CN-122027296-A - Safety situation awareness method for power grid communication network
Abstract
The invention relates to the technical field of situation awareness and discloses a method for sensing the security situation of a power grid communication network. The method comprises: performing time-sequence normalization on the multi-source heterogeneous security logs and flow data of the power grid network to obtain a multi-source security data set; performing power-protocol association analysis on the multi-source security data set to obtain a security event sequence; constructing a power grid attack knowledge graph; performing association matching between the security event sequence and the power grid attack knowledge graph, and carrying out self-adaptive sensitivity weight evaluation on the running state information of the power grid network, to obtain a threat judgment result and its confidence; performing situation analysis quantification on the asset importance and real-time load level of the power grid network to obtain a comprehensive security situation index; and mapping the comprehensive security situation index to a preset early warning strategy response library to obtain early warning signals and protection strategies. The method improves the efficiency of security situation awareness for the power grid communication network.
Inventors
- CAO MING
- ZHOU XIUMING
- MA WANGUO
- Weng Jiale
Assignees
- 南京方能自动化设备有限公司 (Nanjing Fangneng Automation Equipment Co., Ltd.)
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-02-24
Claims (10)
- 1. A method for sensing the security situation of a power grid communication network, the method comprising: S1, performing time-sequence normalization processing on the multi-source heterogeneous security logs and flow data of a power grid network to obtain a multi-source security data set of the power grid network; S2, performing power-protocol association analysis on the multi-source security data set based on the network topology relation and the power business logic of the power grid network to obtain a security event sequence of the power grid network; S3, based on a general network security framework, performing entity association analysis on the historical attack case log, the network topology structure and the asset list of the power grid network to construct a power grid attack knowledge graph of the power grid network; S4, performing association matching between the security event sequence and the power grid attack knowledge graph, and performing self-adaptive sensitivity weight evaluation on the running state information of the power grid network based on the association matching result, to obtain a threat judgment result and a confidence coefficient for the running state information; S5, performing situation analysis quantification on the asset importance and the real-time load level of the power grid network based on the threat judgment result and the confidence coefficient to obtain a comprehensive security situation index of the power grid network; and S6, mapping the comprehensive security situation index to a preset early warning strategy response library to obtain an early warning signal and a protection strategy of the power grid network.
- 2. The method for sensing the security situation of the power grid communication network according to claim 1, wherein performing time-sequence normalization processing on the multi-source heterogeneous security logs and flow data of the power grid network to obtain the multi-source security data set of the power grid network comprises: extracting the multi-source heterogeneous security logs of the security probes in the power grid network and the flow data from the flow mirror port; performing field protocol analysis on the multi-source heterogeneous security logs and the flow data to obtain standard security log entries and standard flow data records of the power grid network; aligning the standard security log entries and the standard flow data records in time sequence on a preset time axis to obtain a security event data stream and a network flow data stream of the power grid network; performing event-type feature coding on the security event data stream and session-level flow feature statistics on the network flow data stream to obtain an event feature vector sequence and a flow feature vector sequence of the power grid network; and fusing and splicing the event feature vector sequence and the flow feature vector sequence according to the time axis to obtain the multi-source security data set of the power grid network.
- 3. The method for sensing the security situation of the power grid communication network according to claim 1, wherein performing power-protocol association analysis on the multi-source security data set based on the network topology relation and the power business logic of the power grid network to obtain the security event sequence of the power grid network comprises: reading the network topology relation, which records the equipment connection relations in the power grid network, and the power business logic, which records the power grid service scheduling rules; based on the power business logic, performing logic consistency recognition on the data packets of the dedicated communication protocol of the power communication network in the multi-source security data set, and performing deep analysis on the data packets to obtain the protocol characteristics of the data packets; mapping the protocol characteristics to the source equipment and destination equipment in the power grid network according to the network topology relation, and judging the compliance of the interaction between the source equipment and the destination equipment characterized by the protocol characteristics, in combination with the power business logic and the power grid service scheduling rules, to obtain initial association events of the power grid network; performing coupling analysis on the causality and time sequence of the initial association events to obtain the atomic security events of the initial association events; and sorting and numbering the atomic security events according to their occurrence time stamps to obtain the security event sequence of the power grid network.
- 4. The method for sensing the security situation of the power grid communication network according to claim 3, wherein performing logic consistency recognition on the data packets of the dedicated communication protocol of the power communication network in the multi-source security data set based on the power business logic, and performing deep analysis on the data packets to obtain the protocol characteristics of the data packets, comprises: performing format compliance verification on the data packets based on the preset frame structure of the dedicated communication protocol of the power communication network to obtain the compliant data packets of the multi-source security data set; performing a function-code validity check on the compliant data packets and screening out the valid data packets, namely those whose function codes fall within the allowable range of the power business logic; extracting and analyzing the message header fields of the valid data packets according to the message definition of the dedicated communication protocol of the power communication network to obtain the message header characteristic information of the valid data packets; performing data analysis on the load data of the valid data packets based on the data domain structure corresponding to the function code to obtain the load characteristic information of the valid data packets; and forming the protocol characteristics of the data packets from the message header characteristic information and the load characteristic information together.
- 5. The method for sensing the security situation of the power grid communication network according to claim 1, wherein performing entity association analysis on the historical attack case log, the network topology structure and the asset list of the power grid network based on the general network security framework to construct the power grid attack knowledge graph of the power grid network comprises: performing structured data extraction on the historical attack case log, the network topology structure and the asset list of the power grid network to obtain attack case data, node connection relation data and asset attribute data of the power grid network; based on the entity types defined by the general network security framework, respectively extracting the attack behavior entities and vulnerability entities from the attack case data, the network equipment entities from the node connection relation data, and the business asset entities from the asset attribute data; establishing an association relation set among the attack behavior entities, the vulnerability entities, the network equipment entities and the business asset entities according to the association records in the historical attack case log, the connection relations in the network topology structure and the belonging relations in the asset list; and performing consistency checking and redundancy merging on the association relation set, and combining it with the attack behavior entities, the vulnerability entities, the network equipment entities and the business asset entities to construct the power grid attack knowledge graph of the power grid network.
- 6. The method according to claim 5, wherein establishing the association relation set among the attack behavior entities, the vulnerability entities, the network equipment entities and the business asset entities according to the association records in the historical attack case log, the connection relations in the network topology structure and the belonging relations in the asset list comprises: establishing causal association relations between the attack behavior entities and the vulnerability entities, and influence-path association relations between the attack behavior entities and the network equipment entities, according to the association records in the historical attack case log; establishing physical-logical connection association relations among the network equipment entities based on the connection relations in the network topology structure; establishing belonging-bearing association relations between the network equipment entities and the business asset entities according to the belonging relations in the asset list; and performing logic integration and conflict resolution on the causal association relations, the influence-path association relations, the physical-logical connection association relations and the belonging-bearing association relations to obtain the association relation set among the attack behavior entities, the vulnerability entities, the network equipment entities and the business asset entities.
- 7. The method for sensing the security situation of the power grid communication network according to claim 1, wherein performing association matching between the security event sequence and the power grid attack knowledge graph, and performing self-adaptive sensitivity weight evaluation on the running state information of the power grid network based on the association matching result to obtain the threat judgment result and the confidence coefficient of the running state information, comprises: traversing the security event sequence and extracting the event type and related asset information of each security event; performing entity association retrieval in the power grid attack knowledge graph based on the event type and the related asset information to obtain the graph substructure of the security event; dynamically adjusting the sensitivity weight coefficients of the different evaluation dimensions in the real-time running state information according to the integrity and threat level of the graph substructure, in combination with the real-time running state information of the power grid network; based on the adjusted sensitivity weight coefficients, performing weighted fusion and threat-level judgment on the running state information to obtain the threat judgment result of the running state information; and performing reliability calculation on the threat judgment result based on the power grid attack knowledge graph to obtain the confidence coefficient of the threat judgment result, wherein the confidence coefficient is calculated by the following formula: ; in the formula, the terms denote: the confidence coefficient; the dynamic weight coefficient of the match coverage; the number of event attributes in the security event sequence successfully matched to entity nodes in the graph substructure; the total number of event attributes in the security event sequence that attempt to match; the natural constant; the dynamic weight coefficient of the average match degree; the arithmetic average of the similarity between all successfully matched event attributes and the graph nodes; the dynamic weight coefficient of the timeliness-integrity composite term; the information integrity index in the real-time running state information; a preset time-decay factor; and the time difference between the current time and the average occurrence time of the related historical attack cases in the graph substructure.
- 8. The method for sensing the security situation of the power grid communication network according to claim 7, wherein dynamically adjusting the sensitivity weight coefficients of the different evaluation dimensions in the real-time running state information according to the integrity and threat level of the graph substructure, in combination with the real-time running state information of the power grid network, comprises: performing collaborative evaluation of the entity coverage rate and the relation completeness of the graph substructure to obtain an integrity evaluation value of the graph substructure; determining a threat level evaluation value of the graph substructure according to the historical hazard levels of the attack behavior entities in the graph substructure; analyzing the real-time running state information of the power grid network to obtain the current service load level and the state of the key network nodes of the power grid network; performing multidimensional weight evaluation on the integrity evaluation value, the threat level evaluation value, the current service load level and the key network node state to obtain the weight adjustment amount of the real-time running state information; and adjusting and updating the basic sensitivity weight coefficients preset in the power grid network based on the weight adjustment amount to obtain the sensitivity weight coefficients of the power grid network.
- 9. The method for sensing the security situation of the power grid communication network according to claim 1, wherein performing situation analysis quantification on the asset importance and the real-time load level of the power grid network based on the threat judgment result and the confidence coefficient to obtain the comprehensive security situation index of the power grid network comprises: acquiring the threat judgment result, the confidence coefficient corresponding to the threat judgment result, the importance level data of the assets in the power grid network and the real-time load level data of the key nodes in the power grid network; standardizing the threat judgment result, the importance level data and the real-time load level data to obtain a standardized threat value, a standardized asset importance value and a standardized load level value; performing weighted correction on the threat judgment result based on the confidence coefficient to obtain the corrected threat information of the threat judgment result; performing quantitative fusion analysis on the corrected threat information, the asset importance value and the load level value to obtain a multidimensional situation quantized value of the power grid network; and performing risk assessment on the multidimensional situation quantized value to obtain the comprehensive security situation index of the power grid network.
- 10. The method for sensing the security situation of the power grid communication network according to claim 1, wherein mapping the comprehensive security situation index to the preset early warning strategy response library to obtain the early warning signal and the protection strategy of the power grid network comprises: comparing the comprehensive security situation index against preset security situation grade thresholds to obtain the security situation grading result of the comprehensive security situation index; searching and matching in the preset early warning strategy response library based on the security situation grading result to obtain the preliminary early warning signals and preliminary protection strategies for the security situation grading result; performing logic conflict verification and priority sequencing on the preliminary early warning signals and the preliminary protection strategies to obtain a candidate early warning signal set and a candidate protection strategy set for the security situation grading result; and synchronously screening the candidate early warning signal set and the candidate protection strategy set according to the current running mode and the strategy execution history of the power grid network to obtain the early warning signals and protection strategies of the power grid network.
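Claim 7 lists the terms of the confidence formula (match coverage, average match degree, and a timeliness-integrity term decayed through the natural constant) but the formula itself did not survive extraction. The block below is an added example, not the patent's own code: it implements one assumed weighted combination of exactly those terms, with a constructed Jaccard token similarity standing in for the unspecified attribute-to-node similarity; the weights, match threshold, event attributes and graph node labels are all assumptions.

```python
import math
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass
class MatchResult:
    successes: int          # event attributes matched to a node of the graph substructure
    attempts: int           # event attributes that attempted a match
    avg_similarity: float   # arithmetic mean similarity over the successful matches


def _tokens(text: str) -> set:
    """Lower-cased alphanumeric tokens; Jaccard over them is the assumed similarity metric."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a: str, b: str) -> float:
    ta, tb = _tokens(a), _tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def match_event_to_substructure(event_attrs: Iterable[str], graph_nodes: Iterable[str],
                                threshold: float = 0.5) -> MatchResult:
    """Try every event attribute against every node of the retrieved graph substructure;
    an attribute counts as matched when its best similarity reaches the threshold."""
    nodes = list(graph_nodes)
    attempts, sims = 0, []
    for attr in event_attrs:
        attempts += 1
        best = max((jaccard(attr, node) for node in nodes), default=0.0)
        if best >= threshold:
            sims.append(best)
    avg = sum(sims) / len(sims) if sims else 0.0
    return MatchResult(len(sims), attempts, avg)


def confidence(m: MatchResult, integrity: float, decay: float, delta_t: float,
               w_cov: float = 0.4, w_sim: float = 0.3, w_int: float = 0.3) -> float:
    """Assumed combination of the terms the claim lists (not the patent's formula):
         w_cov * successes / attempts               match-coverage term
       + w_sim * avg_similarity                     average-match-degree term
       + w_int * integrity * e^(-decay * delta_t)   timeliness-integrity composite term
    Weights must sum to 1 so the result stays within [0, 1]."""
    if not math.isclose(w_cov + w_sim + w_int, 1.0):
        raise ValueError("dynamic weight coefficients must sum to 1")
    if not 0.0 <= integrity <= 1.0 or decay < 0.0 or delta_t < 0.0:
        raise ValueError("integrity must lie in [0, 1]; decay and delta_t must be non-negative")
    coverage = m.successes / m.attempts if m.attempts else 0.0
    timeliness = integrity * math.exp(-decay * delta_t)
    return w_cov * coverage + w_sim * m.avg_similarity + w_int * timeliness


# Constructed sample input: attributes of one security event and the node labels of the
# graph substructure retrieved for it (all labels are made up for this example).
EVENT_ATTRS = ["rtu-07", "firmware tamper", "unknown-host"]
GRAPH_NODES = ["rtu-07", "firmware tamper config write", "cve-placeholder"]

if __name__ == "__main__":
    result = match_event_to_substructure(EVENT_ATTRS, GRAPH_NODES)
    # delta_t is in the same unit as 1/decay; here the related cases are 10 units old
    print(result, confidence(result, integrity=0.9, decay=0.1, delta_t=10.0))
```

With the sample input two of three attributes match, so the coverage term is 2/3 and the mean similarity 0.75; the same match scored against older historical cases yields a lower confidence because of the decay term.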
Description
Technical Field
The invention relates to the technical field of situation awareness, and in particular to a security situation awareness method for a power grid communication network.
Background
During the operation of a power grid communication network, massive heterogeneous security logs and flow data are generated. Existing security situation awareness methods lack an efficient time-sequence normalization scheme and cannot convert data of different formats and sources into a unified standard basis for analysis, so data integration takes a long time and the latent association information among the data is hard to mine. Meanwhile, when the dedicated power communication protocol is analyzed, the particular network topology relation and power business logic of the power grid are not fully taken into account, so the protocol features extracted from data packets are not accurate enough, compliant operations and abnormal behaviors cannot be effectively distinguished, security events are missed or misjudged, and the reliability of the basic data for situation awareness is seriously affected. In the links of attack knowledge graph construction and threat assessment, the prior art has obvious shortcomings.
On the one hand, the entity association analysis of the historical attack cases, the network topology structure and the asset list is not deep enough, the complete association chain among attack behaviors, vulnerabilities, network equipment and business assets is not built, the association and integrity of the knowledge graph are insufficient, and the matching precision between security events and attack knowledge is low; on the other hand, the threat assessment process lacks an adaptive sensitivity weight adjustment mechanism, the assessment dimensions cannot be dynamically optimized according to the real-time running state, business load level and key node state of the power grid, the confidence of the threat judgment result is insufficient, and the quantification of the comprehensive security situation index lacks a scientific basis. Together, these two kinds of problems cause the early warning signals of existing methods to be issued late and the protection strategies to be poorly targeted, so the high-precision and real-time requirements of the power grid communication network for security situation awareness are hard to meet.
Disclosure of Invention
The invention provides a security situation awareness method for a power grid communication network to solve the problems described in the background.
In order to achieve the above object, the invention provides a method for sensing the security situation of a power grid communication network, comprising: S1, performing time-sequence normalization processing on the multi-source heterogeneous security logs and flow data of a power grid network to obtain a multi-source security data set of the power grid network; S2, performing power-protocol association analysis on the multi-source security data set based on the network topology relation and the power business logic of the power grid network to obtain a security event sequence of the power grid network; S3, based on a general network security framework, performing entity association analysis on the historical attack case log, the network topology structure and the asset list of the power grid network to construct a power grid attack knowledge graph of the power grid network; S4, performing association matching between the security event sequence and the power grid attack knowledge graph, and performing self-adaptive sensitivity weight evaluation on the running state information of the power grid network based on the association matching result, to obtain a threat judgment result and a confidence coefficient for the running state information; S5, performing situation analysis quantification on the asset importance and the real-time load level of the power grid network based on the threat judgment result and the confidence coefficient to obtain a comprehensive security situation index of the power grid network; and S6, mapping the comprehensive security situation index to a preset early warning strategy response library to obtain an early warning signal and a protection strategy of the power grid network.
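As an added example of steps S5 and S6 (claims 9 and 10), not code from the patent: the block standardizes the threat judgment, corrects it by its confidence, fuses it with asset importance and real-time load into a comprehensive index, grades the index against thresholds, looks up the strategy library, resolves conflicts in priority order, and finally screens by running mode and execution history. The value scales, weights, thresholds, signal colours and strategy library are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed grade thresholds (index floor -> grade), signals and strategy library.
# These are assumptions for the example, not the patent's preset values.
GRADE_THRESHOLDS = [(0.75, "critical"), (0.50, "high"), (0.25, "medium"), (0.0, "low")]
SIGNALS = {"critical": "red", "high": "orange", "medium": "yellow", "low": "blue"}


@dataclass(frozen=True)
class Strategy:
    name: str
    priority: int                        # lower value executes first
    modes: frozenset                     # running modes in which the strategy may execute
    excludes: frozenset = frozenset()    # lower-priority strategies it conflicts with


ALL_MODES = frozenset({"normal", "peak", "maintenance"})
STRATEGY_LIBRARY = {
    "critical": [
        Strategy("isolate_segment", 1, frozenset({"normal", "peak"}), frozenset({"rate_limit_link"})),
        Strategy("rate_limit_link", 2, ALL_MODES),
        Strategy("page_duty_engineer", 3, ALL_MODES),
    ],
    "high": [Strategy("rate_limit_link", 1, ALL_MODES), Strategy("page_duty_engineer", 2, ALL_MODES)],
    "medium": [Strategy("raise_log_verbosity", 1, ALL_MODES)],
    "low": [],
}


def normalize(value: float, lo: float, hi: float) -> float:
    """Standardize a raw value onto [0, 1], clamping out-of-range inputs."""
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def comprehensive_index(threat: float, confidence: float, asset_level: int, load_pct: float,
                        w_threat: float = 0.5, w_asset: float = 0.3, w_load: float = 0.2) -> float:
    """Step S5: threat on an assumed 0..10 scale, corrected by its confidence, fused with an
    asset importance level 0..5 and the real-time load in percent."""
    corrected_threat = normalize(threat, 0, 10) * confidence   # confidence-weighted correction
    return (w_threat * corrected_threat
            + w_asset * normalize(asset_level, 0, 5)
            + w_load * normalize(load_pct, 0, 100))


def grade(index: float) -> str:
    """Deviation comparison against the preset grade thresholds."""
    for floor, name in GRADE_THRESHOLDS:
        if index >= floor:
            return name
    return "low"


def select_strategies(grade_name: str, running_mode: str, history) -> list:
    """Library lookup, then conflict verification in priority order, then screening by the
    current running mode and the strategies already executed (the execution history)."""
    kept = []
    for s in sorted(STRATEGY_LIBRARY[grade_name], key=lambda s: s.priority):
        if any(s.name in k.excludes for k in kept):
            continue                     # conflicts with a higher-priority strategy already kept
        kept.append(s)
    return [s.name for s in kept if running_mode in s.modes and s.name not in history]


def early_warning(index: float, running_mode: str, history=frozenset()) -> tuple:
    """Step S6: map the comprehensive index to an early warning signal and protection strategies."""
    g = grade(index)
    return SIGNALS[g], select_strategies(g, running_mode, history)
```

Note that conflict resolution runs before mode screening, as the claim orders it, so a strategy excluded by a higher-priority one stays excluded even when that higher-priority strategy is later screened out by the running mode.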
In a preferred embodiment, the performing time sequence normalization processing on the multi-source heterogeneous security log and the flow data of the power grid network to obtain a multi-source security data set of the power grid network includes: extracting multi-source heterogeneous security logs of security probes in a power grid network and flow data in a flow mirror port; Performing field protocol analysis on the multi-source heterogeneous security log and the flow data to obtain standard security log entries and standa