
CN118200019B - Network event security monitoring method and system - Google Patents

Network event security monitoring method and system

Info

Publication number
CN118200019B
Authority
CN
China
Prior art keywords
data
node
network
power network
defense
Prior art date
Legal status
Active
Application number
CN202410443479.XA
Other languages
Chinese (zh)
Other versions
CN118200019A (en)
Inventor
卢萍
张勇
冯浩
郭峰
邱爽
焦翰琳
张先飞
张�雄
童永飞
张晨燕
周煜廷
黄诚轩
廖荣涛
刘芬
王逸兮
罗弦
叶宇轩
董亮
黄俊东
余铮
冯伟东
代静
袁慧
詹伟
Current Assignee
Information and Telecommunication Branch of State Grid Hubei Electric Power Co Ltd
Original Assignee
Information and Telecommunication Branch of State Grid Hubei Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Information and Telecommunication Branch of State Grid Hubei Electric Power Co Ltd
Priority to CN202410443479.XA
Publication of CN118200019A
Application granted
Publication of CN118200019B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
    • H04L63/1416 Detecting or protecting against malicious traffic by monitoring network traffic: event detection, e.g. attack signature detection
    • H04L63/1425 Detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
    • H04L63/1433 Detecting or protecting against malicious traffic: vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/205 Managing network security involving negotiation or determination of the network security mechanisms to be used, e.g. by negotiation between client and server or between peers, or by selection according to the capabilities of the entities involved
    • H04L9/40 Cryptographic mechanisms or arrangements for secret or secure communications: network security protocols
    • Y04S40/20 Smart-grid systems using communication or information technologies: information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of data security technology, and in particular to a network event security monitoring method and system. The method comprises: acquiring power network node data; collecting power network information data according to the node data, thereby obtaining raw node traffic data; performing distributed traffic identification on the raw node traffic data to generate distributed traffic identification data; performing abnormal node detection on the distributed traffic identification data to generate power network abnormal node data; and performing potential threat detection and analysis on the abnormal node data to generate power network potential threat events. By identifying abnormal nodes in network events and constructing defense strategies for multiple levels of attack type, the invention improves the comprehensiveness and adaptability of network security protection.

Description

A network event security monitoring method and system

Technical Field

The present invention relates to the field of data security technology, and in particular to a network event security monitoring method and system.

Background Art

With the expansion of power systems, the construction of high-voltage transmission lines and power plants became the focus of development. At that stage, safety detection methods began to address power system stability and short-circuit protection, so that the system could keep operating under abnormal conditions. With the continued development of data mining and artificial intelligence, power system security detection entered a new stage: data-driven methods, including machine learning and deep learning, gradually became mainstream. These methods identify patterns and anomalies in large volumes of real-time data and improve the accuracy and efficiency of detection. Internet of Things technology lets power system devices interconnect more fully, and edge computing makes data processing faster and more effective, so detection methods are moving toward real-time, distributed designs that detect and respond to events at every node of the system. However, current methods still tend to rely on static rules or historical-data baselines for abnormal node detection and threat analysis. Bound to fixed rules and patterns, they cannot respond effectively to new kinds of threat, and they often lack comprehensiveness and timeliness in threat event discrimination and strategy defense, leaving the network's overall protection capability insufficient.

Summary of the Invention

Based on this, it is necessary to provide a network event security monitoring method and system that solves at least one of the above technical problems.

To achieve the above object, a network event security monitoring method is provided, comprising the following steps:

Step S1: acquire power network node data; collect power network information data according to the node data, thereby obtaining raw node traffic data; perform distributed traffic identification on the raw node traffic data to generate distributed traffic identification data;

Step S2: perform abnormal node detection on the distributed traffic identification data to generate power network abnormal node data; perform potential threat detection and analysis on the abnormal node data to generate power network potential threat events;

Step S3: perform threat event discrimination on the potential threat events to generate power network threat discrimination events, which include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events; apply strategy defense to the threat discrimination events to generate a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy;

Step S4: collect defense logs for the malware, phishing, DDoS attack, network intrusion and zero-day vulnerability attack defense strategies to obtain security defense log data; perform intelligent defense decision-making on the security defense log data to generate an intelligent defense decision plan.

By acquiring raw node traffic data and performing distributed traffic identification, the invention enables real-time monitoring and detection of the power network, helps discover abnormal nodes and potential threat events promptly, and improves network security. Abnormal node detection on the distributed traffic identification data in step S2 identifies nodes whose behaviour deviates from normal, exposing attacks or anomalies as they occur. Potential threat detection and analysis on the abnormal node data identifies potential threat events in the power network, giving advance warning of security threats and time to prepare further defenses. The potential threat events are then discriminated into power network threat discrimination events such as malware attacks, phishing, DDoS attacks, network intrusions and zero-day vulnerability attacks, and a defense strategy is generated for each so that each class of threat is met with a targeted response. Intelligent defense decision-making on the security defense log data uses real-time and historical data with machine learning or other artificial intelligence techniques to generate an intelligent defense decision plan, which automates and optimizes the defense process and improves the speed and efficiency of the security response. Generating malware, phishing, DDoS attack, network intrusion and zero-day vulnerability attack defense strategies forms a multi-level security defense system whose multi-dimensional capabilities reduce the risk posed by every type of threat. Collecting defense logs for the strategies records security events and the response process, providing data for later security audits and improvement. The invention therefore improves the comprehensiveness and adaptability of network security protection by identifying abnormal nodes in network events and constructing multi-level, attack-type-specific defense strategies.

This specification also provides a network event security detection system for executing the above network event security detection method. The system includes:

a distributed identification module for acquiring power network node data, collecting power network information data according to the node data to obtain raw node traffic data, and performing distributed traffic identification on the raw node traffic data to generate distributed traffic identification data;

a potential threat analysis module for performing abnormal node detection on the distributed traffic identification data to generate power network abnormal node data, and performing potential threat detection and analysis on the abnormal node data to generate power network potential threat events;

a strategy defense module for performing threat event discrimination on the potential threat events to generate power network threat discrimination events, which include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events, and for applying strategy defense to those events to generate a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy;

an intelligent decision-making module for collecting defense logs for the malware, phishing, DDoS attack, network intrusion and zero-day vulnerability attack defense strategies to obtain security defense log data, and for performing intelligent defense decision-making on the security defense log data to generate an intelligent defense decision plan.

The beneficial effect of the invention is that abnormal node detection and potential threat analysis on the distributed traffic identification data reveal abnormal nodes and potential threat events in the power network, so that attacks or anomalies are detected early and the network's security monitoring and response capability improves. Discriminating the potential threat events into threat discrimination events classifies and identifies the different threat types, so that specific defense strategies and measures can be taken: a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy. Defense log collection and intelligent defense decision-making use the security defense log data to generate targeted, intelligent defense plans and decision recommendations for handling threat events from real-time security logs and network state. The invention therefore improves the comprehensiveness and adaptability of network security protection by identifying abnormal nodes in network events and constructing multi-level, attack-type-specific defense strategies.

Brief Description of the Drawings

FIG. 1 is a schematic flow chart of the steps of a network event security monitoring method;

FIG. 2 is a schematic flow chart of the detailed implementation steps of step S2 in FIG. 1;

FIG. 3 is a schematic flow chart of the detailed implementation steps of step S24 in FIG. 2;

FIG. 4 is a schematic flow chart of the detailed implementation steps of step S3 in FIG. 1.

The realization of the purpose, functional features and advantages of the present invention will be further explained with reference to the embodiments and the accompanying drawings.

Detailed Description

The technical method of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of protection of the present invention.

In addition, the drawings are only schematic illustrations of the present invention and are not necessarily drawn to scale. The same reference numerals in the figures denote the same or similar parts, and their repeated description is omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. The functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor and/or microcontroller arrangements.

It should be understood that although the terms "first", "second" and so on may be used here to describe various units, these units are not limited by those terms; the terms only distinguish one unit from another. For example, without departing from the scope of the exemplary embodiments, a first unit could be called a second unit and, similarly, a second unit could be called a first unit. The term "and/or" as used here includes any and all combinations of one or more of the associated listed items.

To achieve the above purpose, and referring to FIG. 1 to FIG. 4, a network event security monitoring method includes the following steps:

Step S1: acquire power network node data; collect power network information data according to the node data, thereby obtaining raw node traffic data; perform distributed traffic identification on the raw node traffic data to generate distributed traffic identification data;

Step S2: perform abnormal node detection on the distributed traffic identification data to generate power network abnormal node data; perform potential threat detection and analysis on the abnormal node data to generate power network potential threat events;

Step S3: perform threat event discrimination on the potential threat events to generate power network threat discrimination events, which include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events; apply strategy defense to the threat discrimination events to generate a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy;

Step S4: collect defense logs for the malware, phishing, DDoS attack, network intrusion and zero-day vulnerability attack defense strategies to obtain security defense log data; perform intelligent defense decision-making on the security defense log data to generate an intelligent defense decision plan.


In an embodiment of the present invention, referring to FIG. 1, a schematic flow chart of the steps of the network event security monitoring method of the invention, the method includes the following steps:

Step S1: acquire power network node data; collect power network information data according to the node data, thereby obtaining raw node traffic data; perform distributed traffic identification on the raw node traffic data to generate distributed traffic identification data;

In an embodiment of the present invention, the topology of the power network is first determined, including the location of each node and the connections between them. Information about power network equipment and sensors, such as substations, distribution stations and power lines, is collected, and real-time monitoring data such as current, voltage and power is obtained. Data acquisition devices or sensors are deployed to collect the network's real-time data, and they are configured and managed so that node data is acquired accurately and stably, using traditional industrial protocols (such as Modbus or DNP3) or newer communication technologies (such as the Internet of Things or satellite links). Distributed traffic identification then marks and identifies the node traffic data for later anomaly detection and analysis: a suitable algorithm divides the node traffic data into reasonable blocks or traffic segments and generates a unique identifier for each block or segment. The accuracy and validity of the distributed traffic identifiers is verified so that subsequent anomaly detection and security analysis can rely on the identification data.
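The segment-and-identify procedure described above, as an added example that is not part of the patent or of the assignee's implementation. Node traffic records are grouped per node into fixed time windows (the "blocks or traffic segments"), and each segment receives a unique identifier computed as a SHA-256 over the node, the window boundary and the canonical segment content, so every collector in a distributed deployment derives the same identifier for the same traffic without coordinating. The record layout, the 60-second window and the sample records are constructed assumptions of this example:

```python
"""Distributed traffic identification for power-network node traffic.

Added example, not from the patent. Records are grouped into fixed time
windows per node and each segment gets a content-derived identifier.
"""
import hashlib
import json
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed segment length

# Constructed sample records: (timestamp, node_id, src, dst, protocol, bytes)
SAMPLE_RECORDS = [
    (1700000000, "sub-01", "10.1.1.5", "10.1.1.20", "modbus", 512),
    (1700000012, "sub-01", "10.1.1.5", "10.1.1.21", "modbus", 480),
    (1700000030, "sub-02", "10.1.2.7", "10.1.2.30", "dnp3", 1024),
    (1700000075, "sub-01", "10.1.1.5", "10.1.1.20", "modbus", 530),  # next window
    (1700000080, "sub-02", "10.1.2.7", "10.1.2.30", "dnp3", 990),
]


def window_start(ts, size=WINDOW_SECONDS):
    """Align a timestamp down to the start of its window."""
    return ts - (ts % size)


def segment_flows(records, size=WINDOW_SECONDS):
    """Group records by (node_id, window_start). Records inside a segment
    are sorted so the segment content is canonical regardless of the order
    in which a collector happened to see them."""
    segments = defaultdict(list)
    for rec in records:
        ts, node = rec[0], rec[1]
        segments[(node, window_start(ts, size))].append(rec)
    for recs in segments.values():
        recs.sort()
    return dict(segments)


def segment_id(node, start, recs):
    """SHA-256 over node, window start and canonical JSON of the records.
    Truncated to 128 bits, which is ample for a segment identifier."""
    canonical = json.dumps(recs, separators=(",", ":"), sort_keys=True)
    h = hashlib.sha256()
    h.update(f"{node}|{start}|".encode())
    h.update(canonical.encode())
    return h.hexdigest()[:32]


def identify_flows(records, size=WINDOW_SECONDS):
    """Return one identification entry per segment, ordered by node and
    window: identifier, node, window start, record count, byte total and
    the protocols seen. This is the 'distributed traffic identification
    data' consumed by the anomaly detection stage."""
    out = []
    for (node, start), recs in sorted(segment_flows(records, size).items()):
        out.append({
            "segment_id": segment_id(node, start, recs),
            "node": node,
            "window_start": start,
            "records": len(recs),
            "bytes": sum(r[5] for r in recs),
            "protocols": sorted({r[4] for r in recs}),
        })
    return out


if __name__ == "__main__":
    for entry in identify_flows(SAMPLE_RECORDS):
        print(entry)
```

Because the identifier is derived from content rather than from a counter, two collectors that see the same segment agree on its identifier, and an identifier that no longer matches the stored segment shows the records were altered in transit or at rest, which is the integrity check the later detection stages depend on.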

Step S2: perform abnormal node detection on the distributed traffic identification data to generate power network abnormal node data; perform potential threat detection and analysis on the abnormal node data to generate power network potential threat events;

In an embodiment of the present invention, abnormal nodes in the power network are detected with a suitable anomaly detection algorithm, for example a statistical, machine learning or deep learning method. Based on the distributed traffic identification data, the traffic characteristics of each node are analysed to identify nodes whose behaviour does not match normal behaviour, and thresholds or rules are set to decide which nodes are marked as abnormal. The abnormal node data is then compared against known threat libraries and attack patterns to determine the potential threat type, and threat intelligence and security expertise are used for behavioural analysis and pattern recognition to uncover unknown or emerging threats. Network topology analysis finds the relationships between abnormal nodes and other nodes to determine potential threat propagation paths. The detected abnormal nodes and threat types are combined into potential threat events for the power network, and each event is assessed for severity, scope of impact and urgency to determine the response and defense measures.
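An added example of the detection and propagation analysis in this step, written for this page and not taken from the patent. A statistical detector (modified z-score on the median and the median absolute deviation) flags nodes whose per-window traffic features sit far from the other nodes, and a bounded breadth-first search over the topology lists the nodes each flagged node can reach; the two results are combined into a potential threat event with a severity rating. The feature table, the topology, the 3.5 threshold, the hop limit and the severity rule are assumptions of this example:

```python
"""Abnormal node detection and propagation analysis (added example, not
from the patent). Median/MAD scoring is used so the single extreme node
cannot inflate the spread estimate the way it would with mean/std."""
from collections import deque
import statistics

THRESHOLD = 3.5   # conventional cutoff for the modified z-score (assumed)
MAX_HOPS = 3      # how far to trace propagation (assumed)

# Constructed per-node feature table for one window
SAMPLE_FEATURES = {
    "sub-01": {"bytes": 9800, "packets": 120, "peers": 3},
    "sub-02": {"bytes": 10200, "packets": 131, "peers": 3},
    "sub-03": {"bytes": 9600, "packets": 118, "peers": 2},
    "sub-04": {"bytes": 10500, "packets": 125, "peers": 4},
    "sub-05": {"bytes": 9900, "packets": 122, "peers": 3},
    "sub-06": {"bytes": 10100, "packets": 127, "peers": 3},
    "rtu-07": {"bytes": 482000, "packets": 6400, "peers": 41},  # talking to many peers
}

# Constructed topology as an undirected adjacency list
SAMPLE_TOPOLOGY = {
    "sub-01": ["sub-02", "rtu-07"],
    "sub-02": ["sub-01", "sub-03"],
    "sub-03": ["sub-02", "sub-04"],
    "sub-04": ["sub-03"],
    "sub-05": ["sub-06"],
    "sub-06": ["sub-05"],
    "rtu-07": ["sub-01"],
}


def modified_z_scores(values):
    """One score per value: 0.6745 * (x - median) / MAD. When the MAD is 0
    (most values identical, e.g. every node has 3 peers) fall back to the
    mean absolute deviation with its consistency constant instead of
    dividing by zero; if that is 0 too, nothing deviates and all scores are 0."""
    med = statistics.median(values)
    devs = [abs(v - med) for v in values]
    mad = statistics.median(devs)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = statistics.mean(devs)
    if mean_ad == 0:
        return [0.0 for _ in values]
    return [(v - med) / (1.253314 * mean_ad) for v in values]


def detect_abnormal_nodes(features, threshold=THRESHOLD):
    """Return {abnormal node: [(feature, score), ...]} for every feature
    whose |score| crosses the threshold; nodes with no hit are omitted."""
    nodes = list(features)
    flagged = {}
    for name in sorted({f for feats in features.values() for f in feats}):
        scores = modified_z_scores([features[n].get(name, 0) for n in nodes])
        for node, score in zip(nodes, scores):
            if abs(score) > threshold:
                flagged.setdefault(node, []).append((name, round(score, 2)))
    return flagged


def propagation_paths(start, topology, max_hops=MAX_HOPS):
    """Breadth-first search from an abnormal node: {reachable node: hops}
    for every node within max_hops, excluding the start node itself."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in topology.get(cur, []):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    del dist[start]
    return dist


def build_threat_events(features, topology):
    """One potential threat event per abnormal node with its reach and a
    severity. Severity rule (assumed): high if any |score| >= 10 or the
    node can reach 3 or more other nodes within MAX_HOPS, else medium."""
    events = []
    for node, hits in detect_abnormal_nodes(features).items():
        reach = propagation_paths(node, topology)
        top = max(abs(s) for _, s in hits)
        severity = "high" if top >= 10 or len(reach) >= 3 else "medium"
        events.append({"node": node, "features": hits,
                       "reach": reach, "severity": severity})
    return events


if __name__ == "__main__":
    for ev in build_threat_events(SAMPLE_FEATURES, SAMPLE_TOPOLOGY):
        print(ev)
```

With the sample data only rtu-07 is flagged, on all three features, and the search shows it can reach three substations within the hop limit while sub-05 and sub-06 are isolated from it; a mean/standard-deviation score on the same data would have been pulled toward the outlier and the peer-count feature would have divided by zero without the fallback.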

Step S3: perform threat event discrimination on the power network potential threat events to generate power network threat discrimination events, wherein the power network threat discrimination events include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events; perform strategic defense on the power network threat discrimination events to generate a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy;

In an embodiment of the present invention, threat events are discriminated from the characteristics and behavior patterns of the potential threat events using machine learning, behavior analysis or a rule engine. A YARA rule library is used to identify malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events. Combined with real-time monitoring and log analysis, the traffic, behavior and events of the power network are verified and judged in real time. The discriminated threat events are matched against and updated with the power network potential threat events generated in step S2 to ensure accurate threat event discrimination. For each kind of discriminated threat event, a corresponding defense strategy is formulated, namely a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy. For malware attack events, protective measures such as anti-virus software, firewalls and anti-malware tools are used to detect, isolate and remove the malware. For phishing events, security awareness training is strengthened, and anti-phishing technology and anti-phishing policies are used to identify and block phishing attacks. For DDoS attack events, defense measures such as traffic scrubbing, rate limiting, intrusion detection and load balancing are implemented to mitigate the impact of the attack. For network intrusion events, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed to detect and block intrusions promptly, and security patches are applied promptly to fix vulnerabilities. For zero-day vulnerability attack events, an emergency response team is established to track and respond to newly discovered vulnerabilities promptly and to carry out patch management and vulnerability remediation.

Step S4: collect defense logs for the malware defense strategy, the phishing defense strategy, the DDoS attack defense strategy, the network intrusion defense strategy and the zero-day vulnerability attack defense strategy to obtain security defense log data; perform intelligent defense decision making on the security defense log data to generate an intelligent defense decision plan.

In an embodiment of the present invention, security devices and systems, specifically firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and security information and event management (SIEM) systems, are configured so that they produce the corresponding defense log data. Logging is confirmed to be enabled on these devices and systems, with an appropriate log level and log format configured. A log collection server or central log management system is set up to collect, store and manage the defense log data centrally. The collected security defense log data is analyzed with security analysis and decision-support techniques to support intelligent analysis and decision making. IDS systems such as Snort and Suricata, together with malware signature libraries, are used to detect and analyze malware behavior, phishing attacks, DDoS attacks, network intrusions and zero-day vulnerability attacks. Based on the analysis results, intelligent defense decisions are generated, including automated response, alert generation, isolation of malicious behavior, blocking of attack source IP addresses or coordination of manual intervention. Combined with business requirements and security risk assessment, suitable intelligent defense strategies and decision plans are formulated to provide effective security protection and response.
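The decision step described above, as an added example that is not part of the patent's own implementation: a small Python rule engine that parses constructed defense log lines (a simplified `ts key=value ...` form, not the real alert format of Snort, Suricata or any other product), correlates intrusion alerts per source address in a sliding window and maps each event category to one of the response kinds the paragraph lists (automated blocking, host isolation, alerting, or hand-off to an analyst for zero-day cases). The log lines, category names, the three-alert threshold and the action names are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed defense log lines in a simplified "ts key=value ..." form
# (illustrative only; not the real alert format of any product).
DEFENSE_LOGS = [
    "2024-04-01T10:00:01Z dev=ids src=203.0.113.10 dst=10.1.0.9 cat=intrusion sig=unauth_write_probe",
    "2024-04-01T10:00:40Z dev=ids src=203.0.113.10 dst=10.1.0.9 cat=intrusion sig=unauth_write_probe",
    "2024-04-01T10:01:15Z dev=ids src=203.0.113.10 dst=10.1.0.11 cat=intrusion sig=unauth_control_cmd",
    "2024-04-01T10:02:00Z dev=av src=10.1.0.21 dst=10.1.0.21 cat=malware sig=known_dropper_match",
    "2024-04-01T10:02:30Z dev=fw src=198.51.100.5 dst=10.1.0.9 cat=ddos sig=syn_flood",
    "2024-04-01T10:03:00Z dev=ids src=203.0.113.44 dst=10.1.0.9 cat=intrusion sig=unauth_write_probe",
    "2024-04-01T10:03:10Z dev=siem src=10.1.0.30 dst=10.1.0.9 cat=zero_day sig=unknown_exploit_pattern",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_text, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def decide(lines, intrusion_threshold=3, window=timedelta(minutes=5)):
    """Map defense log lines to (action, target) decisions.

    Rules (assumptions for illustration):
      malware   -> isolate the affected host
      intrusion -> alert on the source; block it once `intrusion_threshold`
                   alerts from the same source fall inside `window`
      ddos      -> divert the target's traffic to scrubbing
      zero_day  -> escalate to a human analyst (no automated change)
      other     -> plain alert
    Each (action, target) pair is emitted at most once.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    decisions, emitted = [], set()
    recent = defaultdict(list)  # source IP -> timestamps of recent intrusion alerts

    def emit(action, target):
        if (action, target) not in emitted:
            emitted.add((action, target))
            decisions.append((action, target))

    for e in events:
        cat = e.get("cat", "unknown")
        if cat == "malware":
            emit("isolate_host", e["dst"])
        elif cat == "intrusion":
            times = recent[e["src"]]
            times.append(e["ts"])
            while times and e["ts"] - times[0] > window:  # drop alerts outside the window
                times.pop(0)
            if len(times) >= intrusion_threshold:
                emit("block_source_ip", e["src"])
            else:
                emit("alert", e["src"])
        elif cat == "ddos":
            emit("divert_to_scrubbing", e["dst"])
        elif cat == "zero_day":
            emit("escalate_to_analyst", e.get("sig", "unknown"))
        else:
            emit("alert", e.get("sig", "unknown"))
    return decisions


if __name__ == "__main__":
    for action, target in decide(DEFENSE_LOGS):
        print(f"{action:22s} {target}")
```

The window and threshold are the knobs that keep the engine from blocking a source on a single false positive; a single intrusion alert only raises an alert, and zero-day indications are deliberately never turned into an automated change.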

Preferably, step S1 comprises the following steps:

Step S11: acquire power network node data;

Step S12: deploy distributed sensing nodes according to the power network node data to obtain distributed power network sensing nodes; collect power network information data by means of the distributed power network sensing nodes to obtain node traffic raw data, wherein the power network information data collection includes packet parsing, packet filtering and packet sniffing;

Step S13: preprocess the node traffic raw data to generate standard node traffic raw data, wherein the data preprocessing includes data cleaning, missing-value filling and data standardization;

Step S14: perform distributed traffic identification on the standard node traffic raw data to generate distributed traffic identification data.

By deploying distributed sensing nodes in the power network, the present invention can collect and monitor data from multiple nodes, which improves the sensing capability and data coverage of the power network. Collecting information data through the distributed power network sensing nodes yields node traffic raw data; this raw data contains real-time information about the power network and is of great significance for monitoring and analyzing the power system. The node traffic raw data is preprocessed, including data cleaning, missing-value filling and data standardization; preprocessing improves the quality and accuracy of the data and provides a reliable data basis for subsequent analysis and processing. Distributed traffic identification is performed on the standard node traffic raw data to generate distributed traffic identification data; the identifiers can be used to recognize and track traffic characteristics in the power network, supporting network performance analysis, anomaly detection and fault diagnosis.

In an embodiment of the present invention, the topology and node information of the power network, such as substations, power plants, transmission lines and distribution equipment, are collected, and real-time status data of the nodes, such as current, voltage and power, is obtained. According to the power network node data, the deployment locations of the distributed sensing nodes are determined, taking coverage and data collection requirements into account. The sensing nodes are deployed and connected to the power network so that data is collected reliably. The sensing nodes capture and collect node traffic raw data from the power network by packet parsing, packet filtering and packet sniffing. Data cleaning is performed, including removing outliers, noisy data and duplicate data, to ensure the accuracy and consistency of the data. Missing values are handled by an interpolation-based filling strategy that fills in the missing data items. Data standardization converts the node traffic data into a standard data format that conforms to a given specification and range, which facilitates subsequent analysis and processing. Based on the standard node traffic raw data, a Bloom filter data structure is used to generate the distributed traffic identification. The distributed traffic identification may include information such as traffic characteristics, traffic behavior and traffic attributes, and is used to recognize, classify and analyze node traffic.
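The preprocessing and Bloom filter steps of this embodiment, as an added Python example that is not the patent's own code: `preprocess` performs the step S13 operations on constructed flow records (duplicate removal, median fill of a missing byte count, min-max scaling), and `build_flow_identifier` registers each cleaned flow's key in a Bloom filter sized from an expected item count and false-positive rate, which is the compact, shareable structure sensing nodes can use to recognize flows already seen. The patent does not state the filter parameters, the hash construction or the shape of the flow key; the SHA-256 double-hashing scheme, the `src>dst/proto/dport` key and the sample records are assumptions.

```python
import hashlib
import math
from statistics import median

# Constructed flow records as a sensing node might emit them (illustrative only).
SAMPLE_FLOWS = [
    {"src": "10.1.0.5", "dst": "10.1.0.9", "proto": "tcp", "dport": 502, "bytes": 120},
    {"src": "10.1.0.5", "dst": "10.1.0.9", "proto": "tcp", "dport": 502, "bytes": 120},   # exact duplicate
    {"src": "10.1.0.7", "dst": "10.1.0.9", "proto": "tcp", "dport": 502, "bytes": None},  # missing value
    {"src": "10.1.0.9", "dst": "10.1.0.20", "proto": "udp", "dport": 2404, "bytes": 640},
    {"src": "10.1.0.3", "dst": "10.1.0.9", "proto": "tcp", "dport": 20000, "bytes": 80},
]


def preprocess(records):
    """Step S13 as assumed here: drop exact duplicates, fill a missing byte count
    with the median of the known ones, and min-max scale bytes into 'bytes_norm'."""
    seen, clean = set(), []
    for r in records:
        key = tuple(sorted(r.items()))  # keys are unique, so only keys are compared
        if key not in seen:
            seen.add(key)
            clean.append(dict(r))
    known = [r["bytes"] for r in clean if r["bytes"] is not None]
    fill = median(known) if known else 0
    for r in clean:
        if r["bytes"] is None:
            r["bytes"] = fill
    lo, hi = min(r["bytes"] for r in clean), max(r["bytes"] for r in clean)
    for r in clean:
        r["bytes_norm"] = 0.0 if hi == lo else (r["bytes"] - lo) / (hi - lo)
    return clean


class BloomFilter:
    """Bloom filter sized from an expected item count and a target false-positive rate."""

    def __init__(self, expected_items, fp_rate):
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)  # bits
        self.k = max(1, round(self.m / expected_items * math.log(2)))              # hashes
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key):
        # Double hashing h1 + i*h2 over one SHA-256 digest (assumption; any good hash works).
        digest = hashlib.sha256(key.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


def flow_key(record):
    """Identifier string for one flow (assumed shape: src>dst/proto/dport)."""
    return f"{record['src']}>{record['dst']}/{record['proto']}/{record['dport']}"


def build_flow_identifier(records, expected_items=1000, fp_rate=0.01):
    """Step S14 as assumed here: one Bloom filter holding every cleaned flow key."""
    bf = BloomFilter(expected_items, fp_rate)
    for r in preprocess(records):
        bf.add(flow_key(r))
    return bf


if __name__ == "__main__":
    ident = build_flow_identifier(SAMPLE_FLOWS)
    print(f"{ident.m} bits, {ident.k} hashes")
    print(flow_key(SAMPLE_FLOWS[2]) in ident, "10.1.0.99>10.1.0.9/tcp/502" in ident)
```

A Bloom filter never produces false negatives, so a flow missing from the filter is certainly unseen; a hit is only probable, with the false-positive rate bounded by `fp_rate` as long as fewer than `expected_items` keys are inserted, which is why the filter must be sized for the real flow volume rather than for the sample.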

Preferably, step S14 comprises the following steps:

Step S141: perform network upload tracing on the standard node traffic raw data to obtain distributed power traffic transmission upload node data; perform upload frequency analysis on the distributed power traffic transmission upload node data to obtain distributed power traffic transmission upload frequency data;

Step S142: according to the distributed power traffic upload frequency data, compute the shortest transmission paths between adjacent nodes for the standard node traffic raw data to obtain adjacent-node shortest path data; according to the adjacent-node shortest path data, construct transmission closed-loop paths for the standard node traffic raw data to generate node transmission closed-loop paths;

Step S143: perform node upload activity analysis based on the node transmission closed-loop paths and the distributed power traffic transmission upload frequency data to generate node upload activity analysis data; compare the node upload activity analysis data with a preset node upload activity threshold, and when the node upload activity analysis data is greater than or equal to the preset node upload activity threshold, perform traffic identification on the corresponding standard node traffic raw data to generate distributed traffic identification data.

By performing network upload tracing on the standard node traffic raw data, the present invention can trace the transmission paths of power traffic, which helps to understand data flow in the power network and to discover potential transmission problems or anomalies. Upload frequency analysis of the distributed power traffic transmission upload node data yields the frequency with which each node uploads data; analyzing the upload frequency data reveals node activity and data transmission patterns and helps to monitor the data collection and transmission status of each node. According to the distributed power traffic upload frequency data, the shortest transmission paths between adjacent nodes can be computed; finding the shortest transmission paths optimizes data transmission efficiency and reduces energy consumption and network latency. Based on the adjacent-node shortest path data, node transmission closed-loop paths can be constructed; establishing transmission closed-loop paths improves the reliability and security of data transmission and prevents data leaks and transmission anomalies. Analyzing node upload activity from the node transmission closed-loop paths and the distributed power traffic transmission upload frequency data helps to understand the upload behavior and activity level of each node and to identify the main traffic transmission nodes for subsequent data processing and analysis. The node upload activity analysis data is compared with the preset node upload activity threshold, and when it reaches or exceeds the threshold, the corresponding standard node traffic raw data is tagged with a traffic identifier; this marks the important nodes and traffic data and provides a basis for subsequent analysis, monitoring and control.

In an embodiment of the present invention, standard node traffic raw data is collected and subjected to network upload tracing analysis, which may use network monitoring tools or techniques to determine the origin and path of the data traffic. Network upload tracing yields the distributed power traffic transmission upload node data. Upload frequency analysis is performed on this node data; statistical methods or data mining techniques may be used to analyze the frequency and pattern of node data uploads, yielding the distributed power traffic transmission upload frequency data. Using the distributed power traffic upload frequency data, the shortest transmission paths between adjacent nodes are computed for the standard node traffic raw data; a graph algorithm such as a shortest path algorithm may be used to find the shortest transmission path between nodes. According to the adjacent-node shortest path data, transmission closed-loop paths are constructed for the standard node traffic raw data; a transmission closed-loop path may be established by determining closed-loop paths between nodes so that data circulates through the network. Node upload activity analysis is performed based on the node transmission closed-loop paths and the distributed power traffic transmission upload frequency data; statistical analysis may be used to compute the node upload activity and generate the node upload activity analysis data. The node upload activity analysis data is compared with the preset node upload activity threshold. If the node upload activity analysis data is greater than or equal to the preset node upload activity threshold, traffic identification is performed on the corresponding standard node traffic raw data, and distributed traffic identification data is generated that marks the highly active nodes and their traffic data.
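Steps S141 to S143 carried through on constructed data, as an added Python example that is not the patent's own code: upload frequency is counted per node from a constructed upload trace, shortest transmission paths are computed with Dijkstra's algorithm over a constructed weighted topology, and node upload activity is scored and compared with a preset threshold. The patent does not define the activity measure or the closed-loop construction; here activity is assumed to be the upload rate scaled by how many shortest paths the node relays (so a frequent uploader that also sits on many transmission paths scores highest), and the closed-loop step is not reproduced. The topology, the upload trace and the threshold are assumptions.

```python
import heapq
from collections import Counter

# Constructed substation-level topology: undirected links with a transmission cost.
TOPOLOGY = {
    "sub_A": {"sub_B": 1, "sub_C": 4},
    "sub_B": {"sub_A": 1, "sub_C": 1, "sub_D": 5},
    "sub_C": {"sub_A": 4, "sub_B": 1, "sub_D": 1},
    "sub_D": {"sub_B": 5, "sub_C": 1},
}
# Constructed upload trace: (seconds since window start, node that uploaded).
UPLOADS = [(0, "sub_A"), (60, "sub_B"), (120, "sub_B"), (180, "sub_B"), (240, "sub_C"),
           (300, "sub_B"), (360, "sub_A"), (420, "sub_B"), (480, "sub_C"), (540, "sub_D")]
WINDOW_S = 600


def upload_frequency(uploads, window_s):
    """Step S141: uploads per minute for every node seen in the trace."""
    counts = Counter(node for _, node in uploads)
    return {node: c / (window_s / 60) for node, c in counts.items()}


def dijkstra(graph, src):
    """Shortest-path tree from src; returns (distance, predecessor) maps."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def shortest_path(graph, src, dst):
    """Step S142: the node sequence of the cheapest path from src to dst."""
    _, prev = dijkstra(graph, src)
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def transit_counts(graph):
    """How many shortest paths (over all ordered node pairs) pass through each node."""
    counts = Counter()
    for s in graph:
        for t in graph:
            if s != t:
                for mid in shortest_path(graph, s, t)[1:-1]:
                    counts[mid] += 1
    return counts


def upload_activity(graph, uploads, window_s):
    """Step S143 score (assumed): upload rate x (1 + shortest paths relayed)."""
    freq, transit = upload_frequency(uploads, window_s), transit_counts(graph)
    return {n: freq.get(n, 0.0) * (1 + transit.get(n, 0)) for n in graph}


def tag_active_nodes(graph, uploads, window_s, threshold):
    """Nodes whose activity reaches the preset threshold and therefore get tagged."""
    activity = upload_activity(graph, uploads, window_s)
    return sorted(n for n, a in activity.items() if a >= threshold)


if __name__ == "__main__":
    print(upload_activity(TOPOLOGY, UPLOADS, WINDOW_S))
    print("tagged:", tag_active_nodes(TOPOLOGY, UPLOADS, WINDOW_S, 0.9))
```

On this topology sub_B and sub_C relay every path between the ends of the network, so they are tagged while sub_A, which uploads as often as sub_C but relays nothing, stays below the threshold.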

Preferably, step S2 comprises the following steps:

Step S21: perform abnormal node detection on the distributed traffic identification data to generate power network abnormal node data;

Step S22: explore abnormal association relationships based on the power network abnormal node data to generate an abnormal association matrix;

Step S23: model a complex network structure from the power network abnormal node data and the abnormal association matrix to generate a power network complex network structure; embed the power network complex network structure into a low-dimensional vector space to generate a power network anomaly graph;

Step S24: use the power network anomaly graph to perform potential threat detection and analysis on the power network abnormal node data to generate power network potential threat events.

By performing abnormal node detection on the distributed traffic identification data, the present invention can effectively identify nodes in the power network that are abnormal or behave abnormally, which helps to discover and respond to faults, attacks or other anomalies in the network as early as possible and to prevent potential network threats. From the power network abnormal node data, an abnormal association matrix can be built by analyzing the abnormal association relationships between nodes; this helps to understand the interactions and dependencies between nodes in the power network and further reveals potential anomaly or risk propagation paths. Using the power network abnormal node data and the abnormal association matrix, a complex network structure of the power network can be constructed, which helps to understand the overall structure and properties of the power network, identifies important nodes and critical paths, and supports network management and risk assessment. Embedding the power network complex network structure into a low-dimensional vector space maps the nodes of the network into a low-dimensional space while preserving the relationships and similarities between nodes. Generating the power network anomaly graph displays the abnormal nodes, abnormal associations and threat events in the network more intuitively and helps analysts understand the network state and threat situation. Using the power network anomaly graph, potential threat detection and analysis can be performed on the power network abnormal node data. Identifying potential threat events in the network lets network managers take appropriate measures to mitigate risks, strengthen network security protection and ensure the normal operation of the power system.

As an example of the present invention, referring to FIG. 2, step S2 in this example comprises:

Step S21: perform abnormal node detection on the distributed traffic identification data to generate power network abnormal node data;

In an embodiment of the present invention, the traffic identification data of the power network is acquired; the data includes information such as the status, power, voltage and current of the power equipment, and may be obtained from sensors, monitoring equipment or smart meters. The acquired data is preprocessed, including data cleaning, noise removal and missing-value handling, which improves the quality and accuracy of the data. Useful features are extracted from the preprocessed data; the features are specifically indicators of the power equipment, such as power factor, frequency and harmonics, and selecting appropriate features improves the effectiveness of abnormal node detection. An abnormal node detection algorithm suitable for the power network is selected; common algorithms include statistical methods (such as mean and standard deviation), machine learning methods (such as support vector machines and random forests) and deep learning methods (such as autoencoders and deep neural networks). The selected algorithm is used to analyze and process the data and to mark the abnormal nodes in the power network; abnormal nodes are specifically faulty equipment and current or voltage anomalies. The resulting abnormal node marks are matched with the original data to generate the power network abnormal node data, which includes the location, timestamp and anomaly type of each abnormal node.

Step S22: explore abnormal association relationships based on the power network abnormal node data to generate an abnormal association matrix;

In an embodiment of the present invention, the power network abnormal node data generated in step S21 is organized and prepared, making sure that it contains information about the abnormal nodes such as node identifier, anomaly type and timestamp. The definition of an abnormal association relationship is made explicit: according to the characteristics and requirements of the power network, association relationships between abnormal nodes are defined, which may be spatial associations (such as physical connections between devices), temporal associations (such as anomalies occurring at the same time) or functional associations (such as mutual influence between adjacent devices). Indicators for measuring the strength of an abnormal association are determined, specifically statistical indicators such as correlation coefficients and mutual information, and machine learning or graph-theoretic indicators such as graph structure similarity and node distance; choosing appropriate indicators quantifies the strength and relevance of the abnormal associations. Algorithms such as correlation analysis, cluster analysis and association rule mining are selected to help discover association patterns and regularities between abnormal nodes. From the results of the association exploration, an abnormal association matrix is constructed: the rows and columns of the matrix represent the abnormal nodes of the power network, and each element represents the association strength between a pair of nodes. The matrix may be stored as a dense two-dimensional matrix or a sparse matrix, chosen according to the network scale and computational requirements. The generated abnormal association matrix is analyzed and interpreted; matrix visualization, statistical analysis and graph-theoretic analysis reveal the association patterns, cluster structure and anomaly propagation paths between abnormal nodes.

Step S23: model a complex network structure from the power network abnormal node data and the abnormal association matrix to generate a power network complex network structure; embed the power network complex network structure into a low-dimensional vector space to generate a power network anomaly graph;

In an embodiment of the present invention, according to the characteristics of the power network, the abnormal nodes are taken as the nodes of the network, each node representing an abnormal event or abnormal device. The association strengths in the abnormal association matrix are used to turn the associations between nodes into edges of the network; a connection condition may be set using a threshold on the association strength so that only edges whose association strength exceeds the threshold are retained. According to actual needs, attributes such as node type and edge weight may be defined for the nodes and edges. The generated power network complex network structure is analyzed statistically: indicators such as the node degree distribution, clustering coefficient and average path length can be computed to understand the topological and structural characteristics of the network. A community detection algorithm is used to identify the community structure of the complex network; in a community structure, nodes within a community are densely connected while connections between communities are sparse, which helps to discover functional modules and anomaly propagation paths in the power network. Node and edge features are extracted from the complex network structure; graph-theoretic measures such as node centrality and local and global features can be used to quantify the importance of nodes and edges and their mutual relationships. A dimensionality reduction technique such as principal component analysis (PCA) or t-SNE is applied to map the high-dimensional features into a low-dimensional space, which reduces the dimensionality of the data while retaining its key structural information. Using the embedded low-dimensional features, the abnormal nodes and associations of the power network are visualized as a graph: nodes may be drawn with different shapes, colors and sizes to reflect the anomaly type or attributes of the node, and the thickness and color of an edge may indicate the association strength. The generated power network anomaly graph is analyzed and interpreted; observing the node distribution, cluster structure and anomaly propagation paths in the graph gives both the overall picture and the local details of abnormal behavior in the power network.

Step S24: use the power network anomaly graph to perform potential threat detection and analysis on the power network abnormal node data to generate power network potential threat events.

In an embodiment of the present invention, nodes with abnormal characteristics are identified according to their position and connections in the power network anomaly graph, these being abnormal nodes in key devices or systems; analyzing a node's position in the graph and its relationships with neighboring nodes allows its potential threat level to be evaluated. The feature vectors of the abnormal nodes in the low-dimensional vector space are combined with machine learning or deep learning methods to classify and detect abnormal nodes; a supervised learning algorithm such as a support vector machine (SVM) or a neural network may be used to train a model that distinguishes normal nodes from abnormal ones. According to the edges and connections in the power network anomaly graph, association paths between abnormal nodes are extracted; graph traversal algorithms such as depth-first search (DFS) or breadth-first search (BFS) may be used to obtain the shortest paths or path features between abnormal nodes. The abnormal associations are evaluated according to their strength, such as edge weight or degree of association; a threshold may be set, or a statistical measure such as a clustering coefficient or correlation coefficient used, to measure the importance of each abnormal association. Combining the characteristics of the abnormal nodes with the results of the association analysis, a threat assessment of the power network is carried out: specifically, the severity and potential impact of potential threat events are assessed from the importance of the abnormal nodes, the strength of the associations and the characteristics of the association paths, and the assessment results are converted into potential threat events of the power network. The potential threat events are classified, labeled and described to form a systematic threat event library, which records the cause, scope of impact and consequences of each event together with recommended response measures.
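Steps S22 to S24 carried through end to end on constructed data, as an added Python example that is not the patent's own code: a Pearson correlation matrix over per-node anomaly indicator series (the temporal association of step S22), a thresholded graph built from that matrix with a clustering coefficient per node (step S23, without the embedding and visualization), BFS propagation paths between abnormal nodes, and a ranked list of potential threat events (step S24). The indicator series, the 0.6 correlation threshold, the asset weight for the gateway and the scoring rule (abnormal rate x (1 + degree) x asset weight) are assumptions; the patent specifies none of them.

```python
import math
from collections import deque

# Constructed anomaly indicator series: 1 = node flagged abnormal in that 5-minute slot.
ABNORMAL_SERIES = {
    "rtu_1": [1, 1, 0, 1, 1, 0, 0, 1],
    "rtu_2": [1, 1, 0, 1, 1, 0, 0, 0],
    "ied_7": [0, 0, 1, 0, 0, 1, 1, 0],
    "gw_3":  [1, 1, 0, 1, 0, 0, 0, 1],
    "hmi_2": [0, 0, 1, 0, 0, 1, 1, 1],
}
ASSET_WEIGHT = {"gw_3": 2.0}  # constructed: the gateway counts double as a key device


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if either is constant)."""
    n, sx, sy = len(x), sum(x), sum(y)
    sxy = sum(a * b for a, b in zip(x, y))
    sxx, syy = sum(a * a for a in x), sum(b * b for b in y)
    den = math.sqrt((n * sxx - sx * sx) * (n * syy - sy * sy))
    return 0.0 if den == 0 else (n * sxy - sx * sy) / den


def correlation_matrix(series):
    """Step S22: abnormal association matrix; rows/columns in sorted node order."""
    names = sorted(series)
    return names, [[pearson(series[a], series[b]) for b in names] for a in names]


def build_graph(series, threshold):
    """Step S23: keep an edge only where the association strength reaches the threshold."""
    names, m = correlation_matrix(series)
    graph = {n: set() for n in names}
    for i, a in enumerate(names):
        for j, b in enumerate(names):
            if i < j and m[i][j] >= threshold:
                graph[a].add(b)
                graph[b].add(a)
    return graph


def clustering_coefficient(graph, node):
    """Fraction of a node's neighbour pairs that are themselves linked."""
    nb = sorted(graph[node])
    if len(nb) < 2:
        return 0.0
    links = sum(1 for i in range(len(nb)) for j in range(i + 1, len(nb)) if nb[j] in graph[nb[i]])
    return links / (len(nb) * (len(nb) - 1) / 2)


def bfs_paths(graph, start):
    """Step S24: shortest propagation path from start to every reachable abnormal node."""
    prev, queue = {start: None}, deque([start])
    while queue:
        u = queue.popleft()
        for v in sorted(graph[u]):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    paths = {}
    for target in prev:
        path = [target]
        while prev[path[-1]] is not None:
            path.append(prev[path[-1]])
        paths[target] = path[::-1]
    return paths


def threat_events(series, threshold, asset_weight):
    """Rank abnormal nodes into potential threat events (scoring rule is an assumption)."""
    graph = build_graph(series, threshold)
    events = []
    for node in graph:
        rate = sum(series[node]) / len(series[node])
        score = rate * (1 + len(graph[node])) * asset_weight.get(node, 1.0)
        events.append({"node": node, "score": score, "neighbors": sorted(graph[node]),
                       "clustering": clustering_coefficient(graph, node),
                       "propagation": bfs_paths(graph, node)})
    return sorted(events, key=lambda e: (-e["score"], e["node"]))


if __name__ == "__main__":
    for e in threat_events(ABNORMAL_SERIES, 0.6, ASSET_WEIGHT):
        print(f"{e['node']:6s} score={e['score']:.3f} reaches={sorted(e['propagation'])}")
```

The correlation threshold decides which associations become edges: at 0.6 the rtu_2/gw_3 pair (r = 0.5) is left out, so the graph splits into a substation group around rtu_1 and a separate ied_7/hmi_2 group, and a propagation path is only reported inside each group.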

Preferably, step S21 comprises the following steps:

Step S211: perform node send/receive ratio analysis on the distributed traffic identification data to obtain node send/receive ratio data; based on the node send/receive ratio, perform packet size analysis on the distributed traffic identification data to generate node sent packet size ratio data;

Step S212: based on the node send/receive ratio data and the node sent packet size ratio data, perform network transmission traffic rate change analysis on the distributed traffic identification data to generate node transmission traffic rate change ratio data;

Step S213: apply the node traffic feature ratio calculation formula to the node send/receive ratio data, the node sent-packet size ratio data and the node transmission rate change ratio data to obtain node traffic feature ratio data;

Step S214: compare the node traffic feature ratio data with a preset standard node traffic feature ratio; when the node traffic feature ratio data is greater than or equal to the preset standard node traffic feature ratio, generate power network abnormal node data.

By performing node send/receive ratio analysis on the distributed traffic identification data, the present invention obtains node send/receive ratio data, which shows how much data each node in the power network sends and receives and identifies nodes whose send/receive ratio is abnormal. Packet size analysis of the distributed traffic identification data based on the node send/receive ratio examines each node's packet sizes further and helps identify nodes with abnormal packet sizes. Using the node send/receive ratio data and the node sent-packet size ratio data to perform transmission rate change analysis on the distributed traffic identification data makes it possible to monitor changes in each node's transmission rate and detect nodes whose rate is abnormal; analyzing rate changes reveals anomalies early and keeps potential network problems from spreading. Applying the node traffic feature ratio calculation formula to the send/receive ratio data, the sent-packet size ratio data and the transmission rate change ratio data takes the node's traffic characteristics in several dimensions into account at once and produces node traffic feature ratio data; the traffic feature ratio gives a more complete evaluation of a node's traffic characteristics and exposes potential anomalies. Comparing the node traffic feature ratio data with the preset standard node traffic feature ratio, and generating power network abnormal node data when the former is greater than or equal to the latter, identifies abnormal nodes automatically, reduces subjective manual judgment and improves detection efficiency. Discovering and labeling abnormal nodes in time allows corresponding repair measures to be taken before the abnormal nodes cause further damage to the power network.

In an embodiment of the present invention, distributed traffic identification data is collected, including the amount of data sent and received by each node. The send/receive ratio of each node is analyzed with appropriate algorithms and tools to calculate per-node send/receive ratio data. Using the node send/receive ratio data, packet size analysis is performed on the distributed traffic identification data to generate node sent-packet size ratio data. Based on the node send/receive ratio data and the sent-packet size ratio data, the distributed traffic identification data is analyzed for network transmission rate changes, and appropriate algorithms and tools are used to calculate node transmission rate change ratio data. According to the predefined node traffic feature ratio calculation formula, the node traffic feature ratio is calculated from the node's send/receive ratio data, sent-packet size ratio data and transmission rate change ratio data; the weights and parameters in the formula are determined so that the node's traffic characteristics are evaluated accurately. The node traffic feature ratio data is compared with the preset standard node traffic feature ratio; if the node traffic feature ratio data is greater than or equal to the preset standard node traffic feature ratio, the node is considered an abnormal node of the power network. The resulting power network abnormal node data can be stored in a database or recorded and processed in other ways.

Preferably, the node traffic feature ratio calculation formula in step S213 is as follows:

Where R(t′) is the traffic feature ratio of the node at time t′; Fs(t′) is the ratio of the size of the packet sent by the node at time t′ to its maximum sent-packet size; Ds(t′) is the ratio of the change in the node's sent-packet transmission rate at time t′ to its maximum transmission rate; Dmax is the maximum transmission rate of the node; Ps(t′) is the send/receive ratio of the node at time t′; Pmax is the maximum send/receive ratio of the node; Fr(t′) is the ratio of the size of the packet received by the node at time t′ to its maximum received-packet size; Dr(t′) is the ratio of the change in the node's received-packet transmission rate at time t′ to its maximum transmission rate; t is the upper limit of the node detection time; Pr(t′) is the received-packet send/receive ratio of the node at time t′; and t′ is the time point.

The present invention analyzes and integrates a node traffic feature ratio calculation formula. The formula describes the influence of the node's sent-packet size ratio Fs(t′) and sent-packet transmission rate change ratio Ds(t′) on the node traffic feature ratio; weighting by the send/receive ratio Ps(t′) ensures that both the node's sent-packet size ratio and its transmission rate change ratio are properly considered, and the division normalizes the transmission rate change ratio so that it carries the same weight in the calculation as the sent-packet size ratio. The formula likewise describes the influence of the node's received-packet size ratio Fr(t′) and received-packet transmission rate change ratio Dr(t′) on the node traffic feature ratio; weighting by the received-packet send/receive ratio Pr(t′) ensures that both the node's received-packet size ratio and its transmission rate change ratio are properly considered, and the division again normalizes the transmission rate change ratio. The integral over time represents the cumulative influence of these two terms on the node traffic feature ratio within the time range. The formula thus accounts for the combined effect of the node's various inputs and state changes over a period of time on the traffic feature ratio, which is closer to the dynamic behavior of nodes in a real network. A conventional node traffic feature ratio calculation formula in the field yields the node's traffic feature ratio at time t′; the formula provided by the present invention calculates the node's traffic feature ratio at time t′ more precisely. The formula considers the node's sent- and received-packet size ratios, transmission rate change ratios and send/receive ratios together, and so provides a comprehensive evaluation of the node traffic feature ratio. Using the send/receive ratio to weight the sent- and received-packet size ratios and the transmission rate change ratios ensures that each factor is properly considered in the calculation. Dividing the transmission rate change ratios by their respective maxima normalizes them so that they carry the same weight in the calculation and no single factor dominates the result. Integrating over time takes the node's state changes over a period into account, so the result follows the actual trend of the node traffic feature ratio in the network more closely.
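A worked example of steps S211 to S214 together with the formula described above, written as added code that is not part of the patent. The patent's own formula is not reproduced on this page, so the combination used here is an assumed reading of the description: at each time point t′ the sent-side terms Fs(t′) + Ds(t′) are weighted by Ps(t′), the received-side terms Fr(t′) + Dr(t′) by Pr(t′), the send/receive ratios are clipped at Pmax and scaled to [0, 1], and the integral over the detection window is taken as a discrete average of those weighted terms. The node names, traffic samples, per-node maxima and the standard ratio of 1.0 are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Step:
    """One observation of a node at time point t' (constructed sample)."""
    t: int
    sent_bytes: int
    recv_bytes: int
    sent_pkt: int      # size of the packet sent at t'
    recv_pkt: int      # size of the packet received at t'
    sent_rate: float   # sent transmission rate at t'
    recv_rate: float   # received transmission rate at t'


@dataclass(frozen=True)
class NodeLimits:
    """Per-node maxima used for normalisation: packet maxima, Dmax and Pmax."""
    max_sent_pkt: int
    max_recv_pkt: int
    d_max: float   # Dmax: maximum transmission rate of the node
    p_max: float   # Pmax: maximum send/receive ratio of the node


def send_receive_ratio(sent: int, recv: int) -> float:
    """Ps(t'): bytes sent relative to bytes received (S211); guards against recv == 0."""
    return sent / max(recv, 1)


def feature_terms(prev: Step, cur: Step, lim: NodeLimits) -> Tuple[float, ...]:
    """Fs, Fr (packet size ratios), Ds, Dr (rate change over Dmax), and Ps, Pr
    (send/receive ratios clipped to Pmax and scaled to [0, 1]) for one time point."""
    fs = cur.sent_pkt / lim.max_sent_pkt
    fr = cur.recv_pkt / lim.max_recv_pkt
    ds = abs(cur.sent_rate - prev.sent_rate) / lim.d_max   # S212: rate change ratio
    dr = abs(cur.recv_rate - prev.recv_rate) / lim.d_max
    ps = min(send_receive_ratio(cur.sent_bytes, cur.recv_bytes), lim.p_max) / lim.p_max
    pr = min(send_receive_ratio(cur.recv_bytes, cur.sent_bytes), lim.p_max) / lim.p_max
    return fs, fr, ds, dr, ps, pr


def traffic_feature_ratio(steps: List[Step], lim: NodeLimits) -> float:
    """R(t) for the detection window (S213).

    ASSUMED reading of the patent's description (the exact formula is not on the page):
    sum over t' of Ps(t')*(Fs(t') + Ds(t')) + Pr(t')*(Fr(t') + Dr(t')), averaged over
    the window as a discrete stand-in for the integral up to t.
    """
    if len(steps) < 2:
        return 0.0
    total = 0.0
    for prev, cur in zip(steps, steps[1:]):
        fs, fr, ds, dr, ps, pr = feature_terms(prev, cur, lim)
        total += ps * (fs + ds) + pr * (fr + dr)
    return total / (len(steps) - 1)


def detect_abnormal_nodes(traffic: Dict[str, List[Step]], limits: Dict[str, NodeLimits],
                          standard_ratio: float) -> Dict[str, float]:
    """S214: nodes whose R(t) >= the preset standard ratio form the abnormal node data."""
    ratios = {node: traffic_feature_ratio(steps, limits[node]) for node, steps in traffic.items()}
    return {node: r for node, r in ratios.items() if r >= standard_ratio}


# Constructed traffic: rtu-01 behaves steadily, rtu-07 starts flooding outbound.
SAMPLE_LIMITS = {
    "rtu-01": NodeLimits(1000, 1000, 100.0, 4.0),
    "rtu-07": NodeLimits(1000, 1000, 100.0, 4.0),
}
SAMPLE_TRAFFIC = {
    "rtu-01": [Step(0, 100, 100, 500, 500, 50.0, 50.0),
               Step(1, 100, 100, 500, 500, 50.0, 50.0),
               Step(2, 100, 100, 500, 500, 50.0, 50.0)],
    "rtu-07": [Step(0, 100, 100, 500, 500, 50.0, 50.0),
               Step(1, 4000, 100, 1000, 500, 100.0, 50.0),
               Step(2, 8000, 100, 1000, 500, 100.0, 50.0)],
}
STANDARD_RATIO = 1.0   # constructed preset standard node traffic feature ratio

if __name__ == "__main__":
    for node, steps in SAMPLE_TRAFFIC.items():
        print(node, round(traffic_feature_ratio(steps, SAMPLE_LIMITS[node]), 4))
    print("abnormal:", sorted(detect_abnormal_nodes(SAMPLE_TRAFFIC, SAMPLE_LIMITS, STANDARD_RATIO)))
```

With these samples the steady node scores 0.25 while the flooding node scores about 1.25, so only rtu-07 crosses the constructed standard ratio; in practice the per-node maxima and the standard ratio are the tunable parameters the embodiment refers to.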

Preferably, step S24 includes the following steps:

Step S241: construct a threat behavior association graph from the power network abnormal node data using the power network anomaly graph to generate a network threat behavior graph; perform node centrality analysis on the network threat behavior graph to generate network node centrality indicators, where the network node centrality indicators include node degree centrality, node betweenness centrality and node closeness centrality;

Step S242: divide the power network anomaly graph into threat behavior communities according to node degree centrality, node betweenness centrality and node closeness centrality to generate network threat behavior community identification data; cluster the power network abnormal node data by similar behavior based on the network threat behavior community identification data to generate abnormal node behavior clustering data;

Step S243: perform threat path identification on the abnormal node behavior clustering data to generate threat behavior path identification data; perform threat behavior strong association analysis on the threat behavior path identification data to generate threat behavior key path identification data;

Step S244: perform potential threat association analysis on the power network abnormal node data according to the threat behavior key path identification data to generate power network potential threat events.

By constructing a threat behavior association graph and performing network node centrality analysis, the present invention generates a network threat behavior graph that helps visualize and understand threat behavior in the power network, improving the ability to identify and analyze abnormal nodes. The power network anomaly graph is divided into threat behavior communities according to indicators such as node degree centrality, node betweenness centrality and node closeness centrality; the abnormal nodes within each community are then clustered by similar behavior, which gives a better understanding of the threat behavior of different node clusters and helps uncover hidden threat patterns and trends. Threat path identification on the abnormal node behavior clustering data identifies potential threat behavior paths; the subsequent strong association analysis finds the key paths, that is, the threat behavior paths with the greatest influence and highest risk, so that effort can be concentrated on the key threats and the efficiency and accuracy of the security response improve. Potential threat association analysis of the power network abnormal node data using the threat behavior key path identification data helps discover hidden threat relationships between abnormal nodes and provides early warning and prevention of potential threat events.

As an example of the present invention, referring to FIG. 3, in this example step S24 includes:

Step S241: construct a threat behavior association graph from the power network abnormal node data using the power network anomaly graph to generate a network threat behavior graph; perform node centrality analysis on the network threat behavior graph to generate network node centrality indicators, where the network node centrality indicators include node degree centrality, node betweenness centrality and node closeness centrality;

In an embodiment of the present invention, power network abnormal node data is collected; it can be obtained from monitoring equipment, sensors or log data. The power network anomaly graph is then constructed from the association relationships between the abnormal nodes; graph theory and network analysis techniques and algorithms, such as graph databases or graph analysis tools, can be used to represent and process the anomaly graph. Using the power network anomaly graph, the threat behavior association relationships between abnormal nodes are added to the graph by representing each threat behavior as an edge (connection) of the graph. Threat behaviors include malicious access, attacks, data tampering and so on. In the graph, abnormal nodes are represented as graph nodes and threat behaviors as edges between nodes. Node centrality analysis is performed on the generated network threat behavior graph to calculate each node's centrality indicators. Commonly used node centrality indicators include the following. Node degree centrality: degree centrality is the number of other nodes a node is connected to in the graph; nodes with higher degree centrality have more connections in the network and therefore more influence and criticality. Node betweenness centrality: betweenness centrality is the number of times a node serves as a bridge on shortest paths in the network; nodes with high betweenness centrality play an important role in information dissemination and influence propagation. Node closeness centrality: closeness centrality is based on the average shortest-path distance between a node and the other nodes; nodes with higher closeness centrality can reach other nodes more easily and have greater control in the network.
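The three centrality indicators of step S241 computed on a small threat behavior graph, as an added example that is not the patent's code. Abnormal nodes are graph nodes and each threat behavior between two of them is an undirected edge; degree centrality is normalised by the n-1 possible connections, betweenness uses Brandes' algorithm, and closeness is the standard reciprocal of the average shortest-path distance, so a higher value means the node reaches the others in fewer hops, as the text states. The node names and behaviors in SAMPLE_THREAT_EDGES are constructed.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed threat behavior edges between abnormal nodes: (node, node, behavior).
SAMPLE_THREAT_EDGES: List[Tuple[str, str, str]] = [
    ("sub-A", "sub-B", "malicious_access"),
    ("sub-B", "sub-C", "attack"),
    ("sub-B", "sub-D", "data_tampering"),
    ("sub-C", "sub-D", "attack"),
    ("sub-D", "sub-E", "malicious_access"),
]


def build_threat_graph(edges: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """S241: abnormal nodes become graph nodes, threat behaviors become undirected edges."""
    adj: Dict[str, Set[str]] = {}
    for a, b, _behavior in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def bfs_distances(adj: Dict[str, Set[str]], source: str) -> Dict[str, int]:
    """Hop distances from source to every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return dist


def degree_centrality(adj: Dict[str, Set[str]]) -> Dict[str, float]:
    """Number of connections of each node, divided by the n-1 possible connections."""
    n = len(adj)
    return {v: len(nb) / (n - 1) for v, nb in adj.items()}


def closeness_centrality(adj: Dict[str, Set[str]]) -> Dict[str, float]:
    """Reciprocal of the average shortest-path distance to the nodes a node can reach,
    scaled by the reachable fraction so nodes in a small component are not over-rated."""
    n = len(adj)
    out: Dict[str, float] = {}
    for v in adj:
        dist = bfs_distances(adj, v)
        reach = len(dist) - 1
        total = sum(dist.values())
        out[v] = 0.0 if reach == 0 else (reach / (n - 1)) * (reach / total)
    return out


def betweenness_centrality(adj: Dict[str, Set[str]]) -> Dict[str, float]:
    """Brandes' algorithm: the share of all shortest paths that pass through each node,
    normalised for an undirected graph (each pair is counted from both ends)."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        stack: List[str] = []
        pred: Dict[str, List[str]] = {v: [] for v in adj}
        sigma = {v: 0 for v in adj}   # number of shortest paths from s
        sigma[s] = 1
        dist = {v: -1 for v in adj}
        dist[s] = 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                   # back-propagate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    n = len(adj)
    scale = 1.0 / ((n - 1) * (n - 2)) if n > 2 else 0.0
    return {v: bc[v] * scale for v in adj}


def centrality_indicators(edges: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, float]]:
    """Network node centrality indicators for the threat behavior graph."""
    adj = build_threat_graph(edges)
    return {
        "degree": degree_centrality(adj),
        "betweenness": betweenness_centrality(adj),
        "closeness": closeness_centrality(adj),
    }


if __name__ == "__main__":
    for name, values in centrality_indicators(SAMPLE_THREAT_EDGES).items():
        print(name, {k: round(v, 3) for k, v in sorted(values.items())})
```

In the sample graph sub-B and sub-D sit on every path between the two ends of the chain, so they score highest on all three indicators, which is exactly the "bridge" role the embodiment associates with high betweenness.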

Step S242: divide the power network anomaly graph into threat behavior communities according to node degree centrality, node betweenness centrality and node closeness centrality to generate network threat behavior community identification data; cluster the power network abnormal node data by similar behavior based on the network threat behavior community identification data to generate abnormal node behavior clustering data;

In an embodiment of the present invention, the node degree centrality, node betweenness centrality and node closeness centrality indicators are calculated: from the previously generated network threat behavior graph, the degree centrality, betweenness centrality and closeness centrality of each node are computed with a suitable algorithm. Combining these centrality indicators, a community detection algorithm such as the Louvain algorithm or spectral clustering can be used to divide the power network anomaly graph into communities; the algorithm groups nodes with similar centrality characteristics into the same community, forming threat behavior communities. After the community division is complete, each community is assigned a unique identifier, producing network threat behavior community identification data that can be used to identify and distinguish the different threat behavior communities. The network threat behavior community identification data is then used to cluster the power network abnormal node data: each abnormal node is associated with the threat behavior community it belongs to, an appropriate clustering algorithm such as K-means, hierarchical clustering or density-based clustering is selected, and the abnormal nodes are clustered by their features and similarity. Abnormal node behavior clustering data is generated from the clustering results; each cluster contains abnormal nodes with similar behavioral characteristics.

Step S243: perform threat path identification on the abnormal node behavior clustering data to generate threat behavior path identification data; perform threat behavior strong association analysis on the threat behavior path identification data to generate threat behavior key path identification data;

In an embodiment of the present invention, the behavior sequence or event sequence within each abnormal node behavior cluster is analyzed. A suitable algorithm, such as a sequential pattern mining algorithm (for example Apriori or GSP) or a Markov model, is used to mine the behavior sequences in the abnormal node behavior clusters and identify potential threat behavior paths. Threat behavior path identification data is generated from the identified threat behavior paths; it contains each path's start point, end point, intermediate nodes or behaviors, and frequency or probability information. Using the threat behavior path identification data as input, an association rule mining algorithm such as Apriori or FP-Growth performs the threat behavior strong association analysis. The mined association rules can be evaluated and filtered with indicators such as support and confidence, and the rules with higher association strength are selected. Threat behavior key path identification data is generated from the evaluation results; it contains the information of the key paths or association rules, such as start point, end point, and the antecedent and consequent of each rule.
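The strong association analysis of step S243 as an added example (not the patent's own code): a small Apriori implementation mines frequent behavior sets from identified threat paths and derives association rules, then keeps the rules whose support and confidence reach the chosen thresholds as the key path data. SAMPLE_PATHS, the behavior names, and the thresholds of 0.5 support and 0.7 confidence are constructed for the example.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Constructed threat behavior paths: each entry is the set of behaviors seen on one
# identified path (the behavior names are made up for the example).
SAMPLE_PATHS: List[Sequence[str]] = [
    ("scan", "brute_force", "lateral_move"),
    ("scan", "brute_force", "lateral_move", "config_tamper"),
    ("scan", "brute_force"),
    ("scan", "lateral_move", "config_tamper"),
    ("phish", "credential_dump", "lateral_move"),
    ("scan", "brute_force", "lateral_move"),
]

Rule = Tuple[FrozenSet[str], FrozenSet[str], float, float]   # antecedent, consequent, support, confidence


def frequent_itemsets(paths: Sequence[Sequence[str]], min_support: float) -> Dict[FrozenSet[str], float]:
    """Apriori: grow candidate behavior sets level by level, keeping only those whose
    support (fraction of paths containing all of them) reaches min_support."""
    tx = [frozenset(p) for p in paths]
    n = len(tx)

    def support(items: FrozenSet[str]) -> float:
        return sum(1 for t in tx if items <= t) / n

    level = [frozenset([b]) for b in sorted({b for t in tx for b in t})]
    level = [s for s in level if support(s) >= min_support]
    frequent = {s: support(s) for s in level}
    k = 2
    while level:
        candidates = set()
        for a in level:
            for b in level:
                u = a | b
                # Apriori pruning: every (k-1)-subset of a candidate must itself be frequent.
                if len(u) == k and all(frozenset(c) in frequent for c in combinations(u, k - 1)):
                    candidates.add(u)
        level = [c for c in sorted(candidates, key=sorted) if support(c) >= min_support]
        frequent.update({c: support(c) for c in level})
        k += 1
    return frequent


def association_rules(frequent: Dict[FrozenSet[str], float], min_confidence: float) -> List[Rule]:
    """Rules antecedent -> consequent with confidence = supp(both) / supp(antecedent),
    sorted strongest first."""
    rules: List[Rule] = []
    for items, sup in frequent.items():
        if len(items) < 2:
            continue
        for r in range(1, len(items)):
            for ante in combinations(sorted(items), r):
                ante_set = frozenset(ante)
                conf = sup / frequent[ante_set]    # subsets of a frequent set are frequent
                if conf >= min_confidence:
                    rules.append((ante_set, items - ante_set, sup, conf))
    rules.sort(key=lambda x: (-x[3], -x[2], sorted(x[0]), sorted(x[1])))
    return rules


def key_paths(paths: Sequence[Sequence[str]], min_support: float = 0.5,
              min_confidence: float = 0.7) -> List[Rule]:
    """S243: threat behavior key path identification data, one rule per entry."""
    return association_rules(frequent_itemsets(paths, min_support), min_confidence)


if __name__ == "__main__":
    for ante, cons, sup, conf in key_paths(SAMPLE_PATHS):
        print(f"{sorted(ante)} -> {sorted(cons)}  support={sup:.2f} confidence={conf:.2f}")
```

With the constructed paths, the rules with confidence 1.0 are brute_force -> scan and {brute_force, lateral_move} -> scan: every path that contained a brute-force step also contained a scan, which is the kind of start-point/consequence pairing the key path data is meant to capture.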

Step S244: perform potential threat association analysis on the power network abnormal node data according to the threat behavior key path identification data to generate power network potential threat events.

In an embodiment of the present invention, power network abnormal node data is collected, including node behavior logs and event records that record abnormal behaviors or events in the power network. The threat behavior key path identification data is obtained, including the start point, end point and association rules of each key path. According to the key path information in the threat behavior key path identification data, the power network abnormal node data is matched against the key paths. For abnormal node data that matches, its association with the key path is analyzed and the corresponding association indicators, such as support and confidence, are calculated. Based on the association indicators, abnormal node data with higher association is selected as the candidate set of potential threat events. The candidate set is analyzed and filtered further, taking into account event attributes, timing, frequency and other information, to exclude false positives and redundant events. From the results, a list of power network potential threat events is generated, including each event's description, the associated abnormal nodes or behavior information, and the time window in which the event occurred.

Preferably, step S3 includes the following steps:

Step S31: perform threat event identification on the power network potential threat events to generate power network threat identification events, where the power network threat identification events include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events;

Step S32: when the power network threat identification event is confirmed to be a malware attack event, deploy node firewalls for the power network abnormal node data to obtain abnormal node firewalls; perform intrusion detection and intrusion prevention based on the abnormal node firewalls to obtain network traffic data and abnormal node behavior data; adjust the power network abnormal nodes to minimum network control privileges according to the network traffic data and the abnormal node behavior data to generate a malware defense strategy;

Step S33: when the power network threat identification event is confirmed to be a phishing event, configure email filters for the power network abnormal node data to obtain email filter configuration rule data; based on the email filter configuration rule data, enforce multi-factor authentication for data uploads from the power network abnormal node data to generate a phishing defense strategy;

Step S34: when the power network threat identification event is confirmed to be a DDoS attack event, perform attack period analysis on the power network abnormal node data to generate attack-intensive period data; perform load balancing on the power network abnormal nodes according to the attack-intensive period data to generate load balancing data; compare the load balancing data with a preset standard load balancing threshold, and when the load balancing data exceeds the preset standard load balancing threshold, route the excess power network abnormal node data to a black hole to generate a DDoS attack defense strategy;

Step S35: when the power network threat identification event is confirmed to be a network intrusion event, perform intrusion area analysis on the power network abnormal node data to obtain intrusion area analysis data; perform network isolation based on the intrusion area analysis data to generate network isolation area data; use the network isolation area data to repair the security of the intrusion area to generate a network intrusion defense strategy;

Step S36: when the power network threat identification event is confirmed to be a zero-day vulnerability attack event, perform threat intelligence analysis on the power network abnormal node data to generate threat intelligence analysis data; apply zero-day vulnerability patches according to the threat intelligence analysis data to generate zero-day vulnerability patch data; filter traffic rules on the power network abnormal nodes according to the zero-day vulnerability patch data to generate a zero-day vulnerability attack defense strategy.

By performing threat event identification on the power network potential threat events, the present invention distinguishes the different types of threat events, including malware attacks, phishing, DDoS attacks, network intrusions and zero-day vulnerability attacks, which helps to identify precisely the events that threaten power network security. When a malware attack event is confirmed, deploying abnormal node firewalls and performing intrusion detection and intrusion prevention improves protection against malware, and adjusting the abnormal nodes to minimum network control privileges restricts their network access and strengthens the malware defense strategy. When a phishing event is confirmed, configuring email filters and enforcing multi-factor authentication for data uploads helps prevent phishing in the power network; the defense strategy effectively reduces the delivery of malicious email and curbs social engineering attacks. When a DDoS attack event is confirmed, attack period analysis and load balancing spread the network load and relieve pressure on the network, and black-holing the routes of the nodes whose load exceeds the standard load balancing threshold effectively limits the impact of the DDoS attack on the power network. When a network intrusion event is confirmed, intrusion area analysis and network isolation help identify the intruded area and isolate it from the rest of the network to contain the spread of the intrusion, and the subsequent security repair fixes the vulnerabilities in the intruded area and strengthens the power network's defenses. When a zero-day vulnerability attack event is confirmed, threat intelligence analysis and zero-day patch application help monitor and handle newly emerging security threats, and traffic rule filtering effectively blocks attacks that exploit zero-day vulnerabilities and improves system security.
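The DDoS branch (step S34) as an added example, not code from the patent: request timestamps for one abnormal node are bucketed per minute, buckets whose count is far above the median are the attack-intensive periods, the requests of each such period are spread evenly across a balancing pool, and whatever exceeds the per-node standard threshold is routed to a black hole (dropped) rather than forwarded. The per-minute counts, the pool names, the 80-request threshold and the factor of 5 over the median are all constructed.

```python
from statistics import median
from typing import Dict, List, Tuple

BUCKET_SECONDS = 60

# Constructed per-minute request counts for one abnormal node, with a burst in
# minutes 4 and 5; SAMPLE_EVENTS spreads them as timestamps inside each minute.
SAMPLE_MINUTE_COUNTS = [10, 12, 9, 11, 200, 300, 10, 12, 11, 9]
SAMPLE_EVENTS: List[int] = [
    minute * BUCKET_SECONDS + (i * BUCKET_SECONDS) // n
    for minute, n in enumerate(SAMPLE_MINUTE_COUNTS)
    for i in range(n)
]
BACKEND_POOL = ["lb-node-1", "lb-node-2", "lb-node-3"]   # constructed balancing targets
STANDARD_LOAD_THRESHOLD = 80                             # constructed per-node threshold


def bucket_counts(events: List[int], bucket_s: int = BUCKET_SECONDS) -> Dict[int, int]:
    """Requests per time bucket, keyed by bucket start time."""
    counts: Dict[int, int] = {}
    for ts in events:
        start = ts - ts % bucket_s
        counts[start] = counts.get(start, 0) + 1
    return counts


def attack_intensive_periods(counts: Dict[int, int], factor: float = 5.0) -> List[Tuple[int, int]]:
    """Attack period analysis: buckets whose request count is at least `factor` times
    the median bucket count form the attack-intensive period data."""
    base = median(counts.values())
    return [(start, c) for start, c in sorted(counts.items()) if c >= factor * base]


def balance_and_blackhole(requests: int, pool: List[str], threshold: int) -> Tuple[Dict[str, int], int]:
    """Spread requests across the pool; load above the per-node threshold is black-holed
    (dropped) instead of being forwarded. Returns (assigned load per node, dropped)."""
    share, rem = divmod(requests, len(pool))
    assigned: Dict[str, int] = {}
    dropped = 0
    for i, node in enumerate(pool):
        load = share + (1 if i < rem else 0)
        assigned[node] = min(load, threshold)
        dropped += load - assigned[node]
    return assigned, dropped


def ddos_defense_plan(events: List[int], pool: List[str], threshold: int,
                      factor: float = 5.0) -> List[Dict[str, object]]:
    """S34 end to end: one plan entry per attack-intensive bucket."""
    plan: List[Dict[str, object]] = []
    for start, n in attack_intensive_periods(bucket_counts(events), factor):
        assigned, dropped = balance_and_blackhole(n, pool, threshold)
        plan.append({"bucket": start, "requests": n, "assigned": assigned, "blackholed": dropped})
    return plan


if __name__ == "__main__":
    for entry in ddos_defense_plan(SAMPLE_EVENTS, BACKEND_POOL, STANDARD_LOAD_THRESHOLD):
        print(entry)
```

In the sample, the 200-request minute fits within the pool (67/67/66, nothing dropped) while the 300-request minute saturates all three nodes at 80 and black-holes the remaining 60, which is the "excess part" the step describes.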

As an example of the present invention, referring to FIG. 4, in this example step S3 includes:

Step S31: perform threat event identification on the power network potential threat events to generate power network threat identification events, where the power network threat identification events include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events;

In an embodiment of the present invention, data from the power network is collected, including network traffic, device logs and security event logs. Analyzing this data exposes abnormal activity, abnormal traffic patterns and abnormal events, which are marked as potential threat events. The data is then compared and matched against threat intelligence and vulnerability databases so that known threat events and vulnerability exploits are recognized; matching the collected data against known patterns allows malware attacks, phishing, DDoS attacks, network intrusions and zero-day vulnerability attacks to be identified quickly. Machine learning and artificial intelligence models built over the collected data learn the abnormal behavior patterns of the power network automatically and compare them with known threat patterns, so that potential threat events are judged accurately. Monitoring the abnormal nodes, abnormal traffic and abnormal behavior of the system allows these five event types to be discovered and identified in time; intrusion detection systems (IDS) and behavioral analysis systems (BAS) monitor the nodes and traffic of the power network in real time.
Power network security experts review and analyze the data and provide professional judgment: on the basis of their experience and knowledge they evaluate a potential threat event and determine whether it is a malware attack, phishing, a DDoS attack, a network intrusion or a zero-day vulnerability attack.
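The identification step above can be illustrated with a small rule-based classifier that maps normalized events to one of the five event types and hands everything else to analyst review. This is an added example, not code from the patent: the lookup tables stand in for the threat intelligence and vulnerability databases the text mentions, and every value in them (hashes, domains, CVE placeholders, thresholds), as well as the event field names, is an assumption.

```python
"""Rule-based threat event identification over normalized security events.

Added example; not the patent's own code. The lookup tables stand in for the
threat-intelligence and vulnerability databases, and every value in them is a
constructed assumption.
"""
from collections import Counter

MALWARE_HASHES = {"3b5f0c1d", "a77e9b02"}                            # assumed
PHISHING_DOMAINS = {"sgcc-mail.example", "stategrid-login.example"}  # assumed
KNOWN_CVES = {"CVE-0000-0001", "CVE-0000-0002"}                      # placeholders
INTRUSION_SIGNATURES = {"lateral_smb_admin_share", "ssh_brute_force"}
DDOS_PPS_THRESHOLD = 50_000   # packets per second toward one node (assumed)
DDOS_MIN_SOURCES = 100        # distinct sources in the same window (assumed)


def classify(event: dict) -> str:
    """Map one normalized event to a threat identification event type."""
    kind = event.get("kind")
    if kind == "process" and event.get("sha256") in MALWARE_HASHES:
        return "malware"
    if kind == "email":
        domain = event.get("sender", "").rsplit("@", 1)[-1].lower()
        if domain in PHISHING_DOMAINS or event.get("has_credential_form"):
            return "phishing"
    if kind == "flow":
        if (event.get("pps", 0) >= DDOS_PPS_THRESHOLD
                and event.get("sources", 0) >= DDOS_MIN_SOURCES):
            return "ddos"
    if kind == "ids_alert":
        if event.get("signature") in INTRUSION_SIGNATURES:
            return "intrusion"
        if event.get("category") == "exploit":
            # An exploit whose vulnerability is in the database is an intrusion;
            # one that matches no known vulnerability is treated as zero-day.
            return "intrusion" if event.get("cve") in KNOWN_CVES else "zero_day"
    # Nothing matched: hand the event to the expert review described in the text.
    return "needs_review"


def classify_all(events) -> Counter:
    """Count how many events fall into each identification class."""
    return Counter(classify(e) for e in events)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "process", "node": "10.20.1.15", "sha256": "3b5f0c1d"},
    {"kind": "email", "node": "10.20.2.7", "sender": "help@sgcc-mail.example"},
    {"kind": "flow", "node": "10.20.0.1", "pps": 120_000, "sources": 2_500},
    {"kind": "ids_alert", "node": "10.20.3.3", "signature": "ssh_brute_force"},
    {"kind": "ids_alert", "node": "10.20.3.4", "category": "exploit",
     "signature": "http_heap_spray", "cve": None},
    {"kind": "ids_alert", "node": "10.20.3.5", "category": "exploit",
     "signature": "iec104_overflow", "cve": "CVE-0000-0001"},
    {"kind": "flow", "node": "10.20.0.2", "pps": 900, "sources": 3},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["node"], "->", classify(e))
    print(classify_all(SAMPLE_EVENTS))
```

The zero-day branch is the one worth noting: an exploit signature that matches nothing in the vulnerability database is exactly the case the text routes to the zero-day strategy, while the same signature with a known CVE is an ordinary intrusion.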

Step S32: when the power network threat identification event is confirmed to be a malware attack event, deploy node firewalls for the power network abnormal node data to obtain abnormal node firewalls; perform intrusion detection and intrusion prevention on the basis of the abnormal node firewalls to obtain network traffic data and abnormal node behavior data; adjust the minimum network control authority of the power network abnormal nodes according to the network traffic data and the abnormal node behavior data to generate the malware defense strategy;

In an embodiment of the present invention, firewalls are deployed in the power network for the confirmed abnormal nodes; each firewall monitors and filters the network traffic associated with its node in order to block potential malware attacks, and its configuration is adjusted to the specific needs of the power network. The abnormal node firewalls then perform intrusion detection and intrusion prevention: the intrusion detection system analyzes the network traffic data and the abnormal node behavior data to discover malware attack behavior promptly, and the intrusion prevention measures respond to and block the intrusion behavior to protect the security of the power network. The network traffic data and abnormal node behavior data are analyzed to understand the attacker's behavior pattern and attack method; traffic analysis determines the characteristics and targets of the malware attack so that an effective defense strategy can be formulated. According to the network traffic data and abnormal node behavior data, the minimum network control authority of the abnormal nodes is adjusted, which includes auditing the abnormal nodes and restricting their network access rights to reduce the security risk. Based on the analysis results and the adjusted minimum network control authority, the malware defense strategy is generated; the strategy includes detection rules, blocking rules and response measures for malware attack behavior.
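The minimum network control authority adjustment can be made concrete as an allow-list: the node keeps only the flows it is known to need, every other flow it originates is a violation to audit, and the resulting firewall logs and drops the rest. The following is an added example and not the patent's code; the node address, its required service dependencies, the captured flows and the chain name are constructed, and the output is in nftables `nft -f` syntax.

```python
"""Least-privilege network control for a confirmed abnormal node.

Added example, not the patent's code. The node address, its required service
dependencies and the observed flows are constructed; the output is an
nftables allow-list in `nft -f` syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


NODE = "10.20.1.15"  # the abnormal node (assumed)

# Services the node legitimately needs (assumed dependencies).
REQUIRED = {
    Flow(NODE, "10.20.0.5", 2404, "tcp"),  # IEC 60870-5-104 to the front-end processor
    Flow(NODE, "10.20.0.9", 123, "udp"),   # NTP
    Flow(NODE, "10.20.0.9", 514, "udp"),   # syslog
}

# Flows captured by the node firewall's IDS during the incident (constructed).
OBSERVED = [
    Flow(NODE, "10.20.0.5", 2404, "tcp"),
    Flow(NODE, "10.20.0.9", 123, "udp"),
    Flow(NODE, "203.0.113.7", 4444, "tcp"),   # outbound to an unknown host
    Flow(NODE, "10.20.1.20", 445, "tcp"),     # SMB toward a peer node
    Flow("10.20.1.20", NODE, 445, "tcp"),     # inbound, not the node's own behavior
]


def violations(observed, required, node=NODE):
    """Flows originated by the node that fall outside its required set."""
    return [f for f in observed if f.src == node and f not in required]


def build_ruleset(node, required, chain="abn_node"):
    """nftables rules: accept only the required outbound flows and their
    return traffic, then log and drop everything else to or from the node."""
    rules = [
        "add table inet filter",
        f"add chain inet filter {chain} "
        "{ type filter hook forward priority 0; policy accept; }",
    ]
    for f in sorted(required, key=lambda f: (f.dst, f.proto, f.dport)):
        rules.append(
            f"add rule inet filter {chain} ip saddr {f.src} ip daddr {f.dst} "
            f"{f.proto} dport {f.dport} accept"
        )
    rules += [
        f"add rule inet filter {chain} ip daddr {node} "
        "ct state established,related accept",
        f'add rule inet filter {chain} ip saddr {node} log prefix "abn-node-out " counter drop',
        f'add rule inet filter {chain} ip daddr {node} log prefix "abn-node-in " counter drop',
    ]
    return rules


if __name__ == "__main__":
    for v in violations(OBSERVED, REQUIRED):
        print("violation:", v)
    print("\n".join(build_ruleset(NODE, REQUIRED)))
```

The chain policy stays `accept` and only rules scoped to the node's address drop, so the ruleset constrains the abnormal node without disturbing the rest of the forwarding path; the two logged drop rules are the audit record the text calls for.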

Step S33: when the power network threat identification event is confirmed to be a phishing event, configure an email filter for the power network abnormal node data to obtain email filter configuration rule data; based on the email filter configuration rule data, enforce multi-factor authentication for data uploads from the power network abnormal node data to generate the phishing defense strategy;

In an embodiment of the present invention, suitable email filter software or a filtering service is selected to filter the email sent and received in the power network. The filter is configured to identify and intercept potential phishing email through rules, blacklists, whitelists, keyword filtering and similar measures, and its sensitivity and policy are adjusted to the needs and security policy of the power network. When the email filter is configured, the rules and settings in use are recorded for later reference and review; the record includes the filter version, the rule list and the policy configuration. Multi-factor authentication is adopted to strengthen the login security of the abnormal nodes in the power network: it is configured with several authentication factors such as passwords, tokens and biometrics, all abnormal nodes are forced to use it, and access to critical systems and data is strictly limited to sessions that have passed multi-factor authentication. Based on the email filter configuration rule data and the enforced multi-factor authentication for data uploads, the phishing defense strategy is generated; the strategy includes the appropriate filter rules, the complete multi-factor authentication settings and the corresponding security policy guidelines.
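A worked version of the two halves of step S33, as an added example that is not the patent's code: a scoring filter whose configuration (version, blacklist, whitelist, trusted domains, keywords, quarantine threshold) is recorded in one structure, and an upload gate that refuses sessions from abnormal nodes until a second factor has been verified. The configuration values, the abnormal node set and the sample messages are all constructed.

```python
"""Phishing email filter with a recorded configuration, plus multi-factor
enforcement for uploads from abnormal nodes.

Added example, not the patent's code. The filter configuration, the abnormal
node set and the sample messages are constructed.
"""
import re
from urllib.parse import urlparse

FILTER_CONFIG = {
    "version": "2024.04-1",
    "blacklist": {"sgcc-mail.example", "stategrid-login.example"},
    "whitelist": {"sgcc.example"},
    "trusted_domains": {"sgcc.example"},
    "keywords": ("verify your account", "password expires", "urgent transfer"),
    "quarantine_score": 3,
}
ABNORMAL_NODES = {"10.20.1.15"}   # nodes flagged in step S2 (assumed)


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_email(msg, cfg=FILTER_CONFIG):
    """Return (score, reasons); a whitelisted sender short-circuits to 0."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    if domain in cfg["whitelist"]:
        return 0, ["sender whitelisted"]
    score, reasons = 0, []
    if domain in cfg["blacklist"]:
        score += 5
        reasons.append("sender blacklisted")
    for trusted in cfg["trusted_domains"]:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            score += 2
            reasons.append(f"look-alike of {trusted}")
    body = msg["body"].lower()
    for kw in cfg["keywords"]:
        if kw in body:
            score += 1
            reasons.append(f"keyword: {kw}")
    for url in re.findall(r"https?://\S+", msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in cfg["trusted_domains"]):
            score += 1
            reasons.append(f"external link: {host}")
    return score, reasons


def filter_decision(msg, cfg=FILTER_CONFIG):
    score, _ = score_email(msg, cfg)
    return "quarantine" if score >= cfg["quarantine_score"] else "deliver"


def authorize_upload(node_ip, session):
    """Data uploads from abnormal nodes are allowed only after a second factor."""
    if not session.get("authenticated"):
        return False
    if node_ip in ABNORMAL_NODES and not session.get("mfa_verified"):
        return False
    return True


# Constructed sample messages.
MESSAGES = [
    {"from": "helpdesk@sqcc.example",
     "body": "Your password expires today. Verify your account at "
             "http://sqcc-login.example/reset"},
    {"from": "ops@sgcc.example", "body": "Maintenance window tonight 22:00."},
    {"from": "noreply@vendor.example",
     "body": "Invoice attached, see https://vendor.example/inv/42"},
]

if __name__ == "__main__":
    print("filter version", FILTER_CONFIG["version"])
    for m in MESSAGES:
        print(m["from"], filter_decision(m), score_email(m))
```

The reasons list returned with each score is what an analyst sees when reviewing a quarantined message, and `FILTER_CONFIG` is the record of rules and version the text says must be kept for later audit.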

Step S34: when the power network threat identification event is confirmed to be a DDoS attack event, perform attack period analysis on the power network abnormal node data to generate attack-intensive period data; perform load balancing on the power network abnormal nodes according to the attack-intensive period data to generate load balancing data; compare the load balancing data with a preset standard load balancing threshold, and when the load balancing data exceeds the preset standard load balancing threshold, apply a routing blackhole to the excess part of the power network abnormal node data to generate the DDoS attack defense strategy;

In an embodiment of the present invention, the power network abnormal node data is analyzed to determine the time periods in which the DDoS attack occurs, which is achieved by monitoring network traffic, identifying abnormal packets and analyzing attack patterns. The purpose of the attack period analysis is to determine which periods are attacked most intensively so that load balancing can follow. The result of the analysis is the attack-intensive period data, which marks the periods with a high incidence of attack activity and provides the basis for load balancing. According to the attack-intensive period data, the abnormal nodes of the power network are load balanced; the purpose is to spread the network load so as to relieve the attacked nodes and keep the network operating normally. The result of the load balancing adjustment is the load balancing data, which describes the load status of each node, including its current load level and processing capacity. The load balancing data is compared with the preset standard load balancing threshold: if a node's load balancing data exceeds the threshold, its load is excessive, meaning that the node is under attack and outside its normal load range.
A routing blackhole is applied to the part of the power network abnormal node data that exceeds the load balancing threshold. A routing blackhole directs the traffic of the abnormal node to an invalid address or discards it, which effectively keeps the attack traffic out of the network. According to the result of the routing blackhole, the DDoS attack defense strategy is generated; the strategy includes specific defensive measures against DDoS attacks such as blackhole route configuration, traffic filtering and attack traffic identification, to protect the power network from the effects of DDoS attacks.
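The three stages of step S34 (attack-intensive periods, per-node load against capacity, blackholing only the excess) can be run end to end on a handful of traffic samples. The following is an added example, not the patent's code: the samples, node capacities, window size, the median-based period rule and the 0.8 load threshold are constructed assumptions, and the output uses Linux iproute2 null-route syntax.

```python
"""Attack-period analysis, load assessment and blackhole planning for DDoS.

Added example, not the patent's code. The traffic samples, node capacities and
thresholds are constructed; the output lines use Linux iproute2 syntax.
"""
from collections import defaultdict
from statistics import median

# Constructed samples: (epoch seconds, target node, source address, packets per second)
SAMPLES = [
    (5, "A", "10.0.0.1", 2_000), (10, "B", "10.0.0.2", 3_000),
    (65, "A", "10.0.0.1", 2_500), (70, "B", "10.0.0.2", 2_500),
    (125, "A", "10.0.0.1", 2_000), (130, "B", "10.0.0.2", 3_000),
    (185, "A", "203.0.113.7", 90_000), (190, "A", "203.0.113.8", 60_000),
    (195, "A", "10.0.0.1", 2_000), (200, "B", "10.0.0.2", 3_000),
    (245, "A", "10.0.0.1", 2_000), (250, "B", "10.0.0.2", 3_000),
]
CAPACITY = {"A": 100_000, "B": 100_000}   # packets per second each node can handle (assumed)
BUCKET = 60                                # seconds per analysis window
STANDARD_LOAD_THRESHOLD = 0.8              # preset standard load-balancing threshold (assumed)


def intensive_periods(samples, bucket=BUCKET, factor=3.0):
    """Windows whose total traffic exceeds `factor` times the median window."""
    totals = defaultdict(int)
    for ts, _node, _src, pps in samples:
        totals[ts // bucket * bucket] += pps
    base = median(totals.values())
    return sorted(start for start, total in totals.items() if total > factor * base)


def node_load(samples, periods, capacity=CAPACITY, bucket=BUCKET):
    """Load-balancing data: per-node load inside the intensive periods as a
    fraction of that node's capacity."""
    windows = set(periods)
    load = defaultdict(int)
    for ts, node, _src, pps in samples:
        if ts // bucket * bucket in windows:
            load[node] += pps
    return {node: pps / capacity[node] for node, pps in load.items()}


def blackhole_plan(samples, periods, capacity=CAPACITY, bucket=BUCKET,
                   threshold=STANDARD_LOAD_THRESHOLD):
    """For each node above the threshold, blackhole its largest sources until
    the remaining load is back within the threshold (the 'excess part')."""
    windows = set(periods)
    per_source = defaultdict(lambda: defaultdict(int))
    for ts, node, src, pps in samples:
        if ts // bucket * bucket in windows:
            per_source[node][src] += pps
    plan = {}
    for node, sources in per_source.items():
        remaining = sum(sources.values())
        limit = threshold * capacity[node]
        dropped = []
        for src, pps in sorted(sources.items(), key=lambda kv: -kv[1]):
            if remaining <= limit:
                break
            dropped.append(src)
            remaining -= pps
        if dropped:
            plan[node] = dropped
    return plan


def blackhole_routes(plan):
    """Null routes in iproute2 syntax, one per blackholed source."""
    return [f"ip route add blackhole {src}/32"
            for node in sorted(plan) for src in plan[node]]


if __name__ == "__main__":
    periods = intensive_periods(SAMPLES)
    print("intensive periods:", periods)
    print("load:", node_load(SAMPLES, periods))
    plan = blackhole_plan(SAMPLES, periods)
    print("\n".join(blackhole_routes(plan)))
```

Only the largest source is blackholed in the sample: once it is removed the node is back under the threshold, so the second attacking source and the legitimate client are left alone, which is the "excess part" behavior the step describes rather than a blanket drop of the node's traffic.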

Step S35: when the power network threat identification event is confirmed to be a network intrusion event, perform intrusion area analysis on the power network abnormal node data to obtain intrusion area analysis data; perform network isolation based on the intrusion area analysis data to generate network isolation area data; use the network isolation area data to repair the security of the intrusion area and generate the network intrusion defense strategy;

In an embodiment of the present invention, intrusion area analysis is performed on the power network abnormal node data; this includes identifying the intruded nodes, analyzing the intrusion path and determining the relationships between the intruded nodes. The purpose of the analysis is to determine the specific area and nodes that have been intruded, as the basis for the subsequent network isolation. The result is the intrusion area analysis data, which describes the area in which the intrusion occurred and the related nodes, including the location of the intruded nodes and the attack method. Network isolation is then performed on the basis of the intrusion area analysis data: the intruded area or nodes are separated from the rest of the power network so that the intrusion cannot spread to or affect other parts. The result is the network isolation area data, which describes the isolated area or nodes, including the isolation method and the isolation scope. Using the network isolation area data, the intrusion area is repaired; the repair includes restoring the intruded systems, installing patches and hardening the security configuration so that the affected area returns to its normal state.
According to the result of the security repair, the network intrusion defense strategy is generated. The strategy includes specific defensive measures against network intrusion, such as deployment of intrusion detection systems, optimization of the access control policy and strengthened authentication and authorization, so as to improve the security of the power network.
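The intrusion path analysis, the isolation scope and the repair order can be derived from connection records alone. The following is an added example and not the patent's code; the connection records, the confirmed entry node and the compromise time are constructed, and the isolation method label is an assumption.

```python
"""Intrusion area analysis, network isolation and repair ordering.

Added example, not the patent's code. The connection records, the entry node
and the compromise time are constructed.
"""

# Constructed connection records: (timestamp, source node, destination node, service)
CONNECTIONS = [
    (90,  "dmz-web",   "mail",      "smtp"),    # before the compromise
    (100, "ext",       "dmz-web",   "https"),   # initial exploit
    (120, "dmz-web",   "hist-db",   "mssql"),
    (130, "hist-db",   "scada-hmi", "smb"),
    (140, "ops-ws",    "scada-hmi", "rdp"),     # inbound to a compromised node
    (150, "scada-hmi", "plc-gw",    "iec104"),
    (160, "ops-ws",    "mail",      "imap"),
]
ENTRY, T0 = "dmz-web", 100   # confirmed intrusion node and time (assumed)


def intrusion_region(connections, entry=ENTRY, t0=T0):
    """Nodes reachable from the entry node along time-ordered connections made
    at or after the time the source was itself reached.
    Returns {node: earliest possible compromise time}."""
    reached = {entry: t0}
    for ts, src, dst, _service in sorted(connections):
        if src in reached and ts >= reached[src] and dst not in reached:
            reached[dst] = ts
    return reached


def isolation_edges(connections, region):
    """Connections crossing the region boundary; these are the links to cut."""
    return sorted((src, dst) for _ts, src, dst, _s in connections
                  if (src in region) != (dst in region))


def isolation_record(connections, region, method="switch ACL"):
    """Network isolation area data: how, and over what scope, isolation is applied."""
    return {"method": method, "scope": sorted(region),
            "cut": isolation_edges(connections, region)}


def repair_order(region):
    """Repair from the entry point outward, in order of compromise time, so a
    repaired node cannot be reinfected from an earlier hop."""
    return [node for node, _t in sorted(region.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    region = intrusion_region(CONNECTIONS)
    print("region:", region)
    print("isolation:", isolation_record(CONNECTIONS, region))
    print("repair order:", repair_order(region))
```

The time ordering matters: the connection from the entry node to the mail server predates the exploit and is excluded, and a workstation that only connected into a compromised node is not itself placed in the region, although its link is among those cut.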

Step S36: when the power network threat identification event is confirmed to be a zero-day vulnerability attack event, perform threat intelligence analysis on the power network abnormal node data to generate threat intelligence analysis data; apply zero-day vulnerability patches according to the threat intelligence analysis data to generate zero-day vulnerability patch data; filter traffic rules for the power network abnormal nodes according to the zero-day vulnerability patch data to generate the zero-day vulnerability attack defense strategy.

In an embodiment of the present invention, threat intelligence analysis is performed on the power network abnormal node data, including analysis of the characteristics, sources and methods of the attack events, in order to obtain intelligence about the zero-day vulnerability attack; analyzing the threat intelligence reveals the attacker's strategy, purpose and attack method. The result is the threat intelligence analysis data, which contains the key information, such as the characteristics of the known zero-day attack, the attack instructions and the scope affected by the vulnerability. For the known zero-day attack, the corresponding patch is applied according to the threat intelligence analysis data, which includes downloading and installing the fix for the vulnerability, updating the software version or making the relevant configuration adjustments; where no vendor fix exists yet, the configuration adjustment and the traffic filtering below are the only mitigations available. The result is the zero-day vulnerability patch data, which records the applied patches, including the patch version and the time of application.
According to the zero-day vulnerability patch data, traffic rule filtering is applied to the power network abnormal nodes. This involves configuring firewalls, intrusion detection systems and similar network devices to screen the traffic passing through the nodes and block malicious traffic carrying the zero-day attack from reaching the affected nodes. According to the result of the traffic rule filtering, the zero-day vulnerability attack defense strategy is generated; the strategy includes specific blocking rules, application-layer filtering rules and traffic monitoring policies to mitigate the risk of zero-day attacks and protect the security of the power network.

Preferably, step S4 comprises the following steps:

Step S41: integrate the malware defense strategy, phishing defense strategy, DDoS attack defense strategy, network intrusion defense strategy and zero-day vulnerability attack defense strategy to generate the network event defense strategy; use the network event defense strategy to collect defense logs for the power network potential threat events to obtain security defense log data;

Step S42: partition the security defense log data into a model training set and a model test set; train a decision tree model on the model training set to generate the intelligent defense decision training model; test the intelligent defense decision training model on the model test set to generate the intelligent defense decision model;

Step S43: use the intelligent defense decision model to make intelligent defense decisions on the power network potential threat events and generate the intelligent defense decision plan.

By integrating the malware, phishing, DDoS attack, network intrusion and zero-day vulnerability attack defense strategies, the present invention improves the overall security of the power network and provides combined protection across several security aspects. The intelligent defense decision model enables intelligent analysis of, and decisions on, potential threat events in the power network, helping security personnel respond to threats faster and more accurately, providing targeted defensive measures, reducing the risk of missed reports and missed detections, and strengthening the response to new and unknown threats. Analysis of the security defense log data and training of the model reveal potential security threats and attack patterns and yield intelligent defense decision plans, so that when a security incident occurs defensive measures can be taken more promptly and effectively, improving the protective capability of the power network.

In an embodiment of the present invention, the malware, phishing, DDoS attack, network intrusion and zero-day vulnerability attack defense strategies are integrated into the network event defense strategy, which includes specifying configuration rules, setting defense parameters and deploying security equipment. The network event defense strategy is then used to collect defense logs for the power network potential threat events, yielding the security defense log data. The security defense log data is partitioned into a model training set and a model test set; partitioning at a fixed ratio keeps the sample distribution of the training and test sets representative, and holding the test set out of training means the measured accuracy reflects events the model has not seen. A decision tree model is then trained on the model training set. The decision tree is a supervised learning method that classifies and predicts samples from their input features. The trained decision tree is used to make intelligent defense decisions for the power network potential threat events: taking the security defense log data and related features as input, the model analyzes and judges automatically, determines the level, type and response strategy of the threat event, and generates the intelligent defense decision plan with specific defensive measures and recommended actions.
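Steps S42 and S43 can be run on a small constructed log set. The patent names a decision tree but no specific algorithm, so the added example below (not the patent's code) implements a compact ID3-style tree with information gain over categorical features and no external library; the log records, the feature names and the hold-out rule (every fourth record) are assumptions.

```python
"""Decision-tree defense decision model trained on security defense logs.

Added example, not the patent's code; the patent names a decision tree but
not a specific algorithm, so a small ID3-style tree (information gain over
categorical features) is implemented here without external libraries. The
log records, features and the 1-in-4 split rule are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

FEATURES = ("event_type", "severity", "node_role", "repeat_offender")

# Constructed security defense log records; the last column is the action the
# defense strategy took, which the model learns to recommend.
LOGS = [
    ("malware",   "high",   "scada",  "yes", "isolate"),
    ("malware",   "high",   "office", "no",  "isolate"),
    ("malware",   "low",    "office", "no",  "monitor"),
    ("ddos",      "high",   "edge",   "yes", "blackhole"),
    ("ddos",      "medium", "edge",   "no",  "rate_limit"),
    ("ddos",      "high",   "edge",   "no",  "blackhole"),
    ("phishing",  "medium", "office", "yes", "enforce_mfa"),
    ("phishing",  "low",    "office", "no",  "enforce_mfa"),
    ("intrusion", "high",   "scada",  "yes", "isolate"),
    ("intrusion", "medium", "office", "no",  "isolate"),
    ("zero_day",  "high",   "scada",  "no",  "patch"),
    ("zero_day",  "medium", "edge",   "yes", "patch"),
    ("malware",   "low",    "scada",  "yes", "monitor"),
    ("ddos",      "low",    "edge",   "no",  "rate_limit"),
    ("phishing",  "high",   "scada",  "yes", "enforce_mfa"),
    ("intrusion", "low",    "office", "no",  "isolate"),
]


def split_dataset(rows, test_every=4):
    """Hold out every fourth record as the model test set."""
    train = [r for i, r in enumerate(rows) if i % test_every]
    test = [r for i, r in enumerate(rows) if i % test_every == 0]
    return train, test


def entropy(rows):
    n = len(rows)
    return -sum(c / n * math.log2(c / n)
                for c in Counter(r[-1] for r in rows).values())


def best_feature(rows, feats):
    """Feature index with the highest information gain."""
    base = entropy(rows)

    def gain(i):
        groups = defaultdict(list)
        for r in rows:
            groups[r[i]].append(r)
        return base - sum(len(g) / len(rows) * entropy(g) for g in groups.values())

    return max(feats, key=gain)


def build_tree(rows, feats):
    """Recursive ID3: a leaf is a label; an inner node remembers the majority
    label as the fallback for feature values unseen in training."""
    labels = Counter(r[-1] for r in rows)
    if len(labels) == 1 or not feats:
        return labels.most_common(1)[0][0]
    i = best_feature(rows, feats)
    node = {"feature": i, "default": labels.most_common(1)[0][0], "branches": {}}
    for value in {r[i] for r in rows}:
        subset = [r for r in rows if r[i] == value]
        node["branches"][value] = build_tree(subset, [f for f in feats if f != i])
    return node


def predict(tree, row):
    while isinstance(tree, dict):
        tree = tree["branches"].get(row[tree["feature"]], tree["default"])
    return tree


def accuracy(tree, rows):
    return sum(predict(tree, r) == r[-1] for r in rows) / len(rows)


def train_and_test(rows=LOGS):
    """Steps S42/S43: train on the training set, score on the held-out set."""
    train, test = split_dataset(rows)
    tree = build_tree(train, list(range(len(FEATURES))))
    return tree, accuracy(tree, test)


if __name__ == "__main__":
    model, acc = train_and_test()
    print("test accuracy:", acc)
    print("decision for a new event:",
          predict(model, ("intrusion", "medium", "scada", "yes")))
```

On this data the held-out set scores 3 of 4: the medium-severity DDoS record falls to the node default because no training record had that severity for DDoS, which is exactly the kind of gap the test set exists to expose before the model is used for live decisions.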

This specification also provides a network event security monitoring system for executing the network event security monitoring method described above. The system comprises:

a distributed identification module, which acquires power network node data, collects power network information data according to the power network node data to obtain raw node traffic data, and performs distributed traffic identification on the raw node traffic data to generate distributed traffic identification data;

a potential threat analysis module, which performs abnormal node detection on the distributed traffic identification data to generate power network abnormal node data, and performs potential threat detection and analysis on the power network abnormal node data to generate power network potential threat events;

a strategy defense module, which performs threat event identification on the power network potential threat events to generate power network threat identification events, where the threat identification events include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events, and which performs strategy defense on the threat identification events to generate the malware defense strategy, phishing defense strategy, DDoS attack defense strategy, network intrusion defense strategy and zero-day vulnerability attack defense strategy;

an intelligent decision module, which collects defense logs for the malware defense strategy, phishing defense strategy, DDoS attack defense strategy, network intrusion defense strategy and zero-day vulnerability attack defense strategy to obtain security defense log data, and makes intelligent defense decisions on the security defense log data to generate the intelligent defense decision plan.

The beneficial effects of the present invention are as follows. Abnormal node detection and potential threat analysis on the distributed traffic identification data reveal the abnormal nodes and potential threat events present in the power network, which helps detect potential attacks or abnormal situations early and improves the monitoring and response capability of network security. Threat event identification on the power network potential threat events classifies the threats by type, so that a specific defense strategy can be applied to each: the malware defense strategy, phishing defense strategy, DDoS attack defense strategy, network intrusion defense strategy or zero-day vulnerability attack defense strategy. Defense log collection and intelligent defense decision-making use the security defense log data to generate targeted and intelligent defense plans and decision recommendations from the real-time security logs and network state. The present invention therefore improves the comprehensiveness and adaptability of network security protection by identifying abnormal nodes for network events and constructing defense strategies for several attack types.

Therefore, the embodiments are to be regarded in all respects as illustrative and not restrictive; the scope of the present invention is defined by the appended claims rather than by the foregoing description, and all changes that come within the meaning and range of equivalents of the application documents are intended to be embraced therein.

The above is only a specific embodiment of the present invention, presented so that those skilled in the art can understand or implement it. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. The present invention is therefore not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1.一种网络事件安全监测方法,其特征在于,包括以下步骤:1. A network event security monitoring method, characterized in that it includes the following steps: 步骤S1:获取电力网络节点数据;根据电力网络节点数据进行电力网络信息数据采集,从而获取节点流量原始数据;对节点流量原始数据进行分布式流量标识,将节点流量数据划分为区块或流量片段,并为每个区块或流量片段生成唯一的标识符,生成分布式流量标识数据;Step S1: Acquire power network node data; collect power network information data according to the power network node data, so as to obtain node flow raw data; perform distributed flow identification on the node flow raw data, divide the node flow data into blocks or flow segments, and generate a unique identifier for each block or flow segment, and generate distributed flow identification data; 步骤S2:对分布式流量标识数据进行异常节点检测,生成电力网络异常节点数据;对电力网络异常节点数据进行潜在威胁检测分析,生成电力网络潜在威胁事件;Step S2: performing abnormal node detection on the distributed flow identification data to generate abnormal node data of the power network; performing potential threat detection and analysis on the abnormal node data of the power network to generate potential threat events of the power network; 步骤S3:对电力网络潜在威胁事件进行威胁事件判别,生成电力网络威胁判别事件,其中电力网络威胁判别事件包括恶意软件攻击事件、网络钓鱼事件、Ddos攻击事件、网络入侵事件和零日漏洞攻击事件;对电力网络威胁判别事件进行策略防御,生成恶意软件防御策略、网络钓鱼防御策略、Ddos攻击防御策略、网络入侵防御策略和零日漏洞攻击防御策略;Step S3: Perform threat event identification on potential threat events of the power network, and generate power network threat identification events, wherein the power network threat identification events include malware attack events, phishing events, Ddos attack events, network intrusion events, and zero-day vulnerability attack events; perform strategy defense on the power network threat identification events, and generate malware defense strategies, phishing defense strategies, Ddos attack defense strategies, network intrusion defense strategies, and zero-day vulnerability attack defense strategies; 步骤S4:对恶意软件防御策略、网络钓鱼防御策略、Ddos攻击防御策略、网络入侵防御策略和零日漏洞攻击防御策略进行防御日志采集,得到安全防御日志数据;对安全防御日志数据进行智能防御决策,生成智能防御决策方案;Step S4: collecting defense logs for malware defense strategies, phishing defense strategies, DDoS 
attack defense strategies, network intrusion defense strategies, and zero-day vulnerability attack defense strategies to obtain security defense log data; making intelligent defense decisions on the security defense log data to generate intelligent defense decision plans; 步骤S4包括以下步骤:Step S4 includes the following steps: 步骤S41:将恶意软件防御策略、网络钓鱼防御策略、Ddos攻击防御策略、网络入侵防御策略和零日漏洞攻击防御策略进行策略整合,生成网络事件防御策略;利用网络事件防御策略对电力网络潜在威胁事件进行防御日志采集,得到安全防御日志数据;Step S41: integrating malware defense strategy, phishing defense strategy, DDoS attack defense strategy, network intrusion defense strategy and zero-day vulnerability attack defense strategy to generate a network event defense strategy; using the network event defense strategy to collect defense logs for potential threat events of the power network to obtain security defense log data; 步骤S42:对安全防御日志数据进行数据集划分,生成模型训练集和模型测试集;利用决策树模型对模型训练集进行模型训练,生成智能防御决策训练模型;通过模型测试集对智能防御决策训练模型进行模型测试,生成智能防御决策模型;Step S42: divide the security defense log data into data sets to generate a model training set and a model test set; use a decision tree model to perform model training on the model training set to generate an intelligent defense decision training model; use a model test set to perform model testing on the intelligent defense decision training model to generate an intelligent defense decision model; 步骤S43:利用智能防御决策模型对电力网络潜在威胁事件进行智能防御决策,生成智能防御决策方案。Step S43: Use the intelligent defense decision model to make intelligent defense decisions on potential threat events in the power network and generate an intelligent defense decision plan. 2.根据权利要求1所述的网络事件安全监测方法,其特征在于,步骤S1包括以下步骤:2. 
The network event security monitoring method according to claim 1, characterized in that step S1 comprises the following steps: 步骤S11:获取电力网络节点数据;Step S11: Acquire power network node data; 步骤S12:根据电力网络节点数据进行分布式感知节点部署,得到分布式电力网络感知节点;基于分布式电力网络感知节点进行电力网络信息数据采集,从而获取节点流量原始数据,其中电力网络信息数据采集包括数据包解析、数据包过滤和数据包嗅探;Step S12: deploy distributed sensing nodes according to the power network node data to obtain distributed power network sensing nodes; collect power network information data based on the distributed power network sensing nodes to obtain node flow raw data, wherein the power network information data collection includes data packet parsing, data packet filtering and data packet sniffing; 步骤S13:对节点流量原始数据进行数据预处理,生成标准节点流量原始数据,其中数据预处理包括数据清洗、数据缺失值填充和数据标准化;Step S13: preprocessing the node flow raw data to generate standard node flow raw data, wherein the data preprocessing includes data cleaning, data missing value filling and data standardization; 步骤S14:对标准节点流量原始数据进行分布式流量标识,生成分布式流量标识数据。Step S14: Perform distributed traffic identification on the original data of standard node traffic to generate distributed traffic identification data. 3.根据权利要求2所述的网络事件安全监测方法,其特征在于,步骤S14包括以下步骤:3. 
The network event security monitoring method according to claim 2, characterized in that step S14 comprises the following steps: 步骤S141:对标准节点流量原始数据进行网络上传溯源,得到分布式电力流量传输上传节点数据;对分布式电力流量传输上传节点数据进行上传频率分析,得到分布式电力流量传输上传频率数据;Step S141: perform network upload tracing on the original data of standard node flow to obtain the node data of distributed power flow transmission upload; perform upload frequency analysis on the node data of distributed power flow transmission upload to obtain the frequency data of distributed power flow transmission upload; 步骤S142:根据分布式电力流量传输上传频率数据对标准节点流量原始数据进行相邻节点最短传输路径计算,得到相邻节点最短路径数据;根据相邻节点最短路径数据对标准节点流量原始数据进行传输闭环通路构建,生成节点传输闭环通路;Step S142: Calculate the shortest transmission path of adjacent nodes for the original data of standard node flow according to the uploaded frequency data of distributed power flow transmission, and obtain the shortest path data of adjacent nodes; construct a transmission closed-loop path for the original data of standard node flow according to the shortest path data of adjacent nodes, and generate a node transmission closed-loop path; 步骤S143:基于节点传输闭环通路和分布式电力流量传输上传频率数据进行节点上传活跃度分析,生成节点上传活跃度分析数据;将节点上传活跃度分析数据和预设的节点上传活跃度阈值进行对比,当节点上传活跃度分析数据大于或等于预设的节点上传活跃度阈值时,则对相应的标准节点流量原始数据进行流量标识,生成分布式流量标识数据。Step S143: Perform node upload activity analysis based on the node transmission closed-loop path and the distributed power flow transmission upload frequency data to generate node upload activity analysis data; compare the node upload activity analysis data with a preset node upload activity threshold, and when the node upload activity analysis data is greater than or equal to the preset node upload activity threshold, perform flow identification on the corresponding standard node flow raw data to generate distributed flow identification data. 4.根据权利要求1所述的网络事件安全监测方法,其特征在于,步骤S2包括以下步骤:4. 
The network event security monitoring method according to claim 1, characterized in that step S2 comprises the following steps: 步骤S21:对分布式流量标识数据进行异常节点检测,生成电力网络异常节点数据;Step S21: performing abnormal node detection on the distributed flow identification data to generate abnormal node data of the power network; 步骤S22:根据电力网络异常节点数据进行异常关联关系探索,生成异常关联关系矩阵;Step S22: exploring abnormal correlation relationships based on abnormal node data of the power network to generate an abnormal correlation relationship matrix; 步骤S23:通过电力网络异常节点数据和异常关联关系矩阵进行复杂网络结构建模,生成电力网络复杂网络结构;对电力网络复杂网络结构进行低维向量空间嵌入,生成电力网络异常图谱;Step S23: Modeling a complex network structure through abnormal node data and abnormal correlation matrix of the power network to generate a complex network structure of the power network; embedding the complex network structure of the power network into a low-dimensional vector space to generate an abnormal map of the power network; 步骤S24:利用电力网络异常图谱对电力网络异常节点数据进行潜在威胁检测分析,生成电力网络潜在威胁事件。Step S24: Utilize the power network anomaly map to perform potential threat detection and analysis on the power network abnormal node data to generate a power network potential threat event. 5.根据权利要求4所述的网络事件安全监测方法,其特征在于,步骤S21包括以下步骤:5. 
5. The network event security monitoring method according to claim 4, characterized in that step S21 comprises the following steps:
Step S211: perform node send/receive ratio analysis on the distributed traffic identification data to obtain node send/receive ratio data; based on the node send/receive ratio, perform packet size analysis on the distributed traffic identification data to generate node sent-packet-size ratio data;
Step S212: based on the node send/receive ratio data and the node sent-packet-size ratio data, perform network transmission rate change analysis on the distributed traffic identification data to generate node transmission rate change ratio data;
Step S213: use the node traffic characteristic ratio calculation formula to compute the node traffic characteristic ratio from the node send/receive ratio data, the node sent-packet-size ratio data and the node transmission rate change ratio data, obtaining node traffic characteristic ratio data;
Step S214: compare the node traffic characteristic ratio data with a preset standard node traffic characteristic ratio; when the node traffic characteristic ratio data is greater than or equal to the preset standard node traffic characteristic ratio, generate power network abnormal node data.
6. The network event security monitoring method according to claim 5, characterized in that the node traffic characteristic ratio calculation formula in step S213 is as follows:
[formula not reproduced in the source]
where the symbols of the formula denote, in turn: the traffic characteristic ratio of the node at the given time; the ratio of the node's sent packet size at that time to its maximum sent packet size; the ratio of the change in the node's sent-packet transmission rate at that time to its maximum transmission rate; the node's maximum transmission rate; the node's send/receive ratio at that time; the node's maximum send/receive ratio; the ratio of the node's received packet size at that time to its maximum received packet size; the ratio of the change in the node's received-packet transmission rate at that time to its maximum transmission rate; the upper limit of the node detection time; the node's received-packet send/receive ratio at that time; and the time point.
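A runnable sketch of steps S211 to S214 over constructed per-node traffic records, added here as an example rather than code from the patent. The records, the per-node maxima (treated as configured capacities) and the way the three ratios are combined are all assumptions, since the patent's formula is not reproduced on the page:

```python
"""Node anomaly detection after claims 5 and 6 (steps S211-S214).

Added example, not the patent's code. The patent's formula is not reproduced
on the page, so the combination below (mean of three capped ratios per time
slot, peak over the window) and the per-node maxima are assumptions.
"""
from collections import defaultdict

# Constructed sample records:
# (node, time slot, sent packets, sent bytes, received packets, received bytes)
FLOWS = [
    ("n1", 0, 100, 60_000, 90, 50_000),
    ("n1", 1, 110, 66_000, 95, 52_000),
    ("n1", 2, 105, 63_000, 92, 51_000),
    ("n2", 0, 120, 70_000, 100, 60_000),
    ("n2", 1, 900, 1_300_000, 20, 4_000),   # sudden one-way burst
    ("n2", 2, 950, 1_400_000, 15, 3_000),
]

# Assumed per-node maxima (send/receive ratio, sent packet size in bytes,
# transmission rate in bytes per slot) used as the normalisation base.
NODE_LIMITS = {
    "n1": {"max_sr": 10.0, "max_pkt": 1500, "max_rate": 1_500_000},
    "n2": {"max_sr": 10.0, "max_pkt": 1500, "max_rate": 1_500_000},
}


def slot_features(flows):
    """Steps S211-S212: per node, time-ordered tuples of
    (slot, send/receive ratio, mean sent packet size, sent bytes per slot)."""
    by_node = defaultdict(list)
    for node, t, sp, sb, rp, _rb in sorted(flows, key=lambda f: (f[0], f[1])):
        by_node[node].append((t, sp / max(rp, 1), sb / max(sp, 1), sb))
    return by_node


def characteristic_ratio(series, limits):
    """Step S213 (assumed form): divide each feature by the node's maximum,
    cap at 1, average the three per slot and return the window peak."""
    peak, prev_rate = 0.0, None
    for _, sr, size, rate in series:
        change = 0.0 if prev_rate is None else abs(rate - prev_rate)
        terms = (min(sr / limits["max_sr"], 1.0),
                 min(size / limits["max_pkt"], 1.0),
                 min(change / limits["max_rate"], 1.0))
        peak = max(peak, sum(terms) / 3)
        prev_rate = rate
    return peak


def node_scores(flows, limits):
    """Characteristic ratio for every node present in the records."""
    return {n: characteristic_ratio(s, limits[n])
            for n, s in slot_features(flows).items()}


def detect_abnormal_nodes(flows, limits, threshold):
    """Step S214: nodes whose ratio is >= the preset standard ratio."""
    return sorted(n for n, v in node_scores(flows, limits).items()
                  if v >= threshold)
```

With the constructed records, n1 scores about 0.17 and n2 about 0.93, so a standard ratio of 0.6 flags only the bursting node.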
7. The network event security monitoring method according to claim 4, characterized in that step S24 comprises the following steps:
Step S241: use the power network anomaly graph to construct a threat behavior association graph from the power network abnormal node data, generating a network threat behavior graph; perform node centrality analysis on the network threat behavior graph to generate network node centrality indicators, where the network node centrality indicators include node degree centrality, node betweenness centrality and node closeness centrality;
Step S242: divide the power network anomaly graph into threat behavior communities according to node degree centrality, node betweenness centrality and node closeness centrality to generate network threat behavior community identification data; cluster the power network abnormal node data by similar behavior based on the network threat behavior community identification data to generate abnormal node behavior clustering data;
Step S243: perform threat path identification on the abnormal node behavior clustering data to generate threat behavior path identification data; perform strong-correlation analysis of threat behavior on the threat behavior path identification data to generate threat behavior key path identification data;
Step S244: perform potential threat correlation analysis on the power network abnormal node data according to the threat behavior key path identification data to generate power network potential threat events.
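The three centrality indicators of step S241, computed on a small constructed threat behavior graph; this is an added example, not the patent's implementation, and the graph, the node names and the betweenness-based ordering are assumptions:

```python
"""Centrality analysis on a threat behavior graph (claim 7, step S241).
Added example, not the patent's code; the constructed graph has abnormal
nodes as vertices and correlated interactions as edges.
"""
from collections import deque

# Constructed undirected graph: "hub" is the only bridge between two groups.
EDGES = [("a", "b"), ("b", "c"), ("a", "c"), ("c", "hub"),
         ("hub", "d"), ("d", "e"), ("e", "f"), ("d", "f")]


def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def bfs(adj, src):
    """Brandes' first phase: distances, path counts, predecessors, order."""
    dist, sigma, pred, order = {src: 0}, {src: 1}, {v: [] for v in adj}, []
    queue = deque([src])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in adj[v]:
            if w not in dist:          # first discovery of w
                dist[w], sigma[w] = dist[v] + 1, 0
                queue.append(w)
            if dist[w] == dist[v] + 1:  # v lies on a shortest path to w
                sigma[w] += sigma[v]
                pred[w].append(v)
    return dist, sigma, pred, order


def degree_centrality(adj):
    return {v: len(nb) / (len(adj) - 1) for v, nb in adj.items()}


def closeness_centrality(adj):
    """(n - 1) / sum of shortest-path distances; connected graph assumed."""
    return {v: (len(adj) - 1) / sum(bfs(adj, v)[0].values()) for v in adj}


def betweenness_centrality(adj):
    """Brandes' accumulation, normalised for an undirected graph."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        _, sigma, pred, order = bfs(adj, s)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    n = len(adj)
    return {v: b / ((n - 1) * (n - 2)) for v, b in bc.items()}


def bridging_nodes(edges):
    """Abnormal nodes ordered by betweenness: those carrying the most
    shortest paths between others, a natural first pick for isolation."""
    bc = betweenness_centrality(adjacency(edges))
    return sorted(bc, key=lambda v: (-bc[v], v))
```

On this graph "hub" has betweenness 0.6 and closeness 0.6 while the leaf-like nodes have betweenness 0, which is the kind of contrast the community division in step S242 builds on.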
8. The network event security monitoring method according to claim 1, characterized in that step S3 comprises the following steps:
Step S31: perform threat event identification on the power network potential threat events to generate power network threat identification events, where the power network threat identification events include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events;
Step S32: when the power network threat identification event is confirmed to be a malware attack event, deploy node firewalls for the power network abnormal node data to obtain abnormal node firewalls; perform intrusion detection and intrusion prevention based on the abnormal node firewalls to obtain network traffic data and abnormal node behavior data; adjust the power network abnormal nodes to minimum network control privileges according to the network traffic data and the abnormal node behavior data to generate a malware defense strategy;
Step S33: when the power network threat identification event is confirmed to be a phishing event, configure email filters for the power network abnormal node data to obtain email filter configuration rule data; based on the email filter configuration rule data, enforce multi-factor authentication for data uploads from the power network abnormal node data to generate a phishing defense strategy;
Step S34: when the power network threat identification event is confirmed to be a DDoS attack event, perform attack period analysis on the power network abnormal node data to generate attack-intensive period data; perform load balancing on the power network abnormal nodes according to the attack-intensive period data to generate load balancing data; compare the load balancing data with a preset standard load balancing threshold, and when the load balancing data is greater than the preset standard load balancing threshold, apply a routing black hole to the excess power network abnormal node data to generate a DDoS attack defense strategy;
Step S35: when the power network threat identification event is confirmed to be a network intrusion event, perform intrusion area analysis on the power network abnormal node data to obtain intrusion area analysis data; perform network isolation based on the intrusion area analysis data to generate network isolation area data; use the network isolation area data to perform security remediation of the intrusion area to generate a network intrusion defense strategy;
Step S36: when the power network threat identification event is confirmed to be a zero-day vulnerability attack event, perform threat intelligence analysis on the power network abnormal node data to generate threat intelligence analysis data; apply zero-day vulnerability patches according to the threat intelligence analysis data to generate zero-day vulnerability patch data; apply traffic rule filtering to the power network abnormal nodes according to the zero-day vulnerability patch data to generate a zero-day vulnerability attack defense strategy.
9. A network event security monitoring system, characterized in that it is used to execute the network event security monitoring method according to claim 1, the network event security monitoring system comprising:
a distributed identification module, used to obtain power network node data; collect power network information data according to the power network node data, thereby obtaining node traffic raw data; and perform distributed traffic identification on the node traffic raw data to generate distributed traffic identification data;
a potential threat analysis module, used to perform abnormal node detection on the distributed traffic identification data to generate power network abnormal node data, and to perform potential threat detection and analysis on the power network abnormal node data to generate power network potential threat events;
a strategy defense module, used to perform threat event identification on the power network potential threat events to generate power network threat identification events, where the power network threat identification events include malware attack events, phishing events, DDoS attack events, network intrusion events and zero-day vulnerability attack events; and to perform strategy defense on the power network threat identification events to generate a malware defense strategy, a phishing defense strategy, a DDoS attack defense strategy, a network intrusion defense strategy and a zero-day vulnerability attack defense strategy;
an intelligent decision-making module, used to collect defense logs for the malware defense strategy, the phishing defense strategy, the DDoS attack defense strategy, the network intrusion defense strategy and the zero-day vulnerability attack defense strategy to obtain security defense log data, and to make intelligent defense decisions on the security defense log data to generate an intelligent defense decision plan.
CN202410443479.XA 2024-04-12 2024-04-12 Network event safety monitoring method and system Active CN118200019B (en)
Publications (2)

Publication Number Publication Date
CN118200019A CN118200019A (en) 2024-06-14
CN118200019B true CN118200019B (en) 2024-09-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant