Power grid data security protection method and system

By constructing a semantic association and physical causal relationship graph of power grid data items, identifying derived knowledge and combining it with the power grid operation status for risk assessment, the problem of the inability to defend against indirect inference attacks in existing technologies is solved, and the accuracy and adaptability of power grid data security protection are improved.

CN121770902BActive Publication Date: 2026-06-09BEIJING GUANYU INFORMATION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING GUANYU INFORMATION TECHNOLOGY CO LTD
Filing Date
2026-03-03
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing power grid data security protection technologies have failed to effectively defend against indirect inference attacks based on multi-source data correlation analysis. Access subjects can infer highly sensitive information by legitimately obtaining low-sensitivity data, thus bypassing access control policies.

Method used

A data inference relationship graph based on semantic associations and physical causal relationships between power grid data items is constructed. The graph identifies the derived knowledge that can be inferred from combinations of data items. A two-dimensional risk assessment is then conducted in conjunction with the power grid operating conditions to generate access control instructions.

Benefits of technology

It enables a systematic characterization of the complex relationships between power grid data items, improves the accuracy and adaptability of data security protection mechanisms, and dynamically adjusts access control strategies to defend against indirect inference attacks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121770902B_ABST
    Figure CN121770902B_ABST
Patent Text Reader

Abstract

The application provides a power grid data security protection method and system, relates to the technical field of data security, and comprises the following steps: constructing a data inference relation graph, recording historical access information of an access subject, and when an access request is received, performing two-dimensional risk assessment based on a derived knowledge set inferred by combination of target data and historical data, a correlation measurement value of historical access and an operating state parameter, and generating an access control instruction. The application can effectively prevent inference attacks based on historical data correlation analysis and improve the power grid data security protection capability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to data security technology, and more particularly to a method and system for protecting power grid data security. Background Technology

[0002] Existing power grid data security protection technologies mainly focus on traditional security measures such as access control, data encryption, and data anonymization. These existing security mechanisms do not fully consider the semantic relationships and physical causal connections between power grid data items, and cannot effectively defend against indirect inference attacks based on multi-source data correlation analysis. Access subjects can legally obtain multiple low-sensitivity data points, combine them with the physical laws and professional knowledge of specific power grid operating conditions, and infer high-sensitivity information, thereby bypassing access control policies. Summary of the Invention

[0003] The present invention provides a method and system for protecting power grid data security, which can solve the problems in the prior art.

[0004] A first aspect of the present invention provides a method for protecting power grid data security, comprising:

[0005] A data inference relationship graph is constructed based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with the power grid operating state conditions that trigger the inference.

[0006] Establish an access history set for each accessing entity, recording the historical data items accessed and the historical access time; acquire power grid operation status parameters and receive access requests from accessing entities for target data items;

[0007] By combining the historical data items with the target data items, and based on the edge relationships in the graph that satisfy the current operating state conditions, the set of derived knowledge that can be inferred from the accessing subject is obtained;

[0008] Obtain historical operation status parameters, calculate the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operation status parameters; perform a two-dimensional risk assessment based on the comprehensive sensitivity of the derived knowledge set and the correlation metric, and generate access control instructions;

[0009] Responding to the access request according to the access control instruction, and adding the target data item and the current time to the access history set when access is granted.

[0010] A data inference relationship graph is constructed based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items, and are associated with the power grid operating state conditions that trigger the inference. The steps include:

[0011] The system collects business association records, physical quantity types, and equipment topology relationships of power grid data items. Based on the co-occurrence frequency and temporal sequence of data items in the business association records, it identifies candidate semantic association relationships. Based on the physical quantity types and equipment topology relationships, it derives candidate physical causal relationships.

[0012] The candidate semantic associations and candidate physical causal relationships are cross-validated, and the associations that simultaneously satisfy the semantic association strength threshold and the physical causal reachability condition are retained as confirmed inference relationships;

[0013] Several typical operating modes are obtained by clustering historical operating state parameters, and the feature boundaries of operating state parameters are extracted for each operating mode as state identification conditions;

[0014] The historical success and failure counts of each confirmed inference relationship in each operating mode are statistically analyzed, and the confidence value is calculated. The operating mode status identification condition where the confidence value exceeds the preset confidence threshold is used as the operating status condition that triggers the establishment of the inference relationship. A data inference relationship map is constructed based on the confirmed inference relationship, its corresponding operating status condition, and the confidence value.

[0015] The step of cross-validating the candidate semantic associations and candidate physical causal relationships, and retaining the associations that simultaneously satisfy the semantic association strength threshold and the physical causal reachability condition as confirmed inference relationships, includes:

[0016] For each pair of data items in the candidate semantic association, extract their co-occurrence time window sequence in the business association record, calculate the temporal correlation of the changes in data items within the time window, and mark data item pairs with temporal correlation higher than the preset correlation threshold as strong semantic association;

[0017] For each pair of data items in the candidate physical causal relationship, a causal transmission path is constructed based on the physical quantity type. The transmission attenuation coefficient of the physical quantity conversion in the path is calculated. Data item pairs with a transmission attenuation coefficient lower than a preset attenuation threshold are marked as strong physical causality.

[0018] For data item pairs that are simultaneously marked as having strong semantic association and strong physical causality, the temporal correlation direction of the semantic association and the causal transmission direction of the physical causality are extracted. When the two directions are consistent, the directional consistency confidence is calculated. Data item pairs with a directional consistency confidence higher than a preset consistency threshold are confirmed as inference relationships.

[0019] The steps of combining the historical data items with the target data items and inferring the derived knowledge set that the access subject can infer based on the edge relationships in the graph that satisfy the current operating state conditions include:

[0020] The current running state parameters are matched with the state recognition conditions associated with each edge in the graph, and the edges whose state recognition conditions are met are selected as the set of active edges;

[0021] A starting data item is selected from historical data items and target data items. The system traverses the set of activated edges, obtaining confidence values ​​for each edge in the traversal path in traversal order. Each confidence value is then weighted and multiplied by a path length decay factor to obtain the path confidence. The path length decay factor is calculated based on the number of edges traversed and decreases as the number of edges increases. Traversal paths with a path confidence higher than a first preset threshold are recorded as inference chains.

[0022] By combining and analyzing the endpoint data items of multiple inference chains, a composite inference structure is formed by combining the endpoint data items that satisfy the preset physical constraints and their inference chains.

[0023] The semantic representation of the inference relationship in the inference chain and the semantic representation of the association relationship in the composite inference structure constitute the set of derived knowledge that the accessing subject can infer.

[0024] The steps of obtaining historical operating status parameters and calculating the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters include:

[0025] Historical running status parameters are obtained to form a status parameter sequence, and the cumulative number of accessed data items at each historical access time is counted to form a cumulative access sequence;

[0026] A sliding window analysis is performed on the state parameter sequence, and the moment when the change exceeds a preset mutation threshold is taken as the state mutation moment. The parameter change direction and change magnitude corresponding to each state mutation moment are extracted to form a set of state mutation events.

[0027] For each state change event, the peak time of access volume growth in the cumulative access sequence is searched within a preset delay range after the state change time; the time interval between the state change time and the peak time of access volume growth is calculated as the response delay, and the ratio of the access volume growth rate to the change rate of the running state parameters is calculated as the access response intensity.

[0028] For the stationary segments in the state parameter sequence that do not contain state abrupt events, calculate the correlation coefficient between the stationary periods of the state parameter sequence and the cumulative access sequence;

[0029] The correlation coefficient during the mutation period is calculated based on the response delay and access response intensity of each state mutation event. The correlation coefficient during the mutation period is then weighted and fused with the correlation coefficient during the stationary period to obtain a correlation metric.

[0030] The steps for calculating the correlation metric include:

[0031] For each state mutation event, the correlation strength of the individual mutation event is calculated based on its response delay and access response strength, and the correlation coefficient of the mutation period is obtained by averaging the correlation strengths of all state mutation events.

[0032] The weight of the abrupt change period is calculated based on the proportion of abrupt change events in the total duration of the state parameter sequence, and the weight of the stable period is calculated based on the proportion of stable state segments in the total duration.

[0033] The correlation coefficient during the mutation period is multiplied by the weight of the mutation period duration to obtain the weighted value for the mutation period. The correlation coefficient during the stable period is multiplied by the weight of the stable period duration to obtain the weighted value for the stable period. The correlation measure is obtained by summing the weighted values ​​for the mutation period and the stable period.

[0034] The steps for generating access control instructions based on a two-dimensional risk assessment using the comprehensive sensitivity of the derived knowledge set and the relevance metric include:

[0035] For each piece of derived knowledge in the derived knowledge set, a sensitivity score is calculated based on the number of data items involved, the inference depth, and the sensitivity level of the edge relationships in the inference chain; all sensitivity scores are then weighted and summed to obtain the comprehensive sensitivity score.

[0036] A two-dimensional risk assessment coordinate system is established based on the comprehensive sensitivity and relevance metrics. The coordinate system is divided into four risk quadrants, and the current access request is located in the corresponding risk quadrant.

[0037] Extract the historical comprehensive sensitivity and historical relevance metrics corresponding to each historical access time from the access history set, and calculate the deviation between the current access and historical access in terms of comprehensive sensitivity and relevance metrics;

[0038] A rejection instruction is generated when the overall sensitivity and relevance metrics of the current access request both exceed the corresponding thresholds and the deviation magnitudes both exceed the preset deviation thresholds; otherwise, an allow instruction is generated.

[0039] A second aspect of the present invention provides a power grid data security protection system, comprising:

[0040] The graph construction module is used to construct a data inference relationship graph based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with the power grid operating state conditions that trigger the inference.

[0041] The access record module is used to establish an access history set for each access subject, record the historical data items accessed and the historical access time; obtain power grid operation status parameters and receive access requests from access subjects for target data items;

[0042] The knowledge deduction module is used to combine the historical data items with the target data items, and based on the edge relationships in the graph that satisfy the current operating state conditions, to deduce the set of derived knowledge that can be inferred from the access subject;

[0043] The risk assessment module is used to acquire historical operating status parameters, calculate the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters, perform a two-dimensional risk assessment based on the comprehensive sensitivity of the derived knowledge set and the correlation metric, and generate access control instructions.

[0044] The access control module is used to respond to access requests according to the access control instructions, and add the target data item and the current time to the access history set when access is allowed.

[0045] A third aspect of the present invention provides an electronic device, comprising:

[0046] processor;

[0047] Memory used to store processor-executable instructions;

[0048] The processor is configured to invoke instructions stored in the memory to execute the aforementioned method.

[0049] A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, implement the aforementioned method.

[0050] This invention constructs a data inference relationship graph based on semantic association and physical causality, achieving a systematic characterization of the complex relationships between power grid data items. It accurately identifies derived knowledge from data combinations, avoiding the shortcomings of traditional methods that focus only on single data items while ignoring the risks of combined inference. Innovatively, it links power grid operating conditions with data inference relationships, enabling data security protection mechanisms to dynamically adjust according to real-time power grid operating conditions, thus improving the accuracy and adaptability of protection strategies. Attached Figure Description

[0051] Figure 1 This is a flowchart illustrating the power grid data security protection method according to an embodiment of the present invention;

[0052] Figure 2 Flowchart for constructing a relationship graph based on data inference. Detailed Implementation

[0053] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0054] The technical solution of the present invention will be described in detail below with reference to specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes will not be repeated in some embodiments.

[0055] Figure 1 This is a flowchart illustrating the power grid data security protection method according to an embodiment of the present invention, as shown below. Figure 1 As shown, the method includes:

[0056] A data inference relationship graph is constructed based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with the power grid operating state conditions that trigger the inference.

[0057] Establish an access history set for each accessing entity, recording the historical data items accessed and the historical access time; acquire power grid operation status parameters and receive access requests from accessing entities for target data items;

[0058] By combining the historical data items with the target data items, and based on the edge relationships in the graph that satisfy the current operating state conditions, the set of derived knowledge that can be inferred from the accessing subject is obtained;

[0059] Obtain historical operation status parameters, calculate the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operation status parameters; perform a two-dimensional risk assessment based on the comprehensive sensitivity of the derived knowledge set and the correlation metric, and generate access control instructions;

[0060] Responding to the access request according to the access control instruction, and adding the target data item and the current time to the access history set when access is granted.

[0061] The access history set is stored using a relational database table structure. The primary key is a combination of the access subject identifier and the historical access time. Table fields include access subject identifier, historical data item identifier, historical access time, access operation type, and other information. When an access subject initiates an access request for the first time, the system automatically creates the access history set corresponding to that subject, initially in an empty set. Each time an access subject successfully accesses a data item, the identifier of the data item involved in the access and the time of the access are added to the access history set, with a time accuracy of seconds. Grid operation status parameters are obtained in real time through an interface with the grid monitoring system. The interface uses a standard communication protocol, with an acquisition cycle of 5 seconds. Parameters include monitored quantities such as total system load, main grid voltage, and power flow at key sections. Access requests are received through the API interface of the access control system. The request message includes necessary fields such as access subject identifier, target data item identifier, and request timestamp. After format validation, the received request enters the processing flow.

[0062] In one optional implementation, the steps of constructing a data inference relationship graph based on the semantic association and physical causal relationship between power grid data items, wherein the edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with power grid operating state conditions that trigger the inference, include:

[0063] The system collects business association records, physical quantity types, and equipment topology relationships of power grid data items. Based on the co-occurrence frequency and temporal sequence of data items in the business association records, it identifies candidate semantic association relationships. Based on the physical quantity types and equipment topology relationships, it derives candidate physical causal relationships.

[0064] The candidate semantic associations and candidate physical causal relationships are cross-validated, and the associations that simultaneously satisfy the semantic association strength threshold and the physical causal reachability condition are retained as confirmed inference relationships;

[0065] Several typical operating modes are obtained by clustering historical operating state parameters, and the feature boundaries of operating state parameters are extracted for each operating mode as state identification conditions;

[0066] The historical success and failure counts of each confirmed inference relationship in each operating mode are statistically analyzed, and the confidence value is calculated. The operating mode status identification condition where the confidence value exceeds the preset confidence threshold is used as the operating status condition that triggers the establishment of the inference relationship. A data inference relationship map is constructed based on the confirmed inference relationship, its corresponding operating status condition, and the confidence value.

[0067] Combination Figure 2The flowchart for constructing the data inference relationship graph is used to illustrate this process, exemplified by collecting relevant data from the power grid management system, data dictionary, and GIS system. Business association records refer to the usage of data items recorded in the power grid management system in actual business scenarios. For example, in the execution of dispatch instructions or fault handling processes, this includes the frequency of simultaneous calls to different data items and their temporal sequence. Physical quantity types are obtained from the power grid data dictionary, including type identifiers such as voltage, current, and power. Equipment topology relationships are extracted from the GIS system or equipment connection relationship database, recording the connection relationships between substations, lines, switches, and other equipment.

[0068] When analyzing business association records, if it is found that the current data item of feeder A and the status data item of circuit breaker B frequently appear in the same business operation, and the current change usually precedes the circuit breaker status change, a candidate semantic association relationship between the two is established. To quantify the strength of this association, firstly, the co-occurrence frequency of these two data items in all business records is counted, and the proportion of the co-occurrence frequency to the total number of business records is calculated to obtain the co-occurrence rate; then, the number of times the two data items maintain a fixed temporal order is counted, and the proportion of this number to the total number of co-occurrences is calculated to obtain the temporal stability; finally, the co-occurrence rate and temporal stability are weighted and summed, with weight coefficients set to 0.4 and 0.6 respectively, to obtain the semantic association strength value.

[0069] At the same time, a causal relationship template between physical quantities is established based on the physical laws of power systems. For example, there is a physical relationship between power, voltage, and current that power equals voltage multiplied by current; there is a constraint relationship of equal voltage between devices connected to the same bus. Combining the equipment topology, when two transformers are found to be operating in parallel, a physical constraint can be deduced between "the low-voltage side voltage of transformer A" and "the low-voltage side voltage of transformer B", thus establishing candidate physical causal relationships.

[0070] For the established candidate relationships, a double verification is required. First, the semantic association strength is checked to see if it exceeds a threshold of 0.7. Second, a physical relationship transmission graph is constructed to verify physical causal reachability. Specifically, starting from data item A, a path search is performed along the conversion relationships of physical quantity types (e.g., current can be converted to power) and the connection relationships of device topology. If data item B can be reached, then the two are considered to have physical causal reachability. Only relationships that pass both of these checks are confirmed as valid inference relationships and saved.

[0071] To differentiate the applicability of inferred relationships under different operating scenarios, it is necessary to analyze the historical operating status of the power grid. Parameters such as load levels, power generation output distribution, and network topology status for historical periods are collected to construct a multi-dimensional operating status sample. The K-means clustering algorithm is used to classify these samples, and the Euclidean distance between samples is calculated to measure similarity. The elbow rule is used to determine an appropriate number of clusters, dividing the historical operating status into five categories, corresponding to typical scenarios such as "peak load mode," "off-peak load mode," and "high output from new energy sources mode."

[0072] For each identified operating mode, the numerical distribution of each operating state parameter under that mode is statistically analyzed, and the boundary values ​​of the 95% confidence interval are extracted as the identification criteria for that mode. Taking the "peak load mode" as an example, the statistical results show that its total system load is concentrated between 8500MW and 9500MW, the main network voltage is stable within the range of 0.95 to 1.05 per unit, and the power flow at key sections is between 2800MW and 3200MW. When the real-time operating parameters of the power grid fall within these ranges, it can be determined that the current operating mode is in that mode.

[0073] After determining the operating modes, it is necessary to verify the reliability of each inference relation under different modes. Data samples for each operating mode are extracted from historical data. For each sample, the inference relation is applied to infer the value of the endpoint data item from the starting data item, and then compared with the actual measured value. If the relative error between the inferred value and the actual value is less than 5%, it is recorded as a successful verification; otherwise, it is recorded as a failed verification. The number of successes and failures for each operating mode is counted, and the confidence score is calculated. For example, if an inference relation is verified 100 times under the "peak load mode" with 92 successes, the confidence score for this mode is 0.92. When the confidence score exceeds 0.9, the identification conditions for this operating mode (i.e., the aforementioned parameter range combination) are associated with this inference relation, indicating that the inference relation is reliable under this operating mode.

[0074] A graph database structure is used to store the constructed data inference relationship graph. Each node in the graph represents a power grid data item, recording attribute information such as the data item's name, physical quantity type, and associated equipment. Edges between nodes represent confirmed inference relationships, with edge attributes including relationship type (labeled as semantic association or physical causality), operating status conditions, and confidence values. The operating status conditions are stored in JSON format, specifying the value range of each status parameter, for example, {"System Load":[8500,9500],"Main Grid Voltage":[0.95,1.05]}. This graph structure facilitates subsequent rapid querying of inference paths and applicable conditions between data items using graph traversal algorithms.

[0075] By constructing a data inference relationship graph, mutual verification and missing data inference can be achieved during power grid operation. When certain data cannot be directly obtained, it can be inferred from other known data based on the inference relationships in the graph and the current operating status, thereby improving the integrity and reliability of power grid data.

[0076] In one optional implementation, the step of cross-validating the candidate semantic associations with the candidate physical causal relationships, and retaining the associations that simultaneously satisfy the semantic association strength threshold and the physical causal reachability condition as confirmed inference relationships, includes:

[0077] For each pair of data items in the candidate semantic association, extract their co-occurrence time window sequence in the business association record, calculate the temporal correlation of the changes in data items within the time window, and mark data item pairs with temporal correlation higher than the preset correlation threshold as strong semantic association;

[0078] For each pair of data items in the candidate physical causal relationship, a causal transmission path is constructed based on the physical quantity type. The transmission attenuation coefficient of the physical quantity conversion in the path is calculated. Data item pairs with a transmission attenuation coefficient lower than a preset attenuation threshold are marked as strong physical causality.

[0079] For data item pairs that are simultaneously marked as having strong semantic association and strong physical causality, the temporal correlation direction of the semantic association and the causal transmission direction of the physical causality are extracted. When the two directions are consistent, the directional consistency confidence is calculated. Data item pairs with a directional consistency confidence higher than a preset consistency threshold are confirmed as inference relationships.

[0080] For example, for each pair of data items in the candidate semantic association, a time window sequence of their co-occurrence is extracted from the business association records. The time window length is set to 5 minutes, and the sliding step is 1 minute. Within each time window, the numerical change sequence of the two data items is recorded, and the Pearson correlation coefficient is calculated as a time-series correlation indicator. Specifically, the sampled values ​​of the two data items within the window are constructed into vectors, and the covariance of the two vectors is calculated by dividing the product of their respective standard deviations to obtain the correlation coefficient. When the absolute value of the correlation coefficient is greater than 0.75, the two data items are considered to have a significant time-series correlation within that time window. The percentage of windows with an absolute correlation coefficient greater than 0.75 across all time windows is counted. If the percentage exceeds 60%, the data item pair is marked as having a strong semantic association. For example, in the historical 500 time windows, the absolute value of the correlation coefficient between the feeder current data item and the circuit breaker status data item exceeds 0.75 in 320 windows, accounting for 64%, and is therefore marked as having a strong semantic association.

[0081] For each pair of data items in the candidate physical causal relationship, a causal transmission path is constructed based on the physical quantity type. Starting from the physical quantity type of the initial data item, a path search is performed according to a conversion rule base established based on the physical laws of the power system. The conversion rule base includes conversion rules from voltage to current, current to power, and power transmission rules between devices. Each conversion rule is associated with a transmission attenuation coefficient, characterizing the loss or uncertainty of the physical quantity during the conversion or transmission process. For example, when voltage is converted to current through line impedance, the transmission attenuation coefficient is set to the per-unit value of the line impedance; when power is transmitted between transformers, the transmission attenuation coefficient is set to the reciprocal of the transformer loss rate. The transmission attenuation coefficients of each link along the path are accumulated, and the total transmission attenuation coefficient of the path is calculated by multiplication. When the total transmission attenuation coefficient of the path is less than 0.3, the physical quantity is considered to have excessive loss or uncertainty during transmission, and the path is considered unreliable. If the total transmission attenuation coefficient of the path is not less than 0.3, the data item pair is marked as strong physical causality. For example, the transmission path from the voltage of bus A in substation to the current of feeder B undergoes impedance transformation, and the total transmission attenuation coefficient of the path is 0.42, which is higher than the threshold of 0.3. Therefore, it is marked as strong physical causality.

[0082] For data item pairs simultaneously marked as having strong semantic association and strong physical causality, further verification of their directional consistency is required. The temporal correlation direction of semantic association is extracted by calculating the time difference between the changes of the two data items within a time window. If the change time of data item A is on average earlier than the change time of data item B, then the temporal correlation direction is A to B; otherwise, it is B to A. The time difference is calculated using the peak position of the cross-correlation function; when the cross-correlation function shows a peak at a positive time delay, it indicates that A changes before B. The causal transmission direction of physical causality is extracted, i.e., the direction from the start point to the end point of the causal transmission path. The temporal correlation direction is compared with the causal transmission direction; when they are consistent, the directional consistency confidence score is calculated. The directional consistency confidence score is equal to the weighted average of the stability of the temporal correlation direction determination and the reliability of the causal transmission path, with weights set to 0.5 and 0.5, respectively. The stability of the temporal correlation direction determination is obtained by statistically analyzing the proportion of windows with consistent directions within a time window, and the reliability of the causal transmission path is obtained by normalizing the total transmission attenuation coefficient of the path. When the directional consistency confidence level is higher than 0.8, the data pair is confirmed as an inferred relationship and recorded. For example, in 80% of the time window, feeder current A and circuit breaker state B show A changing before B. The total transmission attenuation coefficient of the physical causal path is 0.42, which is normalized to 0.7. The directional consistency confidence level is 0.8×0.5+0.7×0.5=0.75, which is lower than the threshold of 0.8, so it is not confirmed as an inferred relationship. However, in 85% of the time window, substation voltage C and load power D show C changing before D. The total transmission attenuation coefficient of the physical causal path is 0.68, which is normalized to 0.9. The directional consistency confidence level is 0.85×0.5+0.9×0.5≈0.88, which is higher than 0.8, so it is confirmed as an inferred relationship.

[0083] In the data processing workflow, the time window sequence of business-related records is stored in a time-series database, with each record containing a timestamp, data item identifier, and numerical field. The physical quantity conversion rule base is stored in a relational database, with each rule containing the starting physical quantity type, target physical quantity type, conversion condition, and transmission attenuation coefficient fields. Causal transmission path search employs a depth-first traversal algorithm, with a path depth limited to 5 levels to avoid excessive computational complexity due to overly long paths. The sampling frequency of data items for time-series correlation calculation is required to be no less than once per minute, ensuring sufficient data points within the time window to support correlation coefficient calculation. If fewer than 3 sampling points are found, the window is marked as invalid and excluded from the proportion statistics. The time delay range for cross-correlation function calculation is set to -10 minutes to +10 minutes, with a step size of 1 minute. Peak detection uses a local maximum identification method; when multiple peaks exist, the time delay corresponding to the peak with the largest absolute value is selected as the time difference. The normalization method for the transmission attenuation coefficient is to linearly map the interval from 0.3 to 1.0 to the interval from 0 to 1. During the mapping, the normalized value is obtained by subtracting 0.3 from the original transmission attenuation coefficient and then dividing by 0.7.

[0084] After cross-validation, the confirmed inference relationships are stored in the graph database. Each edge records attribute fields such as the starting data item identifier, the ending data item identifier, the relationship type identifier, the proportion of temporal correlation, the total path propagation attenuation coefficient, and the directional consistency confidence level. The relationship type identifier distinguishes between semantically related inference relationships and physically causally related inference relationships. When a pair of data items simultaneously satisfies both strong semantic association and strong physical causality conditions, the relationship type identifier is a composite inference relationship. The storage structure supports fast querying of relevant inference relationships by data item identifier.

[0085] By employing cross-validation mechanisms, inference relationships that possess both business semantic relevance and conform to physical causal laws are effectively selected, thereby enhancing the reliability and applicability of these relationships and providing a high-quality knowledge foundation for subsequent graph-based data inference and risk assessment.

[0086] In one optional implementation, the step of combining the historical data items with the target data items and inferring the derived knowledge set that the access subject can infer based on the edge relationships in the graph that satisfy the current operating state conditions includes:

[0087] The current running state parameters are matched with the state recognition conditions associated with each edge in the graph, and the edges whose state recognition conditions are met are selected as the set of active edges;

[0088] A starting data item is selected from historical data items and target data items. The system traverses the set of activated edges, obtaining confidence values ​​for each edge in the traversal path in traversal order. Each confidence value is then weighted and multiplied by a path length decay factor to obtain the path confidence. The path length decay factor is calculated based on the number of edges traversed and decreases as the number of edges increases. Traversal paths with a path confidence higher than a first preset threshold are recorded as inference chains.

[0089] By combining and analyzing the endpoint data items of multiple inference chains, a composite inference structure is formed by combining the endpoint data items that satisfy the preset physical constraints and their inference chains.

[0090] The semantic representation of the inference relationship in the inference chain and the semantic representation of the association relationship in the composite inference structure constitute the set of derived knowledge that the accessing subject can infer.

[0091] For example, after receiving an access request from the accessing entity for the target data item, the current power grid operating status parameters are obtained, including real-time monitoring values ​​such as total system load, main grid voltage, and power flow at key sections. These current operating status parameters are then matched one by one with the state identification conditions associated with each edge in the data inference relationship graph. The state identification conditions are stored in the form of parameter ranges; for example, the state identification condition for a certain edge is that the total system load is between 8500MW and 9500MW and the main grid voltage is between 0.95 and 1.05 per-unit values. The matching process uses interval judgment; when each value of the current operating status parameter falls within the interval specified by the corresponding state identification condition, the edge is determined to have met the state identification condition. All edges that meet the conditions are added to the active edge set and stored in an in-memory hash table structure. The key is the edge identifier, and the value is the edge attribute object, containing fields such as the starting data item identifier, the ending data item identifier, and the confidence value. The time complexity of constructing the active edge set is linearly related to the total number of edges in the graph; in a graph with 10,000 edges, the construction time is approximately 100 milliseconds.

[0092] The historical data items visited by the accessing subject are extracted from the access history set and merged with the target data item of the current access request to form a candidate starting data item set. The traversal process uses a breadth-first search strategy, starting from each data item in the candidate starting data item set and expanding along the set of active edges. For each edge traversed during the traversal, its confidence value is obtained sequentially according to the traversal order. The path confidence is calculated by multiplying the confidence values ​​of each edge on the path together, and then multiplying by the path length decay factor. The path length decay factor is calculated based on the number of edges traversed, n, specifically 0.9 to the power of n. For example, if a path traverses 3 edges with confidence values ​​of 0.92, 0.88, and 0.85 respectively, and the path length decay factor is 0.9 to the power of 3, approximately equal to 0.729, the path confidence is calculated as 0.92 × 0.88 × 0.85 × 0.729 ≈ 0.496. A first preset threshold of 0.5 is set. When the path confidence is higher than 0.5, the traversal path is recorded as an inference chain. The storage structure includes the starting data item identifier, the ending data item identifier, the sequence of edge identifiers traversed, and the path confidence field. The traversal depth is limited to 5 levels to avoid excessive computational resource consumption due to excessively long paths. When the path length reaches 5, the path is stopped from being further expanded. In a scenario containing 500 historical data items and 1 target data item, the number of candidate paths generated by the traversal is approximately 2000, and approximately 300 inference chains are retained after filtering by path confidence.

[0093] The process extracts the endpoint data items from all inference chains, groups and statistically analyzes them by data item identifier, and identifies endpoint data items pointed to by multiple inference chains. For the same endpoint data item, it extracts all inference chains pointing to it and analyzes whether the starting data items of these inference chains satisfy preset physical constraints. Preset physical constraints are based on the physical laws of power systems and include power balance constraints, voltage-current relationship constraints, and equipment capacity constraints. For example, when two inference chains infer the substation bus voltage from the active power and reactive power of feeder A, respectively, it checks whether the apparent power S calculated from the active power P and reactive power Q satisfies the condition that the square of S equals the square of P plus the square of Q, with an allowable error range of 5%. Physical constraint verification uses a constraint checking engine with a built-in constraint rule library. Each rule in the rule library defines the combination of physical quantity types of the data items involved in the constraint, the constraint relationship expression, and the allowable error range. When the endpoint data item and its associated inference chain satisfy at least one physical constraint rule, the endpoint data item and its inference chain are combined to form a composite inference structure. The composite inference structure is stored as a structured object containing the endpoint data item identifier, a list of inference chain identifiers, and the identifiers of the satisfied physical constraint rules. Of the aforementioned 300 inference chains, approximately 80 composite inference structures are formed after combination analysis.

[0094] For each inference chain, the semantic representation of the inference relationship associated with the edges traversed in the inference chain is extracted and stored in the edge attributes. This semantic representation describes the association between the starting data item and the ending data item. For example, a feeder current changing before the circuit breaker state indicates that the feeder overload triggers the circuit breaker operation. The semantic representations of each inference relationship along the inference chain path are concatenated in traversal order to form the complete semantic description of the inference chain. For composite inference structures, the semantic representations of multiple associated inference chains are extracted and combined with the semantic descriptions of the satisfied physical constraint rules to form the semantic representation of the composite inference structure. For example, inferring the bus voltage from both active and reactive power and satisfying the apparent power constraint indicates the comprehensive impact of load changes on the bus voltage. The semantic descriptions of all inference chains and the semantic representations of composite inference structures are summarized, and semantically redundant descriptions are removed to form a set of derived knowledge that the access subject can infer. The set of derived knowledge is stored as a list of knowledge items, each containing a knowledge description text, a list of associated data item identifiers, an inference path identifier, and a confidence value field. In the aforementioned case, the derived knowledge set contains approximately 150 knowledge items, with each knowledge item involving an average of 3.2 data items.

[0095] During data inference, a Bloom filter is used to accelerate edge lookup and reduce memory access overhead for edge matching in the activated edge set. The filter's false positive rate is set to 0.01%. The traversal process employs multi-threaded parallel processing with four threads. Each thread handles a portion of the candidate starting data items, and intermediate results are passed between threads via a lock-free queue to avoid performance degradation caused by lock contention. The physical constraint checking engine uses a rule caching mechanism, loading frequently used constraint rules into memory. The cache hit rate is approximately 85%. When a rule is not found, it is queried from the constraint rule database, with a query latency of approximately 10 milliseconds. Deduplication of the derived knowledge set uses a fast hash-based comparison. A hash value is calculated for the knowledge description text, and knowledge items with the same hash value undergo a detailed text comparison, with deduplication taking approximately 30 milliseconds.

[0096] This inference mechanism effectively combines access history with current access intent, and accurately identifies the derived knowledge that can be inferred from the access subject based on the inference relationships applicable to the current operating state in the graph.

[0097] In one optional implementation, the steps of obtaining historical operating status parameters and calculating the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters include:

[0098] Historical running status parameters are obtained to form a status parameter sequence, and the cumulative number of accessed data items at each historical access time is counted to form a cumulative access sequence;

[0099] A sliding window analysis is performed on the state parameter sequence, and the moment when the change exceeds a preset mutation threshold is taken as the state mutation moment. The parameter change direction and change magnitude corresponding to each state mutation moment are extracted to form a set of state mutation events.

[0100] For each state change event, the peak time of access volume growth in the cumulative access sequence is searched within a preset delay range after the state change time; the time interval between the state change time and the peak time of access volume growth is calculated as the response delay, and the ratio of the access volume growth rate to the change rate of the running state parameters is calculated as the access response intensity.

[0101] For the stationary segments in the state parameter sequence that do not contain state abrupt events, calculate the correlation coefficient between the stationary periods of the state parameter sequence and the cumulative access sequence;

[0102] The correlation coefficient during the mutation period is calculated based on the response delay and access response intensity of each state mutation event. The correlation coefficient during the mutation period is then weighted and fused with the correlation coefficient during the stationary period to obtain a correlation metric.

[0103] For example, historical operating status parameters are obtained from the historical data storage system, including historical records of monitoring quantities such as total load of the power grid system, main grid voltage amplitude, and power flow at key sections. These historical operating status parameters are arranged by timestamps to form a status parameter sequence. Each sequence element contains a timestamp field and a parameter value field. The timestamp precision is in the second range, and the parameter value precision is to three decimal places. The time span of the status parameter sequence is set to the past 30 days, with a sampling interval of 5 minutes, resulting in a sequence length of 8640 data points over the 30-day span. The cumulative number of access data items for each historical access time is extracted from the access log database. The cumulative number of access data items is defined as the total number of different data items accessed by the accessing subject from the statistical start time to the current time, and is sorted by access time to form a cumulative access sequence. The cumulative access sequence uses the same time precision and sampling interval as the status parameter sequence. For times when no access behavior occurs, the cumulative number of access data items remains unchanged from the previous time. Both the status parameter sequence and the cumulative access sequence are stored in a time-series database.

[0104] A sliding window analysis was performed on the state parameter sequence, with a window length of 12 data points corresponding to a 1-hour time span and a sliding step of 1 data point. The standard deviation of the parameter values ​​was calculated within each window; a significant change was considered to exist when the standard deviation exceeded 15% of the parameter mean. For windows with significant changes, the magnitude of parameter change between adjacent data points within the window was further examined. The magnitude of change was calculated by subtracting the parameter value from the previous time point, taking the absolute value of this difference, and then dividing it by the previous time point's parameter value. A preset mutation threshold of 0.08 was set; when the magnitude of change exceeded 0.08, the moment was marked as a state mutation moment. The direction of parameter change corresponding to the state mutation moment was extracted. The direction of parameter change was determined by comparing the parameter values ​​before and after the mutation; an increase in parameter value indicated a positive direction, and a decrease in parameter value indicated a negative direction. The magnitude of change was extracted as a quantitative feature of the state mutation event. State mutation events were stored as structured objects containing fields such as mutation moment, parameter identifier, direction of change, and magnitude of change, forming a set of state mutation events. In 30 days of historical data, approximately 45 state change events were identified in typical scenarios, with the identification process taking about 300 milliseconds.

[0105] For each event in the set of state change events, the peak time of access volume growth in the cumulative access sequence is searched within a preset time delay range after the state change time. The preset time delay range is set to 2 hours after the state change time, corresponding to 24 data points. Within this range, the increment between adjacent data points in the cumulative access sequence is calculated, where the increment is the number of cumulative access data items at the later time minus the number of cumulative access data items at the previous time. The time with the largest increment is marked as the peak time of access volume growth, and the increment value is taken as the access volume growth rate. The time interval between the state change time and the peak time of access volume growth is calculated, in minutes, as the response delay. The ratio of the access volume growth rate to the change rate of the running state parameters is calculated as the access response intensity, which typically ranges from 0.5 to 5. If there is no time with a access volume increment greater than zero within the preset time delay range, the state change event is not included in subsequent calculations. Among the 45 identified state change events, approximately 38 events found corresponding peak times of access volume growth within the preset time delay range, with a median response delay of 35 minutes and an average access response intensity of 1.8.

[0106] A stable state period is defined as a time interval within 60 consecutive data points where no abrupt changes occur and the standard deviation of parameter values ​​is less than 5% of the parameter mean. State parameter sequence segments and cumulative access sequence segments corresponding to the stable state periods are extracted, and their Pearson correlation coefficient is calculated as the stationary period correlation coefficient. The correlation coefficient is calculated using standard statistical methods, treating the state parameter sequence segment and the cumulative access sequence segment as two samples, and calculating the sample covariance divided by the product of the standard deviations of the two samples. The stationary period correlation coefficient ranges from -1 to +1, with values ​​close to zero indicating no correlation, close to +1 indicating a positive correlation, and close to -1 indicating a negative correlation. In 30 days of historical data, approximately 12 stable state periods were identified, and the average correlation coefficient for these periods was 0.32, indicating a weak positive correlation between cumulative access and operating state parameters during the stable period.

[0107] The correlation coefficient during the mutation period is calculated by comprehensively considering both the response latency and the intensity of the access response. A shorter response latency and a stronger access response result in a higher correlation coefficient. Specifically, the reciprocal of the response latency for all valid state mutation events is taken and linearly normalized to the range of 0 to 1. The access response intensity is also linearly normalized so that its maximum value maps to 1. The reciprocal of the normalized response latency and the normalized access response intensity are multiplied and then averaged to obtain the correlation coefficient during the mutation period. In the aforementioned case of 38 valid state mutation events, the average value of the normalized reciprocal of the response latency is 0.65, the average value of the normalized access response intensity is 0.54, and the correlation coefficient during the mutation period is approximately 0.65 × 0.54 ≈ 0.35.

[0108] The correlation coefficients of the mutation period and the stability period are weighted and fused to obtain the correlation metric. The weights are set based on the proportions of the mutation and stability periods within the historical time span. The mutation period proportion is defined as the cumulative duration of all valid state mutation events within a preset delay range divided by the historical time span; the stability period proportion is defined as the cumulative duration of all stable state segments divided by the historical time span. The correlation metric is obtained by multiplying the mutation period correlation coefficient by the mutation period proportion and then adding the stability period correlation coefficient by the stability period proportion. In the aforementioned case, the cumulative duration of the mutation period is 76 hours, accounting for 10.6% of the 30-day historical time span, and the cumulative duration of the stability period is 300 hours, accounting for 41.7%. The weighted fusion calculation is 0.35×0.106+0.32×0.417≈0.17, which serves as the correlation metric between the cumulative access process of historical data items and the temporal changes of historical operating state parameters. The correlation metric is stored in the analysis results database and associated with the corresponding historical data item identifier and access subject identifier for subsequent sensitivity assessment module calls.

[0109] This correlation measurement mechanism quantifies the temporal correlation strength between access behavior and changes in power grid operating status, distinguishes different response patterns during periods of sudden changes and periods of stability, and provides accurate data support for determining the dependency relationship between access intentions and operating status.

[0110] In one alternative implementation, the step of calculating the correlation metric includes:

[0111] For each state mutation event, the correlation strength of the individual mutation event is calculated based on its response delay and access response strength, and the correlation coefficient of the mutation period is obtained by averaging the correlation strengths of all state mutation events.

[0112] The weight of the abrupt change period is calculated based on the proportion of abrupt change events in the total duration of the state parameter sequence, and the weight of the stable period is calculated based on the proportion of stable state segments in the total duration.

[0113] The correlation coefficient during the mutation period is multiplied by the weight of the mutation period duration to obtain the weighted value for the mutation period. The correlation coefficient during the stable period is multiplied by the weight of the stable period duration to obtain the weighted value for the stable period. The correlation measure is obtained by summing the weighted values ​​for the mutation period and the stable period.

[0114] For example, for each state mutation event in the set of state mutation events, the correlation strength of a single mutation event is calculated based on its response latency and access response intensity. Response latency, in minutes, represents the time interval between the state mutation moment and the peak moment of access volume growth. Access response intensity is the ratio of the access volume growth rate to the change rate of the running state parameters. The correlation strength of a single mutation event is calculated by multiplying the reciprocal of the response latency by the access response intensity. The reciprocal of the response latency reflects the response speed; the shorter the response latency, the larger the reciprocal, indicating a more timely response to state changes. To avoid instability caused by excessively large reciprocals due to excessively small response latency, a lower limit of 5 minutes is set for the response latency; when the actual response latency is less than 5 minutes, it is calculated as 5 minutes. Access response intensity reflects the degree of matching between the magnitude of access behavior changes and the magnitude of state changes; a larger access response intensity indicates a stronger response to state changes. The correlation strength of a single mutation event typically ranges from 0.01 to 2. When the response delay is 30 minutes and the access response strength is 1.5, the correlation strength is (1 ÷ 30) × 1.5 = 0.05. A set of state mutation events contains multiple mutation events; the arithmetic mean of the correlation strengths of all state mutation events yields the mutation-period correlation coefficient. In the case containing 38 valid state mutation events, the sum of the correlation strengths of all events is 1.9, and the mutation-period correlation coefficient is 1.9 ÷ 38 = 0.05.

[0115] The total duration of the state parameter sequence is equal to the time difference between the start and end times of the sequence. In the case of a 30-day historical data span, the total duration is 720 hours. The duration occupied by state mutation events is accumulated by adding the preset delay range corresponding to all state mutation events. The preset delay range is set to 2 hours after the state mutation time, and the duration occupied by a single state mutation event is 2 hours. When the set of state mutation events contains 38 valid events, the total duration occupied by state mutation events is 76 hours. The weight of the mutation period duration is the total duration occupied by state mutation events divided by the total duration of the state parameter sequence, i.e., 76 ÷ 720 ≈ 0.106. The cumulative duration of the stable state segments is obtained by traversing all stable state segments in the state parameter sequence and accumulating the time span of each segment. In the aforementioned case, 12 stable state segments were identified, with a cumulative duration of 300 hours, and the weight of the stable period duration is 300 ÷ 720 ≈ 0.417. The sum of the weights for the duration of the mutation period and the duration of the stationary period is usually less than 1, because there are transition periods in the state parameter sequence that are neither mutation periods nor stationary periods, and these transition periods are not included in the calculation of the correlation metric.

[0116] The weighted value for the mutation period reflects the contribution of the mutation period to the overall correlation. In the aforementioned case, the correlation coefficient for the mutation period is 0.05, the weight for the mutation period duration is 0.106, and the weighted value for the mutation period is 0.05 × 0.106 ≈ 0.0053. The correlation coefficient for the stationary period is the Pearson correlation coefficient between the state parameter sequence segment corresponding to the stationary state segment and the cumulative access sequence segment. In the aforementioned case, the correlation coefficient for the stationary period is 0.32, the weight for the stationary period duration is 0.417, and the weighted value for the stationary period is 0.32 × 0.417 ≈ 0.1334. The correlation measure comprehensively reflects the temporal correlation strength between access behavior and operating state parameters during the mutation and stationary periods, calculated as 0.0053 + 0.1334 ≈ 0.14. This value serves as the correlation measure between the cumulative access process of historical data items and the temporal changes of historical operating state parameters.

[0117] The data structure for the relevance metric includes a visitor identifier field, a historical data item identifier field, a relevance metric value field, a weighted value field for abrupt changes, a weighted value field for stable periods, and a calculation timestamp field, stored in a relational database. The database table uses a combination of the visitor identifier and the historical data item identifier as the primary key, supporting fast queries based on either the visitor or the historical data item. The relevance metric is updated daily, triggering the calculation task after updates to the access logs and runtime status parameters. The calculation task uses batch processing, with each calculation covering all active visitors and relevant historical data items.

[0118] When the set of state change events is empty, the weight of the change period duration is zero, and the correlation metric is composed only of the weighted value of the stable period. When the set of stable periods is empty, the weight of the stable period duration is zero, and the correlation metric is composed only of the weighted value of the change period. When the sum of the weights of the change period duration and the stable period duration is less than 0.5, it indicates that most of the historical time span is in a transitional state, the reliability of the correlation metric is reduced, and the system adds a reliability flag of low reliability to the correlation metric field. When the correlation metric of a historical data item changes by more than 50% within 7 consecutive days, an anomaly alarm is triggered, indicating a change in access mode or an anomaly in the operation status monitoring. The alarm information is sent to the security management module for manual review.

[0119] The accuracy of the correlation metric was validated using the hold-out method. Historical data was divided into training and test sets chronologically. 80% of the training set was used to calculate the correlation metric, and 20% was used to validate the prediction accuracy. The validation metric was the error between the correlation metric and the observed correlation between visiting behavior and state changes in the test set. The error was calculated as the absolute value of the difference between the predicted and actual correlation strengths. In validation cases involving multiple visiting subjects, the mean error was 0.08, and the standard deviation was 0.05, indicating that the correlation metric has high accuracy in predicting the correlation between future visiting behavior and state changes.

[0120] This weighted fusion mechanism integrates different correlation patterns during the mutation and stability periods, determines the contribution weight of each stage by combining the duration proportion, and accurately quantifies the overall temporal correlation between access behavior and changes in operating status.

[0121] In one optional implementation, the step of generating access control instructions by performing a two-dimensional risk assessment based on the comprehensive sensitivity of the derived knowledge set and the relevance metric includes:

[0122] For each piece of derived knowledge in the derived knowledge set, a sensitivity score is calculated based on the number of data items involved, the inference depth, and the sensitivity level of the edge relationships in the inference chain; all sensitivity scores are then weighted and summed to obtain the comprehensive sensitivity score.

[0123] A two-dimensional risk assessment coordinate system is established based on the comprehensive sensitivity and relevance metrics. The coordinate system is divided into four risk quadrants, and the current access request is located in the corresponding risk quadrant.

[0124] Extract the historical comprehensive sensitivity and historical relevance metrics corresponding to each historical access time from the access history set, and calculate the deviation between the current access and historical access in terms of comprehensive sensitivity and relevance metrics;

[0125] A rejection instruction is generated when the overall sensitivity and relevance metrics of the current access request both exceed the corresponding thresholds and the deviation magnitudes both exceed the preset deviation thresholds; otherwise, an allow instruction is generated.

[0126] For example, in this embodiment, a sensitivity score is calculated for each derived knowledge in the derived knowledge set. The sensitivity score of a derived knowledge is determined by three factors: the number of data items involved, the inference depth, and the sensitivity level of the edge relationships in the inference chain. The number of data items involved is obtained by counting the total number of data items corresponding to all nodes in the inference chain, and the number of data items involved in a single derived knowledge typically ranges from 2 to 15. The inference depth is the total number of edge relationships in the inference chain, representing the number of inference steps required to derive the target derived knowledge from the initial data items, and the inference depth typically ranges from 1 to 5. The sensitivity level of the edge relationships in the inference chain is read from the edge relationship attributes of the knowledge graph, and the sensitivity level is divided into three levels: low, medium, and high, corresponding to values ​​of 1, 2, and 3, respectively. The sensitivity score is calculated by multiplying the number of data items involved by the inference depth and then by the arithmetic mean of the sensitivity levels of all edge relationships in the inference chain. In a case involving derived knowledge, there are 6 data items, an inference depth of 3, and three edge relationships with sensitivity levels of 2, 3, and 3 respectively. The average sensitivity level of these edge relationships is (2+3+3)÷3≈2.67, and the sensitivity score is 6×3×2.67≈48.06. The derived knowledge set contains multiple derived knowledge items. The comprehensive sensitivity score is obtained by weighted summation of the sensitivity scores of all derived knowledge. The weighting coefficient is set according to the inference depth; the greater the inference depth, the higher the weight in the comprehensive sensitivity calculation. The weighting coefficient for derived knowledge with an inference depth of 1 is 0.2, for 2 it is 0.3, for 3 it is 0.5, and for inference depths greater than 3 it is uniformly 0.6. In the case containing 5 derived knowledge points, the sensitivity scores for each derived knowledge point were 20.5, 35.8, 48.06, 52.3, and 18.2, respectively, corresponding to inference depths of 1, 2, 3, 3, and 1. The weighted summation is 20.5×0.2+35.8×0.3+48.06×0.5+52.3×0.5+18.2×0.2=4.1+10.74+24.03+26.15+3.64≈68.66, and the overall sensitivity is 68.66.

[0127] A two-dimensional risk assessment coordinate system is established, with the horizontal axis representing comprehensive sensitivity and the vertical axis representing the correlation metric. The origin of the coordinate system is set at the intersection of the comprehensive sensitivity threshold and the correlation metric threshold. The comprehensive sensitivity threshold is set to 50 by default, and the correlation metric threshold is set to 0.15 by default. The coordinate system is divided into four risk quadrants, with the following quadrant division rules: the area where the comprehensive sensitivity is less than or equal to the threshold and the correlation metric is less than or equal to the threshold is the low-risk quadrant; the area where the comprehensive sensitivity is greater than the threshold and the correlation metric is less than or equal to the threshold is the medium-risk quadrant I; the area where the comprehensive sensitivity is less than or equal to the threshold and the correlation metric is greater than the threshold is the medium-risk quadrant II; and the area where the comprehensive sensitivity is greater than the threshold and the correlation metric is greater than the threshold is the high-risk quadrant. The current access request is located in the coordinate system based on its comprehensive sensitivity and correlation metric. In the aforementioned case, the comprehensive sensitivity is 68.66 and the correlation metric is 0.14. This access request is located in the medium-risk quadrant I because the comprehensive sensitivity of 68.66 is greater than the threshold of 50, while the correlation metric of 0.14 is less than the threshold of 0.15.

[0128] The access history set stores historical access records of the same historical data item by the accessing subject within the past 30 days. Each historical access record includes fields for historical access time, historical overall sensitivity, and historical relevance measure. The historical overall sensitivity and historical relevance measure corresponding to each historical access time in the access history set are extracted, and the deviation magnitude between the current access and historical accesses in both dimensions is calculated. The overall sensitivity deviation magnitude is calculated as the maximum absolute value of the difference between the current access's overall sensitivity and the overall sensitivity of each historical access, divided by the arithmetic mean of the historical overall sensitivity values. In the aforementioned example, the access history set contains 8 historical access records with historical overall sensitivities of 45.2, 48.5, 46.8, 50.1, 47.3, 49.6, 48.9, and 47.5, respectively. The average historical overall sensitivity is (45.2 + 48.5 + 46.8 + 50.1 + 47.3 + 49.6 + 48.9 + 47.5) ÷ 8 = 48.0. The current overall sensitivity is 68.66. The absolute values ​​of the differences between the current overall sensitivity and historical values ​​are 23.46, 20.16, 21.86, 18.56, 21.36, 19.06, 19.76, and 21.16, respectively. The largest absolute difference is 23.46, and the overall sensitivity deviation is approximately 0.489 (23.46 ÷ 48.0). The deviation of the relevance measure is calculated using the same method. The historical relevance measure values ​​are 0.12, 0.14, 0.13, 0.15, 0.13, 0.14, 0.13, and 0.12, respectively, with an average value of approximately 0.133. The current relevance measure value is 0.14, and the largest absolute value of the difference between the current relevance measure and historical values ​​is 0.02. The relevance measure deviation is approximately 0.15 (0.02 ÷ 0.133).

[0129] The preset deviation thresholds are set separately for the overall sensitivity and relevance metrics. The default preset deviation threshold for overall sensitivity is 0.3, and the default preset deviation threshold for relevance metrics is 0.2. The logic for generating access control instructions is as follows: when the overall sensitivity of the current access request is greater than the overall sensitivity threshold and the relevance metric is greater than the relevance metric threshold, and simultaneously the deviation of both the overall sensitivity and relevance metric is greater than the preset deviation threshold for both, a denial instruction is generated. In the aforementioned example, the overall sensitivity of 68.66 is greater than the threshold of 50, but the relevance metric of 0.14 is less than the threshold of 0.15, which does not meet the condition of simultaneously exceeding the thresholds; therefore, a permit instruction is generated. In the comparison case, the current access request has a comprehensive sensitivity of 72.5, a relevance metric of 0.18, a historical average comprehensive sensitivity of 48.0, a historical average relevance metric of 0.133, a comprehensive sensitivity deviation of (72.5-48.0)÷48.0≈0.51, and a relevance metric deviation of (0.18-0.133)÷0.133≈0.35. Both the comprehensive sensitivity and relevance metric of this access request exceed their respective thresholds, and the deviations of 0.51 and 0.35 exceed the preset deviation thresholds of 0.3 and 0.2, respectively. Therefore, the system generates a rejection command and records the reason for rejection as abnormal access behavior.

[0130] The data structure of access control instructions includes the following fields: access subject identifier, historical data item identifier, instruction type, overall sensitivity, relevance metric, overall sensitivity deviation range, relevance metric deviation range, and generation timestamp. The instruction type field takes the value "allow" or "deny." Deny instructions include a denial reason code, which can be categorized into four types: risk quadrant anomaly, overall sensitivity anomaly, relevance anomaly, and overall deviation anomaly. Access control instructions are sent to the access control module for execution immediately after generation, with an execution response time required to be within 50 milliseconds. The access control module determines whether to allow the access request based on the instruction type. Deny instructions trigger access blocking and record a security event log. The log includes fields such as access subject identifier, access time, accessed data item, denial reason, overall sensitivity, and relevance metric. The log is retained for 180 days.

[0131] The threshold deviation from the preset threshold can be dynamically adjusted based on actual operational data, with an adjustment cycle of once a week. The adjustment strategy is based on historical rejection rate statistics. When the rejection rate is below 5%, the threshold is lowered to increase security protection strength; when the rejection rate is above 20%, the threshold is raised to reduce false alarms. The threshold adjustment range does not exceed 10% of the current value each time to avoid drastic fluctuations affecting the access experience. Differentiated thresholds can be set for different access subject roles, with higher-privilege roles having higher thresholds than lower-privilege roles, ensuring a balance between flexibility and security in access control policies.

[0132] Upon receiving an instruction, the value of the instruction type field is determined. If the instruction type is "Allow," a permission signal is sent to the data access interface, granting the accessing subject read access to the target data item. The data access interface then returns the content of the target data item. After granting access, the target data item identifier and the current time are added to the access history set. This addition operation uses a database insert statement, and the inserted record includes fields such as the accessing subject identifier, the target data item identifier, and the current time (the time the access control instruction was generated). When the instruction type is "Deny," the access control module returns a denial response to the accessing subject. The response message includes a denial reason code, preventing the accessing subject from obtaining the target data item content. The denial event is recorded in the security event log but not added to the access history set.

[0133] This invention uses a two-dimensional risk assessment that integrates sensitivity and relevance metrics, combined with historical access behavior deviation detection, to accurately identify abnormally high-risk access requests and generate rejection instructions, effectively preventing the risk of sensitive data leakage.

[0134] A second aspect of the present invention provides a power grid data security protection system, comprising:

[0135] The graph construction module is used to construct a data inference relationship graph based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with the power grid operating state conditions that trigger the inference.

[0136] The access record module is used to establish an access history set for each access subject, record the historical data items accessed and the historical access time; obtain power grid operation status parameters and receive access requests from access subjects for target data items;

[0137] The knowledge deduction module is used to combine the historical data items with the target data items, and based on the edge relationships in the graph that satisfy the current operating state conditions, to deduce the set of derived knowledge that can be inferred from the access subject;

[0138] The risk assessment module is used to acquire historical operating status parameters, calculate the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters, perform a two-dimensional risk assessment based on the comprehensive sensitivity of the derived knowledge set and the correlation metric, and generate access control instructions.

[0139] The access control module is used to respond to access requests according to the access control instructions, and add the target data item and the current time to the access history set when access is allowed.

[0140] A third aspect of the present invention provides an electronic device, comprising:

[0141] processor;

[0142] Memory used to store processor-executable instructions;

[0143] The processor is configured to invoke instructions stored in the memory to execute the aforementioned method.

[0144] A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, implement the aforementioned method.

[0145] This invention can be a method, apparatus, system, and / or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions loaded thereon for performing various aspects of the invention.

[0146] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for protecting power grid data security, characterized in that, include: A data inference relationship graph is constructed based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with the power grid operating state conditions that trigger the inference. Establish an access history set for each accessing entity, recording the historical data items accessed and the historical access time; Acquire power grid operating status parameters and receive access requests from accessing entities for target data items; By combining the historical data items with the target data items, and based on the edge relationships in the graph that satisfy the current operating state conditions, the set of derived knowledge that can be inferred from the accessing subject is obtained; Obtain historical operating status parameters, and calculate the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters; A two-dimensional risk assessment is performed based on the comprehensive sensitivity of the derived knowledge set and the relevance metric, and access control instructions are generated. Responding to the access request according to the access control instruction, when access is granted, the target data item and the current time are added to the access history set; The steps of obtaining historical operating status parameters and calculating the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters include: Historical running status parameters are obtained to form a status parameter sequence, and the cumulative number of accessed data items at each historical access time is counted to form a cumulative access sequence; A sliding window analysis is performed on the state parameter sequence, and the moment when the change exceeds a preset mutation threshold is taken as the state mutation moment. The parameter change direction and change magnitude corresponding to each state mutation moment are extracted to form a set of state mutation events. For each state change event, search for the peak time of access volume growth in the cumulative access sequence within a preset time delay after the state change time. The time interval between the moment of a sudden change in state and the moment of peak access volume growth is calculated as the response latency, and the ratio of the increase in access volume to the change in operating state parameters is calculated as the access response intensity. For the stationary segments in the state parameter sequence that do not contain state abrupt events, calculate the correlation coefficient between the stationary periods of the state parameter sequence and the cumulative access sequence; The correlation coefficient during the mutation period is calculated based on the response delay and access response intensity of each state mutation event. The correlation coefficient during the mutation period is then weighted and fused with the correlation coefficient during the stationary period to obtain a correlation metric.

2. The method according to claim 1, characterized in that, A data inference relationship graph is constructed based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items, and are associated with the power grid operating state conditions that trigger the inference. The steps include: The system collects business association records, physical quantity types, and equipment topology relationships of power grid data items. Based on the co-occurrence frequency and temporal sequence of data items in the business association records, it identifies candidate semantic association relationships. Based on the physical quantity types and equipment topology relationships, it derives candidate physical causal relationships. The candidate semantic associations and candidate physical causal relationships are cross-validated, and the associations that simultaneously satisfy the semantic association strength threshold and the physical causal reachability condition are retained as confirmed inference relationships; Several typical operating modes are obtained by clustering historical operating state parameters, and the feature boundaries of operating state parameters are extracted for each operating mode as state identification conditions; The historical success and failure counts of each confirmed inference relationship in each operating mode are statistically analyzed, and the confidence value is calculated. The operating mode status identification condition where the confidence value exceeds the preset confidence threshold is used as the operating status condition that triggers the establishment of the inference relationship. A data inference relationship graph is constructed based on the confirmed inference relationships and their corresponding operational status conditions and confidence values.

3. The method according to claim 2, characterized in that, The step of cross-validating the candidate semantic associations and candidate physical causal relationships, and retaining the associations that simultaneously satisfy the semantic association strength threshold and the physical causal reachability condition as confirmed inference relationships, includes: For each pair of data items in the candidate semantic association, extract their co-occurrence time window sequence in the business association record, calculate the temporal correlation of the changes in data items within the time window, and mark data item pairs with temporal correlation higher than the preset correlation threshold as strong semantic association; For each pair of data items in the candidate physical causal relationship, a causal transmission path is constructed based on the physical quantity type. The transmission attenuation coefficient of the physical quantity conversion in the path is calculated. Data item pairs with a transmission attenuation coefficient lower than a preset attenuation threshold are marked as strong physical causality. For data item pairs that are simultaneously marked as having strong semantic association and strong physical causality, the temporal correlation direction of the semantic association and the causal transmission direction of the physical causality are extracted. When the two directions are consistent, the directional consistency confidence is calculated. Data item pairs with a directional consistency confidence higher than a preset consistency threshold are confirmed as inference relationships.

4. The method according to claim 2, characterized in that, The steps of combining the historical data items with the target data items and inferring the derived knowledge set that the access subject can infer based on the edge relationships in the graph that satisfy the current operating state conditions include: The current running state parameters are matched with the state recognition conditions associated with each edge in the graph, and the edges whose state recognition conditions are met are selected as the set of active edges; Select a starting data item from the historical data items and the target data items, traverse along the set of activated edges, obtain the confidence value of each edge on the traversal path in the traversal order, and perform a weighted product operation on each confidence value and the path length decay factor to obtain the path confidence. The path length decay factor is calculated based on the number of edges that have been traversed and decreases as the number of edges increases; Traversal paths with a confidence level higher than a first preset threshold are recorded as inference chains; By combining and analyzing the endpoint data items of multiple inference chains, a composite inference structure is formed by combining the endpoint data items that satisfy the preset physical constraints and their inference chains. The semantic representation of the inference relationship in the inference chain and the semantic representation of the association relationship in the composite inference structure constitute the set of derived knowledge that the accessing subject can infer.

5. The method according to claim 1, characterized in that, The steps for calculating the correlation metric include: For each state mutation event, the correlation strength of the individual mutation event is calculated based on its response delay and access response strength, and the correlation coefficient of the mutation period is obtained by averaging the correlation strengths of all state mutation events. The weight of the abrupt change period is calculated based on the proportion of abrupt change events in the total duration of the state parameter sequence, and the weight of the stable period is calculated based on the proportion of stable state segments in the total duration. The correlation coefficient during the mutation period is multiplied by the weight of the mutation period duration to obtain the weighted value for the mutation period. The correlation coefficient during the stable period is multiplied by the weight of the stable period duration to obtain the weighted value for the stable period. The correlation measure is obtained by summing the weighted values ​​for the mutation period and the stable period.

6. The method according to claim 1, characterized in that, The steps for generating access control instructions based on a two-dimensional risk assessment using the comprehensive sensitivity of the derived knowledge set and the relevance metric include: For each piece of derived knowledge in the derived knowledge set, a sensitivity score is calculated based on the number of data items involved, the inference depth, and the sensitivity level of the edge relationships in the inference chain. The overall sensitivity score is obtained by weighted summation of all sensitivity scores. A two-dimensional risk assessment coordinate system is established based on the comprehensive sensitivity and relevance metrics. The coordinate system is divided into four risk quadrants, and the current access request is located in the corresponding risk quadrant. Extract the historical comprehensive sensitivity and historical relevance metrics corresponding to each historical access time from the access history set, and calculate the deviation between the current access and historical access in terms of comprehensive sensitivity and relevance metrics; A rejection instruction is generated when the overall sensitivity and relevance metrics of the current access request both exceed the corresponding thresholds and the deviation magnitudes both exceed the preset deviation thresholds; otherwise, an allow instruction is generated.

7. A power grid data security protection system, used to implement the method of any one of claims 1-6, characterized in that, include: The graph construction module is used to construct a data inference relationship graph based on the semantic associations and physical causal relationships between power grid data items. The edges of the graph represent the derived knowledge that can be inferred from the combination of data items and are associated with the power grid operating state conditions that trigger the inference. The access record module is used to establish an access history set for each access subject, recording the historical data items accessed and the historical access time; Acquire power grid operating status parameters and receive access requests from accessing entities for target data items; The knowledge deduction module is used to combine the historical data items with the target data items, and based on the edge relationships in the graph that satisfy the current operating state conditions, to deduce the set of derived knowledge that can be inferred from the access subject; The risk assessment module is used to obtain historical operating status parameters and calculate the correlation metric between the cumulative access process of the historical data items and the time-series changes of the historical operating status parameters; A two-dimensional risk assessment is performed based on the comprehensive sensitivity of the derived knowledge set and the relevance metric, and access control instructions are generated. The access control module is used to respond to access requests according to the access control instructions, and add the target data item and the current time to the access history set when access is allowed.

8. An electronic device, characterized in that, include: processor; Memory used to store processor-executable instructions; The processor is configured to invoke instructions stored in the memory to execute the method according to any one of claims 1 to 6.

9. A computer-readable storage medium having computer program instructions stored thereon, characterized in that, When the computer program instructions are executed by the processor, they implement the method described in any one of claims 1 to 6.