CN-116260647-B - Bidirectional generation countermeasure network steam turbine network intrusion detection method based on bilateral characteristics

Abstract

The invention discloses a steam turbine network intrusion detection method using a bidirectional generative adversarial network based on bilateral features. The method combines physical-side and network-side data of the steam turbine and uses a bidirectional generative adversarial network algorithm to judge whether network intrusion behavior exists in the steam turbine system. The method comprises: screening and extracting physical-side and network-layer features with a data analysis method to construct an intrusion detection feature set; building, on the basis of the generative adversarial network, a bidirectional generative adversarial network with an exponential moving average; training the bidirectional generative adversarial network on the intrusion detection feature set; and detecting steam turbine network intrusion behavior with the trained bidirectional generative adversarial network. The method achieves high accuracy in steam turbine network intrusion detection, can detect potential network attack behavior in the steam turbine system, and has a certain theoretical and engineering value.

Inventors

  • XIE YUNYUN
  • Zhao Chengchong
  • LIU AIJING
  • Yan Ziao
  • YAN HUIXIN
  • SHEN YU

Assignees

  • Nanjing University of Science and Technology (南京理工大学)

Dates

Publication Date
20260512
Application Date
20230309

Claims (9)

  1. A network intrusion detection method for a steam turbine using a bidirectional generative adversarial network based on bilateral features, characterized by comprising the following steps:
     Step 1, screening and extracting features of the physical side and the network layer of the steam turbine by a data analysis method, and constructing an intrusion detection feature set;
     Step 2, building, on the basis of the generative adversarial network, a bidirectional generative adversarial network with an exponential moving average, wherein the specific process comprises:
     Step 2-1, constructing a bidirectional generative adversarial network model as follows: wherein G represents the generator network, E represents the encoder network, D represents the discriminator network, G(x) represents the generator network forward computation, E(x) represents the encoder network forward computation, D(x) represents the discriminator network forward computation, x represents the raw input data of the neural network, p(x) represents the probability distribution of the raw input data, and z represents the generator input data, i.e., hidden space data; representing the probability distribution of the encoder output given the original input data and the encoder network parameters; a probability distribution representing the hidden space data; the probability distribution of the generator output given the generator input data and the generator network parameters is represented; the loss function in iterative optimization of the D-network parameters is as follows: wherein, in the formula, is an activation function; an output of the generator input/output data pair calculated by the discriminator; in the formula, input and output data pairs for the encoder, the output calculated by the discriminator; the loss functions when the parameters of the G network and the E network are iteratively optimized are respectively as follows:
     Step 2-2, adding an exponential moving average (EMA) on the time axis when training the bidirectional generative adversarial network: in the formula, take the value for the nth data of the sequence; for the period of the exponential moving average; respectively the results of the exponential moving average at the (N-1)-th and N-th data of the sequence, taking N as the calculation period; meanwhile, in the training process of the bidirectional generative adversarial network, a shadow variable is created to smooth the neural network model parameters; the neural network weights and bias parameters are updated as follows: in the formula, the values of the variable to be moving-averaged at time step t and time step t-1 are respectively represented; represents the weight, where a larger value means the value after the moving average is more related to the historical value, and a smaller value means it is more related to the current value; represents the value of the variable at time step t when the moving average model is not used;
     Step 3, training the bidirectional generative adversarial network based on the intrusion detection feature set; and
     Step 4, detecting steam turbine network intrusion behavior based on the trained bidirectional generative adversarial network.
  2. The network intrusion detection method for a steam turbine using a bidirectional generative adversarial network based on bilateral features according to claim 1, wherein in step 1 the features of the physical side and the network layer of the steam turbine are screened and extracted by a data analysis method and the intrusion detection feature set is constructed, the specific process comprising:
     Step 1-1, selecting the physical-side features of the steam turbine as shown in Table 1 below:

     Table 1: physical-side data features

     | Sequence number | Label name | Physical meaning |
     |---|---|---|
     | 1 | AGC_b | Boiler master control instruction |
     | 2 | P_main | Main steam pressure |
     | 3 | P_dr | Drum pressure |
     | 4 | BR_b | Boiler firing rate command |
     | 5 | St_f | Steam flow rate |
     | 6 | f | Frequency |
     | 7 | AGC_t | Steam turbine master control instruction |
     | 8 | P | Output power |
     | 9 | Cmd_valve | Steam turbine valve opening control instruction |
     | 10 | Valve_op | Valve opening degree |
     | 11 | St_f_H | High pressure cylinder steam inlet flow |
     | 12 | St_f_M | Steam inlet flow rate of medium pressure cylinder |
     | 13 | St_f_L | Low pressure cylinder steam inlet flow |

     Step 1-2, selecting the network-side features of the steam turbine as shown in Table 2 below:

     Table 2: network-side data features

     | Label | Attribute meaning | Label | Attribute meaning |
     |---|---|---|---|
     | tf_pk | Total number of forward packets | p_l_avg | Average length of flow |
     | tb_pk | Reverse total number of packets | p_l_std | Standard deviation length of flow |
     | tf_l_pkt | Forward packet total size | p_l_va | Packet minimum interval time |
     | fp_l_max | Forward packet maximum size | fin_cnt | Number of packets with FIN |
     | fp_l_min | Forward packet minimum size | syn_cnt | With SYN packet number |
     | fp_l_avg | Forward packet averaging | rst_cnt | With RST packet count |
     | fp_l_std | Standard deviation of forward packet | pst_cnt | Packet number of PUSH |
     | Bp_l_max | Reverse packet maximum size | ack_cnt | With number of ACK packets |
     | Bp_l_min | Reverse packet minimum size | urg_cnt | With number of URG packets |
     | Bp_l_avg | Reverse packet averaging | cwe_cnt | With CWE number of packets |
     | Bp_l_std | Reverse packet standard deviation | ece_cnt | With ECE packet number |
     | fb_s | Stream byte rate | du_rat | Download upload ratio |
     | fp_s | Stream packet rate | p_si_avg | Average size of data packet |
     | fli_avg | Time for two leveling operations | fseg_avg | Average size in forward direction |
     | fli_std | Standard deviation time of two streams | bseg_avg | Average size of reverse direction |
     | fli_max | Maximum time of two streams | fb_b_avg | Forward average byte batch rate |
     | fli_min | Two streams for minimum time | fp_b_avg | Forward average block rate |
     | fwi_tot | Total time of two packets in forward direction | fb_r_avg | Forward average bulk rate |
     | fwi_avg | Forward two packet average time | bb_b_avg | Reverse average byte batch rate |
     | fwi_std | Forward two packet standard deviation time | bp_b_avg | Reverse average block rate |
     | fwi_max | Forward two packet maximum time | bb_r_avg | Reverse average bulk rate |
     | fwi_min | Forward two packets shortest time | subfl_fp | Forward flow average wrap number of the dough |
     | bwi_tot | Reverse total two packet time | subfl_fb | Forward sub-level average byte number |
     | bwi_avg | Reverse two packet average time | subfl_bp | Reverse flow average wrap number |
     | bwi_std | Reverse two packet standard deviation time | subfl_bb | Reverse sub-level average byte number |
     | bwi_max | Reverse two packet maximum time | fw_w_byt | Forward initial window byte count |
     | bwi_min | Reversing two packets for a minimum time | bw_w_byt | Reverse initial window byte count |
     | fp_flag | Forward packet PSH times | Fw_a_pkt | Front TC payload packet number |
     | bp_flag | Reverse packet PSH times | fseg_min | Forward minimum segment size |
     | fu_flag | Forward packet URG times | atv_avg | Average time before idle of stream |
     | bu_flag | Reverse packet URG times | atv_std | Standard deviation time before idle of stream |
     | fh_len | Total number of bytes of forward header | atv_max | Maximum time before stream idle |
     | bh_len | Total number of bytes of reverse header | atv_min | The shortest time before the stream is idle |
     | fpkt_s | Forward data packets per second | idl_avg | Average time before stream activity |
     | bpkt_s | Reverse data packets per second | idl_std | Standard deviation time before stream activity |
     | p_l_min | Minimum length of flow | idl_max | Maximum time before stream activity |
     | p_l_max | Maximum length of flow | idl_min | The shortest time before streaming activity |

     Step 1-3, collecting actual data for each feature in Table 1 and Table 2;
     Step 1-4, obtaining the correlation among the data of step 1-3, and screening out and removing from the feature tables the features whose similarity is higher than a preset threshold; and
     Step 1-5, normalizing the feature data screened in step 1-4, and screening out the features that conform to a normal distribution to form the final intrusion detection feature set.
  3. The network intrusion detection method for a steam turbine using a bidirectional generative adversarial network based on bilateral features according to claim 2, wherein the correlation in step 1-4 is measured by the Pearson correlation.
  4. The network intrusion detection method for a steam turbine using a bidirectional generative adversarial network based on bilateral features according to claim 2, wherein in step 1-5 each feature's data screened in step 1-4 is normalized by the Yeo-Johnson normal transformation, and the features conforming to a normal distribution are screened out by the K-S test.
  5. The network intrusion detection method for a steam turbine using a bidirectional generative adversarial network based on bilateral features according to claim 2, wherein the training of the bidirectional generative adversarial network based on the intrusion detection feature set in step 3 comprises the following specific steps:
     Step 3-1, acquiring a feature data set of the steam turbine during normal communication based on the intrusion detection feature set obtained in step 1;
     Step 3-2, training the bidirectional generative adversarial network of step 2 with the feature data set obtained in step 3-1 as input, using an adaptive gradient algorithm, to obtain a bidirectional generative adversarial network whose neural network parameters meet the network intrusion detection requirements;
     Step 3-3, based on the intrusion detection feature set obtained in step 1, obtaining a feature data set containing both normal steam turbine communication and network intrusion;
     Step 3-4, taking the feature data set obtained in step 3-3 as the input of the bidirectional generative adversarial network trained in step 3-2, obtaining the output of the network and calculating the anomaly score of the input, wherein the calculation formula is as follows: wherein A represents the anomaly score, as the weight, and are respectively the generator reconstruction error score and the discriminator score, and the expressions are as follows:
     Step 3-5, repeatedly executing steps 3-3 to 3-4 to obtain a plurality of groups of anomaly scores;
     Step 3-6, calculating the recall rate of anomaly detection: in the formula, represents inputs that are themselves abnormal traffic and are correctly classified as abnormal traffic; represents inputs that are themselves normal traffic and are misclassified as abnormal traffic; and
     Step 3-7, obtaining the anomaly score with the highest recall rate, and taking that anomaly score as the anomaly detection threshold.
  6. The network intrusion detection method for a steam turbine using a bidirectional generative adversarial network based on bilateral features according to claim 5, wherein detecting steam turbine network intrusion behavior based on the trained bidirectional generative adversarial network in step 4 comprises the following specific process:
     Step 4-1, acquiring in real time a feature data set of the steam turbine during communication based on the intrusion detection feature set obtained in step 1;
     Step 4-2, taking the feature data set obtained in step 4-1 as the input of the bidirectional generative adversarial network, and calculating the anomaly score in the manner of step 3-4; and
     Step 4-3, comparing the anomaly score of step 4-2 with the anomaly detection threshold of step 3-7: if the anomaly score is larger than the anomaly detection threshold, steam turbine network intrusion behavior exists; otherwise, it does not exist.
  7. A network intrusion detection system for a steam turbine using a bidirectional generative adversarial network based on bilateral features according to any one of claims 1 to 6, the system comprising:
     a first module for screening and extracting the physical-side and network-layer features of the steam turbine by a data analysis method and constructing an intrusion detection feature set;
     a second module for building, on the basis of the generative adversarial network, a bidirectional generative adversarial network with an exponential moving average;
     a third module for training the bidirectional generative adversarial network based on the intrusion detection feature set; and
     a fourth module for detecting steam turbine network intrusion behavior based on the trained bidirectional generative adversarial network.
  8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 6 when executing the computer program.
  9. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.

Description

Bidirectional generative adversarial network steam turbine network intrusion detection method based on bilateral features

Technical Field

The invention belongs to the technical field of power grids, and in particular relates to a steam turbine network intrusion detection method using a bidirectional generative adversarial network based on bilateral features, in the area of steam turbine network security.

Background

With the wide application of communication equipment in the steam turbines of thermal power plants, the steam turbine has gradually become a cyber-physical system (CPS) integrating communication and control. However, while the various communication devices improve the control performance of the steam turbine, they also become targets of network attack, which threatens the safe operation of the steam turbine. Various types of network attack behavior have begun to intrude into steam turbine control systems, posing potential threats to the safe and stable operation of the power plant and even the power grid. Because of these potential attacks from cyberspace, the steam turbine system may face a series of safety issues. It is therefore necessary to study anomaly detection algorithms for steam turbine network security. Existing methods for the anomaly detection problem include the local outlier factor method, the isolation forest method, the autoencoder method and the like. However, all of these detection methods need operating data from an actual power plant, and the existing methods consider only network-side data and neglect the physical data of steam turbine operation, so that detection accuracy is greatly reduced.

Disclosure of Invention

The invention aims to solve the problems of the prior art and provides a steam turbine network intrusion detection method using a bidirectional generative adversarial network based on bilateral features.
The technical scheme for realizing the aim of the invention is a steam turbine network intrusion detection method using a bidirectional generative adversarial network based on bilateral features, comprising the following steps:
Step 1, screening and extracting features of the physical side and the network layer of the steam turbine by a data analysis method, and constructing an intrusion detection feature set;
Step 2, building, on the basis of the generative adversarial network, a bidirectional generative adversarial network with an exponential moving average;
Step 3, training the bidirectional generative adversarial network based on the intrusion detection feature set; and
Step 4, detecting steam turbine network intrusion behavior based on the trained bidirectional generative adversarial network.

Further, in step 1, the features of the physical side and the network layer of the steam turbine are screened and extracted by a data analysis method and the intrusion detection feature set is constructed, the specific process comprising:
Step 1-1, selecting the physical-side features of the steam turbine as shown in Table 1 below: Table 1 physical side data characteristics table
Step 1-2, selecting the network-side features of the steam turbine as shown in Table 2 below: Table 2 network side data characteristics table
Step 1-3, collecting actual data for each feature in Table 1 and Table 2;
Step 1-4, obtaining the correlation among the data of step 1-3, and screening out and removing from the feature tables the features whose similarity is higher than a preset threshold; and
Step 1-5, normalizing the feature data screened in step 1-4, and screening out the features that conform to a normal distribution to form the final intrusion detection feature set.
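Steps 1-4 and 1-5, with the Pearson correlation, Yeo-Johnson transformation and K-S test that claims 3 and 4 name, can be implemented as follows. This is an added example, not code from the patent: the 0.9 correlation threshold, the λ grid, the asymptotic 5% K-S critical value 1.36/√n (conservative when mean and variance are estimated from the sample) and the sample data are assumptions, and feature columns are assumed non-constant.

```python
import math
import random
import statistics

def pearson(a, b):
    """Pearson correlation coefficient of two equal-length samples."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    return cov / math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))

def drop_correlated(cols, threshold):
    """Step 1-4: keep a feature only if |r| with every kept feature is <= threshold."""
    kept = []
    for name, values in cols.items():
        if all(abs(pearson(values, cols[k])) <= threshold for k in kept):
            kept.append(name)
    return kept

def yeo_johnson(x, lam):
    """Yeo-Johnson power transform of a single value (defined for negatives too)."""
    if x >= 0:
        return math.log1p(x) if abs(lam) < 1e-9 else ((x + 1) ** lam - 1) / lam
    return -math.log1p(-x) if abs(lam - 2) < 1e-9 else -((1 - x) ** (2 - lam) - 1) / (2 - lam)

def fit_lambda(xs):
    """Grid search on [-2, 3] for the lambda that maximises the normal log-likelihood."""
    jac = sum(math.copysign(math.log1p(abs(x)), x) for x in xs)  # Jacobian term
    def loglik(lam):
        var = statistics.pvariance([yeo_johnson(x, lam) for x in xs])
        return -len(xs) / 2 * math.log(var) + (lam - 1) * jac
    return max((step / 20 for step in range(-40, 61)), key=loglik)

def ks_normal(xs):
    """K-S distance between the standardised sample and N(0, 1)."""
    mu, sd, n = statistics.fmean(xs), statistics.pstdev(xs), len(xs)
    cdf = [0.5 * (1 + math.erf((x - mu) / (sd * math.sqrt(2)))) for x in sorted(xs)]
    return max(max((i + 1) / n - p, p - i / n) for i, p in enumerate(cdf))

def screen_features(cols, corr_threshold=0.9, ks_coeff=1.36):
    """Steps 1-4 and 1-5: return {feature: (lambda, ks_distance)} for retained features."""
    selected = {}
    for name in drop_correlated(cols, corr_threshold):
        lam = fit_lambda(cols[name])
        d = ks_normal([yeo_johnson(x, lam) for x in cols[name]])
        if d <= ks_coeff / math.sqrt(len(cols[name])):  # assumed 5% critical value
            selected[name] = (lam, round(d, 3))
    return selected

# Constructed sample data (not plant measurements); labels are taken from Tables 1 and 2.
rng = random.Random(7)
p_main = [rng.gauss(16.5, 0.4) for _ in range(400)]
COLS = {
    "P_main": p_main,                                          # main steam pressure
    "P_dr": [1.1 * p + rng.gauss(0, 0.02) for p in p_main],    # drum pressure, tracks P_main
    "fb_s": [math.exp(rng.gauss(8, 1)) for _ in range(400)],   # stream byte rate, skewed
    "syn_cnt": [float(rng.random() < 0.1) for _ in range(400)],  # SYN count, mostly zero
}
if __name__ == "__main__":
    print(screen_features(COLS))
```

In the constructed data, `P_dr` is removed as redundant with `P_main`, the skewed `fb_s` is retained once transformed, and the near-constant `syn_cnt` is rejected by the K-S test because no monotone transform can spread its point mass at zero.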
Further, in step 2, a bidirectional generative adversarial network with an exponential moving average is built on the basis of the generative adversarial network, the specific process comprising:
Step 2-1, constructing a bidirectional generative adversarial network model as follows: wherein G represents the generator network, E represents the encoder network, D represents the discriminator network, G(x) represents the generator network forward computation, E(x) represents the encoder network forward computation, D(x) represents the discriminator network forward computation, x represents the original input data of the neural network, p(x) represents the probability distribution of the original input data, z represents the generator input data, namely hidden space data, p_E(·|x) represents the probability distribution of the encoder output given the original input data and the encoder network parameters, p(z) represents the probability distribution of the hidden space data, and p_G(·|z) represents the probability distribution of the generator output given the generator input data and the generator network parameters; The loss function D_loss when iteratively optimizing the D networ