A power monitoring system information network security protection method based on situation awareness
By constructing a multimodal spatiotemporal feature extraction network and quantum attack-resistant identity base encryption parameters, the problems of network security flexibility and data transmission in smart power plants are solved. This enables real-time monitoring of power plant network security situational awareness and secure data transmission, thereby improving the accuracy and reliability of power plant network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SOUTHWEST ELECTRIC POWER DESIGN INST OF CHINA POWER ENG CONSULTING GROUP CORP
- Filing Date
- 2026-03-17
- Publication Date
- 2026-06-09
Smart Images

Figure CN121864498B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of power plant network security technology, and more specifically, to a method for information network security protection of power monitoring systems based on situational awareness. Background Technology
[0002] With the rapid development of artificial intelligence (AI) technology, its application in the industrial field is becoming increasingly widespread, especially in the power industry, where the construction of smart power plants has become an important direction for promoting the industry's intelligent and information-based transformation. Smart power plants, by integrating advanced information and communication technologies, Internet of Things (IoT) technologies, and AI technologies, achieve real-time monitoring, intelligent analysis, and optimized decision-making of power plant operation data, greatly improving the operating efficiency and safety of power plants. However, as the level of intelligence in power plants increases, cybersecurity issues are becoming increasingly prominent, and ensuring the cybersecurity of smart power plants has become an urgent problem to be solved.
[0003] In terms of cybersecurity situational awareness, although some research and technological applications have been conducted, these methods often face the problem of insufficient classification flexibility in practical applications. Traditional cybersecurity situational awareness methods are often based on fixed rules and policies, making it difficult to adapt to the complex and ever-changing network environment of smart power plants. Furthermore, these methods often fail to identify and respond to new types of cyberattacks in a timely and accurate manner, thus threatening the cybersecurity of power plants.
[0004] The transmission of network monitoring data also presents a significant challenge to the cybersecurity of smart power plants. Since power plant operational data often contains a large amount of sensitive information, such as equipment status and production data, the theft or tampering of this data during transmission can severely impact the normal operation of the power plant. However, current network monitoring data transmission processes often lack effective encryption and security measures, making the data vulnerable to attacks during transmission.
[0005] Furthermore, encryption algorithms play a crucial role in the cybersecurity of smart power plants. However, existing encryption algorithms often lack the ability to provide bilateral authentication. This means that during data transmission, although the data itself may be encrypted and protected, the identities of the communicating parties cannot be effectively verified, thus leaving opportunities for cyber attackers.
[0006] More importantly, existing technologies often treat "data transmission security" and "situational awareness" as two isolated issues. However, in a real power plant network environment, if data is tampered with or forged during transmission, even the most advanced situational awareness models will render their analysis meaningless, potentially leading to false alarms or missed alarms and causing erroneous control decisions. Therefore, there is an urgent need for a method that can deeply integrate secure data transmission with intelligent situational awareness to ensure the authenticity and integrity of input data from the source, thereby ensuring the accuracy and reliability of network security monitoring results. Summary of the Invention
[0007] The embodiments of this application provide a method for information network security protection of power monitoring systems based on situational awareness, in order to solve the technical problems existing in the prior art.
[0008] Other features and advantages of this application will become apparent from the following detailed description, or may be learned in part from practice of this application.
[0009] According to a first aspect of the embodiments of this application, a method for information network security protection of a power monitoring system based on situational awareness is provided, comprising:
[0010] Collect data that impacts the network security of power plants to obtain a power plant network security dataset.
[0011] The power plant network security dataset is preprocessed;
[0012] A multimodal spatiotemporal feature extraction network is constructed based on an attention mechanism for power protocol awareness, a graph convolutional network, and a bidirectional long short-term memory network as a deep learning model. The deep learning model introduces a cross-modal attention module to fuse protocol features and graph features, and adopts a temporal attention mechanism to enhance temporal representation.
[0013] The loss function of the deep learning model is optimized by adopting a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning, so that the model can simultaneously learn binary classification tasks of whether there is a threat and multi-classification tasks of threat type, and balance the two tasks through a dynamic task weight adjustment mechanism.
[0014] The preprocessed power plant network security dataset was used for model training to obtain a power plant network security situational awareness model.
