
CN-122001682-A - Centralized control station network security situation awareness method and system


Abstract

The application provides a centralized control station network security situation awareness method and system, and belongs to the technical field of network security communication. The method comprises: obtaining a multi-source operation data set for each sensing node in the sensing node set of a centralized control station; extracting a multidimensional feature vector for each sensing node; performing feature offset analysis to obtain multidimensional offset feature vectors; calculating a newly added degree index for each sensing node; grading the sensing node set by analyzing the newly added degree index to obtain a multi-level sensing layer; constructing a corresponding multi-level attack behavior detection model; and calling the multi-level attack behavior detection model to execute attack behavior risk detection on the sensing nodes of each level of the sensing layer. By modeling adaptively and hierarchically according to the newly added degree of the sensing nodes, a targeted attack behavior detection strategy is applied to sensing nodes with different newly added degrees, which improves the accuracy and timeliness of network security situation awareness for the centralized control station when nodes are dynamically expanding.

Inventors

  • GAO HONGXIA
  • Li Lideng
  • HE XIN
  • QIN KEYUAN
  • HOU XIAOLIN
  • MA XIAOLONG
  • KOU FENG
  • WU WENJUN
  • LIU YANG
  • LIANG LEI
  • CUI LIJUN
  • LIANG JIANTAO
  • ZHANG CHENGLIANG

Assignees

  • 北京科东电力控制系统有限责任公司
  • 国网山西省电力有限公司技能培训中心
  • 国网山西省电力有限公司大同供电分公司

Dates

Publication Date
20260508
Application Date
20260408

Claims (10)

  1. A centralized control station network security situation awareness method, the method comprising: acquiring a multi-source operation data set corresponding to each sensing node in a sensing node set of a centralized control station, and extracting a multidimensional feature vector of each sensing node according to the multi-source operation data set, wherein the multidimensional feature vectors comprise structural features, behavioral features and security features; performing feature offset analysis on the multidimensional feature vector of each sensing node to obtain multidimensional offset feature vectors; calculating the newly added degree index of each sensing node according to the multidimensional offset feature vector; and grading the sensing node set by analyzing the newly added degree index to obtain a multi-level sensing layer, constructing a multi-level attack behavior detection model corresponding to the multi-level sensing layer, and calling the multi-level attack behavior detection model to execute attack behavior risk detection on the sensing nodes of each level of the sensing layer.
  2. The centralized control station network security situation awareness method of claim 1, wherein constructing the multi-level attack behavior detection model corresponding to the multi-level sensing layer comprises: the multi-level sensing layer comprising at least a stable node sensing layer, a transition node sensing layer and a newly added node sensing layer; defining an initialized attack behavior detection model, and performing differentiated model training on the initialized attack behavior detection model according to the stable node sensing layer, the transition node sensing layer and the newly added node sensing layer to obtain the corresponding multi-level attack behavior detection model.
  3. The centralized control station network security situation awareness method of claim 2, wherein the multi-level sensing layer is communicatively coupled to a node level state transition model, the method comprising: performing, by the node level state transition model, time-series analysis of the multidimensional offset feature vectors of each sensing node of the current multi-level sensing layer to obtain a level state transition instruction; and transferring the sensing nodes belonging to the multi-level sensing layer between levels according to the level state transition instruction, and updating the multi-level sensing layer in real time.
  4. The centralized control station network security situation awareness method of claim 1, wherein performing feature offset analysis on the multidimensional feature vector of each sensing node to obtain multidimensional offset feature vectors comprises: performing historical operation stability evaluation on the sensing node set to screen a reference node set, and extracting a multidimensional reference feature vector corresponding to the reference node set; and performing feature offset analysis on the multidimensional feature vector of each sensing node according to the multidimensional reference feature vector corresponding to the reference node set to obtain multidimensional offset feature vectors, wherein the multidimensional offset feature vectors comprise structural feature offset vectors, behavioral feature offset vectors and security feature offset vectors.
  5. The centralized control station network security situation awareness method of claim 4, wherein calculating the newly added degree index of each sensing node according to the multidimensional offset feature vector comprises: performing offset nonlinear enhancement processing on the multidimensional offset feature vector to obtain a processed multidimensional offset feature vector; configuring multidimensional offset weights by analyzing the historical attack distribution weights of all sensing nodes; and performing a weighted calculation on the processed multidimensional offset feature vector according to the multidimensional offset weights to obtain the newly added degree index of each sensing node.
  6. The centralized control station network security situation awareness method of claim 2, wherein performing differentiated model training on the initialized attack behavior detection model according to the stable node sensing layer, the transition node sensing layer and the newly added node sensing layer comprises: constructing a corresponding multi-level training data set according to the historical attack behavior events of the multi-level sensing layer, wherein the multi-level training data set comprises a stable node training data set formed by labeled attack samples and normal samples, a transition node training data set formed by labeled attack samples and normal samples, and a newly added node training data set formed by labeled attack samples and normal samples; performing attack behavior feature space alignment on the stable node training data set, the transition node training data set and the newly added node training data set to obtain a multi-level aligned training data set; and performing differentiated model training on the initialized attack behavior detection model according to the multi-level aligned training data set, respectively, to obtain the corresponding multi-level attack behavior detection model.
  7. The centralized control station network security situation awareness method of claim 6, wherein attack behavior feature space alignment is performed on the stable node training data set, the transition node training data set and the newly added node training data set, the attack behavior feature space comprising attack behavior occurrence frequency, attack type distribution and attack time fluctuation features.
  8. The centralized control station network security situation awareness method of claim 6, wherein performing differentiated model training on the initialized attack behavior detection model according to the multi-level aligned training data set, respectively, comprises: according to the stable node training data set, introducing a low-frequency steady-state constraint mechanism to train the initialized attack behavior detection model to obtain a stable node attack behavior detection model; according to the transition node training data set, introducing a distributed fluctuation self-adaptive mechanism to train the initialized attack behavior detection model to obtain a transition node attack behavior detection model; and according to the newly added node training data set, introducing a high-frequency sensitivity enhancement mechanism to train the initialized attack behavior detection model to obtain a newly added node attack behavior detection model.
  9. The centralized control station network security situation awareness method of claim 1, wherein grading the sensing node set by analyzing the newly added degree index to obtain a multi-level sensing layer comprises: assigning sensing nodes whose index is smaller than a first newly added degree index threshold to the stable node sensing layer, assigning sensing nodes whose index is greater than or equal to the first newly added degree index threshold and smaller than or equal to a second newly added degree index threshold to the transition node sensing layer, and assigning sensing nodes whose index is greater than the second newly added degree index threshold to the newly added node sensing layer.
  10. A centralized control station network security situation awareness system for implementing the centralized control station network security situation awareness method according to any one of claims 1 to 9, the system comprising: a multidimensional feature extraction module, used for acquiring the multi-source operation data set corresponding to each sensing node in the sensing node set of the centralized control station, and extracting the multidimensional feature vector of each sensing node according to the multi-source operation data set, wherein the multidimensional feature vectors comprise structural features, behavioral features and security features; a feature offset analysis module, used for performing feature offset analysis on the multidimensional feature vector of each sensing node to obtain multidimensional offset feature vectors; an index calculation module, used for calculating the newly added degree index of each sensing node according to the multidimensional offset feature vector; and a classification detection module, used for grading the sensing node set by analyzing the newly added degree index to obtain a multi-level sensing layer, constructing a multi-level attack behavior detection model corresponding to the multi-level sensing layer, and calling the multi-level attack behavior detection model to execute attack behavior risk detection on the sensing nodes of each level of the sensing layer.
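
The scoring and grading steps of claims 4, 5 and 9, as an added sketch that is not part of the patent text. The claims name the steps but not the functions, so the standard-deviation offset, the `tanh` enhancement, the weights, the thresholds `t1`/`t2`, the node names and the reduction of each feature dimension to one scalar are all assumptions.

```python
import math
from statistics import mean, pstdev

DIMS = ("structural", "behavioral", "security")

# Constructed sample data; each feature dimension is collapsed to one scalar (assumption).
REFERENCE = [{"structural": s, "behavioral": b, "security": c}
             for s, b, c in [(8, 90, 1), (12, 110, 3), (8, 90, 1), (12, 110, 3)]]
NODES = {
    "rtu-old": {"structural": 10, "behavioral": 105, "security": 2},
    "gw-mid": {"structural": 12, "behavioral": 110, "security": 3},
    "ied-new": {"structural": 20, "behavioral": 160, "security": 8},
}
WEIGHTS = {"structural": 0.3, "behavioral": 0.3, "security": 0.4}  # assumed, not from the patent

def reference_stats(reference_nodes):
    """Claim 4: per-dimension mean and spread of the stable reference node set."""
    stats = {}
    for d in DIMS:
        vals = [n[d] for n in reference_nodes]
        stats[d] = (mean(vals), pstdev(vals) or 1.0)  # avoid division by zero
    return stats

def offset_vector(node, stats):
    """Claim 4: offset from the reference vector, in reference standard deviations (assumed metric)."""
    return {d: abs(node[d] - stats[d][0]) / stats[d][1] for d in DIMS}

def added_degree_index(offset, weights, gain=0.5):
    """Claim 5: nonlinear enhancement (tanh, assumed) followed by a weighted sum, in [0, 1]."""
    total = sum(weights[d] for d in DIMS)
    return sum(weights[d] * math.tanh(gain * offset[d]) for d in DIMS) / total

def grade(index, t1=0.3, t2=0.6):
    """Claim 9: index < t1 stable; t1 <= index <= t2 transition; index > t2 newly added."""
    if index < t1:
        return "stable"
    return "transition" if index <= t2 else "newly_added"

def grade_nodes(nodes, reference_nodes, weights):
    """Return {node: (index, layer)} so each layer can be routed to its own detection model."""
    stats = reference_stats(reference_nodes)
    result = {}
    for name, feats in nodes.items():
        index = added_degree_index(offset_vector(feats, stats), weights)
        result[name] = (round(index, 3), grade(index))
    return result

if __name__ == "__main__":
    for name, (index, layer) in grade_nodes(NODES, REFERENCE, WEIGHTS).items():
        print(f"{name}: index={index} layer={layer}")
```

Both threshold comparisons are inclusive on the transition side, matching claim 9, so a node sitting exactly on either threshold is handled by the transition-layer model.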

Description

Centralized control station network security situation awareness method and system

Technical Field

The invention relates to the technical field of network security communication, and in particular to a centralized control station network security situation awareness method and system.

Background

The centralized control station serves as the core hub for regional power grid dispatching and monitoring, and its network architecture is increasingly complex. In actual operation, the centralized control station continuously gains new sensing nodes as new equipment is connected, new services go online and new communication connections are established, so dynamic expansion of the sensing nodes is a normal characteristic of centralized control station network operation. However, each newly added sensing node means one more potential attack entry point, and the network attack surface of the centralized control station keeps growing.

Currently, the mainstream approach to network security situation awareness for a centralized control station performs a unified security situation assessment of all sensing nodes based on a single pre-trained detection model. This approach detects well when the network topology of the centralized control station is relatively stable, but its limitations gradually show when it faces the practical scenario of continuous dynamic expansion of the sensing nodes.
On one hand, because newly added sensing nodes have a short access time, insufficient accumulated historical operation data and imperfect security management and control strategies, their behavior patterns and risk characteristics differ markedly from those of existing nodes that have run stably for a long time. On the other hand, a single detection model applies a unified detection standard and analyzes all nodes without distinction, so it can hardly account for the differences in security situation among nodes with different newly added degrees, which easily leads to missed detection of abnormal behavior on newly added nodes or to false alarms on normal behavior of existing nodes.

Therefore, in the prior art, the attack surface keeps growing because of the dynamic expansion of the sensing nodes of the centralized control station, while the traditional single detection model cannot perceive the differentiated security situation of sensing nodes with different newly added degrees.

Disclosure of Invention

To address the technical problem that, in the prior art, the attack surface keeps growing because of the dynamic expansion of the sensing nodes of a centralized control station while the traditional single detection model cannot perceive the differentiated security situation of sensing nodes with different newly added degrees, the invention provides a centralized control station network security situation awareness method and system.
The technical scheme for solving the technical problem is as follows:

The invention provides a centralized control station network security situation awareness method, which comprises: obtaining a multi-source operation data set corresponding to each sensing node in a centralized control station sensing node set, and extracting a multidimensional feature vector of each sensing node according to the multi-source operation data set, wherein the multidimensional feature vectors comprise structural features, behavioral features and security features; performing feature offset analysis on the multidimensional feature vector of each sensing node to obtain multidimensional offset feature vectors; calculating a newly added degree index of each sensing node according to the multidimensional offset feature vectors; grading the sensing node set by analyzing the newly added degree index to obtain a multi-level sensing layer; constructing a multi-level attack behavior detection model corresponding to the multi-level sensing layer; and calling the multi-level attack behavior detection model to execute attack behavior risk detection on the sensing nodes of each level of the sensing layer.

The invention provides a centralized control station network security situation awareness system which comprises a multidimensional feature extraction module, a feature offset analysis module, an index calculation module and a classification detection module, wherein the multidimensional feature extraction module is used for obtaining a multi-source operation data set corresponding to each sensing node in a centralized control station sensing node set, extracting multidimensional feature vectors of each sensing node according to the multi-source operation data set, the multidimensional feature vectors comprise structural features, behavior feature