A network intrusion detection method, system, device and storage medium based on multi-dimensional features

By employing a multi-dimensional feature fusion method based on an attention mechanism, the problem of insufficient cross-protocol attack detection capability of traditional detection methods in smart substations is solved, achieving efficient intrusion detection in complex protocol interaction environments and improving the security protection level of the industrial internet.

CN121664510BActive Publication Date: 2026-07-07XIJING UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
XIJING UNIV
Filing Date
2025-12-09
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing industrial internet intrusion detection methods are insufficient to effectively deal with covert attacks in complex protocol interaction environments. In particular, in smart substations, traditional static detection mechanisms cannot dynamically identify abnormal correlation patterns between protocols, resulting in insufficient detection capabilities for cross-protocol attacks.

Method used

A multi-dimensional feature dynamic fusion method based on attention mechanism is adopted. Through data acquisition, preprocessing, multi-dimensional feature extraction, feature fusion and intrusion detection, a multilayer perceptron classifier is used to identify cross-industry protocol attacks in smart substations.

Benefits of technology

It improves the detection capability for complex protocol interaction scenarios, reduces the false alarm rate, enhances the ability to identify new types of attacks, and can adapt to changes in different network environments, ensuring the stability of detection results.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121664510B_ABST
    Figure CN121664510B_ABST
Patent Text Reader

Abstract

The application discloses a network intrusion detection method, system and device based on multi-dimensional features and a storage medium, relates to the technical field of network security, and comprises the following steps: capturing MMS, GOOSE and SV protocol messages from an intelligent substation network and synchronously collecting device state data; preprocessing the collected data; counting time sequence features, analyzing protocol features and calculating behavior features from the device data; dynamically calculating the weights of the three types of features through an attention mechanism network, and performing weighted fusion; inputting the fused features into a multi-layer perception classifier, calculating the probabilities of belonging to various attacks, determining whether an intrusion occurs and the attack type according to a probability threshold; outputting a detection result with a time stamp and a confidence degree, generating an alarm and sending the alarm to a monitoring system, and recording feature weights for analysis and optimization. The application can identify hidden attack behaviors across industrial protocols in the intelligent substation by introducing a multi-dimensional feature dynamic fusion method based on an attention mechanism.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, and in particular relates to a network intrusion detection method, system, device and storage medium based on multi-dimensional features. Background Technology

[0002] The Industrial Internet is a product of the deep integration of industrial systems and internet technology. Through intelligent connectivity, data exchange, and intelligent analysis, it achieves the digitalization, networking, and intelligentization of production processes. It combines traditional industrial infrastructure with advanced computing, sensing, and communication technologies to build an intelligent ecosystem where physical equipment, information systems, and business processes collaborate efficiently. While improving production efficiency and optimizing resource allocation, the Industrial Internet also faces severe cybersecurity challenges. Its complex architecture and diverse protocols expand the attack surface, making traditional security measures ineffective.

[0003] Existing industrial internet intrusion detection methods mainly rely on traffic analysis based on predefined rules, which is insufficient to effectively deal with covert attacks in complex protocol interaction environments. Especially in scenarios such as smart substations, multiple industrial protocols such as MMS, GOOSE, and SV are transmitted in a mixed manner. Traditional static detection mechanisms cannot dynamically identify abnormal correlation patterns between protocols, resulting in insufficient detection capabilities for carefully disguised cross-protocol attacks. This limitation makes the system prone to missed detection when facing composite attacks that conform to single protocol specifications but violate global behavioral logic, seriously threatening the secure operation of critical infrastructure. Therefore, the following solutions are proposed to address the above problems. Summary of the Invention

[0004] The purpose of this invention is to provide a network intrusion detection method, system, device and storage medium based on multi-dimensional features. By introducing a multi-dimensional feature dynamic fusion method based on attention mechanism, it can identify covert attack behaviors across industrial protocols in smart substations, and solve the problem that existing intrusion detection technologies are insufficient in detecting complex protocol interaction scenarios due to their reliance on static rules and single-dimensional analysis.

[0005] To solve the above-mentioned technical problems, the present invention is achieved through the following technical solution:

[0006] This invention relates to a network intrusion detection method based on multi-dimensional features, the detection method comprising the following steps:

[0007] Step S1, Data Acquisition: Capture MMS, GOOSE, and SV protocol messages from the smart substation network, and synchronously collect equipment status data, marking the timestamps;

[0008] Step S2, Data Preprocessing: The collected data is deduplicated and cleaned, continuous features are normalized, discrete features are one-hot encoded, and dimensional differences are eliminated.

[0009] Step S3, Multidimensional Feature Extraction: Extract statistical time-series features from traffic sequences, parse protocol features from protocol messages, and calculate behavioral features such as operation frequency and state consistency from device data;

[0010] Step S4, Feature Fusion: The weights of the three types of features are dynamically calculated through the attention mechanism network, and weighted fusion is performed to generate a unified feature representation that highlights key information;

[0011] Step S5, Intrusion Detection: Input the fused features into the multilayer perceptron classifier, calculate the probability of belonging to each type of attack, and determine whether an intrusion has occurred and the type of attack based on the probability threshold.

[0012] Step S6, Result Output: Output the detection results with timestamps and confidence levels, generate alarms and send them to the monitoring system, and record feature weights for analysis and optimization.

[0013] Furthermore, step S1, data acquisition, specifically includes the following steps:

[0014] Step S11: Capture MMS protocol messages, GOOSE protocol messages, and SV protocol messages using a network packet capture tool, and extract the message headers and payload data;

[0015] Step S12: Collect equipment status data from the station control layer system, including circuit breaker opening and closing status, voltage value, current value, and equipment operation log;

[0016] Step S13: Set the data collection frequency to ensure coverage of real-time communication and event-triggered traffic; temporarily store the collected data in a buffer and mark it with a timestamp.

[0017] Furthermore, step S2, data preprocessing, specifically includes the following steps:

[0018] Step S21: Remove duplicate messages and invalid data;

[0019] Step S22: Perform minimum-maximum normalization on continuous features such as message size, time interval, and voltage value, mapping the values ​​to the [0,1] interval;

[0020] Step S23: Perform one-hot encoding on discrete features, such as protocol type and service type, and convert them into binary vectors.

[0021] Furthermore, step S3, multidimensional feature extraction, specifically includes the following steps:

[0022] Step S31, Time Series Feature Extraction: Calculate statistics based on network traffic time series. For each time window, calculate the following features:

[0023] Average message traffic: ;

[0024] In the formula, For the first Number of bytes per message This represents the total number of messages within the window.

[0025] Message flow variance: ;

[0026] Autocorrelation coefficient: for lags (set up ), calculate the autocorrelation coefficient :

[0027]

[0028] In the formula, It is a time series. The mean of the sequence. The sequence length;

[0029] Step S32, Protocol Feature Extraction: Parse industrial protocol fields and extract attack-related patterns, as follows:

[0030] For the MMS protocol, extract the frequency distribution of service types (such as Read and Write) and abnormal service sequences (such as consecutive Write operations).

[0031] For the GOOSE protocol, extract the changing patterns of the state number (StNum) and sequence number (SqNum) and calculate the state transition frequency;

[0032] For the SV protocol, the deviation of the sampled value sequence is extracted, and the mean absolute error between the sampled value and its expected value is calculated;

[0033] Step S33, Equipment Behavior Feature Extraction: Calculate the following behavioral indicators based on equipment status data:

[0034] Operating frequency: The number of times a circuit breaker is operated per unit time;

[0035] Response time deviation: The difference between the actual time and the expected time for the device to respond to a command, and its standard deviation is calculated;

[0036] Status consistency: Check the consistency between the device status and the protocol messages, such as whether the status in the GOOSE message matches the actual circuit breaker status.

