A method and system for resisting a fake MAC attack of a smart substation

By dynamically binding MAC addresses to switch ports in smart substations, and combining timestamps and message counters, the problem of spoofed MAC address attacks is solved, thus achieving the security and stability of the smart substation communication network and supporting automated management and flexible access of equipment.

CN119652655B · Active · Publication Date: 2026-06-12 · LIYANG RES INST OF SOUTHEAST UNIV +1

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: LIYANG RES INST OF SOUTHEAST UNIV
Filing Date: 2024-12-31
Publication Date: 2026-06-12

AI Technical Summary

Technical Problem

Existing technologies lack effective defenses against spoofed MAC address attacks in smart substations, leading to network communication interruptions and stability issues. In particular, static binding configurations are complex and error-prone in process layer networks with large data volumes, and dynamic learning mechanisms cannot identify spoofed data frames.

Method used

By dynamically binding MAC addresses to switch ports, combined with timestamps and packet counters, the system can detect and block spoofed MAC addresses. It can also dynamically adjust the binding conditions according to the device's service cycle, monitor port status to unbind, and support flexible device access and automated management.

Benefits of technology

It achieves accurate identification and real-time interception of spoofed MAC addresses, ensuring the security and stability of the intelligent substation communication network, simplifying configuration operations, reducing the risk of errors, and adapting to the device access needs of multiple service scenarios.

Generated by Eureka AI based on patent content.


Abstract

The application discloses a method and system for a smart substation to resist fake MAC attacks, belonging to the technical field of smart substation communication network security. The method includes: after a smart device accesses the switch, recording the source MAC address and access port, generating a unique timestamp and initializing a message counter; within the statistical time window, judging whether the binding condition is reached; when the binding condition is reached, dynamically binding the source MAC address to the access port; in the bound state, intercepting in real time data frames with a fake MAC address received from a non-bound port; and monitoring the state of the bound port and, when the port state changes, unbinding and restoring the dynamic learning function. The application can accurately intercept fake MAC address data frames, prevent address table anomalies, and guarantee the security and stability of the smart substation communication network; its dynamic adaptability, automated management and efficient use of resources make it suitable for the complex network environments of smart substation application scenarios.

Description

Technical Field

[0001] This invention relates to the field of communication network security technology for smart substations, and specifically to a method and system for smart substations to defend against spoofed MAC attacks.

Background Technology

[0002] With the rapid development of smart grids, smart substations are gradually adopting the IEC 61850 standard to achieve unified management and control of the station control layer, bay layer, and process layer through network communication. In the network of a smart substation, Ethernet switches serve as core communication devices, establishing a mapping relationship between MAC addresses and ports through a dynamic learning mechanism to complete the reception, forwarding, and management of data packets. However, existing technologies have significant shortcomings in dealing with spoofed MAC address attacks: spoofed MAC address attacks interfere with the normal MAC address learning mechanism of the switch by sending fake Ethernet data frames, leading to anomalies in the MAC address table. For example, an attacker can forge the MAC address of a legitimate device to send data frames, causing the switch to incorrectly forward traffic from the real device to the port of the forged device, potentially even causing the address table to collapse, resulting in network communication interruption and severely impacting the operational stability of the smart substation. While static MAC binding can defend against spoofed MAC attacks, its configuration is complex and cannot dynamically adapt to frequently changing field access requirements. Especially in process layer networks with large data volumes, static binding is difficult to meet business needs and is prone to causing device communication anomalies due to configuration errors. Existing dynamic learning mechanisms lack the ability to detect forged data frames; they can only update the MAC address table in real time but cannot identify and intercept forged data frames. Furthermore, existing technologies lack automation and flexible adjustment capabilities, making it difficult to cope with complex network threats in multi-service scenarios.

[0003] Therefore, how to design a solution that can effectively defend against spoofed MAC attacks while achieving dynamic binding, automated management, and flexible adaptation is an urgent problem to be solved in the communication network security of smart substations.

Summary of the Invention

[0004] The purpose of this invention is to provide a method and system for resisting spoofed MAC address attacks in intelligent substations. By dynamically binding MAC addresses to switch ports, the invention enables the detection and interception of spoofed MAC address attacks, while enhancing the automation and adaptability of network management and ensuring the security and stability of the intelligent substation's communication network.

[0005] To achieve the above objectives, the present invention employs the following technical solution:

[0006] A method for protecting smart substations from spoofed MAC attacks includes the following steps:

[0007] After a smart device is connected to the switch, when the switch receives a data frame from the smart device for the first time, it records the source MAC address and access port, generates a unique timestamp to mark the start time of data frame statistics, and initializes the packet counter count to 1 to record the number of data frames from the smart device.

[0008] Count the data frames and determine whether the binding conditions are met within the statistical time window;

[0009] When the binding conditions are met, the source MAC address will be dynamically bound to the access port.

[0010] In the bound state, intercept data frames with forged MAC addresses.

[0011] Monitor the port status of the bound port, and unbind and resume dynamic learning when the port status changes.

[0012] As a preferred embodiment of the present invention, the step of counting the data frames includes:

[0013] Set the statistical time window T and the trigger threshold COUNT for the number of data frames, which are used to limit the statistical duration of data frame statistics and the number of data frames that trigger dynamic binding, respectively.

[0014] Based on the business cycle $t_{cycle}$ of the smart device and the number of data frames $n_{frame}$ in each business cycle, T and COUNT are dynamically adjusted according to the following formula:

[0015] $T = N \times t_{cycle}$, $COUNT = N \times n_{frame}$;

[0016] where $t_{cycle}$ is the business cycle of the smart device, i.e. the time required for the smart device to complete one business operation, in seconds; $n_{frame}$ is the number of data frames in each business cycle; and N is the security factor.

[0017] Within each business cycle, update the statistical time window T and the trigger threshold COUNT for the number of data frames to adapt to the current message sending characteristics of smart devices.

[0018] As a preferred embodiment of the present invention, the binding conditions specifically include the following two items:

[0019] Within the statistical time window T, the message counter count value reaches the trigger threshold COUNT for the number of data frames;

[0020] The port status of the access port remained UP, and through real-time comparison, no data frame corresponding to the source MAC address was found to be received from other ports.

[0021] In a preferred embodiment of the present invention, the switch operates through the following steps in the step of intercepting data frames with forged MAC addresses:

[0022] In the bound state, the MAC address of the received data frame is compared with the source MAC address bound in the MAC address table in real time;

[0023] If the MAC address of a data frame received on a non-bound port is the same as the source MAC address, then the MAC address is a forged MAC address. The data frame is immediately discarded, and the access port and reception time of the data frame with the forged MAC address are recorded to trace the source of the attack. Normal communication of newly received data frames is restored first.

[0024] In a preferred embodiment of the present invention, in the step of monitoring the port status of the bound port, when the port status of the bound port becomes DOWN, after the switch releases the dynamic binding relationship between the source MAC address and the access port, the following steps are performed:

[0025] Clear the bound source MAC address records and release the corresponding address table resources;

[0026] The source MAC address and access port of newly received data frames are recorded in real time, and a statistical time window is initialized at the same time.

[0027] A system for protecting smart substations from spoofed MAC attacks, comprising:

[0028] The switch module is used to connect to smart devices and receive data frames from smart devices;

[0029] The recording module is used to record the source MAC address and access port when the switch first receives a data frame from a smart device, and to generate a unique timestamp to mark the start time of data frame statistics.

[0030] The counter module is used to initialize the message counter count to 1 and record the number of data frames from the smart device;

[0031] The statistics module is used to determine whether the binding conditions have been met within the statistical time window;

[0032] The dynamic binding module is used to dynamically bind the source MAC address to the access port when the binding conditions are met.

[0033] The defense module is used to intercept data frames with forged MAC addresses in the bound state.

[0034] The monitoring module is used to monitor the port status of the bound port, and unbind and resume dynamic learning when the port status changes.

[0035] As a preferred embodiment of the present invention, the statistical module includes:

[0036] The threshold setting unit is used to set the statistical time window T and the trigger threshold COUNT for the number of data frames;

[0037] The dynamic adjustment unit is used to dynamically adjust T and COUNT according to the business cycle $t_{cycle}$ of the smart device and the number of data frames $n_{frame}$ in each business cycle, using the following formula:

[0038] $T = N \times t_{cycle}$, $COUNT = N \times n_{frame}$;

[0039] Where N is the safety factor.

[0040] As a preferred embodiment of the present invention, the dynamic binding module includes:

[0041] The port status monitoring unit is used to monitor in real time whether the status of the access port is continuously UP;

[0042] The source address verification unit is used to confirm that no corresponding data frame has been received from other ports by comparing the source MAC address in real time, and to trigger dynamic binding when the value of the packet counter reaches the trigger threshold within the statistical time window.

[0043] As a preferred embodiment of the present invention, the defense module includes:

[0044] The spoofed MAC address identification unit is used to compare the MAC address of the received data frame with the bound source MAC address in real time under the bound state. If the MAC address of the data frame received by the unbound port is the same as the source MAC address, then the MAC address is a spoofed MAC address.

[0045] A data frame discarding unit is used to discard data frames with forged MAC addresses.

[0046] The attack recording unit is used to record the access port and reception time of the forged MAC address data frame, and to perform tracking processing.

[0047] Compared with existing technologies, the advantages of this invention are as follows: This invention, through a mechanism of dynamically binding source MAC addresses to switch ports, can accurately identify forged MAC address data frames. In the bound state, it intercepts and discards forged data frames entering from unbound ports in real time, thereby preventing address table disorder or abnormal updates and ensuring the security of the intelligent substation communication network. By determining the binding conditions through the number of data frames within a statistical time window, it achieves automatic binding of MAC addresses to access ports without manual intervention. It can adjust binding conditions according to the communication characteristics and service cycles of devices, adapting to network environments with frequent device access and dynamic service changes. When the bound port status changes, this invention can promptly unbind the relationship and restore the dynamic learning function, supporting device re-access and avoiding communication problems caused by port anomalies. This invention simplifies traditional static binding operations through an automated dynamic binding and unbinding mechanism, reducing the risk of configuration errors and promptly releasing address table resources, ensuring efficient utilization of switch resources. It is suitable for intelligent substation networks with high service traffic. This invention can flexibly adapt to multiple service scenarios, supporting device access requirements at different levels such as the station control layer, bay layer, and process layer, providing a secure and stable guarantee for the expansion of intelligent substation networks, and has significant practical application value.

Attached Figure Description

[0048] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0049] In the drawings:

[0050] Figure 1 is a flowchart of the method of the present invention;

[0051] Figure 2 is a schematic diagram of the modular structure of the system of the present invention;

[0052] Figure 3 is a schematic diagram of the network layered structure according to an embodiment of the present invention;

[0053] Figure 4 is a schematic diagram illustrating the changes in the MAC address table of the switch according to an embodiment of the present invention.

Detailed Implementation

[0054] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the described embodiments of the present invention are within the scope of protection of the present invention.

[0055] As shown in Figure 1, an embodiment of the present invention provides a method for a smart substation to resist spoofed MAC attacks, including:

[0056] Step S1: After the smart device is connected to the switch, when the switch receives a data frame from the smart device for the first time, it records the source MAC address and access port, generates a unique timestamp to mark the start time of data frame statistics, and initializes the packet counter count to 1 to record the number of data frames from the smart device.

[0057] After a smart device connects to the switch, upon receiving the first data frame from that device, the switch records the source MAC address and access port of the data frame as a unique identifier for the device. Simultaneously, a unique timestamp is generated to mark the start time of data frame statistics. The switch also initializes a packet counter (count) and sets it to 1 to record the number of data frames received from that device. This process ensures that the switch can accurately identify and manage the communication information of each access device.

[0058] Step S2: Count the data frames and determine whether the binding conditions have been met within the statistical time window;

[0059] The step of counting the number of data frames includes:

[0060] Set the statistical time window T and the trigger threshold COUNT for the number of data frames, which are used to limit the statistical duration of data frame statistics and the number of data frames that trigger dynamic binding, respectively.

[0061] Based on the business cycle $t_{cycle}$ of the smart device and the number of data frames $n_{frame}$ in each business cycle, T and COUNT are dynamically adjusted according to the following formula:

[0062] $T = N \times t_{cycle}$, $COUNT = N \times n_{frame}$;

[0063] where $t_{cycle}$ is the business cycle of the smart device, i.e. the time required for the smart device to complete one business operation, in seconds; $n_{frame}$ is the number of data frames in each business cycle; and N is the security factor.

[0064] Within each business cycle, update the statistical time window T and the trigger threshold COUNT for the number of data frames to adapt to the current message sending characteristics of smart devices.

[0065] Step S3: When the binding conditions are met, dynamically bind the source MAC address to the access port;

[0066] In this embodiment, the binding conditions specifically include the following two items:

[0067] Within the statistical time window T, the message counter count value reaches the trigger threshold COUNT for the number of data frames;

[0068] The port status of the access port remained UP, and through real-time comparison, no data frame corresponding to the source MAC address was found to be received from other ports.

[0069] The switch enters statistical mode and counts data frames from the smart device within a preset statistical time window. For each received data frame, the counter `count` increments by 1. Simultaneously, the switch checks in real-time whether the statistical time exceeds the statistical time window. When the statistical time reaches the set window and the value of the counter `count` reaches a preset binding condition (e.g., the number of data frames exceeds a specific threshold), the device's communication behavior is determined to conform to the binding rules. The statistical time window and counting threshold in this step can be dynamically adjusted according to the smart device's service characteristics to adapt to different business scenarios.

[0070] Step S4: In the bound state, intercept data frames with forged MAC addresses;

[0071] Specifically, in the process of intercepting data frames with forged MAC addresses, the switch operates through the following steps:

[0072] In the bound state, the MAC address of the received data frame is compared with the source MAC address bound in the MAC address table in real time;

[0073] If the MAC address of a data frame received on a non-bound port is the same as the source MAC address, then the MAC address is a forged MAC address. The data frame is immediately discarded, and the access port and reception time of the data frame with the forged MAC address are recorded to trace the source of the attack. Normal communication of newly received data frames is restored first.

[0074] When the switch determines that the binding condition is met, it dynamically binds the source MAC address of the smart device to the access port and records this binding relationship as static MAC address information in the switch's address table. In the bound state, the source MAC address can only send and receive data through the bound port; other ports will be unable to learn or forward data frames associated with the source MAC address, thus ensuring the security of device communication and the uniqueness of data streams.

[0075] In dynamic binding mode, the switch continuously monitors the source MAC address of all received data frames. If a forged MAC address is detected (i.e., a data frame with the same MAC address as the bound MAC address is received from an unbound port), the switch immediately discards the forged data frame and records relevant information (such as the source port and reception time of the forged data frame). This process effectively defends against MAC address forgery attacks and prevents forged data frames from disrupting the switch's address table, thereby ensuring the stability of the smart substation network.

[0076] Step S5: Monitor the port status of the bound port, and unbind and resume dynamic learning when the port status changes.

[0077] Specifically, in the step of monitoring the port status of the bound port, when the port status of the bound port changes to DOWN, the switch releases the dynamic binding relationship between the source MAC address and the access port, and then performs the following steps:

[0078] Clear the bound source MAC address records and release the corresponding address table resources;

[0079] The source MAC address and access port of newly received data frames are recorded in real time, and a statistical time window is initialized at the same time.

[0080] The switch continuously monitors the status of bound ports. When the status of a bound port changes (e.g., from UP to DOWN), the switch promptly unbinds the source MAC address from that port and removes the source MAC address from its static address table. After unbinding, the switch resumes dynamic learning mode, allowing other ports to relearn the source MAC address. This process ensures that devices can flexibly reconnect to the network while freeing up switch resources and avoiding communication interruptions caused by binding restrictions.

[0081] In practical applications, the business characteristics of smart devices may vary, such as data frame transmission frequency or business cycle. To address this, this invention provides a dynamic adjustment mechanism for the statistical time window and binding condition thresholds. For example, the statistical time window can be set as an integer multiple of the smart device's business cycle, and the trigger threshold for the number of data frames can be dynamically set based on the average number of frames within each business cycle, ensuring that the binding conditions can flexibly adapt to different business needs.

[0082] Through the above embodiments, the dynamic binding method of the present invention can effectively defend against spoofed MAC address attacks, improve the security and stability of the communication network of smart substations, and at the same time realize the automation and efficiency of equipment access management.

[0083] As shown in Figure 2, another embodiment of the present invention provides a system for a smart substation to resist spoofed MAC attacks, comprising:

[0084] The switch module is used to connect to smart devices and receive data frames from smart devices;

[0085] The recording module is used to record the source MAC address and access port when the switch first receives a data frame from a smart device, and to generate a unique timestamp to mark the start time of data frame statistics.

[0086] The counter module is used to initialize the message counter count to 1 and record the number of data frames from the smart device;

[0087] The statistics module is used to determine whether the binding conditions have been met within the statistical time window;

[0088] The dynamic binding module is used to dynamically bind the source MAC address to the access port when the binding conditions are met.

[0089] The defense module is used to intercept data frames with forged MAC addresses in the bound state.

[0090] The monitoring module is used to monitor the port status of the bound port, and unbind and resume dynamic learning when the port status changes.

[0091] In this embodiment, the statistics module includes:

[0092] The threshold setting unit is used to set the statistical time window T and the trigger threshold COUNT for the number of data frames;

[0093] The dynamic adjustment unit is used to dynamically adjust T and COUNT according to the business cycle $t_{cycle}$ of the smart device and the number of data frames $n_{frame}$ in each business cycle, using the following formula:

[0094] $T = N \times t_{cycle}$, $COUNT = N \times n_{frame}$;

[0095] Where N is the safety factor.

[0096] Preferably, the dynamic binding module includes:

[0097] The port status monitoring unit is used to monitor in real time whether the status of the access port is continuously UP;

[0098] The source address verification unit is used to confirm that no corresponding data frame has been received from other ports by comparing the source MAC address in real time, and to trigger dynamic binding when the value of the packet counter reaches the trigger threshold within the statistical time window.

[0099] Preferably, the defense module includes:

[0100] The spoofed MAC address identification unit is used to compare the MAC address of the received data frame with the bound source MAC address in real time under the bound state. If the MAC address of the data frame received by the unbound port is the same as the source MAC address, then the MAC address is a spoofed MAC address.

[0101] A data frame discarding unit is used to discard data frames with forged MAC addresses.

[0102] The attack recording unit is used to record the access port and reception time of the forged MAC address data frame, and to perform tracking processing.

[0103] As shown in Figure 3, the network structure of a smart substation is divided into a station control layer, a bay layer, and a process layer. Each layer achieves data communication and management through switches.

[0104] Station control layer: The station control layer includes the monitoring backend and application server, which are responsible for the data monitoring and management of the entire station. It usually communicates with the bay layer and process layer through switches.

[0105] Bay Layer: The bay layer includes protection and monitoring / control equipment, used for data aggregation, equipment protection, and issuing control commands to the process layer. The bay layer interacts with the station control layer and the process layer via switches.

[0106] Process layer: The process layer includes intelligent terminals and merging units, which are mainly responsible for data interaction with primary equipment, such as acquiring analog and digital signals and issuing control commands.

[0107] In this invention, to defend against spoofed MAC attacks in the communication network of smart substations, switches play a crucial role in forwarding and defending communication data between layers. The method and system for resisting spoofed MAC attacks of this invention are primarily applied to the security management of switches in this network architecture.

[0108] Figure 4 illustrates the MAC address and port mappings of the switch in its initial, dynamically bound, and unbound states. Specifically:

[0109] PORT1 to PORT7 represent the various ports of the switch;

[0110] MAC1 to MACn represent the MAC addresses of the access devices.

[0111] Initial state:

[0112] Initially, the switch operates in dynamic learning mode, dynamically recording the mapping between source MAC addresses and access ports based on received data frames. For example, when a smart device connects to PORT1 of the switch, the switch records the device's source MAC address MAC1 and associates it with PORT1. When other devices connect to different ports (such as PORT7), the switch similarly records the mapping between these devices' source MAC addresses (such as MACn) and the corresponding ports.

[0113] In this state, the switch allows all ports to learn new MAC addresses. However, if an attacker sends a forged data frame with the same MAC address (e.g., MAC1) through another port (e.g., PORT2), the switch will update its MAC address table, incorrectly associating MAC1 with PORT2, causing the data traffic to be forwarded incorrectly.

[0114] Dynamic binding status:

[0115] When the dynamic binding conditions are met, the switch binds the source MAC address to the access port as a static MAC address. For example, when device MAC1 accesses through port PORT1 and the binding conditions are met, the switch binds MAC1 to PORT1, and other ports can no longer learn MAC1's information. At this time, the information in the switch's address table becomes: source MAC address MAC1 can only be forwarded through PORT1, and other ports cannot associate MAC1 with themselves.

[0116] In dynamic binding mode, if an attacker sends a forged data frame with MAC1 through an unbound port (such as PORT2), the switch can detect and determine that the data frame is forged in real time, and then discard the data frame, effectively preventing abnormal updates to the address table and ensuring the security and stability of data communication.

[0117] Unbound status:

[0118] When the switch detects a change in the status of a bound port (such as PORT1) (e.g., from UP to DOWN), the switch automatically unbinds the source MAC address from the port and releases the static MAC address record. After unbinding, the switch reverts to dynamic learning mode, allowing other ports to relearn new MAC addresses. For example, if MAC1, previously bound to PORT1, is unbound, device MAC1 can access the switch through other ports, and the switch will re-record the association between MAC1 and the new access port.

[0119] By unbinding, the switch can quickly adapt to changes in the status of network devices, ensuring normal communication when devices reconnect to the network, while also achieving efficient management and utilization of address table resources.
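The method of steps S1 to S5 and the three address-table states described for Figure 4, as an added Python simulation (not code from the patent or from any switch vendor). The class and method names, the integer-millisecond clock, the constructed MAC value and timings, and the choice to restart statistics when the window expires or the MAC appears on another port before binding are all assumptions; the patent text does not specify those two cases.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: int            # access port recorded with the source MAC (S1)
    first_seen_ms: int   # timestamp marking the start of statistics (S1)
    count: int = 1       # message counter, initialised to 1 (S1)
    bound: bool = False  # True once the MAC is dynamically bound (S3)


class BindingSwitch:
    """Hypothetical model of the dynamic MAC/port binding logic."""

    def __init__(self, t_cycle_ms, n_frame, safety_factor):
        # T = N x t_cycle and COUNT = N x n_frame, as in the description.
        self.T = safety_factor * t_cycle_ms
        self.COUNT = safety_factor * n_frame
        self.table = {}    # source MAC -> Entry
        self.alerts = []   # (mac, port, time) of dropped spoofed frames

    def receive(self, mac, port, now_ms):
        """Process one frame; return 'forward' or 'drop'."""
        entry = self.table.get(mac)
        if entry is None:
            # S1: first frame from this MAC starts a statistics window.
            self.table[mac] = Entry(port, now_ms)
            return "forward"
        if entry.bound:
            # S4: a bound MAC arriving on any other port is treated as forged.
            if port != entry.port:
                self.alerts.append((mac, port, now_ms))
                return "drop"
            return "forward"
        # Learning state. Assumption: if the MAC shows up on another port
        # (binding condition 2 fails) or the window T has expired, the entry
        # is relearned on the receiving port and statistics restart.
        if port != entry.port or now_ms - entry.first_seen_ms > self.T:
            self.table[mac] = Entry(port, now_ms)
            return "forward"
        # S2/S3: count the frame and bind once COUNT is reached within T.
        entry.count += 1
        if entry.count >= self.COUNT:
            entry.bound = True
        return "forward"

    def port_down(self, port):
        # S5: port went DOWN, so clear its records (bound or still counting)
        # and fall back to dynamic learning for those MACs.
        for mac in [m for m, e in self.table.items() if e.port == port]:
            del self.table[mac]

    def is_bound(self, mac):
        entry = self.table.get(mac)
        return bool(entry and entry.bound)


def demo():
    """Constructed scenario: t_cycle = 1000 ms, n_frame = 5, N = 3."""
    mac1 = "02:00:00:00:00:01"  # constructed, locally administered address
    sw = BindingSwitch(t_cycle_ms=1000, n_frame=5, safety_factor=3)
    for t in range(0, 3000, 200):          # 15 frames on PORT1 within T
        sw.receive(mac1, 1, t)
    result = {"T": sw.T, "COUNT": sw.COUNT, "bound": sw.is_bound(mac1)}
    result["spoof"] = sw.receive(mac1, 2, 3000)   # forged frame on PORT2
    result["legit"] = sw.receive(mac1, 1, 3200)   # real device on PORT1
    result["alerts"] = list(sw.alerts)
    sw.port_down(1)                               # bound port goes DOWN
    result["after_down"] = sw.receive(mac1, 3, 4500)
    result["new_port"] = sw.table[mac1].port
    result["rebound"] = sw.is_bound(mac1)
    return result


def demo_prebinding_gap():
    """Before binding, a frame from another port still moves the MAC."""
    mac1 = "02:00:00:00:00:01"
    sw = BindingSwitch(t_cycle_ms=1000, n_frame=5, safety_factor=3)
    sw.receive(mac1, 1, 0)
    verdict = sw.receive(mac1, 2, 100)
    return verdict, sw.table[mac1].port, sw.is_bound(mac1)


if __name__ == "__main__":
    print(demo())
    print(demo_prebinding_gap())
```

The second function shows the window a defender should note: until the binding conditions are met, the table behaves like ordinary dynamic learning, so protection starts only after binding.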

[0120] This invention effectively defends against MAC address forgery attacks through a dynamic binding mechanism, ensuring the communication security and stability of the smart substation network. It also has the ability to flexibly adapt to changes in device access, improving the efficient utilization of switch resources.

[0121] In summary, this invention effectively defends against spoofed MAC address attacks and ensures the security and stability of intelligent substation communication networks by recording the source MAC address and access port of intelligent devices, statistically analyzing frame counts and determining binding conditions, implementing dynamic binding, intercepting spoofed MAC address data frames, monitoring port status, and unbinding. Combining dynamic binding and spoofed data frame detection technologies, this invention not only accurately identifies and intercepts spoofed MAC address attacks but also flexibly adjusts binding conditions and statistical parameters according to the service characteristics of the devices, adapting to the complex network environment of multi-layered, multi-device systems in intelligent substations. This invention is simple to operate, achieving automated management without manual intervention, while simultaneously freeing up switch resources and improving network operating efficiency. It significantly enhances the adaptability and security of intelligent substation communication networks, possessing broad application prospects and significant practical value.

[0122] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of those different embodiments or examples.

[0123] Any process or method description in the flowchart or otherwise herein can be understood as representing a module, segment, or portion of code comprising one or more executable instructions for implementing a particular logical function or process. Furthermore, the scope of the preferred embodiments of this application includes additional implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the functionality involved.

[0124] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any person skilled in the art can easily conceive of various variations or substitutions within the technical scope disclosed in this application, and these should all be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for defending smart substations against spoofed MAC attacks, characterized in that it includes the following steps:

After a smart device is connected to the switch, when the switch receives a data frame from the smart device for the first time, it records the source MAC address and access port, generates a unique timestamp to mark the start time of data frame statistics, and initializes the packet counter count to 1 to record the number of data frames from the smart device.

Count the number of statistical frames and determine whether the binding conditions are met within the statistical time window;

The steps for calculating the number of statistical frames include: Set statistical time window Trigger threshold for the number of data frames These are used to limit the statistical duration of data frame statistics and the number of data frames that trigger dynamic binding, respectively. Based on the business cycle of smart devices and the number of data frames in each business cycle Dynamic adjustment and The formula is: , ; in, The business cycle of a smart device represents the time required for the smart device to complete one business transaction, expressed in seconds. The number of data frames in each business cycle; For safety factor; Update the statistical time window within each business cycle. Trigger threshold for the number of data frames To adapt to the message sending characteristics of current smart devices;

The binding conditions specifically include the following two items: Within the statistical time window Within this timeframe, the message counter count value reaches the trigger threshold for the number of data frames. ; The port status of the access port remained UP, and through real-time comparison, no data frame corresponding to the source MAC address was found to be received from other ports.

When the binding conditions are met, the source MAC address will be dynamically bound to the access port.

In the bound state, intercept data frames with forged MAC addresses.

Monitor the port status of the bound port, and unbind and resume dynamic learning when the port status changes.

2. The method for resisting spoofed MAC attacks in a smart substation according to claim 1, characterized in that, in the step of intercepting data frames with forged MAC addresses, the switch operates through the following steps: in the bound state, the MAC address of the received data frame is compared with the source MAC address bound in the MAC address table in real time; if the MAC address of a data frame received on a non-bound port is the same as the source MAC address, then the MAC address is a forged MAC address; the data frame is immediately discarded, and the access port and reception time of the data frame with the forged MAC address are recorded to trace the source of the attack; normal communication of newly received data frames is restored first.

3. The method for resisting spoofed MAC attacks in a smart substation according to claim 1, characterized in that, in the step of monitoring the port status of the bound port, when the port status of the bound port changes to DOWN, the switch releases the dynamic binding relationship between the source MAC address and the access port, and then performs the following steps: clear the bound source MAC address records and release the corresponding address table resources; the source MAC address and access port of newly received data frames are recorded in real time, and a statistical time window is initialized at the same time.

4. A system for protecting intelligent substations from spoofed MAC attacks, characterized in that it includes:

The switch module is used to connect to smart devices and receive data frames from smart devices;

The recording module is used to record the source MAC address and access port when the switch first receives a data frame from a smart device, and to generate a unique timestamp to mark the start time of data frame statistics.

The counter module is used to initialize the message counter count to 1 and record the number of data frames from the smart device;

The statistics module is used to determine whether the binding conditions have been met within the statistical time window; The statistics module includes: The threshold setting unit is used to set the statistical time window. Trigger threshold for the number of data frames ; The dynamic adjustment unit is used to adjust according to the business cycle of the smart device. and the number of data frames in each business cycle Dynamic adjustment and The formula is: , ; in, For safety factor;

The dynamic binding module is used to dynamically bind the source MAC address to the access port when the binding conditions are met. The dynamic binding module includes: The port status monitoring unit is used to monitor in real time whether the status of the access port is continuously UP; The source address verification unit is used to confirm that no corresponding data frame has been received from other ports by comparing the source MAC address in real time, and to trigger dynamic binding when the value of the packet counter reaches the trigger threshold within the statistical time window.

The defense module is used to intercept data frames with forged MAC addresses in the bound state.

The monitoring module is used to monitor the port status of the bound port, and unbind and resume dynamic learning when the port status changes.

5. A system for resisting spoofed MAC attacks in an intelligent substation according to claim 4, characterized in that the defense module includes: The spoofed MAC address identification unit is used to compare the MAC address of the received data frame with the bound source MAC address in real time under the bound state. If the MAC address of the data frame received by the unbound port is the same as the source MAC address, then the MAC address is a spoofed MAC address. A data frame discarding unit is used to discard data frames with forged MAC addresses. The attack recording unit is used to record the access port and reception time of the forged MAC address data frame, and to perform tracking processing.