CN-122027271-A - Power network abnormal behavior monitoring system and method based on full flow analysis
Abstract
The invention discloses a system and method for monitoring abnormal behavior in a power network based on full-traffic analysis, in the technical field of power-system network security. The monitoring system is deployed at a core switching node of the power monitoring system network and comprises a data acquisition module, a traffic preprocessing and parsing module, a behavior feature extraction module, an anomaly detection and analysis module, and an alarm and response module. The traffic preprocessing and parsing module contains a hardware parsing unit and a software deep packet inspection (DPI) engine and outputs enhanced flow identifiers and protocol semantic information; the anomaly detection and analysis module contains a dynamic baseline model, a machine learning classification model and an anomaly rule base. By combining FPGA hardware acceleration with a DPI engine, the invention achieves deep protocol awareness: the main power industrial control protocols are parsed accurately and their semantics understood, which lays the foundation for anomaly detection at the service layer and substantially improves detection depth and the accuracy with which advanced targeted threats are identified.
Inventors
- Fu Gehua
- LIU FENGZHENG
- HU YIFAN
- LI XUEWU
- Liang Zhanbu
- HE MINGDONG
- LI BO
Assignees
- Guangdong Power Grid Co., Ltd. (广东电网有限责任公司)
- Digital and Intelligent Operation Center, Guangdong Power Grid Co., Ltd. (广东电网有限责任公司数智运营中心)
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-02-05
Claims (10)
- 1. A power network abnormal behavior monitoring system based on full-traffic analysis, characterized in that it is deployed at a core switching node of a power monitoring system network and comprises a data acquisition module, a traffic preprocessing and parsing module, a behavior feature extraction module, an anomaly detection and analysis module and an alarm and response module; the data acquisition module captures the raw packets of the network's full traffic; the traffic preprocessing and parsing module is connected to the data acquisition module and contains a hardware parsing unit and a deep packet inspection engine, which perform high-speed parsing, flow reassembly and deep parsing of industrial control protocols on the raw packets and output enhanced flow identifiers and protocol semantic information; the behavior feature extraction module is connected to the traffic preprocessing and parsing module and computes behavior feature vectors for network sessions in real time from the flow identifiers and semantic information; the anomaly detection and analysis module is connected to the behavior feature extraction module and contains a dynamic baseline model, a machine learning classification model and an anomaly rule base; and the alarm and response module is connected to the anomaly detection and analysis module, generates visualized alarms and supports linked response.
- 2. The power network abnormal behavior monitoring system based on full-traffic analysis according to claim 1, wherein the data acquisition module comprises an industrial Ethernet switch with a port mirroring function; the input of the data acquisition module is physically connected by optical fiber to the mirror port of the core switching node of the monitored network, so that the raw packets of the network's full traffic are captured and forwarded by the data acquisition module without loss; and the output of the data acquisition module is connected to the input of the traffic preprocessing and parsing module through a high-speed data bus.
- 3. The power network abnormal behavior monitoring system based on full-traffic analysis according to claim 1, wherein the traffic preprocessing and parsing module comprises a hardware parsing unit based on a field programmable gate array (FPGA) and a deep packet inspection engine based on a general-purpose processor. The hardware parsing unit implements a packet parsing logic circuit in fixed logic; this circuit performs link-layer decapsulation, network-layer protocol identification and transport-layer flow reassembly on received raw packets and outputs five-tuple information consisting of source IP address, destination IP address, source port, destination port and transport-layer protocol type. The hardware parsing unit also implements a traffic statistics logic circuit that counts packets, bytes and new-connection rates at port level and flow level in real time. The deep packet inspection engine is loaded with a power industrial control protocol feature library containing message-structure signatures for IEC 60870-5-104, IEC 61850 MMS and Modbus TCP; it receives the reassembled application-layer payload associated with each five-tuple, identifies the specific industrial control protocol by signature matching and, according to the identified protocol specification, parses in depth the function code field, the data object address field and the operation data content of the application-layer message, including telemetry values, remote signaling states and remote control commands. The engine further comprises a protocol fingerprint library and identifies industrial control protocol traffic carried on nonstandard ports by matching the byte-distribution features of the first N bytes of the payload against fixed values.
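The DPI stage of claim 3, as an added example that is not code from the patent: it fingerprints a reassembled TCP payload by the structure of its first bytes rather than by port, then parses the Modbus TCP MBAP/PDU header and the IEC 60870-5-104 APCI/ASDU header into function code, data object address and operation type. IEC 61850 MMS is recognised only through its TPKT/COTP transport header and its ASN.1 body is not decoded; the sample payloads are hand-built test vectors, the standard-port table and the type-ID name table are assumptions, and the entropy check for unclassified payloads is one way to realise the "encrypted or proprietary" branch of claim 9, not the patent's method.

```python
"""Port-independent ICS protocol identification and deep parsing (added example)."""
import math
import struct
from collections import Counter

# Constructed test vectors (hand-built, not captured traffic).
MODBUS_READ = bytes.fromhex("0001 0000 0006 11 03 006b 0003")   # FC 3: read 3 holding registers from 0x006B
MODBUS_WRITE = bytes.fromhex("0002 0000 0006 11 06 0010 ff00")  # FC 6: write single register 0x0010
IEC104_GI = bytes.fromhex("68 0e 0000 0000 64 01 06 00 0100 000000 14")  # C_IC_NA_1 activation (COT 6)
IEC104_SC = bytes.fromhex("68 0e 0200 0000 2d 01 06 00 0100 010500 01")  # C_SC_NA_1 single command, IOA 1281
MMS_TPKT = bytes.fromhex("03000016 02f080") + bytes(15)          # TPKT + COTP DT header, MMS body omitted
OPAQUE = bytes(range(256))                                       # stand-in for encrypted/proprietary data

STANDARD_PORTS = {502: "modbus_tcp", 2404: "iec104", 102: "mms_tpkt"}   # assumed port hints
IEC104_TYPE_NAMES = {1: "M_SP_NA_1", 13: "M_ME_NF_1", 45: "C_SC_NA_1", 46: "C_DC_NA_1", 100: "C_IC_NA_1"}
IEC104_CONTROL_TYPES = set(range(45, 52))   # C_SC_NA_1 .. C_BO_NA_1: remote control and setpoint commands
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


def fingerprint(payload: bytes) -> str:
    """Classify by the structure of the first bytes, independent of the TCP port."""
    n = len(payload)
    if n >= 6 and payload[0] == 0x68 and payload[1] + 2 == n:
        return "iec104"          # APCI start byte and APDU length consistent with the payload
    if (n >= 8 and payload[2:4] == b"\x00\x00"
            and struct.unpack(">H", payload[4:6])[0] == n - 6 and payload[7] not in (0, 0x80)):
        return "modbus_tcp"      # MBAP protocol id 0, length field consistent, plausible function code
    if (n >= 7 and payload[:2] == b"\x03\x00"
            and struct.unpack(">H", payload[2:4])[0] == n and payload[4:7] == b"\x02\xf0\x80"):
        return "mms_tpkt"        # TPKT v3 + COTP data TPDU, the transport under ISO 9506 MMS
    return "unknown"


def parse_modbus(payload: bytes) -> dict:
    """MBAP header plus the address/count (or address/value) fields of the common function codes."""
    txid, _proto_id, _length, unit = struct.unpack(">HHHB", payload[:7])
    fc = payload[7]
    info = {"proto": "modbus_tcp", "txid": txid, "unit": unit, "fc": fc,
            "op": "exception" if fc & 0x80 else ("write" if fc in MODBUS_WRITE_FCS else "read")}
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(payload) >= 12:
        addr, arg = struct.unpack(">HH", payload[8:12])
        info["addr"] = addr
        info["count" if fc in (1, 2, 3, 4, 15, 16) else "value"] = arg   # FC 5/6 carry a value, not a count
    return info


def parse_iec104(payload: bytes) -> dict:
    """APCI format, then the ASDU header of an I-frame (type ID, COT, common address, IOA)."""
    ctrl = payload[2:6]
    fmt = "I" if ctrl[0] & 1 == 0 else ("S" if ctrl[0] & 3 == 1 else "U")
    info = {"proto": "iec104", "apci": fmt}
    if fmt != "I" or len(payload) < 15:
        return info              # S/U frames carry no ASDU
    type_id, _vsq, cot, _orig, ca = struct.unpack("<BBBBH", payload[6:12])   # 104 fields are little-endian
    info.update(type_id=type_id, type_name=IEC104_TYPE_NAMES.get(type_id, "?"),
                cot=cot & 0x3F, ca=ca, ioa=int.from_bytes(payload[12:15], "little"),
                op="control" if type_id in IEC104_CONTROL_TYPES else
                   ("interrogation" if type_id == 100 else "monitor"))
    return info


def byte_entropy(payload: bytes) -> float:
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0


def identify(dst_port: int, payload: bytes) -> dict:
    """Fingerprint, deep-parse, and flag a known protocol carried on a nonstandard port."""
    proto = fingerprint(payload)
    result = {"proto": proto,
              "port_mismatch": proto != "unknown" and STANDARD_PORTS.get(dst_port) != proto}
    if proto == "modbus_tcp":
        result["asdu"] = parse_modbus(payload)
    elif proto == "iec104":
        result["asdu"] = parse_iec104(payload)
    elif proto == "unknown":
        result["entropy"] = round(byte_entropy(payload), 2)   # near 8 bits/byte suggests encryption
    return result


if __name__ == "__main__":
    for port, pkt in [(502, MODBUS_READ), (8080, MODBUS_WRITE), (2404, IEC104_GI),
                      (2404, IEC104_SC), (102, MMS_TPKT), (443, OPAQUE)]:
        print(port, identify(port, pkt))
```

The length-consistency checks are what make the fingerprint usable off the standard ports: a Modbus MBAP header whose length field does not match the reassembled payload, or an APCI whose length byte does not, is rejected even when the first byte happens to match.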
- 4. The power network abnormal behavior monitoring system based on full-traffic analysis according to claim 1, wherein the behavior feature extraction module comprises a flow session tracking unit and a multidimensional feature calculation unit. The flow session tracking unit maintains an active flow session table from the five-tuple information and industrial control protocol type output by the hardware parsing unit; the active flow session table records, for each session, a session identifier, timestamps and the sequence of parsed application-layer transactions. The multidimensional feature calculation unit receives the output of the traffic preprocessing and parsing module in real time and periodically computes, for each active flow session, the following feature vector: session duration; the ratio of uplink packets to downlink packets in the session; the mean and variance of packet payload size in the session; the frequency of messages carrying specific function codes within a preset time window; the access sequence pattern of data object addresses across consecutive application-layer transactions; and the rate of change of telemetry data between adjacent sampling periods.
- 5. The power network abnormal behavior monitoring system based on full-traffic analysis according to claim 4, wherein the multidimensional feature calculation unit additionally computes industrial control protocol semantic features, namely: for IEC 60870-5-104, the frequency of general interrogation (total call) commands and the integrity of their responses; for Modbus TCP, whether the address range of a register operation is out of bounds; and for IEC 61850 MMS, the pattern of service access paths.
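The feature vector of claims 4 and 5, as an added example that is not code from the patent. It takes the per-session transaction sequence that the flow session table would hold (already parsed by the DPI stage) and computes session duration, uplink/downlink ratio, payload mean and variance, watched-function-code frequency in a time window, the repetition period of the address access sequence, the telemetry change rate, the IEC 104 general interrogation count with its response integrity, and Modbus operations outside the allowed register windows. The `Txn` layout, the allowed register map, the watched function codes and both sessions are constructed assumptions; the MMS service-path feature is not shown because no MMS decoding is included.

```python
"""Per-session behavior features from parsed ICS transactions (added example)."""
import statistics
from dataclasses import dataclass
from typing import Optional


@dataclass
class Txn:
    ts: float                       # seconds, relative to capture start
    up: bool                        # True: master/client -> field device; False: device -> master
    size: int                       # application-layer payload bytes
    proto: str
    fc: Optional[int] = None        # Modbus function code or IEC 104 type ID
    cot: Optional[int] = None       # IEC 104 cause of transmission (6 act, 7 actcon, 10 actterm)
    addr: Optional[int] = None      # Modbus start register or IEC 104 IOA
    count: int = 1                  # registers touched by a Modbus request
    value: Optional[float] = None   # telemetry value carried by a monitoring-direction frame


ALLOWED_REGISTERS = [(100, 110), (200, 232)]   # assumed config: allowed half-open [start, end) windows
WATCHED_FCS = {5, 6, 15, 16, 45, 46, 100}      # Modbus writes, IEC 104 commands, general interrogation

# Constructed Modbus session: a 1 s poll cycle over two register blocks, a telemetry jump, then a write that
# spills past the allowed window (228 + 8 = 236 > 232).
MODBUS_SESSION = [Txn(t, True, 12, "modbus_tcp", fc=3, addr=100 + (i % 2) * 100, count=10)
                  for i, t in enumerate((0.0, 1.0, 2.0, 3.0))]
MODBUS_SESSION += [Txn(t + 0.1, False, 29, "modbus_tcp", fc=3, value=v)
                   for t, v in zip((0.0, 1.0, 2.0, 3.0), (50.0, 50.5, 51.0, 90.0))]
MODBUS_SESSION.append(Txn(3.5, True, 29, "modbus_tcp", fc=16, addr=228, count=8))
MODBUS_SESSION.sort(key=lambda x: x.ts)

# Constructed IEC 104 session: two general interrogations, the second never terminated (no COT 10).
IEC104_SESSION = [
    Txn(0.0, True, 16, "iec104", fc=100, cot=6), Txn(0.05, False, 16, "iec104", fc=100, cot=7),
    Txn(0.9, False, 16, "iec104", fc=100, cot=10),
    Txn(60.0, True, 16, "iec104", fc=100, cot=6), Txn(60.05, False, 16, "iec104", fc=100, cot=7),
]


def smallest_period(seq):
    """Length of the shortest repeating unit of seq (len(seq) if it does not repeat, 0 if empty)."""
    for p in range(1, len(seq) + 1):
        if all(seq[i] == seq[i % p] for i in range(len(seq))):
            return p
    return len(seq)


def out_of_range(txns):
    """Modbus requests whose [addr, addr + count) does not fit inside one allowed window."""
    return [t for t in txns if t.proto == "modbus_tcp" and t.up and t.addr is not None
            and not any(lo <= t.addr and t.addr + t.count <= hi for lo, hi in ALLOWED_REGISTERS)]


def interrogation_integrity(txns):
    """(number of C_IC_NA_1 activations, fraction answered by both actcon and actterm before the next one)."""
    acts = [t.ts for t in txns if t.up and t.fc == 100 and t.cot == 6]
    complete = 0
    for i, t0 in enumerate(acts):
        t1 = acts[i + 1] if i + 1 < len(acts) else float("inf")
        cots = {t.cot for t in txns if not t.up and t.fc == 100 and t0 < t.ts < t1}
        complete += {7, 10} <= cots
    return len(acts), (complete / len(acts) if acts else 1.0)


def session_features(txns, window=2.0):
    ups = [t for t in txns if t.up]
    downs = [t for t in txns if not t.up]
    sizes = [t.size for t in txns]
    last = txns[-1].ts
    watched = [t for t in ups if t.fc in WATCHED_FCS and t.ts > last - window]
    samples = [(t.ts, t.value) for t in downs if t.value is not None]
    rates = [abs(v1 - v0) / (t1 - t0) for (t0, v0), (t1, v1) in zip(samples, samples[1:]) if t1 > t0]
    gi_count, gi_integrity = interrogation_integrity(txns)
    return {
        "duration": last - txns[0].ts,
        "up_down_ratio": len(ups) / max(len(downs), 1),
        "payload_mean": statistics.fmean(sizes),
        "payload_var": statistics.pvariance(sizes),
        "watched_fc_in_window": len(watched),
        "addr_pattern_period": smallest_period([t.addr for t in ups if t.addr is not None]),
        "max_telemetry_change_rate": max(rates, default=0.0),
        "gi_count": gi_count,
        "gi_response_integrity": gi_integrity,
        "modbus_out_of_range": len(out_of_range(txns)),
    }


if __name__ == "__main__":
    print(session_features(MODBUS_SESSION))
    print(session_features(IEC104_SESSION))
```

On the constructed Modbus session the poll cycle alone has address period 2; the out-of-window write at the end breaks the pattern (period becomes the full sequence length), is counted as out of range, and coincides with a telemetry jump of 39 units per second, which is the kind of combined signal the baseline and rule stages consume.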
- 6. The power network abnormal behavior monitoring system based on full-traffic analysis according to claim 1, wherein the anomaly detection and analysis module comprises a dynamic baseline modeling unit, a machine learning classifier unit, a rule matching unit and a correlation analysis unit. The dynamic baseline modeling unit learns the historical feature vectors output by the behavior feature extraction module with a time-series analysis method and establishes, for each flow session type, a multidimensional behavior baseline model comprising the normal range of feature values, their periodic pattern and the correlations among them. The machine learning classifier unit is trained on a feature vector sample set labelled in advance with normal and abnormal types; the classifier is a gradient boosting decision tree (GBDT) model that takes real-time feature vectors as input and outputs the probability that each vector belongs to a predefined abnormal type. The rule matching unit stores and matches a set of deterministic anomaly rules, each defining a specific behavior pattern that violates the security regulations of the power network. The correlation analysis unit analyzes the temporal, IP and logical relationships among anomaly events and aggregates discrete events into a complete attack scenario.
- 7. The power network abnormal behavior monitoring system based on full-traffic analysis according to claim 1, wherein the alarm and response module comprises an alarm generation unit, a visualization interface unit and a linkage interface unit. The alarm generation unit receives the anomaly judgment result output by the anomaly detection and analysis module, the result comprising the identifier of the abnormal flow session, the specific feature dimensions that triggered the anomaly, the amplitude of deviation from the baseline and the classification probability, and the identifier of the deterministic rule triggered; it assigns a threat level to each anomaly event according to a preset threat level matrix and generates a structured alarm log. The visualization interface unit graphically displays the network traffic topology, real-time traffic statistics, the list of anomaly events and their details, and provides a query and trace-back analysis interface for historical alarms. The linkage interface unit, according to the generated alarm and its threat level, sends instructions through a standard API to the existing intrusion prevention system in the power monitoring system network, the instructions including blocking a specific IP address, closing a specific network port and temporarily modifying an access control policy.
- 8. A power network abnormal behavior monitoring method based on full-traffic analysis, applicable to the power network abnormal behavior monitoring system based on full-traffic analysis according to any one of claims 1 to 7, characterized by comprising the following steps: S1, full-traffic data acquisition: the raw packets of bidirectional network traffic are captured without loss through mirror ports deployed on core network nodes and transmitted to the processing system in real time; S2, deep traffic parsing and identification: hardware acceleration and deep packet inspection are used to perform high-speed parsing, flow reassembly and deep industrial control protocol parsing on the packets, extracting enhanced flow identifiers and semantic information; S3, real-time extraction of multidimensional behavior features: active session state is maintained on the basis of the enhanced flow identifiers, and for each session the network-layer traffic features, transport-layer interaction features and application-layer industrial control service semantic features are computed in real time to produce a feature vector; S4, dynamic baseline modeling and anomaly detection: a dynamic baseline model, a pre-trained machine learning model and a deterministic rule base are used to compare and match the feature vectors comprehensively and to judge abnormal behavior; S5, alarm generation and threat response: the potential threat level of the abnormal behavior is evaluated, a structured alarm event is generated and displayed through the visualization interface, and active network-level defense measures can be triggered through the linkage interface.
- 9. The power network abnormal behavior monitoring method based on full-traffic analysis according to claim 8, wherein step S2 is specifically: S21, hardware-layer parsing: an FPGA logic circuit decapsulates the Ethernet frame, identifies the IP header and extracts the source and destination IP addresses, identifies the TCP or UDP header and extracts the source and destination port numbers, completes transport-layer flow reassembly and outputs a continuous application-layer payload; S22, protocol identification and deep parsing: the application-layer payload is fed to the deep packet inspection engine and matched in turn against the pre-stored industrial control protocol feature library to determine the protocol type; S23, for encrypted or proprietary protocol traffic, protocol fingerprint matching is performed and the basic characteristics of the session are recorded; the traffic is marked as an unknown protocol and its network-layer and transport-layer behavior features are still extracted.
- 10. The power network abnormal behavior monitoring method based on full-traffic analysis according to claim 8, wherein step S4 is specifically: S41, baseline learning stage: historical feature vector data are collected over a preset learning period, flow sessions are divided into categories by access pattern using a time-series clustering method, and a seasonal baseline model is established for each feature dimension of each category; S42, real-time deviation detection: for each real-time feature vector the session category is determined from the flow identifier, and the baseline expected value and fluctuation range for the current moment are obtained; S43, machine learning classification: the real-time feature vector is input to the trained gradient boosting classifier, which outputs a probability distribution over the preset categories; the maximum probability and its category are taken, and a model classification alarm is triggered if that category is abnormal and the probability exceeds a confidence threshold; S44, rule judgment: the flow session information is matched against the predefined deterministic security rule base, and if all conditions of a rule are met a rule alarm is triggered immediately; such alarms have the highest priority.
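Steps S41 to S44 of claim 10, the detection units of claim 6 and the threat-level matrix of claim 7, as an added example that is not code from the patent. The seasonal baseline is realised as a per (session category, hour-of-day) mean and standard deviation for each feature dimension, learned from a constructed week of hourly vectors; deviation is reported in sigmas; the GBDT classifier is not trained here, only the argmax-and-confidence gate of S43 is applied to a probability vector supplied by the caller; rule hits outrank classifier hits, which outrank baseline deviations. The two feature dimensions, the engineering-station list, the maintenance window, the rule set, the threat matrix and the history generator are all assumptions.

```python
"""Seasonal baseline, classifier gate, deterministic rules and alarm assembly (added example)."""
import statistics
from collections import defaultdict

FEATURES = ("pkts_per_min", "write_cmds_per_min")
ENGINEERING_STATIONS = {"10.10.1.5"}       # assumed: only hosts allowed to issue write/control commands
MAINTENANCE_HOURS = range(8, 18)           # assumed: remote control permitted only in this window
THREAT_MATRIX = {"rule": "critical", "classifier": "high", "baseline": "medium"}   # assumed matrix
PRIORITY = {"rule": 0, "classifier": 1, "baseline": 2}


def constructed_history(days=7):
    """Hourly feature vectors for one category: a daytime plateau plus deterministic jitter of -2..2."""
    rows = []
    for d in range(days):
        for h in range(24):
            jitter = (d * 7 + h) % 5 - 2
            rows.append(("scada_poll", h, {"pkts_per_min": 60 + (40 if h in range(8, 18) else 0) + jitter,
                                           "write_cmds_per_min": 0}))
    return rows


class SeasonalBaseline:
    def __init__(self, k=3.0):
        self.k = k                       # fluctuation range is mean +/- k * std
        self.model = {}                  # (category, hour, feature) -> (mean, std)

    def learn(self, history):            # S41
        buckets = defaultdict(list)
        for cat, hour, vec in history:
            for f in FEATURES:
                buckets[(cat, hour, f)].append(vec[f])
        for key, vals in buckets.items():
            std = statistics.pstdev(vals) if len(vals) > 1 else 0.0
            self.model[key] = (statistics.fmean(vals), max(std, 1.0))   # floor: a constant feature still needs a range

    def deviations(self, cat, hour, vec):  # S42: features outside the range, with amplitude in sigmas
        out = []
        for f in FEATURES:
            if (cat, hour, f) not in self.model:
                continue                 # no baseline for this category/hour yet: nothing to compare against
            mean, std = self.model[(cat, hour, f)]
            z = (vec[f] - mean) / std
            if abs(z) > self.k:
                out.append({"feature": f, "expected": round(mean, 1), "amplitude_sigma": round(z, 1)})
        return out


def classifier_gate(probs, threshold=0.8):   # S43: argmax over the preset categories, confidence-gated
    label, p = max(probs.items(), key=lambda kv: kv[1])
    return {"label": label, "probability": p} if label != "normal" and p >= threshold else None


RULES = [   # S44: every condition of a rule must hold (assumed rule set)
    ("R-001", "write/control command from a non-engineering host",
     lambda s: s["features"]["write_cmds_per_min"] > 0 and s["src_ip"] not in ENGINEERING_STATIONS),
    ("R-002", "remote control outside the maintenance window",
     lambda s: s["features"]["write_cmds_per_min"] > 0 and s["hour"] not in MAINTENANCE_HOURS),
]


def judge(session, baseline, probs):
    """Run S42-S44 on one session and return a structured alarm, or None when nothing fires."""
    events = [{"source": "rule", "rule_id": rid, "detail": desc} for rid, desc, cond in RULES if cond(session)]
    hit = classifier_gate(probs)
    if hit:
        events.append({"source": "classifier", **hit})
    devs = baseline.deviations(session["category"], session["hour"], session["features"])
    if devs:
        events.append({"source": "baseline", "deviations": devs})
    if not events:
        return None
    events.sort(key=lambda e: PRIORITY[e["source"]])           # rule alarms carry the highest priority
    return {"session_id": session["session_id"], "threat_level": THREAT_MATRIX[events[0]["source"]],
            "events": events}


BASELINE = SeasonalBaseline()
BASELINE.learn(constructed_history())

# Constructed real-time sessions (not captured traffic).
NIGHT_WRITES = {"session_id": "10.10.9.9:50211->10.20.0.7:502", "src_ip": "10.10.9.9", "category": "scada_poll",
                "hour": 3, "features": {"pkts_per_min": 105, "write_cmds_per_min": 6}}
DAY_POLL = {"session_id": "10.10.1.5:41000->10.20.0.7:502", "src_ip": "10.10.1.5", "category": "scada_poll",
            "hour": 12, "features": {"pkts_per_min": 101, "write_cmds_per_min": 0}}

if __name__ == "__main__":
    print(judge(NIGHT_WRITES, BASELINE, {"normal": 0.1, "illegal_control": 0.9}))
    print(judge(DAY_POLL, BASELINE, {"normal": 0.97, "illegal_control": 0.03}))
```

The same 105 packets per minute is normal at 12:00 and a 30-sigma deviation at 03:00, which is the point of keying the baseline on time of day; the night session also trips both rules, so the alarm is classified from the rule hit even though the classifier and baseline agree.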
Description
Power network abnormal behavior monitoring system and method based on full-traffic analysis
Technical Field
The invention relates to the technical field of power system network security, in particular to a system and method for monitoring abnormal behavior in a power network based on full-traffic analysis.
Background
With the deep advancement of smart grids and digital transformation, the power monitoring system network is no longer a closed system and faces increasingly severe network security threats: advanced persistent threats (APT), ransomware, illegal operations by internal personnel and attacks specifically targeting industrial control protocols have become major risks to the safe and stable operation of the power system. At present, traditional boundary protection devices such as firewalls and intrusion detection systems (IDS) are commonly deployed in power networks, but they have obvious limitations. Their protocol awareness is shallow: they cannot parse the semantics, function codes and data objects of power industrial control protocols, so malicious command injection or data theft disguised as legitimate protocol traffic cannot be identified. Their detection viewpoint is one-sided: detection based on logs or sampling cannot obtain the complete network session context, so low-frequency, slow and persistent APT attacks and lateral movement are hard to discover. They lack dynamic adaptability: power production services are strongly periodic and time-ordered, static detection rules cannot follow normal service fluctuation, and large numbers of false positives or missed detections result. Their alarms are fragmented: alarms produced by different security devices are isolated from each other, correlation analysis based on full-traffic data is lacking, the complete attack chain is hard to reconstruct, and security operations personnel carry a heavy burden of event investigation and judgment.
Patent document CN118200019B discloses a network event security monitoring method and system that improves network security monitoring and response capability, discovers abnormal nodes and potential threat events in the power network, helps to detect potential attacks or abnormal conditions early, performs threat event discrimination and generates corresponding threat discrimination events for potential threat events of the power network, and helps to classify and identify different types of threats. That patent improves the comprehensiveness and adaptability of network security protection by identifying abnormal nodes and constructing multi-level defense strategies by attack type from network events, but the protocol awareness of its monitoring system is still insufficient. Therefore, the present application provides a system and method for monitoring abnormal behavior in a power network based on full-traffic analysis, capable of modeling multidimensional behavior.
Disclosure of Invention
The invention aims to provide a system and method for monitoring abnormal behavior in a power network based on full-traffic analysis, which solve the technical problems of insufficient protocol awareness and a one-sided detection viewpoint identified in the background.
The invention provides a power network abnormal behavior monitoring system based on full-traffic analysis, deployed at a core switching node of a power monitoring system network and comprising a data acquisition module, a traffic preprocessing and parsing module, a behavior feature extraction module, an anomaly detection and analysis module and an alarm and response module. The data acquisition module captures the raw packets of the network's full traffic. The traffic preprocessing and parsing module is connected to the data acquisition module and contains a hardware parsing unit and a deep packet inspection engine; the raw packets undergo high-speed parsing, flow reassembly and deep industrial control protocol parsing, and enhanced flow identifiers and protocol semantic information are output. The behavior feature extraction module is connected to the traffic preprocessing and parsing module and computes behavior feature vectors for network sessions in real time from the flow identifiers and semantic information. The anomaly detection and analysis module is connected to the behavior feature extraction module and contains a dynamic baseline model, a machine learning classification model and an anomaly rule base. The alarm and response module is connected to the anomaly detection and analysis module and is used to generate visualized alarms and support linked response. Preferably, the data acquisition module comprises an industrial ethernet swit