CN-122019237-A - Asset operation baseline line crossing detection method and system for power monitoring
Abstract
The invention discloses an asset operation baseline line-crossing (baseline deviation) detection method and system for electric power monitoring, in the technical field of line-crossing detection. The statistical period is adjusted dynamically and the baseline is modelled automatically, so that the baseline accurately depicts the normal state of the business and model lag is avoided; manual configuration errors are eliminated at the source, and detection results are driven entirely by real data, which markedly improves accuracy and objectivity. At the detection layer, statistical-distribution, sequence-rule and relation-topology analysis models are integrated so that composite threats ranging from numerical anomalies and process (sequence) violations to relationship intrusions can be identified in depth. Periodic behaviour templates and refined feature processing filter out environmental noise, greatly reducing false alarms and easing the operations and maintenance burden. As soon as a behavioural deviation is detected, a structured line-crossing label fused with multi-dimensional evidence is generated and a preset response is triggered automatically, providing an intelligent response and defence capability for critical power infrastructure.
Inventors
- LI XIN
- WANG QINGXIAN
Assignees
- 北京国泰网信科技股份有限公司
- 成都国泰网信科技有限公司
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-02-09
Claims (8)
- 1. An asset operation baseline line-crossing detection method for power monitoring, the method comprising the steps of: S1, connecting the traffic capture port of the system equipment to a switch mirror port, acquiring the behaviour data of the assets in the network through the capture port, receiving the operation data reported by the assets via Syslog, and parsing all of this data into behaviour event streams with a fixed field structure; S2, after the behaviour event streams of the assets in the network have been read, analysing the event data within a statistical period and storing the generated baseline data in JSON format; S3, when a real-time event occurs, comparing it with the generated baseline data using a rule analysis engine and, when a line crossing occurs, generating the corresponding line-crossing label; and S4, sending the event content and the line-crossing label to a monitoring platform over a secure channel, and issuing the corresponding notification according to the configuration.
- 2. The asset operation baseline line-crossing detection method for power monitoring of claim 1, wherein S1 comprises the following steps: S101, after the mirror port of the network switch where the key system equipment is located has been connected to the traffic capture port, acquiring the network communication behaviour data of all assets in the network through the capture port in a non-intrusive bypass (out-of-band) monitoring mode; S102, acquiring the operation and state event data of the assets by receiving the Syslog logs actively reported by the assets; S103, preprocessing the network communication behaviour data and the operation and state event data into multi-source heterogeneous data, using a deep packet inspection engine to dissect the packets layer by layer according to the standard specifications of the proprietary protocols of the power monitoring system and accurately extract the core fields of the protocol frames, and applying preset regular expressions to the unstructured text of the received Syslog logs to extract the key attributes of time, host, user, operation object and result state.
- 3. The asset operation baseline line-crossing detection method for power monitoring of claim 2, wherein S1 further comprises the following steps: S104, fusing all low-level data fields and key attributes of the heterogeneous data, combining them through a behaviour abstraction engine into high-level behaviour events with explicit business semantics, reconstructing the discrete events into behaviour sequences by session reassembly and causal inference, and automatically looking up the business-dimension metadata of the related assets in the asset library so as to output behaviour event tuples carrying business context; S105, serialising and encapsulating every behaviour event in the event tuples, with a fixed field structure explicitly defined for each event type, the fixed field structure comprising a globally unique event ID, a standard timestamp accurate to the millisecond, detailed information on the behaviour initiator and receiver, the behaviour type, the protocol involved, the specific operation action, the key parameters and the execution result.
- 4. The asset operation baseline line-crossing detection method for power monitoring of claim 1, wherein S2 comprises the following steps: S201, reading the continuously collected and normalised behaviour event stream, dividing it periodically into independent observation time windows according to a predefined statistical period, and taking the data within the windows as training samples representing the steady-state operation of the system; S202, applying multi-scale sliding-window segmentation to the training samples and establishing three parallel processing channels, namely a millisecond channel, an operation channel and a session channel, wherein the millisecond channel mines atomic operation sequences from the received events with the PrefixSpan algorithm, the operation channel identifies the operation units formed by aggregating the atomic operation sequences and assembles them into complete operation chains, and the session channel receives the set of complete operation chains, analyses the temporal distribution of the operation patterns, and finally outputs a frequent-pattern rule set with temporal-causal constraints; S203, applying a fast Fourier transform to the timestamp sequence of each behaviour event type, identifying the significant periodic components in the frequency domain, computing the phase distribution of event occurrence for each periodic component, fitting a distribution to the time intervals between consecutive periodic events to describe their statistical characteristics, and outputting a periodic behaviour template.
- 5. The asset operation baseline line-crossing detection method for power monitoring of claim 4, wherein S2 further comprises the following steps: S204, extracting continuous feature vectors from the event stream and establishing a multivariate statistical baseline for them, the baseline describing the normal interval of each feature and the association constraints between features; S205, aggregating the event stream into discrete and graph-structured data and performing embedding learning with a temporal graph neural network, wherein the node features fuse the static attributes of the equipment with the behaviour patterns dynamically extracted from the event stream, and an edge weight matrix quantifies the interaction strength and patterns over several time dimensions, so that asset communities with tight functional coupling are identified automatically and graph structure parameters comprising node embedding vectors, edge weight tensors and community partition results are output; S206, converting the raw identifiers in the event stream into multi-layer semantic vectors comprising physical location, service role and security level with an adaptive feature encoder, encoding the intent of protocol instructions with an attention mechanism to distinguish the criticality of operations, and outputting feature vectors that have been temporally smoothed and normalised; S207, packaging all of these outputs and storing the generated baseline data in the baseline library in JSON format.
- 6. The asset operation baseline line-crossing detection method for power monitoring of claim 1, wherein S3 comprises the following steps: S301, performing online anomaly detection on the asset behaviour events acquired in real time, extracting the multi-dimensional feature vector of each event and feeding it to the rule analysis engine; S302, the engine performing a multi-level comparison to check whether the real-time feature vector falls within the reference interval set by the statistical baseline; if it does not, the event is judged statistically anomalous in the current continuous feature dimension and a line-crossing tag is generated immediately, recording the specific feature, the direction of the deviation and its degree; if it does, the event is judged statistically normal in that dimension.
- 7. The asset operation baseline line-crossing detection method for power monitoring of claim 6, wherein S3 further comprises the following steps: S303, placing the current event in a short sequence formed with the most recent events and verifying whether it conforms to the frequent patterns and causal constraints mined into the baseline library; if so, the event is judged logically normal in the context of the current sequence; if not, it is judged logically anomalous, a line-crossing tag is generated immediately, and the specific pattern and constraint violated are stated explicitly; S304, computing in real time, with a graph neural network, an anomaly score for the asset node involved in the event and judging whether it deviates from the learned normal communication community and connection pattern; if it does not, the event is judged structurally normal at the relational topology level; if it does, the event is judged topologically anomalous, a line-crossing tag is generated, and the tag records a precise description of the point of deviation.
- 8. An asset operation baseline line-crossing detection system for power monitoring, characterised in that the system applies the asset operation baseline line-crossing detection method for power monitoring of any one of claims 1 to 7 and comprises a data acquisition unit, a baseline generation unit, a line-crossing detection unit and a response processing unit; the data acquisition unit connects the traffic capture port of the system equipment to a switch mirror port, acquires the behaviour data of the assets in the network through the capture port, receives the operation data reported by the assets via Syslog, and parses all of this data into behaviour event streams with a fixed field structure; the baseline generation unit, after reading the behaviour event streams of the assets in the network, analyses the event data within a statistical period and stores the generated baseline data in JSON format; when a real-time event occurs, the line-crossing detection unit compares it with the generated baseline data using a rule analysis engine and, when a line crossing occurs, generates the corresponding line-crossing label; and the response processing unit sends the event content and the line-crossing label to the monitoring platform over a secure channel and issues the corresponding notification according to the configuration.
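Claims 1 to 7 describe one pipeline: Syslog text is parsed into fixed-field events (S103/S105), a baseline is learned over a statistical period and stored as JSON (S201, S204, S207), and each live event is checked against the statistical interval (S302) and the learned sequence rules (S303), producing a line-crossing tag that names the feature, the deviation direction and its degree. The following Python sketch is an added example, not code from the patent or its assignees. It assumes a constructed Syslog line format, uses the per-window count of each (host, action) pair as the continuous feature, and stands in for the PrefixSpan frequent-pattern rule set with the set of action transitions observed during training; the FFT periodicity template and the graph neural network of the claims are omitted.

```python
import json
import re
import statistics
import uuid
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed Syslog line format for this example (a real deployment uses the
# per-device regex set of S103): "<ISO time> <host> <user> <action> <target> <result>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<action>\S+) (?P<target>\S+) (?P<result>\S+)$"
)
WINDOW_MS = 3_600_000   # one observation window of the statistical period (S201)
K_SIGMA = 3.0           # half-width of the "normal interval" in standard deviations
SD_FLOOR = 0.5          # keeps the interval from collapsing on constant counts


def parse_syslog(line):
    """S103/S105: regex-extract the key attributes into a fixed-field event."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable text is dropped, not guessed
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"event_id": str(uuid.uuid4()), "timestamp_ms": int(ts.timestamp() * 1000),
            "initiator": {"host": m["host"], "user": m["user"]}, "receiver": m["target"],
            "action": m["action"], "result": m["result"]}


def build_baseline(events):
    """S201/S204/S207: per-window event counts -> normal interval per (host, action),
    plus the set of observed action transitions per host, which stands in here for
    the S202 frequent-pattern rule set. Returned as the JSON the baseline library stores."""
    per_window = defaultdict(Counter)    # window index -> Counter("host|action")
    transitions = defaultdict(set)       # host -> {"prev>action"}
    last_action = {}
    for ev in sorted(events, key=lambda e: e["timestamp_ms"]):
        host = ev["initiator"]["host"]
        per_window[ev["timestamp_ms"] // WINDOW_MS][f"{host}|{ev['action']}"] += 1
        if host in last_action:
            transitions[host].add(f"{last_action[host]}>{ev['action']}")
        last_action[host] = ev["action"]
    rate = {}
    for key in {k for c in per_window.values() for k in c}:
        counts = [per_window[w][key] for w in per_window]   # Counter gives 0 if absent
        mean, sd = statistics.fmean(counts), max(statistics.pstdev(counts), SD_FLOOR)
        rate[key] = {"mean": mean, "sd": sd,
                     "low": max(0.0, mean - K_SIGMA * sd), "high": mean + K_SIGMA * sd}
    return json.dumps({"window_ms": WINDOW_MS, "rate": rate,
                       "transitions": {h: sorted(t) for h, t in transitions.items()}})


class CrossingDetector:
    """S3: compare each live event with the baseline and emit line-crossing tags."""

    def __init__(self, baseline_json):
        self.bl = json.loads(baseline_json)
        self.live = Counter()            # (window, "host|action") -> running count
        self.last_action = {}

    def check(self, ev):
        tags, host = [], ev["initiator"]["host"]
        key = f"{host}|{ev['action']}"
        # S302: statistical dimension. Only "above" can be decided per event, since a
        # count can fall below the interval only once its window has closed.
        w = ev["timestamp_ms"] // self.bl["window_ms"]
        self.live[(w, key)] += 1
        ref = self.bl["rate"].get(key)
        if ref is None:
            tags.append({"dimension": "statistical", "feature": key,
                         "direction": "unseen", "degree": None})
        elif self.live[(w, key)] > ref["high"]:
            tags.append({"dimension": "statistical", "feature": key, "direction": "above",
                         "degree": round((self.live[(w, key)] - ref["mean"]) / ref["sd"], 2)})
        # S303: sequence dimension. Is this transition in the learned rule set?
        if host in self.last_action:
            t = f"{self.last_action[host]}>{ev['action']}"
            if t not in self.bl["transitions"].get(host, []):
                tags.append({"dimension": "sequence", "feature": t,
                             "violated": f"no baseline transition {t} for {host}"})
        self.last_action[host] = ev["action"]
        return [dict(tag, event_id=ev["event_id"]) for tag in tags]


# Constructed training data: five hourly windows of the same operator routine.
TRAIN_LINES = [f"2024-03-01T0{h}:00:{s:02d}Z scada-hmi-01 op1 {a} hmi-db OK"
               for h in range(5)
               for s, a in ((0, "login"), (10, "read"), (20, "read"), (30, "logout"))]
# Constructed live data: a read burst, then a write action never seen in training.
LIVE_LINES = [f"2024-03-01T05:00:{s:02d}Z scada-hmi-01 op1 {a} hmi-db OK"
              for s, a in ((0, "login"), (10, "read"), (20, "read"),
                           (30, "read"), (40, "read"), (50, "write"))]


def run_demo():
    """Build the baseline from TRAIN_LINES, then run LIVE_LINES through the detector."""
    baseline = build_baseline([e for e in map(parse_syslog, TRAIN_LINES) if e])
    det = CrossingDetector(baseline)
    return [tag for line in LIVE_LINES for tag in det.check(parse_syslog(line))]


if __name__ == "__main__":
    for tag in run_demo():
        print(json.dumps(tag))
```

Run as a script, the demo emits three tags: the fourth `read` in the live window exceeds the learned interval (statistical, direction "above", degree 4.0 standard deviations), and the `write` event is flagged twice, once because the feature `scada-hmi-01|write` has no baseline entry and once because the transition `read>write` is outside the learned rule set. The `SD_FLOOR` constant is the practitioner's caveat: a perfectly regular training period gives a zero standard deviation, and without a floor the first extra event of any kind would cross the line.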
Description
Asset operation baseline line crossing detection method and system for power monitoring

Technical Field
The invention relates to the technical field of line-crossing detection, and in particular to an asset operation baseline line-crossing detection method and system for electric power monitoring.

Background
Electric power monitoring systems currently face serious network security challenges. Traditional defences rely mainly on fixed-rule boundary protection and signature-based intrusion detection, and struggle against advanced persistent threats and internal violations that use legitimate protocols and imitate normal behaviour; such attacks hide in massive volumes of business data, and because the traditional methods lack an accurate understanding of the system's normal behaviour patterns they suffer from low detection rates, high false alarm rates and delayed response.
As smart grid construction advances, the monitoring network hosts many kinds of equipment with proprietary protocols and complex interactions, and its security situation is dynamic and concealed. Most existing security products are general-purpose designs that do not adequately account for the distinctive periodic operating patterns of power industrial control scenarios, their strict operation sequence logic, or the established communication topology between devices, so they are difficult to adapt effectively to this setting.
What is needed, therefore, is an intelligent detection system that understands the service characteristics of electric power monitoring and has adaptive learning capability: one that automatically learns the behaviour rules of each asset under normal operating conditions, forms an accurate operating baseline, and detects in real time the abnormal behaviour that deviates from it, thereby giving accurate early warning of unknown threats, abnormal operations and potential risks.

Disclosure of Invention
The invention aims to provide an asset operation baseline line-crossing detection method and system for power monitoring that solves the problems described in the background. To this end the invention provides the following technical scheme. The asset operation baseline line-crossing detection method for power monitoring comprises the following steps: S1, connecting the traffic capture port of the system equipment to a switch mirror port, acquiring the behaviour data of the assets in the network through the capture port, receiving the operation data reported by the assets via Syslog, and parsing all of this data into behaviour event streams with a fixed field structure; S2, after the behaviour event streams of the assets in the network have been read, analysing the event data within a statistical period and storing the generated baseline data in JSON format; S3, when a real-time event occurs, comparing it with the generated baseline data using a rule analysis engine and, when a line crossing occurs, generating the corresponding line-crossing label; and S4, sending the event content and the line-crossing label to a monitoring platform over a secure channel, and issuing the corresponding notification according to the configuration.
Preferably, the step S1 specifically includes the following steps: S101, after a mirror image port of a network switch where key system equipment is located is connected with a flow acquisition port, acquiring network communication behavior data of all assets in a network by using the acquisition port in a non-invasive bypass monitoring mode; s102, acquiring operation and state event data of various assets by receiving Syslog logs actively reported by the various assets; S103, preprocessing network communication behavior data, operation and state event data to obtain multi-source heterogeneous data, utilizing a deep packet analysis engine to disassemble data packets in the heterogeneous data layer by layer according to standard specifications of a special protocol of the power monitoring system, accurately extracting core fields in protocol frames, carrying out pattern matching on unstructured log texts through a preset regular expression on a received Syslog log, and extracting time, a host, a user, an operation object and result state key attributes. Preferably, the step S1 specifically further includes the following steps: S104, fusing all bottom data fields and key attributes in the heterogeneous data, combining the data fields into a high-level behavior event with definite business semantics through a behavior abstraction engine, reconstructing discrete events into a behavior sequence by adopting a session recombination and causal reasoning technology, and automatically inquiring business dimension metadata of the supplementary related assets from an asset library so as to output a behavior event tuple with business context; S