[0015] Set quantum-resistant identity base encryption parameters based on dynamic parameters of the power system;
[0016] Collect real-time data from the power plant, and encrypt and decrypt the data using the quantum-resistant identity base encryption parameters during the transmission of the real-time data from the power plant.
[0017] The decrypted real-time data from the power plant is input into the power plant network security situation awareness model to monitor the current network security status of the power plant and output whether there are threats and the specific type of threat.
[0018] In some embodiments of this application, based on the foregoing scheme, the preprocessing of the power plant network security dataset includes:
[0019] The original message is parsed using power protocol analysis to extract key fields of IEC 61850, Modbus / TCP, and DNP3 protocols, generating a protocol enhancement feature matrix. Simultaneously, a device association graph is constructed based on the power plant network topology to obtain graph structure data.
[0020] In some embodiments of this application, based on the foregoing scheme, the construction of the graph convolutional network includes:
[0021] By treating power plant network devices as nodes, an adjacency matrix is constructed based on the network topology and communication relationships. Spatial dependencies between devices are extracted through graph convolution operations to generate a device association feature graph.
[0022] In some embodiments of this application, based on the aforementioned scheme, the process of fusing protocol features and graph features in a cross-modal attention module includes:
[0023] The attention weights of the protocol-enhanced feature matrix and the device-associated feature map are calculated and then summed in a weighted manner to obtain the fused features.
[0024] In some embodiments of this application, based on the foregoing scheme, the step of optimizing the loss function of the deep learning model using a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning includes:
[0025] Construct a teacher network to generate soft labels, enabling the student network to fit real hard and soft labels, thereby achieving knowledge distillation;
[0026] A task discriminator is connected after the shared feature extraction layer, and adversarial training is performed through a gradient reversal layer, so that the feature extractor learns a task-independent general representation.
[0027] Introducing learnable parameters based on uncertainty , The weights of the binary classification loss and multi-class classification loss are dynamically adjusted. The loss function expression is as follows:
[0028] ;
[0029] in For binary cross-entropy, The classification cross-entropy is defined as follows:
[0030] ;
[0031] ;
[0032] in, It is the first The probability that a sample is judged as "no threat" by the model. It is the first The probability that a sample is actually "no threat"; This is called the classification cross-entropy, where It is the first The threat types of each sample were classified as follows: The probability, It is the first The actual threat type of each sample is The probability, It represents the total number of threat types; For the number of samples, This is a logarithmic operation.
[0033] In some embodiments of this application, based on the foregoing scheme, setting quantum-resistant identity base encryption parameters based on dynamic parameters of the power system includes:
[0034] Dynamic seeds are generated using the grid frequency, phase, and active power collected by the synchronous phasor measurement unit through a physically non-clonable function.
[0035] Based on the learning problem with errors on rings, a lattice cryptography foundation is constructed, and encryption and decryption keys are generated and bound to a dynamic seed.
[0036] In some embodiments of this application, based on the foregoing scheme, the step of constructing a lattice cryptographic foundation based on the on-ring error learning problem and generating encryption and decryption keys bound to a dynamic seed includes:
[0037] We choose a lattice cryptography system based on the learning problem with errors on rings, and set a polynomial ring. ,in, For model Integer ring, Denotes undetermined variables, randomly selecting a, s∈ Calculate b = a·s + e, where e is the error polynomial, and use (a,b) as a common parameter;
[0038] Define a quantum-resistant hash function The sender's identity ID is concatenated with the dynamic seed and then hashed to obtain the identity polynomial. Where seed = PUF(f, θ, P) is the dynamic seed, f is the grid frequency, θ is the voltage phase, and P is the active power;
[0039] Based on identity polynomial The encryption key is calculated using a lattice cipher trapdoor generation algorithm. ;
[0040] The recipient's identity ID is also generated by combining it with the dynamic seed. Calculate the decryption key using the master key. .
[0041] In some embodiments of this application, based on the foregoing scheme, the encryption and decryption using the quantum-resistant identity base encryption parameters during the transmission of real-time data from the power plant includes:
[0042] Based on the encryption key and recipient identification code The collected real-time data from the power plant is encrypted to obtain encrypted real-time data of the power plant;
[0043] Based on the decryption key and sender identification code The encrypted real-time data from the power plant is decrypted.
[0044] In some embodiments of this application, based on the foregoing scheme, the step of basing the encryption key... and recipient identification code The collected real-time data from the power plant is encrypted to obtain encrypted real-time data of the power plant, including:
[0045] After collecting real-time data m from the power plant, specifying the recipient's identity ID', and selecting a random polynomial r, the following calculations are performed to obtain the encrypted real-time data C from the power plant:
[0046]
[0047] ;
[0048] ;
[0049] Where a and b are common parameters, , , For encrypted components, , It is the error polynomial.
[0050] In some embodiments of this application, based on the foregoing scheme, the step of using the decryption key... and sender identification code Decrypting the encrypted real-time data from the power plant includes:
[0051] The receiver uses its own decryption key Using the sender's identity ID, perform the following calculations to recover the power plant's real-time data m:
[0052] m = decode(c2 - dk_ID'·c1).
[0053] According to a second aspect of the embodiments of this application, a situational awareness-based information network security protection device for a power monitoring system is provided, comprising:
[0054] The first data acquisition unit is used to collect data that affects the network security of the power plant and obtain the power plant network security dataset.
[0055] A preprocessing unit is used to preprocess the power plant network security dataset;
[0056] The building unit is used to construct a multimodal spatiotemporal feature extraction network as a deep learning model based on the attention mechanism of power protocol awareness, graph convolutional network and bidirectional long short-term memory network. The deep learning model introduces a cross-modal attention module to fuse protocol features and graph features, and adopts a temporal attention mechanism to enhance temporal representation.
[0057] The optimization unit is used to optimize the loss function of the deep learning model using a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning, so that the model can simultaneously learn binary classification tasks of whether there is a threat and multi-classification tasks of threat types, and balance the two tasks through a dynamic task weight adjustment mechanism.
[0058] The training unit is used to train the model using the preprocessed power plant network security dataset to obtain the power plant network security situational awareness model.
[0059] The setting unit is used to set the quantum-resistant identity base encryption parameters based on the dynamic parameters of the power system;
[0060] The second data acquisition unit is used to collect real-time data from the power plant.
[0061] An encryption / decryption unit is used to encrypt and decrypt real-time data from the power plant using the quantum-resistant identity base encryption parameters during the transmission of such data.
[0062] The monitoring unit is used to input the decrypted real-time data of the power plant into the power plant network security situation awareness model, monitor the current network security status of the power plant, and output whether there is a threat and the specific type of threat.
[0063] According to a third aspect of the embodiments of this application, a computer-readable storage medium is provided, the storage medium storing computer instructions that, when executed on a computer, cause the computer to perform the method described in the first aspect above.
[0064] According to a fourth aspect of the embodiments of this application, an electronic device is provided, including a memory and a processor;
[0065] The memory is used to store computer instructions;
[0066] The processor is configured to invoke computer instructions stored in the memory, causing the electronic device to execute the method described in the first aspect above.
[0067] The technical solution of this application can realize binary and multi-class classification assessment of network security situation awareness in smart power plants. At the same time, it can also provide real-time and secure transmission of network monitoring data, realize real-time power plant network security situation awareness, and realize efficient interactive authentication between data sending and receiving ends (that is, by binding the decryption key with the identities of the two communicating parties, two-way authentication is implicitly realized, and no third party can forge the identity, thereby effectively preventing man-in-the-middle attacks and identity forgery), further improving the accuracy of data and the reliability of model prediction results.
[0068] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application. Attached Figure Description
[0069] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. It is obvious that the drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort. In the drawings:
[0070] Figure 1 A flowchart illustrating a method for protecting the information network security of a power monitoring system based on situational awareness, according to an embodiment of this application, is shown.
[0071] Figure 2 A block diagram of an information network security protection device for a power monitoring system based on situational awareness, according to an embodiment of this application, is shown.
[0072] Figure 3 A block diagram of an electronic device according to one embodiment of this application is shown;
[0073] Figure 4 A schematic diagram of the structure of a computer system suitable for implementing the electronic device of the present application is shown. Detailed Implementation
[0074] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided to make this application more comprehensive and complete, and to fully convey the concept of the exemplary embodiments to those skilled in the art.
[0075] Furthermore, the described features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. Numerous specific details are provided in the following description to give a thorough understanding of embodiments of this application. However, those skilled in the art will recognize that the technical solutions of this application can be practiced without one or more of the specific details, or other methods, components, apparatuses, steps, etc., can be employed. In other instances, well-known methods, apparatuses, implementations, or operations are not shown or described in detail to avoid obscuring various aspects of this application.
[0076] The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.
[0077] The flowcharts shown in the accompanying drawings are merely illustrative and do not necessarily include all content and operations / steps, nor do they necessarily have to be performed in the described order. For example, some operations / steps can be broken down, while others can be combined or partially combined; therefore, the actual execution order may change depending on the specific circumstances.
[0078] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such uses of these terms can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described.
[0079] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this invention, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.
[0080] The following detailed description of some embodiments of this application will be provided in conjunction with the accompanying drawings. Unless otherwise specified, the following embodiments and features can be combined with each other.
[0081] See Figure 1 The diagram illustrates a flowchart of an information network security protection method for a power monitoring system based on situational awareness, according to an embodiment of this application.
[0082] like Figure 1 As shown, a method for information network security protection of power monitoring systems based on situational awareness is demonstrated, which specifically includes steps S100 to S800.
[0083] refer to Figure 1 Step S100: Collect data that affects the power plant's network security. Collect network traffic, device logs, alarm information, etc. from various servers, network switching devices, and security devices (firewalls, intrusion detection systems IDS) in the power plant's production control area (such as distributed control system DCS, data acquisition and monitoring control system SCADA) and management information area through protocols such as Syslog, NetFlow, and SNMP to obtain the power plant network security dataset.
[0084] It should be noted that, in this embodiment, data that affects the network security of the power plant includes, but is not limited to: network traffic from the production control area and the management information area, equipment logs, alarm information, and real-time physical quantities of the power system.
[0085] Understandably, the resulting power plant network security dataset includes a training set and a test set. Specifically, 70% of the samples in the power plant network security dataset are used as the training set, and 30% are used as the test set.
[0086] Continue to refer to Figure 1 Step S200: Preprocess the power plant network security dataset.
[0087] In some feasible embodiments, based on the foregoing scheme, the preprocessing of the power plant network security dataset includes:
[0088] The original message is parsed using power protocol analysis to extract key fields of IEC 61850, Modbus / TCP, and DNP3 protocols, generating a protocol enhancement feature matrix. Simultaneously, a device association graph is constructed based on the power plant network topology to obtain graph structure data.
[0089] Continue to refer to Figure 1 In step S300, a multimodal spatiotemporal feature extraction network is constructed as a deep learning model based on the attention mechanism of power protocol awareness, graph convolutional network and bidirectional long short-term memory network. The deep learning model introduces a cross-modal attention module to fuse protocol features and graph features, and adopts a temporal attention mechanism to enhance temporal representation.
[0090] It should be noted that in this embodiment, the graph convolutional network is used to extract and learn spatially relevant features from the input data; based on spatial relevance, the bidirectional long short-term memory network processes the high temporal relevance of the features extracted by the graph convolutional network. The output of the graph convolutional network serves as the input to the bidirectional long short-term memory network, which is followed by a temporal attention mechanism to assign weights to different time steps, highlighting features at key time points.
[0091] In some feasible embodiments, based on the foregoing scheme, the construction of the graph convolutional network includes:
[0092] By treating power plant network devices as nodes, an adjacency matrix is constructed based on the network topology and communication relationships. Spatial dependencies between devices are extracted through graph convolution operations to generate a device association feature graph.
[0093] In some feasible embodiments, based on the aforementioned scheme, the process of fusing protocol features and graph features in the cross-modal attention module includes:
[0094] The attention weights of the protocol-enhanced feature matrix and the device-associated feature map are calculated and then summed in a weighted manner to obtain the fused features.
[0095] It should be noted that step S300 aims to construct a multi-task deep learning model that can deeply integrate power system-specific protocol semantics, device topology associations, and temporal dependencies, providing rich feature representations for subsequent threat detection.
[0096] (1) Power protocol parsing and structured embedding
[0097] First, deep protocol parsing is performed on the raw packets in the collected power plant network security dataset to identify the packet structures of power-specific protocols such as IEC 61850, Modbus / TCP, and DNP3, extracting key fields such as protocol type, function code, register address, and data value. These key fields are then converted into structured feature vectors and concatenated with the original traffic features (such as packet length, port, and flag bits) to form a protocol-enhanced feature matrix. ,in The number of samples within the time window. For feature dimensions.
[0098] (2) Local feature extraction of convolutional layers
[0099] After obtaining the protocol-enhanced feature matrix, local spatial features are first extracted through two consecutive 2D convolutional layers. For each 2D convolutional layer, 16 convolutional kernels act as filters to extract 16 individual feature maps from the input matrix. Each feature map is generated by a convolutional kernel based on the following convolution operation:
[0100] ;
[0101] in and These are the extracted feature maps and matrices, respectively. Each item, It is each term of the kernel function. It is the bias of the kernel function. It's the size of the core, set. This indicates that each core is 4×4 in size. This indicates the activation function.
[0102] It should be noted that, in this embodiment, the convolutional neural network model includes at least two consecutive two-dimensional convolutional layers;
[0103] Each of the two-dimensional convolutional layers is provided with an adaptive piecewise linear unit;
[0104] Each of the two-dimensional convolutional layers is filled with 0s.
[0105] Understandably, setting adaptive piecewise linear units can optimize performance.
[0106] It is understandable that padding each of the two-dimensional convolutional layers with zeros can keep the size of each feature map consistent with the mapping matrix.
[0107] For example, the convolutional neural network model includes two consecutive two-dimensional convolutional layers, a max pooling layer, and a vectorization layer.
[0108] Activation function Adaptive piecewise linear units are used to optimize performance:
[0109] ;
[0110] in For the number of hinges, set to , To control the variable of slope, This is the variable that determines the hinge position. and As weights learned during the training process.
[0111] Each convolutional layer is zero-padding to ensure the feature map size remains unchanged. The output of the convolutional layer is a local feature map. .
[0112] (3) Graph convolutional network modeling device association
[0113] Each device in the power plant network (such as intelligent electronic devices (IEDs), remote terminal units (RTUs), PLCs, switches, etc.) is treated as a node, and an adjacency matrix is constructed based on the network topology and communication relationships. (n is the number of devices). The original characteristics of the devices (such as IP address, device type, historical alarm count, etc.) are used as the initial characteristics of the nodes. Spatial dependencies between devices are extracted using graph convolutional networks:
[0114]
[0115] in , for The degree matrix, For the first Layer trainable weights The ReLU activation function is used. After L layers of graph convolution, the device association feature map is obtained. To align with convolutional features, pooling or interpolation is used to... Adjusted to be with Same size.
[0116] (4) Attention mechanism integrates multimodal features
[0117] Design a cross-modal attention module to integrate local features from convolution. Convolutional features of graphs Adaptive weighted fusion is performed. First, the attention weight matrix is calculated:
[0118]
[0119] in This is a learnable mapping matrix. Then, the fused features are obtained through weighted summation:
[0120]
[0121] in This is a value mapping matrix. This mechanism enables the model to dynamically focus on equipment association information strongly related to power business and suppress noise.
[0122] (5) Temporal feature extraction
[0123] The fused feature sequence (Sorted by time) Input is an improved bidirectional long short-term memory network (BiLSTM). The BiLSTM consists of a forward LSTM and a backward LSTM, capturing past and future contextual information respectively. A temporal attention mechanism is introduced after the BiLSTM layers to automatically assign weights to different time steps, highlighting moments crucial for threat assessment.
[0124]
[0125] in Let be the hidden state of BiLSTM at time step t. These are learnable parameters. The final weighted spatiotemporal joint feature vector is obtained. = .
[0126] (6) Multi-task output layer
[0127] Spatiotemporal joint feature vector The data is fed into two fully connected layers, one for binary classification (threat presence / absence) and the other for multi-class classification (threat type). The binary classification output layer uses the sigmoid activation function.
