Real-time Detection Method and Device for Data Injection Attacks on Wind Turbine Units Based on Physics-Time Constraints
By constructing a dynamic model of a wind turbine and evaluating the achievable speed range based on a physical-temporal constraint method, the problem of detecting data injection attacks on wind turbines was solved, achieving efficient and accurate real-time detection and improving the safety and reliability of wind power systems.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ZHEJIANG UNIV
- Filing Date
- 2025-10-27
- Publication Date
- 2026-06-30
AI Technical Summary
Existing technologies struggle to effectively detect and identify data injection attacks in wind turbines, especially when they do not cause obvious physical anomalies, thus threatening the safety and reliability of wind power systems.
Based on the operating mechanism of wind turbine units, the real physical relationship between speed and drive and damping is established, a system dynamics model is constructed, and the physical reachable range of speed evolution is formed through time constraints and measurement noise assessment. The actual speed measurement value is then compared to trigger an alarm.
It enables real-time detection of data injection attacks, featuring high real-time performance, low computational overhead, significantly reducing false alarm and missed alarm rates, and improving the operational safety of wind turbine units.
Smart Images

Figure CN121396602B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of wind power generation control system security, and in particular to a real-time detection method and device for wind turbine data injection attacks based on physical-temporal constraints. Background Technology
[0002] In recent years, with the accelerating global energy structure transformation, wind power, as a clean energy technology with the greatest carbon reduction potential, has become a key new energy power generation method developed by various countries. Along with the continuous increase in installed capacity, wind turbine units are developing towards larger scale, clustering, and networking, making their internal control and communication systems increasingly complex. However, while this highly interconnected characteristic improves operating efficiency, it also gradually exposes the vulnerabilities of communication links, and wind power systems are facing multiple potential threats from cyberspace. Of particular note is the high security risk of the Ethernet-based communication links commonly used in wind turbine units. Attackers can exploit these vulnerabilities to launch network intrusions, leading to the tampering or misrepresentation of measurement signal transmissions, thereby affecting the normal control and operation of the units.
[0003] Existing research indicates that cyberattacks targeting wind turbines primarily include data injection attacks, denial-of-service attacks, and latency attacks. Among these, data injection attacks, due to their ability to tamper with measurement data without causing obvious physical anomalies, possess high stealth and destructiveness, and have become one of the main attack methods threatening the safe operation of wind power systems. Compared to general passive defense measures, conducting effective detection research against data injection attacks is of greater significance. By promptly identifying and locating anomalous data, not only can the preconditions for subsequent isolation, mitigation, and recovery be provided, but the spread and escalation of attacks can also be effectively prevented.
[0004] Therefore, methods for detecting data injection attacks targeting wind turbines not only have significant theoretical value in academic research but also have outstanding practical significance in engineering practice and industrial applications. The research results will directly relate to the safety, reliability, and sustainable development level of wind power systems, and will play a crucial role in ensuring the stable operation of new energy power systems. Summary of the Invention
[0005] The purpose of this invention is to address the shortcomings of existing technologies by proposing a real-time detection method and device for wind turbine data injection attacks based on physical-temporal constraints.
[0006] The objective of this invention is achieved through the following technical solution: A real-time detection method for wind turbine data injection attacks based on physical-temporal constraints, comprising:
[0007] S1, based on the operating mechanism of wind turbine, under the premise of explicitly considering model noise, establishes a parameterized description of the real physical relationship between speed and drive and damping, obtains the continuous state equation under the combined action of drive torque, aerodynamic damping and mechanical damping, and forms a system dynamic model.
[0008] S2 approximates the difference between aerodynamic torque, damping torque and engine torque in the system dynamics model as a linear change, obtains the upper and lower bounds of this difference based on adjacent sampling points, derives the range of rotor speed change rate between adjacent sampling points, and forms a time-series constraint set for speed evolution accordingly.
[0009] S3. Based on the timing constraints and the rotation speed at the previous sampling time, construct the allowable physical-temporal reachable interval of the rotation speed at the next sampling time. Statistically evaluate the measurement noise from historical operating data, determine the measurement noise boundary, and set a robust margin. Embed the margin into the reachable interval to obtain the final predicted physical reachable interval result.
[0010] S4. Compare the actual rotation speed measurement value of the next sampling point with the physical reachable range. When the measurement value exceeds the reachable range or the evidence of exceeding the boundary meets the preset rules, trigger an alarm and record the alarm event.
[0011] Furthermore, the system dynamics model is specifically as follows:
[0012]
[0013] in Let be the rotor speed as a function of time t. for The derivative, For equivalent rotational inertia, The aerodynamic torque is a function of time t. It is the equivalent damping coefficient. For generator torque, This represents the uncertainty term due to external bounded disturbances and modeling errors.
[0014] Furthermore, the method of approximating the difference between aerodynamic torque, damping torque, and engine torque in the system dynamics model as a linear change, and obtaining the upper and lower bounds of this difference based on adjacent sampling points, is specifically as follows:
[0015] At two adjacent sampling points , ,get The upper and lower bounds of the value, where For aerodynamic torque, For damping torque, Let the generator torque be denoted as . , Approximately: .
[0016] Furthermore, the range of rotor speed change rates between adjacent sampling points is specifically as follows:
[0017] Considering the model uncertainties, the range of rotor speed change rates between adjacent sampling points is:
[0018]
[0019] in, Let be the rotor speed as a function of time t. for The derivative, The equivalent moment of inertia is given by m and n, which are the upper and lower bounds of the difference between aerodynamic torque, damping torque, and engine torque.
[0020] Furthermore, the specific definition of the allowable physical-temporal reachable interval for constructing the rotational speed at the next sampling time is as follows:
[0021]
[0022] Furthermore, the determination of the measurement noise boundary and the setting of the robustness margin specifically involves:
[0023] The boundary is estimated using statistical methods for measurement noise, employing the 3σ criterion. Based on the residual distribution, three times the standard deviation is taken as the limit, expressed as follows: ;
[0024] Considering that the noise at two consecutive sampling points may be in opposite directions, taking the worst-case scenario, we obtain the physical-temporal reachable range of the rotational speed at the next time step after correction:
[0025] .
[0026] On the other hand, this application also provides a real-time detection device for wind turbine data injection attacks based on physical-temporal constraints, including a memory and one or more processors. The memory stores executable code, and when the processor executes the executable code, it implements the aforementioned real-time detection method for wind turbine data injection attacks based on physical-temporal constraints.
[0027] On the other hand, this application also provides a computer-readable storage medium having a program stored thereon, which, when executed by a processor, implements the aforementioned method for real-time detection of wind turbine data injection attacks based on physical-temporal constraints.
[0028] The beneficial effects of this invention are as follows: This invention proposes a real-time detection method for data injection attacks on wind turbines based on physical-temporal constraints, providing an effective solution to the problem of attack detection under the nonlinear characteristics of wind turbines. This method accurately identifies model features and reveals the phenomenon of model constraint failure caused by data injection attacks, thereby overcoming the detection challenge caused by the stealth of the attack. Compared with traditional methods, this invention has significant advantages such as strong real-time performance, low computational overhead, and low false alarm and false alarm rates, significantly improving the operational safety of wind turbines. Attached Figure Description
[0029] Figure 1 A block diagram illustrating a real-time detection method for wind turbine data injection attacks based on physical-temporal constraints, provided as an exemplary embodiment.
[0030] Figure 2 A dynamic model diagram of a wind turbine provided as an exemplary embodiment;
[0031] Figure 3 The detection output results obtained by comparing the physical-temporal detection method provided by the present invention with the traditional observer-based detection method under a continuous data injection attack provided in an exemplary embodiment;
[0032] Figure 4 The detection output results obtained by comparing the physical-temporal detection method provided by the present invention with the traditional observer-based detection method under a continuous data injection attack provided in an exemplary embodiment;
[0033] Figure 5 A structural block diagram of a real-time detection device for wind turbine data injection attacks based on physical-temporal constraints, provided as an exemplary embodiment. Detailed Implementation
[0034] The specific embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.
[0035] Figure 1 The following is a block diagram of the real-time detection method for wind turbine data injection attacks based on physical-temporal constraints in this embodiment of the invention. Figure 1 As shown, the real-time detection method for wind turbine data injection attacks based on physical-temporal constraints specifically includes the following steps:
[0036] S1, Constructing the dynamic model of the wind turbine
[0037] Based on the momentum theorem, the torque balance equations are written, and the dynamics of the wind turbine rotor side are derived:
[0038]
[0039] Similarly, the dynamics on the generator side of the unit are derived:
[0040]
[0041] in Let be the rotor speed as a function of time t. The aerodynamic torque is a function of time t. , These are the moments of inertia of the rotor and the generator, respectively. , These are the damping coefficients of the rotor and generator, respectively. , , The low-speed shaft, high-speed shaft, and electromagnetic torque are respectively considered. The dynamic equations of the two parts of the unit and the gear connection relationships satisfy... Considering system model noise, the expression for the overall dynamic model of the wind turbine is obtained as follows:
[0042]
[0043] in For equivalent rotational inertia, It is the equivalent damping coefficient. For generator torque, To represent the uncertainty term of external bounded disturbances and modeling errors, There exists an upper bound. .
[0044] S2, derive the limits of rotor speed variation between adjacent sampling points and form a set of speed timing constraints.
[0045] The overall operating parameters of the unit need to meet the dynamic model of the wind turbine in S1, which represents physical constraints. Therefore, within the sampling period T, the rate of change of speed is limited by the system parameters and the range of aerodynamic torque changes.
[0046] At two adjacent sampling points , Define function ,remember , Due to aerodynamic torque τ a ( t The variation of () is mainly affected by wind speed fluctuations, and the high-frequency component of wind speed has strong continuity in a short period of time. Meanwhile, the damping torque and generator torque The changes are relatively gradual over short timescales, and therefore can be approximated as linear changes:
[0047]
[0048] This means that within the sampling interval, the function g ( t The value of ) is restricted to the range determined by the endpoint values:
[0049]
[0050] Based on the model uncertainties, the range of rotor speed change rates between adjacent sampling points can be obtained as follows:
[0051]
[0052] S3, one-step speed range prediction based on physical time-series reachability range and noise robustness margin:
[0053] Based on the rotational speed at the previous sampling time And the range of rotational speed change rate due to integral relationship We can obtain:
[0054]
[0055]
[0056] The boundary is estimated using statistical methods for measurement noise, employing the 3σ criterion. Based on the residual distribution, three times the standard deviation is taken as the limit, expressed as follows: ;
[0057] Considering that the measurement noise in two adjacent samplings may be in opposite directions, we take the worst-case scenario: the two observation errors contradict each other in sign and both reach their upper limits in amplitude. This is equivalent to imposing a measurement noise upper limit of plus or minus twice the value on the next prediction. Therefore, a robust correction is applied to the physical-temporally reachable set, yielding the rotational speed range for the next sampling time as follows:
[0058]
[0059] S4, compare the actual rotational speed measurement value of the next sampling point with the physical reachable range. If the measurement value exceeds the reachable range or the evidence of exceeding the limit meets the preset rules, an alarm is triggered and the alarm event is recorded; otherwise, it is determined to be normal. Specifically, the following detector is proposed:
[0060]
[0061] Among them when This indicates that an attack has occurred. This indicates no attack.
[0062] The following is a specific example illustrating the real-time detection method for wind turbine data injection attacks based on physical-temporal constraints provided in this embodiment of the invention:
[0063] Step 1, establish the dynamic model of the wind turbine:
[0064] Specifically, Figure 2 The main components of the dynamic model of the wind turbine are shown.
[0065] Step 2, establish a data injection attack model for wind turbine units:
[0066] Example:
[0067] The measured value output by the rotor speed sensor when there is no attack is:
[0068]
[0069] in For measuring noise;
[0070] The sensor output measurement values after the data injection attack occurred are:
[0071]
[0072] in These are injection attack parameters designed by the attacker.