[0037] Furthermore, step S4, feature fusion, specifically includes the following steps:

[0038] Step S41, Feature Embedding: Input each type of feature into the fully connected layer for embedding to obtain a feature vector; let the temporal feature vector be... The protocol feature vector is The device behavior feature vector is Map it to the same dimension through a linear transformation. :

[0039]

[0040] In the formula, For the first The embedding vector obtained after linear transformation and biasing of class features. For the index of the feature type, For the corresponding to the first The weight matrix of class features, For the corresponding to the first The bias vector of class features, output ;

[0041] Step S42, Attention Weight Calculation: For each embedded feature vector Calculate their attention score :

[0042]

[0043] In the formula, This is the weight matrix. For bias vectors, This is the attention vector;

[0044] The attention weights are then obtained by normalization using the softmax function. :

[0045]

[0046] In the formula, For the first Normalized attention weights for class features For the first Unnormalized attention scores for class features The index variable for the summation loop is used to iterate through all three types of features;

[0047] Step S43, Weighted Fusion: The embedded feature vectors are weighted and summed using attention weights to obtain the fused feature vector. :

[0048]

[0049] In the formula, This is the final fused feature vector;

[0050] Furthermore, step S5, the intrusion detection, specifically includes the following steps:

[0051] Step S51: Input the fused feature vector into the classifier for intrusion detection. The classifier uses a multilayer perceptron (MLP) and outputs the probability distribution of attack types.

[0052] The MLP contains two hidden layers. The first hidden layer uses the ReLU activation function, and the second hidden layer uses the softmax function. The calculation process is as follows:

[0053]

[0054]

[0055]

[0056] In the formula, Both are weight matrices. For bias vectors, The probability vector represents the probability of a normal state or various attacks;

[0057] Step S52: Based on the probability vector The category with the highest probability is taken as the detection result. When the highest probability exceeds the preset threshold, it is judged as an intrusion; otherwise, it is judged as normal.

[0058] Furthermore, step S6, the result output, specifically includes the following steps:

[0059] Step S61: Output the detection results, which include attack type, confidence level, timestamp, and associated device identifier;

[0060] Step S62: Generate alarm information. The alarm information is sent to the security information and event management system through a standard interface for real-time monitoring and response. At the same time, the fused feature vector and attention weight are recorded for subsequent analysis and model optimization.

[0061] A network intrusion detection system based on multidimensional features includes:

[0062] Data acquisition module: responsible for collecting raw network traffic data and equipment status data from the smart substation network environment, including MMS, GOOSE, SV protocol messages, as well as circuit breaker status, voltage and current values;

[0063] Data preprocessing module: Cleans and normalizes the collected raw data, removes duplicate and invalid data, maps continuous features to a unified interval, and encodes and transforms discrete features;

[0064] Multidimensional feature extraction module: Extracts time-series features, protocol features, and device behavior features in parallel, calculates flow statistics, parses industrial protocol fields, and analyzes device behavior patterns, respectively;

[0065] Feature fusion module: Uses attention mechanism to dynamically and weightedly fuse three types of features, and generates a unified feature representation through feature embedding, attention calculation and weighted summation;

[0066] Intrusion detection module: Intrusion detection is performed based on fused features. The attack probability is calculated through a multilayer perceptron classifier, and the intrusion and attack type are determined based on the threshold.

[0067] Results output module: Outputs detection results and generates alarm information, which is sent to the monitoring system through a standard interface. It also records feature data and detection logs for subsequent analysis.

[0068] A computer device, comprising:

[0069] Memory, used to store computer programs;

[0070] A processor for implementing the steps of any of the methods described above when executing the computer program.

[0071] A computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform any of the methods described above.

[0072] The present invention has the following beneficial effects:

[0073] This invention improves the accuracy and adaptability of intrusion detection in industrial internet scenarios by introducing an attention mechanism to achieve dynamic fusion of multi-dimensional features. The method can automatically identify and enhance the feature dimensions most relevant to the current attack, improving the detection performance of traditional methods in complex industrial protocol mixed traffic. Simultaneously, this technology reduces the false alarm rate and enhances the ability to identify new types of attacks. The system's adaptive characteristics enable it to adapt to changes in different network environments, ensuring the stability of detection results. Furthermore, the entire processing flow achieves automated analysis, reducing reliance on professional security personnel and allowing seamless integration with existing security protection facilities, thereby improving the overall security level of the industrial internet.

[0074] Of course, any product implementing this invention does not necessarily need to achieve all of the advantages described above at the same time. Attached Figure Description

[0075] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0076] Figure 1 This is a flowchart illustrating a network intrusion detection method based on multidimensional features according to the present invention.

