CN-122001966-A - Intelligent analysis method for power terminal protocol
Abstract
The invention relates to the technical field of Internet of Things communication, in particular to an intelligent analysis method for a power terminal protocol. The method comprises: when a feature extraction model fails to extract semantic features from the communication traffic data to be analyzed, inputting the communication traffic data into a detection model to obtain a corresponding active detection message; and, when the resulting semantic features pass a check performed in a simulation operation mode, taking the semantic features as the analysis result of the communication traffic data, updating the historical communication data, and performing reinforcement training on the detection model. The method solves the technical problem in the related art that a non-standard power terminal protocol, whose frame structure differs from that of a standard terminal protocol, is difficult to analyze effectively at the semantic level.
Inventors
- MA ZHENHUA
- LU LEI
- LIU HONGLING
- ZHAO RUI
- TIAN FANG
- WEI JICHAO
- Pan Jingni
- YAN LONG
- ZHANG QINQIN
- Bu Ziqi
- WU WENLI
- SONG WENLONG
- YANG LONGYU
- ZHANG FURONG
- BAI TAO
- CHEN PENG
- MA JING
- WANG RONGRONG
- WU MIN
Assignees
- 国网宁夏电力有限公司石嘴山供电公司
- 国网宁夏电力有限公司
Dates
- Publication Date: 20260508
- Application Date: 20260205
- Priority Date: 20251209
Claims (10)
- 1. An intelligent analysis method for a power terminal protocol, characterized by comprising the following steps: extracting semantic features from the communication traffic data to be analyzed according to a pre-trained bit-level feature extraction model; when the feature extraction model fails to extract the semantic features, inputting the communication traffic data into a detection model and outputting, through the detection model, an active detection message corresponding to the communication traffic data, wherein the detection model is a reinforcement learning model trained on historical communication data; when the active detection message passes security verification, sending the active detection message to the terminal device of the communication traffic data and obtaining the physical response data of the terminal device; comparing the physical response data with a preset physical-semantic mapping relation to determine the corresponding semantic features; and checking the semantic features in a simulation operation mode to obtain a check result, and, when the check result indicates that the check has passed, taking the semantic features as the analysis result of the communication traffic data, updating the historical communication data, and performing reinforcement training on the detection model or the feature extraction model.
- 2. The method according to claim 1, wherein, before the active detection message is sent to the terminal device of the communication traffic data and the physical response data of the terminal device is obtained when the active detection message passes security verification, the method further comprises: transmitting the active detection message to a behavior simulation model of the terminal device, wherein the behavior simulation model is obtained by training on historical communication data of the terminal device; simulating, through the behavior simulation model, the physical response of the terminal device to the active detection message; when the physical response indicates a fault of the terminal device, determining that the security verification of the active detection message has not passed; and when the physical response indicates that the terminal device is safe, determining that the security verification of the active detection message has passed.
- 3. The method according to claim 2, wherein, after determining that the security verification of the active detection message has not passed because the physical response indicates a fault of the terminal device, the method further comprises: intercepting the active detection message and generating a penalty signal; sending the penalty signal to the detection model, and generating a new active detection message by the detection model according to the penalty signal; and performing security verification again on the new active detection message until the security verification of the active detection message passes or the iteration is stopped.
- 4. The method according to claim 1, wherein, before inputting the communication traffic data into the detection model and outputting the active detection message corresponding to the communication traffic data through the detection model, the method further comprises: taking the historical communication data as sample data; based on the measurable parameters at different time points in the sample data, screening out state parameters that satisfy the Markov property and are strongly related to the detection target, and constructing a state space from them; constructing an action space from the executable detection action parameters and the constraint conditions of the state parameters; determining, for each historical state and each detection action, the state transition probability of transitioning to a new state; constructing a reward function from the information gain, the risk penalty and the detection cost of the detection action; setting different solving algorithms according to the complexity of the protocol scenario; and constructing the detection model from the solving algorithm, the state space, the action space, the state transition probability and the reward function.
- 5. The method of claim 4, wherein the reward function is: Wherein, the To detect the amount of state space information entropy reduction caused by an action, For the probability of an abnormal response of the terminal device, In order to detect the cost of the time, Respectively corresponding weight coefficients.
- 6. The method according to claim 1, wherein comparing the physical response data with the preset physical-semantic mapping relation to determine the corresponding semantic features comprises: extracting multi-dimensional features from the physical response data, wherein the multi-dimensional features comprise at least one of binary features, numeric features, time-sequence features and context features; searching a large data set for similar protocol fragments as context according to the multi-dimensional features; and inputting the multi-dimensional features and the context into a large language model, and obtaining the corresponding semantic features by chain-of-thought reasoning of the large language model.
- 7. The method according to claim 1, wherein checking the semantic features in a simulation operation mode to obtain a check result comprises: combining the semantic features with the corresponding parsing driver code to determine the corresponding communication protocol type; comparing the semantic features against the historical semantic features of the historical communication data of that communication protocol type; and, when the degree of consistency between the historical semantic features and the semantic features reaches a preset similarity threshold, determining that the check of the semantic features has passed.
- 8. The method according to claim 1, wherein, before extracting semantic features from the communication traffic data to be analyzed according to the pre-trained bit-level feature extraction model, the method further comprises: acquiring unlabelled communication data of existing industrial protocols and creating a large data set; performing byte masking on the unlabelled communication data in the large data set, a masked sequence and its corresponding masked data forming one training sample; performing byte masking at different positions of the unlabelled communication data in the large data set to generate a training sample set; and training the bit-level feature extraction model on the training sample set until the cross-entropy loss of the bit-level feature extraction model reaches a preset threshold.
- 9. The method according to claim 8, wherein the semantic features comprise semantic feature vectors and frame structure features, the bit-level feature extraction model is a self-supervised model of Transformer architecture, and extracting semantic features from the communication traffic data to be analyzed according to the pre-trained bit-level feature extraction model comprises: preprocessing the communication traffic data to be analyzed to obtain corresponding input vectors; inputting the input vectors into a Transformer encoder with a multi-head self-attention mechanism to obtain the dependency relationship between any two byte units; determining the frame structure features of the communication traffic data from the dependency relationship; analyzing the communication traffic data according to the frame structure features to obtain semantic feature vectors, wherein the semantic features comprise the frame structure features and the semantic feature vectors; and confirming that the semantic feature extraction has failed when the integrity of the frame structure features does not exceed a preset integrity threshold and/or the confidence of the semantic feature vectors does not exceed a preset confidence threshold.
- 10. The method according to claim 9, wherein preprocessing the communication traffic data to be analyzed to obtain corresponding input vectors comprises: processing the communication traffic data to be analyzed into a byte sequence of a preset length; mapping the byte units in the byte sequence to continuous vectors through an embedding layer of the bit-level feature extraction model; determining the input vector corresponding to each byte unit from its continuous vector and its position code; and/or, when the communication traffic data is encrypted traffic data, extracting the metadata sequence of the encrypted traffic data, wherein the metadata sequence comprises at least one of a packet length sequence, an arrival time interval sequence and a transmission direction sequence; and inputting the metadata sequence into the bit-level feature extraction model to identify the business behavior pattern of the encrypted traffic.
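The following Python block is an added example illustrating the data-preparation side of claims 8 to 10; it is not code from the patent or its assignee. It builds masked-byte self-supervised training samples from unlabelled frames (claim 8), pads or truncates a frame to the preset input length and extracts the metadata sequence for encrypted traffic (claim 10), and applies the two-threshold rule under which extraction is declared failed (claim 9). The frames, the preset length, the mask and pad tokens, and the threshold values are all constructed assumptions; the model that would consume the samples is not shown.

```python
"""Added example: data preparation for the bit-level feature extraction model
(claims 8 to 10).  Frames, lengths, tokens and thresholds are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

MASK = 0x100          # out-of-byte-range token standing in for a masked byte
PAD = 0x101           # padding token for frames shorter than the preset length
PRESET_LEN = 16       # preset byte-sequence length (assumed value)

# Constructed, unlabelled frames in a Modbus-TCP-like layout (not real captures).
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006010300000002"),
    bytes.fromhex("000200000006010300020001"),
]


def masked_samples(frame: bytes) -> List[Tuple[List[int], int, int]]:
    """Claim 8: mask each byte position in turn.  A sample is the masked
    sequence, the masked position, and the original byte to be predicted."""
    samples = []
    for pos in range(len(frame)):
        seq = list(frame)
        seq[pos] = MASK
        samples.append((seq, pos, frame[pos]))
    return samples


def build_sample_set(frames: List[bytes]) -> List[Tuple[List[int], int, int]]:
    """Claim 8: the training sample set is the union over all frames and positions."""
    return [s for f in frames for s in masked_samples(f)]


def to_fixed_length(frame: bytes, n: int = PRESET_LEN) -> List[int]:
    """Claim 10: produce a byte sequence of the preset length by truncating
    long frames and padding short ones."""
    seq = list(frame[:n])
    return seq + [PAD] * (n - len(seq))


@dataclass
class Packet:
    length: int      # bytes on the wire
    ts: float        # arrival time in seconds
    outbound: bool   # direction relative to the terminal


def metadata_sequences(pkts: List[Packet]):
    """Claim 10 for encrypted traffic: packet length sequence, arrival-interval
    sequence (first interval defined as 0) and transmission-direction sequence."""
    lengths = [p.length for p in pkts]
    gaps = [0.0] + [round(b.ts - a.ts, 6) for a, b in zip(pkts, pkts[1:])]
    dirs = [1 if p.outbound else -1 for p in pkts]
    return lengths, gaps, dirs


def extraction_failed(integrity: float, confidence: float,
                      integrity_thr: float = 0.8,
                      confidence_thr: float = 0.7) -> bool:
    """Claim 9: extraction fails when frame-structure integrity does not exceed
    its threshold and/or vector confidence does not exceed its threshold.
    A failed frame is what gets handed to the detection model."""
    return integrity <= integrity_thr or confidence <= confidence_thr


if __name__ == "__main__":
    print(len(build_sample_set(SAMPLE_FRAMES)), "training samples")
    print(to_fixed_length(SAMPLE_FRAMES[0]))
    print(extraction_failed(0.95, 0.5))
```

The masking token lives outside the 0..255 byte range so that a masked position can never be confused with a real byte value; the same holds for the pad token, which a real model would exclude from the loss.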
Description
Intelligent analysis method for power terminal protocol
Technical Field
The invention relates to the technical field of Internet of Things communication, in particular to an intelligent analysis method for a power terminal protocol.
Background
With the construction of the new-type power system and the energy internet, the distribution network side and the user side are connected to a mass of heterogeneous terminal devices, such as smart meters, photovoltaic inverters, energy storage controllers and microcomputer protection devices. Communication access for these devices faces a significant challenge. The prior art has the following notable problems. Communication protocols exhibit extreme fragmentation and privatization: in addition to standard protocols such as Modbus, DL/T 645-1997/2007, IEC 60870-5-101/103/104 and MQTT, many devices use vendor-proprietary, non-standard communication protocols. The Modbus protocol, although it defines the underlying communication frame format, does not define the specific meaning of register addresses (the point table), so device point tables vary widely between vendors. In addition, the Application Service Data Unit (ASDU) of the IEC 104 protocol has a complex structure, with many type identifications and causes of transmission, and different manufacturers implement the standard differently. For the many devices lacking technical documentation, existing parsing methods based on rule matching or feature fingerprint libraries (such as Wireshark plug-ins or the Nmap fingerprint library) are often ineffective and cannot achieve semantic-level parsing. For the technical problem in the related art that a non-standard power terminal protocol is difficult to analyze effectively at the semantic level because its frame structure differs from that of a standard terminal protocol, no effective solution has been proposed to date.
Disclosure of Invention
The intelligent analysis method for a power terminal protocol at least solves the technical problem in the related art that a non-standard power terminal protocol is difficult to analyze effectively at the semantic level because its frame structure differs from that of a standard terminal protocol. An embodiment of the invention provides an intelligent analysis method for a power terminal protocol, comprising: extracting semantic features from the communication traffic data to be analyzed according to a pre-trained bit-level feature extraction model; when the feature extraction model fails to extract the semantic features, inputting the communication traffic data into a detection model and outputting, through the detection model, an active detection message corresponding to the communication traffic data, wherein the detection model is a reinforcement learning model trained on historical communication data; when the active detection message passes security verification, sending the active detection message to the terminal device of the communication traffic data to obtain the physical response data of the terminal device; comparing the physical response data with a preset physical-semantic mapping relation to determine the corresponding semantic features; checking the semantic features in a simulation operation mode to obtain a check result; and, when the check result indicates that the check has passed, taking the semantic features as the analysis result of the communication traffic data, updating the historical communication data, and performing reinforcement training on the detection model or the feature extraction model.
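The following Python block is an added example of the probe-selection loop described in claims 2 to 5 and in the two paragraphs above; it is not code from the patent or its assignee. A toy reinforcement-learning "detection model" ranks candidate probe actions by a reward of the claim-4 shape (weighted information gain minus weighted risk penalty minus weighted probe cost), a behavior simulation model learned from constructed historical communication data predicts whether the terminal would fault, and a probe the simulation rejects is intercepted and fed back as a penalty signal until a probe passes or the iteration budget is exhausted. The action names, information-gain and cost figures, weights, the fault-prediction limit and the history are all assumptions made for the example; the detection model here is a single-state value table rather than a full Markov decision process.

```python
"""Added example: safety-gated probe selection with a penalty-signal loop
(claims 2 to 5).  All actions, figures and history are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed history of (probe action, terminal responded abnormally?).
# In the method this would be the stored historical communication data.
HISTORY = [
    ("replay_observed_request", False), ("replay_observed_request", False),
    ("read_next_block", False), ("read_next_block", True),
    ("query_device_id", False),
]
# Assumed per-action information gain (entropy reduction) and time cost.
INFO_GAIN = {"replay_observed_request": 0.1, "read_next_block": 0.6,
             "query_device_id": 0.4, "unseen_function": 0.9}
COST = {"replay_observed_request": 0.1, "read_next_block": 0.2,
        "query_device_id": 0.2, "unseen_function": 0.3}
W_INFO, W_RISK, W_COST = 1.0, 1.5, 0.5   # assumed weight coefficients


class BehaviourSimulation:
    """Claim 2: predicts the terminal's physical response from history.
    Actions never seen in history are conservatively treated as faulting."""

    def __init__(self, history: List[Tuple[str, bool]]):
        counts: Dict[str, List[int]] = {}
        for action, abnormal in history:
            n_bad = counts.setdefault(action, [0, 0])
            n_bad[0] += 1
            n_bad[1] += int(abnormal)
        self.p_abnormal = {a: bad / n for a, (n, bad) in counts.items()}

    def abnormal_probability(self, action: str) -> float:
        return self.p_abnormal.get(action, 1.0)

    def predicts_fault(self, action: str, limit: float = 0.5) -> bool:
        return self.abnormal_probability(action) >= limit


class ProbeModel:
    """Toy detection model: a value per action in the claim-5 reward shape.
    Its risk estimate starts optimistic (0) and is raised by penalty signals."""

    def __init__(self, actions: List[str]):
        self.risk = {a: 0.0 for a in actions}

    def value(self, action: str) -> float:
        return (W_INFO * INFO_GAIN[action]
                - W_RISK * self.risk[action]
                - W_COST * COST[action])

    def propose(self) -> str:
        return max(self.risk, key=self.value)

    def penalize(self, action: str) -> None:
        """Claim 3: the penalty signal marks the intercepted action as risky."""
        self.risk[action] = 1.0


def select_safe_probe(model: ProbeModel, sim: BehaviourSimulation,
                      max_iter: int = 5) -> Tuple[Optional[str], List[str]]:
    """Claims 2 and 3: propose, verify against the simulation, intercept and
    penalize on predicted fault, repeat until a probe passes or iteration stops.
    Returns the accepted action (or None) and the list of intercepted actions."""
    intercepted: List[str] = []
    for _ in range(max_iter):
        action = model.propose()
        if sim.predicts_fault(action):
            intercepted.append(action)
            model.penalize(action)
            continue
        return action, intercepted
    return None, intercepted


if __name__ == "__main__":
    simulation = BehaviourSimulation(HISTORY)
    print(select_safe_probe(ProbeModel(list(INFO_GAIN)), simulation))
```

With the constructed figures the model first proposes the highest-gain action, which the simulation rejects because it never appears in history; the penalty drives the model down its ranking until it reaches an action the simulation considers safe, and nothing is sent to a device before that point.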
As an alternative scheme, before the active detection message is sent to the terminal device to obtain its physical response data when the active detection message passes security verification, the method further comprises: sending the active detection message to a behavior simulation model of the terminal device; simulating, through the behavior simulation model, the physical response of the terminal device to the active detection message; determining that the security verification of the active detection message has not passed when the physical response indicates a fault of the terminal device; and determining that the security verification of the active detection message has passed when the physical response indicates that the terminal device is safe. As an alternative scheme, after determining that the security verification of the active detection message has not passed because the physical response indicates a fault of the terminal device, the method further comprises: intercepting the active detection message, generating a penalty signal, sending the penalty signal to the detection model, and generating a new active detection message according to the penalty signal by the