[0073] Attackers intercept rotor speed sensor measurement data and launch a continuous data injection attack within a time window [40 s, 240 s]. Simultaneously, they apply a periodic, intermittent data injection attack within the same [40 s, 240 s] time window. The attack is characterized by periodically switching between injection and shutdown states (20 s each) every 40 s within the attack time window, forming a regular attack pattern with a 50% duty cycle. The attack intensity is... .
[0074] Step 3: Combining the sampling period with the dynamic model parameters, derive the upper and lower bound increments of the rotational speed change between adjacent sampling points, obtain the physical upper and lower bounds of the rotational speed within a unit sampling interval, and form a time-series constraint set for the rotational speed evolution accordingly.
[0075] Step 4: Based on the timing constraints and the rotation speed at the previous sampling time, construct the allowable physical-temporal reachable interval of the rotation speed at the next sampling time, and perform statistical evaluation of the measurement noise from historical operation data to determine the measurement noise boundary and set a robust margin. Embed the margin into the reachable interval to obtain the interval result predicted in the final step.
[0076] Step 5: Compare the rotational speed measurement value at the next sampling point with the physically reachable range. When an attack occurs... An alarm is triggered and the alarm event is recorded when evidence exceeds the reachable range or crosses the boundary and meets preset rules.
[0077] Specifically, Figure 3This demonstrates a continuous data injection attack (attack parameters: attack time interval [40 s, 240 s], attack intensity of...). The detection results of data injection attacks obtained by applying the detection method proposed in this invention show that the traditional observation-based residual estimation detection method cannot continuously alarm after 80 seconds and is almost ineffective, while the detection method proposed in this invention can continuously and effectively detect data injection attacks.
[0078] Figure 4 This demonstrates an intermittent data injection attack (attack parameters: attack time interval [40 s, 240 s], attack intensity of...). The detection results of data injection attacks obtained by applying the detection method proposed in this invention (with a period of 40 seconds) show that the traditional observation-based residual estimation detection method results in continuous alarms and cannot reflect the characteristics of intermittent data injection attacks. However, the detection method proposed in this invention can continuously and effectively track each intermittent attack, identify the attack dynamics, and achieve accurate alarms.
[0079] Corresponding to the aforementioned embodiment of a real-time detection method for wind turbine data injection attacks based on physical-temporal constraints, the present invention also provides an embodiment of a real-time detection device for wind turbine data injection attacks based on physical-temporal constraints.
[0080] See Figure 5 The present invention provides a real-time detection device for wind turbine data injection attacks based on physical-temporal constraints, comprising a memory and one or more processors. The memory stores executable code, and when the processor executes the executable code, it is used to implement a real-time detection method for wind turbine data injection attacks based on physical-temporal constraints as described in the above embodiment.
[0081] The embodiment of the real-time detection device for wind turbine data injection attacks based on physical-temporal constraints provided by this invention can be applied to any device with data processing capabilities, such as a computer. The device embodiment can be implemented in software, hardware, or a combination of both. Taking software implementation as an example, as a logical device, it is formed by the processor of any data processing device loading the corresponding computer program instructions from non-volatile memory into memory for execution. From a hardware perspective, such as... Figure 5 The diagram shown is a hardware structure diagram of any data processing-capable device, which is the real-time detection device for wind turbine data injection attacks based on physical-temporal constraints provided by this invention. (Except for...) Figure 5In addition to the processor, memory, network interface, and non-volatile memory shown, any data processing device in the embodiment may also include other hardware depending on the actual function of the data processing device, which will not be described in detail here.
[0082] The specific implementation process of the functions and roles of each unit in the above device can be found in the implementation process of the corresponding steps in the above method, and will not be repeated here.
[0083] For the device embodiments, since they basically correspond to the method embodiments, the relevant parts can be referred to in the description of the method embodiments. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of the present invention according to actual needs. Those skilled in the art can understand and implement this without creative effort.
[0084] This invention also provides a computer-readable storage medium storing a program that, when executed by a processor, implements a real-time detection method for wind turbine data injection attacks based on physical-temporal constraints as described in the above embodiments.