[0077] Figure 2 This is a schematic diagram of the structure of a network intrusion detection system based on multidimensional features according to the present invention. Detailed Implementation

[0078] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0079] Please see Figure 1 As shown, this invention is a network intrusion detection method based on multi-dimensional features, comprising:

[0080] Step S1, Data Acquisition: Capture MMS, GOOSE, and SV protocol messages from the smart substation network, and synchronously collect equipment status data, marking the timestamps;

[0081] Step S2, Data Preprocessing: The collected data is deduplicated and cleaned, continuous features are normalized, discrete features are one-hot encoded, and dimensional differences are eliminated.

[0082] Step S3, Multidimensional Feature Extraction: Extract statistical time-series features from traffic sequences, parse protocol features from protocol messages, and calculate behavioral features such as operation frequency and state consistency from device data;

[0083] Step S4, Feature Fusion: The weights of the three types of features are dynamically calculated through the attention mechanism network, and weighted fusion is performed to generate a unified feature representation that highlights key information;

[0084] Step S5, Intrusion Detection: Input the fused features into the multilayer perceptron classifier, calculate the probability of belonging to each type of attack, and determine whether an intrusion has occurred and the type of attack based on the probability threshold.

[0085] Step S6, Result Output: Output the detection results with timestamps and confidence levels, generate alarms and send them to the monitoring system, and record feature weights for analysis and optimization.

[0086] Step S1, data collection specifically includes the following steps:

[0087] Step S11: Capture MMS protocol messages, GOOSE protocol messages, and SV protocol messages using a network packet capture tool, and extract the message headers and payload data;

[0088] Step S12: Collect equipment status data from the station control layer system, including circuit breaker opening and closing status, voltage value, current value, and equipment operation log;

[0089] Step S13: Set the data collection frequency to ensure coverage of real-time communication and event-triggered traffic; temporarily store the collected data in a buffer and mark it with a timestamp.

[0090] Step S2, data preprocessing specifically includes the following steps:

[0091] Step S21: Remove duplicate messages and invalid data;

[0092] Step S22: Perform minimum-maximum normalization on continuous features such as message size, time interval, and voltage value, mapping the values ​​to the [0,1] interval;

[0093] Step S23: Perform one-hot encoding on discrete features, such as protocol type and service type, and convert them into binary vectors.

[0094] Step S3, multidimensional feature extraction specifically includes the following steps:

[0095] Step S31, Time Series Feature Extraction: Calculate statistics based on network traffic time series. For each time window, calculate the following features:

[0096] Average message traffic: ;

[0097] In the formula, For the first Number of bytes per message This represents the total number of messages within the window.

[0098] Message flow variance: ;

[0099] Autocorrelation coefficient: for lags (set up ), calculate the autocorrelation coefficient :

[0100]

[0101] In the formula, It is a time series. The mean of the sequence. The sequence length;

[0102] Step S32, Protocol Feature Extraction: Parse industrial protocol fields and extract attack-related patterns, as follows:

[0103] For the MMS protocol, extract the frequency distribution of service types (such as Read and Write) and abnormal service sequences (such as consecutive Write operations).

[0104] For the GOOSE protocol, extract the changing patterns of the state number (StNum) and sequence number (SqNum) and calculate the state transition frequency;

[0105] For the SV protocol, the deviation of the sampled value sequence is extracted, and the mean absolute error between the sampled value and its expected value is calculated;

[0106] Step S33, Equipment Behavior Feature Extraction: Calculate the following behavioral indicators based on equipment status data:

[0107] Operating frequency: The number of times a circuit breaker is operated per unit time;

[0108] Response time deviation: The difference between the actual time and the expected time for the device to respond to a command, and its standard deviation is calculated;

[0109] Status consistency: Check the consistency between the device status and the protocol messages, such as whether the status in the GOOSE message matches the actual circuit breaker status.

[0110] Step S4, feature fusion specifically includes the following steps:

[0111] Step S41, Feature Embedding: Input each type of feature into the fully connected layer for embedding to obtain a feature vector; let the temporal feature vector be... The protocol feature vector is The device behavior feature vector is Map it to the same dimension through a linear transformation. :

[0112]

[0113] In the formula, For the first The embedding vector obtained after linear transformation and biasing of class features. For the index of the feature type, For the corresponding to the first The weight matrix of class features, For the corresponding to the first The bias vector of class features, output ;

[0114] Step S42, Attention Weight Calculation: For each embedded feature vector Calculate their attention score :

[0115]

[0116] In the formula, This is the weight matrix. For bias vectors, This is the attention vector;

[0117] The attention weights are then obtained by normalization using the softmax function. :

[0118]

[0119] In the formula, For the first Normalized attention weights for class features For the first Unnormalized attention scores for class features The index variable for the summation loop is used to iterate through all three types of features;

[0120] Step S43, Weighted Fusion: The embedded feature vectors are weighted and summed using attention weights to obtain the fused feature vector. :

[0121]

[0122] In the formula, This is the final fused feature vector;

[0123] Step S5, intrusion detection specifically includes the following steps:

[0124] Step S51: Input the fused feature vector into the classifier for intrusion detection. The classifier uses a multilayer perceptron (MLP) and outputs the probability distribution of attack types.

[0125] The MLP contains two hidden layers. The first hidden layer uses the ReLU activation function, and the second hidden layer uses the softmax function. The calculation process is as follows:

[0126]

[0127]

[0128]

[0129] In the formula, Both are weight matrices. For bias vectors, The probability vector represents the probability of a normal state or various attacks;

[0130] Step S52: Based on the probability vector The category with the highest probability is taken as the detection result. When the highest probability exceeds the preset threshold, it is judged as an intrusion; otherwise, it is judged as normal.

[0131] Step S6, the result output specifically includes the following steps:

[0132] Step S61: Output the detection results, which include attack type, confidence level, timestamp, and associated device identifier;

[0133] Step S62: Generate alarm information. The alarm information is sent to the security information and event management system through a standard interface for real-time monitoring and response. At the same time, the fused feature vector and attention weight are recorded for subsequent analysis and model optimization.

[0134] Please see Figure 2 As shown, the present invention is a network intrusion detection system based on multi-dimensional features, comprising:

[0135] Data acquisition module: responsible for collecting raw network traffic data and equipment status data from the smart substation network environment, including MMS, GOOSE, SV protocol messages, as well as circuit breaker status, voltage and current values;

[0136] Data preprocessing module: Cleans and normalizes the collected raw data, removes duplicate and invalid data, maps continuous features to a unified interval, and encodes and transforms discrete features;

[0137] Multidimensional feature extraction module: Extracts time-series features, protocol features, and device behavior features in parallel, calculates flow statistics, parses industrial protocol fields, and analyzes device behavior patterns, respectively;

[0138] Feature fusion module: Uses attention mechanism to dynamically and weightedly fuse three types of features, and generates a unified feature representation through feature embedding, attention calculation and weighted summation;

[0139] Intrusion detection module: Intrusion detection is performed based on fused features. The attack probability is calculated through a multilayer perceptron classifier, and the intrusion and attack type are determined based on the threshold.

[0140] Results output module: Outputs detection results and generates alarm information, which is sent to the monitoring system through a standard interface. It also records feature data and detection logs for subsequent analysis.

[0141] A computer device, comprising:

[0142] Memory, used to store computer programs;

[0143] A processor is used to implement any of the above methods when executing a computer program.

[0144] A computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform any of the methods described above.

[0145] One specific application of this embodiment is:

[0146] Implementation Scenario: This embodiment takes the station control layer network of a 330kV smart substation as a specific application scenario. The station control layer network adopts the IEC 61850 standard architecture and includes bay layer equipment (protection and control devices) and station control layer equipment (monitoring host, engineering station). The network traffic mainly includes MMS protocol (manufacturing message specification, used for equipment configuration and monitoring), GOOSE protocol (general object-oriented substation event, used for real-time event transmission) and SV protocol (sampled value, used for current and voltage sampled value transmission).

[0147] Implementation steps:

[0148] Step S1, Data Acquisition

[0149] Deploy traffic mirroring ports on the station control layer network switches and collect actual operational data from 09:00:00 to 09:05:00 on October 15, 2024:

[0150] MMS protocol data: Read and Write service messages were captured between the monitoring host (IP: 192.168.1.10) and the protection and control device (IP: 192.168.1.101), with a total of 12,450 MMS messages collected;

[0151] GOOSE protocol data: Status change messages are collected from the circuit breaker protection device (IP: 192.168.1.201), including StNum (status number) and SqNum (sequence number) fields, totaling 8,920 GOOSE messages;

[0152] SV protocol data: Sampled value packets are collected from the merging unit (IP: 192.168.1.301) at a sampling rate of 4000Hz, totaling 240,000 SV packets;

[0153] Equipment status data: The circuit breaker QF1's open / close status, A-phase current value (unit: A), and operation timestamp are read from the SCADA system's real-time database, with a sampling interval of 10ms;

[0154] All data is added with millisecond-level timestamps and stored in a temporary buffer to form the original dataset.

[0155] Step S2: Data Preprocessing

[0156] The raw data is cleaned and standardized:

[0157] Remove invalid data: Discard 12 GOOSE messages with failed CRC checks and 5 SV messages with abnormal lengths;

[0158] Continuous feature normalization:

[0159] Message size normalization: Original message length range [64, 1500] bytes, normalization formula:

[0160]

[0161] Current value normalization: The range of the collected current value is [0, 1250] A, and the normalization formula is:

[0162]

[0163] Discrete feature encoding: One-hot encoding is performed on the protocol type. MMS is encoded as [1,0,0], GOOSE is encoded as [0,1,0], and SV is encoded as [0,0,1].

[0164] Step S3: Multidimensional Feature Extraction

[0165] Using a 1-second time window, three types of features were extracted respectively:

[0166] Temporal feature extraction (based on MMS protocol traffic):

[0167] Calculate the average number of messages within the window: ;

[0168] Calculate the variance of message count: ;

[0169] Calculate the autocorrelation coefficient (lag k=1): ;

[0170] Protocol feature extraction:

[0171] MMS service type distribution: Read operations account for 85%, Write operations account for 12%, and others account for 3%;

[0172] GOOSE state transition detection: StNum abnormally increased 3 times (normally it should increase monotonically);

[0173] SV sampling deviation: Calculate the root mean square error between the actual sampled value and the standard sine wave. ;

[0174] Device behavior feature extraction:

[0175] Circuit breaker operation frequency: Abnormal operation detected twice within 5 minutes (normally it should be ≤1 time);

[0176] Response time deviation: The standard deviation of the actual response time of the protection device from the standard value. ;

[0177] State consistency check: The number of times the GOOSE message state does not match the actual state of the circuit breaker is 1.

[0178] Step S4, Feature Fusion

[0179] Applying attention mechanisms for weighted feature fusion:

[0180] Feature embedding:

[0181] Temporal feature vector: ;

[0182] Protocol feature vector: ;

[0183] Device behavior feature vector: ;

[0184] Mapped to a uniform dimension (d=8) via linear transformation:

[0185]

[0186]

[0187] Attention weight calculation:

[0188] Calculate attention score:

[0189]

[0190]

[0191]

[0192] Normalization yields the weights:

[0193]

[0194]

[0195]

[0196] Weighted fusion:

[0197]

[0198]

[0199] Step S5, Intrusion Detection

[0200] Input the fused features into the MLP classifier:

[0201] First hidden layer calculation:

[0202]

[0203] Second hidden layer calculation:

[0204]

[0205] Output layer probability calculation:

[0206]

[0207] The probability vector corresponds to the following categories: [Normal, Protocol Abuse, Device Status Forgery, Other Attacks]. The maximum probability of 0.81 corresponds to the "Device Status Forgery" attack.

[0208] Step S6, Result Output

[0209] Generate detection results:

[0210] Attack type: Device status spoofing;

[0211] Confidence level: 81%;

[0212] Timestamp: 2024-10-15 09:03:27.345;

[0213] Associated device: Circuit breaker QF1 (identifier: CB-QF1-001);

[0214] Alarm message: "Device status spoofing attack detected. The GOOSE status of circuit breaker QF1 is inconsistent with the physical status."

[0215] Alarms are sent to the SIEM system at the station control layer via the Syslog protocol, and the fused feature vector and attention weights are recorded simultaneously. (For further analysis.)

[0216] This embodiment successfully detected a device status spoofing attack targeting circuit breakers in a smart substation, proving the effectiveness of the method in real industrial scenarios. By automatically assigning the highest weight to device behavior features through an attention mechanism, it accurately identified state inconsistencies and anomalies, demonstrating its adaptability to the special security needs of the Industrial Internet.

[0217] In the description of this specification, references to terms such as "an embodiment," "example," "specific example," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0218] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to the specific implementations described. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims

1. A network intrusion detection method based on multi-dimensional features, characterized in that, The detection method specifically includes the following steps: Step S1, Data Acquisition: Capture MMS, GOOSE, and SV protocol messages from the smart substation network, and synchronously collect equipment status data, marking the timestamps; Step S2, Data Preprocessing: The collected data is deduplicated and cleaned, continuous features are normalized, discrete features are one-hot encoded, and dimensional differences are eliminated. Step S3, Multidimensional Feature Extraction: Extract statistical time-series features from the traffic sequence, parse protocol features from the protocol message, and calculate behavioral features including operation frequency and state consistency from the device data; Step S4, Feature Fusion: The weights of the three types of features are dynamically calculated through the attention mechanism network, and weighted fusion is performed to generate a unified feature representation that highlights key information; Step S5, Intrusion Detection: Input the fused features into the multilayer perceptron classifier, calculate the probability of belonging to each type of attack, and determine whether an intrusion has occurred and the type of attack based on the probability threshold. Step S6, Result Output: Output the detection results with timestamps and confidence levels, generate alarms and send them to the monitoring system, and record the feature weights for analysis and optimization. Step S3, multidimensional feature extraction, specifically includes the following steps: Step S31, Time Series Feature Extraction: Calculate statistics based on network traffic time series. For each time window, calculate the following features: Average message traffic: ; In the formula, For the first Number of bytes per message This represents the total number of messages within the window. Message flow variance: ; Autocorrelation coefficient: for lags ,set up Calculate the autocorrelation coefficient : In the formula, It is a time series. The mean of the sequence. The sequence length; Step S32, Protocol Feature Extraction: Parse industrial protocol fields and extract attack-related patterns, as follows: For the MMS protocol, extract the frequency distribution of service types and the abnormal service sequences; For the GOOSE protocol, extract the changing patterns of the state number and sequence number, and calculate the state transition frequency; For the SV protocol, the deviation of the sampled value sequence is extracted, and the mean absolute error between the sampled value and its expected value is calculated; Step S33, Equipment Behavior Feature Extraction: Calculate the following behavioral indicators based on equipment status data: Operating frequency: The number of times a circuit breaker is operated per unit time; Response time deviation: The difference between the actual time and the expected time for the device to respond to a command, and its standard deviation is calculated; Status consistency: Check the consistency between the device status and the protocol messages.

2. The network intrusion detection method based on multi-dimensional features according to claim 1, characterized in that, Step S1, data acquisition, specifically includes the following steps: Step S11: Capture MMS protocol messages, GOOSE protocol messages, and SV protocol messages using a network packet capture tool, and extract the message headers and payload data; Step S12: Collect equipment status data from the station control layer system, including circuit breaker opening and closing status, voltage value, current value, and equipment operation log; Step S13: Set the data collection frequency to ensure coverage of real-time communication and event-triggered traffic; temporarily store the collected data in a buffer and mark it with a timestamp.

3. The network intrusion detection method based on multi-dimensional features according to claim 1, characterized in that, Step S2, data preprocessing, specifically includes the following steps: Step S21: Remove duplicate messages and invalid data; Step S22: Perform min-max normalization on continuous features to map values ​​to the [0,1] interval; Step S23: Perform one-hot encoding on the discrete features and convert them into binary vectors.

4. The network intrusion detection method based on multi-dimensional features according to claim 1, characterized in that, Step S4, feature fusion, specifically includes the following steps: Step S41, Feature Embedding: Input each type of feature into the fully connected layer for embedding to obtain a feature vector; let the temporal feature vector be... The protocol feature vector is The device behavior feature vector is Map it to the same dimension through a linear transformation. : In the formula, For the first The embedding vector obtained after linear transformation and biasing of class features. For the index of the feature type, For the corresponding to the first The weight matrix of class features, For the corresponding to the first The bias vector of class features, output ; Step S42, Attention Weight Calculation: For each embedded feature vector Calculate their attention score : In the formula, This is the weight matrix. For bias vectors, This is the attention vector; The attention weights are then obtained by normalization using the softmax function. : In the formula, For the first Normalized attention weights for class features For the first Unnormalized attention scores for class features The index variable for the summation loop is used to iterate through all three types of features; Step S43, Weighted Fusion: The embedded feature vectors are weighted and summed using attention weights to obtain the fused feature vector. : In the formula, This represents the final fused feature vector.

