CN114825607B - Attack behavior monitoring method and device for relay protection information processing system - Google Patents

Info

Publication number: CN114825607B
Authority: CN (China)
Prior art keywords: message, attack, relay protection, determined, service
Legal status: Active
Application number: CN202111675512.4A
Other languages: Chinese (zh)
Other versions: CN114825607A
Inventors: 刘绚, 王文博, 张博, 宋宇飞, 于宗超
Current assignee: Hunan University
Original assignee: Hunan University
Legal events: application filed by Hunan University; priority to CN202111675512.4A; publication of CN114825607A; application granted; publication of CN114825607B; current legal status active.

Classifications

    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J 13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H02J 13/00002 As H02J 13/00, characterised by monitoring
    • H02J 13/00006 As H02J 13/00, characterised by information or instructions transport means between the monitoring, controlling or managing units and the monitored, controlled or operated power network element or electrical equipment
    • H02J 13/00028 As H02J 13/00006, involving the use of Internet protocols
    • H02J 13/00032 Systems characterised by the controlled or operated power network elements or equipment, the power network elements or equipment not otherwise provided for
    • H02J 13/00036 As H02J 13/00032, the elements or equipment being or involving switches, relays or circuit breakers
    • H02J 13/0004 As H02J 13/00036, involved in a protection system
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 As H04L 63/00, for detecting or protecting against malicious traffic
    • H04L 63/1408 As H04L 63/14, by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The present invention discloses a method and device for monitoring attack behavior in a relay protection information processing system. Application layer messages are extracted from the system's flow data captured in real time and parsed according to the IEC 60870-5-103 protocol. The parsed messages are then checked for clock tampering attacks, and then for malformed message attacks against the format requirements of the protocol. Finally, normal behavior models are established for each type of system service, and application layer attack behavior detection is performed on the flow data against these models. The invention overcomes the shortcoming of existing attack detection methods for relay protection information processing systems, which focus on analysing data from the measurement points of relay protection devices and lack attack detection on the application layer messages of the flow data, and thereby improves the accuracy of attack behavior detection.

Description

Method and device for monitoring attack behaviors of relay protection information processing system
Technical Field
The invention relates to the field of power system information security, and in particular to a method and a device for monitoring attack behaviors of a relay protection information processing system.
Background
With the continuing improvement of substation automation and dispatching automation, the power system is becoming increasingly informatized and intelligent. The relay protection information processing system, consisting of relay protection devices, safety automatic devices and fault recorders, has become an important component of the power system. It collects action information and running state information from the relay protection devices in real time, analyzes the action information of the protection devices automatically and in depth, and assists power dispatching personnel in quickly judging protection actions, locating faults, making decisions and handling accidents. Reliable transmission and correct processing of relay protection information are therefore of great significance for the safe and stable operation of the power system.
The relay protection information processing system transmits information using the IEC 60870-5-103 protocol. Because the protocol was designed without authentication, authorization or encryption mechanisms, it is exposed to network attacks such as message theft, interception and tampering. Existing network attack detection methods for relay protection systems, however, focus on analysing data from the measurement points of the relay protection devices, so false alarms and missed detections occur easily, and detection of attack behavior at the message layer for specific relay protection services is lacking. A new method for monitoring attack behavior in the relay protection information processing system is therefore needed, to improve the accuracy of attack behavior detection and strengthen the network security defense capability of the power system.
Disclosure of Invention
The technical problem solved by the invention is to provide, in view of the defects of the prior art, an attack behavior monitoring method and device for a relay protection information processing system, so that the limitation of existing detection methods, which cannot detect attack behavior against relay protection system services at the application layer, is effectively overcome, and the security and reliability of the relay protection information processing system are improved.
To solve this technical problem, the invention adopts the following technical scheme. A method for monitoring attack behavior of a relay protection information processing system comprises the following steps:
S1. Capture the flow data packets of the relay protection information processing system in real time and extract the application layer message of the current frame of flow data;
S2. Perform field-level parsing of the application layer message;
S3. Perform clock tampering attack detection on the parsed message: if the clock range, clock logic, clock synchronization or clock delay of the message does not match the normal clock characteristics, judge that a clock tampering attack exists; otherwise enter step S4;
S4. Perform malformed message attack detection on the parsed message: if the length field, type identifier, cause of transmission or information number of the message does not conform to the protocol requirements, judge that a malformed message attack exists; otherwise enter step S5;
S5. Perform attack detection on the parsed message according to the service system to which it belongs: if the parsed message does not conform to the normal service model, judge that a service logic attack exists; otherwise judge that the current frame of flow data is normal flow.
The invention parses the application layer message of the flow data of the relay protection information processing system according to the IEC 60870-5-103 protocol, and performs clock tampering attack detection, malformed message attack detection and service logic attack detection on the parsed message. This effectively overcomes the limitation that existing detection methods cannot detect attack behavior against relay protection system services at the application layer, and improves the security and reliability of the relay protection information processing system.
In step S3, the specific implementation of clock tampering attack detection on the parsed message comprises:
1) Judge whether Y_t ∈ [1970, 2069] holds; if not, judge that the clock has been tampered with, otherwise enter step 2); wherein Y_t represents the year of the time stamp, obtained from the year identification byte value of the time stamp;
2) Judge whether the formula holds; if not, judge that the clock has been tampered with, otherwise enter step 3); wherein the universal quantifier is read "for any", P is the application layer message parsed in step S2, P_DS is the set of IEC 60870-5-103 time synchronization messages, A_g(P) is the value of the high 8 bits of the ASDU address of the message, F denotes the hexadecimal digit 15, and H denotes hexadecimal notation;
3) Judge whether the formula holds; if not, judge that the clock has been tampered with, otherwise enter step 4); wherein P_DZ represents the set of IEC 60870-5-103 alarm, remote signaling deflection and action event data reports, T_js(P) represents the time at which the event was received by the substation, and T_sj(P) represents the time at which the event actually occurred;
4) Detect whether the time period of the historical fault information uploaded by the substation is consistent with the time period of the historical fault information called by the master station; if not, judge that a clock tampering attack exists, otherwise enter step 5);
5) Judge whether the formula holds; if not, judge that the clock has been tampered with, otherwise enter step S4; wherein P_XC represents the set of IEC 60870-5-103 master-substation information transmission messages, T_cs(P) represents the information transmission time, T_max represents the maximum delay time, P_1 represents relay protection device action information transmission messages, P_2 represents relay protection device analog measurement value transmission messages, P_3 represents relay protection device running state transmission messages, and P_4 represents relay protection device fixed value (setting value) transmission messages.
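The clock checks of steps 1), 2), 3) and 5) as runnable detection logic. This is an added example, not code from the patent: the page does not reproduce the formulas of steps 2), 3) and 5), so the conditions used (time synchronization messages carry the broadcast ASDU high byte FFH, an event is received no earlier than it occurred, and transmission delay stays within an assumed T_max of 5 s) are this example's reading of the symbol definitions, and the 7-octet time tag decoding follows the CP56Time2a layout.

```python
"""Clock tampering checks for IEC 60870-5-103 messages (added example, not patent code).

Messages are modelled as small records after field-level parsing (step S2).
Step 4) (historical fault period consistency) is not covered here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

YEAR_WINDOW = (1970, 2069)        # step 1): Y_t must lie in [1970, 2069]
T_MAX = timedelta(seconds=5)      # step 5): T_max, an assumed site-specific bound
BROADCAST_HI = 0xFF               # step 2): assumed A_g(P) value for time sync (FFH)


def decode_time_tag(tag: bytes) -> Tuple[int, datetime]:
    """Decode the 7-octet IEC 60870-5-103 time tag (CP56Time2a layout).

    Octets: milliseconds (2, little-endian), minute (6 bits), hour (5 bits),
    day of month (5 bits), month (4 bits), year (7 bits). Returns the year
    Y_t derived from the year byte together with the full timestamp; raises
    ValueError when a field is outside its calendar range.
    """
    if len(tag) != 7:
        raise ValueError("time tag must be 7 octets")
    ms = tag[0] | (tag[1] << 8)
    minute, hour = tag[2] & 0x3F, tag[3] & 0x1F
    day, month, yy = tag[4] & 0x1F, tag[5] & 0x0F, tag[6] & 0x7F
    # Assumed century rule: 70..99 -> 19xx, anything else -> 20xx. Well-formed
    # year bytes (0..99) land exactly in [1970, 2069]; a tampered byte above 99
    # yields a year of 2100 or later and fails the window check.
    year = 1900 + yy if 70 <= yy <= 99 else 2000 + yy
    return year, datetime(year, month, day, hour, minute, ms // 1000, (ms % 1000) * 1000)


def encode_time_tag(t: datetime) -> bytes:
    """Inverse of decode_time_tag; used here only to construct sample messages."""
    ms = t.second * 1000 + t.microsecond // 1000
    return bytes([ms & 0xFF, ms >> 8, t.minute, t.hour, t.day, t.month, t.year % 100])


@dataclass
class Msg:
    kind: str            # "sync" (P_DS), "event" (P_DZ), "xfer" (P_XC) or other
    asdu_addr: int       # 16-bit ASDU address; its high 8 bits are A_g(P)
    time_tag: bytes      # 7-octet time tag carried in the message
    recv_time: datetime  # capture/receive time at the monitor (T_js; basis of T_cs)


def check_clock(msg: Msg) -> Optional[str]:
    """Return None if the clock characteristics are normal, else the failed check."""
    try:
        year, t = decode_time_tag(msg.time_tag)
    except ValueError:
        return "clock range"                       # undecodable calendar fields
    if not YEAR_WINDOW[0] <= year <= YEAR_WINDOW[1]:
        return "clock range"                       # step 1)
    if msg.kind == "sync" and ((msg.asdu_addr >> 8) & 0xFF) != BROADCAST_HI:
        return "clock synchronization"             # step 2), assumed reading
    if msg.kind == "event" and msg.recv_time < t:
        return "clock logic"                       # step 3): T_js(P) >= T_sj(P), assumed
    if msg.kind == "xfer":
        delay = msg.recv_time - t                  # T_cs(P), assumed definition
        if delay < timedelta(0) or delay > T_MAX:
            return "clock delay"                   # step 5)
    return None


# Constructed sample traffic (not captured data).
SAMPLE_T0 = datetime(2023, 6, 15, 10, 30, 12, 500000)
SAMPLE_TAG = encode_time_tag(SAMPLE_T0)
SAMPLES = {
    "normal_event": Msg("event", 0x0101, SAMPLE_TAG, SAMPLE_T0 + timedelta(milliseconds=80)),
    "future_event": Msg("event", 0x0101, SAMPLE_TAG, SAMPLE_T0 - timedelta(seconds=1)),
    "bad_year":     Msg("event", 0x0101, SAMPLE_TAG[:6] + bytes([0x7F]), SAMPLE_T0),
    "sync_unicast": Msg("sync", 0x0101, SAMPLE_TAG, SAMPLE_T0),
    "sync_bcast":   Msg("sync", 0xFF01, SAMPLE_TAG, SAMPLE_T0),
    "slow_xfer":    Msg("xfer", 0x0101, SAMPLE_TAG, SAMPLE_T0 + timedelta(seconds=10)),
}


def run_samples() -> dict:
    """Apply check_clock to every constructed sample; returns name -> verdict."""
    return {name: check_clock(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} -> {verdict or 'normal'}")
```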
Through clock tampering attack detection on the flow data of the relay protection information processing system, the invention can identify attack behavior aimed at clock characteristics such as clock range, clock logic, clock synchronization and clock delay, overcoming the defect that existing detection methods focus on numerical analysis of time stamps and cannot detect anomalies in characteristics such as time stamp logic. Clock tampering attack detection effectively prevents abnormal operating conditions of relay protection devices caused by abnormal clocks, and at the same time prevents an attacker from maliciously widening the time range of information uploads in order to obtain system information illegitimately, thereby improving the ability of the relay protection information processing system to cope with non-numerical time stamp tampering attacks.
The specific implementation of malformed message attack detection on the parsed message comprises the following steps:
I) Judge whether the formula holds; if not, judge that a malformed message attack exists, otherwise enter step II); wherein P_IEC103 represents the set of IEC 60870-5-103 messages, F_l(P) represents the theoretical length of the message, and L_s(P) represents the actual length of the message;
II) Judge whether the formula holds; if not, judge that a malformed message attack exists, otherwise enter step III);
III) Judge whether the formula holds; if not, judge that a malformed message attack exists, otherwise enter step IV); wherein F_t(P) represents the value of the type identification field of the message;
IV) Judge whether the formula holds; if not, judge that a malformed message attack exists, otherwise enter step V); wherein F_c(P) represents the value of the cause of transmission field of the message;
V) Judge whether the formula holds; if not, judge that a malformed message attack exists, otherwise enter step S5; wherein F_i(P) represents the value of the information number field of the message.
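Steps I) to V) as a frame-level check over IEC 60870-5-103 link frames. This is an added example, not code from the patent: the frame layout is the FT1.2 variable-length format used by the standard, the type identification and cause of transmission sets are those defined by IEC 60870-5-103, the per-type information number table is a constructed partial one, and, since the page does not reproduce the formula of step II), the checksum and end-octet check is placed at that position as this example's own assumption.

```python
"""Malformed message checks for IEC 60870-5-103 frames (added example, not patent code).

FT1.2 variable-length frame:   68h L L 68h | C A <ASDU ...> | CS 16h
L counts the control octet C, the link address A and the ASDU; CS is the
arithmetic sum of those L octets modulo 256. The ASDU begins with type
identification (TYP), variable structure qualifier (VSQ), cause of transmission
(COT), common address (ADR), function type (FUN) and information number (INF).
"""
from typing import Optional

START, END = 0x68, 0x16
HEADER, TRAILER = 4, 2              # 68 L L 68 ... CS 16
ASDU_HEADER = 6                     # TYP VSQ COT ADR FUN INF

# Type identifications and causes of transmission defined by IEC 60870-5-103.
VALID_TYP = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31}
VALID_COT = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20, 21, 31, 40, 41, 42, 43, 44}
# Information numbers admitted per TYP: a constructed, partial table for the
# demo (time sync and general interrogation start/end all use INF 0); a real
# deployment uses the device's full function-type / information-number map.
VALID_INF_BY_TYP = {6: {0}, 7: {0}, 8: {0}}


def theoretical_length(frame: bytes) -> int:
    """F_l(P): total frame length implied by the L field."""
    return HEADER + frame[1] + TRAILER


def check_malformed(frame: bytes) -> Optional[str]:
    """Return None for a well-formed frame, else the name of the failed check."""
    if len(frame) < HEADER + TRAILER or frame[0] != START or frame[3] != START:
        return "framing"
    if frame[1] != frame[2]:
        return "length"                                   # duplicated L octets disagree
    if theoretical_length(frame) != len(frame):           # step I): F_l(P) vs L_s(P)
        return "length"
    L = frame[1]
    body = frame[HEADER:HEADER + L]
    if (sum(body) & 0xFF) != frame[HEADER + L] or frame[HEADER + L + 1] != END:
        return "checksum"                                 # step II), assumed content
    if L < 2 + ASDU_HEADER:
        return "length"                                   # no room for the ASDU header
    typ, _vsq, cot, _adr, _fun, inf = body[2:2 + ASDU_HEADER]
    if typ not in VALID_TYP:
        return "type identification"                      # step III): F_t(P)
    if cot not in VALID_COT:
        return "cause of transmission"                    # step IV): F_c(P)
    allowed = VALID_INF_BY_TYP.get(typ)
    if allowed is not None and inf not in allowed:
        return "information number"                       # step V): F_i(P)
    return None


def build_frame(control: int, addr: int, asdu: bytes) -> bytes:
    """Assemble a well-formed FT1.2 frame; used here only to construct samples."""
    body = bytes([control, addr]) + asdu
    L = len(body)
    return bytes([START, L, L, START]) + body + bytes([sum(body) & 0xFF, END])


# Constructed samples: a master-station time synchronization (TYP 6, COT 8,
# broadcast ADR 255, FUN 255, INF 0, 7-octet time tag) and tampered variants.
TIME_TAG = bytes([0xD4, 0x30, 30, 10, 15, 6, 23])
GOOD_SYNC = build_frame(0x53, 0x01, bytes([6, 0x81, 8, 0xFF, 0xFF, 0]) + TIME_TAG)
SAMPLES = {
    "good_sync": GOOD_SYNC,
    "truncated": GOOD_SYNC[:-1],
    "bad_checksum": GOOD_SYNC[:-2] + bytes([GOOD_SYNC[-2] ^ 0x01, END]),
    "bad_typ": build_frame(0x53, 0x01, bytes([99, 0x81, 8, 0xFF, 0xFF, 0]) + TIME_TAG),
    "bad_cot": build_frame(0x53, 0x01, bytes([6, 0x81, 99, 0xFF, 0xFF, 0]) + TIME_TAG),
    "bad_inf": build_frame(0x53, 0x01, bytes([6, 0x81, 8, 0xFF, 0xFF, 5]) + TIME_TAG),
}


def run_samples() -> dict:
    """Apply check_malformed to every constructed sample; returns name -> verdict."""
    return {name: check_malformed(f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} -> {verdict or 'well-formed'}")
```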
This malformed message attack detection can identify malformed messages even when the message format is correct, including malformed message lengths and malformed field thresholds, overcoming the limitation that conventional methods can only perform validity checks on the message format. In addition, malformed message attack detection locates the malformed position within the specific service to which the message belongs before that service is executed, so that the anomaly can be reported quickly to the dispatching center, the communication process of the service in the relay protection information processing system re-established and normal service messages sent, preventing the malformed message from causing abnormal operation and affecting the execution of normal services.
In step S5, when the message belongs to the read-substation-configuration service, the specific implementation of attack detection on the parsed message comprises:
Judge whether the formula holds; if not, judge that a malicious interception attack on the configuration data exists; otherwise judge whether the formula holds, and if not, judge that a data tampering attack exists, otherwise judge that the current frame of flow data is normal flow; wherein P_BT represents the set of read-substation-configuration service messages in the relay protection information processing system, B_n(P) represents the number of headers sent by the substation, B_s represents the number of all headers configured in the substation, B_zh(P) represents the group number of each item of the same group of header information, and C_zh represents the group number of the current group of header information.
Detection of read-substation-configuration service logic attacks can determine whether the configuration information has been uploaded completely and whether each item of configuration information is consistent with its group number. This overcomes the defect that existing attack detection methods for relay protection information processing systems focus on analysing data from the measurement points of the relay protection devices and lack detection of attacks on the service logic of application layer messages in the flow data, and effectively avoids the risk of interception and tampering of configuration information.
In step S5, when the message belongs to the protection event service, the specific implementation of attack detection on the parsed message comprises:
A) Judge whether the formula holds; if not, judge that a malicious double-point information tampering attack exists, otherwise enter step B); wherein P_BH represents the set of protection event report messages in the relay protection information processing system, and D_pi(P) represents the double-point information value;
B) Detect whether the message logic of the frames before and after a switching value deflection, an action signal or a pressing plate state change is correct. If a switching value is on/off in the previous frame and still on/off in the next frame, if an action signal is reset/acted in the previous frame and still reset/acted in the next frame, or if a pressing plate is not engaged/engaged in the previous frame and still not engaged/engaged in the next frame, judge that a malicious opening and closing attack exists; otherwise enter step C);
C) Judge whether the formula holds; if not, judge that an illegal action event upload attack exists, otherwise judge that the current frame of flow data is normal flow; wherein L_bh(P) represents the type identifier of the protection event message, P_5 represents the set of alarm or switching value deflection event messages, and P_6 represents the set of action event messages.
Protection event upload service logic attack detection can detect malicious tampering attacks and illegal upload attacks on the various protection events in the relay protection information processing system. Service logic attacks on protection events can be hidden deep within normal flow data, and such highly stealthy attacks are hard to detect with existing methods that only analyse data from the measurement points of relay protection devices. The invention incorporates the upload service logic of protection events in the application layer messages of the flow data, improving the accuracy of attack behavior detection for the relay protection information processing system.
In step S5, when the message belongs to the wave recording briefing (disturbance record summary) upload service, the specific implementation of attack detection on the parsed message comprises:
i) Judge whether the formula holds; if not, judge that a malicious trip phase tampering attack exists, otherwise enter step ii); wherein P_LB represents the set of wave recording briefing service messages in the relay protection information processing system, G_xb(P) represents the fault phase, and Z_xb(P) represents the tripping phase;
ii) Judge whether the formula holds; if not, judge that a ground fault flag bit data tampering attack exists, otherwise enter step iii); wherein D_3 represents the value of the short-circuit ground fault flag bit of the message, D_0 represents the value of the A-phase short-circuit fault flag bit, D_1 the value of the B-phase short-circuit fault flag bit, and D_2 the value of the C-phase short-circuit fault flag bit;
iii) Detect whether reclosing in the wave recording briefing is abnormal: if reclosing occurred after the fault but the reclosing time is 0, or no reclosing occurred but the reclosing time is not 0, judge that the reclosing time has been tampered with; otherwise judge that the current frame of flow data is normal flow.
Detection of wave recording briefing service logic attacks can identify malicious trip phase tampering attacks, ground fault flag bit data tampering attacks and reclosing time tampering attacks. Information in the wave recording briefing upload service, such as trip phase, fault flags and reclosing time, must be extracted through field-level deep parsing of the application layer messages of the relay protection information system flow data; such attacks cannot be identified through format verification of the message alone. The attack detection method of the invention overcomes the limitation that existing detection methods cannot check the timing and context logic of the wave recording briefing, and improves the ability to protect the integrity and accuracy of wave recording briefing data.
In step S5, when the message belongs to the fixed value (setting value) operation service, the specific implementation of attack detection on the parsed message comprises:
Judge whether the logic X_g1 → X_g2 → X_g3 → X_g4 → X_g5 → X_g6 → X_g7 → X_g8 holds; if not, judge that a malicious tampering attack on the setting values of the relay protection device exists, otherwise judge that the current frame of flow data is normal flow; wherein X_g1 represents the master station's message calling the device's current operating fixed value area code, X_g2 the substation's message uploading the device's current operating fixed value area code, X_g3 the master station's message calling the device's fixed values, X_g4 the substation's message uploading the device's fixed values, X_g5 the message downloading fixed values to the substation, X_g6 the substation's response to the downloaded fixed values, X_g7 the message executing the fixed value modification, and X_g8 the response to the fixed value modification.
Fixed value operation service logic attack detection can identify malicious tampering with the setting values of the relay protection device during the fixed value modification process, against the normal fixed value modification logic, and can actively block such tampering. Existing methods that analyse measurement point data of the relay protection device can only detect the measured values after the fixed value has been tampered with, and cannot monitor and block the modification in time. The fixed value operation service logic attack detection of the invention goes deep into the application layer of the flow data, effectively prevents malicious tampering with the setting values of the relay protection device, and is of great significance for the correct operation of the relay protection device.
In step S5, when the message belongs to the general call (general interrogation) service, the specific implementation of attack detection on the parsed message comprises:
Judge whether the logic Z_h1 → Z_h2 → Z_h3 holds; if not, judge that an illegal general call attack exists; otherwise judge whether the formula holds, and if not, judge that an illegal general call attack exists, otherwise judge that the current frame of flow data is normal flow; wherein Z_h1 represents the master station's general call initiation message, Z_h2 represents a message sent by the substation, Z_h3 represents the general call termination message, P_ZH represents the set of general call service messages of the relay protection information processing system, Z_hn represents the number of messages sent by the substation, Z_hs represents the number of substation devices, A_s represents the ASDU address of the message, and H denotes hexadecimal notation.
General call service logic attack detection can identify illegal general call attacks according to the normal service logic of the general call. An illegal general call attack combines constructed general call service messages with normal ones by forgery or injection in order to acquire data illegitimately. Such an attack cannot be identified by validity checks on message fields or consistency analysis of telemetry data alone; it must be identified at the service logic level of the messages. The general call service logic attack detection of the invention checks the logic and the range of the general call service, effectively identifies attacks on the general call service, and prevents redundant or incomplete uploading of information.
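The sequence checks of the fixed value operation service (X_g1 → … → X_g8) and of the general call service (Z_h1 → Z_h2 → Z_h3) as stateful monitors over a stream of parsed messages. This is an added example, not code from the patent: message kinds are symbolic labels assumed to be assigned by field-level parsing (step S2), every out-of-order message is assumed to reset the session, and the count rule Z_hn = Z_hs stands in for the general call formula the page does not reproduce; the ASDU address range part of that check is not covered.

```python
"""Service logic sequence checks (added example, not patent code)."""
from typing import Iterable, List, Optional

FIXED_VALUE_FLOW = ["Xg1", "Xg2", "Xg3", "Xg4", "Xg5", "Xg6", "Xg7", "Xg8"]


class FixedValueMonitor:
    """Tracks one device's setting-modification session against FIXED_VALUE_FLOW."""

    def __init__(self) -> None:
        self.pos = 0  # index of the next expected message kind

    def observe(self, kind: str) -> Optional[str]:
        if kind not in FIXED_VALUE_FLOW:
            return None  # other services are checked by their own models
        expected = FIXED_VALUE_FLOW[self.pos]
        if kind != expected:
            self.pos = 0  # assumed policy: a broken session restarts from X_g1
            return f"setting tampering: {kind} seen, {expected} expected"
        self.pos = (self.pos + 1) % len(FIXED_VALUE_FLOW)
        return None


class GeneralCallMonitor:
    """Checks Z_h1 -> Z_h2 (one per device, assumed) -> Z_h3 for one substation."""

    def __init__(self, device_count: int) -> None:
        self.device_count = device_count  # Z_hs
        self.active = False
        self.sent = 0                     # Z_hn

    def observe(self, kind: str) -> Optional[str]:
        if kind == "Zh1":
            if self.active:
                return "illegal general call: restarted before termination"
            self.active, self.sent = True, 0
        elif kind == "Zh2":
            if not self.active:
                return "illegal general call: data without initiation"
            self.sent += 1
        elif kind == "Zh3":
            if not self.active:
                return "illegal general call: termination without initiation"
            self.active = False
            if self.sent != self.device_count:  # assumed rule Z_hn == Z_hs
                return (f"illegal general call: {self.sent} messages "
                        f"for {self.device_count} devices")
        return None


def scan(monitor, kinds: Iterable[str]) -> List[str]:
    """Feed a message sequence to a monitor and collect the alerts it raises."""
    alerts = []
    for k in kinds:
        a = monitor.observe(k)
        if a:
            alerts.append(a)
    return alerts


# Constructed sequences (not captured traffic).
NORMAL_FIXED = list(FIXED_VALUE_FLOW)
INJECTED_FIXED = ["Xg1", "Xg2", "Xg7", "Xg8"]   # execute-modify without call/download steps
NORMAL_GC = ["Zh1", "Zh2", "Zh2", "Zh2", "Zh3"]  # three devices answer
SHORT_GC = ["Zh1", "Zh2", "Zh2", "Zh3"]          # one device never answered
ORPHAN_GC = ["Zh2", "Zh3"]                       # data with no initiation

if __name__ == "__main__":
    print(scan(FixedValueMonitor(), INJECTED_FIXED))
    print(scan(GeneralCallMonitor(3), SHORT_GC))
```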
In step S5, when the message belongs to the general file transfer service, the specific implementation of attack detection on the parsed message comprises: detect whether the file name consists only of a directory name and a wildcard; if so, judge that an illegal file upload attack exists; otherwise judge whether the formula holds, and if not, judge that a file clock tampering attack exists, otherwise judge that the current frame of flow data is normal flow; wherein P_WJ represents the set of file list upload messages of the relay protection information processing system, T_lb(P) represents the upload time of the file list, C_q represents the query start time for displaying the file list, and C_z represents the query end time for displaying the file list.
General file transfer service logic attack detection can identify illegal file upload attacks and file clock tampering attacks. Once an illegal file containing attack code is sent to the master station, the master station loses control authority; a file clock tampering attack steals information illegitimately by tampering with the upload time of the file list. This detection overcomes the limitation that existing methods focus on network layer flow statistics, and effectively prevents master station crashes and file theft caused by an attacker uploading malicious file data or tampering with files.
A computer device comprises a memory, a processor and a computer program stored in the memory; when the processor executes the computer program, the steps of the method of the invention are implemented.
Compared with the prior art, the invention has the following beneficial effects:
(1) Aiming at network attack risks such as message stealing, interception and tampering faced by a relay protection information processing system, the invention provides an attack behavior detection method of a flow data application layer message, and overcomes the limitation that the existing attack detection method focuses on the analysis of the data of the measuring point of the relay protection device.
(2) The invention provides clock tampering attack and malformed message attack detection aiming at a relay protection information processing system flow data application layer message, and overcomes the defects of lack of authentication mechanism, lack of authorization mechanism and lack of encryption mechanism of IEC 60870-5-103 protocol.
(3) According to the invention, the normal behavior model of the power service is established according to the service characteristics of the relay protection information processing system, and the attack behavior detection is carried out on the application layer message of the traffic data, so that the active defense of the attack behavior of the traffic data of the relay protection information processing system in the application layer is realized, and the safety of the information transmission of the service system is improved.
Drawings
Fig. 1 is a flowchart of a method for monitoring attack behaviors of a relay protection information processing system according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of an attack behavior monitoring system of a relay protection information processing system according to an embodiment of the present invention.
Fig. 3 is a system unit diagram of a clock tampering attack detection module in an embodiment of the invention.
Fig. 4 is a system unit diagram of a malformed packet attack detection module in an embodiment of the present invention.
Fig. 5 is a system unit diagram of a service logic attack detection module in an embodiment of the present invention.
Detailed Description
Fig. 1 is a flowchart of a method for monitoring attack behaviors of a relay protection information processing system according to an embodiment of the present invention, and specifically implemented steps are as follows:
Step S1: capturing a relay protection information processing system flow data packet in real time, and extracting an application layer message of current frame flow data;
step S2: performing field-level analysis on the message according to IEC 60870-5-103 protocol, obtaining specific values and clock characteristics of message length fields, type identifiers, transmission reasons and information sequence numbers, and determining the system service to which the message belongs;
step S3: performing clock tampering attack detection on the message analyzed in the step S2, if the clock range, the clock logic, the clock synchronization and the clock delay of the message do not accord with the normal clock characteristics, judging that the clock tampering attack exists, otherwise, entering the step S4;
Step S4: carrying out malformed message attack detection on the message analyzed in the step S2, judging that malformed message attack exists if the length field, the type identifier, the transmission reason, the information sequence number value and the protocol requirement of the message are not consistent, otherwise, entering the step S5;
Step S5: and establishing a normal behavior model according to the system service to which the message belongs, carrying out attack detection on the message according to the normal behavior model, judging that a service logic attack exists if the message does not accord with the normal service model, and otherwise, judging that the current frame flow data is normal flow.
Further, step S3 includes:
S3-1: Detect whether the message time stamp year is in the normal range; if the time stamp year is out of limit, i.e. violates formula (1), judge that the clock is tampered; otherwise, enter step S3-2.
Yt∈[1970,2069] (1)
Where Y t represents the year of the time stamp, i.e. the value of the year identification byte of the time stamp.
S3-2: Detect whether a time synchronization message is a broadcast time synchronization. The master station issues a broadcast time synchronization command to set the time of all devices; at this time the high 8 bits of the application service data unit common address (ASDU address for short) of the message are FFH, meaning a broadcast to all devices of the substation. If this condition is not met, judge that a clock tampering attack exists; otherwise, enter step S3-3.
Where the universal quantifier denotes "for any"; P is the application layer message parsed in step S2, P DS represents an IEC 60870-5-103 time synchronization message, A g (P) represents the value of the high 8 bits of the ASDU address of the message, F represents 15 in hexadecimal, and H denotes hexadecimal notation.
S3-3: Detect whether the logic between the actual occurrence time of an alarm, remote signalling deflection or action event and the substation receiving time is correct. The relay protection device records the actual occurrence time of the event after the alarm, remote signalling deflection or action event occurs, and the substation receives the fault information with a certain delay, so the substation receiving time must be later than the actual occurrence time; if this is not the case, i.e. formula (4) is violated, judge that a clock tampering attack exists; otherwise, enter step S3-4.
Wherein P DZ represents one of IEC 60870-5-103 alarm, remote signaling deflection and action event data report, T js (P) represents event substation receiving time, and T sj (P) represents event actual occurrence time.
S3-4: detecting whether the time period of uploading the historical fault information by the substation is consistent with the time period of calling the historical fault information by the master station, if not, judging that the substation is attacked by clock tampering, otherwise, entering step S3-5.
S3-5: it is detected whether the master-slave station information transfer times out. If the information transfer time exceeds the maximum delay time required by the protocol, i.e. the formula (5) is violated, it is determined as a clock tampering attack, otherwise step S4 is entered.
Wherein P XC represents an IEC 60870-5-103 master-substation information transmission message, T cs (P) represents the information transmission time, T max represents the maximum delay time, P 1 represents a relay protection device action information transmission message, P 2 represents a relay protection device analog measurement value transmission message, P 3 represents a relay protection device running state transmission message, and P 4 represents a relay protection device fixed value transmission message.
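As an added example (not code from the patent), the five clock checks of step S3 applied to already parsed messages; the message dictionary layout, the 16-bit modelling of the ASDU address and the T max budgets per transfer class are assumptions made for this example.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

YEAR_RANGE = (1970, 2069)  # formula (1): Y_t must lie in [1970, 2069]

# T_max of formula (5) per transfer class P1..P4. The delay budgets are constructed
# for this example and are not values taken from the patent or the standard.
T_MAX = {
    "action":    timedelta(seconds=1),   # P1: device action information
    "measurand": timedelta(seconds=5),   # P2: analog measurement values
    "state":     timedelta(seconds=5),   # P3: device running state
    "setting":   timedelta(seconds=10),  # P4: fixed value (setting) transfer
}


def check_clock(msg: dict) -> Optional[str]:
    """Apply S3-1 .. S3-5 to one parsed message; return the violated step or None."""
    # S3-1: time stamp year out of range
    if not YEAR_RANGE[0] <= msg["year"] <= YEAR_RANGE[1]:
        return "S3-1 time stamp year out of range"
    # S3-2: a time synchronization message (P_DS) must be a broadcast, i.e. the high
    # 8 bits of the ASDU address are 0xFF (the address is modelled as a 16-bit value)
    if msg["service"] == "time_sync" and (msg["asdu_addr"] >> 8) != 0xFF:
        return "S3-2 time synchronization is not a broadcast"
    # S3-3: for alarm / remote signalling / action reports (P_DZ) the substation
    # receive time T_js must be later than the actual occurrence time T_sj (formula (4))
    if msg["service"] == "event" and not msg["recv_time"] > msg["occur_time"]:
        return "S3-3 receive time not later than occurrence time"
    # S3-4: the uploaded historical fault period must equal the period the master called
    if msg["service"] == "history" and msg["uploaded_period"] != msg["called_period"]:
        return "S3-4 historical fault period mismatch"
    # S3-5: master/substation transfer time T_cs must not exceed T_max (formula (5))
    limit = T_MAX.get(msg.get("transfer_class"))
    if limit is not None and msg["recv_time"] - msg["send_time"] > limit:
        return "S3-5 transfer delay exceeds T_max"
    return None


def scan(messages: List[dict]) -> List[Tuple[int, Optional[str]]]:
    """Run check_clock over a capture and pair each verdict with the frame index."""
    return [(i, check_clock(m)) for i, m in enumerate(messages)]


# Constructed sample capture (not real traffic): three clean frames, then one
# violation per check in the order S3-1 .. S3-5.
T0 = datetime(2023, 5, 1, 12, 0, 0)
SAMPLE = [
    {"year": 2023, "service": "event", "occur_time": T0,
     "recv_time": T0 + timedelta(milliseconds=40)},                        # normal
    {"year": 2023, "service": "time_sync", "asdu_addr": 0xFF01},           # normal broadcast
    {"year": 2023, "service": "action", "transfer_class": "action",
     "send_time": T0, "recv_time": T0 + timedelta(milliseconds=300)},      # normal delay
    {"year": 2100, "service": "event", "occur_time": T0,
     "recv_time": T0 + timedelta(milliseconds=40)},                        # S3-1
    {"year": 2023, "service": "time_sync", "asdu_addr": 0x0001},           # S3-2
    {"year": 2023, "service": "event", "occur_time": T0 + timedelta(seconds=5),
     "recv_time": T0},                                                      # S3-3
    {"year": 2023, "service": "history",
     "uploaded_period": (T0, T0 + timedelta(hours=2)),
     "called_period": (T0, T0 + timedelta(hours=1))},                      # S3-4
    {"year": 2023, "service": "action", "transfer_class": "action",
     "send_time": T0, "recv_time": T0 + timedelta(seconds=2)},             # S3-5
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE):
        print(index, verdict or "normal clock behaviour")
```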
Further, step S4 includes:
S4-1: Detect whether the theoretical message length calculated from the length field is equal to the actual length of the message parsed in step S2; if not, i.e. formula (7) is violated, judge that the message is a malformed message attack; otherwise, enter step S4-2.
Wherein P IEC103 represents IEC 60870-5-103 message, F l (P) represents message theoretical length, and L s (P) represents message actual length.
S4-2: Detect whether the actual length of the message is larger than 2048 bytes; if so, i.e. formula (8) is violated, judge that the message is a malformed message attack; otherwise, enter step S4-3.
S4-3: Detect whether the type identification field value of the message is valid; if not, i.e. formula (9) is violated, judge that the message is a malformed message attack; otherwise, enter step S4-4.
Wherein F t (P) represents the message type identification field value.
S4-4: Detect whether the transmission reason field value of the message is valid; if not, i.e. formula (10) is violated, judge that the message is a malformed message attack; otherwise, enter step S4-5.
Wherein F c (P) represents a message transmission reason field value.
S4-5: Detect whether the information sequence number field value of the message is valid; if not, i.e. formula (11) is violated, judge that the message is a malformed message attack; otherwise, enter step S5.
Wherein F i (P) represents the message information sequence number field value.
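As an added example (not code from the patent), the format checks of step S4 run over a raw IEC 60870-5-103 frame on its FT1.2 variable-length link layer (68 L L 68 ... CS 16, so the theoretical length F l (P) is L + 6). The sets of valid type identifiers and causes of transmission are abridged from the standard, and the permitted information numbers per type are an assumption standing in for formula (11), which the page does not reproduce.

```python
from typing import Optional

MAX_LENGTH = 2048  # formula (8): messages longer than 2048 bytes are malformed

# Type identifiers (TYP) and causes of transmission (COT) defined by IEC 60870-5-103.
# Abridged to commonly used values; extend from the standard's tables for production use.
VALID_TYPE_ID = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31}
VALID_COT = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20, 21, 31, 40, 41, 42, 43, 44}
# Information numbers (INF) permitted per TYP: assumption standing in for formula (11).
# Only the system functions are constrained here: time synchronization (6), general
# interrogation (7) and its termination (8) carry INF 0.
VALID_INF_BY_TYPE = {6: {0}, 7: {0}, 8: {0}}


def build_frame(ctrl: int, addr: int, asdu: bytes) -> bytes:
    """Assemble an FT1.2 variable-length frame: 68 L L 68 | ctrl addr ASDU | CS 16."""
    body = bytes([ctrl, addr]) + asdu
    checksum = sum(body) & 0xFF
    return bytes([0x68, len(body), len(body), 0x68]) + body + bytes([checksum, 0x16])


def check_format(frame: bytes) -> Optional[str]:
    """Apply S4-1 .. S4-5 to one raw frame; return the violated step or None."""
    # S4-1: theoretical length F_l(P) = L + 6 (two start bytes, two copies of L,
    # checksum and stop byte) must equal the actual length L_s(P) (formula (7));
    # 14 bytes is the smallest frame that still carries a complete ASDU header
    if len(frame) < 14 or frame[0] != 0x68 or frame[3] != 0x68 or frame[-1] != 0x16:
        return "S4-1 frame delimiters missing or frame truncated"
    if frame[1] != frame[2]:
        return "S4-1 length field copies disagree"
    if frame[1] + 6 != len(frame):
        return "S4-1 theoretical length differs from actual length"
    # S4-2: absolute size limit (formula (8))
    if len(frame) > MAX_LENGTH:
        return "S4-2 message longer than 2048 bytes"
    body = frame[4:-2]
    if (sum(body) & 0xFF) != frame[-2]:   # link-layer checksum is a protocol requirement too
        return "S4-1 checksum mismatch"
    typ, _vsq, cot, _common_addr, _fun, inf = body[2:8]
    # S4-3: type identifier (formula (9))
    if typ not in VALID_TYPE_ID:
        return "S4-3 invalid type identifier"
    # S4-4: cause of transmission (formula (10))
    if cot not in VALID_COT:
        return "S4-4 invalid cause of transmission"
    # S4-5: information number (formula (11), as modelled by VALID_INF_BY_TYPE)
    if inf not in VALID_INF_BY_TYPE.get(typ, range(256)):
        return "S4-5 invalid information number"
    return None


# Constructed time synchronization frame: TYP 6, VSQ 0x81, COT 8 (time sync), common
# address 0xFF (broadcast), FUN 0xFF, INF 0, then a seven-byte CP56Time2a placeholder.
TIME_SYNC = build_frame(0x53, 0x01, bytes([6, 0x81, 8, 0xFF, 0xFF, 0x00]) + bytes(7))
# Same frame with one byte inserted before the checksum: the length field no longer matches.
PADDED = TIME_SYNC[:-2] + b"\x00" + TIME_SYNC[-2:]

if __name__ == "__main__":
    for name, frame in (("time sync", TIME_SYNC), ("padded", PADDED)):
        print(name, frame.hex(), check_format(frame) or "well-formed")
```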
Further, step S5 includes:
S5-1: Perform classified detection of attack behaviors according to the service to which the message obtained in step S2 belongs: if the message belongs to the reading substation configuration service, enter step S5-2; if the message belongs to the protection event uploading service, enter step S5-3; if the message belongs to the recording briefing service, enter step S5-4; if the message belongs to the fixed value operation service, enter step S5-5; if the message belongs to the total calling service, enter step S5-6; if the message belongs to the general file transmission service, enter step S5-7.
S5-2: analyzing normal logic of the reading substation configuration service according to the technical specification of the relay protection information processing system, establishing a normal behavior model of the reading substation configuration service based on the normal service logic, detecting attack behaviors of traffic data of the service in the relay protection information processing system according to the normal behavior model, judging that the reading substation configuration service logic attack exists if the message does not accord with the normal behavior model, and otherwise judging that the current frame traffic data is normal traffic.
S5-3: analyzing normal logic of the protection event uploading business according to the technical specification of the relay protection information processing system, establishing a normal behavior model of the protection event uploading business based on the normal business logic, detecting attack behaviors of traffic data of the business in the relay protection information processing system according to the normal behavior model, judging that the protection event uploading business logic attack exists if the message does not accord with the normal behavior model, and otherwise judging that the current frame traffic data is normal traffic.
S5-4: analyzing normal logic of the recording briefing sending service according to the technical specification of the relay protection information processing system, establishing a normal behavior model of the recording briefing sending service based on the normal service logic, carrying out attack behavior detection on traffic data of the service in the relay protection information processing system according to the normal behavior model, judging that the recording briefing sending service logic attack exists if the message does not accord with the normal behavior model, and otherwise, judging that the current frame traffic data is normal traffic.
S5-5: analyzing normal logic of the fixed value operation service according to the technical specification of the relay protection information processing system, establishing a normal behavior model of the fixed value operation service based on the normal service logic, detecting attack behaviors of flow data of the service in the relay protection information processing system according to the normal behavior model, judging that the fixed value operation service logic attack exists if the message does not accord with the normal behavior model, and otherwise, judging the current frame flow data as normal flow.
S5-6: analyzing normal logic of the total calling service according to the technical specification of the relay protection information processing system, establishing a normal behavior model of the total calling service based on the normal service logic, detecting attack behaviors of traffic data of the service in the relay protection information processing system according to the normal behavior model, judging that the total calling service logic attack exists if the message does not accord with the normal behavior model, and otherwise, judging that the current frame traffic data is normal traffic.
S5-7: analyzing normal logic of the universal file transmission service according to the technical specification of the relay protection information processing system, establishing a normal behavior model of the universal file transmission service based on the normal service logic, detecting attack behaviors of traffic data of the service in the relay protection information processing system according to the normal behavior model, judging that the universal file transmission service logic attack exists if the message does not accord with the normal behavior model, and otherwise, judging that the current frame traffic data is normal traffic.
Further, the step S5-2 includes:
S5-2-1: detecting whether the number of headers sent by the substation is complete when the relay protection information processing system reads each group of headers configured by the substation, if not, namely violating a formula (12), judging that malicious interception attack of configuration data exists, otherwise, entering a step S5-2-2.
Wherein P BT represents a read substation configuration service message in the relay protection information processing system, B n (P) represents the number of headers sent by the substation, and B s represents the number of all headers configured by the substation.
S5-2-2: detecting whether the group numbers of all items of the same group of header information are consistent, if not, namely violating a formula (13), judging that data tampering attack exists, otherwise, judging the current frame flow data as normal flow.
Where B zh (P) denotes the group number of each item of the same group header information, and C zh denotes the group number of the current group header information.
Further, the step S5-3 includes:
S5-3-1: detecting whether the double-point information uploading of the protection event is abnormal or not, if the state of the double-point information is not in a specified range, namely, the formula (14) is violated, judging that the malicious tampering attack of the double-point information exists, and otherwise, entering the step S5-3-2.
Wherein P BH represents a protection event report message in the relay protection information processing system, and D pi (P) represents a double-point information value.
S5-3-2: Detect whether the message logic of the frames before and after a switching value deflection, an action signal or a pressing plate state change is correct. If the frame before a switching value deflection is on (or off) and the frame after it is still on (or off); if the frame before an action signal is reset (or action) and the frame after it is still reset (or action); or if the frame before a pressing plate state change is not put into (or put into) and the frame after it is still not put into (or put into), judge that a malicious opening and closing attack exists; otherwise, enter step S5-3-3.
S5-3-3: detecting whether the type identifier adopted by the uploading of the protection event is correct or not, wherein the alarming and switching value displacement event can only adopt the type identifier 1 for uploading, the action event can only adopt the type identifier 2 for uploading, if the formula (15) is violated, the illegal uploading attack of the action event is judged, otherwise, the current frame flow data is judged to be normal flow.
Wherein, L bh (P) represents a protection event message type identifier, P 5 represents an alarm or switching value deflection event message, and P 6 represents an action event message.
Further, step S5-4 includes:
S5-4-1: detecting whether the fault phase in the wave recording brief report is consistent with the tripping phase or not, if not, namely violating a formula (16), judging that the tripping phase malicious tampering attack exists, otherwise, entering a step S5-4-2.
Wherein P LB represents a wave recording brief report service message in the relay protection information processing system, G xb (P) represents a fault phase, and Z xb (P) represents a tripping phase.
S5-4-2: and detecting whether the short-circuit ground fault zone bit in the wave recording brief report is correct, if not, namely violating a formula (17), judging that the ground fault zone bit is tampered with and attacked, otherwise, entering a step S5-4-3.
Wherein D 3 represents a short-circuit ground fault flag bit value of the message, D 0 represents a short-circuit fault flag bit value of the a-phase of the message, D 1 represents a short-circuit fault flag bit value of the B-phase of the message, and D 2 represents a short-circuit fault flag bit value of the C-phase of the message.
S5-4-3: Detect whether the reclosing in the wave recording brief report is abnormal. If reclosing is carried out after the fault occurs but the reclosing time is 0, or no reclosing is carried out but the reclosing time is not 0, judge that a reclosing time tampering attack exists; otherwise, judge that the current frame flow data is normal flow.
Further, the step S5-5 includes:
S5-5-1: Detect whether the fixed value modification logic of the relay protection device is correct; if not, i.e. formula (18) is violated, judge that a malicious tampering attack on the fixed value of the relay protection device exists; otherwise, judge that the current frame flow data is normal flow.
X g1 → X g2 → X g3 → X g4 → X g5 → X g6 → X g7 → X g8 (18)
Wherein X g1 represents a message calling the current operating fixed value area code of the device, X g2 represents a message in which the substation uploads the current operating fixed value area code of the device, X g3 represents a message in which the master station calls the fixed values of the device, X g4 represents a message in which the substation uploads the fixed values of the device, X g5 represents a fixed value download message to the substation, X g6 represents the substation's response to the fixed value download, X g7 represents an execute fixed value modification message, and X g8 represents a response to the fixed value modification.
Further, the step S5-6 includes:
S5-6-1: detecting whether the total calling business flow is abnormal, if the actual total calling business flow is not consistent with the normal flow, namely, the formula (19) is violated, judging that illegal total calling attack exists, otherwise, entering step S5-6-2.
Zh1→Zh2→Zh3 (19)
Wherein, Z h1 represents a master station starting total call message, Z h2 represents an information message sent on a substation, and Z h3 represents a total call ending message.
S5-6-2: it is detected whether the number of messages sent by the substation is correct. The substation replies appointed information according to the ASDU address in the message after receiving the total calling command of the main station, and replies switching value information of a specific device when the ASDU address is not equal to zero; the communication state of each device of the substation and the operation state of each device are answered when the ASDU address is equal to zero. If the formula (20) is violated, judging that illegal total call attack exists, otherwise, judging the current frame traffic data as normal traffic.
Wherein P ZH represents the total calling service of the relay protection information processing system, Z hn represents the number of information messages sent by the substation, Z hs represents the number of substation devices, A s represents the ASDU address of the message, and H denotes hexadecimal notation.
Further, the step S5-7 includes:
S5-7-1: Detect whether the file name contains only directory names and wildcards (such as ?); if other illegal characters are contained, judge that an illegal file uploading attack exists; otherwise, enter step S5-7-2.
S5-7-2: it is detected whether the file list upload is within the query time range. When the master station calls the file list, the inquiry start time and the inquiry end time are given, the file list uploaded by the substation needs to be in the time range, if the file list exceeds the time range, namely, the formula (21) is violated, the file clock tampering attack is judged to exist, and otherwise, the current frame flow data is judged to be normal flow.
Wherein, P WJ represents a file list uploading message of the relay protection information processing system, T lb (P) represents a file list uploading time, C q represents a query start time when the file list is displayed, and C z represents a query end time when the file list is displayed.
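As an added example (not code from the patent), the total call checks of step S5-6 as a small state machine over Z h1 → Z h2 → Z h3 together with the file name and query time window checks of step S5-7. The message dictionary layout, the character set allowed in a directory name and the reading of formula (20) (two replies per device when the ASDU address is 0, one reply otherwise) are assumptions made for this example.

```python
import re
from datetime import datetime
from typing import List, Optional

# S5-7-1: a file call name may contain only directory names and the wildcard "?".
# The character set accepted for a directory name is an assumption for this example.
FILE_NAME_RE = re.compile(r"(?:[A-Za-z0-9_]+/)*[A-Za-z0-9_?]+")


def check_file_name(name: str) -> Optional[str]:
    """S5-7-1: reject names carrying anything but directory names and wildcards."""
    if not FILE_NAME_RE.fullmatch(name):
        return "S5-7-1 illegal file uploading attack (illegal characters in file name)"
    return None


def check_file_list_time(upload_time: datetime, query_start: datetime,
                         query_end: datetime) -> Optional[str]:
    """S5-7-2: the file list upload time T_lb(P) must lie in [C_q, C_z] (formula (21))."""
    if not query_start <= upload_time <= query_end:
        return "S5-7-2 file clock tampering attack (upload time outside query range)"
    return None


class TotalCallMonitor:
    """Tracks one total call: Z_h1 -> Z_h2 -> Z_h3 (formula (19)) and the number of
    substation replies (formula (20))."""

    def __init__(self, device_count: int):
        self.device_count = device_count  # Z_hs: number of substation devices
        self.active = False
        self.asdu_addr = 0
        self.replies = 0                  # Z_hn: information messages sent by the substation

    def expected_replies(self) -> int:
        # Assumed reading of formula (20): with ASDU address 0 every device answers with
        # its communication state and its running state (two messages each); with a
        # non-zero address only that device's switching values are returned (one message).
        return 2 * self.device_count if self.asdu_addr == 0 else 1

    def feed(self, msg: dict) -> Optional[str]:
        kind = msg["kind"]
        if kind == "gi_start":            # Z_h1: master station starts the total call
            if self.active:
                return "S5-6-1 illegal total call (start while a call is in progress)"
            self.active, self.asdu_addr, self.replies = True, msg["asdu_addr"], 0
            return None
        if kind == "gi_data":             # Z_h2: substation uploads information
            if not self.active:
                return "S5-6-1 illegal total call (data without a preceding start)"
            self.replies += 1
            return None
        if kind == "gi_end":              # Z_h3: total call termination
            if not self.active:
                return "S5-6-1 illegal total call (end without a start)"
            self.active = False
            if self.replies != self.expected_replies():
                return "S5-6-2 illegal total call (unexpected number of replies)"
            return None
        return None                       # other services are outside this model


def run_total_call(device_count: int, msgs: List[dict]) -> List[str]:
    """Feed a message sequence through the monitor and return the non-None verdicts."""
    monitor = TotalCallMonitor(device_count)
    return [v for v in (monitor.feed(m) for m in msgs) if v is not None]


if __name__ == "__main__":
    # Constructed capture: a complete total call for two devices (ASDU address 0),
    # followed by one injected data message outside any call.
    capture = ([{"kind": "gi_start", "asdu_addr": 0}] + [{"kind": "gi_data"}] * 4
               + [{"kind": "gi_end"}, {"kind": "gi_data"}])
    print(run_total_call(2, capture))
    print(check_file_name("fault/?"), check_file_name("fault/../?"))
```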
The invention relies on the flow data of a mass relay protection information processing system, and obtains the specific numerical value of the characteristic field of the message and the system service to which the message belongs by extracting the application layer message of the flow data and analyzing the message according to the IEC 60870-5-103 protocol. And secondly, carrying out clock tampering attack detection and malformed message attack detection according to the specific value of the message characteristic field. And finally, establishing a normal service model according to the specific system service to which the message belongs, and carrying out service logic attack detection according to the normal service model, so that the comprehensive monitoring of the attack behavior of the relay protection information processing system is realized, and the safe and reliable operation of the power system is ensured.
Fig. 2 is a schematic structural diagram of an attack behavior monitoring system of a relay protection information processing system according to an embodiment of the present invention, where the system is adapted to execute a method provided by any embodiment of the present invention, and includes: the system comprises a flow data acquisition module 100, an application layer message analysis module 200, a clock tampering attack detection module 300, a malformed message attack detection module 400 and a service logic attack detection module 500.
The flow data acquisition module 100 is configured to acquire flow data of the relay protection information processing system, and extract an application layer message.
The application layer message analysis module 200 is configured to perform field level analysis on the application layer message according to IEC 60870-5-103 protocol, and obtain a specific relay protection service represented by the message.
The clock tampering attack detection module 300 is configured to detect a clock range, clock logic, clock synchronization, and clock delay of a packet, and determine whether a clock tampering attack exists.
The malformed message attack detection module 400 is configured to verify the message format according to the protocol requirement, and determine whether a malformed message attack exists.
The service logic attack detection module 500 is configured to establish a normal behavior model for a system service to which the message belongs, and detect according to the normal behavior model to determine whether a service logic attack exists.
The output end of the flow data acquisition module 100 is connected with the input end of the application layer message analysis module 200, and is used for inputting the extracted application layer message.
The output end of the application layer message parsing module 200 is connected to the input end of the clock tampering attack detection module 300, and is used for inputting the application layer message and the parsing result thereof.
The output end of the clock tampering attack detection module 300 is connected to the input end of the malformed message attack detection module 400, and is used for inputting the application layer message and the analysis result thereof.
The output end of the malformed message attack detection module 400 is connected to the input end of the service logic attack detection module 500, and is used for inputting the application layer message and the analysis result thereof.
As shown in fig. 3, further, the clock tampering attack detection module 300 includes: a data acquisition unit 301, a first detection unit 302, a second detection unit 303, a third detection unit 304, a fourth detection unit 305, and a fifth detection unit 306.
The output end of the data acquisition unit 301 is connected to the input end of the first detection unit 302, and is used for inputting an application layer message and an analysis result thereof.
The output end of the first detection unit 302 is connected to the input end of the second detection unit 303, the output end of the second detection unit 303 is connected to the input end of the third detection unit 304, the output end of the third detection unit 304 is connected to the input end of the fourth detection unit 305, and the output end of the fourth detection unit 305 is connected to the input end of the fifth detection unit 306.
In one embodiment, the data obtaining unit 301 reads an application layer packet of the traffic data and its analysis result, and the unit transfers the read information to the first detecting unit 302, the second detecting unit 303, the third detecting unit 304, the fourth detecting unit 305, and the fifth detecting unit 306.
The first detecting unit 302 is configured to detect whether the message time stamp year is within the normal range, and if the time stamp year is out of limit, determine that a clock tampering attack exists.
The second detecting unit 303 is configured to detect whether the time alignment message is a broadcast time alignment, and if not, determine that the time alignment message is a clock tampering attack.
The third detecting unit 304 is configured to detect whether the alarm, the remote signaling shift, the action event data uploading actual occurrence time and the substation receiving time logic are correct, and if not, determine that the clock tampering attack is performed.
The fourth detecting unit 305 is configured to detect whether the time period of sending the historical fault information by the substation is consistent with the time period of calling the historical fault information by the master station, and if not, determine that the substation is under clock tampering attack.
The fifth detecting unit 306 is configured to determine whether the master-substation information transmission has timed out, and if so, determine that a clock tampering attack exists.
As shown in fig. 4, further, the malformed packet attack detection module 400 includes: a data acquisition unit 401, a message length field detection unit 402, a message length threshold detection unit 403, a type identification field detection unit 404, a transmission reason field detection unit 405, and an information sequence number field detection unit 406.
The output end of the data acquisition unit 401 is connected to the input end of the message length field detection unit 402, and is used for inputting an application layer message and its analysis result.
The output end of the message length field detecting unit 402 is connected to the input end of the message length threshold detecting unit 403, the output end of the message length threshold detecting unit 403 is connected to the input end of the type identifier field detecting unit 404, the output end of the type identifier field detecting unit 404 is connected to the input end of the transmission reason field detecting unit 405, and the output end of the transmission reason field detecting unit 405 is connected to the input end of the information sequence number field detecting unit 406.
In one embodiment, the data obtaining unit 401 reads the traffic data application layer message and its parsing result, and the unit passes the read information to the message length field detecting unit 402, the message length threshold detecting unit 403, the type identification field detecting unit 404, the transmission reason field detecting unit 405, and the information sequence number field detecting unit 406.
The message length field detecting unit 402 is configured to detect whether the message theoretical length calculated by the length field is equal to the actual length, and if not, determine that the message attack is malformed.
The message length threshold detecting unit 403 is configured to detect whether the actual length of the message is greater than 2048 bytes, and if so, determine that the message is a malformed message attack.
The type identifier field detecting unit 404 is configured to detect whether the type identifier field value of the message is valid, and if not, determine that the message is a malformed message attack.
The transmission reason field detection unit 405 is configured to detect whether the transmission reason field value of the message is valid, and if not, determine that the message is malformed.
The information sequence number field detecting unit 406 is configured to detect whether the information sequence number field value of the message is valid, and if not, determine that the message is malformed.
As shown in fig. 5, further, the service logic attack detection module 500 includes: a data acquisition unit 501, a reading substation configuration service detection unit 502, a protection event uploading service detection unit 503, a recording briefing uploading service detection unit 504, a fixed value operation service detection unit 505, a total calling service detection unit 506 and a general file transmission service detection unit 507.
The output end of the data acquisition unit 501 is connected to the input end of the reading substation configuration service detection unit 502, and is used for inputting relay protection service to which the message belongs.
The output end of the reading substation configuration service detection unit 502 is connected with the input end of the protection event uploading service detection unit 503, the output end of the protection event uploading service detection unit 503 is connected with the input end of the recording briefing uploading service detection unit 504, the output end of the recording briefing uploading service detection unit 504 is connected with the input end of the fixed value operation service detection unit 505, the output end of the fixed value operation service detection unit 505 is connected with the input end of the total calling service detection unit 506, and the output end of the total calling service detection unit 506 is connected with the input end of the general file transmission service detection unit 507.
In one embodiment, the data obtaining unit 501 obtains the specific relay protection service to which the message belongs, and the unit transmits the read information to the reading substation configuration service detecting unit 502, the protection event uploading service detecting unit 503, the recording briefing uploading service detecting unit 504, the fixed value operation service detecting unit 505, the total calling service detecting unit 506 and the general file transmission service detecting unit 507.
The reading substation configuration service detection unit 502 is configured to detect whether an attack exists in the reading substation configuration service in the relay protection information processing system.
In one embodiment, a normal behavior model of the configuration service of the reading substation is established, attack behavior detection is performed on traffic data of the service in the relay protection information processing system according to the normal behavior model, if the message does not accord with the normal behavior model, it is determined that a service logic attack of the configuration service of the reading substation exists, and the unit takes the detection result as an output end of the service logic attack detection module 500.
The protection event upload service detection unit 503 is configured to detect whether an attack exists in the protection event upload service.
In one embodiment, a normal behavior model of the service sent by the protection event is established, attack behavior detection is performed on the traffic data of the service in the relay protection information processing system according to the normal behavior model, if the message does not accord with the normal behavior model, it is determined that the service logic attack sent by the protection event exists, and the unit takes the detection result as an output end of the service logic attack detection module 500.
The recording briefing sending service detecting unit 504 is configured to detect whether an attack exists in the recording briefing sending service.
In one embodiment, a normal behavior model of the service for sending the record briefing is established, attack behavior detection is performed on the traffic data of the service in the relay protection information processing system according to the normal behavior model, if the message does not accord with the normal behavior model, it is determined that the record briefing sends the service logic attack, and the unit takes the detection result as an output end of the service logic attack detection module 500.
The customized operation service detection unit 505 is configured to detect whether an attack behavior exists in the fixed value operation service.
In one embodiment, a normal behavior model of a fixed-value operation service is established, attack behavior detection is performed on traffic data of the service in the relay protection information processing system according to the normal behavior model, if a message does not accord with the normal behavior model, it is determined that a customized operation service logic attack exists, and the unit takes a detection result as an output end of the service logic attack detection module 500.
The total call service detection unit 506 is configured to detect whether an attack exists in the total call service.
In one embodiment, a normal behavior model of the total calling service is established, attack behavior detection is performed on traffic data of the service in the relay protection information processing system according to the normal behavior model, if the message does not accord with the normal behavior model, it is determined that a total calling service logic attack exists, and the unit takes the detection result as an output end of the service logic attack detection module 500.
The universal file transmission service detection unit 507 is configured to detect whether an attack exists in the universal file transmission service.
In one embodiment, a normal behavior model of the general file transmission service is established, attack behavior detection is performed on traffic data of the service in the relay protection information processing system according to the normal behavior model, if the message does not accord with the normal behavior model, it is determined that a general file transmission service logic attack exists, and the unit takes the detection result as an output end of the service logic attack detection module 500.

Claims (9)

1. A method for monitoring attack behavior of a relay protection information processing system, characterized in that it comprises the following steps:
S1. Capture the traffic data packets of the relay protection information processing system in real time and extract the application-layer message of the current frame of traffic data;
S2. Perform field-level parsing of the application-layer message;
S3. Perform clock tampering attack detection on the parsed message: if the clock range, clock logic, clock synchronization or clock delay of the message does not match the normal clock characteristics, it is determined that a clock tampering attack exists; otherwise proceed to step S4;
S4. Perform malformed message attack detection on the parsed message: if the length field, type identifier, cause of transmission or information number of the message does not meet the protocol requirements, it is determined that a malformed message attack exists; otherwise proceed to step S5;
S5. Perform attack detection on the parsed message according to the service system to which it belongs: if the parsed message does not conform to the normal service model, it is determined that a service logic attack exists; otherwise the current frame of traffic data is determined to be normal traffic.
In step S3, the specific implementation of clock tampering attack detection on the parsed message comprises:
1) Determine whether the formula Yt ∈ [1970, 2069] holds; if not, a clock tampering attack is determined, otherwise proceed to step 2); where Yt denotes the year of the time stamp and yt denotes the value of the year identification byte of the time stamp;
2) Determine whether the formula holds; if not, a clock tampering attack is determined, otherwise proceed to step 3); where ∀ denotes the universal quantifier "for any", P is the application-layer message parsed in step S2, PDS denotes an IEC 60870-5-103 time synchronization message, Ag(P) denotes the value of the high 8 bits of the ASDU address of the message, F denotes hexadecimal 15 and H indicates that the value is hexadecimal;
3) Determine whether the formula holds; if not, a clock tampering attack is determined, otherwise proceed to step 4); where PDZ denotes one of the IEC 60870-5-103 alarm, remote-signal change and action event data upload messages, Tjs(P) denotes the time at which the substation received the event, and Tsj(P) denotes the time at which the event actually occurred;
4) Check whether the time period of the historical fault information uploaded by the substation is consistent with the time period of the historical fault information called by the master station; if the two are inconsistent, a clock tampering attack is determined, otherwise proceed to step 5);
5) Determine whether the formula holds; if not, a clock tampering attack is determined, otherwise proceed to step S4; where PXC denotes an IEC 60870-5-103 master-to-substation information transmission message, Tcs(P) denotes the information transmission time, Tmax denotes the maximum delay time, P1 denotes a relay protection device action information transmission message, P2 denotes a relay protection device analog measurement value transmission message, P3 denotes a relay protection device operating state transmission message, and P4 denotes a relay protection device setting value transmission message.
2. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that the specific implementation of malformed message attack detection on the parsed message comprises:
I) Determine whether the formula holds; if not, a malformed message attack is determined, otherwise proceed to step II); where PIEC103 denotes an IEC 60870-5-103 message, Fl(P) denotes the theoretical length of the message, and Ls(P) denotes the actual length of the message;
II) Determine whether the formula holds; if not, a malformed message attack is determined, otherwise proceed to step III);
III) Determine whether the formula holds; if not, a malformed message attack is determined, otherwise proceed to step IV); where Ft(P) denotes the value of the type identifier field of the message;
IV) Determine whether the formula holds; if not, a malformed message attack is determined, otherwise proceed to step V); where Fc(P) denotes the value of the cause of transmission field of the message;
V) Determine whether the formula holds; if not, a malformed message attack is determined, otherwise proceed to step S5; where Fi(P) denotes the value of the information number field of the message.
3. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that, in step S5, when the message belongs to the read-substation-configuration service, the specific implementation of attack detection on the parsed message comprises:
Determine whether the formula holds; if not, it is determined that a malicious interception attack on the configuration data exists; otherwise determine whether the formula holds; if not, it is determined that a data tampering attack exists, otherwise the current frame of traffic data is determined to be normal traffic; where PBT denotes a read-substation-configuration service message in the relay protection information processing system, Bn(P) denotes the number of headers uploaded by the substation, Bs denotes the total number of headers configured at the substation, Bzh(P) denotes the group number of each entry of the same group of header information, and Czh denotes the group number of the current group of header information.
4. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that, in step S5, when the message belongs to the protection event upload service, the specific implementation of attack detection on the parsed message comprises:
A) Determine whether the formula holds; if not, it is determined that a malicious tampering attack on double-point information exists, otherwise proceed to step B); where PBH denotes a protection event upload message in the relay protection information processing system, and Dpi(P) denotes the value of the double-point information;
B) Check whether the logic of consecutive frames is correct for switch position changes, action signals and pressure plate states: if the switch position is open/closed in the previous frame and still open/closed in the next frame, the action signal is reset/operated in the previous frame and still reset/operated in the next frame, or the pressure plate state is not engaged/engaged in the previous frame and still not engaged/engaged in the next frame, it is determined that a malicious opening and closing attack exists, otherwise proceed to step C);
C) Determine whether the formula holds; if not, it is determined that an illegal action event upload attack exists, otherwise the current frame of traffic data is determined to be normal traffic; where Lbh(P) denotes the type identifier of the protection event message, P5 denotes an alarm or switch position change event message, and P6 denotes an action event message.
5. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that, in step S5, when the message belongs to the recording briefing upload service, the specific implementation of attack detection on the parsed message comprises:
i) Determine whether the formula holds; if not, it is determined that a malicious tampering attack on the trip phase exists, otherwise proceed to step ii); where PLB denotes a recording briefing service message in the relay protection information processing system, Gxb(P) denotes the fault phase, and Zxb(P) denotes the trip phase;
ii) Determine whether the formula holds; if not, it is determined that a ground fault flag data tampering attack exists, otherwise proceed to step iii); where D3 denotes the value of the short-circuit ground fault flag of the message, D0 denotes the value of the phase A short-circuit fault flag, D1 denotes the value of the phase B short-circuit fault flag, and D2 denotes the value of the phase C short-circuit fault flag;
iii) Check whether the reclosing in the recording briefing is abnormal: if reclosing occurred after the fault but the reclosing time is 0, or no reclosing occurred but the reclosing time is not 0, it is determined that a reclosing time tampering attack exists, otherwise the current frame of traffic data is determined to be normal traffic.
6. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that, in step S5, when the message belongs to the setting-value operation service, the specific implementation of attack detection on the parsed message comprises:
Determine whether the logic Xg1→Xg2→Xg3→Xg4→Xg5→Xg6→Xg7→Xg8 holds; if not, it is determined that a malicious tampering attack on the setting values of the relay protection device exists, otherwise the current frame of traffic data is determined to be normal traffic; where Xg1 denotes the message calling the current active setting zone number of the device, Xg2 denotes the message in which the substation uploads the current active setting zone number of the device, Xg3 denotes the message in which the master station calls the device setting values, Xg4 denotes the message in which the substation uploads the device setting values, Xg5 denotes the message downloading setting values to the substation, Xg6 denotes the substation's response to the setting value download message, Xg7 denotes the execute setting modification message, and Xg8 denotes the substation's response to the setting modification message.
7. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that, in step S5, when the message belongs to the general call service, the specific implementation of attack detection on the parsed message comprises:
Determine whether the logic Zh1→Zh2→Zh3 holds; if not, it is determined that an illegal general call attack exists; otherwise determine whether the formula holds; if not, it is determined that an illegal general call attack exists, otherwise the current frame of traffic data is determined to be normal traffic; where Zh1 denotes the message with which the master station starts the general call, Zh2 denotes the information message uploaded by the substation, Zh3 denotes the general call end message, PZH denotes the general call service of the relay protection information processing system, Zhn denotes the number of information messages uploaded by the substation, Zhs denotes the number of substation devices, As denotes the ASDU address of the message, and H indicates that the value is hexadecimal.
8. The attack behavior monitoring method for a relay protection information processing system according to claim 1, characterized in that, in step S5, when the message belongs to the general file transfer service, the specific implementation of attack detection on the parsed message comprises:
Check whether the file name contains only directory names and wildcards; if it contains other illegal characters, it is determined that an illegal file upload attack exists; otherwise determine whether the formula holds; if not, it is determined that a file clock tampering attack exists, otherwise the current frame of traffic data is determined to be normal traffic; where PWJ denotes a file list upload message of the relay protection information processing system, Tlb(P) denotes the file list upload time, Cq denotes the query start time of the file list, and Cz denotes the query end time of the file list.
9. A computer device comprising a memory, a processor and a computer program stored in the memory, characterized in that the processor executes the computer program to implement the steps of the method according to any one of claims 1 to 8.
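The service-logic checks of claims 4 (consecutive-frame state logic), 5 (reclosing consistency), 6 and 7 (required message order), as an added Python example that is not the patent's own code. The labels Xg1..Xg8 and Zh1..Zh3 follow the claims; the strict-order reading of the "A→B→C" chain, the (point, state) frame layout and all sample values are assumptions made for illustration.

```python
"""Service-logic detectors for relay protection traffic (constructed example)."""
from typing import Iterable, List, Sequence, Tuple

# Message orders required by claims 6 and 7 (labels taken from the claims).
SETTING_VALUE_SEQUENCE = ("Xg1", "Xg2", "Xg3", "Xg4", "Xg5", "Xg6", "Xg7", "Xg8")
GENERAL_CALL_SEQUENCE = ("Zh1", "Zh2", "Zh3")


def check_sequence(observed: Sequence[str], expected: Sequence[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for one exchange.

    Assumption: the chain holds only when every observed message is the next
    expected step and the exchange runs to completion; a skipped, reordered,
    truncated or extra step is flagged (claims 6 and 7).
    """
    for pos, label in enumerate(observed):
        if pos >= len(expected):
            return False, f"unexpected extra message {label!r} after {expected[-1]!r}"
        if label != expected[pos]:
            return False, f"expected {expected[pos]!r} at position {pos}, got {label!r}"
    if len(observed) < len(expected):
        return False, f"exchange stopped before {expected[len(observed)]!r}"
    return True, "sequence complete and in order"


def check_state_transitions(frames: Iterable[Tuple[str, str]]) -> List[str]:
    """Claim 4 step B: two consecutive frames reporting the same state for the
    same point (open/open, operated/operated, engaged/engaged) report a change
    that did not happen and are flagged as a malicious opening/closing attack.
    Frames are (point_name, state) pairs in arrival order (assumed layout)."""
    last_state = {}
    alerts = []
    for point, state in frames:
        if last_state.get(point) == state:
            alerts.append(f"{point}: repeated state {state!r} without a real change")
        last_state[point] = state
    return alerts


def reclosing_consistent(reclosed: bool, reclose_time_ms: int) -> bool:
    """Claim 5 step iii: reclosing present with a zero reclosing time, or absent
    with a non-zero reclosing time, indicates reclosing-time tampering."""
    return reclosed == (reclose_time_ms != 0)


if __name__ == "__main__":
    # Constructed exchanges: a complete setting-value operation and one where
    # the download (Xg5) arrives without the preceding call/upload of settings.
    print(check_sequence(SETTING_VALUE_SEQUENCE, SETTING_VALUE_SEQUENCE))
    print(check_sequence(("Xg1", "Xg2", "Xg5"), SETTING_VALUE_SEQUENCE))
    # A general call that never receives the end message.
    print(check_sequence(("Zh1", "Zh2"), GENERAL_CALL_SEQUENCE))
    # Constructed switch-position frames: the second "closed" is not a change.
    print(check_state_transitions([("CB1", "open"), ("CB1", "closed"), ("CB1", "closed")]))
    # Reclosing reported with a zero time.
    print(reclosing_consistent(True, 0))
```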
CN202111675512.4A 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system Active CN114825607B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111675512.4A CN114825607B (en) 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111675512.4A CN114825607B (en) 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system

Publications (2)

Publication Number Publication Date
CN114825607A CN114825607A (en) 2022-07-29
CN114825607B true CN114825607B (en) 2024-11-26

Family

ID=82527096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111675512.4A Active CN114825607B (en) 2021-12-31 2021-12-31 Attack behavior monitoring method and device for relay protection information processing system

Country Status (1)

Country Link
CN (1) CN114825607B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115913784B (en) * 2023-01-05 2023-08-08 阿里巴巴(中国)有限公司 Network attack defense system, method and device and electronic equipment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN101316051A (en) * 2008-07-03 2008-12-03 绍兴电力局 Internetwork communication log analysis system and method based on IEC61850 transforming plant automatization system
CN210578609U (en) * 2019-10-25 2020-05-19 国网湖北省电力有限公司电力科学研究院 Ethernet photoelectric digital signal detection device based on real-time clock

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8666801B2 (en) * 2006-06-06 2014-03-04 ErgonoTech, Inc. Long-range location-specific menu-driven mobile payment platform mounted on vehicle dashtop

Also Published As

Publication number Publication date
CN114825607A (en) 2022-07-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant