
CN110751570A - A method and system for identifying attacks on power service packets based on business logic - Google Patents


Info

Publication number
CN110751570A
CN110751570A
Authority
CN
China
Prior art keywords
state sequence
current state
sequence set
status
sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910871501.XA
Other languages
Chinese (zh)
Other versions
CN110751570B (en)
Inventor
周亮
朱朝阳
王海翔
王宇
张锐文
李俊娥
应欢
韩丽芳
朱亚运
缪思薇
李霁远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Wuhan University WHU
State Grid Zhejiang Electric Power Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
Wuhan University WHU
State Grid Zhejiang Electric Power Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Wuhan University WHU, State Grid Zhejiang Electric Power Co Ltd, China Electric Power Research Institute Co Ltd CEPRI
Priority to CN201910871501.XA
Publication of CN110751570A
Application granted
Publication of CN110751570B
Legal status: Active
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00: Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/06: Energy or water supply
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Economics (AREA)
  • General Health & Medical Sciences (AREA)
  • Tourism & Hospitality (AREA)
  • Public Health (AREA)
  • Human Resources & Organizations (AREA)
  • Marketing (AREA)
  • Primary Health Care (AREA)
  • Strategic Management (AREA)
  • Water Supply & Treatment (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

The invention discloses a method and a system for identifying power service packet attacks based on business logic. The method comprises the following steps: determining the current state sequence of the power service; determining, according to the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence; determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set; and, when the threat degree of the current state sequence is greater than or equal to a preset security risk threshold, determining that the power grid is under a power service packet attack. By defining the dangerous state sequence set and the safe state sequence set of the power business logic, the method combines misuse detection with anomaly detection, evaluates the threat degree of the power service, and decides from that threat degree whether the power grid is under a power service packet attack, thereby achieving effective identification of power service packet attacks and guaranteeing the safe and reliable operation of the power service control system.

Description

A method and system for identifying attacks on power service packets based on business logic

Technical Field

The present invention relates to the technical field of smart grid security, and more particularly to a method and system for identifying attacks on power service packets based on business logic.

Background

With the ever deeper coupling between the information space and the physical space of the smart grid, failures of the grid's physical systems caused by network attacks have become increasingly common in recent years, seriously affecting the normal operation of the power system. For example, at the end of 2015 attackers obtained operating privileges on a substation monitoring system server and performed malicious switching operations, causing a power outage for 80,000 customers of the Ukrainian grid; in 2016 the Israeli power supply system suffered a major cyber attack that forced it to operate offline. In the grid, the various intelligent terminals and devices used to measure and control primary system or equipment parameters (collectively referred to here as measurement and control terminals) are the bridge between the information system and the physical system. When they are attacked by tampering with, forging or replaying power service packets, the normal operation of primary power equipment is directly affected, for example through abnormal opening of circuit breakers or modification of setting values, which can cause power accidents. Therefore, how to effectively identify the power service packet attacks that grid measurement and control terminals may suffer has become an urgent problem.

At present, research on network attack identification for grid measurement and control terminals falls mainly into two categories: 1) applying the network attack identification systems of conventional information networks directly to grid measurement and control terminals, for example, some studies identify attacks through anomaly identification of non-power-service packet traffic and protocol whitelists, and some propose unknown-attack identification methods based on self-learned communication patterns; 2) identifying network attacks on grid measurement and control terminals by means of the traffic characteristics of power-specific protocols, rules, or the correlation between different packet fields, for example, some studies propose attack identification based on the network traffic characteristics of GOOSE packets, some propose attack identification methods based on traffic pattern checks and per-field validity and correlation checks for the IEC 60870-5-104 protocol, and some use this approach to identify network attacks implemented with the IEC 61850 protocol. The above research can effectively identify network attacks that exploit vulnerabilities of general-purpose network protocols, such as ARP spoofing, ICMP Flood and SYN Flood, as well as some network attacks that exploit vulnerabilities of power-specific protocols such as IEC 60870-5-104 and IEC 61850, such as GOOSE malformed packet attacks, but it cannot effectively identify power service packet attacks. A power service packet attack is an attack in which the attacker tampers with, forges or replays the service packets transmitted by grid measurement and control terminals so that primary power equipment operates incorrectly; such attacks usually alter the normal business logic.

Summary of the Invention

The present invention proposes a method and system for identifying attacks on power service packets based on business logic, in order to solve the problem of how to effectively identify power service packet attacks and thereby determine the security state of the power grid.

In order to solve the above problem, according to one aspect of the present invention, a method for identifying attacks on power service packets based on business logic is provided, the method comprising:

obtaining a multipoint signal value sequence and a multipoint signal address sequence of a current state node from a power service packet, determining the control block corresponding to the current state node according to the multipoint signal address sequence, and appending the multipoint signal value sequence to the state sequence of that control block to obtain the current state sequence;

determining, according to the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence;

determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;

comparing the threat degree of the current state sequence with a preset security risk threshold, and determining that the power grid has suffered a power service packet attack when the threat degree of the current state sequence is greater than or equal to the preset security risk threshold.

Preferably, determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:

matching the current state sequence against the dangerous state sequence set, and if the current state sequence matches the dangerous state sequence set, determining that the threat degree of the current state sequence is 1;

if the current state sequence does not match the dangerous state sequence set, matching the current state sequence against the safe state sequence set, and if the current state sequence matches the safe state sequence set, determining that the threat degree of the current state sequence is 0.

Preferably, determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:

calculating the first minimum distance between the current state sequence and the dangerous state sequence set, and the second minimum distance between the current state sequence and the safe state sequence set, respectively;

calculating the threat degree of the current state sequence from the first minimum distance and the second minimum distance.

Preferably, calculating the threat degree of the current state sequence from the first minimum distance and the second minimum distance comprises:

Figure BDA0002202951790000031

where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.

Preferably, matching the current state sequence against the dangerous state sequence set comprises:

Step 11: add the latest multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the cached state
Figure BDA0002202951790000032
where the initial value of n1 is 0; after adding,
Figure BDA0002202951790000033

Step 12: traverse in order all the rules in the dangerous state sequence set
Figure BDA0002202951790000034
namely
Figure BDA0002202951790000035
If n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching is finished, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, go to step 13; otherwise, go to step 14;

Step 13: keep only the last n2 items of
Figure BDA0002202951790000036
so that
Figure BDA0002202951790000037
Figure BDA0002202951790000038
and set n1 to n-n2, so that
Figure BDA0002202951790000039
Figure BDA00022029517900000310

Step 14: judge whether
Figure BDA00022029517900000311
is the same as B_i; if it is, keep only the last item of
Figure BDA00022029517900000312
so that
Figure BDA00022029517900000313
set n1 to n-1 at the same time, determine that the current state sequence matches the dangerous state sequence set, and directly set the threat degree of the current state sequence to 1; otherwise, return to step 12 and continue traversing.

Preferably, matching the current state sequence against the safe state sequence set comprises:

Step 21: add the latest multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the cached state, where the initial value of n3 is 0; after adding,
Figure BDA00022029517900000315

Step 22: traverse in order all the rules in the safe state sequence set,
Figure BDA0002202951790000041
If n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching fails and the traversal ends; if n4 < n-n3, go to step 23; otherwise, go to step 24;

Step 23: keep only the last n4 items of
Figure BDA0002202951790000042
so that
Figure BDA0002202951790000043
Figure BDA0002202951790000044
and set n3 to n-n4, so that
Figure BDA0002202951790000045
Figure BDA0002202951790000046

Step 24: judge whether
Figure BDA0002202951790000047
is the same as W_i; if not, return to step 22 and continue traversing; otherwise, go to step 25;

Step 25: keep only the last item, so that
Figure BDA0002202951790000049
Figure BDA00022029517900000410
set n3 to n-1 and init_status to 1 at the same time, determine that the current state sequence matches the safe state sequence set, and directly set the threat degree of the current state sequence to 0; the initial value of init_status is 0, and it indicates whether a complete match of a safe state sequence has been performed;

Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;

Step 27 (init_status is 0): judge whether
Figure BDA00022029517900000411
is a subset of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22;

Step 28: judge whether
Figure BDA00022029517900000412
is the same as the first n-n1 items of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22.

Preferably, the method further comprises:

if the threat degree of the current state sequence is less than the preset security risk threshold, determining that the power grid has not suffered a power service packet attack.
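The method of steps 11 to 28 above, worked through in Python as an added example that is not part of the patent: a control block is selected by the multipoint signal address sequence of each incoming packet, the appended state sequence is matched first against the dangerous state sequence set (threat degree 1) and then against the safe state sequence set (threat degree 0), and the result is compared with the security risk threshold. Several points are this example's own assumptions: the threat formula built from d_black and d_white is not recoverable from this page, so when neither set matches the example returns None instead of an invented score; the cached state is modelled as the tail of S′ after its first n1 (or n3) items; the "subset" test of step 27 is read as a contiguous-subsequence test; every rule longer than the cache is handled the same way, without the i = t / i = e special cases; and all class and function names, rules, breaker addresses and packets are constructed for the example.

```python
# Added example (not the patent's code): misuse + anomaly matching of control-block
# state sequences, following steps 11-28 of the description. All names and sample
# data are this example's own constructions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

StateVec = Tuple[int, ...]   # one multipoint signal value sequence (here: breaker positions)
Rule = Tuple[StateVec, ...]  # one dangerous (B_i) or safe (W_i) state sequence


@dataclass
class ControlBlock:
    """State kept per multipoint signal address sequence between packets."""
    addresses: Tuple[str, ...]
    status: List[StateVec] = field(default_factory=list)  # S' = (status_1, ..., status_n)
    n1: int = 0           # leading items of S' dropped from the dangerous-set cache
    n3: int = 0           # leading items of S' dropped from the safe-set cache
    init_status: int = 0  # 1 once a complete safe state sequence has been matched


def _is_contiguous_subsequence(cache: Rule, rule: Rule) -> bool:
    """Assumed reading of the 'subset' test of step 27 (monitoring may start mid-sequence)."""
    return any(rule[k:k + len(cache)] == cache for k in range(len(rule) - len(cache) + 1))


def match_dangerous(block: ControlBlock, black: Sequence[Rule]) -> bool:
    """Steps 11-14: compare the cached tail of S' with each B_i (misuse detection)."""
    n = len(block.status)
    for rule in black:
        n2 = len(rule)
        if n2 > n - block.n1:   # rule longer than the cache: it cannot match yet
            continue
        if n2 < n - block.n1:   # step 13: keep only the last n2 cached items
            block.n1 = n - n2
        if tuple(block.status[block.n1:]) == rule:  # step 14
            block.n1 = n - 1    # keep only the last item for the next packet
            return True
    return False


def match_safe(block: ControlBlock, white: Sequence[Rule]) -> bool:
    """Steps 21-28: compare the cached tail of S' with each W_i (anomaly detection)."""
    n = len(block.status)
    for rule in white:
        n4 = len(rule)
        cache = tuple(block.status[block.n3:])
        if n4 > len(cache):     # steps 26-28: the safe sequence may still be in progress
            if block.init_status == 0:
                if _is_contiguous_subsequence(cache, rule):   # step 27
                    return True
            elif rule[:len(cache)] == cache:                  # step 28: prefix of W_i
                return True
            continue
        if n4 < len(cache):     # step 23: keep only the last n4 cached items
            block.n3 = n - n4
            cache = tuple(block.status[block.n3:])
        if cache == rule:       # steps 24-25: complete match
            block.n3 = n - 1
            block.init_status = 1
            return True
    return False


@dataclass
class AttackIdentifier:
    black: Dict[Tuple[str, ...], List[Rule]]   # dangerous state sequence set per control block
    white: Dict[Tuple[str, ...], List[Rule]]   # safe state sequence set per control block
    threshold: float = 0.5                     # preset security risk threshold (constructed value)
    blocks: Dict[Tuple[str, ...], ControlBlock] = field(default_factory=dict)

    def ingest(self, addresses: Sequence[str], values: Sequence[int]) -> Tuple[Optional[float], bool]:
        """Process one packet; returns (threat degree or None, attack identified?)."""
        key = tuple(addresses)
        block = self.blocks.setdefault(key, ControlBlock(key))
        block.status.append(tuple(values))        # append status_n to this control block's S'
        if match_dangerous(block, self.black.get(key, [])):
            threat: Optional[float] = 1.0
        elif match_safe(block, self.white.get(key, [])):
            threat = 0.0
        else:
            threat = None   # neither set matched; the page's distance-based score would apply here
        return threat, threat is not None and threat >= self.threshold


# Constructed sample: two breakers CB1 and CB2; a value of 1 means closed, 0 means open.
BREAKERS = ("CB1", "CB2")
BLACK = {BREAKERS: [((1, 1), (0, 0))]}                    # both tripped straight from both closed
WHITE = {BREAKERS: [((1, 1), (0, 1), (1, 1)),              # one breaker opened, then reclosed
                    ((1, 1), (1, 0), (1, 1))]}


def run_sample(values: Sequence[StateVec]) -> List[Tuple[Optional[float], bool]]:
    """Feed a sequence of constructed packets for BREAKERS and collect the per-packet verdicts."""
    ident = AttackIdentifier(BLACK, WHITE)
    return [ident.ingest(BREAKERS, v) for v in values]


if __name__ == "__main__":
    packets = [(1, 1), (0, 1), (1, 1), (0, 0)]
    for v, (threat, attacked) in zip(packets, run_sample(packets)):
        print(v, "threat:", threat, "attack identified:", attacked)
```

In the sample run the single-breaker maintenance cycle is accepted as safe packet by packet, and the fourth packet, which moves both breakers from closed to open, matches the dangerous sequence and is flagged. Note that step 13 (and step 23) permanently shorten the cache to the length of the first shorter rule encountered, so rule ordering within a set changes what later rules can see; that is the page's procedure, not a property introduced here.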

According to another aspect of the present invention, a system for identifying attacks on power service packets based on business logic is provided, the system comprising:

a current state sequence determination unit, configured to obtain a multipoint signal value sequence and a multipoint signal address sequence of a current state node from a power service packet, determine the control block corresponding to the current state node according to the multipoint signal address sequence, and append the multipoint signal value sequence to the state sequence of that control block to obtain the current state sequence;

a dangerous state sequence set and safe state sequence set determination unit, configured to determine, according to the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence;

a threat degree determination unit, configured to determine the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set;

a power service packet attack identification unit, configured to compare the threat degree of the current state sequence with a preset security risk threshold and to determine that the power grid has suffered a power service packet attack when the threat degree of the current state sequence is greater than or equal to the preset security risk threshold.

Preferably, the threat degree determination unit determines the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set by means of:

a dangerous state sequence set matching module, configured to match the current state sequence against the dangerous state sequence set and, if the current state sequence matches the dangerous state sequence set, determine that the threat degree of the current state sequence is 1;

a safe state sequence set matching module, configured to match the current state sequence against the safe state sequence set if the current state sequence does not match the dangerous state sequence set and, if the current state sequence matches the safe state sequence set, determine that the threat degree of the current state sequence is 0.

Preferably, the threat degree determination unit determines the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set by means of:

a first minimum distance and second minimum distance determination module, configured to calculate the first minimum distance between the current state sequence and the dangerous state sequence set, and the second minimum distance between the current state sequence and the safe state sequence set, respectively;

a threat degree determination module, configured to calculate the threat degree of the current state sequence from the first minimum distance and the second minimum distance.

Preferably, the threat degree determination module calculates the threat degree of the current state sequence from the first minimum distance and the second minimum distance as:

Figure BDA0002202951790000051

where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.

Preferably, the dangerous state sequence set matching module matches the current state sequence against the dangerous state sequence set by:

Step 11: add the latest multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the cached state
Figure BDA0002202951790000061
where the initial value of n1 is 0; after adding,
Figure BDA0002202951790000062

Step 12: traverse in order all the rules in the dangerous state sequence set
Figure BDA0002202951790000063
namely
Figure BDA0002202951790000064
If n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching is finished, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, go to step 13; otherwise, go to step 14;

Step 13: keep only the last n2 items of
Figure BDA0002202951790000065
so that
Figure BDA0002202951790000066
Figure BDA0002202951790000067
and set n1 to n-n2, so that
Figure BDA0002202951790000068
Figure BDA0002202951790000069

Step 14: judge whether
Figure BDA00022029517900000610
is the same as B_i; if it is, keep only the last item of
Figure BDA00022029517900000611
so that
Figure BDA00022029517900000612
set n1 to n-1 at the same time, determine that the current state sequence matches the dangerous state sequence set, and directly set the threat degree of the current state sequence to 1; otherwise, return to step 12 and continue traversing.

Preferably, the safe state sequence set matching module matches the current state sequence against the safe state sequence set by:

Step 21: add the latest multipoint signal value sequence status_n of S′ = (status_1, status_2, …, status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the cached state
Figure BDA00022029517900000613
where the initial value of n3 is 0; after adding,
Figure BDA00022029517900000614

Step 22: traverse in order all the rules in the safe state sequence set
Figure BDA00022029517900000615
If n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching fails and the traversal ends; if n4 < n-n3, go to step 23; otherwise, go to step 24;

Step 23: keep only the last n4 items of
Figure BDA00022029517900000617
so that
Figure BDA00022029517900000618
Figure BDA00022029517900000619
and set n3 to n-n4, so that
Figure BDA00022029517900000620

Step 24: judge whether
Figure BDA0002202951790000072
is the same as W_i; if not, return to step 22 and continue traversing; otherwise, go to step 25;

Step 25: keep only the last item, so that
Figure BDA0002202951790000074
Figure BDA0002202951790000075
set n3 to n-1 and init_status to 1 at the same time, determine that the current state sequence matches the safe state sequence set, and directly set the threat degree of the current state sequence to 0; the initial value of init_status is 0, and it indicates whether a complete match of a safe state sequence has been performed;

Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;

Step 27 (init_status is 0): judge whether
Figure BDA0002202951790000076
is a subset of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22;

Step 28: judge whether
Figure BDA0002202951790000077
is the same as the first n-n1 items of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22.

Preferably, the power service packet attack identification unit is further configured to:

determine that the power grid has not been subjected to a power service packet attack when the threat degree of the current state sequence is below the preset security risk threshold.

The present invention provides a method and system for identifying power service packet attacks based on business logic. The method comprises: determining the current state sequence of the power grid; determining, from the multi-point signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to that current state sequence; determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set; and, when the threat degree of the current state sequence is greater than or equal to a preset security risk threshold, determining that the power grid has been subjected to a power service packet attack. By defining a dangerous state sequence set and a safe state sequence set for the power business logic, the invention combines misuse detection with anomaly detection, evaluates the threat degree of the power service, and decides from that threat degree whether the power grid is under a power service packet attack. This identifies power service packet attacks effectively, lowers the false alarm rate, and supports the safe and reliable operation of the power industrial control system.

Description of drawings

Exemplary embodiments of the present invention can be understood more completely by reference to the following drawings:

FIG. 1 is a flowchart of a method 100 for identifying power service packet attacks based on business logic according to an embodiment of the present invention;

FIG. 2 is a diagram of the state chain data structure according to an embodiment of the present invention;

FIG. 3 is a diagram of the data structures of the dangerous state sequence and the safe state sequence according to an embodiment of the present invention; and

FIG. 4 is a schematic structural diagram of a system 400 for identifying power service packet attacks based on business logic according to an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present invention are now described with reference to the accompanying drawings. The invention may, however, be embodied in many different forms and is not limited to the embodiments described here; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art. The terms used in the exemplary embodiments shown in the drawings do not limit the invention. In the drawings, the same elements are given the same reference numerals.

Unless otherwise defined, the terms used here (including scientific and technical terms) have the meaning commonly understood by those skilled in the art. Terms defined in commonly used dictionaries are to be read with a meaning consistent with their context in the related art, and not in an idealized or overly formal sense.

FIG. 1 is a flowchart of a method 100 for identifying power service packet attacks based on business logic according to an embodiment of the present invention. By defining a dangerous state sequence set and a safe state sequence set for the power business logic, the method combines misuse detection with anomaly detection, evaluates the threat degree of the power service, and decides from that threat degree whether the power grid is under a power service packet attack; this identifies such attacks effectively, lowers the false alarm rate, and supports the safe and reliable operation of the power industrial control system. The method 100 starts at step 101. In step 101, the multi-point signal value sequence and the multi-point signal address sequence of one current state node are extracted from a power service packet; the control block corresponding to that current state node is located by its multi-point signal address sequence, and the multi-point signal value sequence is appended to the state sequence of that control block, giving the current state sequence.

In this embodiment, assessing the security of the current business logic state requires the business logic to be stored, so a state chain data structure is used to describe the power grid business logic, covering both the business state and how it changes. The state chain data structure of this embodiment is shown in FIG. 2 and has the following seven parts.

(1) Single-point signal value: the data field in FIG. 2, describing the value of a single FCDA (Functionally Constrained Data Attribute) item. In the power grid this is, for instance, a disconnector switch position signal or the voltage or current at one grid node.

(2) Signal address: the pos field in FIG. 2, describing the location of one FCDA item. In the grid this is the logical instance name of a switch or node; in computation it is the name of a variable, used to index that variable.

(3) Multi-point signal address sequence: the field pos_sequence = (pos_1, pos_2, ..., pos_n)^T in FIG. 2, describing the signal addresses of all single-point signals on one control block.

(4) Multi-point signal value sequence: the field status = (data_1, data_2, ..., data_n)^T in FIG. 2, describing the values of all single-point signals on one control block. In the grid this is, for instance, the positions of several switches or the voltages and currents at several points.

(5) State node: Node = (status, pos_sequence), consisting of a multi-point signal address sequence and a multi-point signal value sequence, describing the state of one control block.

(6) State change: a change of one or more single-point signals within the state of a control block. In the grid this is, for instance, the switching of one or several disconnectors, a change of voltage or current at one or more points, or a change of one or more setting values.

(7) State sequence: status_sequence = (status_value, pos_sequence), where status_value = (status_1, status_2, ..., status_n) is formed by linking, in order, a finite number of state nodes that share the same pos_sequence. It describes the logical process by which the state of a control block changes; in the grid this is, for instance, the operating logic of a group of switches or the logical relationship between a group of voltage and current changes.

In this embodiment, identifying whether the grid is currently under a power service packet attack first requires the current business logic to be entered. Using the state chain data structure above, the entry process is as follows:

1.1) Extract a state node Node_now = (status_n, pos_sequence_now) from the application-layer content of the power service packet, where status_n = (data_1, data_2, ..., data_k)^T.

1.2) Using pos_sequence_now of Node_now, find the corresponding control block state sequence status_sequence = (S, pos_sequence), i.e. the state sequence satisfying pos_sequence = pos_sequence_now, where S = (status_1, status_2, ..., status_{n-1}).

1.3) Compare status_{n-1} with status_n; if they are equal, the process ends; otherwise go to 1.4).

1.4) Link status_n into status_sequence = (S, pos_sequence) to obtain the current state sequence status_sequence_now = (S′, pos_sequence_now), where S′ = (status_1, status_2, ..., status_n).
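The state chain and the entry procedure 1.1) to 1.4) above, written out as an added Python example. This is not code from the patent: the class and function names, the GOOSE-style address strings (built in the form the patent's later example uses) and every sample value are constructed for illustration, and decoding of the packet itself is assumed to have already produced the value list.

```python
"""State chain data structure and state-node entry, steps 1.1 to 1.4.

Added example; this is not code from the patent. The class and function
names, the GOOSE-style address strings and every sample value are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Status = Tuple[int, ...]       # multi-point signal value sequence (data_1, ..., data_k)^T
PosSequence = Tuple[str, ...]  # multi-point signal address sequence (pos_1, ..., pos_k)^T


@dataclass(frozen=True)
class StateNode:
    """Node = (status, pos_sequence): one snapshot of one control block."""
    status: Status
    pos_sequence: PosSequence


@dataclass
class StateSequence:
    """status_sequence = (status_value, pos_sequence); status_value is the
    ordered list of state nodes that all share this pos_sequence."""
    pos_sequence: PosSequence
    status_value: List[Status] = field(default_factory=list)


class StateChain:
    """One StateSequence per control block, keyed by its pos_sequence."""

    def __init__(self) -> None:
        self._blocks: Dict[PosSequence, StateSequence] = {}

    def control_block(self, pos_sequence: PosSequence) -> StateSequence:
        # Step 1.2: the sequence whose pos_sequence equals pos_sequence_now
        # (a block seen for the first time starts with an empty S).
        return self._blocks.setdefault(pos_sequence, StateSequence(pos_sequence))

    def enter(self, node: StateNode) -> bool:
        """Steps 1.1 to 1.4; returns True when status_n was linked in."""
        if len(node.status) != len(node.pos_sequence):
            raise ValueError("status and pos_sequence must have the same length")
        seq = self.control_block(node.pos_sequence)
        # Step 1.3: a packet that merely repeats status_{n-1} is not a state change.
        if seq.status_value and seq.status_value[-1] == node.status:
            return False
        seq.status_value.append(node.status)  # step 1.4: S' = (S, status_n)
        return True


def node_from_goose_dataset(appid: int, dataset: str, values: List[int]) -> StateNode:
    """Builds pos_i strings in the form used by the patent's example and pairs
    them with the already-decoded allData values (constructed helper)."""
    pos = tuple(f"(APPID=0x{appid:04x})-(dataset={dataset})-(alldata.{i})"
                for i in range(1, len(values) + 1))
    return StateNode(tuple(values), pos)


def demo_chain() -> List[Status]:
    """Feeds four constructed packets for one control block and returns S'."""
    chain = StateChain()
    dataset = "DeviceF001/LLN0$GOOSE1"
    for values in ([0, 0, 0], [0, 0, 1], [0, 0, 1], [1, 0, 1]):
        chain.enter(node_from_goose_dataset(1, dataset, values))
    key = node_from_goose_dataset(1, dataset, [0, 0, 0]).pos_sequence
    return chain.control_block(key).status_value
```

The third constructed packet repeats the second state and is dropped by the step 1.3 check, so the chain for the block holds three nodes rather than four; a retransmitted GOOSE frame therefore does not lengthen the state sequence and cannot by itself push a sequence out of a whitelist rule.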

In step 102, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence are determined from the multi-point signal address sequence of the current state sequence.

In this embodiment, assessing the security of the current business logic state means comparing it with known dangerous state sequences and safe state sequences; comparing the current state sequence against both identifies power service packet attacks quickly and effectively. The data structures of the dangerous state sequence and the safe state sequence of this embodiment are shown in FIG. 3. The dangerous state sequence set and the safe state sequence set hold different rules, each expressed in the structure of a state sequence. The dangerous state sequence set is defined as U_{blacklist/pos_sequence_1} = {B_1, B_2, ..., B_t}, the set of all illegal state sequences satisfying pos_sequence = pos_sequence_1. The safe state sequence set is defined as U_{whitelist/pos_sequence_1} = {W_1, W_2, ..., W_e}, the set of all legal state sequences satisfying pos_sequence = pos_sequence_1.

In step 103, the threat degree of the current state sequence is determined from the current state sequence, the dangerous state sequence set and the safe state sequence set.

Preferably, determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set includes:

matching the current state sequence against the dangerous state sequence set and, if the match succeeds, setting the threat degree of the current state sequence to 1;

if the match against the dangerous state sequence set fails, matching the current state sequence against the safe state sequence set and, if that match succeeds, setting the threat degree of the current state sequence to 0.

Preferably, determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set includes:

computing the first minimum distance between the current state sequence and the dangerous state sequence set, and the second minimum distance between the current state sequence and the safe state sequence set;

computing the threat degree of the current state sequence from the first minimum distance and the second minimum distance.

Preferably, computing the first minimum distance between the current state sequence and the dangerous state sequence set includes:

Figure BDA0002202951790000111

where d_black is the first minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now) with S′ = (status_1, status_2, ..., status_n); the dangerous state sequence set is
Figure BDA0002202951790000112
and for
Figure BDA0002202951790000113
if
Figure BDA0002202951790000114
then
Figure BDA0002202951790000115
Figure BDA0002202951790000116
Figure BDA0002202951790000117
Figure BDA0002202951790000118
otherwise
Figure BDA0002202951790000119
Here column_S′ is the number of columns of the matrix S′; B_i(status_value) is the status_value of the state sequence B_i, and B_i(status_value)[0, ..., column_S′ - 1] denotes columns 0 to column_S′ - 1 of that matrix;
Figure BDA00022029517900001110
denotes the i-th column of the matrix
Figure BDA00022029517900001111
and the function d(A, B) is the Euclidean distance between the row vectors A = (x_1, x_2, ..., x_n) and B = (y_1, y_2, ..., y_n).

Preferably, computing the second minimum distance between the current state sequence and the safe state sequence set includes:

Figure BDA00022029517900001112

where d_white is the second minimum distance; the current state sequence is status_sequence_now = (S′, pos_sequence_now) with S′ = (status_1, status_2, ..., status_n); for each member of the safe state sequence set
Figure BDA00022029517900001117
if
Figure BDA00022029517900001114
then
Figure BDA00022029517900001115
Figure BDA0002202951790000121
Figure BDA0002202951790000122
Figure BDA0002202951790000123
otherwise
Figure BDA0002202951790000124
Figure BDA0002202951790000125
Here column_S′ is the number of columns of the matrix S′; W_i(status_value) is the status_value of the state sequence W_i, and W_i(status_value)[0, ..., column_S′ - 1] denotes columns 0 to column_S′ - 1 of that matrix;
Figure BDA0002202951790000127
denotes the i-th column of the matrix, and the function d(A, B) is the Euclidean distance between the row vectors A = (x_1, x_2, ..., x_n) and B = (y_1, y_2, ..., y_n), so that
Figure BDA00022029517900001222

Preferably, computing the threat degree of the current state sequence from the first minimum distance and the second minimum distance includes:

Figure BDA0002202951790000128

where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.

Preferably, matching the current state sequence against the dangerous state sequence set includes:

Step 11: append the latest multi-point signal value sequence status_n of S′ = (status_1, status_2, ..., status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the cache state S″_{blacklist/pos_sequence}, where the initial value of n1 is 0; after the append, S″_{blacklist/pos_sequence} = (status_{n1+1}, ..., status_n);

Step 12: traverse in order all rules B_i of the dangerous state sequence set U_{blacklist/pos_sequence} = {B_1, ..., B_t}, each B_i having n2 items. If n2 > n - n1 and i ≠ t, continue the traversal; if n2 > n - n1 and i = t, the matching ends, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n - n1, go to step 13; otherwise go to step 14;

Step 13: keep only the last n2 items of S″_{blacklist/pos_sequence}, so that S″_{blacklist/pos_sequence} = (status_{n-n2+1}, ..., status_n), and set n1 to n - n2, so that S″_{blacklist/pos_sequence} = (status_{n1+1}, ..., status_n);

Step 14: judge whether S″_{blacklist/pos_sequence} is identical to B_i. If so, keep only the last item of S″_{blacklist/pos_sequence}, so that S″_{blacklist/pos_sequence} = (status_n), set n1 to n - 1, determine that the current state sequence matches the dangerous state sequence set, and directly set the threat degree of the current state sequence to 1; otherwise, return to step 12 and continue the traversal.

Preferably, matching the current state sequence against the safe state sequence set includes:

Step 21: append the latest multi-point signal value sequence status_n of S′ = (status_1, status_2, ..., status_n) in the current state sequence status_sequence_now = (S′, pos_sequence_now) to the cache state S″_{whitelist/pos_sequence}, where the initial value of n3 is 0; after the append, S″_{whitelist/pos_sequence} = (status_{n3+1}, ..., status_n);

Step 22: traverse in order all rules W_i of the safe state sequence set U_{whitelist/pos_sequence} = {W_1, ..., W_e}, each W_i having n4 items. If n4 > n - n3 and i ≠ e, go to step 26; if n4 > n - n3 and i = e, the match fails and the traversal ends; if n4 < n - n3, go to step 23; otherwise go to step 24;

Step 23: keep only the last n4 items of S″_{whitelist/pos_sequence}, so that S″_{whitelist/pos_sequence} = (status_{n-n4+1}, ..., status_n), and set n3 to n - n4, so that S″_{whitelist/pos_sequence} = (status_{n3+1}, ..., status_n);

Step 24: judge whether S″_{whitelist/pos_sequence} is identical to W_i; if it is not, return to step 22 and continue the traversal; otherwise, go to step 25;

Step 25: keep only the last item of S″_{whitelist/pos_sequence}, so that S″_{whitelist/pos_sequence} = (status_n); at the same time set n3 to n - 1 and init_status to 1, determine that the current state sequence matches the safe state sequence set, and directly set the threat degree of the current state sequence to 0. The initial value of init_status is 0; it records whether a complete match against the safe state sequence set has already taken place;

Step 26: if init_status is 0, go to step 27; otherwise go to step 28;

Step 27 (init_status is 0): judge whether S″_{whitelist/pos_sequence} is a subset of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22;

Step 28: judge whether S″_{whitelist/pos_sequence} is identical to the first n - n1 items of W_i; if so, determine that the current state sequence matches the safe state sequence set and directly set the threat degree of the current state sequence to 0; otherwise, continue traversing the other rules in the safe state sequence set by returning to step 22.

In this embodiment, once the dangerous state sequence set and the safe state sequence set have been determined, the threat degree is determined in three stages:

S1: match the current state sequence against the dangerous state sequence set; if the match succeeds, the threat degree of the current state sequence is 1; otherwise go to S2;

S2: match the current state sequence against the safe state sequence set; if the match succeeds, the threat degree of the current state sequence is 0; otherwise go to S3;

S3: determine the first minimum distance and the second minimum distance, and derive the threat degree of the current state sequence from them.
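The three-stage decision S1 to S3, together with the blacklist matching of steps 11 to 14 and the whitelist matching of steps 21 to 28 above, as an added Python example. This is not the patent's code. The rule sets, status values and threshold are constructed. The page shows the first and second minimum distance and the threat-degree formula only as images, so the per-column Euclidean distance and P_threaten = d_white / (d_black + d_white) used in stage S3 are assumed stand-ins, not the patent's equations. The example also does not mutate the n1/n3 cache counters; it compares each rule against the trailing window of the full current sequence, which yields the same exact-match outcome, and reads the "subset" test of step 27 as a prefix test, the reading consistent with the page's worked example.

```python
"""Threat-degree determination S1 to S3 for one control block.

Added example; not the patent's code. Rule sets, status values and the
threshold are constructed. The per-column Euclidean distance and the
P_threaten formula below are ASSUMED stand-ins for equations the page
shows only as images.
"""
import math
from typing import List, Sequence, Tuple

Status = Tuple[int, ...]
Rule = List[Status]  # one B_i or W_i: an ordered list of status nodes


def same_items(a: Sequence[Status], b: Sequence[Status]) -> bool:
    return len(a) == len(b) and all(x == y for x, y in zip(a, b))


def blacklist_match(cur: Sequence[Status], blacklist: List[Rule]) -> bool:
    """Steps 11 to 14: B_i matches when it equals the last n2 items of the
    cache; a rule longer than the cache (n2 > n - n1) is skipped."""
    for rule in blacklist:
        if len(rule) > len(cur):
            continue
        if same_items(cur[len(cur) - len(rule):], rule):
            return True
    return False


def whitelist_match(cur: Sequence[Status], whitelist: List[Rule]) -> bool:
    """Steps 21 to 28: W_i matches when it equals the last n4 items of the
    cache or, when W_i is longer than the cache (n4 > n - n3), when the
    cache is the leading segment of W_i (step 27, read as a prefix test)."""
    for rule in whitelist:
        if len(rule) > len(cur):
            if same_items(cur, rule[:len(cur)]):
                return True
        elif same_items(cur[len(cur) - len(rule):], rule):
            return True
    return False


def column_distance(cur: Sequence[Status], rule: Rule) -> float:
    """ASSUMED distance: sum over the leading column_S' columns of the
    Euclidean distance d(A, B) between the current node and the rule node.
    A rule with fewer columns than S' cannot be compared and scores inf."""
    if len(rule) < len(cur):
        return math.inf
    return sum(math.dist(a, b) for a, b in zip(cur, rule))


def min_distance(cur: Sequence[Status], rules: List[Rule]) -> float:
    return min((column_distance(cur, r) for r in rules), default=math.inf)


def threat_degree(cur: Sequence[Status], blacklist: List[Rule],
                  whitelist: List[Rule]) -> float:
    if blacklist_match(cur, blacklist):  # S1: misuse detection
        return 1.0
    if whitelist_match(cur, whitelist):  # S2: known-good business logic
        return 0.0
    d_black = min_distance(cur, blacklist)  # S3: anomaly score
    d_white = min_distance(cur, whitelist)
    if math.isinf(d_white):  # no safe rule spans S': fail closed (assumption)
        return 1.0
    return d_white / (d_black + d_white)  # ASSUMED P_threaten; d_black = inf gives 0.0


def is_attack(p_threaten: float, x_safe: float = 0.25) -> bool:
    """Step 104 with the embodiment's default X_safe = 0.25."""
    return p_threaten >= x_safe


# Constructed data in the shape of the patent's example: status_1, status_2
# and status_8 are the values the page gives; the others are invented here.
S1, S2, S8 = (0, 0, 0), (0, 0, 1), (1, 1, 1)
S3, S4, S5, S7 = (0, 1, 1), (0, 1, 0), (1, 0, 0), (1, 0, 1)
CURRENT: Rule = [S1, S2, S5]                              # status_sequence_2
BLACKLIST: List[Rule] = [[S1, S3, S7]]                    # B_1
WHITELIST: List[Rule] = [[S1, S2, S8], [S1, S2, S4, S5]]  # W_1, W_2
```

With this data CURRENT matches neither B_1 nor W_1 exactly and is not a prefix of W_2 (its third node differs), so it falls through to S3; d_black is 2.0 and d_white is √2, giving P_threaten ≈ 0.41 ≥ X_safe, i.e. an attack. The trailing-window comparison also means a long-running block that has drifted away from every rule of its own length is scored against nothing and is reported as an attack rather than silently passed, which is the fail-closed choice a detector in a substation network should make.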

In step 104, the threat degree of the current state sequence is compared with a preset security risk threshold, and when the threat degree of the current state sequence is greater than or equal to the preset security risk threshold it is determined that the power grid has been subjected to a power service packet attack.

Preferably, the method further includes:

determining that the power grid has not been subjected to a power service packet attack when the threat degree of the current state sequence is below the preset security risk threshold.

In this embodiment, whether the current grid is under attack is decided from the threat degree P_threaten of the current state sequence. To lower the false alarm rate a security risk threshold X_safe is defined, with a default value of 0.25; X_safe can be set according to actual needs and is not limited to the 0.25 used here. When P_threaten > X_safe, the grid corresponding to the value of pos_sequence_now in the current state sequence status_sequence_now = (S′, pos_sequence_now) is considered to be under a power service packet attack; otherwise it is considered not to be under attack and to be in a safe state.

The following specific example illustrates an embodiment of the invention.

Assume that the state block attacked has three FCDAs, with the following address information:

pos_1 = "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.1)",

pos_2 = "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.2)",

pos_3 = "(APPID=0x0001)-(dataset=DeviceF001/LLN0$GOOSE1)-(alldata.3)".

The corresponding control block states are status_1 = (0, 0, 0)^T, status_2 = (0, 0, 1)^T, ..., status_8 = (1, 1, 1)^T. The security risk threshold X_safe of the intrusion detection method is set to 0.25.

The specific process for determining that the grid is under a power service packet attack is as follows:

Step (1), state chain entry: assume the state sequence already entered is status_sequence_1 = (S_1, pos_sequence) with S_1 = (status_1, status_2) and pos_sequence = (pos_1, pos_2, pos_3)^T. A state node Node_now = (status_5, pos_sequence) is now extracted from an application-layer packet and added to the entered state sequence, so the state sequence changes from status_sequence_1 to status_sequence_2 = (S_2, pos_sequence) with S_2 = (status_1, status_2, status_5).

Step (2): determine the dangerous state sequence set of the current state sequence, U_{blacklist/pos_sequence} = {B_1} with B_1 = {status_1, status_3, status_7}, and its safe state sequence set U_{whitelist/pos_sequence} = {W_1, W_2}.

Step (3): match the current state sequence against the dangerous state sequence set; if it matches, the threat degree is 1; if no match is found, go to step (4). The steps are:

3.1) Append the latest state status_5 of S_2 in status_sequence_2 to the cache state S″_{blacklist/pos_sequence} = (status_1, status_2), giving S″_{blacklist/pos_sequence} = (status_1, status_2, status_5).

3.2) Traverse in order the rules of the dangerous state sequence set that have the same pos_sequence, i.e. U_{blacklist/pos_sequence} = {B_1}; B_1 has 3 states and S″_{blacklist/pos_sequence} has 3 states, so go to 3.3).

3.3) Compare B_1 with S_2: they do not match; continue the traversal and go to 3.4).

3.4) The traversal of U_{blacklist/pos_sequence} ends; go to step (4).

Step (4): match the current state sequence in the safe state sequence matching mode; if it matches, the threat degree is 0; if it does not, go to step (5). The process is:

4.1) Append the latest state status_5 of S_2 in the current state sequence status_sequence_2 to the cache state S″_{whitelist/pos_sequence} = (status_1, status_2), giving the cache state sequence S″_{whitelist/pos_sequence} = (status_1, status_2, status_5).

4.2) Traverse the rules of the safe state sequence set that have the same pos_sequence, U_{whitelist/pos_sequence} = {W_1, W_2}. First traverse W_1 = {status_1, status_2, status_8}; W_1 has 3 states and S″_{whitelist/pos_sequence} has 3 states, so go to 4.3).

4.3) Compare S″_{whitelist/pos_sequence} with rule W_1: they do not match; continue the traversal.

4.4) Traverse W_2 = {status_1, status_2, status_4, status_5}, which has 4 states, while S″_{whitelist/pos_sequence} = (status_1, status_2, status_5) has 3 states; go to 4.5).

4.5) init_status is 0 (assumed to be 0), so go to 4.6).

4.6) Compare S″_{whitelist/pos_sequence} with rule W_2: S″_{whitelist/pos_sequence} is not a subset of W_2 in the sense of step 27; the traversal ends, go to step (5).

Step (5): perform similarity matching on the state sequence to obtain the threat degree P_threaten. The steps are:

5.1) From pos_sequence, find the dangerous state sequence set U_{blacklist/pos_sequence} = {B_1} and the safe state sequence set U_{whitelist/pos_sequence} = {W_1, W_2} of the corresponding control block.

5.2) For B_1 ∈ U_{blacklist/pos_sequence},
Figure BDA0002202951790000161
so
Figure BDA0002202951790000162

5.3) The minimum distance between the current state sequence status_sequence_2 and the dangerous state sequence set U_{blacklist/pos_sequence} is d_black = 1.

5.4) For W_1 ∈ U_{whitelist/pos_sequence},
Figure BDA0002202951790000163
and for W_2 ∈ U_{whitelist/pos_sequence},
Figure BDA0002202951790000166

5.5) The minimum distance between the current state sequence status_sequence_2 and the safe state sequence set U_{whitelist/pos_sequence} is d_white = 2.

5.6) Compute the threat degree
Figure BDA0002202951790000168
and go to step (6).

Step (6): compare the computed threat degree with the preset security risk threshold. Since P_threaten > X_safe, the grid corresponding to the value of pos_sequence in the current state sequence status_sequence is determined to be under a power service packet attack.

FIG. 4 is a schematic structural diagram of a business-logic-based power service message attack identification system 400 according to an embodiment of the present invention. As shown in FIG. 4, the business-logic-based power service message attack identification system 400 provided by this embodiment includes: a current state sequence determination unit 401, a dangerous state sequence set and safe state sequence set determination unit 402, a threat degree determination unit 403, and a power service message attack identification unit 404.

Preferably, the current state sequence determination unit 401 is configured to obtain, from a power service message, the multi-point signal value sequence and the multi-point signal address sequence of a current state node, determine the control block corresponding to the current state node according to the multi-point signal address sequence, and add the multi-point signal value sequence to the state sequence of that control block to obtain the current state sequence.

Preferably, the dangerous state sequence set and safe state sequence set determination unit 402 is configured to determine, according to the multi-point signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence.

Preferably, the threat degree determination unit 403 is configured to determine the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set.

Preferably, the threat degree determination unit 403 includes a dangerous state sequence set matching module and a safe state sequence set matching module.

The dangerous state sequence set matching module is configured to match the current state sequence with the dangerous state sequence set; if the current state sequence matches the dangerous state sequence set successfully, the threat degree of the current state sequence is determined to be 1.

The safe state sequence set matching module is configured to match the current state sequence with the safe state sequence set when the current state sequence does not match the dangerous state sequence set; if the current state sequence matches the safe state sequence set successfully, the threat degree of the current state sequence is determined to be 0.

Preferably, the dangerous state sequence set matching module matches the current state sequence with the dangerous state sequence set as follows:

Step 11: add the latest multi-point signal value sequence statusn of S′ = (status1, status2, …, statusn) in the current state sequence status_sequencenow = (S′, pos_sequencenow) to the cache state
Figure BDA0002202951790000171
where the initial value of n1 is 0; after adding,
Figure BDA0002202951790000172

Step 12: traverse in order all the rules in the dangerous state sequence set
Figure BDA0002202951790000173
Figure BDA0002202951790000174
if n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching is over, the traversal ends, and the safe state sequence set matching mode is executed next; if n2 < n-n1, go to step 13; otherwise, go to step 14;

Step 13: keep the last n2 items of
Figure BDA0002202951790000175
so that
Figure BDA0002202951790000176
and set n1 to n-n2, so that
Figure BDA0002202951790000178
Figure BDA0002202951790000179

Step 14: determine whether
Figure BDA0002202951790000181
is the same as Bi; if it is the same, keep only the last item of
Figure BDA0002202951790000182
set n1 to n-1 at the same time, determine that the current state sequence matches the dangerous state sequence set successfully, and directly determine the threat degree of the current state sequence to be 1; otherwise, return to step 12 and continue traversing.

Preferably, the safe state sequence set matching module matches the current state sequence with the safe state sequence set as follows:

Step 21: add the latest multi-point signal value sequence statusn of S′ = (status1, status2, …, statusn) in the current state sequence status_sequencenow = (S′, pos_sequencenow) to the cache state
Figure BDA0002202951790000184
where the initial value of n3 is 0; after adding,

Step 22: traverse in order all the rules in the safe state sequence set
Figure BDA0002202951790000186
if n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching fails and the traversal ends; if n4 < n-n3, go to step 23; otherwise, go to step 24;

Step 23: keep the last n4 items of
Figure BDA0002202951790000188
so that
Figure BDA0002202951790000189
Figure BDA00022029517900001810
and set n3 to n-n4, so that
Figure BDA00022029517900001811
Figure BDA00022029517900001812

Step 24: determine whether
Figure BDA00022029517900001813
is the same as Wi; if not, return to step 22 and continue traversing; otherwise, go to step 25;

Step 25: keep only the last item, so that
Figure BDA00022029517900001815
Figure BDA00022029517900001816
at the same time set n3 to n-1 and init_status to 1, determine that the current state sequence matches the safe state sequence set successfully, and directly determine the threat degree of the current state sequence to be 0; the initial value of init_status is 0, and it indicates whether a complete safe state sequence match has been performed once;

Step 26: if init_status is 0, go to step 27; otherwise, go to step 28;

Step 27: init_status is 0; determine whether
Figure BDA00022029517900001817
is a subset of Wi; if so, determine that the current state sequence matches the safe state sequence set successfully and directly determine the threat degree of the current state sequence to be 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22;

Step 28: determine whether
Figure BDA00022029517900001818
is the same as the first n-n1 items of Wi; if so, determine that the current state sequence matches the safe state sequence set successfully and directly determine the threat degree of the current state sequence to be 0; otherwise, continue traversing the other rules in the safe state sequence set and return to step 22.

Preferably, the threat degree determination unit 403 further includes a first and second minimum distance determination module and a threat degree determination module.

The first and second minimum distance determination module is configured to calculate, respectively, the first minimum distance between the current state sequence and the dangerous state sequence set, and the second minimum distance between the current state sequence and the safe state sequence set.

The threat degree determination module is configured to calculate the threat degree of the current state sequence according to the first minimum distance and the second minimum distance.

Preferably, the first and second minimum distance determination module calculates the first minimum distance between the current state sequence and the dangerous state sequence set as follows:

Figure BDA0002202951790000191

where dblack is the first minimum distance; the current state sequence is status_sequencenow = (S′, pos_sequencenow), S′ = (status1, status2, …, statusn); the dangerous state sequence set is
Figure BDA0002202951790000192
for
Figure BDA0002202951790000193
if
Figure BDA0002202951790000194
then
Figure BDA0002202951790000195
Figure BDA0002202951790000196
Figure BDA0002202951790000197
Figure BDA0002202951790000198
otherwise
Figure BDA0002202951790000199
columnS′ denotes the number of columns of the matrix S′, Bi(status_value) denotes the status_value values in the state sequence Bi, and Bi(status_value)[0, …, columnS′-1] denotes columns 0 to columnS′-1 of the Bi(status_value) matrix;
Figure BDA00022029517900001910
denotes the i-th column of the matrix
Figure BDA00022029517900001911
and the function d(A, B) computes the Euclidean distance between the row vectors A = (x1, x2, …, xn) and B = (y1, y2, …, yn), that is
Figure BDA00022029517900001912

Preferably, the first and second minimum distance determination module calculates the second minimum distance between the current state sequence and the safe state sequence set as follows:

Figure BDA0002202951790000201

where dwhite is the second minimum distance; the current state sequence is status_sequencenow = (S′, pos_sequencenow), S′ = (status1, status2, …, statusn); the safe state sequence set is
Figure BDA0002202951790000202
for
Figure BDA0002202951790000203
if
Figure BDA0002202951790000204
then
Figure BDA0002202951790000205
Figure BDA0002202951790000206
Figure BDA0002202951790000208
otherwise
Figure BDA0002202951790000209
Figure BDA00022029517900002010
columnS′ denotes the number of columns of the matrix S′, Wi(status_value) denotes the status_value values in the state sequence Wi, and Wi(status_value)[0, …, columnS′-1] denotes columns 0 to columnS′-1 of the Wi(status_value) matrix;
Figure BDA00022029517900002011
denotes the i-th column of the matrix
Figure BDA00022029517900002012
and the function d(A, B) computes the Euclidean distance between the row vectors A = (x1, x2, …, xn) and B = (y1, y2, …, yn), that is
Figure BDA00022029517900002014
Figure BDA00022029517900002015

Preferably, the threat degree determination module calculates the threat degree of the current state sequence according to the first minimum distance and the second minimum distance as follows:

Figure BDA00022029517900002013

where Pthreaten is the threat degree of the current state sequence, dblack is the first minimum distance, and dwhite is the second minimum distance.
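The matching steps 11 to 28, the worked example of steps 4.1 to 5.5 and the minimum-distance computation above, as an added Python example that is not the patent's own code. It assumes that a status is a numeric tuple, that a blacklist rule matches the most recent len(B_i) statuses (steps 12 to 14), that the "subset" test of step 27 is a prefix test, that the distance between a sequence and a rule is the sum of d(A, B) over column-aligned statuses, and that P_threaten = d_white / (d_black + d_white) stands in for the formula whose image is not reproduced on this page; the sample statuses, the rule B1 and the threshold X_safe are constructed values.

```python
from math import sqrt
from typing import Sequence, Tuple

Status = Tuple[float, ...]     # one multi-point signal value vector (a column of S')
StateSeq = Tuple[Status, ...]  # ordered statuses of one control block


def euclid(a: Status, b: Status) -> float:
    """d(A, B): Euclidean distance between two row vectors of equal length."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match_dangerous(current: StateSeq, blacklist: Sequence[StateSeq]) -> bool:
    """Steps 11-14: rule B_i matches when it equals the last len(B_i) statuses.

    Rules longer than the observed sequence are skipped (n2 > n - n1); shorter
    rules are compared against the cache trimmed to their length (step 13).
    """
    n = len(current)
    for rule in blacklist:
        n2 = len(rule)
        if n2 > n:
            continue
        if tuple(current[n - n2:]) == tuple(rule):  # step 14
            return True
    return False


def match_safe(current: StateSeq, whitelist: Sequence[StateSeq]) -> bool:
    """Steps 21-28 as read from worked example 4.1-4.6.

    W_i matches when it equals the (trimmed) cache (steps 24-25) or, when W_i
    is longer than the cache, when the cache is a prefix of W_i (steps 26-28;
    reading "subset" as "prefix" is an assumption).
    """
    n = len(current)
    for rule in whitelist:
        n4 = len(rule)
        if n4 > n:
            if tuple(rule[:n]) == tuple(current):
                return True
            continue
        if tuple(current[n - n4:]) == tuple(rule):
            return True
    return False


def seq_distance(current: StateSeq, rule: StateSeq) -> float:
    """Assumed distance between S' and a rule: sum of d() over column-aligned
    statuses, using only columns 0 .. columns'-1 as in B_i(status_value)[...]."""
    cols = min(len(current), len(rule))
    return sum(euclid(current[k], rule[k]) for k in range(cols))


def min_distance(current: StateSeq, rules: Sequence[StateSeq]) -> float:
    """d_black / d_white: the smallest distance to any rule of the set."""
    return min(seq_distance(current, r) for r in rules)


def threat_degree(current: StateSeq, blacklist: Sequence[StateSeq],
                  whitelist: Sequence[StateSeq]) -> float:
    """Steps (3)-(5): 1 on a dangerous match, 0 on a safe match, else similarity."""
    if match_dangerous(current, blacklist):
        return 1.0
    if match_safe(current, whitelist):
        return 0.0
    d_black = min_distance(current, blacklist)
    d_white = min_distance(current, whitelist)
    # STAND-IN for the P_threaten formula whose image is not reproduced on the
    # page: the nearer the blacklist is relative to the whitelist, the higher P.
    if d_black + d_white == 0.0:
        return 1.0  # equally close to both: conservatively treat as dangerous
    return d_white / (d_black + d_white)


def under_attack(p_threaten: float, x_safe: float) -> bool:
    """Step (6) / unit 404: an attack is flagged when P_threaten >= X_safe."""
    return p_threaten >= x_safe


# Constructed sample data (not from the patent): two-point signal statuses named
# after the worked example, chosen so that d_black = 1 and d_white = 2 result.
S1, S2, S4, S5, S6, S8 = (0, 0), (1, 0), (3, 2), (1, 2), (1, 3), (1, 4)
WHITELIST = [(S1, S2, S8), (S1, S2, S4, S5)]  # W1, W2 of steps 4.2 and 4.4
BLACKLIST = [(S1, S2, S6)]                    # B1: constructed
CURRENT = (S1, S2, S5)                        # cache after step 4.1
X_SAFE = 0.5                                  # threshold: constructed value


def worked_example() -> Tuple[float, float, float]:
    """Returns (d_black, d_white, P_threaten) for the sample data."""
    return (min_distance(CURRENT, BLACKLIST),
            min_distance(CURRENT, WHITELIST),
            threat_degree(CURRENT, BLACKLIST, WHITELIST))


if __name__ == "__main__":
    d_b, d_w, p = worked_example()
    print(f"d_black={d_b:.3f} d_white={d_w:.3f} P_threaten={p:.3f} "
          f"attack={under_attack(p, X_SAFE)}")
```

On the sample data the current sequence matches neither set, exactly as in steps 4.3 to 4.6, so the similarity path yields d_black = 1 and d_white = 2.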

Preferably, the power service message attack identification unit 404 is configured to compare the threat degree of the current state sequence with a preset security risk threshold and, when the threat degree of the current state sequence is greater than or equal to the preset security risk threshold, to determine that the power grid has suffered a power service message attack.

Preferably, the power service message attack identification unit 404 is further configured to determine that the power grid has not suffered a power service message attack if the threat degree of the current state sequence is less than the preset security risk threshold.

The business-logic-based power service message attack identification system 400 of this embodiment of the present invention corresponds to the business-logic-based power service message attack identification method 100 of another embodiment of the present invention, and is not described again here.

The present invention has been described with reference to a small number of embodiments. However, as is known to those skilled in the art, other embodiments than those disclosed above fall equally within the scope of the present invention, as defined by the appended patent claims.

Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/the [device, component, etc.]" are to be interpreted openly as at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified or replaced with equivalents, and any modification or equivalent replacement that does not depart from the spirit and scope of the present invention shall fall within the protection scope of the claims of the present invention.

Claims (14)

1.一种基于业务逻辑的电力业务报文攻击识别方法,其特征在于,所述方法包括:1. a power service message attack identification method based on business logic, is characterized in that, described method comprises: 从电力业务报文中获取一个当前状态节点的多点信号值序列和多点信号地址序列,根据所述多点信号地址序列确定与所述当前状态节点对应的控制块,并将所述多点信号值序列添加到所述控制块的状态序列上,获取当前状态序列;Obtain a multipoint signal value sequence and a multipoint signal address sequence of a current state node from a power service message, determine a control block corresponding to the current state node according to the multipoint signal address sequence, and assign the multipoint signal address sequence to the multipoint signal address sequence. The signal value sequence is added to the state sequence of the control block to obtain the current state sequence; 根据所述当前状态序列的多点信号地址序列分别确定与所述当前状态序列对应的危险状态序列集和安全状态序列集;Determine the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence respectively according to the multi-point signal address sequence of the current state sequence; 根据所述当前状态序列、危险状态序列集和安全状态序列集确定所述当前状态序列的威胁度;Determine the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set; 将所述当前状态序列的威胁度和预设的安全风险阈值进行比较,并当所述当前状态序列的威胁度大于等于预设的安全风险阈值时,确定电网遭受到了电力业务报文攻击。The threat degree of the current state sequence is compared with a preset security risk threshold, and when the threat degree of the current state sequence is greater than or equal to the preset security risk threshold, it is determined that the power grid has suffered a power service message attack. 2.根据权利要求1所述的方法,其特征在于,根据所述当前状态序列、危险状态序列集和安全状态序列集确定所述当前状态序列的威胁度,包括:2. 
The method according to claim 1, wherein determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safety state sequence set, comprising: 将所述当前状态序列与所述危险状态序列集进行匹配,若所述当前状态序列与所述危险状态序列集匹配成功,则确定所述当前状态序列的威胁度为1;Matching the current state sequence with the dangerous state sequence set, and if the current state sequence and the dangerous state sequence set are successfully matched, determine that the threat degree of the current state sequence is 1; 若所述当前状态序列与所述危险状态序列集匹配不成功,则将所述当前状态序列与所述安全状态序列集进行匹配,若所述当前状态序列与所述安全状态序列集匹配成功,则确定所述当前状态序列的威胁度为0。If the current state sequence is unsuccessfully matched with the dangerous state sequence set, the current state sequence is matched with the safe state sequence set, and if the current state sequence is successfully matched with the safe state sequence set, Then it is determined that the threat degree of the current state sequence is 0. 3.根据权利要求1或2所述的方法,其特征在于,根据所述当前状态序列、危险状态序列集和安全状态序列集确定所述当前状态序列的威胁度,包括:3. The method according to claim 1 or 2, wherein determining the threat degree of the current state sequence according to the current state sequence, the dangerous state sequence set and the safe state sequence set, comprising: 分别计算所述当前状态序列与所述危险状态序列集的第一最小距离,以及所述当前状态序列与所述安全状态序列集的第二最小距离;respectively calculating the first minimum distance between the current state sequence and the dangerous state sequence set, and the second minimum distance between the current state sequence and the safe state sequence set; 根据所述第一最小距离和第二最小距离计算所述当前状态序列的威胁度。The threat degree of the current state sequence is calculated according to the first minimum distance and the second minimum distance. 4.根据权利要求3所述的方法,其特征在于,根据所述第一最小距离和第二最小距离计算所述当前状态序列的威胁度,包括:4. 
The method according to claim 3, wherein calculating the threat degree of the current state sequence according to the first minimum distance and the second minimum distance, comprising: 其中,Pthreaten为当前状态序列的威胁度;dblack为第一最小距离;dwhite为第二最小距离。Among them, P threaten is the threat degree of the current state sequence; d black is the first minimum distance; d white is the second minimum distance. 5.根据权利要求2所述的方法,其特征在于,将所述当前状态序列与所述危险状态序列集进行匹配,包括:5. The method according to claim 2, wherein matching the current state sequence with the set of dangerous state sequences comprises: 步骤11,将当前状态序列status_sequencenow=(S′,pos_sequencenow)中S′=(status1,status2,…,statusn)的最新多点信号值序列statusn添加到缓存状态
Figure FDA0002202951780000021
中,其中,n1的初始值为0,添加后
Figure FDA0002202951780000022
Step 11 : Add the latest multi-point signal value sequence status n of S =(status 1 , status 2 , .
Figure FDA0002202951780000021
, where the initial value of n1 is 0, after adding
Figure FDA0002202951780000022
步骤12,顺序遍历危险状态序列集
Figure FDA0002202951780000023
中的所有规则,若满足n2>n-n1 andi≠t,则继续遍历;若满足n2>n-n1 and i=t,则表示匹配结束,遍历结束,继续执行安全状态序列集匹配模式;若满足n2<n-n1,则进入步骤13;否则,进入步骤14;
Step 12, traverse the dangerous state sequence set sequentially
Figure FDA0002202951780000023
all the rules in If n2>n-n1 andi≠t, continue to traverse; if n2>n-n1 and i=t are satisfied, it means the matching is over, the traversal is over, and continue to execute the security state sequence set matching mode; if n2<n- n1, then go to step 13; otherwise, go to step 14;
步骤13,将
Figure FDA0002202951780000025
的后n2项保留,则
Figure FDA0002202951780000026
Figure FDA0002202951780000027
并将n1置为n-n2,则
Figure FDA0002202951780000028
Figure FDA0002202951780000029
Step 13, will
Figure FDA0002202951780000025
The last n2 items are reserved, then
Figure FDA0002202951780000026
Figure FDA0002202951780000027
and set n1 to n-n2, then
Figure FDA0002202951780000028
Figure FDA0002202951780000029
步骤14,判断
Figure FDA00022029517800000210
是否与Bi相同;其中,若相同,则将
Figure FDA00022029517800000211
只保留最后一项,则
Figure FDA00022029517800000212
同时将n1置为n-1,并确定所述当前状态序列与所述危险状态序列集匹配成功,直接确定所述当前状态序列的威胁度为1;否则,返回步骤12继续遍历。
Step 14, judge
Figure FDA00022029517800000210
Is it the same as B i ; where, if it is the same, then
Figure FDA00022029517800000211
keep only the last item, then
Figure FDA00022029517800000212
At the same time, n1 is set to n-1, and it is determined that the current state sequence is successfully matched with the dangerous state sequence set, and the threat degree of the current state sequence is directly determined to be 1; otherwise, return to step 12 to continue traversing.
6.根据权利要求2所述的方法,其特征在于,所述将所述当前状态序列与所述安全状态序列集进行匹配,包括:6. The method according to claim 2, wherein the matching the current state sequence with the security state sequence set comprises: 步骤21,将当前状态序列status_sequencenow=(S′,pos_sequencenow)中S′=(status1,status2,…,statusn)的最新多点信号值序列statusn添加到缓存状态
Figure FDA00022029517800000213
中,其中,n3的初始值为0,添加后
Figure FDA00022029517800000214
Step 21: Add the latest multi -point signal value sequence status n of S′=( status1 , status2 , .
Figure FDA00022029517800000213
, where the initial value of n3 is 0, after adding
Figure FDA00022029517800000214
步骤22,顺序遍历安全状态序列集
Figure FDA00022029517800000215
中的所有规则,
Figure FDA0002202951780000031
若满足n4>n-n3 and i≠e,则进入步骤26;若满足n4>n-n3 and i=e,则表示匹配失败,遍历结束;若满足n4<n-n3,则进入步骤23;否则,进入步骤24;
Step 22, traverse the security state sequence set sequentially
Figure FDA00022029517800000215
all the rules in
Figure FDA0002202951780000031
If n4>n-n3 and i≠e are satisfied, go to step 26; if n4>n-n3 and i=e are satisfied, it means that the matching fails, and the traversal ends; if n4<n-n3 is satisfied, then go to step 23; Otherwise, go to step 24;
步骤23,将的后n4项保留,则
Figure FDA0002202951780000034
并将n3置为n-n4,则
Figure FDA0002202951780000035
Figure FDA0002202951780000036
Step 23, will The last n4 items are reserved, then
Figure FDA0002202951780000034
and set n3 to n-n4, then
Figure FDA0002202951780000035
Figure FDA0002202951780000036
步骤24,判断
Figure FDA0002202951780000037
是否与Wi相同,若不相同,则返回步骤22,继续遍历;否则,进入步骤25;
Step 24, judge
Figure FDA0002202951780000037
Whether it is the same as Wi , if not, return to step 22 and continue to traverse; otherwise, enter step 25;
步骤25,将
Figure FDA0002202951780000038
只保留最后一项,则
Figure FDA0002202951780000039
同时将n3置为n-1,将init_status置为1,确定所述当前状态序列与所述安全状态序列集匹配成功,直接确定所述当前状态序列的威胁度为0;其中init_status的初始值为0,用于标识是否进行一次安全状态序列完全匹配;
Step 25, will
Figure FDA0002202951780000038
keep only the last item, then
Figure FDA0002202951780000039
At the same time, set n3 to n-1, set init_status to 1, determine that the current state sequence is successfully matched with the security state sequence set, and directly determine that the threat degree of the current state sequence is 0; the initial value of init_status is 0, used to identify whether to perform a complete match of the security state sequence;
步骤26,若init_status为0,则进入步骤27,反之进入步骤28;Step 26, if init_status is 0, go to step 27, otherwise go to step 28; 步骤27,init_status为0,判断
Figure FDA00022029517800000310
是否为Wi的子集,若是,则确定所述当前状态序列与所述安全状态序列集匹配成功,直接确定所述当前状态序列的威胁度为0;否则,继续遍历安全状态序列集中的其他规则,返回步骤22;
Step 27, init_status is 0, judge
Figure FDA00022029517800000310
Whether it is a subset of Wi, if yes, then determine that the current state sequence is successfully matched with the security state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue to traverse other security state sequence sets rule, return to step 22;
步骤28,判断
Figure FDA00022029517800000311
是否与Wi的前n-n1项相同,若是,则确定所述当前状态序列与所述安全状态序列集匹配成功,直接确定所述当前状态序列的威胁度为0;否则,继续遍历安全状态序列集中的其他规则,返回步骤22。
Step 28, judge
Figure FDA00022029517800000311
Whether it is the same as the first n -n1 items of Wi, if yes, then determine that the current state sequence is successfully matched with the security state sequence set, and directly determine that the threat degree of the current state sequence is 0; otherwise, continue to traverse the security state Other rules in the sequence set, return to step 22.
7. The method according to claim 1, further comprising: if the threat degree of the current state sequence is less than the preset security risk threshold, determining that the power grid has not suffered a power service message attack.

8. A power service message attack identification system based on business logic, comprising:

a current state sequence determination unit, configured to obtain the multipoint signal value sequence and the multipoint signal address sequence of a current state node from a power service message, determine the control block corresponding to the current state node from the multipoint signal address sequence, and append the multipoint signal value sequence to the state sequence of that control block to obtain the current state sequence;

a dangerous state sequence set and safe state sequence set determination unit, configured to determine, from the multipoint signal address sequence of the current state sequence, the dangerous state sequence set and the safe state sequence set corresponding to the current state sequence;

a threat degree determination unit, configured to determine the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set; and

a power service message attack identification unit, configured to compare the threat degree of the current state sequence with a preset security risk threshold and, when the threat degree of the current state sequence is greater than or equal to the preset security risk threshold, determine that the power grid has suffered a power service message attack.

9. The system according to claim 8, wherein the threat degree determination unit determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:

a dangerous state sequence set matching module, configured to match the current state sequence against the dangerous state sequence set and, if the current state sequence matches the dangerous state sequence set, set the threat degree of the current state sequence to 1; and

a safe state sequence set matching module, configured to match the current state sequence against the safe state sequence set if the match against the dangerous state sequence set fails and, if the current state sequence matches the safe state sequence set, set the threat degree of the current state sequence to 0.

10. The system according to claim 8 or 9, wherein the threat degree determination unit determining the threat degree of the current state sequence from the current state sequence, the dangerous state sequence set and the safe state sequence set comprises:

a first minimum distance and second minimum distance determination module, configured to calculate the first minimum distance between the current state sequence and the dangerous state sequence set, and the second minimum distance between the current state sequence and the safe state sequence set; and

a threat degree determination module, configured to calculate the threat degree of the current state sequence from the first minimum distance and the second minimum distance.

11. The system according to claim 10, wherein the threat degree determination module calculating the threat degree of the current state sequence from the first minimum distance and the second minimum distance comprises:
(formula for P_threaten, given as image FDA0002202951780000041 in the original; not rendered on this page)

where P_threaten is the threat degree of the current state sequence, d_black is the first minimum distance and d_white is the second minimum distance.
12. The system according to claim 10, wherein the dangerous state sequence set matching module matching the current state sequence against the dangerous state sequence set comprises:

Step 11: append the latest multipoint signal value sequence status_n of S' = (status_1, status_2, ..., status_n), where the current state sequence is status_sequence_now = (S', pos_sequence_now), to the cache state (its symbol and contents are given only as images in the original; the comparisons below treat it as holding the last n-n1 items of S'); the initial value of n1 is 0.

Step 12: traverse in order all rules in the dangerous state sequence set (set and rule notation given as images in the original; the set holds t rules and rule B_i has n2 items). If n2 > n-n1 and i ≠ t, continue traversing; if n2 > n-n1 and i = t, the matching ends, the traversal ends, and the safe state sequence set matching is carried out; if n2 < n-n1, go to step 13; otherwise go to step 14.

Step 13: keep the last n2 items of the cache state and set n1 to n-n2.

Step 14: judge whether the cache state is the same as B_i. If it is, keep only the last item of the cache state, set n1 to n-1, determine that the current state sequence matches the dangerous state sequence set, and set the threat degree of the current state sequence directly to 1; otherwise return to step 12 and continue traversing.
13. The system according to claim 10, wherein the safe state sequence set matching module matching the current state sequence against the safe state sequence set comprises:

Step 21: append the latest multipoint signal value sequence status_n of S' = (status_1, status_2, ..., status_n), where the current state sequence is status_sequence_now = (S', pos_sequence_now), to the cache state (its symbol and contents are given only as images in the original; the comparisons below treat it as holding the last n-n3 items of S'); the initial value of n3 is 0.

Step 22: traverse in order all rules in the safe state sequence set (set and rule notation given as images in the original; the set holds e rules and rule W_i has n4 items). If n4 > n-n3 and i ≠ e, go to step 26; if n4 > n-n3 and i = e, the matching fails and the traversal ends; if n4 < n-n3, go to step 23; otherwise go to step 24.

Step 23: keep the last n4 items of the cache state and set n3 to n-n4.

Step 24: judge whether the cache state is the same as W_i. If not, return to step 22 and continue traversing; otherwise go to step 25.

Step 25: keep only the last item of the cache state, set n3 to n-1, set init_status to 1, determine that the current state sequence matches the safe state sequence set, and set the threat degree of the current state sequence directly to 0. The initial value of init_status is 0; it records whether a complete safe state sequence match has already taken place.

Step 26: if init_status is 0, go to step 27; otherwise go to step 28.

Step 27 (init_status is 0): judge whether the cache state is a subset of W_i. If it is, determine that the current state sequence matches the safe state sequence set and set the threat degree of the current state sequence directly to 0; otherwise return to step 22 and continue traversing the other rules in the safe state sequence set.

Step 28: judge whether the cache state is the same as the first n-n1 items of W_i. If it is, determine that the current state sequence matches the safe state sequence set and set the threat degree of the current state sequence directly to 0; otherwise return to step 22 and continue traversing the other rules in the safe state sequence set.
14. The system according to claim 8, wherein the power service message attack identification unit is further configured to: if the threat degree of the current state sequence is less than the preset security risk threshold, determine that the power grid has not suffered a power service message attack.
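The blacklist and whitelist matching of claims 12 and 13, together with the minimum distances of claim 10, as an added Python example written for this page (it is not the patent's own code). Where the claims leave something open, the code takes a stated position: the cache contents, shown only as images above, are modelled as the last n-n1 (or n-n3) items of S'; the "subset" test of step 27 is read as the cache occurring as a contiguous run inside W_i; the "i = e, matching fails" branch of step 22 is read as the traversal being exhausted after steps 26 to 28 have been tried on every longer rule; and the distance metric, which the claims do not name, is an edit distance counting whole statuses. The rule sets and the three-signal switching sequences are constructed sample data.

```python
"""Sliding-cache matching of a control block's state sequence against a dangerous
(blacklist) and a safe (whitelist) state sequence set, following claims 12 and 13.
Example code written for this page; it is not code from the patent."""
from typing import List, Optional, Sequence, Tuple

Status = Tuple[int, ...]   # one multipoint signal value sequence status_k, e.g. (breaker, bus isolator, line isolator)
Rule = Tuple[Status, ...]  # one dangerous rule B_i or safe rule W_i: an ordered run of statuses


def is_contiguous_fragment(cache: Sequence[Status], rule: Rule) -> bool:
    """Step 27's "subset" test, read here as: the cache occurs as a contiguous run inside W_i."""
    k = len(cache)
    return any(tuple(cache) == rule[i:i + k] for i in range(len(rule) - k + 1))


def levenshtein(a: Sequence[Status], b: Sequence[Status]) -> int:
    """Edit distance counting whole statuses. Assumed metric: the claims only say "minimum distance"."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


class SequenceMatcher:
    """Keeps S', both caches and the counters n1, n3 and init_status between messages."""

    def __init__(self, black_rules: Sequence[Rule], white_rules: Sequence[Rule]) -> None:
        self.black_rules = list(black_rules)  # B_1 .. B_t, traversed in this order
        self.white_rules = list(white_rules)  # W_1 .. W_e, traversed in this order
        self.history: List[Status] = []       # S' = (status_1, ..., status_n)
        self.black_cache: List[Status] = []   # the last n - n1 items of S'
        self.white_cache: List[Status] = []   # the last n - n3 items of S'
        self.init_status = 0                  # 1 once a complete safe-sequence match has happened

    def match_black(self, status: Status) -> bool:
        """Steps 11-14: True when the cache equals some B_i."""
        self.black_cache.append(status)                      # step 11
        for rule in self.black_rules:                        # step 12
            n2, cached = len(rule), len(self.black_cache)
            if n2 > cached:                                  # rule longer than the cache: next rule
                continue
            if n2 < cached:                                  # step 13: keep the last n2 items (n1 = n - n2)
                self.black_cache = self.black_cache[-n2:]    # this trim persists for the rules that follow
            if tuple(self.black_cache) == rule:              # step 14
                self.black_cache = self.black_cache[-1:]     # keep only the newest item (n1 = n - 1)
                return True
        return False                                         # i = t reached: fall through to the safe set

    def match_white(self, status: Status) -> bool:
        """Steps 21-28: True on a full match of W_i, or a fragment/prefix match of a longer W_i."""
        self.white_cache.append(status)                      # step 21
        for rule in self.white_rules:                        # step 22
            n4, cached = len(rule), len(self.white_cache)
            if n4 > cached:                                  # steps 26-28: rule longer than the cache
                if self.init_status == 0:
                    if is_contiguous_fragment(self.white_cache, rule):    # step 27
                        return True
                elif tuple(self.white_cache) == rule[:cached]:            # step 28: cache is a prefix of W_i
                    return True
                continue
            if n4 < cached:                                  # step 23: keep the last n4 items (n3 = n - n4)
                self.white_cache = self.white_cache[-n4:]
            if tuple(self.white_cache) == rule:              # step 24
                self.white_cache = self.white_cache[-1:]     # step 25 (n3 = n - 1)
                self.init_status = 1
                return True
        return False                                         # i = e reached with no match: matching failed

    def threat_degree(self, status: Status) -> Optional[float]:
        """Claim 9: 1 on a dangerous match, 0 on a safe match, None when neither set matches."""
        self.history.append(status)
        if self.match_black(status):
            return 1.0
        if self.match_white(status):
            return 0.0
        return None

    def min_distances(self) -> Tuple[int, int]:
        """Claim 10: (d_black, d_white), the minimum distances from S' to each rule set."""
        d_black = min(levenshtein(self.history, r) for r in self.black_rules)
        d_white = min(levenshtein(self.history, r) for r in self.white_rules)
        return d_black, d_white


# Constructed sample data, not from the patent. Signals: (breaker, bus isolator, line isolator), 1 = closed.
WHITE_RULES: List[Rule] = [((1, 1, 1), (0, 1, 1), (0, 0, 1), (0, 0, 0))]  # breaker opens before either isolator
BLACK_RULES: List[Rule] = [((1, 1, 1), (1, 0, 1))]                         # isolator opened with the breaker closed
NORMAL_SWITCHING: List[Status] = [(1, 1, 1), (0, 1, 1), (0, 0, 1), (0, 0, 0)]
UNDER_LOAD: List[Status] = [(1, 1, 1), (1, 0, 1)]


def analyse(statuses: Sequence[Status]) -> Tuple[List[Optional[float]], Tuple[int, int]]:
    """Feed one control block's message stream through a fresh matcher."""
    m = SequenceMatcher(BLACK_RULES, WHITE_RULES)
    degrees = [m.threat_degree(s) for s in statuses]
    return degrees, m.min_distances()
```

analyse(NORMAL_SWITCHING) returns ([0.0, 0.0, 0.0, 0.0], (3, 0)): the first three messages are accepted through step 27 as fragments of W_1 and the fourth completes it, which sets init_status. analyse(UNDER_LOAD) returns ([0.0, 1.0], (0, 3)), because the second message completes B_1 and the blacklist is consulted before the whitelist (claim 9). A fifth message (1, 1, 0) after the normal sequence matches neither set and yields None with distances (4, 1), the input to the P_threaten formula of claim 11. Because steps 13 and 23 trim the caches in place, the order in which rules are traversed changes the outcome: sorting each set by descending rule length keeps a short rule from discarding context that a longer rule of the cache's length still needs.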
CN201910871501.XA 2019-09-16 2019-09-16 Electric power business message attack identification method and system based on business logic Active CN110751570B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910871501.XA CN110751570B (en) 2019-09-16 2019-09-16 Electric power business message attack identification method and system based on business logic

Publications (2)

Publication Number Publication Date
CN110751570A true CN110751570A (en) 2020-02-04
CN110751570B CN110751570B (en) 2024-09-17

Family

ID=69276463

Country Status (1)

Country Link
CN (1) CN110751570B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030236995A1 (en) * 2002-06-21 2003-12-25 Fretwell Lyman Jefferson Method and apparatus for facilitating detection of network intrusion
CN108092948A (en) * 2016-11-23 2018-05-29 China Mobile Group Hubei Co Ltd Network attack pattern recognition method and device
CN106790313A (en) * 2017-03-31 2017-05-31 Hangzhou DPtech Technologies Co Ltd Intrusion prevention method and device
CN109246027A (en) * 2018-09-19 2019-01-18 Tencent Technology (Shenzhen) Co Ltd Network operation method, apparatus and terminal device
CN109586282A (en) * 2018-11-29 2019-04-05 Anhui Jiyuan Software Co Ltd Power grid unknown threat detection system and method
CN109787960A (en) * 2018-12-19 2019-05-21 Ping An Life Insurance Company of China Ltd Abnormal traffic data identification method, device, medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yi Enze et al.: "Design and Implementation of a QR Code Security Detection System for Android Smart Terminals" (Android智能终端二维码安全检测系统的设计与实现), Computer Knowledge and Technology (电脑知识与技术), vol. 13, no. 08 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615808A (en) * 2020-10-27 2021-04-06 State Grid Zhejiang Electric Power Co Ltd, Shaoxing Power Supply Company Method, device and equipment for representing a white list of process layer messages of an intelligent substation
CN115460003A (en) * 2022-09-13 2022-12-09 State Grid Smart Grid Research Institute Co Ltd Attack identification method and device, electronic equipment and storage medium
CN115460003B (en) * 2022-09-13 2024-12-27 State Grid Smart Grid Research Institute Co Ltd Attack identification method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
Kaur et al. Hybrid intrusion detection and signature generation using deep recurrent neural networks
CN109962891B (en) Method, apparatus, device and computer storage medium for monitoring cloud security
Meng et al. Design of intelligent KNN‐based alarm filter using knowledge‐based alert verification in intrusion detection
WO2019006412A1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
CN110474885B (en) Alarm correlation analysis method based on time series and IP address
WO2016082284A1 (en) Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-profile model
JP5832951B2 (en) Attack determination device, attack determination method, and attack determination program
CN106209862A Account hijacking defense implementation method and device
CN108337219B (en) Method for preventing Internet of things from being invaded and storage medium
CN104901971A (en) Method and device for carrying out safety analysis on network behaviors
CN110519276A Method for detecting lateral movement attacks in an intranet
CN110213226A Cyber-attack scenario reconstruction method and system based on risk whole-factor identification and association
CN108737336A (en) Threat behavior processing method and processing device, equipment and storage medium based on block chain
CN112769833B (en) Method and device for detecting command injection attack, computer equipment and storage medium
Alruwaili Intrusion detection and prevention in industrial iot: A technological survey
KR20200068608A (en) Method of defending an attack to defend against cyber attacks on packet data and apparatuses performing the same
CN110751570A (en) A method and system for identifying attacks on power service packets based on business logic
Surendhar et al. Detection of payload injection in firewall using machine learning
Jain et al. A literature review on machine learning for cyber security issues
CN113709097A (en) Network risk perception method and defense method
CN110881016B (en) Network security threat assessment method and device
CN111935085A (en) Method and system for detecting and protecting abnormal network behaviors of industrial control network
Bahareth et al. Constructing attack scenario using sequential pattern mining with correlated candidate sequences
CN117411711A (en) Threat blocking method for intrusion detection defense system
KR102022626B1 (en) Apparatus and method for detecting attack by using log analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant