Power system relay protection method, device and system based on flexible gray scale measurement

By combining flexible grayscale measurement with collaborative verification of network communication and electrical quantity data, the problem of relay protection devices in existing technologies being unable to distinguish between real faults and malicious interference has been solved, thereby achieving safe and stable operation of the power system and improving the accuracy of protection actions.

CN121813271BActive Publication Date: 2026-07-14GUANGXI POWER GRID CORP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
GUANGXI POWER GRID CORP
Filing Date
2026-03-09
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing relay protection technology relies on local electrical quantity data for fault identification, lacks collaborative verification with adjacent protection devices, and is difficult to effectively distinguish between real faults and malicious interference, leading to misjudgments and missed judgments, which affects the safe and stable operation of the power system.

Method used

A flexible grayscale calculation method is adopted. By acquiring network communication traffic and electrical quantity data, a safe grayscale value is calculated. Combined with local fault criteria and collaborative verification with adjacent devices, it is ensured that the trip command is issued only under real fault scenarios, reducing the risk of false tripping and leakage.

Benefits of technology

It effectively eliminates maliciously injected false fault signals, ensuring that tripping commands are only issued under real faults, thereby improving the accuracy and reliability of protection actions, forming a regional collaborative protection system, and ensuring the safe and stable operation of the power system.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121813271B_ABST
    Figure CN121813271B_ABST
Patent Text Reader

Abstract

The application discloses a power system relay protection method, device and system based on flexible gray scale measurement, and relates to the field of intelligent security and protection of a power system. The method comprises the following steps: acquiring network communication flow of a relay protection device, calculating a first security gray scale value through a flexible gray scale measurement model based on the network communication flow; acquiring electrical quantity data and judging an in-zone fault; when the in-zone fault occurs, selecting an action strategy according to a comparison result of the first security gray scale value and a threshold value: if the first security gray scale value is higher than or equal to the threshold value, executing standard protection tripping; if the first security gray scale value is lower than the threshold value, switching to a defensive protection setting value group with a higher setting value, and starting a cross-device cooperative verification process. Under the defensive setting value group, a tripping command is only sent out when the local fault criterion is met and a cooperative confirmation message of a neighboring device is received. The application combines the local fault criterion with the confirmation message of the neighboring device for double checking, ensures the accuracy of the tripping command, and reduces the risk of misoperation and maloperation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of intelligent security technology for power systems, and in particular to a method, device, and system for power system relay protection based on flexible grayscale calculation. Background Technology

[0002] With the accelerated construction of new power systems and the large-scale integration of new energy sources, the power grid structure is becoming increasingly complex. Relay protection devices are gradually upgrading towards digitalization and networking, relying on communication networks to achieve remote monitoring and collaborative operation. However, network interconnection also introduces new security threats, urgently requiring innovative technologies to enhance the intelligence and security defense capabilities of relay protection.

[0003] Current mainstream relay protection technologies primarily rely on secondary circuit electrical quantity data to independently determine faults and execute actions. With the digitalization and networking of power systems, relay protection devices are widely interconnected through various communication protocols, creating security threats such as malicious interference and the injection of false fault signals in the operating environment. Existing technologies rely solely on local electrical quantity data for fault identification, lacking collaborative verification with adjacent protection devices. This makes it difficult to effectively distinguish between genuine faults and malicious interference, easily leading to misjudgments resulting in false tripping commands or missed faults causing fault escalation, seriously affecting the safe and stable operation of the power system. Summary of the Invention

[0004] To address the problem that existing technologies rely solely on local electrical quantity data for fault identification, lacking collaborative verification with adjacent protection devices and thus failing to effectively distinguish between genuine faults and malicious interference, this invention provides a power system relay protection method, device, and system based on flexible grayscale calculation. By linking adjacent protection devices under defensive protection setting groups for collaborative verification, and combining local fault criteria with dual verification of adjacent device confirmation messages, it ensures that tripping commands are only issued under genuine fault scenarios, reducing the risk of false tripping and missed tripping, and guaranteeing the safe and stable operation of the power system. The specific technical solution is as follows:

[0005] In a first aspect, the present invention provides a power system relay protection method based on flexible grayscale calculation, comprising the following steps:

[0006] Obtain network communication traffic from relay protection devices;

[0007] The first security gray value of the relay protection device is calculated using a flexible gray-scale calculation model; wherein, the flexible gray-scale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security gray value;

[0008] Acquire electrical quantity data of the secondary circuits of the power system;

[0009] Based on the electrical quantity data, determine whether a fault has occurred within the zone;

[0010] When a fault is determined to occur within the designated area, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein...

[0011] If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic;

[0012] If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic.

[0013] Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a cooperative verification confirmation message is received from at least one adjacent protection device.

[0014] Preferably, the cross-device collaborative verification process includes:

[0015] Send a verification request message to at least one predefined adjacent protection device. The verification request message includes at least the fault direction, fault distance, or fault current amplitude information calculated from local electrical quantity data.

[0016] Receive and parse response messages from adjacent protection devices;

[0017] If the response message indicates that the adjacent protection device determines, based on its local electrical quantity data, that the fault is located outside the protection zone of the adjacent protection device, or is physically and logically consistent with the local fault information, then the collaborative verification is deemed successful; otherwise, the collaborative verification is deemed to have failed.

[0018] Preferably, the calculation of the first safe grayscale value of the relay protection device using the flexible grayscale measurement model includes:

[0019] Based on the first analysis path, the network communication traffic is matched in real time according to rules to obtain a first risk score;

[0020] Anomaly analysis is performed on the sequence of operational behaviors in the network communication traffic based on the second analysis path to obtain a second risk score.

[0021] The first risk score and the second risk score are weighted and fused to generate the first safety grayscale value;

[0022] The first risk score includes at least the agreement violation level and feature matching count; the second risk score includes at least the statistical deviation score of the behavior sequence.

[0023] Preferably, the statistical deviation score of the behavioral sequence is obtained in the following manner:

[0024] For a sequence of operation behaviors within a preset time period, extract dimensional features including operation instruction type, execution time interval, and frequency of access to target object;

[0025] Calculate the statistical value of the dimensional feature in the current sequence and compare it with the corresponding historical normal statistical value stored in the operation behavior baseline model; wherein, the operation behavior baseline model is established based on the historical normal operation and maintenance data of the relay protection device;

[0026] Based on the comparison results, a comprehensive statistical deviation score is calculated.

[0027] Preferably, before calculating the first safe grayscale value of the relay protection device using the flexible grayscale measurement model, the method further includes:

[0028] Receive external threat intelligence from the station control layer monitoring system;

[0029] The external threat intelligence is used as an input factor in the flexible grayscale calculation model to calculate the first security grayscale value.

[0030] Preferably, using the external threat intelligence as an input factor in the flexible grayscale calculation model to calculate the first security grayscale value includes:

[0031] Parse the external threat intelligence and extract fields that include at least threat type, threat level, and confidence level;

[0032] According to the predefined mapping rules, the threat type and threat level are mapped to a basic risk value. The confidence level is used as a weighting factor to correct the basic risk value and generate a third risk score.

[0033] The first risk score, the second risk score, and the third risk score are weighted and fused to generate the first security grayscale value.

[0034] Preferably, the automatic switching to the defensive protection setting group includes at least one of the following methods:

[0035] Increase the overcurrent protection setting by a preset percentage;

[0036] Reduce the distance protection impedance setting by a preset percentage;

[0037] Based on the original protection criteria, at least one auxiliary criterion is added, which includes one or more of the following: current change rate criterion, voltage harmonic content criterion, and power direction criterion.

[0038] Secondly, the present invention also provides a relay protection device, including a safety coprocessor, a main protection CPU, and a communication interface module;

[0039] The security coprocessor is configured to execute:

[0040] Obtain network communication traffic from relay protection devices;

[0041] The first security gray value of the relay protection device is calculated using a flexible gray-scale calculation model; wherein, the flexible gray-scale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security gray value;

[0042] The main protection CPU is configured to execute:

[0043] Acquire electrical quantity data of the secondary circuits of the power system;

[0044] Based on the electrical quantity data, it is determined whether a fault has occurred within the zone; when a fault is determined to have occurred within the zone, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein...

[0045] If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic;

[0046] If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic.

[0047] Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message from at least one adjacent protection device is received through the communication interface module.

[0048] Thirdly, the present invention also provides a power system relay protection system, including a first relay protection device and at least one second relay protection device;

[0049] The first relay protection device includes a first main protection CPU, a first security coprocessor, and a first communication interface module;

[0050] The first security coprocessor is configured to execute:

[0051] Obtain the network communication traffic of the first relay protection device;

[0052] The first security grayscale value of the first relay protection device is calculated using a flexible grayscale calculation model; wherein, the flexible grayscale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security grayscale value;

[0053] The first primary protection CPU is configured to execute:

[0054] Acquire electrical quantity data of the secondary circuits of the power system;

[0055] Based on the electrical quantity data, determine whether a fault has occurred within the zone;

[0056] When a fault is determined to occur within the designated area, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein...

[0057] If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic;

[0058] If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic.

[0059] Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message from at least one second relay protection device is received through the first communication interface module; otherwise, a blocking signal is generated and an alarm is triggered.

[0060] Preferably, the power system relay protection system of the present invention further includes a station control layer monitoring system, wherein the station control layer monitoring system is configured to send external threat intelligence to the first security coprocessor;

[0061] The first security coprocessor is further configured to: receive the external threat intelligence and use the external threat intelligence as an input factor of the flexible grayscale measurement model to calculate the first security grayscale value.

[0062] Compared with the prior art, the beneficial effects of the present invention are as follows:

[0063] This invention discloses a power system relay protection method based on flexible gray-scale calculation. By linking adjacent protection devices under a defensive protection setting group for collaborative verification, and combining local fault criteria with dual verification of confirmation messages from adjacent devices, it effectively eliminates maliciously injected false fault signals, ensuring that tripping commands are only issued under real fault scenarios, significantly reducing the risk of false tripping and missed tripping. Simultaneously, flexible gray-scale calculation provides sufficient basis for initiating collaborative verification, enabling the adjustment of protection strategies adapted to safety states. This avoids response delays caused by overly conservative risk defense and prevents blind actions that ignore safety threats. This establishes a regional collaborative protection system for relay protection, improving the accuracy and reliability of protection actions in a digital power grid environment, ensuring accurate and rapid isolation of power grid faults, and guaranteeing the safe and stable operation of the power system. Attached Figure Description

[0064] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the accompanying drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, the elements or parts are not necessarily drawn to scale.

[0065] Figure 1 This is a flowchart of the power system relay protection method based on flexible grayscale calculation according to the present invention.

[0066] Figure 2 This is a schematic diagram of the principle of a relay protection device according to the present invention.

[0067] Figure 3 This is a schematic diagram of a power system relay protection system according to the present invention. Detailed Implementation

[0068] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0069] It should be understood that, when used in this specification, the terms “comprising” and “including” indicate the presence of the described features, integrals, steps, operations, elements and / or components, but do not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components and / or collections thereof.

[0070] It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification, unless the context clearly indicates otherwise, the singular forms “a,” “an,” and “the” are intended to include the plural forms.

[0071] It should also be further understood that the term "and / or" as used in this specification refers to any combination of one or more of the associated listed items, as well as all possible combinations, and includes such combinations.

[0072] Please refer to the following examples. Figures 1 to 3 .

[0073] Please see Figure 1 This invention provides a power system relay protection method based on flexible grayscale calculation, comprising the following steps:

[0074] S1. Obtain the network communication traffic of the relay protection device;

[0075] By deploying a flow mirroring probe at the communication interface of the relay protection device or utilizing the network processing unit integrated within the device, all or specified protocol network messages exchanged between the device and the station control layer, process layer, and other intelligent electronic devices are collected and copied in real time. The captured flow should include, but is not limited to, key protocol data streams such as Manufacturing Message Specification (MMS), General Object-Oriented Substation Events (GOOSE), and Sampled Values ​​(SV).

[0076] S2. Calculate the first security gray value of the relay protection device using a flexible gray-scale calculation model; wherein, the flexible gray-scale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security gray value;

[0077] A flexible grayscale measurement model was built and run. This model executes two core analysis paths in parallel:

[0078] From network traffic, based on source / destination addresses, protocol types, and function codes, specific operational instructions for relay protection devices are parsed and extracted, forming a timestamped, ordered sequence of operational behaviors. By comparing this sequence with a baseline established under historical normal operation and maintenance patterns, anomaly scores are calculated for this sequence in terms of instruction type, frequency, and timing correlation.

[0079] Perform in-depth analysis of protocol messages in the traffic to check whether their frame structure, message content, and state machine transitions strictly follow relevant industry standards, and identify any fields, parameters, or interaction processes that do not conform to the specifications or exceed the preset legal range.

[0080] The anomaly score of the operational behavior sequence and the severity score of protocol violation are calculated using a predefined weighted fusion algorithm to obtain a comprehensive value, namely the first security grayscale value. The higher this value, the more secure and reliable the network environment and behavior pattern of the device's current operation.

[0081] S3. Obtain electrical quantity data of the secondary circuit of the power system;

[0082] Relay protection devices synchronously acquire instantaneous values ​​of secondary current and voltage from current transformers (CTs) and voltage transformers (VTs) via their analog input modules or digital sampling interfaces. These instantaneous values ​​are then processed using digital signal processing algorithms, such as Fourier transform and filtering algorithms, to calculate the basic electrical quantities used for protection criteria, such as fundamental phasor, harmonic content, and sequence components.

[0083] S4. Determine whether a fault has occurred within the zone based on the electrical quantity data;

[0084] The device operates built-in protection algorithms, such as differential protection, distance protection, and overcurrent protection. The electrical quantities calculated by S3 are compared with the threshold values ​​and operating characteristics in the pre-set standard protection settings group. An in-zone fault is determined to have occurred if and only if the measured quantity meets the preset fault logic criteria. For example, if the differential current is greater than the braking current and greater than the operating threshold, or if the measured impedance falls within the operating characteristic zone of distance protection stage I.

[0085] S5. When a fault is determined to occur within the affected area, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein...

[0086] If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic;

[0087] If the first security grayscale value is higher than or equal to the first security threshold, the device is considered to be in a high-confidence environment. The protection logic will directly generate and execute a trip command according to the standard protection logic based on the standard fault criterion result of S4, and quickly clear the fault.

[0088] If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic.

[0089] If the first security grayscale value is lower than the first security threshold, the device is considered to have network risks or abnormal behavior, and its security trust level is reduced. In this case, the currently effective protection settings are immediately switched from the standard setting group to a pre-configured defensive protection setting group. This group of settings is more conservative. Simultaneously, a verification request is sent to predefined adjacent protection devices to initiate collaborative verification.

[0090] It should be noted that the first security threshold is a pre-tuned threshold value. It is used to classify consecutive first security grayscale values ​​into different risk levels and trigger differentiated protection strategies. When the first security grayscale value is greater than or equal to the first security threshold, standard logic is executed; when the first security grayscale value is lower than the first security threshold, enhanced defensive logic is activated.

[0091] Specifically, the cross-device collaborative verification process includes:

[0092] Send a verification request message to at least one predefined adjacent protection device. The verification request message includes at least the fault direction, fault distance, or fault current amplitude information calculated from local electrical quantity data.

[0093] Receive and parse response messages from neighboring protection devices. After sending a request, start a timing window to listen to the network interface. Upon receiving a response message from the target neighboring device, decode and verify it. The key information parsed typically includes the neighboring device identifier, its own judgment result, consistency identifier, and response timestamp.

[0094] If the response message indicates that the adjacent protection device determines, based on its local electrical quantity data, that the fault is located outside the protection zone of the adjacent protection device, or is physically and logically consistent with the local fault information, then the collaborative verification is deemed successful; otherwise, the collaborative verification is deemed to have failed.

[0095] Perform logical analysis on the parsed information to determine whether the collaborative verification passed:

[0096] Scenario 1: The response message indicates that the fault is located outside the protection zone of an adjacent device. For example, for line longitudinal protection, the local end judges it as a fault within the zone, while the remote end's response message explicitly indicates that its starting element has not operated or judges it as a fault in the opposite direction. This conforms to the physical logic of a fault and is judged as a successful collaborative verification.

[0097] Scenario 2: The fault information contained in the response message is consistent with the physical logic of the local information. For example, if the local device determines the direction to be positive, the adjacent device will also determine the same fault to be positive; or if the local distance measurement is X kilometers and the distance measurement of the adjacent device is Y kilometers, the sum of the two should match the total length of the line; or the fault current amplitude reported by both sides should have a reasonable proportional relationship after considering the system impedance and the location of the fault point, etc.

[0098] When the above comparison results support each other within the preset error range and constitute a reasonable fault scenario, the collaborative verification is deemed successful.

[0099] If the response message indicates that the adjacent device determines that the fault is within its protection zone, or the key information is completely contradictory, or no valid response is received within the time limit, then the collaborative verification is deemed to have failed.

[0100] S6. Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message is received from at least one adjacent protection device; otherwise, a blocking signal is generated and an alarm is triggered.

[0101] In practical implementation, when the device operates under the defensive protection setting group, its trip output logic is subject to additional constraints:

[0102] Using the switched, more stringent defensive setting group, re-evaluate the electrical quantity data for fault identification. Only faults meeting the new local fault criteria will be considered. Simultaneously, check if a collaborative verification confirmation message has been received from at least one adjacent protection device. This message indicates that the adjacent device, based on its local information, determines that the fault direction, location, etc., are physically and logically consistent with the local information.

[0103] If the local criteria are met and at least one collaborative verification confirmation is received, the fault is deemed genuine and reliable, and a trip command is generated and executed. If the local criteria are not met or no valid collaborative verification confirmation is received, a high risk or information conflict is identified, a trip command is not generated, a blocking signal is generated instead to prevent possible incorrect actions, a high-level alarm is triggered, and operators are prompted to intervene and check.

[0104] This invention discloses a power system relay protection method based on flexible gray-scale calculation. By linking adjacent protection devices under a defensive protection setting group for collaborative verification, and combining local fault criteria with dual verification of confirmation messages from adjacent devices, it effectively eliminates maliciously injected false fault signals, ensuring that tripping commands are only issued under real fault scenarios, significantly reducing the risk of false tripping and missed tripping. Simultaneously, flexible gray-scale calculation provides sufficient basis for initiating collaborative verification, enabling the adjustment of protection strategies adapted to safety states. This avoids response delays caused by overly conservative risk defense and prevents blind actions that ignore safety threats. This establishes a regional collaborative protection system for relay protection, improving the accuracy and reliability of protection actions in a digital power grid environment, ensuring accurate and rapid isolation of power grid faults, and guaranteeing the safe and stable operation of the power system.

[0105] Specifically, in a preferred embodiment of this application, the calculation of the first safe grayscale value of the relay protection device using a flexible grayscale measurement model includes:

[0106] Based on the first analysis path, the network communication traffic is matched in real time according to rules to obtain a first risk score;

[0107] The first risk score includes at least the protocol violation level and the feature matching count. In this embodiment, the first risk score is calculated using the protocol violation level and the feature matching count. Real-time deep packet inspection is performed on the network communication traffic acquired in S1. A violation level scoring table is set. For example, V=0: The message is fully compliant. V=1: There is a minor format error, such as a non-zero reserved field. V=3: The state machine timing is violated, such as proactively reporting without receiving a query. V=5: A critical violation occurs, such as an unauthorized source address sending a local command GOOSE message. The message is matched with the rule base in real time, and the highest violation level appearing in the current detection window is taken as V.

[0108] The traffic characteristics are matched against the built-in threat signature database. The number of different threat signatures matched within the current detection window is counted as C.

[0109] Calculate the first risk score R1:

[0110]

[0111] in, and For preset weights (e.g.) , This is used to balance the impact of a single serious violation with multiple low-frequency attacks. The higher the value, the greater the risk of direct, rule-based cyberattacks.

[0112] Anomaly analysis is performed on the sequence of operational behaviors in the network communication traffic based on the second analysis path to obtain a second risk score.

[0113] The second risk score includes at least the statistical deviation score of the behavioral sequence. This embodiment uses the statistical deviation score to calculate the second risk score. The statistical deviation score of the behavioral sequence is obtained in the following manner:

[0114] For a sequence of operation behaviors within a preset time period, extract dimensional features including operation instruction type, execution time interval, and frequency of access to target object;

[0115] Calculate the statistical value of the dimensional feature in the current sequence and compare it with the corresponding historical normal statistical value stored in the operation behavior baseline model; wherein, the operation behavior baseline model is established based on the historical normal operation and maintenance data of the relay protection device;

[0116] Based on the comparison results, a comprehensive statistical deviation score is calculated.

[0117] For all operation behavior sequences within a preset time period T, the following feature vectors are extracted. .in, This represents the percentage distribution of various operation commands. The average time interval between adjacent operations and standard deviation , It is actually a subvector containing two statistics. The frequency of access to different target objects is used to measure whether the access is concentrated or dispersed.

[0118] Historical normal statistics for the corresponding time period T are retrieved from the operational behavior baseline model, including the eigenvalue vector. Covariance Matrix .

[0119] The Mahalanobis distance is used to calculate the current feature vector X relative to the historical normal baseline. The degree of deviation. This distance takes into account the correlation between features.

[0120]

[0121] in, This indicates the transpose operation.

[0122] Map the Mahalanobis distance to a second risk score:

[0123]

[0124] in, To adjust the parameters and control the sensitivity of score growth, the function f will... Mapped to the [0,100] interval Follow It increases monotonically and approaches 100.

[0125] The first risk score and the second risk score are weighted and fused to generate the first safety grayscale value; the first safety grayscale value is calculated as follows:

[0126]

[0127] in, and To integrate the weighting coefficients, and The weight can be adjusted according to the actual security strategy; for example, if more emphasis is placed on real-time attacks, the weight can be increased. Paying more attention to behavioral abnormalities increases G represents the first security grayscale value. The higher the G value, the more trustworthy and secure the network security status of the device.

[0128] In this embodiment, the first path achieves deterministic threat perception, enabling the immediate capture of known attack patterns and obvious violations, providing fundamental and critical input for security assessment. The second path detects unknown threats and internal anomalous behaviors. It does not rely on known attack characteristics but rather identifies potential, slow, or well-disguised attacks by recognizing statistical deviations of behavioral patterns from historical norms. This combination of rule-based deterministic detection and behavior-based probabilistic detection constitutes a comprehensive assessment system.

[0129] Specifically, in a preferred embodiment of this application, before calculating the first safe grayscale value of the relay protection device using the flexible grayscale measurement model, the method further includes:

[0130] Receive external threat intelligence from the station control layer monitoring system;

[0131] In practice, relay protection devices receive external threat intelligence from the station control layer monitoring system or the superior security platform in real time or near real time. This intelligence is structured data, containing at least the threat type (e.g., vulnerability scan, malicious IP, abnormal login); threat level (typically low, medium, high, and critical); and confidence level (indicating the reliability of the intelligence source or the degree to which the event is confirmed). The parsed intelligence data is then input into a flexible gray-scale calculation model as an independent risk assessment dimension.

[0132] The external threat intelligence is used as an input factor in the flexible grayscale calculation model to calculate the first security grayscale value.

[0133] The step of using the external threat intelligence as an input factor in the flexible grayscale calculation model to calculate the first security grayscale value includes:

[0134] Parse the external threat intelligence and extract fields that include at least threat type, threat level, and confidence level;

[0135] According to the predefined mapping rules, the threat type and threat level are mapped to a basic risk value. The confidence level is used as a weighting factor to correct the basic risk value and generate a third risk score.

[0136] Based on predefined mapping rules, threat type and threat level are mapped to a numerical base risk value. The calculation formula is:

[0137]

[0138] in, For type weighting functions, such as "malicious instruction injection" = 5, "denial of service" = 4, "vulnerability exploitation" = 3, "scanning and detection" = 1; Threat type; For example, "Urgent" = 2.0, "High" = 1.5, "Medium" = 1.0, and "Low" = 0.5; Threat level,

[0139] By introducing the confidence level of the intelligence as a weighting factor, the base risk value is adjusted to generate a third risk score, R3. The adjustment formula is as follows:

[0140]

[0141] Among them, confidence level The value range is [0, 1]. =0 indicates that the information is completely unreliable. =1 indicates that the intelligence is completely credible. This is a preset risk amplification factor, ranging from [0, 1], used to control the degree of risk amplification for low-confidence intelligence. When When =0, low confidence levels are not amplified; when When =1, low-confidence intelligence is amplified to the maximum extent. The specific value can be configured according to the security policy, for example... =0.5. A lower confidence level (Conf) indicates greater uncertainty about the information. Appropriately increase the risk value.

[0142] In other embodiments, the third risk score R3 can also be calculated in a more linear manner:

[0143]

[0144] The third risk score, R3, is directly proportional to the confidence level, representing an assessment of the reliability of intelligence when it is completely trusted.

[0145] It should be noted that the specific model used can be configured according to the security policy.

[0146] The first risk score, second risk score, and third risk score are weighted and fused to generate the first safety grayscale value. The calculation formula for the first safety grayscale value (G) is updated. The updated fusion formula is as follows:

[0147]

[0148] in, , , The new weighting coefficients satisfy... The coefficient settings determine the relative emphasis the model places on real-time rule matching, internal behavioral anomalies, and external threat intelligence.

[0149] External threat intelligence is often an early indicator of the attack chain. Quantifying and integrating this intelligence allows the first security grayscale value G to change before the attack actually arrives and has an impact. This shortens the time window from threat emergence to defense activation, enabling relay protection to be integrated into the dynamic security defense system of substations and even the entire power network. By incorporating the threat vision of the station control layer and even the wide area network into the assessment, even if a new type of attack has not yet shown obvious characteristics in the device's traffic or has not yet begun substantive operations, as long as the external intelligence system detects and reports the relevant threat, the device can perceive the risk in advance, proactively lower the first security grayscale value G, and enter a defensive state in advance.

[0150] Specifically, in a preferred embodiment of this application, the automatic switching to the defensive protection setting group includes at least one of the following methods:

[0151] (a) Increase the overcurrent protection setting by a preset percentage;

[0152] In practice, when a switching command is triggered, the device automatically increases the overcurrent protection's operating current value by a preset percentage, based on the original standard setting. For example, the standard setting is increased by 20%. Subsequently, the current threshold required to determine a fault becomes correspondingly higher.

[0153] (ii) Reduce the distance protection impedance setting by a preset percentage;

[0154] In addition, the device can automatically adjust the impedance operating boundary of the distance protection by reducing it by a preset percentage based on the original standard setting. For example, the impedance setting range of each segment can be reduced by 15%. This makes the electrical range of the fault zone identified by the distance protection element smaller and more conservative.

[0155] (III) Based on the existing protection criteria, at least one auxiliary criterion shall be added. The auxiliary criterion includes one or more of the following: current change rate criterion, voltage harmonic content criterion, and power direction criterion. Specifically:

[0156] Current change rate criterion: The instantaneous rise rate of the fault current must exceed a set threshold value to distinguish between a true instantaneous fault and some slowly changing abnormal conditions.

[0157] Voltage harmonic content criterion: Analyze the harmonic components in the voltage waveform during a fault, requiring that the total distortion rate or the content of a specific harmonic is below a certain threshold, which helps to identify real short-circuit faults and certain special operating conditions or interferences.

[0158] Power direction criterion: Verify whether the direction of the fault power is consistent with the preset positive direction of the protection, in order to prevent false operation due to abnormal data when there is a fault in the opposite direction.

[0159] This embodiment adds the above three measures, forming a proactive defense mechanism. When the system determines that the current network security status is suspicious, it automatically switches the protection device to a more cautious and conservative operating mode. By increasing the current setting and narrowing the impedance range, malicious data injection attacks must forge false fault signals with larger amplitudes and higher precision to fool the first electrical quantity criterion, increasing the technical difficulty and implementation cost of the attack. The added auxiliary criteria cross-verify the fault from different physical dimensions. Even if the attacker breaks through the main criterion, it is difficult to simultaneously and accurately simulate the complex physical characteristics on which all auxiliary criteria rely, improving the ability to identify and resist covert data tampering attacks.

[0160] Please see Figure 2The present invention also provides a relay protection device, including a safety coprocessor, a main protection CPU, and a communication interface module;

[0161] The security coprocessor is configured to execute:

[0162] Obtain network communication traffic from relay protection devices;

[0163] The first security gray value of the relay protection device is calculated using a flexible gray-scale calculation model; wherein, the flexible gray-scale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security gray value;

[0164] The main protection CPU is configured to execute:

[0165] Acquire electrical quantity data of the secondary circuits of the power system;

[0166] Based on the electrical quantity data, it is determined whether a fault has occurred within the zone; when a fault is determined to have occurred within the zone, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein...

[0167] If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic;

[0168] If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic.

[0169] Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message from at least one adjacent protection device is received through the communication interface module; otherwise, a blocking signal is generated and an alarm is triggered.

[0170] The functional explanations of each unit in this embodiment are the same as those of the power system relay protection method based on flexible grayscale calculation, and the technical effects are the same, so they will not be repeated here.

[0171] Please see Figure 3 The present invention also provides a power system relay protection system, including a first relay protection device and at least one second relay protection device;

[0172] The first relay protection device includes a first main protection CPU, a first security coprocessor, and a first communication interface module;

[0173] The first security coprocessor is configured to execute:

[0174] Obtain the network communication traffic of the first relay protection device;

[0175] The first security grayscale value of the first relay protection device is calculated using a flexible grayscale calculation model; wherein, the flexible grayscale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security grayscale value;

[0176] The first primary protection CPU is configured to execute:

[0177] Acquire electrical quantity data of the secondary circuits of the power system;

[0178] Based on the electrical quantity data, determine whether a fault has occurred within the zone;

[0179] When a fault is determined to occur within the designated area, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein...

[0180] If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic;

[0181] If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic.

[0182] Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message from at least one second relay protection device is received through the first communication interface module; otherwise, a blocking signal is generated and an alarm is triggered.

[0183] Specifically, when switching to the defensive protection setting group, a verification request containing fault information is sent to the second relay protection device through the dedicated communication link of the first communication interface module; after receiving the verification request, the second relay protection device makes a judgment based on its local electrical quantity data and returns a verification response to the first relay protection device through the first communication interface module; the main protection CPU of the first relay protection device generates a trip command under the defensive protection setting group only when it receives the verification response and its content satisfies physical logic consistency.

[0184] Specifically, embodiments of the present invention also provide a power system relay protection system, which further includes a station control layer monitoring system, wherein the station control layer monitoring system is configured to send external threat intelligence to the first security coprocessor;

[0185] The first security coprocessor is further configured to: receive the external threat intelligence and use the external threat intelligence as an input factor of the flexible grayscale measurement model to calculate the first security grayscale value.

[0186] The functional explanations of each unit in this embodiment are the same as those of the power system relay protection method based on flexible grayscale calculation, and the technical effects are the same, so they will not be repeated here.

[0187] Those skilled in the art will recognize that the units of the various examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the invention.

[0188] In the embodiments provided by the present invention, it should be understood that the division of units is only a logical functional division. In actual implementation, there may be other division methods, such as multiple units can be combined into one unit, one unit can be split into multiple units, or some features can be ignored.

[0189] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0190] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.

[0191] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention, and they should all be covered within the scope of the specification of the present invention.

Claims

1. A power system relay protection method based on flexible grayscale calculation, characterized in that, Includes the following steps: Obtain network communication traffic from relay protection devices; The first security gray value of the relay protection device is calculated using a flexible gray-scale calculation model; wherein, the flexible gray-scale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security gray value; Acquire electrical quantity data of the secondary circuits of the power system; Based on the electrical quantity data, determine whether a fault has occurred within the zone; When a fault is determined to occur within the designated area, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein... If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic; If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic. The automatic switching to the defensive protection setting group includes at least one of the following methods: Increase the overcurrent protection setting by a preset percentage; Reduce the distance protection impedance setting by a preset percentage; Based on the original protection criteria, at least one auxiliary criterion is added, which includes one or more of the following: current change rate criterion, voltage harmonic content criterion, and power direction criterion. The cross-device collaborative verification process includes: Send a verification request message to at least one predefined adjacent protection device. The verification request message includes at least the fault direction, fault distance, or fault current amplitude information calculated from local electrical quantity data. Receive and parse response messages from adjacent protection devices; If the response message indicates that the adjacent protection device determines, based on its local electrical quantity data, that the fault is located outside the protection zone of the adjacent protection device, or is physically and logically consistent with the local fault information, then the collaborative verification is deemed successful; otherwise, the collaborative verification is deemed to have failed. Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a cooperative verification confirmation message is received from at least one adjacent protection device.

2. The method according to claim 1, characterized in that, The calculation of the first safe grayscale value of the relay protection device using the flexible grayscale measurement model includes: Based on the first analysis path, the network communication traffic is matched in real time according to rules to obtain a first risk score; Anomaly analysis is performed on the sequence of operational behaviors in the network communication traffic based on the second analysis path to obtain a second risk score. The first risk score and the second risk score are weighted and fused to generate the first safety grayscale value; The first risk score includes at least the agreement violation level and feature matching count; the second risk score includes at least the statistical deviation score of the behavior sequence.

3. The method according to claim 2, characterized in that, The statistical deviation score of the behavioral sequence is obtained in the following way: For a sequence of operation behaviors within a preset time period, extract dimensional features including operation instruction type, execution time interval, and frequency of access to target object; Calculate the statistical value of the dimensional feature in the current sequence and compare it with the corresponding historical normal statistical value stored in the operation behavior baseline model; wherein, the operation behavior baseline model is established based on the historical normal operation and maintenance data of the relay protection device; Based on the comparison results, a comprehensive statistical deviation score is calculated.

