CN-122001615-A - Power grid terminal zero trust access control method based on double-domain graph learning
Abstract
A power grid terminal zero trust access control method and system based on double-domain graph learning comprises the steps of collecting multi-dimensional data of a power grid and preprocessing it, constructing a variational autoencoder model and fusing the preprocessed data features to obtain fused feature vectors, constructing a double-domain neural network model, constructing a topological domain graph according to the communication relations among devices, constructing a feature domain graph through dynamic weights generated by aggregating real-time monitoring indices, inputting the fused feature vectors into the double-domain neural network model, generating fused embedding vectors through double-domain message cross transfer and aggregation, dividing the fused embedding vectors of the terminals into trust levels, determining their risk levels by combining with preset thresholds, and automatically executing the corresponding authority allocation strategy according to the risk level to realize dynamic access control. The method comprehensively describes the security state of the terminal, effectively identifies cooperative attacks, and is suitable for intelligent security protection of distributed terminals in a complex power grid environment.
Inventors
- Chen cen
- Ming Xinlei
- LI JUNCHEN
- ZHANG YING
- SONG YUBO
- KONG XIANGCHEN
- ZHAO DI
- GUO LIN
- LAN JINGHONG
- Lv zhuo
- CAI JUNFEI
- ZHANG ZHENG
- LI NUANNUAN
- WANG YI
- YANG WEN
- LI MINGYAN
Assignees
- 国网河南省电力公司电力科学研究院
- 东南大学
- 国网河南省电力公司商丘供电公司
- 国网河南省电力公司周口供电公司
- 国网河南省电力公司焦作供电公司
Dates
- Publication Date
- 20260508
- Application Date
- 20251223
Claims (13)
- 1. A power grid terminal zero trust access control method based on double-domain graph learning, characterized by comprising the following steps: step 1, collecting and preprocessing multi-dimensional data of a power grid, wherein the collected multi-dimensional data comprises network flow data, running environment data and hardware kernel event data of a distributed terminal of the power grid; step 2, constructing a variational autoencoder model and fusing the preprocessed data features to obtain fusion feature vectors; step 3, constructing a double-domain neural network model, constructing a topological domain graph according to the communication relations among devices, constructing a feature domain graph through dynamic weights generated by aggregating real-time monitoring indices, inputting the fusion feature vector into the double-domain neural network model, and generating a fusion embedding vector through cross transfer and aggregation of double-domain messages; and step 4, dividing the fusion embedding vector of the terminal into trust levels, determining the risk level of the terminal by combining with a preset threshold value, and automatically executing the corresponding authority allocation strategy according to the risk level to realize dynamic access control.
- 2. The power grid terminal zero-trust access control method based on double-domain graph learning according to claim 1, wherein the network flow data comprises a source IP address, a destination IP address, a port number, a protocol type, a data packet size, a transmission rate and a session duration; the running environment data are collected from the system resource usage of the power grid distributed terminal, and comprise the occupancy rate of the central processing unit, the occupancy rate of the memory, the read/write speed of the hard disk and the reading of a temperature sensor; the hardware kernel event data are collected from a key event log at the bottom layer of the terminal operating system, and the key event log comprises system call frequency, cache hit rate, interrupt count and abnormal error codes; and the preprocessing of the multidimensional data comprises data cleaning and numerical conversion of the collected original data, converting all non-numerical data into numerical data to obtain a high-dimensional feature matrix.
- 3. The power grid terminal zero-trust access control method based on double-domain graph learning as claimed in claim 2, wherein the data cleaning and numerical conversion specifically comprise: judging the data type of each collected original data item, the data type being numerical, categorical or textual; if the data type is numerical, normalizing the data to the range 0 to 1; if the data type is categorical, mapping each class to a consecutive integer by label encoding; if the data type is textual, mapping each unique text value to a unique binary vector by one-hot encoding; and the converted data form a high-dimensional feature matrix composed of numerical values, which is used as the input of subsequent processing.
- 4. The power grid terminal zero-trust access control method based on double-domain graph learning according to claim 1, wherein step 2 specifically comprises: step 2.1, constructing a variational autoencoder model in which the encoder and the decoder both adopt a symmetric architecture of fully connected layers, the hidden-layer dimension decreasing layer by layer on the encoder side and increasing layer by layer on the decoder side; step 2.2, extracting the preprocessed data features to obtain numerical features describing the behaviour pattern of the terminal, arranging them into multi-source behaviour feature vectors, and organizing these vectors by terminal and time window to obtain sample vectors serving as encoder input; step 2.3, compressing the multi-source behaviour feature vector into a latent vector through the encoder, and reconstructing the original input features from the latent vector through the decoder to obtain a feature subset; and step 2.4, selecting from the feature subset the behaviour features whose importance score exceeds the preset threshold to obtain a behaviour feature vector, inputting this vector into the encoder as in step 2.2, and taking the latent vector output by the encoder as the fusion feature vector of the terminal.
- 5. The power grid terminal zero-trust access control method based on double-domain graph learning according to claim 1, wherein step 3 specifically comprises: step 3.1, constructing the feature domain graph: calculating the similarity between any two terminals from their fused trust-perception vectors and, when the similarity exceeds a preset threshold, establishing an undirected edge between the two terminal nodes; step 3.2, constructing the topological domain graph from the actual network connections between the terminals, where nodes represent terminals and edges represent direct communication links between them; step 3.3, constructing the double-domain graph neural network model, which comprises a feature domain graph convolutional network taking the feature domain graph as input and a topological domain graph convolutional network taking the topological domain graph as input; step 3.4, performing double-domain message cross transfer and aggregation on the input feature domain graph and topological domain graph to obtain the node embeddings of the feature domain and the topological domain respectively; and step 3.5, performing weighted fusion of the feature-domain and topological-domain node embeddings based on a dynamic inter-domain attention mechanism and a structural prior to obtain the fusion embedding vector.
- 6. The power grid terminal zero-trust access control method based on double-domain graph learning according to claim 5, wherein calculating the similarity between any two terminal vectors specifically comprises: the terminals are used as nodes, and the similarity between nodes i and j is calculated by the following formula: wherein  is a similarity function, aij represents the original connection between nodes i and j, and the comprehensive threat index T(t), generated by aggregating a plurality of real-time monitoring indices, is normalized to the interval [0,1] to obtain a weight parameter that varies with time; the comprehensive threat index T(t) is calculated as follows: wherein , ,  are respectively the adjustable weight coefficients of the security indices, the security indices being the alarm count, the average network trust and the attack activity;  is the number of alarms in the time window [t-Δt, t];  is the absolute change of the average network trust between times t and t-1;  is the attack activity in the time window [t-Δt, t]; and , ,  are respectively the normalization constants of the corresponding indices.
- 7. The method according to claim 5, wherein constructing and training the double-domain graph neural network of step 3, in which the model performs double-domain message cross transfer and aggregation on the input feature domain graph and topological domain graph to obtain the node embeddings of the feature domain and the topological domain respectively, specifically comprises: receiving the current node embedding of the feature domain graph S and obtaining the node embedding of the topological domain through a graph attention network using the adjacency relation of the topological domain graph A; and receiving the current node embedding of the topological domain graph A and computing the node embedding of the feature domain through the graph attention network using the adjacency relation of the feature domain graph S.
- 8. The power grid terminal zero-trust access control method based on double-domain graph learning according to claim 5, wherein obtaining the fusion embedding vector by fusing the outputs of the double-domain graph neural network model specifically comprises: for the node embedding output by the topological domain graph convolutional network , computing the raw importance scores of the topological domain and the feature domain respectively through a learnable attention network,  and : wherein  is the weight matrix,  is the offset vector,  and  are the attention vectors, and  is a nonlinear activation function.
- 9. Introducing the structural prior of the graph, comprising: calculating the structural importance score of node i from its degree centrality in the topological domain graph ; mapping the structural importance score  to a space of the same dimension as the attention score and fusing it with the obtained raw importance scores to obtain the fused importance scores  and : wherein  is a learnable parameter adjusting the influence of the structural prior on the topological domain and the feature domain; then normalizing the fused importance scores to obtain the attention weights of node i on the topological domain and the feature domain,  and : wherein ; and weighting and summing the node embeddings of the topological domain and the feature domain according to the attention weights of node i on the two domains to obtain the final fusion embedding vector of node i, : .
- 10. The power grid terminal zero-trust access control method based on double-domain graph learning according to claim 8, wherein the trust grading of the fusion embedding vector of the terminal specifically comprises: inputting the final fusion embedding vector  into a classifier, and obtaining through a linear transformation and a softmax operation the probability distribution vector of node i over four trust levels, : wherein  and  are the weight and bias of the classification head,  represents the probabilities that the terminal belongs to the four levels of high trust, medium and low trust, and the level with the highest probability is selected as the trust level of node i.
- 11. A power grid terminal zero-trust access control system based on double-domain graph learning, for implementing the power grid terminal zero-trust access control method based on double-domain graph learning as set forth in any one of claims 1 to 9, comprising: a data acquisition module for acquiring multidimensional data of the power grid, wherein the acquired multidimensional data comprises network flow data, running environment data and hardware kernel event data of a distributed terminal of the power grid; a preprocessing module for preprocessing the collected multi-dimensional data of the power grid; a fusion feature vector generation module for constructing a variational autoencoder model to fuse the preprocessed data features into fusion feature vectors; a fusion embedding vector generation module for constructing a double-domain neural network model, constructing a topological domain graph according to the communication relations among devices, constructing a feature domain graph through dynamic weights generated by aggregating real-time monitoring indices, inputting the fusion feature vector into the double-domain neural network model, and generating the fusion embedding vector through cross transfer and aggregation of double-domain messages; and an access control module for dividing the fusion embedding vector of the terminal into trust levels, determining its risk level by combining with a preset threshold value, and automatically executing the corresponding permission allocation strategy according to the risk level to realize dynamic access control.
- 12. A terminal comprising a processor and a storage medium, characterized in that the storage medium is used for storing instructions, and the processor is operative according to the instructions to perform the steps of the method according to any one of claims 1 to 9.
- 13. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 9.
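As an added example (not code from the patent), the data cleaning and numerical conversion of claims 2 and 3 applied to a small constructed set of terminal records: numeric columns are min-max normalized to 0..1, categorical columns are label-encoded to consecutive integers, and text columns are one-hot encoded. The type-inference heuristic (numeric if every value parses as a float, categorical if there are at most MAX_CATEGORIES distinct values, otherwise text), the column names and the sample values are all assumptions of this example.

```python
# Added example (not the patent's code): data cleaning and numerical conversion
# of raw terminal records into a purely numerical feature matrix. The column
# type heuristic below is our own assumption, not taken from the page.

MAX_CATEGORIES = 3

# Constructed sample records for six terminals (not real grid data). Each record
# mixes the data kinds named in the claims: CPU occupancy rate and packet size
# (numeric), protocol type (categorical) and an abnormal error code (text).
RAW_RECORDS = [
    {"cpu_pct": "20", "pkt_bytes": "512", "proto": "tcp", "err_code": "E_NONE"},
    {"cpu_pct": "40", "pkt_bytes": "1024", "proto": "udp", "err_code": "E_IO"},
    {"cpu_pct": "60", "pkt_bytes": "256", "proto": "tcp", "err_code": "E_TIMEOUT"},
    {"cpu_pct": "80", "pkt_bytes": "1500", "proto": "udp", "err_code": "E_NONE"},
    {"cpu_pct": "100", "pkt_bytes": "64", "proto": "tcp", "err_code": "E_AUTH"},
    {"cpu_pct": "0", "pkt_bytes": "768", "proto": "icmp", "err_code": "E_MEM"},
]


def classify_column(values):
    """Judge the data type of one column: 'numeric', 'categorical' or 'text'."""
    try:
        for v in values:
            float(v)
        return "numeric"
    except ValueError:
        pass
    return "categorical" if len(set(values)) <= MAX_CATEGORIES else "text"


def encode_numeric(values):
    """Min-max normalise to the range 0..1 (a constant column maps to 0.0)."""
    xs = [float(v) for v in values]
    lo, hi = min(xs), max(xs)
    span = hi - lo
    return [[(x - lo) / span if span else 0.0] for x in xs]


def encode_categorical(values):
    """Label encoding: each class becomes a consecutive integer (sorted for determinism)."""
    codes = {cls: idx for idx, cls in enumerate(sorted(set(values)))}
    return [[float(codes[v])] for v in values]


def encode_text(values):
    """One-hot encoding: each unique text value becomes a unique binary vector."""
    vocab = sorted(set(values))
    return [[1.0 if v == tok else 0.0 for tok in vocab] for v in values]


ENCODERS = {"numeric": encode_numeric, "categorical": encode_categorical, "text": encode_text}


def build_feature_matrix(records):
    """Clean and convert the records column by column; returns (matrix, inferred schema)."""
    columns = list(records[0].keys())
    matrix = [[] for _ in records]
    schema = {}
    for col in columns:
        values = [str(rec[col]).strip() for rec in records]  # cleaning: stringify and trim
        kind = classify_column(values)
        schema[col] = kind
        for row, encoded in zip(matrix, ENCODERS[kind](values)):
            row.extend(encoded)
    return matrix, schema
```

Every row of the returned matrix has the same width, so it can be fed directly to the encoder of step 2; the schema is kept so that a new record at inference time is encoded with the same column types.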
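As an added example for claims 5 and 6 (not the patent's code), the comprehensive threat index T(t) built from the three security indices the claim names, and the feature-domain graph built from pairwise terminal similarity thresholded into undirected edges. The formulas themselves are not present on the page, so this example assumes a weighted, normalized sum clamped to [0,1] for T(t), cosine similarity as the similarity function, and a convex blend of feature similarity and the original connection a_ij weighted by the threat index; the weight coefficients, normalization constants and sample vectors are constructed.

```python
import math

# Added example (not the patent's code). Constructed adjustable weight
# coefficients and normalisation constants for the three security indices of
# claim 6: alarm count, change in average network trust, attack activity.
WEIGHTS = (0.5, 0.2, 0.3)
NORMS = (20.0, 1.0, 10.0)


def threat_index(alarm_count, trust_change, attack_activity):
    """Comprehensive threat index T(t) for one time window, mapped into [0, 1].

    The exact formula is not on the page; this assumes a weighted sum of the
    three indices, each divided by its normalisation constant, clamped to
    [0, 1]. trust_change is the signed change of the average trust between
    t-1 and t; only its absolute value enters the index.
    """
    indices = (alarm_count, abs(trust_change), attack_activity)
    raw = sum(w * x / n for w, x, n in zip(WEIGHTS, indices, NORMS))
    return min(1.0, max(0.0, raw))


def cosine(u, v):
    """Cosine similarity, assumed here as the similarity function of the claim."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def similarity(h_i, h_j, a_ij, lam):
    """Time-weighted similarity between two terminals (assumed form).

    lam is the normalised threat index acting as the time-varying weight; a_ij
    is the original connection between nodes i and j (1 if linked, else 0). As
    lam rises the score leans on the physical link rather than on feature
    similarity.
    """
    return (1.0 - lam) * cosine(h_i, h_j) + lam * a_ij


def feature_domain_graph(vectors, adjacency, lam, threshold):
    """Build the feature domain graph: one undirected edge per pair above threshold."""
    n = len(vectors)
    edges = set()
    for i in range(n):
        for j in range(i + 1, n):
            if similarity(vectors[i], vectors[j], adjacency[i][j], lam) > threshold:
                edges.add((i, j))
    return edges


# Constructed fused vectors for three terminals and their physical adjacency
# (terminal 1 and terminal 2 share a link; terminal 0 is similar to 1 in feature space).
FUSED = [[1.0, 0.0], [0.9, 0.1], [0.0, 1.0]]
ADJ = [[0, 0, 0], [0, 0, 1], [0, 1, 0]]
```

With a quiet window (T(t) = 0) the graph links the two feature-similar terminals; with the index saturated at 1 the same call returns only the physical link, which is the behaviour a defender wants when real-time alarms indicate that feature similarity may be manipulated.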
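As an added example for claims 8 to 10 and step 4 (not the patent's code), the inter-domain attention fusion with a degree-centrality structural prior, the softmax trust classification over four levels, and the permission allocation that follows for one terminal. The attention parameters and classification head are constructed constants standing in for learned values; the additive way the structural prior enters the scores, the four level names and the permission sets are assumptions, since the page does not state them.

```python
import math

# Added example (not the patent's code): inter-domain attention fusion with a
# structural prior, trust-level classification and permission allocation for a
# single terminal. All parameters are constructed stand-ins for learned values.

D = 3                                                  # embedding dimension of both domains
W_ATT = [[0.5, -0.2, 0.1], [0.3, 0.4, -0.5]]           # attention weight matrix (2 x D)
B_ATT = [0.0, 0.1]                                     # offset vector
Q_TOPO = [1.0, 0.5]                                    # attention vector, topological domain
Q_FEAT = [0.5, 1.0]                                    # attention vector, feature domain
GAMMA_TOPO, GAMMA_FEAT = 1.5, -0.5                     # structural-prior influence per domain (assumed additive)
W_CLS = [[2.0, 0.0, 0.0], [0.0, 2.0, 0.0], [0.0, 0.0, 2.0], [-2.0, -2.0, -2.0]]  # classification head
B_CLS = [0.0, 0.0, 0.0, 0.0]
LEVELS = ("high", "medium-high", "medium-low", "low")  # four trust levels; names assumed
POLICY = {                                             # permission sets per level; assumed
    "high": {"read", "write", "control"},
    "medium-high": {"read", "write"},
    "medium-low": {"read"},
    "low": set(),                                      # isolated until re-evaluated
}


def matvec(W, x, b):
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


def softmax(xs):
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


def raw_score(z, q):
    """Raw importance score of one domain: q . tanh(W z + b)."""
    hidden = [math.tanh(v) for v in matvec(W_ATT, z, B_ATT)]
    return sum(qi * hi for qi, hi in zip(q, hidden))


def attention_weights(z_topo, z_feat, degree, n_nodes):
    """Fuse raw scores with the degree-centrality prior, then normalise with softmax."""
    centrality = degree / max(n_nodes - 1, 1)         # degree centrality of node i
    e_topo = raw_score(z_topo, Q_TOPO) + GAMMA_TOPO * centrality
    e_feat = raw_score(z_feat, Q_FEAT) + GAMMA_FEAT * centrality
    return softmax([e_topo, e_feat])


def fuse(z_topo, z_feat, degree, n_nodes):
    """Final fusion embedding: attention-weighted sum of the two domain embeddings."""
    a_topo, a_feat = attention_weights(z_topo, z_feat, degree, n_nodes)
    return [a_topo * t + a_feat * f for t, f in zip(z_topo, z_feat)]


def trust_probabilities(z_fused):
    """Linear transformation plus softmax over the four trust levels."""
    return softmax(matvec(W_CLS, z_fused, B_CLS))


def trust_level(z_fused):
    probs = trust_probabilities(z_fused)
    return LEVELS[probs.index(max(probs))]           # level with the highest probability


def evaluate_terminal(z_topo, z_feat, degree, n_nodes):
    """Step 4 for one terminal: fused embedding -> trust level -> permission set."""
    level = trust_level(fuse(z_topo, z_feat, degree, n_nodes))
    return level, POLICY[level]
```

With GAMMA_TOPO above GAMMA_FEAT, a well-connected terminal has its fused embedding drawn more from the topological domain, which is the intended effect of the structural prior: the more neighbours a node has, the more its trust assessment depends on how it sits in the communication graph rather than on its own reported features alone.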
Description
Power grid terminal zero trust access control method based on double-domain graph learning
Technical Field
The invention belongs to the technical field of power network security, and particularly relates to a power grid terminal zero-trust access control method based on double-domain graph learning.
Background
With the development of the novel power system, massive numbers of distributed terminal devices are connected to the power grid, forming a complex Internet of Things environment. These devices not only take on the tasks of energy production and consumption; their own security state directly affects the stable operation of the whole grid. The traditional perimeter-defence security model assumes that the internal network is trusted, but this assumption no longer holds in a highly interconnected distributed environment: once a terminal is compromised, it may become a springboard from which an attacker penetrates the grid. The zero trust security concept was therefore developed; its core is "never trust, always verify", so that all devices are subject to continuous identity authentication and permission evaluation. However, existing trust evaluation methods for distributed terminals have obvious defects. On the one hand, many methods depend only on network flow data and cannot comprehensively reflect the real running state of the equipment, which impairs the evaluation; on the other hand, existing models mostly treat each terminal as an isolated individual, ignoring the complex association relationships between terminals, so that group threats such as cooperative attacks are difficult to discover. Therefore, how to construct an intelligent trust evaluation system capable of comprehensive sensing, deep correlation and scientific decision-making has become a key challenge for guaranteeing the security of the power grid.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a power grid terminal zero-trust access control method based on double-domain graph learning, which addresses the single evaluation dimension and the lack of global association modelling of existing methods. The invention adopts the following technical scheme.
A power grid terminal zero trust access control method based on double-domain graph learning comprises the following steps: step 1, collecting and preprocessing multi-dimensional data of a power grid, wherein the collected multi-dimensional data comprises network flow data, running environment data and hardware kernel event data of a distributed terminal of the power grid; step 2, constructing a variational autoencoder model and fusing the preprocessed data features to obtain fusion feature vectors; step 3, constructing a double-domain neural network model, constructing a topological domain graph according to the communication relations among devices, constructing a feature domain graph through dynamic weights generated by aggregating real-time monitoring indices, inputting the fusion feature vector into the double-domain neural network model, and generating a fusion embedding vector through cross transfer and aggregation of double-domain messages; and step 4, dividing the fusion embedding vector of the terminal into trust levels, determining the risk level of the terminal by combining with a preset threshold value, and automatically executing the corresponding authority allocation strategy according to the risk level to realize dynamic access control.
Preferably, the network traffic data includes a source IP address, a destination IP address, a port number, a protocol type, a packet size, a transmission rate and a session duration; the running environment data are collected from the system resource usage of the power grid distributed terminal, and comprise the occupancy rate of the central processing unit, the occupancy rate of the memory, the read/write speed of the hard disk and the reading of a temperature sensor; the hardware kernel event data are collected from a key event log at the bottom layer of the terminal operating system, and the key event log comprises system call frequency, cache hit rate, interrupt count and abnormal error codes; and the preprocessing of the multidimensional data comprises data cleaning and numerical conversion of the collected original data, converting all non-numerical data into numerical data to obtain a high-dimensional feature matrix. Preferably, the data cleaning and numerical conversion specifically include: judging the data type of each collected original data item, wherein the data type comprises a numerical type, a categorical type and a text type; if the data type is numerical, normalizing the data to the range 0 to 1; if the data type is categorical, adopting tag codin