5. The network intrusion detection method based on multi-dimensional features according to claim 4, characterized in that, Step S5, the intrusion detection, specifically includes the following steps: Step S51: Input the fused feature vector into the classifier for intrusion detection. The classifier uses a multilayer perceptron (MLP) and outputs the probability distribution of attack types. The MLP contains two hidden layers. The first hidden layer uses the ReLU activation function, and the second hidden layer uses the softmax function. The calculation process is as follows: In the formula, Both are weight matrices. For bias vectors, The probability vector represents the probability of a normal state or various attacks; Step S52: Based on the probability vector The category with the highest probability is taken as the detection result. When the highest probability exceeds the preset threshold, it is judged as an intrusion; otherwise, it is judged as normal.

6. The network intrusion detection method based on multi-dimensional features according to claim 1, characterized in that, Step S6, the result output specifically includes the following steps: Step S61: Output the detection results, which include attack type, confidence level, timestamp, and associated device identifier; Step S62: Generate alarm information. The alarm information is sent to the security information and event management system through a standard interface for real-time monitoring and response. At the same time, the fused feature vector and attention weight are recorded for subsequent analysis and model optimization.

7. A network intrusion detection system based on multi-dimensional features, characterized in that, include: Data acquisition module: responsible for collecting raw network traffic data and equipment status data from the smart substation network environment, including MMS, GOOSE, SV protocol messages, as well as circuit breaker status, voltage and current values; Data preprocessing module: Cleans and normalizes the collected raw data, removes duplicate and invalid data, maps continuous features to a unified interval, and encodes and transforms discrete features; Multidimensional feature extraction module: Extracts time-series features, protocol features, and device behavior features in parallel, calculates flow statistics, parses industrial protocol fields, and analyzes device behavior patterns, respectively; In the multidimensional feature extraction module, the time-series feature extraction method is as follows: based on the network traffic time series, statistical measures are calculated, and for each time window, the following features are calculated: Average message traffic: ; In the formula, For the first Number of bytes per message This represents the total number of messages within the window. Message flow variance: ; Autocorrelation coefficient: for lags ,set up Calculate the autocorrelation coefficient : In the formula, It is a time series. The mean of the sequence. The sequence length; In the multi-dimensional feature extraction module, the protocol feature extraction method is as follows: parsing industrial protocol fields and extracting attack-related patterns, as detailed below: For the MMS protocol, extract the frequency distribution of service types and the abnormal service sequences; For the GOOSE protocol, extract the changing patterns of the state number and sequence number, and calculate the state transition frequency; For the SV protocol, the deviation of the sampled value sequence is extracted, and the mean absolute error between the sampled value and its expected value is calculated; In the multi-dimensional feature extraction module, the device behavior feature extraction method is as follows: the following behavior indicators are calculated based on the device status data: Operating frequency: The number of times a circuit breaker is operated per unit time; Response time deviation: The difference between the actual time and the expected time for the device to respond to a command, and its standard deviation is calculated; State consistency: Check the consistency between the device state and the protocol messages; Feature fusion module: Uses attention mechanism to dynamically and weightedly fuse three types of features, and generates a unified feature representation through feature embedding, attention calculation and weighted summation; Intrusion detection module: Intrusion detection is performed based on fused features. The attack probability is calculated through a multilayer perceptron classifier, and the intrusion and attack type are determined based on the threshold. Results output module: Outputs detection results and generates alarm information, which is sent to the monitoring system through a standard interface. It also records feature data and detection logs for subsequent analysis.

8. A computer device, characterized in that, include: Memory, used to store computer programs; A processor for executing the computer program to implement the steps of the method as claimed in any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that, when executed on a computer, cause the computer to perform the method as described in any one of claims 1-6.