4. The method according to claim 2, characterized in that, Before calculating the first safe grayscale value of the relay protection device using the flexible grayscale measurement model, the method further includes: Receive external threat intelligence from the station control layer monitoring system; The external threat intelligence is used as an input factor in the flexible grayscale measurement model to calculate the first security grayscale value.

5. The method according to claim 4, characterized in that, Using the external threat intelligence as an input factor in the flexible grayscale measurement model to calculate the first security grayscale value includes: Parse the external threat intelligence and extract fields that include at least threat type, threat level, and confidence level; According to the predefined mapping rules, the threat type and threat level are mapped to a basic risk value. The confidence level is used as a weighting factor to correct the basic risk value and generate a third risk score. The first risk score, the second risk score, and the third risk score are weighted and fused to generate the first security grayscale value.

6. A relay protection device, characterized in that, Includes a security coprocessor, main protection CPU, and communication interface module; The security coprocessor is configured to execute: Obtain network communication traffic from relay protection devices; The first security gray value of the relay protection device is calculated using a flexible gray-scale calculation model; wherein, the flexible gray-scale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security gray value; The main protection CPU is configured to execute: Acquire electrical quantity data of the secondary circuits of the power system; Based on the electrical quantity data, it is determined whether a fault has occurred within the zone; when a fault is determined to have occurred within the zone, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein... If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic; If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic. The automatic switching to the defensive protection setting group includes at least one of the following methods: Increase the overcurrent protection setting by a preset percentage; Reduce the distance protection impedance setting by a preset percentage; Based on the original protection criteria, at least one auxiliary criterion is added, which includes one or more of the following: current change rate criterion, voltage harmonic content criterion, and power direction criterion. The cross-device collaborative verification process includes: Send a verification request message to at least one predefined adjacent protection device. The verification request message includes at least the fault direction, fault distance, or fault current amplitude information calculated from local electrical quantity data. Receive and parse response messages from adjacent protection devices; If the response message indicates that the adjacent protection device determines, based on its local electrical quantity data, that the fault is located outside the protection zone of the adjacent protection device, or is physically and logically consistent with the local fault information, then the collaborative verification is deemed successful; otherwise, the collaborative verification is deemed to have failed. Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message from at least one adjacent protection device is received through the communication interface module; otherwise, a blocking signal is generated and an alarm is triggered.

7. A power system relay protection system, characterized in that, It includes a first relay protection device and at least one second relay protection device; The first relay protection device includes a first main protection CPU, a first security coprocessor, and a first communication interface module; The first security coprocessor is configured to execute: Obtain the network communication traffic of the first relay protection device; The first security grayscale value of the first relay protection device is calculated using a flexible grayscale calculation model; wherein, the flexible grayscale calculation is based on the network communication traffic, operation behavior sequence, and protocol compliance to calculate the first security grayscale value; The first primary protection CPU is configured to execute: Acquire electrical quantity data of the secondary circuits of the power system; Based on the electrical quantity data, determine whether a fault has occurred within the zone; When a fault is determined to occur within the designated area, a corresponding protection action strategy is generated based on the first safety grayscale value; wherein... If the first security grayscale value is higher than or equal to the first security threshold, a trip command is generated based on the standard protection logic; If the first security grayscale value is lower than the first security threshold, the system automatically switches to the defensive protection setting group and initiates a cross-device collaborative verification process; the defensive protection setting group is higher than the standard setting group corresponding to the standard protection logic. The automatic switching to the defensive protection setting group includes at least one of the following methods: Increase the overcurrent protection setting by a preset percentage; Reduce the distance protection impedance setting by a preset percentage; Based on the original protection criteria, at least one auxiliary criterion is added, which includes one or more of the following: current change rate criterion, voltage harmonic content criterion, and power direction criterion. The cross-device collaborative verification process includes: Send a verification request message to at least one predefined adjacent protection device. The verification request message includes at least the fault direction, fault distance, or fault current amplitude information calculated from local electrical quantity data. Receive and parse response messages from adjacent protection devices; If the response message indicates that the adjacent protection device determines, based on its local electrical quantity data, that the fault is located outside the protection zone of the adjacent protection device, or is physically and logically consistent with the local fault information, then the collaborative verification is deemed successful; otherwise, the collaborative verification is deemed to have failed. Under the defensive protection setting group, a trip command is generated only when the local fault criterion is met and a collaborative verification confirmation message from at least one second relay protection device is received through the first communication interface module.

8. The system according to claim 7, characterized in that, It also includes a station control layer monitoring system, which is configured to send external threat intelligence to the first security coprocessor; The first security coprocessor is further configured to: receive the external threat intelligence and use the external threat intelligence as an input factor of the flexible grayscale measurement model to calculate the first security grayscale value.