CN-116707999-B - Attack detection method and device for interaction node of private power network and public power network
Abstract
The invention provides an attack detection method and device for an interaction node of a private power network and a public power network. Flow data acquired from each node is preprocessed to obtain target flow data containing characteristic information, and all the target flow data is classified into a plurality of class data sets. The target flow data in each class data set is sampled and optimized to obtain an optimized class data set, and a mutual information feature selection algorithm is applied to each piece of characteristic information in the optimized class data set to obtain a feature selection result. The optimized class data set is updated according to the feature selection result, which reduces the redundancy of the data and yields a more refined flow data set to be detected. This shortens the time the attack detection classification model needs to detect the flow data set to be detected and improves the classification accuracy of the model.
Inventors
- YANG KE
- ZHAO LIHUA
- ZHOU LEI
- ZHANG WANGJUN
- ZHU ZHENG
- WU YI
Assignees
- 国网数字科技控股有限公司
- 国网区块链科技(北京)有限公司
- 国网上海市电力公司
- 国家电网有限公司
Dates
- Publication Date: 20260505
- Application Date: 20230713
Claims (8)
- 1. An attack detection method for an interaction node between a private power network and a public power network, comprising the following steps: for each piece of flow data acquired from a node, acquiring characteristic information representing attributes of the flow data from a plurality of fields of the flow data, and generating target flow data containing the characteristic information, wherein the node is an interaction node between a power private network and a public network; classifying all the target flow data by using a clustering algorithm to obtain a plurality of category data sets, wherein each category data set comprises a plurality of pieces of target flow data; sampling and optimizing the target flow data in each category data set by using a sampling method to obtain an optimized category data set, wherein the sampling method is obtained in advance by training on sample flow data; for each piece of characteristic information in the optimized category data set, substituting the characteristic information and the attack category into a conditional entropy formula to obtain the conditional entropy value of the attack category given the characteristic information, wherein the attack category comprises a public network attack category and a power private network attack category; calculating a probability distribution function value corresponding to the attack category according to a probability distribution function, substituting the probability distribution function value into an information entropy formula, and calculating the information entropy value corresponding to the attack category; calculating, by using a mutual information feature selection algorithm, the difference between the information entropy value and the conditional entropy value to obtain the correlation degree between the current feature information and the attack category; multiplying the correlation degree between the current feature information and the selected feature information by the inverse of the number of attack categories to obtain the redundancy degree between the current feature information and the selected feature information, and determining a feature selection result for the feature information according to the difference between the correlation degree and the redundancy degree; updating the optimized category data set according to the feature selection result to obtain a flow data set to be detected; inputting the flow data set to be detected into a pre-trained attack detection classification model to obtain a detection result, wherein the attack detection classification model is obtained in advance by training on sample flow data; and if the detection result indicates that the current flow data to be detected is attack data, processing the current flow data to be detected according to a preset countermeasure.
- 2. The method of claim 1, wherein classifying all the target flow data by using a clustering algorithm to obtain a plurality of category data sets comprises: classifying all the target flow data by using a clustering algorithm to obtain a plurality of initial category data sets, wherein each initial category data set contains a plurality of pieces of target flow data; counting the number of pieces of target flow data contained in each initial category data set; and selecting a preset number of the initial category data sets in descending order of that count, and marking the selected initial category data sets as category data sets.
- 3. The method of claim 1, wherein sampling and optimizing the target flow data in each category data set by using a sampling method to obtain an optimized category data set comprises: generating a plurality of sampling proportion groups by using the sampling method, wherein each sampling proportion group comprises a sampling proportion parameter corresponding to each category data set; performing an iterative operation and calculating a fitness value of each sampling proportion group; adjusting the sampling proportion parameters in the sampling proportion groups according to the fitness values until the current iteration number reaches a preset maximum iteration number, and determining the optimal sampling proportion parameters; and sampling and optimizing the target flow data in the corresponding category data set according to the optimal sampling proportion parameters to obtain the optimized category data set.
- 4. The method of claim 1, wherein training the attack detection classification model based on the sample flow data comprises: for each piece of flow data acquired from a node, acquiring characteristic information representing attributes of the flow data from a plurality of fields of the flow data, and generating target flow data containing the characteristic information, wherein the node is an interaction node between a power private network and a public network; classifying all the target flow data by using a clustering algorithm to obtain a plurality of category data sets, wherein each category data set comprises a plurality of pieces of target flow data; sampling and optimizing the target flow data in each category data set by using a genetic algorithm to obtain an optimized category data set; for each piece of feature information in the optimized category data set, calculating the correlation degree between the current feature information and the attack category by using a mutual information feature selection algorithm, and calculating the redundancy degree between the current feature information and the selected feature information, wherein the attack category comprises a public network attack category and a power private network attack category; determining a mutual information feature selection value for the feature information according to the difference between the correlation degree and the redundancy degree; updating the optimized category data set according to the mutual information feature selection value to obtain a sample data set; inputting the sample data set into the attack detection classification model to obtain a sample detection result; judging whether the sample detection result is the expected detection result; if the sample detection result is the expected detection result, determining the attack detection classification model to be the trained attack detection classification model; and if the sample detection result is not the expected detection result, adjusting parameters of the attack detection classification model and returning to the step of inputting the sample data set into the attack detection classification model to obtain the sample detection result.
- 5. An attack detection device for an interaction node between a private power network and a public power network, the device comprising: a first generation unit, configured to acquire, for each piece of flow data acquired from a node, characteristic information representing attributes of the flow data from a plurality of fields of the flow data, and to generate target flow data containing the characteristic information, wherein the node is an interaction node between a power private network and a public network; a first classification unit, configured to classify all the target flow data by using a clustering algorithm to obtain a plurality of category data sets, wherein each category data set comprises a plurality of pieces of target flow data; a first optimizing unit, configured to sample and optimize the target flow data in each category data set by using a sampling method to obtain an optimized category data set, wherein the sampling method is obtained in advance by training on sample flow data; a feature selection unit comprising a substitution module, a calculation module, a difference calculation module, a product calculation module and a second determination module, wherein: the substitution module is configured to substitute, for each piece of characteristic information in the optimized category data set, the characteristic information and the attack category into a conditional entropy formula to obtain the conditional entropy value of the attack category given the characteristic information, wherein the attack category comprises a public network attack category and a power private network attack category; the calculation module is configured to calculate a probability distribution function value corresponding to the attack category according to a probability distribution function, substitute the probability distribution function value into an information entropy formula, and calculate the information entropy value corresponding to the attack category; the difference calculation module is configured to calculate, by using a mutual information feature selection algorithm, the difference between the information entropy value and the conditional entropy value to obtain the correlation degree between the current feature information and the attack category; the product calculation module is configured to obtain the redundancy degree between the current characteristic information and the selected characteristic information by multiplying the correlation degree between the current characteristic information and the selected characteristic information by the inverse of the number of attack categories; and the second determination module is configured to determine a feature selection result for the feature information according to the difference between the correlation degree and the redundancy degree; a first updating unit, configured to update the optimized category data set according to the feature selection result to obtain a flow data set to be detected; a detection unit, configured to input the flow data set to be detected into a pre-trained attack detection classification model to obtain a detection result, wherein the attack detection classification model is obtained in advance by training on sample flow data; and a processing unit, configured to process the current flow data to be detected according to a preset countermeasure if the detection result indicates that the current flow data to be detected is attack data.
- 6. The device of claim 5, wherein the first classification unit comprises: a classification module, configured to classify all the target flow data by using a clustering algorithm to obtain a plurality of initial category data sets, wherein each initial category data set contains a plurality of pieces of target flow data; a statistics module, configured to count the number of pieces of target flow data contained in each initial category data set; and a selection module, configured to select a preset number of the initial category data sets in descending order of that count and to mark the selected initial category data sets as category data sets.
- 7. The device of claim 5, wherein the first optimizing unit comprises: a generation module, configured to generate a plurality of sampling proportion groups by using the sampling method, wherein each sampling proportion group comprises a sampling proportion parameter corresponding to each category data set; a calculation module, configured to perform an iterative operation and calculate the fitness value of each sampling proportion group; a first determination module, configured to adjust the sampling proportion parameters in the sampling proportion groups according to the fitness values until the current iteration number reaches a preset maximum iteration number, and to determine the optimal sampling proportion parameters; and an optimization module, configured to sample and optimize the target flow data in the corresponding category data set according to the optimal sampling proportion parameters to obtain the optimized category data set.
- 8. The device of claim 5, further comprising: a second generation unit, configured to acquire, for each piece of flow data acquired from the node, characteristic information representing attributes of the flow data from a plurality of fields of the flow data, and to generate target flow data containing the characteristic information, wherein the node is an interaction node between the power private network and the public network; a second classification unit, configured to classify all the target flow data by using a clustering algorithm to obtain a plurality of category data sets, wherein each category data set comprises a plurality of pieces of target flow data; a second optimizing unit, configured to sample and optimize the target flow data in each category data set by using a genetic algorithm to obtain an optimized category data set; a second computing unit, configured to calculate, for each piece of characteristic information in the optimized category data set, the correlation degree between the current characteristic information and the attack category by using a mutual information feature selection algorithm, and to calculate the redundancy degree between the current characteristic information and the selected characteristic information, wherein the attack category comprises a public network attack category and a power private network attack category; a second determination unit, configured to determine a mutual information feature selection value for the feature information according to the difference between the correlation degree and the redundancy degree; a second updating unit, configured to update the optimized category data set according to the mutual information feature selection value to obtain a sample data set; an input unit, configured to input the sample data set into the attack detection classification model to obtain a sample detection result; a judging unit, configured to judge whether the sample detection result is the expected detection result; a third determination unit, configured to determine the attack detection classification model to be the trained attack detection classification model if the sample detection result is the expected detection result; and an adjusting unit, configured to adjust the parameters of the attack detection classification model if the sample detection result is not the expected detection result, and to return execution to the input unit.
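The mutual information feature selection step that claims 1 and 4 (and the Disclosure below) describe, as an added Python example that is not part of the patent: relevance is H(Y) - H(Y|X), redundancy against already selected features is scaled by the inverse of the number of categories, and the feature with the largest relevance minus redundancy is kept each round. The flow records, field names and labels are constructed for illustration, and reading the claim's "number of attack categories" as the number of distinct label values is an assumption.

```python
from collections import Counter
from math import log2

# Constructed sample of "target flow data" (not real traffic): discretised characteristic
# information from traffic fields plus the attack category label; pkt_rate_copy duplicates pkt_rate on purpose.
FIELDS = ("proto", "port_class", "pkt_rate", "pkt_rate_copy", "src_zone", "attack_category")
RAW = [
    ("tcp", "control", "low", "low", "public", "normal"),
    ("tcp", "web", "low", "low", "private", "normal"),
    ("udp", "other", "low", "low", "public", "normal"),
    ("tcp", "control", "low", "low", "private", "normal"),
    ("tcp", "web", "high", "high", "public", "public_net_attack"),
    ("udp", "web", "high", "high", "public", "public_net_attack"),
    ("tcp", "other", "high", "high", "public", "public_net_attack"),
    ("udp", "web", "high", "high", "public", "public_net_attack"),
    ("tcp", "control", "high", "high", "private", "power_private_net_attack"),
    ("udp", "control", "high", "high", "private", "power_private_net_attack"),
    ("tcp", "control", "high", "high", "private", "power_private_net_attack"),
    ("tcp", "other", "high", "high", "private", "power_private_net_attack"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]
FEATURES, LABEL = list(FIELDS[:-1]), FIELDS[-1]

def entropy(values):
    """Information entropy H(Y) in bits of a sequence of discrete values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def conditional_entropy(feature, labels):
    """Conditional entropy H(Y|X): label entropy left once the feature value is known."""
    n = len(labels)
    groups = {}
    for x, y in zip(feature, labels):
        groups.setdefault(x, []).append(y)
    return sum(len(ys) / n * entropy(ys) for ys in groups.values())

def mutual_information(a, b):
    """I(A;B) = H(B) - H(B|A): the claim's 'correlation degree' between two columns."""
    return entropy(b) - conditional_entropy(a, b)

def select_features(records, feature_names, label_key, n_select):
    """Greedy selection per claim 1: relevance = H(Y) - H(Y|X); redundancy =
    sum of I(X; s) over selected s times 1/(number of categories); keep the
    feature with the largest relevance - redundancy at each round."""
    labels = [r[label_key] for r in records]
    # Assumption: "number of attack categories" is read as the number of
    # distinct label values present in the records.
    n_categories = len(set(labels))
    columns = {f: [r[f] for r in records] for f in feature_names}
    selected, scores, remaining = [], {}, list(feature_names)
    while remaining and len(selected) < n_select:
        best_name, best_score = None, float("-inf")
        for f in remaining:
            relevance = mutual_information(columns[f], labels)
            redundancy = sum(mutual_information(columns[f], columns[s]) for s in selected) / n_categories
            if relevance - redundancy > best_score:  # strict: ties keep the earlier feature
                best_name, best_score = f, relevance - redundancy
        selected.append(best_name)
        scores[best_name] = best_score
        remaining.remove(best_name)
    return selected, scores

if __name__ == "__main__":
    chosen, chosen_scores = select_features(RECORDS, FEATURES, LABEL, 2)
    print(chosen, {k: round(v, 3) for k, v in chosen_scores.items()})
```

On this sample, pkt_rate is selected first and the duplicate pkt_rate_copy, despite equal relevance, loses the second round to src_zone because the redundancy term penalises it; without that term the classifier would receive the same information twice.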
Description
Attack detection method and device for interaction node of private power network and public power network
Technical Field
The invention relates to the technical field of network security, and in particular to an attack detection method and device for an interaction node of a private power network and a public power network.
Background
The electric power industry is closely tied to people's living standards. With the development of the times and technological progress, a large number of novel business forms have emerged in recent years, such as virtual power plants and load aggregators aimed at wind power generation, photovoltaic power generation, electric vehicles, smart homes, and industrial and commercial parks, and more and more distributed terminal resources access the power private network via the public network. However, in a network context where the public network and the private power network communicate frequently, a malicious network attack may seriously damage the private power network through the open path of the public network, which mainly manifests as abnormal data transmitted through an interaction node between the public network and the private power network. Therefore, to detect whether the service data at the interaction node is abnormal, the current common detection method divides the data set corresponding to the service data into a plurality of feature subsets and compares them against an attack detection threshold to determine whether the service data has been attacked. However, because the data set contains massive amounts of data, this detection method has a long detection time and low detection accuracy.
Disclosure of Invention
In view of the above, the embodiments of the invention provide an attack detection method and device for an interaction node between a private power network and a public power network, so as to solve the problems of long detection time and low detection accuracy.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions.
A first aspect of the embodiments of the invention discloses an attack detection method for an interaction node between a private power network and a public power network, comprising the following steps: for each piece of flow data acquired from a node, acquiring characteristic information representing attributes of the flow data from a plurality of fields of the flow data, and generating target flow data containing the characteristic information, wherein the node is an interaction node between a power private network and a public network; classifying all the target flow data by using a clustering algorithm to obtain a plurality of category data sets, wherein each category data set comprises a plurality of pieces of target flow data; sampling and optimizing the target flow data in each category data set by using a sampling method to obtain an optimized category data set, wherein the sampling method is obtained in advance by training on sample flow data; for each piece of characteristic information in the optimized category data set, performing feature selection by using a mutual information feature selection algorithm to obtain a feature selection result; updating the optimized category data set according to the feature selection result to obtain a flow data set to be detected; inputting the flow data set to be detected into a pre-trained attack detection classification model to obtain a detection result, wherein the attack detection classification model is obtained in advance by training on sample flow data; and if the detection result indicates that the current flow data to be detected is attack data, processing the current flow data to be detected according to a preset countermeasure.
Preferably, classifying all the target flow data by using a clustering algorithm to obtain a plurality of category data sets includes: classifying all the target flow data by using a clustering algorithm to obtain a plurality of initial category data sets, wherein each initial category data set contains a plurality of pieces of target flow data; counting the number of pieces of target flow data contained in each initial category data set; and selecting a preset number of the initial category data sets in descending order of that count, and marking the selected initial category data sets as category data sets.
Preferably, sampling and optimizing the target flow data in each category data set by using the sampling method to obtain an optimized category data set comprises the following steps: generating a plurality of sampling proportion groups by using the sampling method, wherein each sampling proportion group comprises a sampling proportion parameter corresponding to each category data set; performing an iterative operation, and calculating a fitness value of