
CN119652580B - A network security detection method and system during virtual power plant operation and maintenance - Google Patents

A network security detection method and system during virtual power plant operation and maintenance

Info

Publication number
CN119652580B
Authority
CN
China
Prior art keywords
data
data stream
anomaly
format file
power plant
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411740555.XA
Other languages
Chinese (zh)
Other versions
CN119652580A (en)
Inventor
卢月稼
杨忠光
杜洋
胡珊珊
郭灵瑜
梁伟朋
吴司敏
都书泽
曹博源
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Metrology Association
State Grid Shanghai Electric Power Co Ltd
Original Assignee
Shanghai Metrology Association
State Grid Shanghai Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Metrology Association and State Grid Shanghai Electric Power Co Ltd. Published as CN119652580A; granted as CN119652580B. Legal status: active.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract


The present application relates to the field of network security detection technology, and specifically to a network security detection method and system during the operation and maintenance of a virtual power plant, the method comprising: collecting network traffic data of the electric power Internet of Things where the virtual power plant is located; constructing an IP anomaly coefficient based on the distribution characteristics of the source IP address and the destination IP address in different network environments of the electric power Internet of Things where the virtual power plant is located; and constructing an abnormal traffic confidence level based on the time distribution differences between abnormal IP address pattern changes; extracting multi-dimensional statistical feature data of all data streams in a pcap format file, obtaining the anomaly score of each data stream and making corrections, and detecting network security during the operation and maintenance of the virtual power plant based on the corrected value of the anomaly score. The present application aims to take into account the pattern changes of IP addresses between network traffic data in the electric power Internet of Things where the virtual power plant is located, and to improve the accuracy of network security detection results.

Description

Network security detection method and system in operation and maintenance process of virtual power plant
Technical Field
The application relates to the technical field of network security detection, in particular to a network security detection method and system in the operation and maintenance process of a virtual power plant.
Background
The virtual power plant is based on the Internet of things, and integrates and cooperatively manages scattered power resources (such as a distributed power supply, energy storage equipment, controllable loads and the like) in a power grid to form a uniform and controllable power energy management system. The virtual power plant is used as an advanced form of the electric power Internet of things, network security detection in the operation and maintenance process of the virtual power plant is a part of the safety management of the electric power Internet of things, and the network security detection is very important for guaranteeing the stable operation of the virtual power plant. The network traffic anomaly detection is a part of the network security detection of the virtual power plant, and is helpful for timely finding and responding to potential network attacks or system faults, so that corresponding security measures are taken to ensure the safe operation of the electric power Internet of things where the virtual power plant is located.
Conventional network traffic anomaly detection extracts multidimensional statistical features from the traffic data and applies an anomaly detection algorithm, such as the local outlier factor (LOF) algorithm, to identify anomalous traffic. This considers only the numerical distribution of the statistical features and ignores changes in the pattern of IP addresses across the traffic, so it cannot distinguish occasional fluctuations in normal traffic from the anomalous traffic generated by a malicious attack. The result is a higher risk of missed and false reports of anomalous traffic, so that potential network attacks or system faults during virtual power plant operation and maintenance are not found and responded to accurately, and the power Internet of things in which the virtual power plant operates cannot be managed securely and effectively.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a network security detection method and system in the operation and maintenance process of a virtual power plant, so as to solve the above problems.
The first aspect of the application provides a network security detection method in a virtual power plant operation and maintenance process, which comprises the following steps:
capturing the traffic packets of the virtual power plant with a packet capture tool and storing them as a pcap format file; taking the pcap format file covering each detection moment and a preset number of detection moments before it as the pcap format file AT; extracting the timestamp and five-tuple of every packet in the pcap format file AT; and grouping the packets by five-tuple to obtain the individual data streams, where the five-tuple comprises at least the source IP address and the destination IP address;
obtaining the IP anomaly coefficient of each data stream in the pcap format file AT from the distribution of destination and source IP addresses over all data streams; dividing the time period covered by the pcap format file AT into a preset number of equal timestamp intervals; obtaining, for each data stream and each timestamp interval, a local IP anomaly coefficient from the distribution of source and destination IP addresses of the packets of all data streams that fall in that interval; and obtaining the abnormal traffic confidence of each data stream from its IP anomaly coefficient and its local IP anomaly coefficients over all timestamp intervals;
extracting multidimensional statistical features of each data stream in the pcap format file AT, obtaining an anomaly score for each data stream with an anomaly detection algorithm, correcting the anomaly score with the abnormal traffic confidence of that data stream, and performing network security detection on all data streams in the pcap format file AT based on the corrected anomaly scores.
The IP anomaly coefficient of each data stream is obtained as follows:
in the pcap format file AT, the source IP characteristic value of each data stream is obtained from the uniformity of the distribution of source IP addresses over all data streams that share the destination IP address of that data stream;
the destination IP characteristic value of each data stream is obtained from the uniformity of the distribution of destination IP addresses over all data streams that share the source IP address of that data stream;
and the ratio of the source IP characteristic value to the destination IP characteristic value of each data stream is taken as the IP anomaly coefficient of that data stream.
The source IP characteristic value of each data stream is obtained as follows:
in the pcap format file AT, the set of all data streams with the same destination IP address as the data stream is recorded as the first data stream set, and the information entropy of the source IP addresses of all data streams in the first data stream set is taken as the source IP characteristic value of the data stream.
The destination IP characteristic value of each data stream is obtained as follows:
in the pcap format file AT, the set of all data streams with the same source IP address as the data stream is recorded as the second data stream set, and the information entropy of the destination IP addresses of all data streams in the second data stream set is taken as the destination IP characteristic value of the data stream.
The local IP anomaly coefficient of each data stream in any timestamp interval is obtained as follows:
the set of all packets of the data stream whose timestamps fall in that interval is taken as the local data stream of that data stream in that interval;
the packets of the local data streams of all data streams of the pcap format file AT in that interval form the packet set of that interval;
and the local IP anomaly coefficient of each data stream in that interval is computed from its local data stream and the packet set with the same calculation method as the IP anomaly coefficient.
The abnormal traffic confidence of each data stream is obtained as follows:
a negative-correlation mapping of the dispersion of the local IP anomaly coefficients of the data stream over all timestamp intervals is computed, and its fusion with the IP anomaly coefficient of the data stream is taken as the abnormal traffic confidence of that data stream.
The obtaining the anomaly score of each data stream specifically comprises the following steps:
After the multidimensional statistical feature data extracted from each data stream is normalized, mapping the multidimensional statistical feature data into each data point in a multidimensional space, and taking all the data points as the input of an anomaly detection algorithm to obtain the anomaly score of each data stream.
The anomaly score is corrected by taking the product of the anomaly score and the abnormal traffic confidence of each data stream as the corrected anomaly score of that data stream.
Network security detection on all data streams in the pcap format file AT comprises the following steps:
obtaining a segmentation threshold with a threshold segmentation algorithm from the corrected anomaly scores of all data streams in the pcap format file AT, and screening out the data streams whose corrected anomaly score falls on the anomalous side of that threshold;
when the ratio of the number of packets in the screened data streams to the number of all packets in the pcap format file AT is greater than or equal to a preset threshold, judging that the destination IP addresses of the screened data streams have a network security problem; otherwise judging that no network security problem exists.
In a second aspect, an embodiment of the present application further provides a network security detection system in a virtual power plant operation and maintenance process, where the network security detection system includes a memory, a processor, and a computer program stored in the memory and running on the processor, where the processor executes the computer program to implement the steps of any one of the methods described above.
The application has at least the following beneficial effects:
In this scheme the traffic packets of the virtual power plant are captured with a packet capture tool and saved as a pcap format file, the window of interest is cut out, and the source and destination IP addresses of its packets are obtained, so that the network condition can be judged from the distribution of those addresses. The IP anomaly coefficient of each data stream, derived from the distribution of destination and source IP addresses over all data streams, quantifies the difference between the address distribution of the normal traffic of the power Internet of things where the virtual power plant is located and that of the abnormal traffic generated by a DDoS attack. The local IP anomaly coefficient of each data stream in each timestamp interval, derived from the source and destination IP addresses of the packets in that interval, captures how the IP address pattern of each data stream changes over time, which separates the sustained pattern of attack traffic from occasional fluctuations in normal traffic. Correcting the anomaly score obtained from the statistical features with the resulting abnormal traffic confidence improves the detection accuracy for the abnormal traffic generated when the power Internet of things where the virtual power plant is located is attacked, reduces the risk of missed and false reports, and thereby improves the network security management of that power Internet of things.
Drawings
FIG. 1 is a flowchart illustrating a method for detecting network security in a virtual power plant operation and maintenance process according to an embodiment of the present application;
fig. 2 is a flowchart for obtaining an abnormal traffic confidence according to an embodiment of the present application.
Detailed Description
In describing embodiments of the present application, words such as "exemplary," "or," "such as," and the like are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary," "or," "such as," and the like are intended to present related concepts in a concrete fashion.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It should be further noted that the terms "first" and "second" in the present disclosure and the accompanying drawings are used to distinguish similar objects from each other, and are not used to describe a specific order or sequence. The method disclosed in the embodiments of the present application or the method shown in the flowchart includes one or more steps for implementing the method, and the execution sequence of the steps may be interchanged with each other, where some steps may be deleted without departing from the scope of the present application.
The application provides a network security detection method and a network security detection system in the operation and maintenance process of a virtual power plant, which are specifically described with reference to the accompanying drawings.
Referring to fig. 1, a flowchart of a network security detection method in a virtual power plant operation and maintenance process according to an embodiment of the application is shown, and the method includes the following steps:
The first step: the traffic packets of the virtual power plant are captured with a packet capture tool and stored as a pcap format file; the pcap format file covering each detection moment and a preset number of detection moments before it is taken as the pcap format file AT; the timestamp and five-tuple of every packet in the pcap format file AT are extracted; and the packets are grouped by five-tuple to obtain the individual data streams.
The Wireshark packet capture tool is deployed on all network devices or nodes of the power Internet of things where the virtual power plant is located; it captures the packets passing through and stores them as a pcap format file, completing the collection of network traffic data of that power Internet of things.
Taking detection moment T as an example, the 10 minutes of traffic preceding T are extracted from the pcap format file into a new pcap format file, recorded as the pcap format file AT; the length of this window can be set by the implementer.
The timestamp and five-tuple of each packet in the pcap format file AT are extracted with Wireshark; the five-tuple is the packet's source IP address, destination IP address, source port, destination port and protocol type.
The packets in the pcap format file AT are grouped by five-tuple into data streams. Each data stream represents one communication session, i.e. all packets exchanged between two endpoints with a given protocol and port pair over a period of time, so that all data streams of the pcap format file AT are obtained. All packets in the same data stream share the same source IP address and destination IP address.
The second step: in the pcap format file AT, the IP anomaly coefficient of each data stream is obtained from the distribution of destination and source IP addresses over all data streams; the time period covered by the pcap format file AT is divided into a preset number of equal timestamp intervals; the local IP anomaly coefficient of each data stream in each timestamp interval is obtained from the distribution of source and destination IP addresses of the packets of all data streams in that interval; and the abnormal traffic confidence of each data stream is obtained from its IP anomaly coefficient and its local IP anomaly coefficients over all timestamp intervals.
Devices and systems in the power Internet of things are designed to perform specific monitoring and control tasks, and each device may initiate communication at any point in time. The source IP addresses in the traffic of the power Internet of things where the virtual power plant is located are therefore spread out, and the traffic is distributed across many destination devices and services according to the needs of the virtual power plant rather than concentrated on a few destination IP addresses. When that power Internet of things suffers a distributed denial of service (DDoS) attack, however, the attacker typically uses a large number of controlled hosts (a botnet) or spoofed source IP addresses to send massive traffic from many source IP addresses to a small number of destination IP addresses. The abnormal traffic generated by the DDoS attack therefore has relatively uniformly distributed source IP addresses and a small, concentrated set of destination IP addresses, which constitutes an abnormal IP address pattern change. To discover and respond to potential DDoS attacks on the power Internet of things in a timely and accurate way, the following processing is performed.
Specifically, taking the i-th data stream AT(i) of the pcap format file AT as an example, all data streams of the pcap format file AT with the same destination IP address as AT(i) form the first data stream set B1(i), and all data streams with the same source IP address as AT(i) form the second data stream set B2(i).
The source IP address of each data stream in B1(i) is treated as an event, and the ratio of the number of packets in the data stream carrying that source IP address to the total number of packets of all data streams in B1(i) is the probability of that event. From these probabilities the first information entropy H1(i) of the source IP addresses of the data streams in B1(i) is computed (the information entropy calculation is a known technique and is not repeated here). H1(i) is taken as the source IP characteristic value P1(i) of the data stream AT(i); it characterises how uniformly the source IP addresses are distributed among all packets of the pcap format file AT that share the destination IP address of AT(i): the larger the entropy, the more uniform the distribution, i.e. the larger P1(i).
The second information entropy H2(i) of the destination IP addresses of the data streams in B2(i) is computed in the same way, replacing B1(i) and the source IP address with B2(i) and the destination IP address respectively. H2(i) is taken as the destination IP characteristic value P2(i) of the data stream AT(i); it characterises how uniformly the destination IP addresses are distributed among all packets of the pcap format file AT that share the source IP address of AT(i): the larger the entropy, the more uniform the distribution, i.e. the larger P2(i).
Further, the IP anomaly coefficient P(i) of the data stream AT(i) is computed. It characterises the IP address pattern of the source and destination IP addresses of the packets in AT(i) relative to all packets of the pcap format file AT, i.e. the likelihood that this pattern is the abnormal IP address pattern change formed by the abnormal traffic of a DDoS attack. The formula image is not reproduced on this page; as the claim above states, P(i) is the ratio of the source IP characteristic value to the destination IP characteristic value with a constant added to the denominator, P(i) = P1(i) / (P2(i) + α), where P1(i) and P2(i) are the source and destination IP characteristic values of AT(i) and α is a preset constant greater than zero that prevents the denominator from being 0; α is set to 0.01 here and may be adjusted by the implementer.
Among all packets of the pcap format file AT, the more uniformly the source IP addresses are distributed among the packets sharing the destination IP address of AT(i) (the larger P1(i)), and the more concentrated the destination IP addresses are among the packets sharing the source IP address of AT(i) (the smaller P2(i)), the more the source and destination IP addresses of the packets in AT(i) resemble the IP address pattern change of the abnormal traffic generated by a DDoS attack, i.e. the larger the IP anomaly coefficient P(i).
When the power Internet of things where the virtual power plant is located is subjected to a DDoS attack, the attack is usually sustained for a period of time to achieve its effect, so the abnormal IP address pattern change generated by the DDoS attack persists for a relatively long time, whereas under normal conditions the network traffic of that power Internet of things usually does not exhibit such a sustained abnormal pattern change.
The minimum and maximum timestamps of the packets in the pcap format file AT are obtained, and the interval between them is divided into K equal timestamp intervals; K is set to 100 here and may be set by the implementer.
Taking the j-th timestamp interval Q(j) and the data stream AT(i) as an example, the set of all packets of AT(i) whose timestamps fall in Q(j) is recorded as the local data stream AT(i,j) of AT(i) in Q(j); it represents the part of the communication session of AT(i) that falls in the period of Q(j). The packet set AT[j] is formed from all packets of all local data streams of all data streams of the pcap format file AT in Q(j); it represents the part of all communication sessions of the pcap format file AT that falls in the period of Q(j).
The local IP anomaly coefficient P(i,j) of the local data stream AT(i,j) is computed with the same method as P(i), replacing the pcap format file AT and the data stream AT(i) with the packet set AT[j] and the local data stream AT(i,j) respectively. It characterises the IP address pattern of the source and destination IP addresses of the packets in AT(i,j) relative to all packets of the pcap format file AT within the period of Q(j), i.e. the likelihood that this pattern is the abnormal IP address pattern change formed by the abnormal traffic of a DDoS attack.
The abnormal traffic confidence D(i) of the data stream AT(i) is obtained from the dispersion of its local IP anomaly coefficients over all timestamp intervals combined with its IP anomaly coefficient; D(i) characterises the likelihood that AT(i) is abnormal traffic generated by a DDoS attack. In this embodiment the dispersion is measured by the standard deviation. The formula image is not reproduced on this page; its terms are P(i), the IP anomaly coefficient of AT(i); ΔP(i), the standard deviation of the local IP anomaly coefficients of AT(i) over all timestamp intervals; α, a preset constant greater than zero that prevents the denominator from being 0 and is set to 0.01 here; and norm(), a Min-Max normalisation function. In other embodiments the dispersion may be measured by the interquartile range, or the standard deviation may be replaced by the variance.
The flowchart for obtaining the confidence coefficient of the abnormal flow is shown in fig. 2.
The more the source and destination IP addresses of the packets in AT(i) resemble, across all packets of the pcap format file AT, the abnormal IP address pattern change of DDoS traffic (the larger P(i)), and the more consistent that pattern change is across the timestamp intervals (the smaller ΔP(i), i.e. the longer the abnormal pattern change persists), the more likely AT(i) is abnormal traffic generated by a DDoS attack, i.e. the larger the abnormal traffic confidence D(i).
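The first and second steps above, as an added example that is not the patent's own code: packets are grouped into flows by five-tuple, P(i) is computed from the two entropies, the window is cut into K intervals to obtain P(i,j), and D(i) is derived from P(i) and the standard deviation of P(i,j). The formula images are not on this page, so the exact forms used here are assumptions read from the text: P(i) = P1(i) / (P2(i) + α); D(i) = norm(P(i) / (ΔP(i) + α)) with norm the Min-Max normalisation over all flows; flows that share a source IP address are merged into one entropy event; a flow with no packets in an interval gets P(i,j) = 0; and K = 4 instead of 100 so the constructed sample stays readable. All packets and addresses are constructed (198.51.100.0/24 is a documentation range).

```python
"""Added example (not the patent's code): IP anomaly coefficient P(i),
local coefficients P(i,j) and abnormal-traffic confidence D(i) on
constructed packets.  Formula shapes are assumptions read from the text."""
from collections import defaultdict
from math import log2
from statistics import pstdev

ALPHA = 0.01   # alpha from the text: preset > 0 so no denominator is zero
K = 4          # the text uses K = 100; 4 keeps the constructed sample readable

# A packet is (timestamp, src_ip, dst_ip, src_port, dst_port, proto);
# the five-tuple packet[1:] is the flow key, as in step 1 of the method.


def group_flows(packets):
    flows = defaultdict(list)
    for p in packets:
        flows[p[1:]].append(p)
    return flows


def entropy(counts):
    """Shannon entropy (bits) of a packet-count distribution."""
    total = sum(counts)
    return -sum(c / total * log2(c / total) for c in counts if c)


def ip_anomaly_coefficients(flows, alpha=ALPHA):
    """P(i) = P1(i) / (P2(i) + alpha) for every flow in `flows`.
    Flows sharing a source IP are merged into one entropy event whose
    probability is that IP's packet share (this reading is an assumption)."""
    src_by_dst = defaultdict(lambda: defaultdict(int))  # dst -> src -> packets
    dst_by_src = defaultdict(lambda: defaultdict(int))  # src -> dst -> packets
    for (src, dst, *_), pkts in flows.items():
        src_by_dst[dst][src] += len(pkts)
        dst_by_src[src][dst] += len(pkts)
    coeff = {}
    for key in flows:
        src, dst = key[0], key[1]
        p1 = entropy(src_by_dst[dst].values())  # how evenly sources hit this dst
        p2 = entropy(dst_by_src[src].values())  # how evenly this src spreads out
        coeff[key] = p1 / (p2 + alpha)
    return coeff


def local_coefficients(flows, k=K, alpha=ALPHA):
    """P(i,j): cut [min ts, max ts] into k equal intervals, rebuild every
    flow from the packets of one interval and recompute P there.
    A flow absent from an interval gets 0 (assumption, not in the text)."""
    stamps = [p[0] for pkts in flows.values() for p in pkts]
    tmin, tmax = min(stamps), max(stamps)
    width = (tmax - tmin) / k or 1.0
    per_interval = [defaultdict(list) for _ in range(k)]
    for key, pkts in flows.items():
        for p in pkts:
            j = min(int((p[0] - tmin) / width), k - 1)
            per_interval[j][key].append(p)
    local = {key: [0.0] * k for key in flows}
    for j, sub in enumerate(per_interval):
        for key, value in ip_anomaly_coefficients(sub, alpha).items():
            local[key][j] = value
    return local


def abnormal_traffic_confidence(flows, k=K, alpha=ALPHA):
    """D(i) = MinMax over flows of P(i) / (std_j P(i,j) + alpha)  (assumed form)."""
    p = ip_anomaly_coefficients(flows, alpha)
    local = local_coefficients(flows, k, alpha)
    raw = {key: p[key] / (pstdev(local[key]) + alpha) for key in flows}
    lo, hi = min(raw.values()), max(raw.values())
    span = (hi - lo) or 1.0
    return {key: (v - lo) / span for key, v in raw.items()}


def constructed_packets():
    """Constructed 40 s window: three field devices polling two servers at
    irregular moments, plus six hosts flooding 10.0.0.10:502 all window long."""
    polls = {  # (src, dst, dst_port): packet timestamps in seconds
        ("10.0.1.1", "10.0.0.10", 502): [1, 2, 3, 21, 22],
        ("10.0.1.1", "10.0.0.11", 8883): [5, 6, 35, 40],
        ("10.0.1.2", "10.0.0.10", 502): [4, 5, 15, 16],
        ("10.0.1.2", "10.0.0.11", 8883): [12, 25, 26],
        ("10.0.1.3", "10.0.0.10", 502): [13, 31, 32, 33],
        ("10.0.1.3", "10.0.0.11", 8883): [8, 28, 29],
    }
    pkts = [(float(t), src, dst, 50000, dport, "TCP")
            for (src, dst, dport), times in polls.items() for t in times]
    for b in range(6):  # 198.51.100.0/24 is a documentation range
        pkts += [(4.0 * n + 0.1 * b, f"198.51.100.{b + 1}", "10.0.0.10",
                  60000 + b, 502, "TCP") for n in range(10)]
    return pkts


if __name__ == "__main__":
    confidence = abnormal_traffic_confidence(group_flows(constructed_packets()))
    for key, d in sorted(confidence.items(), key=lambda kv: -kv[1]):
        print(f"{key[0]:>14} -> {key[1]}:{key[3]}  D = {d:.3f}")
```

Running the block prints D for all twelve flows: the six flood flows come out at 1.0 and the device polls at about 0.12 or below. Note how strongly α sets the scale: a source that talks to a single destination within an interval has P2 = 0 and a local coefficient of P1/α, so it is the time-dispersion term rather than P(i) alone that separates the irregular polling traffic from the sustained flood here.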
The third step is that multi-dimensional statistical characteristic data of each data stream in the pcap format file AT are extracted, an anomaly score of each data stream is obtained by combining an anomaly detection algorithm, the anomaly score is corrected by combining the anomaly flow confidence of each data stream, and network security detection is carried out on all the data streams in the pcap format file AT based on the correction value of the anomaly score.
The multidimensional statistical characteristic data of each data stream of the pcap format file AT are extracted separately. In this embodiment they comprise the connection time, output flow size, output flow peak value, output flow average value, output packet size, output packet peak value, output packet average value, input flow size, input flow peak value, input flow average value, input packet size, input packet peak value and input packet average value of the data stream; the implementer may select the multidimensional statistical characteristic data. Extracting such statistics is a known technique and the specific process is not repeated.
Each item of the multidimensional statistical characteristic data of each data stream of the pcap format file AT is normalized with the Min-Max normalization method to eliminate the influence of data dimension. The normalized multidimensional statistical characteristic data of all data streams of the pcap format file AT are then mapped into a multidimensional space, each statistical characteristic being one dimension of that space, so that each data point in the space corresponds to one data stream in the pcap format file AT. The data points are used as the input of the local outlier factor (Local Outlier Factor, LOF) algorithm, which outputs the anomaly score of each data point and therefore the anomaly score of each corresponding data stream of the pcap format file AT. The Min-Max normalization method and the LOF algorithm are known techniques, and the specific processes are not repeated.
The product of the normalization result of the anomaly score of each data stream of the pcap format file AT and the anomaly traffic confidence of that data stream is taken as the correction value of the anomaly score of the data stream, the normalization again using the Min-Max normalization method. The greater the anomaly traffic confidence of a data stream, the more likely the data stream is abnormal network traffic generated by a DDoS attack, and therefore, in order to improve the detection precision of the abnormal network traffic generated by DDoS attacks in the security management of the electric power Internet of Things where the virtual power plant is located, the greater the correction value of the anomaly score of that data stream.
The correction values of the anomaly scores of all data streams of the pcap format file AT are taken as the input of the maximum inter-class variance algorithm, which outputs a segmentation threshold L. All data streams whose correction value of the anomaly score is larger than the segmentation threshold L are screened out, and the ratio of the number of data packets in all screened data streams to the number of all data packets in the pcap format file AT is calculated. If the ratio is larger than a ratio threshold (set by the implementer; 0.3 in this embodiment), the destination IP addresses of all screened data streams are marked and an alarm is sent through a communication module to remind the operation and maintenance personnel of the virtual power plant to carry out network security maintenance. The maximum inter-class variance algorithm is a known technique, and the specific process is not repeated. This completes the network security detection in the operation and maintenance process of the virtual power plant.
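The third step above (and claims 6 to 8), carried through in code as an added example that is not the patent's own implementation: a compact pure-Python LOF, Min-Max normalization, the maximum inter-class variance (Otsu) threshold over the corrected scores, and the packet-ratio decision with the 0.3 threshold. The per-stream statistics, packet counts, destination IPs and the anomaly traffic confidence D(i) are constructed sample values, and k = 3 neighbours for LOF is an assumption the patent does not state.

```python
import math
from typing import Dict, List

# Constructed sample (not real capture data): per-stream statistics in the
# patent's style (connection time s, output bytes, input bytes, mean output
# packet size), the stream's packet count for the ratio check, and its
# destination IP.  Streams 8-10 flood one destination.
STREAMS: List[Dict] = [
    {"dst_ip": "10.0.0.1", "packets": 45, "features": [30, 5200, 4100, 58]},
    {"dst_ip": "10.0.0.2", "packets": 52, "features": [28, 4900, 3900, 60]},
    {"dst_ip": "10.0.0.1", "packets": 48, "features": [32, 5100, 4300, 61]},
    {"dst_ip": "10.0.0.3", "packets": 60, "features": [29, 5300, 4000, 57]},
    {"dst_ip": "10.0.0.2", "packets": 55, "features": [31, 5000, 4200, 59]},
    {"dst_ip": "10.0.0.4", "packets": 40, "features": [30, 4800, 4100, 62]},
    {"dst_ip": "10.0.0.3", "packets": 50, "features": [27, 5150, 3950, 60]},
    {"dst_ip": "10.0.0.4", "packets": 50, "features": [33, 5050, 4050, 58]},
    {"dst_ip": "10.0.0.5", "packets": 800, "features": [2, 450, 120000, 64]},
    {"dst_ip": "10.0.0.5", "packets": 850, "features": [3, 500, 118000, 64]},
    {"dst_ip": "10.0.0.5", "packets": 750, "features": [2, 480, 121000, 64]},
]
# Constructed anomaly traffic confidence D(i) of each stream (second step).
CONFIDENCE = [0.10, 0.05, 0.15, 0.08, 0.12, 0.20, 0.06, 0.10, 0.90, 0.85, 0.95]


def min_max(values: List[float]) -> List[float]:
    """Min-Max normalisation to [0, 1]; a constant column maps to 0."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]


def lof_scores(points: List[List[float]], k: int) -> List[float]:
    """Local Outlier Factor of every point using its k nearest neighbours."""
    n = len(points)
    dist = [[math.dist(a, b) for b in points] for a in points]
    nbrs = [sorted(range(n), key=lambda j: dist[i][j])[1:k + 1] for i in range(n)]
    kdist = [dist[i][nbrs[i][-1]] for i in range(n)]
    # reachability distance of i from neighbour j, then local reachability density
    reach = lambda i, j: max(kdist[j], dist[i][j])
    lrd = [k / max(sum(reach(i, j) for j in nbrs[i]), 1e-12) for i in range(n)]
    return [sum(lrd[j] for j in nbrs[i]) / (k * lrd[i]) for i in range(n)]


def otsu_threshold(values: List[float]) -> float:
    """Maximum inter-class variance (Otsu) split of a list of 1-D scores."""
    xs = sorted(values)
    best_t, best_var = xs[0], -1.0
    for i in range(1, len(xs)):
        lo, hi = xs[:i], xs[i:]
        if lo[-1] == hi[0]:
            continue
        w0, w1 = len(lo) / len(xs), len(hi) / len(xs)
        var = w0 * w1 * (sum(lo) / len(lo) - sum(hi) / len(hi)) ** 2
        if var > best_var:
            best_var, best_t = var, (lo[-1] + hi[0]) / 2
    return best_t


def detect(streams: List[Dict], confidence: List[float],
           k: int = 3, ratio_threshold: float = 0.3) -> Dict:
    """Third step: LOF score, correction by D(i), Otsu split, packet ratio."""
    # normalise every feature column so no dimension dominates the distances
    cols = [min_max(list(c)) for c in zip(*(s["features"] for s in streams))]
    points = [list(p) for p in zip(*cols)]
    scores = min_max(lof_scores(points, k))
    corrected = [s * d for s, d in zip(scores, confidence)]
    threshold = otsu_threshold(corrected)
    flagged = [i for i, c in enumerate(corrected) if c > threshold]
    total = sum(s["packets"] for s in streams)
    ratio = sum(streams[i]["packets"] for i in flagged) / total
    alarm = ratio > ratio_threshold
    dst_ips = sorted({streams[i]["dst_ip"] for i in flagged}) if alarm else []
    return {"threshold": threshold, "flagged": flagged, "ratio": ratio,
            "alarm": alarm, "dst_ips": dst_ips}


if __name__ == "__main__":
    print(detect(STREAMS, CONFIDENCE))
```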
Based on the same inventive concept as the above method, the embodiment of the application further provides a network security detection system in the operation and maintenance process of the virtual power plant, which comprises a memory, a processor and a computer program stored in the memory and running on the processor, wherein the processor executes the computer program to realize the steps of any one of the network security detection methods in the operation and maintenance process of the virtual power plant.
In summary, the embodiment of the application acquires the traffic data packets of the virtual power plant with a packet capture tool, saves them as a pcap format file, intercepts the pcap format file, and acquires the source and destination IP addresses of the packets in the intercepted file, which makes it possible to judge the network condition from the distribution characteristics of those addresses. The IP anomaly coefficient of each data stream is obtained from the distribution characteristics of the destination and source IP addresses of all data streams; this quantifies the difference between the address distribution of the network traffic generated under normal conditions in the electric power Internet of Things where the virtual power plant is located and that of the abnormal network traffic generated under a DDoS attack. The local IP anomaly coefficient of each data stream in any time stamp interval is obtained from the distribution of the source and destination IP addresses of its packets in that interval of the pcap format file AT; by analyzing the difference in temporal distribution between the IP address pattern changes of normal network traffic and those of the abnormal network traffic generated under network attack, the anomaly traffic confidence is constructed, which improves the discrimination between normal data streams in the intercepted pcap format file and abnormal data streams generated by a DDoS attack. Finally, the multidimensional statistical characteristic data of each data stream in the pcap format file AT is combined with an anomaly detection algorithm and the resulting anomaly score is corrected with the anomaly traffic confidence. This improves the accuracy with which the anomaly detection method detects the abnormal network traffic generated when the electric power Internet of Things where the virtual power plant is located is under network attack, reduces the risk of missed and false alarms, and thus achieves better network security management of the electric power Internet of Things where the virtual power plant is located.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than that disclosed in the description, and sometimes no specific order exists between different operations or steps. For example, two consecutive operations or steps may actually be performed substantially in parallel, they may sometimes be performed in reverse order, which may be dependent on the functions involved. Each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be evident to those skilled in the art that the application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the essential characteristics thereof. Therefore, the above-mentioned embodiments of the present application should be regarded as exemplary and non-limiting in all respects, and modifications of the technical solutions described in the above-mentioned embodiments or equivalent substitutions of some technical features thereof should be included in the protection scope of the present application without making the essence of the corresponding technical solutions deviate from the scope of the technical solutions of the embodiments of the present application.

Claims (9)

1. The network security detection method in the operation and maintenance process of the virtual power plant is characterized by comprising the following steps of:
obtaining flow data packets of a virtual power plant by using a packet capture tool, storing the flow data packets as a pcap format file, taking the pcap format files of each detection moment and a preset number of preceding detection moments as a pcap format file AT, extracting a time stamp and quintuple information of each data packet in the pcap format file AT, and dividing the data packets by using the quintuple as a key to obtain each data stream, wherein the quintuple information at least comprises a source IP address and a destination IP address;
The method comprises the steps of obtaining source IP characteristic values of all data streams according to the distribution uniformity degree of source IP addresses of all data streams with the same destination IP address as each data stream in a pcap format file AT, obtaining destination IP characteristic values of all data streams according to the distribution uniformity degree of destination IP addresses of all data streams with the same source IP address as each data stream, taking the ratio of the source IP characteristic values to the destination IP characteristic values of all data streams as IP abnormal coefficients of all data streams, equally dividing a time period corresponding to the pcap format file AT into a preset number of time stamp sections, obtaining local IP abnormal coefficients of all data streams in any time stamp section according to the distribution situation of source IP addresses and destination IP addresses of data packets of all data streams of the pcap format file AT, and obtaining the abnormal flow confidence of all data streams based on the IP abnormal coefficients of all data streams and the local IP abnormal coefficients in all time stamp sections;
Extracting multidimensional statistical feature data of each data stream in the pcap format file AT, combining an anomaly detection algorithm to obtain anomaly scores of each data stream, correcting the anomaly scores by combining the anomaly flow confidence of each data stream, and carrying out network security detection on all the data streams in the pcap format file AT based on the correction values of the anomaly scores.
2. The network security detection method in the operation and maintenance process of a virtual power plant according to claim 1, wherein the obtaining source IP characteristic values of each data stream specifically comprises:
In the pcap format file AT, a set formed by all data streams with the same destination IP address as each data stream is recorded as a first data stream set, and the information entropy of the source IP addresses of all the data streams in the first data stream set is used as the source IP characteristic value of each data stream.
3. The network security detection method in the operation and maintenance process of a virtual power plant according to claim 1, wherein the obtaining the destination IP eigenvalue of each data stream specifically comprises:
In the pcap format file AT, a set formed by all data streams with the same source IP addresses as each data stream is recorded as a second data stream set, and the information entropy of the destination IP addresses of all the data streams in the second data stream set is used as the destination IP characteristic value of each data stream.
4. The method for detecting network security in a virtual power plant operation and maintenance process according to claim 1, wherein the obtaining local IP anomaly coefficients of each data stream in any time stamp interval specifically comprises:
The method comprises the steps that a set formed by all data packets of each data stream in any time stamp interval is used as a local data stream of each data stream in any time stamp interval;
forming a data packet set of any time stamp interval by data packets of all local data streams of all data streams in the pcap format file in any time stamp interval;
and acquiring the local IP anomaly coefficients of each data stream in any time stamp interval based on the local data stream and the data packet set by adopting the same calculation method as the IP anomaly coefficients.
5. The network security detection method in the operation and maintenance process of a virtual power plant according to claim 1, wherein the obtaining the abnormal flow confidence of each data flow specifically comprises:
And obtaining the negative correlation mapping result of the discrete degree of the local IP anomaly coefficient of each data stream in all time stamp intervals, and taking the fusion result of the negative correlation mapping result and the IP anomaly coefficient of each data stream as the anomaly flow confidence of each data stream.
6. The network security detection method in the operation and maintenance process of a virtual power plant according to claim 1, wherein the obtaining of the anomaly score of each data stream specifically comprises:
After the multidimensional statistical feature data extracted from each data stream is normalized, mapping the multidimensional statistical feature data into each data point in a multidimensional space, and taking all the data points as the input of an anomaly detection algorithm to obtain the anomaly score of each data stream.
7. The method for detecting network security in operation and maintenance of a virtual power plant according to claim 1, wherein the anomaly score is corrected by taking a product of the anomaly score and the anomaly flow confidence of each data stream as a correction value of the anomaly score of each data stream.
8. The network security detection method in the operation and maintenance process of a virtual power plant according to claim 1, wherein the network security detection is performed on all data streams in the pcap format file AT, specifically:
Obtaining a segmentation threshold value by adopting a threshold value segmentation algorithm according to correction values of abnormal scores of all data streams in the pcap format file AT;
When the ratio of the number of the data packets in all the screened data streams to the number of all the data packets in the pcap format file AT is greater than or equal to a preset threshold value, judging that the destination IP addresses of all the data streams have network security problems, otherwise, judging that the network security problems do not exist.
9. A network security detection system in the operation and maintenance process of a virtual power plant, comprising a memory, a processor and a computer program stored in the memory and running on the processor, wherein the processor, when executing the computer program, implements the steps of the method according to any one of claims 1-8.
CN202411740555.XA 2024-11-29 2024-11-29 A network security detection method and system during virtual power plant operation and maintenance Active CN119652580B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411740555.XA CN119652580B (en) 2024-11-29 2024-11-29 A network security detection method and system during virtual power plant operation and maintenance

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411740555.XA CN119652580B (en) 2024-11-29 2024-11-29 A network security detection method and system during virtual power plant operation and maintenance

Publications (2)

Publication Number Publication Date
CN119652580A CN119652580A (en) 2025-03-18
CN119652580B true CN119652580B (en) 2025-08-29

Family

ID=94939318

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411740555.XA Active CN119652580B (en) 2024-11-29 2024-11-29 A network security detection method and system during virtual power plant operation and maintenance

Country Status (1)

Country Link
CN (1) CN119652580B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118041636A (en) * 2024-02-19 2024-05-14 中国移动通信集团江苏有限公司 Abnormal flow detection method, device, equipment, storage medium and program product
CN118509229A (en) * 2024-05-31 2024-08-16 顺通科技发展(山东)有限公司 Threat behavior analysis method based on big data analysis

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100725179B1 (en) * 2005-06-28 2007-06-04 서원대학교산학협력단 Network Traffic Normal Detection Using Destination Network Distribution Entropy
US9210181B1 (en) * 2014-05-26 2015-12-08 Solana Networks Inc. Detection of anomaly in network flow data
CN109302419A (en) * 2018-11-21 2019-02-01 贵州电网有限责任公司 A kind of network application throat floater detection method of Behavior-based control analysis
US20210112091A1 (en) * 2019-10-10 2021-04-15 Charter Communications Operating, Llc Denial-of-service detection and mitigation solution

Also Published As

Publication number Publication date
CN119652580A (en) 2025-03-18

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant