A threat self-awareness and processing method and system for distributed power supply
By deploying a threat self-sensing and processing device on the uplink of a distributed power plant, analyzing traffic information and using a state machine model to process threats, the problem of distributed power plants being unable to detect network threats in a timely manner is solved, enabling self-sensing and timely processing and reducing the pressure on the main station side.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- STATE GRID JIANGXI ELECTRIC POWER CO LTD RES INST
- Filing Date
- 2024-06-18
- Publication Date
- 2026-06-16
AI Technical Summary
Due to investment constraints, distributed power plants cannot deploy Type II network security monitoring devices, which makes it impossible to detect network threats in a timely manner and isolate them from the dispatch master station. This increases the data processing pressure on the master station and may lead to untimely security warnings.
Deploy threat self-sensing and processing devices on the uplink of distributed power plant substations, monitor traffic information through vertical encrypted channels, parse data packets, design an abnormal traffic model based on a state machine, determine the threat status, and execute the handling process.
It enables self-awareness of the distributed power environment, timely detection and handling of security threats, reduces the pressure on the main station's computing resources, and improves security and response speed.
Description
Technical Field
[0001] This invention relates to the field of power systems, and more specifically to a method and system for self-sensing and handling threats to distributed power sources.
Background Technology
[0002] Vertical encryption devices employ authentication, encryption, and access control technologies to ensure secure data transmission and vertical boundary security in power secondary systems. Generally, vertical encryption devices are deployed at both the master station and substation sides, providing a secure communication tunnel between them.
[0003] Vertical encryption devices enable encrypted data transmission, ensuring information security during transmission and providing authentication and access control for communication devices to prevent unauthorized access and attacks. Furthermore, vertical encryption devices support secure parsing of various power-specific protocols and employ different application strategies for messages with different functions. This means that vertical encryption devices can provide flexible and efficient solutions for diverse power data transmission needs.
[0004] Currently, multi-level blocking schemes within power systems are divided into main station-side blocking and substation-side blocking. Main station-side blocking utilizes Type I network security monitoring devices and a security management platform to perform session blocking, equipment blocking, and area blocking at the main station. Substation-side blocking utilizes Type II monitoring devices and a security management platform to perform session blocking, equipment blocking, and area blocking at the substation. The network security monitoring devices are responsible for collecting operational information and security events from network equipment (such as data network switches and industrial control switches), host equipment (servers and workstations), general security equipment (such as firewalls and intrusion detection / prevention devices), dedicated security equipment (such as network security isolation devices), and databases. This information is then aggregated into alarm messages and reported to the main station platform. The devices also execute various control commands issued by the main station platform. Type I network security monitoring devices are primarily deployed at the main station, responsible for collecting and processing security information there, while Type II network security monitoring devices are primarily deployed at the substation, responsible for collecting and processing security information there. However, blocking of traffic threats at the plant side relies on Type II network security monitoring devices, which are currently only deployed in centralized power plants and substations.
[0005] Background technology document CN115623433A discloses a county-wide photovoltaic data sharing and value-added system and method based on 5G and federated learning. The scheme effectively balances power security protection requirements and costs. Utilizing a 5G power production control private network, photovoltaic data is collected from photovoltaic terminals to a 5G power multi-functional integrated terminal. The multi-functional integrated terminal then uploads the collected data to the power dispatch center, enabling the power dispatch center to monitor and control the photovoltaic terminals. Simultaneously, considering the communication needs and data privacy of various demand parties, the power grid company uniformly constructs a photovoltaic monitoring data sharing and value-added platform, establishing data transmission channels between the data sharing and value-added platform and the management platforms of various parties, achieving multi-party sharing of photovoltaic data. It is known that distributed power plants, limited by investment constraints, cannot deploy Type II monitoring devices or other types of monitoring devices, thus failing to detect network threats to distributed power sources in a timely manner.
[0006] Furthermore, when distributed power plants detect network threats, they cannot promptly isolate them from the dispatch master station to prevent the threat from spreading vertically. The massive influx of distributed power sources significantly increases the data processing pressure on the master station, potentially leading to delayed security alerts. While 5G power all-in-one converged terminals integrate vertical encryption functions, they still prioritize power services and cannot achieve self-awareness capabilities for distributed power plants.
[0007] To address the aforementioned issues, there is an urgent need for a method and system for self-sensing and handling threats to distributed power sources.
Summary of the Invention
[0008] To address the shortcomings of existing technologies, this invention provides a method and system for threat self-sensing and handling of distributed power sources. By deploying a threat self-sensing and handling device for distributed power sources on the uplink of the distributed power source plant, the system monitors the traffic information between the distributed power source and the master station, senses whether the distributed power source environment is safe, and handles the threat according to a preset strategy when a security threat occurs.
[0009] The present invention adopts the following technical solution.
[0010] The first aspect of this invention relates to a threat self-sensing and processing method for distributed power sources. The method includes the following steps: connecting a distributed power source threat self-sensing and processing device to a vertical encrypted channel between the distributed power source and a scheduling master station, and collecting communication traffic on the vertical encrypted channel; obtaining mirror traffic of the communication traffic, and parsing the IP header and TCP header of each data packet in the mirror traffic to perform preliminary classification of the data packets; based on the protocol type obtained from the preliminary classification, parsing a preset position field of each data packet in the mirror traffic to verify the result of the preliminary classification and obtain the traffic type; extracting key data from the current data packet according to the traffic type of the current data packet, and parsing the key data according to preset data extraction rules to obtain the state changes of the current data packet; designing an abnormal traffic model based on a state machine to interpret the state changes in multiple data packets under the same traffic type, determine the threat status of the distributed power source, and execute a threat handling process.
[0011] Preferably, the process involves acquiring mirrored traffic of the communication traffic and parsing the IP header and TCP header of each data packet in the mirrored traffic to perform preliminary classification of the data packets. This includes: acquiring mirrored traffic of the communication traffic, where the mirrored traffic consists of multiple independent data packets, each of which is a protocol message sequentially encapsulated in a TCP header and an IP header; extracting the destination port field from the TCP header and the protocol type field from the IP header, and obtaining the protocol type of the data packet through the destination port field and the protocol type field; and performing preliminary classification of the data packets based on the protocol type.
[0012] Preferably, based on the protocol type obtained from the preliminary classification, the preset position field of each data packet in the mirrored traffic is parsed to verify the result of the preliminary classification and obtain the traffic type, including: preset position fields for each protocol type; extracting the preset position fields in the data packets according to the protocol type obtained from the preliminary classification for each data packet; and using the extracted preset position fields of the current data packet to query a preset secondary classification confirmation table to verify the result of the preliminary classification and obtain the traffic type.
[0013] Preferably, querying the preset secondary classification confirmation table with the preset position field extracted from the current data packet, so as to verify the preliminary classification result and obtain the traffic type, includes the following. The secondary classification confirmation table holds, in one-to-one correspondence, a protocol type, a preset position field and a preset position field value. When the table is queried with the preset position field extracted from the current data packet and a corresponding result is obtained, it is checked whether the protocol type of that result is consistent with the preliminary classification result; if so, the preliminary classification result is confirmed to be accurate and the verification passes. If no corresponding result is obtained, or the corresponding protocol type is inconsistent with the preliminary classification result, the preliminary classification result is confirmed to be inaccurate and the verification fails. The protocol type in a verified preliminary classification result is used as the traffic type of the current data packet.
[0014] Preferably, key data in the current data packet is extracted according to the traffic type of the current data packet, and the key data is parsed according to the preset data extraction rules to obtain the state changes in the current data packet. This includes: the preset data extraction rules define the location and meaning of the key data to be extracted according to the traffic type of the current data packet; extract key data based on the key data location, and parse the state changes existing in the current data packet according to the meaning of the key data.
[0015] Preferably, the process of parsing the state changes present in the current data packet based on the meaning of key data includes: defining state change rules for each type of traffic, the state change rules including the correspondence between state change types and data examples; and filling one or more extracted key data into a data example template based on their respective key data meanings to generate the state changes of the current data packet containing the inherent logic between one or more key data.
[0016] Preferably, an abnormal traffic model based on a state machine is designed to interpret state changes in multiple data packets of the same traffic type, thereby determining the threat status of the distributed power supply and executing a threat handling process. This includes: the abnormal traffic model based on a state machine includes multiple states and state changes between multiple states; the number of loops for state changes between multiple states in the abnormal traffic model is set, and if the state changes in multiple data packets of the same traffic type exceed the number of loops, it is determined that the service of the current traffic type has abnormal behavior.
[0017] Preferably, the state machine-based abnormal traffic model includes multiple states and state changes between these states. The multiple states include a username verification state, a waiting-for-identity-information state, a login failure state, and a closed state. The model sets the number of loops for state changes between these states, including: if, within a preset time period, the loop count between the waiting-for-identity-information state and the login failure state reaches 4 times, and the loop count between the username verification state and the closed state reaches 5 times, then the current traffic type is considered to have abnormal behavior.
[0018] Preferably, an abnormal traffic model based on a state machine is designed to interpret the state changes in multiple data packets under the same traffic type, thereby determining the threat status of the distributed power supply and executing the threat handling process. This includes: when it is determined that there is abnormal behavior in the current traffic type of service, the traffic type, state change, and number of state changes corresponding to the abnormal behavior are sent as alarm information to the main station security management platform to determine the threat status of the distributed power supply and execute the threat handling process.
[0019] The second aspect of this invention relates to a threat self-sensing and processing system for distributed power sources utilizing the method of the first aspect of this invention. The system includes a collection module, a parsing module, a verification module, an extraction module, and a handling module. The collection module connects the distributed power source threat self-sensing and processing device to a vertical encrypted channel between the distributed power source and the scheduling master station, collecting communication traffic on the vertical encrypted channel. The parsing module acquires mirror traffic of the communication traffic and parses the IP header and TCP header of each data packet in the mirror traffic to perform preliminary classification of the data packets. The verification module, based on the protocol type obtained from the preliminary classification, parses a preset position field of each data packet in the mirror traffic to verify the preliminary classification result and obtain the traffic type. The extraction module extracts key data from the current data packet according to its traffic type and parses the key data using preset data extraction rules to obtain the state changes of the current data packet. The handling module designs an abnormal traffic model based on a state machine, interprets the state changes in multiple data packets of the same traffic type, determines the threat status of the distributed power source, and executes a threat handling process.
[0020] Preferably, the acquisition module is used to acquire mirror traffic of communication traffic, and parse the IP header and TCP header of each data packet in the mirror traffic to perform preliminary classification of the data packets, including: acquiring mirror traffic of communication traffic, the mirror traffic being multiple independent data packets, each data packet being a protocol message sequentially encapsulated in the TCP header and IP header; extracting the destination port field in the TCP header and the protocol type field in the IP header, and obtaining the protocol type of the data packet through the destination port field and the protocol type field; and performing preliminary classification of the data packets through the protocol type.
[0021] Preferably, the verification module is used to parse the preset position field of each data packet in the mirrored traffic based on the protocol type obtained from the preliminary classification, so as to verify the result of the preliminary classification and obtain the traffic type. This includes: setting preset position fields for each protocol type; extracting the preset position fields in the data packets according to the protocol type obtained from the preliminary classification for each data packet; and querying a preset secondary classification confirmation table using the extracted preset position fields of the current data packet to verify the result of the preliminary classification and obtain the traffic type.
[0022] Preferably, in the verification module, querying the preset secondary classification confirmation table with the preset position field extracted from the current data packet, so as to verify the preliminary classification result and obtain the traffic type, includes the following. The secondary classification confirmation table holds, in one-to-one correspondence, a protocol type, a preset position field and a preset position field value. When the table is queried with the preset position field extracted from the current data packet and a corresponding result is obtained, it is checked whether the protocol type of that result is consistent with the preliminary classification result; if so, the preliminary classification result is confirmed to be accurate and the verification passes. If no corresponding result is obtained, or the corresponding protocol type is inconsistent with the preliminary classification result, the preliminary classification result is confirmed to be inaccurate and the verification fails. The protocol type in a verified preliminary classification result is taken as the traffic type of the current data packet.
[0023] Preferably, the extraction module is used to extract key data from the current data packet according to the traffic type of the current data packet, and to parse the key data according to the preset data extraction rules to obtain the state changes in the current data packet, including: the preset data extraction rules define the location and meaning of the key data to be extracted according to the traffic type of the current data packet; extract key data based on the key data location, and parse the state changes existing on the current data packet according to the meaning of the key data.
[0024] Preferably, the extraction module parses the state changes present in the current data packet according to the meaning of the key data, including: defining state change rules for each traffic type, the state change rules including the correspondence between state change types and data examples; the data example is formed by filling one or more extracted key data into a data example template according to their respective key data meanings, thereby generating the state changes of the current data packet together with the inherent logic between the one or more key data.
[0025] Preferably, the handling module is used to design an abnormal traffic model based on a state machine, interpret the state changes in multiple data packets under the same traffic type, thereby determining the threat status of the distributed power supply and executing the threat handling process, including: the abnormal traffic model based on a state machine includes multiple states and the state changes between multiple states; setting the number of loops for state changes between multiple states in the abnormal traffic model, if the state changes in multiple data packets under the same traffic type exceed the number of loops, then it is determined that the service of the current traffic type has abnormal behavior.
[0026] Preferably, in the handling module, the abnormal traffic model based on the state machine includes multiple states and state changes between multiple states, including: multiple states including username verification state, waiting for identity information state, login failure state, and closed state; setting the number of loops for state changes between multiple states in the abnormal traffic model, including: in multiple consecutive data packets within a preset time period, if the number of loops between the waiting for identity information state and the login failure state reaches 4 times, and the number of loops between the username verification state and the closed state reaches 5 times, then it is determined that the current traffic type of the service has abnormal behavior.
[0027] Preferably, the handling module is used to design an abnormal traffic model based on a state machine, interpret the state changes in multiple data packets under the same traffic type, thereby determining the threat status of the distributed power supply and executing the threat handling process, including: when it is determined that there is abnormal behavior in the current traffic type of service, the traffic type, state change, and number of state changes corresponding to the abnormal behavior are sent as alarm information to the main station security management platform to determine the threat status of the distributed power supply and execute the threat handling process.
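The loop-counting logic of paragraphs [0016]-[0018] and [0025]-[0027], carried through as an added example that is not part of the patent: a Python state-machine model for SSH traffic with the four states named above, which counts loops between the waiting-for-identity-information and login-failure states and between the username-verification and closed states inside a sliding time window, and emits the alarm information (traffic type, state change, number of state changes) once both loop counts reach the stated thresholds of 4 and 5. The 60-second window, the `build_ssh_trace` generator and the state-change sequence it produces are constructed assumptions, and a loop is counted here as one transition in each direction between the two states.

```python
"""Added example: state-machine abnormal traffic model with loop counting (SSH case)."""
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Deque, Dict, List, Optional, Tuple


class State(Enum):
    USERNAME_VERIFICATION = "username_verification"
    WAITING_IDENTITY = "waiting_for_identity_information"
    LOGIN_FAILURE = "login_failure"
    CLOSED = "closed"


@dataclass(frozen=True)
class StateChange:
    ts: float      # seconds since capture start (constructed value)
    src: State
    dst: State


Transition = Tuple[State, State]

# Loop thresholds from the patent text: 4 loops waiting<->failure and 5 loops verification<->closed.
SSH_BRUTE_FORCE_THRESHOLDS: Dict[Transition, int] = {
    (State.WAITING_IDENTITY, State.LOGIN_FAILURE): 4,
    (State.USERNAME_VERIFICATION, State.CLOSED): 5,
}


class AbnormalTrafficModel:
    """Counts loops (one transition in each direction) between state pairs within a sliding window."""

    def __init__(self, traffic_type: str, window_seconds: float, loop_thresholds: Dict[Transition, int]):
        self.traffic_type = traffic_type
        self.window = window_seconds
        self.thresholds = loop_thresholds
        # timestamps of observed transitions, kept per direction
        self.seen: Dict[Transition, Deque[float]] = {}
        for a, b in loop_thresholds:
            self.seen[(a, b)] = deque()
            self.seen[(b, a)] = deque()

    def _evict(self, now: float) -> None:
        """Drop transitions older than the preset time period."""
        for q in self.seen.values():
            while q and now - q[0] > self.window:
                q.popleft()

    def loop_count(self, a: State, b: State) -> int:
        return min(len(self.seen[(a, b)]), len(self.seen[(b, a)]))

    def observe(self, change: StateChange) -> Optional[dict]:
        """Feed one state change; return alarm information when every threshold is reached."""
        key = (change.src, change.dst)
        if key not in self.seen:
            return None            # transition is not part of any monitored loop
        self.seen[key].append(change.ts)
        self._evict(change.ts)
        counts = {pair: self.loop_count(*pair) for pair in self.thresholds}
        if all(counts[pair] >= limit for pair, limit in self.thresholds.items()):
            return {
                "traffic_type": self.traffic_type,
                "state_changes": {f"{a.value}<->{b.value}": n for (a, b), n in counts.items()},
            }
        return None


def build_ssh_trace(unknown_user_attempts: int, password_failures: int, step: float = 1.0) -> List[StateChange]:
    """Constructed state-change sequence: usernames rejected at verification, then repeated
    password failures for an accepted username. Timestamps advance by `step` seconds."""
    trace: List[StateChange] = []
    t = 0.0
    for _ in range(unknown_user_attempts):
        trace.append(StateChange(t, State.CLOSED, State.USERNAME_VERIFICATION)); t += step
        trace.append(StateChange(t, State.USERNAME_VERIFICATION, State.CLOSED)); t += step
    trace.append(StateChange(t, State.CLOSED, State.USERNAME_VERIFICATION)); t += step
    trace.append(StateChange(t, State.USERNAME_VERIFICATION, State.WAITING_IDENTITY)); t += step
    for _ in range(password_failures):
        trace.append(StateChange(t, State.WAITING_IDENTITY, State.LOGIN_FAILURE)); t += step
        trace.append(StateChange(t, State.LOGIN_FAILURE, State.WAITING_IDENTITY)); t += step
    return trace


def run_model(trace: List[StateChange], window_seconds: float = 60.0) -> Optional[dict]:
    """Return the first alarm raised for the trace, or None if the behaviour stays within thresholds."""
    model = AbnormalTrafficModel("SSH", window_seconds, SSH_BRUTE_FORCE_THRESHOLDS)
    for change in trace:
        alarm = model.observe(change)
        if alarm is not None:
            return alarm
    return None


if __name__ == "__main__":
    print(run_model(build_ssh_trace(5, 4)))          # alarm with counts 4 and 5
    print(run_model(build_ssh_trace(5, 4, step=20.0)))  # same events spread out: no alarm
```

Spreading the same 20 state changes over 380 seconds instead of 19 leaves at most four of them inside the 60-second window at any moment, so no alarm is raised; that is the effect of the "preset time period" in the patent text.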
[0028] A third aspect of the present invention relates to a distributed power threat self-sensing and processing device, comprising a processor and a storage medium; the storage medium is used to store instructions; the processor is used to perform operations according to the instructions to execute the steps of the method in the first aspect of the present invention.
[0029] A fourth aspect of the present invention relates to a computer-readable storage medium having a computer program stored thereon that, when executed by a processor, implements the steps of the method of the first aspect of the present invention.
[0030] The beneficial effect of the present invention is that, compared with the prior art, the threat self-sensing and processing method and system for distributed power sources in the present invention deploys the threat self-sensing and processing device for distributed power sources on the uplink of the distributed power source plant, monitors the traffic information between the distributed power source and the master station, senses whether the distributed power source environment is safe, and processes the threat according to a preset strategy when a security threat occurs.
Description of the Attached Figures
[0031] Figure 1 is a schematic diagram of the deployment of the threat self-sensing and processing device for distributed power sources according to the present invention.
[0032] Figure 2 is a schematic diagram of threat self-sensing in the threat self-sensing and handling method for distributed power sources according to the present invention.
[0033] Figure 3 is a schematic diagram of uplink traffic classification, analysis and event handling in the threat self-sensing and handling method for distributed power sources according to the present invention.
[0034] Figure 4 is a schematic diagram of downlink traffic classification, analysis and event handling in the threat self-sensing and handling method for distributed power sources according to the present invention.
[0035] Figure 5 is a schematic diagram of data packet parsing and process handling in the threat self-sensing and handling method for distributed power sources according to the present invention.
[0036] Figure 6 is a schematic diagram of the preliminary classification of data packets in the threat self-sensing and processing method for distributed power sources according to the present invention.
[0037] Figure 7 is a schematic diagram of the verification of the preliminary classification results of data packets in the threat self-sensing and processing method for distributed power sources according to the present invention.
[0038] Figure 8 is a schematic diagram of SSH brute-force attack behaviour in the state-machine-based abnormal traffic model of the threat self-sensing and processing method for distributed power sources according to the present invention.
[0039] Figure 9 is a schematic diagram of the alarm transmission process in the threat self-sensing and processing method for distributed power sources according to the present invention.
Detailed Implementation
[0040] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of this invention. The embodiments described in this invention are merely some embodiments of this invention, and not all embodiments. Based on the spirit of this invention, all other embodiments not described in this invention obtained by those skilled in the art based on the embodiments described in this invention without creative effort should fall within the protection scope of this invention.
[0041] The first aspect of the present invention relates to a method for self-sensing and handling threats to distributed power sources, the method comprising steps 1 to 5.
[0042] Step 1: Connect the distributed power source threat self-sensing and processing device to the vertical encrypted channel between the distributed power source and the dispatch master station, and collect the communication traffic on the vertical encrypted channel.
[0043] As shown in Figure 1, the threat self-sensing and processing device for distributed power sources is connected in series on the link between the distributed power source substation and the master station, so that all traffic between the substation and the dispatch master station passes through it. The device inspects this traffic and automatically cuts off the data channel between the substation and the master station when malicious traffic is detected, thereby realizing the threat self-sensing and processing capability of the distributed power source.
[0044] In one embodiment, in a 10(6) kV grid-connected distributed power source, a threat self-sensing and processing device for the distributed power source is deployed on the uplink of the distributed power source substation. A vertical encrypted tunnel is established between this device and the dispatch master station. This invention collects traffic from the distributed power source substation in real time, such as power-related traffic like remote control and other electrical business traffic, security monitoring-related traffic generated by agents deployed on the substation's host equipment, security log information, and operation information. Subsequently, this traffic is classified and matched. For unknown and threatening traffic, threat log information is generated and reported to the master station's security management platform for processing. Simultaneously, the link between the distributed power source substation and the master station is severed, thereby realizing the distributed power source's threat self-sensing and processing capabilities.
[0045] Step 2: Obtain the mirror traffic of the communication traffic, and parse the IP header and TCP header of each data packet in the mirror traffic to perform preliminary classification of the data packets.
[0046] Figure 3 is a schematic diagram of uplink traffic classification, analysis and event handling in the method of the present invention; as shown there, the device inspects the upstream traffic of the distributed power plant. Figure 4 is the corresponding schematic diagram for downlink traffic classification, analysis and event handling; as shown there, the device inspects the downstream traffic of the distributed power plant.
[0047] In power systems, the main protocols used by remote terminal units are 104 and 101 (IEC 60870-5-104 and IEC 60870-5-101), DNP3 and Modbus. In addition, secondary power equipment should be equipped with security agents that monitor equipment status, and transmission between an agent and its server should use dedicated power protocols.
[0048] The data exchange component copies the original data packet P.ori to obtain a mirror data packet P.mirror, and then sends P.mirror to the service classification component to complete the traffic collection operation. Generally, analyzing the content carried within network data packets requires decapsulating the network data packets layer by layer. This process involves calling various protocol functions in the kernel, and finally, the data is passed to the user-space protocol software for further parsing.
[0049] Figure 5 is a schematic diagram of packet parsing and process handling in the method of the present invention. As shown in Figure 5, under normal circumstances, after the network interface card (NIC) receives the traffic data it strips the Ethernet header, leaving the communication traffic consisting of the IP header, TCP header and data content. The data analysis and processing device then parses and classifies the data layer by layer in the system kernel and finally obtains the protocol data. This protocol data is then parsed by protocol software, for example using preset data extraction rules, to obtain the behavioural content of the data packets and perceive threats.
[0050] The method of the present invention instead adopts the simpler and more efficient processing path also shown in Figure 5: detailed protocol information is not required for traffic classification. To classify traffic rapidly, the network interface card and the user-space program are connected through the netmap framework, and packets handled by the NIC are delivered directly to the service classification program in user space. Because the packets are not parsed by the kernel protocol stack, the service classification program operates directly on the binary byte stream.
[0051] Preferably, the process involves acquiring mirrored traffic of communication traffic and parsing the IP header and TCP header of each data packet in the mirrored traffic to perform preliminary classification of the data packets. This includes: acquiring mirrored traffic of communication traffic, where the mirrored traffic consists of multiple independent data packets, each of which is a protocol message sequentially encapsulated in a TCP header and an IP header; extracting the destination port field from the TCP header and the protocol type field from the IP header, and obtaining the protocol type of the data packet through the destination port field and the protocol type field; and performing preliminary classification of the data packets based on the protocol type.
[0052] In power systems, distributed generation devices communicate with different types of other power equipment using various protocols. To ensure standardized network communication among power equipment, the addresses and target ports of auxiliary communication devices are typically allocated based on device type and the functions they provide. Therefore, by analyzing some data from the target port, it is possible to roughly deduce the type of device located at the target port and the communication method between that device and the distributed generation device.
[0053] In actual data transmission the option fields of both the IP header and the TCP header are empty, so both headers have a fixed length (20 bytes each); bit positions below are counted from the first bit of the IP header, after the Ethernet header has been removed. Figure 6 is a schematic diagram of the preliminary classification of data packets in the threat self-sensing and processing method for distributed power sources of the present invention. As shown in Figure 6, in the preliminary classification bits 73-80 of the data packet (the protocol type field of the IP header) are extracted as f1 and bits 177-192 (the destination port field of the TCP header) are extracted as f2. A feature value is computed from f1 and f2 by an algorithm for the preliminary classification. The algorithm is a feature extraction algorithm commonly used in the existing technology; any common feature extraction method for data packets, such as a CRC checksum over the two fields, can be used to derive the feature values in Table 1. In one embodiment, after extracting protocol feature values for the different protocol types and destination ports of the data packets, the resulting protocol feature value table is as follows:
[0054]
[0055]
[0056] Table 1 Protocol Feature Value Table
[0057] After the feature value of the current data packet has been computed with this algorithm, the protocol feature value table is queried to obtain the protocol type of the preliminary classification.
[0058] Step 3: Based on the protocol type obtained from the preliminary classification, parse the preset location field of each data packet in the mirrored traffic to verify the results of the preliminary classification and obtain the traffic type.
[0059] Preferably, parsing the preset position field of each data packet in the mirrored traffic based on the protocol type obtained from the preliminary classification, so as to verify the result of the preliminary classification and obtain the traffic type, includes: setting a preset position field for each protocol type; for each data packet, extracting the preset position field from the data packet according to the protocol type obtained in its preliminary classification; and querying a preset secondary classification confirmation table with the extracted preset position field of the current data packet to verify the result of the preliminary classification and obtain the traffic type.
[0060] After the preliminary classification, the data packets undergo a secondary classification to confirm that the classification result is accurate. Based on the preliminary classification result, different bit positions are selected for the secondary confirmation. DNP3, 104 and Modbus protocol messages are encapsulated directly in the header format used for the preliminary classification, so for these protocols the packet content starts after the fixed-length headers, typically at bit 321 (the 20-byte IP header and 20-byte TCP header together occupy 320 bits), and the content at the beginning of the message is usually fixed. Based on the actual formats of these protocols, for example DNP3 starts with the START identifier (0x05 0x64) and the 104 protocol starts with a fixed start character (0x68), preset position fields of different lengths and their standard contents are determined.
[0061] Table 2 is a secondary classification confirmation table, which describes the preset location fields and their values for different protocol types.
[0062]
Serial number | Protocol type   | Preset position field | Preset position field value
1             | DNP3 protocol   | bit 321 - bit 336     | 0000 0101 0110 0100
2             | 104 protocol    | bit 321 - bit 328     | 0110 1000
3             | Modbus protocol | bit 325 - bit 328     | 0000
...           | ...             | ...                   | ...
[0063] Table 2 Secondary Classification Confirmation Form
[0064] Figure 7 is a schematic diagram of the verification of the preliminary classification result of a data packet in the distributed power source threat self-sensing and processing method of the present invention. As shown in Figure 7, the valid information is extracted from the mirrored traffic: if the length of the mirrored data packet is n bits, the content from bit 321 to bit n is extracted, and the corresponding protocol parsing program parses the protocol according to the traffic classification result obtained with Table 2.
[0065] Preferably, querying the preset secondary classification confirmation table with the extracted preset position field of the current data packet to verify the preliminary classification result and obtain the traffic type includes: the preset secondary classification confirmation table contains, in one-to-one correspondence, a protocol type, a preset position field and a preset position field value; when the secondary classification confirmation table is queried with the extracted preset position field of the current data packet, if a corresponding entry is found, it is determined whether the corresponding protocol type is consistent with the preliminary classification result, and if so the preliminary classification result is confirmed to be accurate and the verification is passed; if no corresponding entry is found, or the corresponding protocol type is inconsistent with the preliminary classification result, the preliminary classification result is confirmed to be inaccurate and the verification is not passed; the protocol type of a preliminary classification result that has passed verification is used as the traffic type of the current data packet.
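The two-stage classification of steps 2 and 3 (paragraphs [0051]-[0057] and [0058]-[0065]), as one added example that is not the patent's code. It assumes what the page states: no Ethernet header, no IP/TCP options, so the payload starts at bit 321. Table 1 is not reproduced on the page, so the preliminary lookup is keyed on the raw (IP protocol, TCP destination port) pair instead of a checksum over it, using the IANA-registered ports 20000 (DNP3), 2404 (IEC 104) and 502 (Modbus/TCP); the Table 2 rows are taken as printed, and the packets are constructed sample data.

```python
"""Steps 2 and 3 of the page: preliminary classification from the IP protocol
field (bits 73-80) and the TCP destination port (bits 177-192), then secondary
confirmation from the preset field at bit 321 onward (Table 2)."""
import struct


def bit_field(pkt: bytes, start: int, end: int) -> int:
    """Bits start..end of pkt, 1-indexed, inclusive, MSB-first, as an integer."""
    value = 0
    for i in range(start - 1, end):
        value = (value << 1) | ((pkt[i // 8] >> (7 - i % 8)) & 1)
    return value


# Stand-in for Table 1 (not reproduced on the page): the raw (f1, f2) pair is the
# lookup key instead of a checksum over it. Ports are the IANA registrations.
PRELIMINARY_TABLE = {(6, 20000): "DNP3", (6, 2404): "104", (6, 502): "Modbus"}

# Table 2 as printed: protocol type -> (first bit, last bit, expected value)
SECONDARY_TABLE = {
    "DNP3":   (321, 336, 0b0000_0101_0110_0100),   # DNP3 START bytes 0x05 0x64
    "104":    (321, 328, 0b0110_1000),             # IEC 104 APCI start byte 0x68
    "Modbus": (325, 328, 0b0000),
}


def preliminary_classify(pkt: bytes):
    """Step 2: protocol type from f1 (IP protocol) and f2 (TCP destination port)."""
    if len(pkt) < 40:          # fixed 20-byte IP + 20-byte TCP headers assumed
        return None
    f1 = bit_field(pkt, 73, 80)
    f2 = bit_field(pkt, 177, 192)
    return PRELIMINARY_TABLE.get((f1, f2))


def verify_classification(pkt: bytes, prelim: str) -> bool:
    """Step 3: extract the preset field chosen by the preliminary type, query Table 2
    with it, and pass only if the table answers with the same protocol type."""
    start, end, _ = SECONDARY_TABLE[prelim]
    if len(pkt) * 8 < end:
        return False
    field = bit_field(pkt, start, end)
    answer = next((p for p, (s, e, v) in SECONDARY_TABLE.items()
                   if (s, e, v) == (start, end, field)), None)
    return answer == prelim


def classify(pkt: bytes) -> dict:
    """Full pipeline: a packet gets a traffic type only if verification passes."""
    prelim = preliminary_classify(pkt)
    verified = prelim is not None and verify_classification(pkt, prelim)
    return {"prelim": prelim, "verified": verified,
            "traffic_type": prelim if verified else None}


def build_packet(dst_port: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet without options (sample data, not captured traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def sample_packets() -> dict:
    """Constructed packets covering each Table 2 row, a mismatch and an unknown port."""
    return {
        "dnp3":     build_packet(20000, bytes([0x05, 0x64, 0x05, 0xC0, 0x01, 0x00])),
        "iec104":   build_packet(2404,  bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),
        "modbus":   build_packet(502,   bytes([0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03])),
        # Port says IEC 104 but the payload carries the DNP3 START bytes: verification fails
        "mismatch": build_packet(2404,  bytes([0x05, 0x64, 0x05, 0xC0])),
        "unknown":  build_packet(8080,  b"GET / HTTP/1.0\r\n"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:9s} {classify(pkt)}")
```

The "mismatch" packet is the case paragraph [0087] treats as a service classification error: the port points to one protocol, the payload to another, and the device raises an alarm rather than trusting either. One caveat on the Modbus row as printed: bits 325-328 fall inside the transaction identifier of the Modbus/TCP MBAP header, which is not constant, while the always-zero protocol identifier occupies bits 337-352; a deployment would more robustly key on that field.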
[0066] Step 4: Extract key data from the current data packet based on its traffic type, and parse the key data using preset data extraction rules to obtain the status changes of the current data packet.
[0067] Preferably, key data in the current data packet is extracted according to the traffic type of the current data packet, and the key data is parsed according to the preset data extraction rules to obtain the state changes in the current data packet. This includes: the preset data extraction rules define the location and meaning of the key data to be extracted according to the traffic type of the current data packet; extract key data based on the key data location, and parse the state changes existing in the current data packet according to the meaning of the key data.
[0068] Given that different types of protocols use different methods to extract key data related to state changes, it is necessary to extract key fields from data packets and understand the meaning of these key fields to obtain the actual state changes related to traffic threats expressed in the data packets.
[0069] For each protocol, its inherent data content can characterize the communication connection method between the packet sender and the packet receiver, whether a communication failure has occurred, and whether data transmission is normal. The data packets of each protocol support the description of various communication states; SSH is used here as an example to illustrate the state changes. Table 3 shows the data content related to SSH state changes. In Table 3, the different state changes are described with pre-designed data example templates; a template takes the data of one or more fields of the protocol to characterize the actual state of the packet. Filling the fields into the data example template is carried out according to the data extraction rules. To implement a data extraction rule it is necessary to define the location of the key data, for example from bit m to bit n of the packet, and also to define the substantive meaning of that key data, as was done above for the destination port. For the data content of the transport layer and the application layer of a protocol, this may include a username, a port number, and so on.
[0070] On one hand, key data is filled into the corresponding example templates according to data extraction rules. On the other hand, the key data is analyzed simply based on its value, and then mapped to a specific example template. For example, if a certain bit in the message represents a value of 1 for successful user authentication and a value of 0 for failed authentication, then the corresponding example template will be invoked.
[0071] Preferably, the process of parsing the state changes present in the current data packet based on the meaning of key data includes: defining state change rules for each type of traffic, the state change rules including the correspondence between state change types and data examples; and filling one or more extracted key data into a data example template based on their respective key data meanings to generate the state changes of the current data packet containing the inherent logic between one or more key data.
[0072] Table 3 shows the state changes of messages under the SSH protocol and illustrates how the method for extracting the key data of state changes differs between protocol types.
[0073]
[0074]
[0075] Table 3 SSH Status Changes
[0076] Clearly, not all state changes can describe problems such as traffic threats in protocol messages or communication connection errors. Therefore, the SSH state change table needs to be simplified. Table 4 shows threat-related state changes in SSH.
[0077]
[0078] Table 4. Threat-Related SSH Status Changes
[0079] Step 5: Design an abnormal traffic model based on a state machine, interpret the state changes in multiple data packets under the same traffic type, determine the threat status of the distributed power source, and execute the threat handling process.
[0080] After protocol parsing is completed, abnormal behavior models are matched based on the protocol content. According to their purpose, protocol models can be divided into two types: business models and security models. Business models mainly include three types: 104 protocol abnormal traffic model, DNP3 protocol abnormal traffic model, and Modbus protocol abnormal traffic model. Security models mainly include terminal security traffic models, which, based on the content of security monitoring, include login behavior abnormal models, trust behavior abnormal models, etc.
[0081] This invention uses a state machine mechanism to construct the model. Preferably, a state machine-based abnormal traffic model is designed to interpret state changes in multiple data packets of the same traffic type, thereby determining the threat status of the distributed power supply and executing a threat handling process. This includes: the state machine-based abnormal traffic model includes multiple states and state changes between the multiple states; a set number of loops for state changes between the multiple states in the abnormal traffic model is set; if the state changes in multiple data packets of the same traffic type exceed the number of loops, it is determined that the service of the current traffic type has abnormal behavior.
[0082] Since the state machine-based abnormal traffic model of this invention is in fact divided into several different models according to the protocol, only one model is described here as an example. Figure 8 illustrates the relationship between SSH brute-force attack behavior and the state machine-based abnormal traffic model in the distributed power supply threat self-awareness and handling method of this invention. Taking the SSH program as an example, its abnormal behavior model is shown in Figure 8, where ×4 denotes 4 cycles and ×5 denotes 5 cycles.
[0083] After the data rules in step 4 are established, the state changes of data packets can be collected and compared with the abnormal traffic model. If they match completely, for example, the state changes can be matched from the entry point to the exit point of the abnormal model, then it is determined that there is abnormal behavior in the data traffic, the threat handling process is executed, and the corresponding alarm information is generated and sent to the main station.
[0084] In this process, the parsed data packets are first sorted according to the timestamp or counter information in the protocol; based on the sorted order, the state changes corresponding to each data packet are analyzed, and the multiple state changes in the order are compared with the abnormal traffic model to analyze whether the multiple state changes constitute an abnormal behavior.
[0085] In the SSH implementation, multiple states include username verification state, waiting for identity information state, login failure state, and closed state. In a series of consecutive data packets within a preset time period, if the number of loops between the waiting for identity information state and the login failure state reaches 4 times, and the number of loops between the username verification state and the closed state reaches 5 times, then it is determined that the current traffic type of the service has abnormal behavior.
[0086] Preferably, an abnormal traffic model based on a state machine is designed to interpret the state changes in multiple data packets under the same traffic type, thereby determining the threat status of the distributed power supply and executing the threat handling process. This includes: when it is determined that there is abnormal behavior in the current traffic type of service, the traffic type, state change, and number of state changes corresponding to the abnormal behavior are sent as alarm information to the main station security management platform to determine the threat status of the distributed power supply and execute the threat handling process.
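The key-data extraction rules of step 4 (paragraphs [0066]-[0071]) and the state-machine model matching of step 5 (paragraphs [0079]-[0086]), as one added example that is not the patent's code. Tables 3 and 4 and Figure 8 are not reproduced on the page, so the message layout, the reading of a "loop" as the transition that returns the machine to an earlier state (login failure back to waiting for identity information, closed back to username verification), the 60-second window and the packet sequences are assumptions; the four state names and the ×4/×5 thresholds are the page's. Real SSH authentication runs inside the encrypted transport, so the byte layout below only stands in for whatever key data the device's protocol parser makes available.

```python
"""Steps 4 and 5 of the page: key-data extraction rules that turn each packet into
a state change, and a state-machine abnormal traffic model (SSH brute force)
matched against the time-ordered state changes."""
from collections import Counter

# The four states named on the page, plus a success state outside the abnormal model
VERIFY = "username verification"
WAIT = "waiting for identity information"
FAIL = "login failure"
SUCCESS = "login success"
CLOSED = "closed"

# Constructed, hypothetical key-data layout (not the SSH wire format): byte 0 is the
# message kind; for kind 0x03 byte 1 is the authentication result flag
# (1 = success, 0 = failure); the remaining bytes are the username.
EXTRACTION_RULES = {
    0x01: (VERIFY, "username {user} offered"),
    0x02: (WAIT, "server waiting for identity of {user}"),
    0x03: {1: (SUCCESS, "user {user} authenticated"),
           0: (FAIL, "user {user} failed authentication")},
    0x04: (CLOSED, "connection of {user} closed"),
}


def extract_state_change(payload: bytes):
    """Apply the extraction rules; returns (state, filled template) or None."""
    rule = EXTRACTION_RULES.get(payload[0]) if payload else None
    if rule is None:
        return None
    if isinstance(rule, dict):                  # template chosen by the flag's value
        if len(payload) < 2 or payload[1] not in rule:
            return None
        state, template = rule[payload[1]]
        user = payload[2:]
    else:
        state, template = rule
        user = payload[1:]
    return state, template.format(user=user.decode("utf-8", "replace") or "?")


# SSH brute-force model: loop edges (the transition that returns the machine to an
# earlier state) and how many traversals of each are required (x4 and x5 on the page).
SSH_BRUTE_FORCE_MODEL = {
    "traffic_type": "SSH",
    "entry": VERIFY,
    "loops": {(FAIL, WAIT): 4, (CLOSED, VERIFY): 5},
    "window_seconds": 60.0,                     # assumed preset time period
}


def match_model(events, model):
    """events: iterable of (timestamp, payload). Sorts by timestamp, derives the state
    changes, and returns the alarm information (traffic type, state changes and their
    counts) once the model is matched from its entry point within the window, else None."""
    changes = []
    for ts, payload in sorted(events, key=lambda e: e[0]):
        change = extract_state_change(payload)
        if change is not None:
            changes.append((ts, change[0]))
    for start, (t0, state0) in enumerate(changes):
        if state0 != model["entry"]:
            continue
        counts, prev = Counter(), state0
        for ts, state in changes[start + 1:]:
            if ts - t0 > model["window_seconds"]:
                break
            if (prev, state) in model["loops"]:
                counts[(prev, state)] += 1
            prev = state
            if all(counts[edge] >= n for edge, n in model["loops"].items()):
                return {"traffic_type": model["traffic_type"],
                        "state_changes": {f"{a} -> {b}": counts[(a, b)]
                                          for (a, b) in model["loops"]},
                        "first_seen": t0, "last_seen": ts}
    return None


def brute_force_connection(t0, user, attempts=5, step=0.1):
    """Constructed packet sequence for one connection with `attempts` failed logins."""
    seq = [bytes([0x01]) + user, bytes([0x02]) + user]
    for _ in range(attempts):
        seq += [bytes([0x03, 0]) + user, bytes([0x02]) + user]
    seq[-1] = bytes([0x04]) + user              # server closes instead of prompting again
    return [(t0 + i * step, p) for i, p in enumerate(seq)]


def sample_attack(spacing=5.0):
    """Six connections against 'root', `spacing` seconds apart (constructed data)."""
    events = []
    for i in range(6):
        events += brute_force_connection(i * spacing, b"root")
    return events


SAMPLE_BENIGN = [(0.0, b"\x01alice"), (0.1, b"\x02alice"), (0.2, b"\x03\x00alice"),
                 (0.3, b"\x02alice"), (0.4, b"\x03\x01alice"), (0.5, b"\x04alice")]

if __name__ == "__main__":
    print(match_model(sample_attack(), SSH_BRUTE_FORCE_MODEL))
    print(match_model(sample_attack(spacing=40.0), SSH_BRUTE_FORCE_MODEL))
    print(match_model(SAMPLE_BENIGN, SSH_BRUTE_FORCE_MODEL))
```

The same six connections spread 40 seconds apart no longer fit in the window, so the model is not matched: the preset time period is what separates a brute-force attempt from an operator retyping a password over a shift. Sorting before matching is what paragraph [0084] requires; the test feeds the packets in reverse order to show it.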
[0087] Figure 9 is a schematic diagram of the alarm transmission process in the threat self-sensing and processing method for distributed power sources of the present invention. As shown in Figure 9, after a service classification error occurs or an abnormal model is matched successfully, the device generates alarm information for the threat and sends it to the main station security management platform through the vertical encryption component. After receiving the threat handling request from the traffic classification component or the model matching component, the threat handling component sends a command to cut off the encrypted channel to the vertical encryption component through an internal interface. On receiving the command, the vertical encryption component cuts off the vertical encrypted channel to the main station by deleting the tunnel, which completes the threat handling process.
[0088] When the device detects a security threat and disconnects the vertical encryption channel, the terminal needs to request restoration from the master station to restore the channel. After the master station confirms that the threat to the terminal has been eliminated, it can proactively initiate a vertical encryption connection with the terminal, thereby restoring communication between the terminal and the master station. To prevent malicious connections from terminals, terminals whose connections have been disconnected by this device will be marked on the master station. The vertical encryption device on the master station will not accept connection requests initiated by marked terminals.
[0089] As described above, the traffic classification and protocol parsing methods based on binary code streams skip the IP and TCP parsing of the kernel protocol stack, extracting features and matching models directly on the binary code stream of the data packets, which saves system resources while improving traffic classification efficiency. The state machine-based abnormal behavior model matching method constructs the abnormal state model of an application with a state machine, which is more refined and matches more efficiently than a decision tree model. Furthermore, by constructing data extraction rules and extracting only the key data of state transitions, the collected data is simplified, further improving the matching efficiency of the abnormal state model. The method uses traffic replication and collaborative processing for state awareness and threat handling and requires no additional settings on the connected terminal devices. In the distributed threat discovery and handling architecture, the relevant information is processed by distributed computing: the device, as a distributed computing node, perceives and handles threats locally within the distributed power supply, while reporting unknown threat information to the main station via threat logs, where the main station performs threat analysis and model iteration.
[0090] Figure 2 is a schematic diagram of the threat self-sensing and processing system for distributed power sources according to the present invention. As shown in Figure 2, in a second aspect this invention relates to a threat self-sensing and processing system for distributed power sources using the method of the first aspect. The system includes a collection module, a parsing module, a verification module, an extraction module, and a handling module. The collection module connects the distributed power source threat self-sensing and processing device to the vertical encrypted channel between the distributed power source and the scheduling master station and collects the communication traffic on the vertical encrypted channel. The parsing module acquires the mirror traffic of the communication traffic and parses the IP header and TCP header of each data packet in the mirror traffic to perform the preliminary classification of the data packets. The verification module, based on the protocol type obtained from the preliminary classification, parses a preset position field of each data packet in the mirror traffic to verify the preliminary classification result and obtain the traffic type. The extraction module extracts key data from the current data packet according to its traffic type and parses the key data using preset data extraction rules to obtain the state changes of the current data packet. The handling module designs a state machine-based abnormal traffic model, interprets the state changes in multiple data packets of the same traffic type, determines the threat status of the distributed power source, and executes the threat handling process.
[0091] Compared with multi-level power grid blocking technology, this device is highly integrated in function. Because of investment constraints, most distributed power sources do not deploy Type II network security monitoring devices. To address this, the device tightly integrates part of the functions of a Type II network security monitoring device with the vertical encryption equipment and adds model matching capabilities. The device can perceive the status of distributed power source terminals through preset models and sever the connection to the main station when a security threat is detected. Compared with multi-level blocking schemes that process security log information centrally at the main station, this device processes the relevant information with distributed computing: through the preset security models and traffic replication, threat detection is performed locally, while the abnormal data reporting function reports abnormal data packets to the main station, enabling iteration of the monitoring model.
[0092] Since the number of distributed power sources is far greater than that of centralized power sources, centrally processing all security logs on the main station would place extremely high demands on its computing resources, potentially leading to delayed threat detection and long response times. The device's binary stream-based traffic classification method, protocol reassembly method, and state machine-based abnormal behavior model matching method significantly reduce the pressure on the main station's computing resources, making it more suitable for resource-constrained scenarios.
[0093] In addition, the security functions of the device are separated from the service functions, and all security capabilities are highly integrated. Since the device does not involve functions related to the power service itself, it has a wider range of applications.
[0094] Preferably, the parsing module acquires the mirror traffic of the communication traffic and parses the IP header and TCP header of each data packet in the mirror traffic to perform the preliminary classification of the data packets, including: acquiring the mirror traffic of the communication traffic, the mirror traffic consisting of multiple independent data packets, each data packet being a protocol message encapsulated in turn in a TCP header and an IP header; extracting the destination port field from the TCP header and the protocol type field from the IP header, and obtaining the protocol type of the data packet from the destination port field and the protocol type field; and performing the preliminary classification of the data packets according to the protocol type.
[0095] Preferably, the verification module is used to parse the preset position field of each data packet in the mirrored traffic based on the protocol type obtained from the preliminary classification, so as to verify the result of the preliminary classification and obtain the traffic type. This includes: setting preset position fields for each protocol type; extracting the preset position fields in the data packets according to the protocol type obtained from the preliminary classification for each data packet; and querying a preset secondary classification confirmation table using the extracted preset position fields of the current data packet to verify the result of the preliminary classification and obtain the traffic type.
[0096] Preferably, in the verification module, a preset secondary classification confirmation table is queried using the preset location field of the extracted current data packet to verify the preliminary classification result and obtain the traffic type. This includes: the preset secondary classification confirmation table includes a one-to-one corresponding protocol type, a preset location field, and a preset location field value; when the preset location field of the extracted current data packet is used to query the secondary classification confirmation table, if a corresponding result is obtained, it is determined whether the corresponding protocol type is consistent with the preliminary classification result. If so, the preliminary classification result is confirmed to be accurate, and the verification is passed; if a corresponding result cannot be obtained or the corresponding protocol type is inconsistent with the preliminary classification result, the preliminary classification result is confirmed to be inaccurate, and the verification is not passed; the protocol type in the verified preliminary classification result is taken as the traffic type of the current data packet.
[0097] Preferably, the extraction module is used to extract key data from the current data packet according to the traffic type of the current data packet, and to parse the key data according to the preset data extraction rules to obtain the state changes in the current data packet, including: the preset data extraction rules define the location and meaning of the key data to be extracted according to the traffic type of the current data packet; extract key data based on the key data location, and parse the state changes existing on the current data packet according to the meaning of the key data.
[0098] Preferably, the extraction module parses the state changes present in the current data packet according to the meaning of the key data, including: defining state change rules for each traffic type, the state change rules including the correspondence between state change types and data examples; and filling one or more extracted key data into the data example template according to their respective key data meanings, so as to generate the state changes of the current data packet containing the inherent logic between the one or more key data.
[0099] Preferably, the handling module is used to design an abnormal traffic model based on a state machine, interpret the state changes in multiple data packets under the same traffic type, thereby determining the threat status of the distributed power supply and executing the threat handling process, including: the abnormal traffic model based on a state machine includes multiple states and the state changes between multiple states; setting the number of loops for state changes between multiple states in the abnormal traffic model, if the state changes in multiple data packets under the same traffic type exceed the number of loops, then it is determined that the service of the current traffic type has abnormal behavior.
[0100] Preferably, in the handling module, the abnormal traffic model based on the state machine includes multiple states and state changes between multiple states, including: multiple states including username verification state, waiting for identity information state, login failure state, and closed state; setting the number of loops for state changes between multiple states in the abnormal traffic model, including: in multiple consecutive data packets within a preset time period, if the number of loops between the waiting for identity information state and the login failure state reaches 4 times, and the number of loops between the username verification state and the closed state reaches 5 times, then it is determined that the current traffic type of the service has abnormal behavior.
[0101] Preferably, the handling module is used to design an abnormal traffic model based on a state machine, interpret the state changes in multiple data packets under the same traffic type, thereby determining the threat status of the distributed power supply and executing the threat handling process, including: when it is determined that there is abnormal behavior in the current traffic type of service, the traffic type, state change, and number of state changes corresponding to the abnormal behavior are sent as alarm information to the main station security management platform to determine the threat status of the distributed power supply and execute the threat handling process.
[0102] A third aspect of the present invention relates to a distributed power threat self-sensing and processing device, comprising a processor and a storage medium; the storage medium is used to store instructions; the processor is used to perform operations according to the instructions to execute the steps of the method in the first aspect of the present invention.
[0103] A fourth aspect of the present invention relates to a computer-readable storage medium having a computer program stored thereon that, when executed by a processor, implements the steps of the method of the first aspect of the present invention.
[0104] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the protection scope of the claims of the present invention.
Claims
1. A method for threat self-sensing and handling of distributed power sources, characterized in that the method includes the following steps: connecting the distributed power source threat self-sensing and processing device to the vertical encrypted channel between the distributed power source and the dispatch master station, and collecting the communication traffic on the vertical encrypted channel; obtaining the mirror traffic of the communication traffic, and parsing the IP header and TCP header of each data packet in the mirror traffic to perform preliminary classification of the data packets, wherein the mirror traffic consists of multiple independent data packets, each of which is a protocol message encapsulated in turn in a TCP header and an IP header, the destination port field is extracted from the TCP header and the protocol type field from the IP header, the protocol type of the data packet is obtained from the destination port field and the protocol type field, and the data packets are preliminarily classified according to the protocol type;
based on the protocol type obtained from the preliminary classification, parsing the preset position field of each data packet in the mirrored traffic to verify the result of the preliminary classification and obtain the traffic type, wherein a preset position field is set for each protocol type, the preset position field of each data packet is extracted according to the protocol type obtained in its preliminary classification, and the extracted preset position field of the current data packet is used to query a preset secondary classification confirmation table to verify the result of the preliminary classification and obtain the traffic type; when the secondary classification confirmation table is queried with the extracted preset position field of the current data packet, if a corresponding result is obtained it is determined whether the corresponding protocol type is consistent with the result of the preliminary classification, and if so the result of the preliminary classification is confirmed to be accurate and the verification is passed; if no corresponding result is obtained, or the corresponding protocol type is inconsistent with the result of the preliminary classification, the result of the preliminary classification is confirmed to be inaccurate and the verification is not passed; the protocol type of a preliminary classification result that has passed verification is used as the traffic type of the current data packet; extracting key data from the current data packet based on its traffic type, and parsing the key data according to preset data extraction rules to obtain the state changes of the current data packet; and designing a state machine-based abnormal traffic model to interpret the state changes in multiple data packets of the same traffic type, determine the threat status of the distributed power source, and execute the threat handling process.
2. The threat self-sensing and handling method for distributed power sources according to claim 1, characterized in that the step of extracting key data from the current data packet based on its traffic type, and parsing the key data according to preset data extraction rules to obtain the state changes of the current data packet, includes: the preset data extraction rules define the location and meaning of the key data to be extracted according to the traffic type of the current data packet; the key data is extracted according to the key data location, and the state changes present in the current data packet are parsed according to the meaning of the key data.
3. The threat self-sensing and handling method for distributed power sources according to claim 2, characterized in that the step of parsing the state changes present in the current data packet according to the meaning of the key data includes: for each traffic type, defining state change rules for the data packets, including the correspondence between state change types and data examples; and filling the extracted key data into the data example template according to the meaning of each key data, so as to generate the state change of the current data packet containing the inherent logic between the one or more key data.
4. The threat self-sensing and handling method for distributed power sources according to claim 1, characterized in that designing a state machine-based abnormal traffic model to interpret the state changes in multiple data packets of the same traffic type, determine the threat status of the distributed power supply and execute the threat handling process includes: the state machine-based abnormal traffic model includes multiple states and the state changes between these states; a number of loops is set for the state changes between the multiple states in the abnormal traffic model, and if the state changes in multiple data packets of the same traffic type exceed that number of loops, it is determined that the service of the current traffic type has abnormal behavior.
5. The threat self-sensing and handling method for distributed power sources according to claim 4, characterized in that the state machine-based abnormal traffic model including multiple states and the state changes between these states includes: the multiple states include a username verification state, a waiting for identity information state, a login failure state, and a closed state; and setting the number of loops for the state changes between the multiple states in the abnormal traffic model includes: if, within a preset time period, the number of cycles between the waiting for identity information state and the login failure state reaches 4 and the number of cycles between the username verification state and the closed state reaches 5, it is determined that the service of the current traffic type has abnormal behavior.
6. The threat self-sensing and handling method for distributed power sources according to claim 5, characterized in that designing a state machine-based abnormal traffic model to interpret the state changes in multiple data packets of the same traffic type, determine the threat status of the distributed power supply and execute the threat handling process includes: when it is determined that the service of the current traffic type has abnormal behavior, the traffic type, the state changes and the number of state changes corresponding to the abnormal behavior are sent as alarm information to the main station security management platform, in order to determine the threat status of the distributed power supply and execute the threat handling process.
7. A threat self-sensing and processing system for distributed power sources, characterized in that the system is implemented using the threat self-sensing and processing method for distributed power sources according to any one of claims 1-6, and includes an acquisition module, a parsing module, a verification module, an extraction module, and a handling module, wherein: the acquisition module is used to connect the distributed power source threat self-sensing and processing device to the vertical encrypted channel between the distributed power source and the dispatch master station, and to acquire the communication traffic on the vertical encrypted channel; the parsing module is used to obtain the mirror traffic of the communication traffic, and to parse the IP header and TCP header of each data packet in the mirror traffic to perform preliminary classification of the data packets; the verification module is used to parse the preset position field of each data packet in the mirrored traffic based on the protocol type obtained from the preliminary classification, so as to verify the result of the preliminary classification and obtain the traffic type; the extraction module is used to extract key data from the current data packet according to its traffic type, and to parse the key data according to the preset data extraction rules to obtain the state changes of the current data packet; and the handling module is used to design a state machine-based abnormal traffic model, interpret the state changes in multiple data packets of the same traffic type, determine the threat status of the distributed power supply, and execute the threat handling process.
8. The threat self-sensing and processing system for distributed power sources according to claim 7, characterized in that the acquisition module acquiring mirrored traffic of the communication traffic and parsing the IP header and TCP header of each data packet in the mirrored traffic to perform a preliminary classification of the data packets includes: the mirrored traffic of the communication traffic is collected, the mirrored traffic consisting of multiple independent data packets, each of which is a protocol message encapsulated in turn in a TCP header and an IP header; the destination port field is extracted from the TCP header and the protocol type field from the IP header, and the protocol type of the data packet is obtained from the destination port field and the protocol type field; and the data packets are preliminarily classified according to the protocol type.
9. The threat self-sensing and processing system for distributed power sources according to claim 7, characterized in that the verification module parsing a preset location field of each data packet in the mirrored traffic based on the protocol type obtained from the preliminary classification, in order to verify the result of the preliminary classification and obtain the traffic type, includes: a preset location field is defined for each protocol type, and the preset location field of each data packet is extracted according to the protocol type obtained in its preliminary classification; and the preset location field extracted from the current data packet is used to query a preset secondary classification confirmation table, so as to verify the result of the preliminary classification and obtain the traffic type.
10. The threat self-sensing and processing system for distributed power sources according to claim 9, characterized in that, in the verification module, querying the preset secondary classification confirmation table with the preset location field extracted from the current data packet to verify the result of the preliminary classification and obtain the traffic type includes: the preset secondary classification confirmation table contains, in one-to-one correspondence, a protocol type, a preset location field and a preset location field value; when the preset location field extracted from the current data packet is used to query the secondary classification confirmation table and a corresponding result is obtained, it is determined whether the corresponding protocol type is consistent with the result of the preliminary classification; if so, the result of the preliminary classification is confirmed to be accurate and the verification is passed; if no corresponding result is obtained, or the corresponding protocol type is inconsistent with the result of the preliminary classification, the result of the preliminary classification is confirmed to be inaccurate and the verification is not passed; and the protocol type of a preliminary classification result that passes verification is used as the traffic type of the current data packet.
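The two-stage classification of claims 8-10 (preliminary protocol type from the IP protocol field and TCP destination port, then confirmation against a secondary classification table keyed by a protocol-specific field) can be exercised on constructed packets. The following is an added example, not code from the patent or its assignee; the port table, the field offsets and the expected values in the confirmation table are assumptions chosen for illustration (the claims do not specify them), and the sample packets are constructed inline.

```python
"""Two-stage traffic classification as described in claims 8-10.

Added example; not code from the patent or its assignee.  Stage 1 (claim 8)
reads the protocol field of the IP header and the destination port of the TCP
header to obtain a preliminary protocol type.  Stage 2 (claims 9-10) extracts a
protocol-specific preset location field from the payload and queries a secondary
classification confirmation table with it; the preliminary result becomes the
traffic type only when the row found names the same protocol type.
Port numbers, field offsets and expected values below are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_TCP = 6

# Stage 1 table (assumed): TCP destination port -> preliminary protocol type.
PORT_TABLE = {
    2404: "IEC104",  # IEC 60870-5-104 registered port
    502: "MODBUS",   # Modbus/TCP registered port
    22: "SSH",
}


@dataclass(frozen=True)
class ConfirmRow:
    """Row of the secondary classification confirmation table (claim 10):
    protocol type, preset location field (payload offset, length) and the
    value that field must carry."""
    protocol: str
    offset: int
    length: int
    expected: bytes


# Stage 2 table (assumed rows built from well-known framing bytes).
CONFIRM_TABLE = (
    ConfirmRow("IEC104", 0, 1, b"\x68"),      # APCI start byte
    ConfirmRow("MODBUS", 2, 2, b"\x00\x00"),  # MBAP protocol identifier 0
    ConfirmRow("SSH", 0, 4, b"SSH-"),         # version banner prefix
)


def parse_headers(pkt: bytes) -> Optional[Tuple[int, Optional[int], bytes]]:
    """Parse an IPv4 packet into (ip_protocol, tcp_dst_port, payload).
    tcp_dst_port is None for non-TCP packets; None overall if truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    if proto != IPPROTO_TCP:
        return proto, None, pkt[ihl:]
    if len(pkt) < ihl + 20:
        return None
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    doff = (pkt[ihl + 12] >> 4) * 4
    if doff < 20 or len(pkt) < ihl + doff:
        return None
    return proto, dst_port, pkt[ihl + doff:]


def preliminary_classify(proto: int, dst_port: Optional[int]) -> Optional[str]:
    """Claim 8: protocol type from the IP protocol field and TCP destination port."""
    if proto != IPPROTO_TCP or dst_port is None:
        return None
    return PORT_TABLE.get(dst_port)


def verify_classification(prelim: str, payload: bytes) -> Optional[str]:
    """Claims 9-10: extract the preset location field selected by the preliminary
    protocol type, query the table with it, and pass only if the row found
    names the same protocol type."""
    row = next((r for r in CONFIRM_TABLE if r.protocol == prelim), None)
    if row is None:
        return None
    field = payload[row.offset:row.offset + row.length]
    if len(field) != row.length:
        return None
    hits = [r for r in CONFIRM_TABLE if r.expected == field]
    if not hits or all(r.protocol != prelim for r in hits):
        return None  # no result, or the result names another protocol: fail
    return prelim


def classify(pkt: bytes) -> Optional[str]:
    """Full pipeline: the verified traffic type, or None if verification fails."""
    parsed = parse_headers(pkt)
    if parsed is None:
        return None
    proto, dst_port, payload = parsed
    prelim = preliminary_classify(proto, dst_port)
    return None if prelim is None else verify_classification(prelim, payload)


def build_packet(dst_port: int, payload: bytes, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed sample packet: minimal IPv4 header + 20-byte TCP header +
    payload (checksums zero, placeholder addresses; the same header bytes are
    reused for the non-TCP sample since its payload is never examined)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0)
    return ip + tcp + payload


# Constructed sample traffic.
IEC104_PKT = build_packet(2404, b"\x68\x04\x07\x00\x00\x00")
MODBUS_PKT = build_packet(502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")
SSH_PKT = build_packet(22, b"SSH-2.0-example\r\n")
MISMATCH_PKT = build_packet(2404, b"GET / HTTP/1.1\r\n")  # port says IEC104, bytes do not
UDP_PKT = build_packet(2404, b"\x68\x04\x07\x00\x00\x00", proto=17)

if __name__ == "__main__":
    for name, pkt in [("iec104", IEC104_PKT), ("modbus", MODBUS_PKT),
                      ("ssh", SSH_PKT), ("mismatch", MISMATCH_PKT), ("udp", UDP_PKT)]:
        print(name, "->", classify(pkt))
```

The mismatch packet shows the point of the second stage: a port-only classifier would label it IEC 104, but the confirmation table finds no row for its first byte, so the preliminary result is rejected and the packet gets no traffic type rather than being fed to the wrong extraction rules.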
11. The threat self-sensing and processing system for distributed power sources according to claim 7, characterized in that the step of extracting key data from the current data packet based on the traffic type of the current data packet, and parsing the key data according to preset data extraction rules to obtain the state changes present in the current data packet, includes: the preset data extraction rules define, for each traffic type, the location and meaning of the key data to be extracted; the key data is extracted from the defined location, and the state changes present in the current data packet are parsed according to the meaning of the key data.
12. The threat self-sensing and processing system for distributed power sources according to claim 11, characterized in that the extraction module parsing the state changes present in the current data packet according to the meaning of the key data includes: for each traffic type, state change rules for data packets are defined, including the correspondence between state change types and data examples; the extracted key data is populated into the data example template according to the meaning of each item of key data, so as to generate the state change of the current data packet, which captures the inherent logic between the one or more items of key data.
13. The threat self-sensing and processing system for distributed power sources according to claim 7, characterized in that the step of designing a state machine-based abnormal traffic model, interpreting the state changes in multiple data packets of the same traffic type, determining the threat status of the distributed power supply and executing the threat handling process includes: the state machine-based abnormal traffic model includes multiple states and the state changes between these states; the abnormal traffic model sets a loop count for the state changes between states, and if the state changes in multiple data packets of the same traffic type exceed the loop count, the service of the current traffic type is determined to have abnormal behavior.
14. The threat self-sensing and processing system for distributed power sources according to claim 13, characterized in that, in the handling module, the multiple states and state changes of the state machine-based abnormal traffic model include: a username verification state, a waiting-for-identity-information state, a login failure state and a closed state; and setting the loop count for the state changes between states in the abnormal traffic model includes: if, within a preset time period, the number of cycles between the waiting-for-identity-information state and the login failure state reaches 4 and the number of cycles between the username verification state and the closed state reaches 5, the service of the current traffic type is determined to have abnormal behavior.
15. The threat self-sensing and processing system for distributed power sources according to claim 14, characterized in that the step of designing a state machine-based abnormal traffic model, interpreting the state changes in multiple data packets of the same traffic type, determining the threat status of the distributed power supply and executing the threat handling process includes: when the service of the current traffic type is determined to have abnormal behavior, the traffic type, the state change and the number of state changes corresponding to the abnormal behavior are sent as alarm information to the master station security management platform, so as to determine the threat status of the distributed power supply and execute the threat handling process.
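The loop-counting state machine of claims 4-6 and its system counterpart in claims 13-15 can be written out as a small model that consumes per-packet state changes of one traffic type, keeps only those inside a preset time period, and raises an alarm once both loop counts of claim 5 are reached. The following is an added example, not code from the patent or its assignee. The four states and the thresholds 4 and 5 come from claim 5; the set of allowed transitions, the 60-second window, the traffic type name and the event stream are assumptions, and a "cycle between A and B" is counted here as one state change in either direction between A and B, which is this example's reading of the claim rather than a definition the claim gives.

```python
"""State-machine abnormal traffic model with loop counting (claims 4-6, 13-15).

Added example; not code from the patent or its assignee.  Each packet of one
traffic type has already been reduced (claims 2-3) to a timestamped state change
src -> dst.  The model keeps the changes inside a preset time period, counts how
often each configured pair of states is cycled between, and returns alarm
information (traffic type, state changes, counts) once every loop count is met.
States and thresholds are from claim 5; transitions, window and the sample
stream are assumptions; a cycle is counted as one change in either direction.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

USERNAME_VERIFY = "username_verification"
WAIT_IDENTITY = "waiting_identity_information"
LOGIN_FAILURE = "login_failure"
CLOSED = "closed"

# Assumed legal transitions of a login exchange; anything else is rejected as a
# malformed observation rather than silently counted.
TRANSITIONS = {
    (CLOSED, USERNAME_VERIFY), (USERNAME_VERIFY, WAIT_IDENTITY),
    (WAIT_IDENTITY, LOGIN_FAILURE), (LOGIN_FAILURE, USERNAME_VERIFY),
    (LOGIN_FAILURE, CLOSED), (USERNAME_VERIFY, CLOSED),
}


@dataclass(frozen=True)
class StateChange:
    ts: float  # seconds
    src: str
    dst: str


@dataclass(frozen=True)
class LoopRule:
    a: str
    b: str
    threshold: int


@dataclass
class Alarm:
    """Alarm information of claim 6: traffic type plus each counted state
    change pair and the number of times it occurred inside the window."""
    traffic_type: str
    loops: Dict[Tuple[str, str], int]


CLAIM5_RULES = (LoopRule(WAIT_IDENTITY, LOGIN_FAILURE, 4),
                LoopRule(USERNAME_VERIFY, CLOSED, 5))


class AbnormalTrafficModel:
    def __init__(self, traffic_type: str, rules=CLAIM5_RULES, window: float = 60.0):
        self.traffic_type = traffic_type
        self.rules = rules
        self.window = window  # the preset time period (assumed 60 s)
        self.state = CLOSED
        self.events = deque()

    def feed(self, change: StateChange) -> Optional[Alarm]:
        """Consume one state change; return an Alarm when all loop counts are reached."""
        if (change.src, change.dst) not in TRANSITIONS:
            raise ValueError(f"{change.src}->{change.dst} is not a transition of the model")
        if change.src != self.state:
            raise ValueError(f"model is in {self.state}, packet reports {change.src}")
        self.state = change.dst
        self.events.append(change)
        while self.events and change.ts - self.events[0].ts > self.window:
            self.events.popleft()  # drop changes outside the preset time period
        counts = {(r.a, r.b): self._count(r) for r in self.rules}
        if all(counts[(r.a, r.b)] >= r.threshold for r in self.rules):
            return Alarm(self.traffic_type, counts)
        return None

    def _count(self, rule: LoopRule) -> int:
        pair = {(rule.a, rule.b), (rule.b, rule.a)}
        return sum(1 for e in self.events if (e.src, e.dst) in pair)


def repeated_failed_logins(n_cycles: int, step: float = 1.0) -> List[StateChange]:
    """Constructed sample stream: n full cycles closed -> username verification
    -> waiting for identity -> login failure -> closed, then one more reopen."""
    cycle = [(CLOSED, USERNAME_VERIFY), (USERNAME_VERIFY, WAIT_IDENTITY),
             (WAIT_IDENTITY, LOGIN_FAILURE), (LOGIN_FAILURE, CLOSED)]
    events, ts = [], 0.0
    for _ in range(n_cycles):
        for src, dst in cycle:
            events.append(StateChange(ts, src, dst))
            ts += step
    events.append(StateChange(ts, CLOSED, USERNAME_VERIFY))
    return events


def evaluate(events: List[StateChange], window: float = 60.0):
    """Run one traffic type's changes through the model; return (alarm, index of
    the change that raised it) or (None, None) if the loop counts are never met."""
    model = AbnormalTrafficModel("login-service", window=window)
    for i, ev in enumerate(events):
        alarm = model.feed(ev)
        if alarm is not None:
            return alarm, i
    return None, None


if __name__ == "__main__":
    print(evaluate(repeated_failed_logins(4)))             # alarm on change 16
    print(evaluate(repeated_failed_logins(4), window=10))  # too spread out: no alarm
```

Two points the claim text leaves implicit are visible here: the window matters as much as the counts (the same 17 changes raise no alarm when the period is shortened so that no 4 waiting/failure changes fall inside it), and the alarm carries the counted state changes and their counts, which is exactly what the master station needs to judge the threat status without re-parsing the traffic.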
16. A distributed power source threat self-sensing and processing device, characterized in that it includes a processor and a storage medium; the storage medium is used to store instructions; and the processor is configured to operate according to the instructions to perform the steps of the method according to any one of claims 1-6.
17. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1-6.