order to measure users' energy consumption, an electricity retailer installs one or more smart meters for each customer. A smart meter collects the user's electricity consumption and sends the energy consumption information to the electricity retailer over a public network. The smart meter is generally installed directly in the user's power distribution cabinet, whose key is kept by the user, so it is easily subjected to unauthorized physical external connection; a malicious actor can attack the whole monitoring network by operating the smart meter, which brings a series of network security risks.
Specifically, first, the prior art generally secures information in transit by enabling the SSL transport protocol and directed IP, secures the device physically with the key of the power distribution cabinet, and secures access to the operating system by enabling password login. An attacker can nevertheless physically damage the power distribution cabinet and connect to the smart meter through an unauthorized physical external connection (such as a general-purpose protocol interface), which poses a security risk to the smart meter. Second, smart meters generally run a general-purpose Linux operating system; because updating and maintaining it requires professionals to debug the meters on site one by one, the latest disclosed vulnerabilities usually cannot be patched in time and are easily exploited. Finally, devices such as routers in the local area network formed by the smart meters generally have weak protection, and attacks can be launched into the local area network through these weak points.
No effective solution has yet been proposed for the problem in the related art that a smart meter is easily subjected to unauthorized physical external connection while the vulnerabilities this introduces cannot be detected accurately and in time.
Disclosure of Invention
The embodiments of the application provide an anomaly determination method and device, a storage medium and an electronic device, which at least solve the problem in the prior art that a smart meter is easily subjected to unauthorized physical external connection while the vulnerabilities this introduces cannot be detected accurately and in time.
According to an embodiment of the present application, there is provided a method for determining an anomaly, including: in the process of executing a target program, acquiring instruction jump sequences corresponding to K instructions which are continuously executed in the target program, wherein the instruction jump sequences comprise indexes of the K instructions and are used for indicating the executed sequence of the K instructions, and K is an integer greater than 2; detecting the abnormal probability of the instruction jump sequence through a first detection model, wherein the first detection model is trained according to a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K; and under the condition that the abnormality probability is smaller than a first preset probability, determining that abnormality exists in the execution process of the instruction jump sequence.
In an exemplary embodiment, acquiring the instruction jump sequence corresponding to K consecutively executed instructions in the target program includes: tracking the order in which a program pointer in the first smart meter jumps among the instruction addresses corresponding to the K instructions, and taking that jump order as the order in which the K instructions were executed, wherein, when execution of the current instruction in the target program finishes, the program pointer points to the instruction address of the next instruction to be executed after the current instruction; and determining the index of the i-th instruction of the K instructions by: when the i-th instruction of the K instructions is being executed, taking the instruction address in the program pointer in the first smart meter as the address of the i-th instruction; dividing the address of the i-th instruction by the block size of the memory block where the i-th instruction is located to obtain a calculation result; and rounding the calculation result down to obtain the index of the i-th instruction, where i ∈ [1, K].
In an exemplary embodiment, before detecting the anomaly probability of the instruction jump sequence through the first detection model, the method further comprises: obtaining a plurality of second detection models, wherein the plurality of second detection models comprise the second detection models respectively corresponding to a plurality of second smart meters, each second detection model is obtained by training a third detection model constructed by the respective second smart meter on the plurality of normal instruction jump sequences corresponding to that second smart meter, each second smart meter is a smart meter of the same type as the first smart meter, and the plurality of second smart meters include the first smart meter; and merging the plurality of second detection models to obtain the first detection model, and updating the second detection model on each second smart meter with the first detection model.
In an exemplary embodiment, merging the plurality of second detection models to obtain the first detection model includes: performing a summation operation on a fourth detection model and a fifth detection model to obtain a merged model of the fourth detection model and the fifth detection model, and increasing the operation count L of the summation operation by a target value to obtain the current operation count N, wherein the fourth detection model is the second detection model obtained from any one of the remaining smart meters, the fifth detection model is the second detection model corresponding to the first smart meter, the remaining smart meters are the smart meters other than the first smart meter, L is a non-negative integer, and N is a positive integer; when the fourth detection model is not an abnormal model, determining the number M of the remaining smart meters, where M is a positive integer; when N is smaller than M, updating the fifth detection model with the merged model and updating the operation count L with the current operation count N; when N is equal to M, determining the fifth detection model as the first detection model.
In an exemplary embodiment, before determining the number M of the remaining smart meters, the method further includes determining that the fourth detection model is not an abnormal model in at least one of the following ways: calculating the merging probability of the merging matrix corresponding to the merged model, and determining that the fourth detection model is not an abnormal model when the merging probability is greater than or equal to a second preset probability; calculating the similarity between the fourth detection model and the fifth detection model, and determining that the fourth detection model is not an abnormal model when the similarity is greater than or equal to a preset similarity.
In an exemplary embodiment, after detecting the anomaly probability of the instruction jump sequence through the first detection model, the method further comprises: when the anomaly probability is greater than or equal to the first preset probability, taking the first detection model that has detected the instruction jump sequence as a sixth detection model, and updating the first detection model with the sixth detection model; when the running time of the first detection model on the first smart meter meets a preset time, obtaining a seventh detection model corresponding to each of the plurality of second smart meters, wherein the seventh detection model is the first detection model running on each second smart meter at a target time, and the target time is determined according to the start time at which the first detection model began running on the first smart meter and the preset time; and merging the plurality of seventh detection models to obtain an eighth detection model, and replacing the seventh detection model on each smart meter with the eighth detection model.
In an exemplary embodiment, before detecting the anomaly probability of the instruction jump sequence by the first detection model, the method further comprises: acquiring the detection requirement of the application scene of the first intelligent ammeter; in the case that the detection requirement indicates that the first detection needs to be performed on the abnormality, determining a first target probability as the first preset probability; and in the case that the detection requirement indicates that the second detection needs to be performed on the abnormality, determining a second target probability as the first preset probability, wherein the second target probability is smaller than the first target probability.
According to another embodiment of the present application, there is also provided an anomaly determination apparatus including: the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring instruction jump sequences corresponding to K instructions which are continuously executed in a target program in the process of executing the target program, wherein the instruction jump sequences comprise indexes of the K instructions and are used for indicating the executed sequence of the K instructions, and K is an integer larger than 2; the detection module is used for detecting the abnormal probability of the instruction jump sequence through a first detection model, wherein the first detection model is obtained by training according to a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K; the determining module is used for determining that the executing process of the instruction jump sequence is abnormal under the condition that the abnormal probability is smaller than a first preset probability.
According to a further aspect of embodiments of the present application, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the above method when run.
According to still another aspect of the embodiments of the present application, there is also provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the above method by the computer program.
According to a further embodiment of the application, there is also provided a computer program product comprising a computer program which, when executed by a processor, implements the steps of any of the method embodiments described above.
In the embodiment of the application, during execution of a target program, the instruction jump sequence corresponding to K consecutively executed instructions in the target program is acquired, wherein the instruction jump sequence comprises the indexes of the K instructions and indicates the order in which the K instructions were executed, and K is an integer greater than 2; the anomaly probability of the instruction jump sequence is detected through a first detection model, wherein the first detection model is trained on a plurality of normal instruction jump sequences, each containing K instructions; and when the anomaly probability of the instruction jump sequence of the K instructions is smaller than the first preset probability, it is determined that an anomaly exists in the execution of the instruction jump sequence, so that a vulnerability in the running of the target program in the first smart meter can be identified. This embodiment therefore solves the problem in the prior art that a smart meter is easily subjected to unauthorized physical external connection while the vulnerabilities this introduces cannot be detected accurately and in time, and improves the timeliness and accuracy of vulnerability detection in the smart meter.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a block diagram showing the hardware configuration of a computer terminal of an abnormality determination method according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of determining anomalies according to an embodiment of the present application;
FIG. 3 is another flow chart of a method of determining anomalies according to an embodiment of the present application;
FIG. 4 is yet another flow chart of a method of determining anomalies according to an embodiment of the present application;
FIG. 5 is a training schematic of a method of anomaly determination according to an embodiment of the present application;
Fig. 6 is a block diagram of a configuration of an abnormality determination apparatus according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It is noted that the terms "first," "second," and the like in the description and claims of the application and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order, and it should be understood that the data so used may be interchanged, as appropriate, in order that the embodiments of the application described herein may be practiced in other than those illustrated or described. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus; "plurality" means two or more.
The method embodiments provided by the application can be executed in a computer terminal, a smart meter or a similar computing device, a cloud platform, an independent physical server, or a software platform, wherein the software platform runs on one or more servers. Taking execution on a computer terminal as an example, FIG. 1 is a block diagram of the hardware structure of a computer terminal for an anomaly determination method according to an embodiment of the present application. As shown in FIG. 1, the computer terminal may include one or more (only one is shown in FIG. 1) processors 102 and a memory 104 for storing data, and in an exemplary embodiment, the computer terminal may further include a transmission device 106 for communication functions and an input-output device 108, where the processor 102 may include, but is not limited to, a microprocessor MCU, a programmable logic device FPGA, or the like. It will be appreciated by those skilled in the art that the configuration shown in FIG. 1 is merely illustrative and does not limit the configuration of the computer terminal described above. For example, a computer terminal may include more or fewer components than shown in FIG. 1, or have a different configuration that provides functions equivalent to, or more than, those shown in FIG. 1.
The memory 104 may be used to store computer programs, such as software programs and modules of application software, such as computer programs corresponding to the methods in the embodiments of the present application, and the processor 102 executes the computer programs stored in the memory 104 to perform various functional applications and data processing, i.e., to implement the methods described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the computer terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of a computer terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as a NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
The embodiment provides an anomaly determination method which is applied to a smart meter. Fig. 2 is a flowchart of a method of determining anomalies according to an embodiment of the application, the flowchart including the steps of:
Step S202, obtaining instruction jump sequences corresponding to K instructions which are continuously executed in a target program in the process of executing the target program, wherein the instruction jump sequences comprise indexes of the K instructions and are used for indicating the executed sequence of the K instructions, and K is an integer greater than 2;
Step S204, detecting the abnormal probability of the instruction jump sequence through a first detection model, wherein the first detection model is obtained by training according to a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K;
Step S206, determining that the execution process of the instruction jump sequence is abnormal under the condition that the abnormal probability is smaller than a first preset probability.
Through the above steps, during execution of a target program, the instruction jump sequence corresponding to K consecutively executed instructions in the target program is acquired, wherein the instruction jump sequence comprises the indexes of the K instructions and indicates the order in which the K instructions were executed, and K is an integer greater than 2; the anomaly probability of the instruction jump sequence is detected through a first detection model, wherein the first detection model is trained on a plurality of normal instruction jump sequences, each containing K instructions; and when the anomaly probability of the instruction jump sequence of the K instructions is smaller than the first preset probability, it is determined that an anomaly exists in the execution of the instruction jump sequence, so that a vulnerability in the running of the target program in the first smart meter can be identified. This embodiment therefore solves the problem in the prior art that a smart meter is easily subjected to unauthorized physical external connection while the vulnerabilities this introduces cannot be detected accurately and in time, and improves the timeliness and accuracy of vulnerability detection in the smart meter.
For step S202, in an alternative embodiment, the method includes: tracking the order in which a program pointer in the first smart meter jumps among the instruction addresses corresponding to the K instructions, and taking that jump order as the order in which the K instructions were executed, wherein, when execution of the current instruction in the target program finishes, the program pointer points to the instruction address of the next instruction to be executed after the current instruction; and determining the index of the i-th instruction of the K instructions by: when the i-th instruction of the K instructions is being executed, taking the instruction address in the program pointer in the first smart meter as the address of the i-th instruction; dividing the address of the i-th instruction by the block size of the memory block where the i-th instruction is located to obtain a calculation result; and rounding the calculation result down to obtain the index of the i-th instruction, where i ∈ [1, K].
It can be understood that by tracking and recording the jumps of the program pointer in the first smart meter while the target program runs, the order in which the program pointer jumps between the consecutively executed instructions of the target program can be obtained, and each time the instruction jump sequence of K instructions has been obtained, it can be checked by the target detection model. The ways of acquiring the instruction jump sequence of K instructions include the following. First acquisition mode: acquire the instruction jump sequence from the 1st instruction to the K-th instruction of the target program, then the instruction jump sequence from the 2nd instruction to the P-th instruction (where P = K+1), and so on. Second acquisition mode: acquire the instruction jump sequence from the 1st instruction to the K-th instruction of the target program, then the instruction jump sequence from the P-th instruction to the Q-th instruction (where Q = 2K), and so on. The index of the i-th instruction is obtained by dividing the address of the i-th instruction held in the program pointer by the block size of the memory block where the i-th instruction is located and rounding the result down.
Note that the order of the instructions in the target program is not necessarily consecutive. For example, when K is equal to 4, the acquired order of the instructions in the target program may be 1-2-3-4, 1-3-5-9 (where numbers such as 1-5 and 9 indicate indexes of instructions in the program), and so on, depending on the jump logic during the actual running of the program.
Optionally, the program pointer in the embodiment of the present application is a Program Counter (PC) pointer. The program counter PC stores the address of the next instruction to be executed and is a 16-bit special-purpose register. When an instruction is executed, it is first fetched into the instruction register according to the instruction address stored in the PC, a process called "instruction fetch". Meanwhile, the address in the PC is automatically incremented by 1 to obtain the address of the next instruction. After the previous instruction has been executed, the CPU fetches the next instruction according to the address in the PC, and thus executes each instruction in turn.
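The acquisition and detection steps S202 to S206 can be sketched as follows. This is an added example, not code from the patent: it assumes a first-order Markov chain over instruction indexes scored as the product of transition probabilities (the description names a Markov chain model but gives no scoring formula), and the block size, threshold, trace and all function names are constructed for illustration.

```python
"""Added example: index computation, K-instruction jump sequences and a
first-order Markov chain score. All names and data are illustrative."""
from collections import Counter

K = 4                            # window length; the description requires K > 2
BLOCK_SIZE = 16                  # assumed memory block size in bytes
FIRST_PRESET_PROBABILITY = 0.1   # assumed "first preset probability"

# Constructed program-counter trace of a normally running target program.
NORMAL_PC_TRACE = [
    0x10, 0x24, 0x38, 0x4C, 0x10, 0x24, 0x38, 0x4C,
    0x10, 0x24, 0x58, 0x4C, 0x10, 0x24, 0x38, 0x4C,
]


def instruction_index(address, block_size=BLOCK_SIZE):
    """Index = floor(instruction address / block size)."""
    return address // block_size


def jump_sequences(indexes, k=K, stride=1):
    """Cut an index stream into jump sequences of k instructions.

    stride=1 is the first acquisition mode (1..K, 2..K+1, ...);
    stride=k is the second acquisition mode (1..K, K+1..2K, ...).
    """
    last_start = len(indexes) - k
    return [tuple(indexes[s:s + k]) for s in range(0, last_start + 1, stride)]


def train(normal_sequences):
    """Count index-to-index transitions seen in normal jump sequences."""
    counts = Counter()
    for seq in normal_sequences:
        counts.update(zip(seq, seq[1:]))
    return counts


def sequence_probability(counts, seq):
    """Probability the model assigns to seq (product of transition
    probabilities). A transition never seen in training yields 0.0."""
    row_totals = Counter()
    for (src, _dst), n in counts.items():
        row_totals[src] += n
    probability = 1.0
    for src, dst in zip(seq, seq[1:]):
        if row_totals[src] == 0:
            return 0.0
        probability *= counts[(src, dst)] / row_totals[src]
    return probability


def is_anomalous(counts, seq, threshold=FIRST_PRESET_PROBABILITY):
    """Step S206: flag the sequence when its probability is below the threshold."""
    return sequence_probability(counts, seq) < threshold


def build_model(pc_trace):
    """Addresses -> indexes -> overlapping jump sequences -> transition counts."""
    indexes = [instruction_index(address) for address in pc_trace]
    return train(jump_sequences(indexes, stride=1))


if __name__ == "__main__":
    model = build_model(NORMAL_PC_TRACE)
    # (1, 2, 9, 4) contains a jump to index 9 that never occurs in training.
    for seq in [(1, 2, 3, 4), (1, 2, 5, 4), (1, 2, 9, 4)]:
        print(seq, round(sequence_probability(model, seq), 3),
              "ANOMALY" if is_anomalous(model, seq) else "ok")
```

Because an unseen transition scores exactly 0.0, any legitimate code path missing from the training traces is flagged, so the normal traces need to cover rarely taken branches.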
Fig. 3 is another flowchart of a method for determining an abnormality according to an embodiment of the present application, where, as shown in fig. 3, before detecting an abnormality probability of the instruction jump sequence by the first detection model, the first detection model is acquired by:
Step S302, a plurality of second detection models are obtained, wherein the plurality of second detection models comprise second detection models respectively corresponding to a plurality of second smart meters, the second detection models are obtained by training a third detection model constructed by each second smart meter through the plurality of normal instruction jump sequences corresponding to each second smart meter, each second smart meter is a smart meter of the same type as the first smart meter, and the plurality of second smart meters comprise the first smart meter;
step S304, combining the plurality of second detection models to obtain the first detection model, and updating the second detection model on each second intelligent electric meter through the first detection model.
It is understood that the first detection model in the embodiment of the present application is a combined model of a plurality of second detection models. And respectively constructing a third detection model by a plurality of second intelligent electric meters of the same type as the first intelligent electric meters, and training the third detection model through a plurality of normal instruction jump sequences corresponding to each second intelligent electric meter to obtain a plurality of second detection models. The plurality of normal command skip sequences corresponding to each second smart meter are a plurality of normal command skip sequences of a program deployed on each smart meter. The normal command jumps are obtained by tracking a program pointer of each second intelligent ammeter which runs normally and are subjected to manual verification so as to ensure that the sequence is normal; the program deployed on each smart meter includes the target program, and can also be directly understood as the target program. The multiple programs corresponding to the multiple second smart meters may be identical or slightly different.
Optionally, the first smart meter is used as a central device for acquiring a plurality of second detection models corresponding to the plurality of second smart meters; however, other non-ammeter devices may alternatively be used as a central device for acquiring the detection models (including at least the plurality of second detection models) sent by the plurality of second smart meters, merging the detection models sent by the plurality of second smart meters, and distributing the obtained merged detection model (including at least the first detection model) to the plurality of second smart meters. Other non-electricity meter devices such as servers, cloud devices, etc.
Combining the plurality of second detection models to obtain the first detection model according to the step S304, including: performing summation operation on a fourth detection model and a fifth detection model to obtain a combined model of the fourth detection model and the fifth detection model, and increasing the operation frequency L corresponding to the summation operation by a target value to obtain the current operation frequency N, wherein the fourth detection model is a second detection model obtained from any one of the other intelligent electric meters, the fifth detection model is a second detection model corresponding to the first intelligent electric meter, the other intelligent electric meters are intelligent electric meters except the first intelligent electric meter, and L is a non-negative integer, and N is a positive integer; under the condition that the fourth detection model is not an abnormal model, determining the number M of the electric meters corresponding to the rest intelligent electric meters, wherein M is a positive integer; updating the fifth detection model by the merging model and updating the operation number L by the current operation number N in the case that N is smaller than M; in the case where N is equal to M, the fifth detection model is determined as the first detection model.
It can be understood that the second detection model in the embodiment of the present application is a Markov chain model, and the first detection model may be obtained by directly adding a plurality of second detection models. The specific adding process is as follows: since each second smart meter transmits its fourth detection model to the central device at a different time, in the case where the first smart meter is the central device, it can sum the fifth detection model with each received fourth detection model and add 1 (corresponding to the target value) to the operation number L corresponding to the summation operation. If the resulting current operation number N is smaller than M, it is determined that the plurality of second detection models have not yet all been merged, and the fifth detection model is updated with the merged model; otherwise, in the case where N is equal to M, the merged model is output as the first detection model.
Optionally, before determining the number M of the remaining smart meters, the method further includes determining that the fourth detection model is not an abnormal model in at least one of the following ways: calculating the merging probability of the merging matrix corresponding to the merged model, and determining that the fourth detection model is not an abnormal model in the case that the merging probability is greater than or equal to a second preset probability; calculating the similarity of the fourth detection model and the fifth detection model, and determining that the fourth detection model is not an abnormal model in the case that the similarity is greater than or equal to a preset similarity.
That is, it is necessary to determine whether the received fourth detection model is an abnormal model before determining whether the merged model can be output as the first detection model or used to update the fifth detection model. Mode one: determine whether the merging probability of the merging matrix corresponding to the merged Markov chain model (equivalent to the merged model) is greater than or equal to a second preset probability, and if the merging probability is smaller than the second preset probability, raise an alarm to a target object (a user, a display device, a processing device, and the like). Mode two: calculate the similarity between the fourth detection model and the fifth detection model, and raise an alarm to the target object in the case that the similarity is smaller than the preset similarity. The similarity may be cosine similarity, Euclidean distance similarity, or the like. After the alarm is raised, the target object determines whether the second smart meter corresponding to the fourth detection model is abnormal, and whether the merged model obtained from the fourth detection model is usable.
In an exemplary embodiment, after detecting the anomaly probability of the instruction jump sequence by the first detection model, the method further comprises: determining a first detection model which detects the instruction jump sequence as a sixth detection model under the condition that the abnormality probability is greater than or equal to a first preset probability, and updating the first detection model through the sixth detection model; under the condition that the running time of the first detection model on the first intelligent electric meter meets preset time, a seventh detection model corresponding to each of the plurality of second intelligent electric meters is obtained, wherein the seventh detection model is a first detection model running on each second intelligent electric meter at target time, and the target time is determined according to the starting time of the first detection model running on the first intelligent electric meter and the preset time; and combining a plurality of seventh detection models to obtain an eighth detection model, and replacing the seventh detection model on each intelligent electric meter by the eighth detection model.
Wherein the plurality of seventh detection models includes the sixth detection model.
It may be appreciated that after the above step S204 is performed, if the conclusion is that the abnormality probability is greater than or equal to the first preset probability, the first detection model used in step S204 is updated with the first detection model that has processed the instruction jump sequence. That is, the first detection model is updated once every time an instruction jump sequence is detected.
In the case that the running time of the first detection model on the first smart meter meets a preset time (for example, the target time may be equal to the starting time plus the preset time), the plurality of second smart meters may send seventh detection models of each second smart meter to the central device for merging again, and the central device may send eighth detection models obtained by merging to each second smart meter to update the seventh detection models of each second smart meter. It should be noted that, in the embodiment of the present application, the first smart meter is selected as the central device, and the seventh detection model on the first smart meter is directly updated when the eighth detection model is obtained.
Optionally, at every preset time interval, the central device (the first smart meter) merges the plurality of seventh detection models and performs the update and replacement operations; that is, the embodiment of the application provides a periodic merging and updating scheme for the plurality of seventh detection models.
Optionally, before detecting the abnormal probability of the instruction jump sequence by the first detection model, the method further includes: acquiring the detection requirement of the application scene of the first intelligent ammeter; in the case that the detection requirement indicates that the first detection needs to be performed on the abnormality, determining a first target probability as the first preset probability; and in the case that the detection requirement indicates that the second detection needs to be performed on the abnormality, determining a second target probability as the first preset probability, wherein the second target probability is smaller than the first target probability.
To make the abnormality determination method easier to understand, it is described below with reference to an alternative embodiment, which is not intended to limit the technical solution of the embodiment of the present application.
The application provides a distributed lightweight anomaly detection method for smart meters. The method lets smart meters of the same type (corresponding to the plurality of second smart meters) each start training an anomaly detection model (corresponding to the third detection model) at the same time, based on their locally observed behavior. These smart meters then share their models with the other smart meters of the same type. Next, the central device (equivalent to the first smart meter) merges the received models into a single model (equivalent to the first detection model). Finally, each smart meter uses the merged model (equivalent to the first detection model) as its own local anomaly detection model to filter out potentially malicious behavior.
It will be appreciated that when an application program is executed, the kernel designates a memory region for the program to run in. The region contains the program code, the data the program operates on, and working space. While the program is running, a program counter (PC pointer) tracks the location of the instruction currently being executed. Thus, by tracking the location of the PC within the application's region of memory, the behavior of the application can be captured. The goal is to model the normal behavior of the application's control flow and then detect when that behavior changes.
In the related art, an attacker typically attempts to use a software vulnerability to gain access to a restricted asset or to perform other malicious tasks. When a vulnerability in an application is exploited, the control flow of the application (the movement pattern of the PC pointer) deviates from the behavior the application developer intended; likewise, when an attacker injects their own code into memory or overwrites existing code with it, the PC no longer jumps according to the normal flow, and the attack is also detected as abnormal. By detecting such anomalies, the method presented by embodiments of the present application can identify threats. Because a smart meter generally performs a single task and the code loaded into its memory cannot be changed, an attacker can hardly escape detection by the PC pointer control flow detection method provided by the embodiment of the application.
Optionally, different systems track the PC pointer in different ways. On a typical Linux system, a kernel debugger interface may be used to track the PC pointer, executing in parallel with the target program. The system debugger periodically reports the addresses observed since the last report, thereby recording the changes of the PC pointer.
Optionally, the anomaly detection model (corresponding to the first detection model) used in the alternative embodiment of the present application is an extensible Markov model (EMM). The reasons include: 1) Each sub-model of the EMM can be incrementally updated and combined with other sub-models, can be observed and trained in parallel across multiple devices, and can converge quickly when prior knowledge is insufficient. 2) The processor used by a smart meter is generally weak, and the complexity of updating and predicting with the EMM is O(1), so the model is lightweight and suited to this scenario.
The steps for implementing the alternative embodiment of the present application are shown in fig. 4, and include:
Step S41: establish a Markov chain (MC) model to construct the third detection model.
An alternative embodiment of the present application uses a Markov chain probability model, represented as an adjacency matrix $M_{ij}$ that stores the probability of transitioning from state $i$ to state $j$ at any given time $t$. The present application defines states using blocks of a fixed size: assuming the block size is $D$, the state at the current time is the current PC pointer address divided by $D$, rounded down.
Formally, if $X_t$ is a random variable representing the state at time $t$, then:
$M_{ij} = \Pr(X_{t+1} = j \mid X_t = i)$ (1)
Further, the EMM model is an incremental extension of the MC model. Let $N_{ij}$ be the frequency matrix, whose element $n_{ij}$ represents the number of transitions from state $i$ to state $j$, and let $n_i$ be the number of observed transitions out of state $i$. Then:
$n_i = \sum_j n_{ij}$ (3)
Further, by maintaining $N_{ij}$, the present invention can update $M_{ij}$ incrementally: the model simply increases the value of $n_{ij}$ by 1 whenever a transition from $i$ to $j$ is observed. After $N_{ij}$ has been generated from normal data, the MC derived from it can be used for anomaly detection.
Step S42: sub-model training of a single device.
In the model training stage, $n_{ij}$ should be generated from manually checked non-abnormal data (corresponding to the plurality of normal instruction jump sequences). Let $p_k$ be the last $k$ states observed by the model (the value of $k$ is chosen by the user and represents the window length of consecutive PC pointer jumps observed at one time), and let $\Pr(p_k)$ represent the probability that the pattern $p_k$ of consecutive PC pointer jumps occurs. The probability score for measuring abnormality is:
Wherein, Representing the probability that the PC pointer will jump from state $s_i$ to $s_{i+1}$.
It should be noted that the states $s_i$ and $s_{i+1}$ are two consecutive states among the $k$ states; for example, $s_i$ may represent the $(k-1)$-th state of the $k$ states, and $s_{i+1}$ may represent the $k$-th state.
Optionally, once model training is finished and the model is actually used to detect the instruction jump sequences of the K instructions, a cutoff probability $P_t$ (corresponding to the first preset probability) is set according to the sensitivity requirement for anomaly detection (corresponding to the detection requirement). When the device loading the model has a single function and the user wants highly sensitive anomaly detection (corresponding to the first detection), $P_t$ should be set to a higher value (corresponding to the first target probability); otherwise it is set to a lower value (corresponding to the second target probability). When a new transition from state $i$ to state $j$ is observed, the model issues an anomaly alert if $\Pr(p_k) < P_t$.
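The single-device model of steps S41 and S42, as an added example that is not code from the application. It assumes the estimate $M_{ij} = n_{ij}/n_i$ and scores a window as the product of its transition probabilities, because the text's own formulas for both are not reproduced here; the class name, traces, block size and threshold are constructed for illustration.

```python
"""Added illustration: EMM over program-counter block states (constructed data)."""


class EMM:
    """Extensible Markov model whose states are fixed-size blocks of code addresses."""

    def __init__(self, block_size, k):
        self.block_size = block_size  # D: bytes per state block
        self.k = k                    # window length: states per scored sequence
        self.n = {}                   # n_ij: observed i -> j transition counts
        self.n_out = {}               # n_i: transitions observed leaving state i

    def state(self, pc):
        """State index = floor(PC address / D)."""
        return pc // self.block_size

    def update(self, i, j):
        """O(1) incremental update for one observed transition."""
        self.n[(i, j)] = self.n.get((i, j), 0) + 1
        self.n_out[i] = self.n_out.get(i, 0) + 1

    def transition_prob(self, i, j):
        """Assumed estimate M_ij = n_ij / n_i; 0.0 for a source state never seen."""
        total = self.n_out.get(i, 0)
        return self.n.get((i, j), 0) / total if total else 0.0

    def window_prob(self, states):
        """Assumed score Pr(p_k): product of the window's transition probabilities."""
        prob = 1.0
        for i, j in zip(states, states[1:]):
            prob *= self.transition_prob(i, j)
        return prob

    def train(self, pcs):
        """Build n_ij from a trace that has been checked to be normal."""
        states = [self.state(pc) for pc in pcs]
        for i, j in zip(states, states[1:]):
            self.update(i, j)

    def detect(self, pcs, p_t):
        """Slide a k-state window over the trace.

        Returns [(sample index, Pr(p_k))] for every window scoring below p_t.
        A window scoring >= p_t is treated as normal and its newest transition
        is learned, matching the update-on-normal behaviour the text describes.
        """
        states = [self.state(pc) for pc in pcs]
        alerts = []
        for end in range(self.k - 1, len(states)):
            window = states[end - self.k + 1:end + 1]
            prob = self.window_prob(window)
            if prob < p_t:
                alerts.append((end, prob))
            else:
                self.update(window[-2], window[-1])
        return alerts


# Constructed parameters and traces (not from the application).
D = 16      # block size
K = 3       # window length; the claims require K > 2
P_T = 0.2   # cutoff probability P_t

LOOP_FULL = [0x1000, 0x1014, 0x1028, 0x1030]  # normal loop body
LOOP_SKIP = [0x1000, 0x1014, 0x1030]          # same loop, rarer branch taken
TRAINING_TRACE = LOOP_FULL * 3 + LOOP_SKIP
# Runtime trace: one normal iteration, then the PC leaves the program's
# known blocks (0x2000 region) before returning.
RUNTIME_TRACE = LOOP_FULL + [0x1000, 0x1014, 0x2000, 0x2004, 0x1030]


def build_model():
    """Train a fresh model on the constructed normal trace."""
    model = EMM(block_size=D, k=K)
    model.train(TRAINING_TRACE)
    return model


if __name__ == "__main__":
    emm = build_model()
    for index, prob in emm.detect(RUNTIME_TRACE, P_T):
        print(f"alert at sample {index}: Pr(p_k) = {prob}")
```

The rare but benign branch (block 0x101 to 0x103) scores 0.25 and passes the 0.2 cutoff, while every window touching the unseen block 0x200 scores 0 and is never learned.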
Step S43: multi-device collaborative model training.
After single-device sub-model training is completed, the sub-models of the multiple devices may be merged. The multi-device collaborative training of the alternative embodiment of the application has the following advantages: 1) The benign phenomena observed by each sub-model (equivalent to the second detection model or the seventh detection model) can be aggregated quickly, so that the model is more stable; 2) As the number of connected devices (equivalent to the second smart meters) increases, the model training time shortens proportionally and the model converges faster; 3) Rare benign events can be observed.
Let $N^*$ be the set of EMM models, where $N_{ij}$ observed for the $a$-th sub-model (corresponding to the second detection model, or the seventh detection model). In the alternative embodiment of the application, a plurality of identical devices (equivalent to a plurality of second intelligent devices) are used for collaborative training, so that the frequencies of the observed similar events can be directly added, and different sub-models can be combined into one integrated model. According to the above, the following formula is given:
In addition, when the models are merged, it is necessary to guard against abnormal models being mixed in. The alternative embodiment of the present application provides two optional detection methods applied before merging:
1) Special event alarm: the user sets a minimum probability of occurrence $p_{prob}$. The probability is defined by the user based on the smallest occurrence of a tolerable event; the value can be set higher when the user wishes to detect more sensitively, and lower otherwise. In the model training phase, when $\Pr(p_k) < p_{prob}$, the trainer alerts the user, and the user judges whether $p_k$ is a benign event and whether it can be incorporated into the model.
2) Matrix similarity, which is derived from the $N^*$ matrix of the merged model: when the $N^a$ (i.e ) matrix needs to be merged, the similarity parameter $q$ of the two matrices can be measured using cosine similarity, Euclidean distance similarity, or other methods. The minimum similarity value $q_t$ is set by the user. Before the matrix is merged, if $q$ is smaller than $q_t$, the model raises an alarm to the user, and the user judges whether the device holding the matrix is abnormal and whether the matrix can be incorporated into the model.
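The merge of step S43, which is also the fourth/fifth-model summation described earlier, as an added example that is not code from the application: frequency matrices are summed element-wise, and a received matrix whose cosine similarity to the central device's running matrix falls below $q_t$ is held for review instead of being merged. The matrices, meter names, threshold and the hold-and-continue behaviour are constructed assumptions; the text leaves the decision on an alarmed model to the user.

```python
"""Added illustration: similarity-gated merge of EMM frequency matrices."""
import math

# State indices (constructed): four known code blocks and one unknown block.
A, B, C, D_, X = 0x100, 0x101, 0x102, 0x103, 0x200


def merge_counts(a, b):
    """Element-wise sum of two sparse frequency matrices {(i, j): n_ij}."""
    merged = dict(a)
    for key, count in b.items():
        merged[key] = merged.get(key, 0) + count
    return merged


def cosine_similarity(a, b):
    """Cosine similarity q of two sparse matrices, flattened over all (i, j)."""
    dot = sum(count * b.get(key, 0) for key, count in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def to_probabilities(counts):
    """Assumed estimate M_ij = n_ij / n_i, computed from a merged matrix."""
    totals = {}
    for (i, _), count in counts.items():
        totals[i] = totals.get(i, 0) + count
    return {(i, j): count / totals[i] for (i, j), count in counts.items()}


def merge_round(center_counts, received, q_t):
    """One merge round on the central device.

    center_counts: the central device's own matrix (the fifth detection model).
    received: [(meter_id, matrix)] from the remaining meters (fourth models).
    Returns (merged matrix, [(meter_id, q)] held for operator review).
    The round ends once every received model has been processed (N == M).
    """
    fifth = dict(center_counts)
    held = []
    for meter_id, fourth in received:
        q = cosine_similarity(fourth, fifth)
        if q < q_t:
            # Alarm case: do not let this matrix into the shared model.
            held.append((meter_id, round(q, 3)))
            continue
        fifth = merge_counts(fifth, fourth)
    return fifth, held


# Constructed sample matrices. meter-3 reports transitions through an
# unknown block, as a tampered or compromised device would.
CENTER = {(A, B): 4, (B, C): 3, (C, D_): 3, (D_, A): 3, (B, D_): 1}
RECEIVED = [
    ("meter-2", {(A, B): 5, (B, C): 4, (C, D_): 4, (D_, A): 4, (B, D_): 1}),
    ("meter-3", {(A, B): 2, (B, X): 2, (X, X): 6, (X, D_): 2, (D_, A): 1}),
    ("meter-4", {(A, B): 3, (B, C): 2, (C, D_): 2, (D_, A): 3, (B, D_): 1}),
]
Q_T = 0.8  # minimum similarity q_t

if __name__ == "__main__":
    merged, held = merge_round(CENTER, RECEIVED, Q_T)
    print("held for review:", held)
    print("Pr(B -> X) gated:", to_probabilities(merged).get((B, X), 0.0))
    ungated, _ = merge_round(CENTER, RECEIVED, 0.0)
    print("Pr(B -> X) ungated:", to_probabilities(ungated).get((B, X), 0.0))
```

With the gate disabled, the jump into the unknown block becomes a learned transition with non-zero probability on every meter that receives the merged model, which is the poisoning case the pre-merge check exists to stop.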
Step S44: run and detect.
As shown in Fig. 5, after sub-model training has run for a period of time (corresponding to the preset time) in the supervised state, one round of collaborative model training may be performed. Collaborative training should use a central device designated by the user; once it completes, the collaboratively trained model (corresponding to the eighth detection model) is distributed to each device to replace the sub-model (corresponding to the seventh detection model) on that device. The time for each round of training and merging is user-defined. After training, the final model is built into all the devices. The model has a priori knowledge of all devices in the entire training network. When an anomaly is detected, an alarm may be issued.
As the number of devices increases, the method provided by the alternative embodiment of the application can observe benign and malicious behavior over a wider range, and can quickly share the merged model with all devices in the network to complete the automatic upgrade of the model.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method of the various embodiments of the present application.
The embodiment of the application also provides a structural block diagram of an abnormality determining device, and fig. 6 is a structural block diagram of the abnormality determining device according to the embodiment of the application; as shown in fig. 6, includes:
An obtaining module 62, configured to obtain, in a process of executing a target program, an instruction jump sequence corresponding to K instructions that have been continuously executed in the target program, where the instruction jump sequence includes indexes of the K instructions, and is used to indicate an order in which the K instructions are executed, where K is an integer greater than 2;
The detection module 64 is configured to detect an abnormal probability of the instruction jump sequence through a first detection model, where the first detection model is obtained by training according to a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K;
And the determining module 66 is configured to determine that an abnormality exists in the execution process of the instruction jump sequence if the abnormality probability is smaller than a first preset probability.
With this device, in the process of executing the target program, the instruction jump sequence corresponding to K instructions that have been continuously executed in the target program is acquired, where the instruction jump sequence includes indexes of the K instructions and is used to indicate the order in which the K instructions are executed, and K is an integer greater than 2; the abnormality probability of the instruction jump sequence is detected through a first detection model, where the first detection model is trained on a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K; and, in the case that the abnormality probability of the instruction jump sequence of the K instructions is smaller than the first preset probability, it is determined that the execution process of the instruction jump sequence is abnormal, so that vulnerabilities in the running process of the target program in the first smart meter can be identified. This embodiment therefore solves the problem in the prior art that smart meters are easily subjected to illegal physical connections while the vulnerabilities caused by such connections cannot be detected accurately and in time, and improves the timeliness and accuracy of vulnerability detection in smart meters.
In an exemplary embodiment, the obtaining module 62 is further configured to track the jump sequence of a program pointer in the first smart meter between the instruction addresses corresponding to the K instructions respectively, and determine the jump sequence as the order in which the K instructions are executed, where the program pointer is configured to point to the instruction address of the next instruction to be executed after a current instruction in the target program when execution of the current instruction is finished; and determine the index of the ith instruction of the K instructions by: determining the instruction address in the program pointer in the first smart meter as the address of the ith instruction of the K instructions while the ith instruction is being executed; dividing the address of the ith instruction by the block size of the memory block where the ith instruction is located to obtain a calculation result; and rounding the calculation result down to obtain the index of the ith instruction, where i ∈ [1, K].
In an exemplary embodiment, the apparatus further includes a merging module, configured to obtain a plurality of second detection models, where the plurality of second detection models include second detection models corresponding to a plurality of second smart meters respectively, the second detection models are obtained by training a third detection model constructed by each second smart meter through the plurality of normal instruction jump sequences corresponding to each second smart meter, each second smart meter is a smart meter of a same type as the first smart meter, and the plurality of second smart meters includes the first smart meter; and combining the plurality of second detection models to obtain the first detection model, and updating the second detection model on each second intelligent ammeter through the first detection model.
In an exemplary embodiment, the merging module is further configured to perform a summation operation on a fourth detection model and a fifth detection model, to obtain a merged model of the fourth detection model and the fifth detection model, and increase an operation number L corresponding to the summation operation by a target value to obtain a current operation number N, where the fourth detection model is a second detection model obtained from any one of remaining smart meters, the fifth detection model is a second detection model corresponding to the first smart meter, and the remaining smart meters are smart meters other than the first smart meter in the plurality of second smart meters, where L is a non-negative integer and N is a positive integer; under the condition that the fourth detection model is not an abnormal model, determining the number M of the electric meters corresponding to the rest intelligent electric meters, wherein M is a positive integer; updating the fifth detection model by the merging model and updating the operation number L by the current operation number N in the case that N is smaller than M; in the case where N is equal to M, the fifth detection model is determined as the first detection model.
In an exemplary embodiment, the apparatus further comprises: the anomaly model determination module is configured to determine that the fourth detection model is not an anomaly model in a manner including at least one of: calculating the merging probability of a merging matrix corresponding to the merging model; determining that the fourth detection model is not an abnormal model under the condition that the combination probability is greater than or equal to a second preset probability; calculating the similarity of the fourth detection model and the fifth detection model; and determining that the fourth detection model is not an abnormal model under the condition that the similarity is greater than or equal to a preset similarity.
In an exemplary embodiment, the apparatus further comprises: the replacing module is used for determining a first detection model which detects the instruction jump sequence as a sixth detection model under the condition that the abnormal probability is greater than or equal to a first preset probability, and updating the first detection model through the sixth detection model; under the condition that the running time of the first detection model on the first intelligent electric meter meets preset time, a seventh detection model corresponding to each of the plurality of second intelligent electric meters is obtained, wherein the seventh detection model is a first detection model running on each second intelligent electric meter at target time, and the target time is determined according to the starting time of the first detection model running on the first intelligent electric meter and the preset time; and combining a plurality of seventh detection models to obtain an eighth detection model, and replacing the seventh detection model on each intelligent electric meter by the eighth detection model.
In an exemplary embodiment, the apparatus further includes a first preset probability adjustment module, configured to obtain a detection requirement of an application scenario of the first smart meter; in the case that the detection requirement indicates that the first detection needs to be performed on the abnormality, determining a first target probability as the first preset probability; and in the case that the detection requirement indicates that the second detection needs to be performed on the abnormality, determining a second target probability as the first preset probability, wherein the second target probability is smaller than the first target probability.
An embodiment of the present application also provides a storage medium including a stored program, wherein the program executes the method of any one of the above.
Alternatively, in the present embodiment, the above-described storage medium may be configured to store program code for performing the steps of:
S1, acquiring instruction jump sequences corresponding to K instructions which are continuously executed in a target program in the process of executing the target program, wherein the instruction jump sequences comprise indexes of the K instructions and are used for indicating the executed sequence of the K instructions, and K is an integer greater than 2;
S2, detecting abnormal probability of the instruction jump sequences through a first detection model, wherein the first detection model is obtained by training according to a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K;
S3, determining that the execution process of the instruction jump sequence is abnormal under the condition that the abnormal probability is smaller than a first preset probability.
An embodiment of the application also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
Alternatively, in the present embodiment, the above-described processor may be configured to execute the following steps by a computer program:
S1, acquiring instruction jump sequences corresponding to K instructions which are continuously executed in a target program in the process of executing the target program, wherein the instruction jump sequences comprise indexes of the K instructions and are used for indicating the executed sequence of the K instructions, and K is an integer greater than 2;
S2, detecting abnormal probability of the instruction jump sequences through a first detection model, wherein the first detection model is obtained by training according to a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K;
S3, determining that the execution process of the instruction jump sequence is abnormal under the condition that the abnormal probability is smaller than a first preset probability.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium that can store program code.
Embodiments of the application also provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of any of the method embodiments described above.
Embodiments of the present application also provide another computer program product comprising a non-volatile computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the method embodiments described above.
Embodiments of the present application also provide a computer program comprising computer instructions stored in a computer-readable storage medium; the processor of the computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the steps of any of the method embodiments described above.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments and optional implementations, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the modules or steps of the application described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may alternatively be implemented in program code executable by computing devices, so that they may be stored in a memory device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module for implementation. Thus, the present application is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present application should be included in the protection scope of the present application.

Claims (11)

1. An abnormality determination method, applied to a first smart meter, characterized by comprising:
in the process of executing a target program, acquiring an instruction jump sequence corresponding to K instructions that have been continuously executed in the target program, wherein the instruction jump sequence comprises indexes of the K instructions and is used to indicate the order in which the K instructions are executed, and K is an integer greater than 2;
detecting the abnormality probability of the instruction jump sequence through a first detection model, wherein the first detection model is trained on a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K; and
in the case that the abnormality probability is smaller than a first preset probability, determining that an abnormality exists in the execution process of the instruction jump sequence.
2. The method according to claim 1, wherein acquiring the instruction jump sequence corresponding to the K instructions that have been continuously executed in the target program comprises:
tracking the jump order of a program pointer in the first smart meter among the instruction addresses respectively corresponding to the K instructions, and determining the jump order as the order in which the K instructions were executed, wherein the program pointer points to the instruction address of the next instruction to be executed once execution of the current instruction in the target program is finished; and
determining the index of the i-th instruction of the K instructions by:
in the case that the i-th instruction is being executed, determining the instruction address in the program pointer in the first smart meter as the address of the i-th instruction of the K instructions;
dividing the address of the i-th instruction by the block size of the memory block where the i-th instruction is located to obtain a calculation result; and
performing a rounding-down operation on the calculation result to obtain the index of the i-th instruction, wherein i ∈ [1, K].
3. The anomaly determination method according to claim 1, characterized in that before detecting the abnormality probability of the instruction jump sequence through the first detection model, the method further comprises:
obtaining a plurality of second detection models, wherein the plurality of second detection models comprise second detection models respectively corresponding to a plurality of second smart meters, each second detection model is obtained by training a third detection model constructed by the corresponding second smart meter with the plurality of normal instruction jump sequences corresponding to that second smart meter, each second smart meter is a smart meter of the same type as the first smart meter, and the plurality of second smart meters comprise the first smart meter; and
combining the plurality of second detection models to obtain the first detection model, and updating the second detection model on each second smart meter with the first detection model.
4. The anomaly determination method according to claim 3, wherein combining the plurality of second detection models to obtain the first detection model comprises:
performing a summation operation on a fourth detection model and a fifth detection model to obtain a merged model of the fourth detection model and the fifth detection model, and increasing the operation count L corresponding to the summation operation by a target value to obtain the current operation count N, wherein the fourth detection model is a second detection model obtained from any one of the remaining smart meters, the fifth detection model is the second detection model corresponding to the first smart meter, the remaining smart meters are the smart meters other than the first smart meter, L is a non-negative integer, and N is a positive integer;
in the case that the fourth detection model is not an abnormal model, determining the number M of meters corresponding to the remaining smart meters, wherein M is a positive integer;
in the case that N is smaller than M, updating the fifth detection model with the merged model and updating the operation count L with the current operation count N; and
in the case that N is equal to M, determining the fifth detection model as the first detection model.
5. The anomaly determination method according to claim 4, characterized in that before determining the number M of meters corresponding to the remaining smart meters, the method further comprises determining that the fourth detection model is not an abnormal model in at least one of the following ways:
calculating the merging probability of a merging matrix corresponding to the merged model, and determining that the fourth detection model is not an abnormal model in the case that the merging probability is greater than or equal to a second preset probability;
calculating the similarity between the fourth detection model and the fifth detection model, and determining that the fourth detection model is not an abnormal model in the case that the similarity is greater than or equal to a preset similarity.
6. The anomaly determination method according to claim 3, wherein after detecting the abnormality probability of the instruction jump sequence through the first detection model, the method further comprises:
in the case that the abnormality probability is greater than or equal to the first preset probability, determining the first detection model that has detected the instruction jump sequence as a sixth detection model, and updating the first detection model with the sixth detection model;
in the case that the running time of the first detection model on the first smart meter meets a preset time, obtaining a seventh detection model corresponding to each of the plurality of second smart meters, wherein the seventh detection model is the first detection model running on each second smart meter at a target time, and the target time is determined according to the preset time and the start time at which the first detection model began running on the first smart meter; and
combining the plurality of seventh detection models to obtain an eighth detection model, and replacing the seventh detection model on each smart meter with the eighth detection model.
7. The anomaly determination method according to claim 1, characterized in that before detecting the abnormality probability of the instruction jump sequence through the first detection model, the method further comprises:
acquiring the detection requirement of the application scenario of the first smart meter;
in the case that the detection requirement indicates that a first detection needs to be performed for the abnormality, determining a first target probability as the first preset probability; and
in the case that the detection requirement indicates that a second detection needs to be performed for the abnormality, determining a second target probability as the first preset probability, wherein the second target probability is smaller than the first target probability.
8. An abnormality determination apparatus, comprising:
an acquisition module, configured to acquire, during execution of a target program, an instruction jump sequence corresponding to K instructions that have been continuously executed in the target program, wherein the instruction jump sequence comprises indexes of the K instructions and indicates the order in which the K instructions were executed, and K is an integer greater than 2;
a detection module, configured to detect the abnormality probability of the instruction jump sequence through a first detection model, wherein the first detection model is trained on a plurality of normal instruction jump sequences, and the number of instructions in each normal instruction jump sequence is K; and
a determining module, configured to determine that an abnormality exists in the execution process of the instruction jump sequence in the case that the abnormality probability is smaller than a first preset probability.
9. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored program, wherein the program when run performs the method of any of the preceding claims 1 to 7.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method according to any of the claims 1 to 7 by means of the computer program.
11. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method as claimed in any one of claims 1 to 7.
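The index computation of claim 2, the threshold test of claim 1 and the summation merge of claim 4, as an added Python example that is not part of the patent. The first-order transition-count model, the 64-byte block size, the 0.05 threshold and both traces are assumptions constructed for illustration, and the model output is read as the likelihood of the sequence under normal behaviour.

```python
from collections import Counter

BLOCK_SIZE = 64   # assumed memory-block size in bytes; the claims give no value
K = 4             # window length (claim 1 requires K > 2)

def block_index(address, block_size=BLOCK_SIZE):
    """Claim 2: index = floor(instruction address / block size)."""
    return address // block_size

def jump_sequences(pc_trace, k=K):
    """Sliding windows of k consecutive block indexes from a program-pointer trace."""
    idx = [block_index(a) for a in pc_trace]
    return [tuple(idx[i:i + k]) for i in range(len(idx) - k + 1)]

class TransitionModel:
    """Assumed model: counts of observed index-to-index jumps (first-order Markov)."""
    def __init__(self, counts=None):
        self.counts = Counter(counts or {})

    def train(self, sequences):
        for seq in sequences:
            self.counts.update(zip(seq, seq[1:]))
        return self

    def probability(self, seq):
        """Likelihood of seq under the normal model; 0.0 if any jump was never seen."""
        p = 1.0
        for src, dst in zip(seq, seq[1:]):
            total = sum(c for (s, _), c in self.counts.items() if s == src)
            if total == 0:
                return 0.0
            p *= self.counts[(src, dst)] / total
        return p

    def merge(self, other):
        """Claim 4: combine two meters' models by summing their count matrices."""
        return TransitionModel(self.counts + other.counts)

def is_anomalous(model, seq, threshold):
    """Claim 1: abnormal when the sequence probability is below the preset value."""
    return model.probability(seq) < threshold

# Constructed program-pointer traces from two meters of the same type.
TRACE_A = [0x1000, 0x1040, 0x1080, 0x10C0] * 3   # loop through four blocks
TRACE_B = [0x1000, 0x1040, 0x1080] * 4           # same code, shorter branch
model_a = TransitionModel().train(jump_sequences(TRACE_A))
model_b = TransitionModel().train(jump_sequences(TRACE_B))
merged = model_a.merge(model_b)
# Constructed window whose last jump lands in a block never seen in training.
UNEXPECTED = tuple(block_index(a) for a in (0x1000, 0x1040, 0x1080, 0x2000))

if __name__ == "__main__":
    for name, m in (("meter A only", model_a), ("merged", merged)):
        print(name, m.probability((64, 65, 66, 64)), is_anomalous(m, UNEXPECTED, 0.05))
```

With meter A's model alone, the legitimate branch (64, 65, 66, 64) scores 0.0 and would be flagged; after merging with meter B's model it scores 0.5625, while the jump into block 128 still scores 0.0.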
CN202410287835.3A 2024-03-13 2024-03-13 Abnormality determination method and device, storage medium and electronic device Pending CN118332554A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410287835.3A CN118332554A (en) 2024-03-13 2024-03-13 Abnormality determination method and device, storage medium and electronic device

Publications (1)

Publication Number Publication Date
CN118332554A (en) 2024-07-12

Family

ID=91766784

Country Status (1)

Country Link
CN (1) CN118332554A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination