Search

CN-116204816-B - Thermal power plant replay attack detection method based on system identification and noise coding

CN116204816BCN 116204816 BCN116204816 BCN 116204816BCN-116204816-B

Abstract

The invention discloses a thermal power plant replay attack detection method based on system identification and noise coding, which applies a residual error card method detection method based on Kalman filtering and a noise coding method to network attack detection of a unit coordinated control system through a system identification principle, can meet the actual false alarm rate and detection rate of network attack by setting a proper alarm threshold and Gaussian noise variance, realizes replay attack detection, ensures stable operation of a control system, provides a detection means of network attack of the coordinated control system, and provides a certain basis for identifying replay attack aiming at a sensor. The invention can detect the change condition of residual distribution when the sensor of the coordination control system of the unit set is attacked by replay and judge whether the sensor is attacked by replay or not. The network attack detection which does not influence the normal operation of the coordination control system and does not depend on a network flow analysis means is realized.

Inventors

  • XIE YUNYUN
  • SHEN YU
  • Yan Ziao
  • LIU AIJING
  • YAN HUIXIN
  • Zhao Chengchong

Assignees

  • 南京理工大学

Dates

Publication Date
20260505
Application Date
20230307

Claims (8)

  1. 1. A thermal power plant replay attack detection method based on system identification and noise coding is characterized by comprising the following steps: Step 1, for a certain working condition of a thermal power generating unit, a particle swarm algorithm is adopted to identify a MIMO (multiple input multiple output) model of a coordination control system, and a Kalman filtering model is established; Step 2, determining an alarm threshold and Gaussian noise variance according to the false alarm rate and the detection rate requirements; Step 3, off-line sharing of Gaussian noise signals at the controller side and the sensor side; step 4, adding Gaussian noise signals into the sensor feedback signals for coding, and subtracting the Gaussian noise signals from the signals received by the controller for decoding; step 5, forming residual signals by the Kalman filtering priori estimation result and the decoding result in the step 4; Step 6, constructing a detection signal according to the residual signal, comparing the detection signal with the alarm threshold in the step 2, if the detection signal is larger than the alarm threshold, indicating that replay attack exists, otherwise, not existing; In step 2, the alarm threshold value and Gaussian noise variance of each sensor are determined according to the requirements of the false alarm rate and the detection rate, which are respectively 、 : In the formula, Obtained from the chi-square distribution table, the degree of freedom is t, and the area of the right tail end is the false alarm rate ; Is also obtained by a chi-square distribution table, the degree of freedom is t, and the area of the right tail end is the detection rate ; Representing the observer residual covariance under normal conditions; Is the minimum gaussian noise signal variance.
  2. 2. The replay attack detecting method of a thermal power plant based on system identification and noise coding according to claim 1, wherein in step 1, the coordinated control system MIMO model is a transfer function defined according to a thermal process and including unknown parameters, a boiler fuel amount command and a turbine valve opening command are used as input amounts, and a boiler main steam pressure and a unit output power are used as output amounts.
  3. 3. The method for detecting replay attack of a thermal power plant based on system identification and noise coding according to claim 2, wherein the step 1 adopts a particle swarm algorithm to identify a MIMO model of a coordinated control system, and specifically comprises: the following two fitness functions are adopted to identify a multi-input multi-output MIMO model of the coordination control system: In the formula, A fitness function representing a primary steam pressure identification process; a fitness function representing an output power identification process; 、 、 、 A system transfer function for a MIMO model, specifically: representing a system transfer function from a throttle opening command to a main vapor pressure; A system transfer function from the opening command of the regulating valve to the output power of the unit; a system transfer function representing a command from the fuel quantity to the main vapor pressure; a system transfer function representing the power from the fuel quantity command to the unit output; a steam turbine valve opening instruction at the moment i is represented; A boiler fuel quantity command indicating a time i; Representing the system transfer function G for the input signal Response value of (2); A sensor measurement representing the main steam pressure at time i; The summation from k1 to k2 represents the error accumulation sum of the predicted output of the recognition model and the actual measured value in the period.
  4. 4. The method for detecting replay attack from a thermal power plant based on system identification and noise coding according to claim 3, wherein the establishing a kalman filter model in step1 specifically includes: step 1-1, based on the identified parameters of the MIMO model, establishing a system state equation: In the formula, An m-dimensional system state vector at time k, An m-dimensional system state vector at time k+1, Is an m-dimensional real number vector; The output vector is n-dimensional at the moment k, namely the actual measurement value of the sensor, Is an n-dimensional real number vector; a, B, C represents a system matrix, a control matrix and an observation matrix respectively; And System noise and sensor noise representing time k respectively; step 1-2, based on the system state equation, establishing a Kalman filtering model: In the formula, And A priori estimates of the system state at time k+1 and k, respectively; the system state posterior estimation value at the moment k; A Kalman filtering gain at time k; And A priori covariance estimated values at the k and k+1 times are respectively represented; Representing the posterior covariance estimate at time k, Q represents the system noise variance, i.e R represents the observer noise variance, i.e The superscript T denotes the transpose process.
  5. 5. The method for detecting replay attack of a thermal power plant based on system identification and noise coding according to claim 4, wherein the detection signal constructed according to the residual signal in step 6 is: wherein t represents the size of the detection window; An observer residual signal representing the instant i, T representing the transposition process, a detection signal for an n-dimensional measurement signal Obeying chi-square distribution with a degree of freedom nt.
  6. 6. A thermal power plant replay attack detection system based on system identification and noise coding according to any one of claims 1 to 5, the system comprising: The first module is used for identifying a MIMO (multiple input multiple output) model of the coordination control system by adopting a particle swarm algorithm for a certain working condition of the thermal power generating unit, and establishing a Kalman filtering model; The second module is used for determining an alarm threshold and Gaussian noise variance according to the false alarm rate and detection rate requirements; A third module for offline sharing of controller-side and sensor-side gaussian noise signals; a fourth module, configured to add a gaussian noise signal to the sensor feedback signal for encoding, and subtract the gaussian noise signal from the received signal of the controller for decoding; A fifth module, configured to form a residual signal from the kalman filter a priori estimation result and the decoding result; and a sixth module, configured to construct a detection signal according to the residual signal, compare the detection signal with the alarm threshold, and if the detection signal is greater than the alarm threshold, indicate that a replay attack exists, otherwise, not exist.
  7. 7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 5 when the computer program is executed by the processor.
  8. 8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 5.

Description

Thermal power plant replay attack detection method based on system identification and noise coding Technical Field The invention belongs to the technical field of coordination control of unit units of a thermal power plant, and particularly relates to a thermal power plant replay attack detection method based on system identification and noise coding. Background With the development of information communication technology, industrial control systems widely apply computer and network communication technology to improve control level, so that power plants develop into information physical systems capable of realizing real-time sensing, dynamic control and information service fusion, and meanwhile, various network security problems are brought to the power plants. In order to realize the control of the steam pressure and the load, the unit coordinated control system collects the actual steam pressure and the load through a sensor, compares the target steam pressure and the load, adopts a classical PI control algorithm to cooperatively control the boiler and the steam turbine, and rapidly adjusts the load under the condition of keeping the fluctuation of the steam pressure smaller. Network attacks can disrupt the closed-loop control of the system, degrading or even collapsing the system's stability. Existing network security monitoring algorithms are generally based on network traffic analysis, and have high false alarm rates and false miss rates. In addition, since real historical data is used for the malicious replay attack of the sensor, analysis cannot be performed through network traffic, and thus a new detection algorithm is required to realize the identification of the malicious replay attack of the sensor. Disclosure of Invention The invention aims to provide a thermal power plant replay attack detection algorithm based on system identification and noise coding, which can detect the change condition of residual distribution when a unit coordinated control system sensor is subjected to replay attack and judge whether the unit coordinated control system sensor is subjected to replay attack. The network attack detection which does not influence the normal operation of the coordination control system and does not depend on a network flow analysis means is realized. The technical scheme for realizing the aim of the invention is that the thermal power plant replay attack detection method based on system identification and noise coding comprises the following steps: Step 1, for a certain working condition of a thermal power generating unit, a particle swarm algorithm is adopted to identify a MIMO (multiple input multiple output) model of a coordination control system, and a Kalman filtering model is established; Step 2, determining an alarm threshold and Gaussian noise variance according to the false alarm rate and the detection rate requirements; Step 3, off-line sharing of Gaussian noise signals at the controller side and the sensor side; step 4, adding Gaussian noise signals into the sensor feedback signals for coding, and subtracting the Gaussian noise signals from the signals received by the controller for decoding; step 5, forming residual signals by the Kalman filtering priori estimation result and the decoding result in the step 4; And 6, constructing a detection signal according to the residual signal, comparing the detection signal with the alarm threshold in the step 2, and if the detection signal is larger than the alarm threshold, indicating that replay attack exists, otherwise, judging that the replay attack does not exist. Further, in the step 1, the multiple-input multiple-output MIMO model of the coordination control system is a transfer function containing unknown parameters and defined according to a thermal process, a boiler fuel quantity instruction and a steam turbine valve opening instruction are used as input quantities, and a boiler main steam pressure and unit output power are used as output quantities. Further, in step 1, a particle swarm algorithm is adopted to identify a MIMO model of the coordination control system, which specifically includes: the following two fitness functions are adopted to identify a multi-input multi-output MIMO model of the coordination control system: In the formula, A fitness function representing a primary steam pressure identification process; a fitness function representing an output power identification process; 、、、 A system transfer function for a MIMO model, specifically: representing a system transfer function from a throttle opening command to a main vapor pressure; A system transfer function from the opening command of the regulating valve to the output power of the unit; a system transfer function representing a command from the fuel quantity to the main vapor pressure; a system transfer function representing the power from the fuel quantity command to the unit output; a steam turbine valve opening instruction at the moment i is represented