CN-122027297-A - Time-lapse power grid attack detection method, device and equipment
Abstract
The invention provides a time-lapse power grid attack detection method, device and equipment, and relates to the technical field of intelligent power grid information security. The method comprises the steps of obtaining real-time upper-bound estimation and real-time lower-bound estimation of a system state based on a preset interval observer, obtaining the preset interval observer according to a time-lag state space model of a power grid to be detected, forming a real-time interval residual vector according to the real-time upper-bound estimation and the real-time lower-bound estimation of the system state and a sensor measurement output vector of the system state of the power grid to be detected, performing smoothing and safety margin adjustment on the real-time interval residual vector to generate an interval residual upper-bound threshold and an interval residual lower-bound threshold, and comparing the real-time interval residual vector with the interval residual upper-bound threshold and the interval residual lower-bound threshold to obtain an attack detection result. The method and the device can solve the problem that the reliability and the robustness of false data injection attack detection are insufficient due to the fact that the smart grid has time lag characteristics, model uncertainty, unknown disturbance and the like.
Inventors
- WANG XINYU
- HAN WANJUN
- LUO XIAOYUAN
- LI SHAOBAO
Assignees
- Yanshan University (燕山大学)
Dates
- Publication Date: 20260512
- Application Date: 20260225
Claims (10)
- 1. The time-lapse power grid attack detection method is characterized by comprising the following steps: acquiring real-time upper bound estimation and real-time lower bound estimation of a system state of a power grid to be detected based on a preset interval observer designed for the power grid to be detected, wherein the preset interval observer is obtained according to a state space model of the power grid to be detected, and the state space model comprises a system input time lag matrix of the power grid to be detected and a system state after subtracting communication time delay; calculating a real-time residual upper bound and a real-time residual lower bound of the system state according to the real-time upper bound estimation and the real-time lower bound estimation of the system state and a sensor measurement output vector of the system state of the power grid to be detected to form a real-time interval residual vector; performing exponential moving average smoothing on the real-time interval residual vector, and adjusting the real-time interval residual vector subjected to exponential moving average smoothing according to an adjustable safety margin to generate an interval residual upper boundary threshold value and an interval residual lower boundary threshold value; and comparing the real-time interval residual vector with the interval residual upper boundary threshold value and the interval residual lower boundary threshold value, and obtaining an attack detection result according to a comparison result.
- 2. The time-lapse power grid attack detection method according to claim 1, wherein the state space model further comprises known system disturbance and unknown bounded system disturbance of the power grid to be detected; the determining process of the preset interval observer comprises the following steps: determining a time lag compensation term according to a system input time lag matrix of the power grid to be detected and a system state after subtracting the communication time lag; determining disturbance compensation terms according to known system disturbance and unknown bounded system disturbance of the power grid to be detected; and determining the preset interval observer according to the state space model, the time lag compensation term and the disturbance compensation term.
- 3. The time-lapse grid attack detection method according to claim 2, wherein the state space model is: ; Wherein, the Is the input state of the ith monitoring node in the power grid to be detected at the moment t, , For the power angle of the ith monitoring node at time t, For the angular velocity of the ith monitoring node at time t, A i is the first input matrix of the ith monitoring node, B i is the second input matrix of the ith monitoring node, A time lag matrix is input for the system of the ith monitoring node, , , , For the damping coefficient of the ith monitoring node, For the moment of inertia of the ith monitor node, Is the system input identity matrix of the ith monitoring node, The input coupling time lag coefficient for the ith monitor node, Is the time delay of the communication and, A known system perturbation matrix for the ith monitoring node, For the observation matrix of the i-th monitoring node, For the noise matrix of the ith monitoring node, For an unknown bounded system disturbance of the ith monitoring node at time t, For unknown bounded measurement noise of the ith monitoring node at time t, u i (t) is the control input of the ith monitoring node at time t, , For the mechanical power input of the ith monitoring node, The output active power for the ith monitoring node, The output vector is measured for the sensor of the ith monitoring node at time t.
- 4. The time-lapse power grid attack detection method according to claim 2, wherein the preset interval observer is: ; Wherein, the The derivative estimated for the upper state bound of the ith monitoring node at time t, The derivative estimated for the state lower bound of the ith monitoring node at time t, For the upper bound estimate of the state of the ith monitoring node at time t, For the state lower bound estimation of the ith monitoring node at time t, The output vector is measured for the sensor of the ith monitoring node at time t, For the control input of the ith monitoring node at time t, The upper bound of the observer gain matrix for the ith monitoring node, The observer gain matrix lower bound for the ith monitoring node, The upper bound of the disturbance compensation term for the ith monitoring node, The lower bound of the disturbance compensation term for the ith monitoring node, , , A known system perturbation matrix for the ith monitoring node, 、 Is that Two nonnegative matrices of decomposition, and , For an unknown bounded system disturbance of the ith monitoring node, The upper bound of the skew compensation term for the ith monitoring node, The lower bound of the skew compensation term for the ith monitoring node, , , A time lag matrix is input for the system of the ith monitoring node, 、 Is that Two nonnegative matrices of decomposition, and , A first input matrix for the ith monitoring node, A second input matrix for the ith monitoring node, Is the observation matrix of the ith monitoring node.
- 5. The method for detecting a time-lapse power grid attack according to claim 1, wherein calculating the upper and lower real-time residual boundaries of the system state according to the real-time upper and lower boundary estimates of the system state and the sensor measurement output vector of the system state of the power grid to be detected to form a real-time interval residual vector comprises: According to Constructing a real-time interval residual error vector; Wherein, the Real-time interval residual vector for ith monitoring node at t moment Is defined by the upper bound of (c), Real-time interval residual vector for ith monitoring node at t moment Is defined by the lower boundary of the (c), The output vector is measured for the sensor of the ith monitoring node at time t, For the observation matrix of the i-th monitoring node, For the upper bound estimate of the state of the ith monitoring node at time t, For the state lower bound estimation of the ith monitoring node at time t, For the noise matrix of the ith monitoring node, 、 Is that Two nonnegative matrices of decomposition, and , For the unknown bounded measurement noise of the ith monitoring node at time t, Is that Is defined by the upper bound of (c), Is that Is defined below.
- 6. The method for detecting a time-lapse power grid attack according to claim 1, wherein the performing an exponential moving average smoothing on the real-time interval residual vector and adjusting the real-time interval residual vector after the exponential moving average smoothing according to an adjustable safety margin to generate an interval residual upper boundary threshold and an interval residual lower boundary threshold comprises: carrying out exponential moving average processing on the real-time interval residual vector; and calculating the product of the real-time interval residual vector after the exponential moving average processing and the safety margin weight, and adding the product to the upper bound of the safety margin deviation and the lower bound of the safety margin deviation respectively to generate an interval residual upper bound threshold value and an interval residual lower bound threshold value.
- 7. The time-lapse grid attack detection method according to claim 6, wherein the interval residual upper bound threshold and the interval residual lower bound threshold are: ; Wherein, the An upper boundary threshold value of the interval residual error of the ith monitoring node at the moment t, The interval residual error lower threshold value of the ith monitoring node at the moment t, Representing an upper bound to real-time residuals in the real-time interval residual vector Is a moving average of the indices of (a), Representing a real-time residual lower bound in the real-time interval residual vector Is a moving average of the indices of (a), Real-time interval residual vector for ith monitoring node at t moment Is defined by the upper bound of (c), Real-time interval residual vector for ith monitoring node at t moment Is defined by the lower boundary of the (c), As an upper bound for the safety margin weight, For the lower bound of the safety margin weight, As an upper bound for the safety margin deviation, Is the lower bound of the safety margin deviation.
- 8. The time-lapse power grid attack detection method according to claim 1, wherein comparing the real-time interval residual vector with the interval residual upper bound threshold and the interval residual lower bound threshold, and obtaining an attack detection result according to the comparison result comprises: comparing an upper real-time residual error boundary in the real-time interval residual error vector with the interval residual error upper boundary threshold value, and comparing a lower real-time residual error boundary in the real-time interval residual error vector with the interval residual error lower boundary threshold value; if the upper boundary of the real-time residual error in the real-time interval residual error vector is larger than the upper boundary threshold of the interval residual error, or the lower boundary of the real-time residual error in the real-time interval residual error vector is smaller than the lower boundary threshold of the interval residual error, judging that a false data injection attack exists at the corresponding monitoring node.
- 9. A time-lapse grid attack detection device, comprising: the system comprises a first processing module, a second processing module and a third processing module, wherein the first processing module is used for obtaining real-time upper bound estimation and real-time lower bound estimation of the system state of the power grid to be detected based on a preset interval observer designed for the power grid to be detected, the preset interval observer is obtained according to a state space model of the power grid to be detected, and the state space model comprises a system input time lag matrix of the power grid to be detected and a system state after subtracting communication time delay; the second processing module is used for calculating the real-time residual upper bound and the real-time residual lower bound of the system state according to the real-time upper bound estimation and the real-time lower bound estimation of the system state and the sensor measurement output vector of the system state of the power grid to be detected to form a real-time interval residual vector; the third processing module is used for carrying out exponential moving average smoothing on the real-time interval residual vector, and adjusting the real-time interval residual vector subjected to exponential moving average smoothing according to the adjustable safety margin to generate an interval residual upper boundary threshold value and an interval residual lower boundary threshold value; and the fourth processing module is used for comparing the real-time interval residual vector with the interval residual upper-bound threshold value and the interval residual lower-bound threshold value, and obtaining an attack detection result according to a comparison result.
- 10. A time lapse grid attack detection device comprising a memory and a processor, the memory storing a computer program, the processor implementing the method of any of claims 1 to 8 when executing the computer program.
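The threshold generation of claim 6 and the comparison rule of claim 8, as an added Python example that is not part of the patent text. The residual bounds are taken as given inputs because the page's formulas for them are missing; the class and parameter names, the numeric values and the `freeze_on_alarm` option are assumptions, and the trace is constructed.

```python
from dataclasses import dataclass

@dataclass
class Margin:
    """Hypothetical parameter names; values are constructed, not from the patent."""
    alpha: float = 0.2      # EMA smoothing factor
    w_upper: float = 1.5    # safety margin weight, upper bound
    w_lower: float = 1.5    # safety margin weight, lower bound
    d_upper: float = 0.05   # safety margin deviation, upper bound
    d_lower: float = -0.05  # safety margin deviation, lower bound

class IntervalResidualDetector:
    """One scalar output channel of one monitoring node."""
    def __init__(self, m: Margin, freeze_on_alarm: bool = False):
        self.m, self.freeze = m, freeze_on_alarm
        self.ema_u = self.ema_l = None

    def step(self, r_u: float, r_l: float):
        m = self.m
        if self.ema_u is None:  # seed the EMA with the first sample
            self.ema_u, self.ema_l = r_u, r_l
        # Exponential moving average of each residual bound (claim 6).
        ema_u = m.alpha * r_u + (1 - m.alpha) * self.ema_u
        ema_l = m.alpha * r_l + (1 - m.alpha) * self.ema_l
        # Threshold = weight * smoothed residual + deviation (claim 6).
        thr_u = m.w_upper * ema_u + m.d_upper
        thr_l = m.w_lower * ema_l + m.d_lower
        # Claim 8: alarm if either residual bound leaves its threshold.
        alarm = r_u > thr_u or r_l < thr_l
        # Assumption (not in the claims): optionally hold the baseline
        # while alarming so a sustained bias is not learned as normal.
        if not (alarm and self.freeze):
            self.ema_u, self.ema_l = ema_u, ema_l
        return alarm, thr_u, thr_l

# Constructed trace of (residual upper bound, residual lower bound):
# 10 nominal samples, then 8 samples with a +0.25 measurement bias.
TRACE = [(0.10, -0.30)] * 10 + [(0.35, -0.05)] * 8

def alarm_indices(trace, freeze_on_alarm=False):
    """Return the sample indices at which the detector raises an alarm."""
    det = IntervalResidualDetector(Margin(), freeze_on_alarm)
    return [i for i, (r_u, r_l) in enumerate(trace) if det.step(r_u, r_l)[0]]

if __name__ == "__main__":
    print("adaptive baseline:", alarm_indices(TRACE))
    print("frozen baseline:  ", alarm_indices(TRACE, freeze_on_alarm=True))
```

With these assumed parameters the adaptive baseline alarms at the first two biased samples and then clears as the moving average absorbs the bias, while the frozen baseline keeps alarming for all eight; an alarm latch or baseline hold is therefore worth deciding explicitly when tuning the smoothing factor and margins.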
Description
Time-lapse power grid attack detection method, device and equipment
Technical Field
The invention relates to the technical field of intelligent power grid information security, in particular to a time-lapse power grid attack detection method, device and equipment.
Background
With the large-scale deployment of advanced measurement systems, wide-area measurement systems and state sensing systems based on distributed sensing networks in smart grids, grid operation depends increasingly on the timeliness and accuracy of information systems. However, in an actual smart grid, delays such as measurement signal transmission delay, controller execution delay and wide-area communication delay are common, so the dynamic characteristics of the grid system show significant time-lag characteristics, and the smart grid in practice behaves as a time-lag grid. These time-lag characteristics give malicious attacks an opening to exploit. For example, a False Data Injection Attack (FDIA) can utilize the time-lag uncertainty of the power grid system, maliciously tamper with sensor measurement data or state estimation data, and bypass a traditional bad data detection mechanism based on residual analysis by precisely matching the dynamic response characteristic of the time-lag system, so that the control center misjudges the running state of the power grid. Such misjudgment can directly cause serious consequences such as scheduling instruction deviation and misoperation or refusal to operate of relay protection devices, and can even induce systemic safety events such as large-area power failure and equipment damage, posing a serious challenge to the safe and stable operation of the smart grid.
To cope with FDIA threats, various attack detection schemes have been proposed in the prior art. Detection methods based on state estimation are the most widely used, and typical techniques include Kalman filters and their improved variants (such as extended Kalman filters and unscented Kalman filters). The core idea of these methods is to construct a state estimator based on a power grid system model and to judge whether data tampering exists by examining the residual between the estimated value and the actual measured value. However, most existing detection schemes are built on ideal non-time-lapse system model assumptions and depend on known noise statistics, so they are significantly disconnected from the actual running environment of the smart grid and their detection performance is limited in several ways. On one hand, the existing methods fail to fully consider the transmission delay, dynamic time lag and time lag randomness that are common in an actual power grid; when time lag exists in the system, the state estimation precision is greatly reduced, the reliability of residual analysis is seriously weakened, and the false alarm rate of attack detection is obviously increased. On the other hand, complex model errors (such as power grid parameter perturbation and dynamic changes of the topological structure) and unknown perturbations (such as random load fluctuation and external interference) exist in the actual running process of the smart grid, and the existing detection methods have weak robustness to these uncertainty factors, so it is difficult for them to detect attacks stably under complex working conditions.
In addition, the traditional detection method adopts a point observer architecture and can output only a single state estimation value. It cannot quantify the state estimation uncertainty boundary caused by the combined action of model uncertainty, unknown input and the time-lag effect in a time-lag system, and it is difficult to construct a reliable residual evaluation interval. As a result, the attack detection criterion lacks strict theoretical support, attack behaviors cannot be effectively distinguished from normal disturbance, and the application effect of the criterion in an actual smart grid is further limited. Therefore, there is an urgent need for a technical scheme that explicitly handles system time lag, is strongly robust to unknown input and model uncertainty, outputs a feasible interval for the state estimation of the time-lag system, and provides reliable criterion support for attack detection, so that the gap in the prior art is filled and the defensive capability of the smart grid against FDIA is improved.
Disclosure of Invention
The embodiment of the invention provides a time-lapse power grid attack detection method, device and equipment, which are used for solving the problems of insufficient reliability and robustness of false data injection attack detection caused by time-lapse characteristics, model uncertainty,