[0085] The computer-readable storage medium can be an internal storage unit of any data processing device described in any of the foregoing embodiments, such as a hard disk or memory. The computer-readable storage medium can also be an external storage device of any data processing device, such as a plug-in hard disk, smart media card (SMC), SD card, flash card, etc., equipped on the device. Furthermore, the computer-readable storage medium can include both internal storage units and external storage devices of any data processing device. The computer-readable storage medium is used to store the computer program and other programs and data required by the data processing device, and can also be used to temporarily store data that has been output or will be output.
[0086] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the aforementioned real-time detection method for wind turbine data injection attacks based on physical-temporal constraints.
[0087] Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. The specification and embodiments are to be considered exemplary only, and the true scope and spirit of this application are indicated by the claims.
[0088] It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this application. This application is not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.
Claims
1. A physical-timing constraint based real-time detection method for wind turbine data injection attack, characterized in that, include: S1, based on the operating mechanism of wind turbine, under the premise of explicitly considering model noise, establishes a parameterized description of the real physical relationship between speed and drive and damping, obtains the continuous state equation under the combined action of drive torque, aerodynamic damping and mechanical damping, and forms a system dynamic model. S2 approximates the difference between aerodynamic torque, damping torque and engine torque in the system dynamics model as a linear change, obtains the upper and lower bounds of this difference based on adjacent sampling points, derives the range of rotor speed change rate between adjacent sampling points, and forms a time-series constraint set for speed evolution accordingly. The method of approximating the difference between aerodynamic torque, damping torque, and engine torque in the system dynamics model as a linear change, and obtaining the upper and lower bounds of this difference based on adjacent sampling points, is as follows: At two adjacent sampling points , , the upper and lower bounds of the value of are obtained, wherein is the aerodynamic torque, is the damping torque, is the generator torque; and , , is approximately: ; The specific range of rotor speed change rate between adjacent sampling points is as follows: Considering the model uncertainties, the range of rotor speed change rates between adjacent sampling points is: ; in, Let be the rotor speed as a function of time t. for The derivative, Let m and n be the equivalent moment of inertia. The upper and lower bounds; This is the upper bound of the uncertainty term of external bounded disturbances and modeling errors; S3. Based on the timing constraints and the rotation speed at the previous sampling time, construct the allowable physical-temporal reachable interval of the rotation speed at the next sampling time. Statistically evaluate the measurement noise from historical operating data, determine the measurement noise boundary, and set a robust margin. Embed the margin into the reachable interval to obtain the final predicted physical reachable interval result. The allowed physical-timing reachable interval for constructing the next sampling time rotation speed is specifically: ; ; S4. Compare the actual rotation speed measurement value of the next sampling point with the physical reachable range. When the measurement value exceeds the reachable range or the evidence of exceeding the boundary meets the preset rules, trigger an alarm and record the alarm event.
2. The real-time detection method for wind turbine data injection attacks based on physical-temporal constraints according to claim 1, characterized in that, The specific system dynamics model is as follows: in Let be the rotor speed as a function of time t. for The derivative, For the equivalent moment of inertia, The aerodynamic torque is a function of time t. It is the equivalent damping coefficient. For generator torque, This represents the uncertainty term due to external bounded disturbances and modeling errors.
3. The real-time detection method for wind turbine data injection attacks based on physical-temporal constraints according to claim 1, characterized in that, The specific steps for determining the measurement noise boundary and setting the robustness margin are as follows: The boundary is estimated using statistical methods for measurement noise, employing the 3σ criterion. Based on the residual distribution, three times the standard deviation is taken as the limit, expressed as follows: ; Considering that the noise at two consecutive sampling points may be in opposite directions, taking the worst-case scenario, we obtain the physical-temporal reachable range of the rotational speed at the next time step after correction: 。 4. A real-time detection device for wind turbine data injection attacks based on physical-temporal constraints, comprising a memory and one or more processors, wherein the memory stores executable code, characterized in that... When the processor executes the executable code, it implements a real-time detection method for wind turbine data injection attacks based on physical-temporal constraints as described in any one of claims 1-3.
5. A computer-readable storage medium having a program stored thereon, characterized in that, When the program is executed by the processor, it implements a real-time detection method for wind turbine data injection attacks based on physical-temporal constraints as described in any one of claims 1-3.