[0128]
[0129] The multi-class output layer uses the softmax activation function:
[0130]
[0131] Both tasks share all the underlying feature extraction network parameters, which are then optimized using a subsequent joint loss function.
[0132] In some feasible embodiments, based on the foregoing scheme, the bidirectional long short-term memory network includes at least: an LSTM layer and a drop-out layer deployed after the LSTM layer.
[0133] Understandably, the deployed dropout layer is used to reduce overfitting and improve the model's generalization ability.
[0134] In some feasible embodiments, based on the aforementioned scheme, the LSTM layer is provided with LSTM cells, and the LSTM cells use the sigmoid function and the hyperbolic tangent function as the activation functions for the gate and cell entry / exit, respectively.
[0135] It is understandable that the sigmoid function and the hyperbolic tangent function are used to accomplish two different classification tasks.
[0136] For example, a Long Short-Term Memory (LSTM) network model includes an LSTM layer and a dropout layer deployed after the LSTM layer.
[0137] The LSTM layer, as the first and main part of the Long Short-Term Memory network model, is used to process the input time series and learn the implicit correlations between each time slice. The LSTM unit is the core unit of the LSTM layer. In this example, 200 neurons are deployed in the LSTM unit, and a dropout layer with a dropout rate of 50% is deployed after the LSTM layer to reduce overfitting and improve the model's generalization ability.
[0138] For the activation of LSTM units, the following sigmoid function is selected ( The hyperbolic tangent function (tanh) and the hyperbolic tangent function are used as activation functions for gate and cell input / output, respectively.
[0139] ;
[0140] ;
[0141] Subsequently, the two activation functions are used to perform two different classification tasks. In the first classification task, a fully connected layer with 100 neurons and an output layer with softmax activation are used for binary classification, i.e., predicting whether the power plant currently faces a cybersecurity threat. The second classification task consists of another fully connected layer and an output layer, each with 100 neurons and softmax activation, supporting multi-class classification, i.e., identifying the specific type of cybersecurity threat. Furthermore, both softmax activations have the following functional form, which is the original... dimensional vector Each element in the algorithm generates a probability, and the sum of all probabilities is 1.
[0142] ;
[0143] Among them, subscript Values .
[0144] Continue to refer to Figure 1 In step S400, the loss function of the deep learning model is optimized using a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning, so that the model can simultaneously learn binary classification tasks of whether there is a threat and multi-classification tasks of threat types, and balance the two tasks through a dynamic task weight adjustment mechanism.
[0145] It should be noted that this step introduces a co-evolutionary multi-task learning framework and mechanism based on knowledge distillation and task adversarial learning:
[0146] (1) Teacher-student knowledge distillation structure: Construct a deeper teacher network (which can be pre-trained on a large-scale general network security dataset) to generate soft labels for binary and multi-class classification tasks respectively. The student network is the multi-task model of this invention, which not only fits the real hard labels during training, but also fits the soft labels of the teacher network, thereby transferring general knowledge.
[0147] (2) Task adversarial training: A gradient reversal layer is introduced to enable the model to learn features that are discriminative for both tasks in the shared feature extraction part, while preventing features from overfitting to a single task. Specifically, a task discriminator is connected after the feature extractor. Through adversarial training, the feature extractor cannot distinguish which task the current feature is used for, thereby forcing the feature extractor to learn a task-independent general representation and improving generalization ability.
[0148] (3) Dynamic task weight adjustment: Design an automatic learning mechanism for task weights based on uncertainty. The loss weights of the two tasks are dynamically adjusted through trainable parameters σ1 and σ2. The dynamic task weight adjustment mechanism is introduced so that the model can adaptively balance the contributions of the two tasks during training.
[0149] (4) Co-evolutionary iteration: During the training process, the prediction results of binary classification and multi-class classification tasks are exchanged as pseudo-labels every certain number of rounds to enhance the information interaction between the two tasks, so that the progress of one task can drive the improvement of the other task.
[0150] In some feasible embodiments, based on the foregoing scheme, the optimization of the loss function of the deep learning model using a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning includes:
[0151] Construct a teacher network to generate soft labels, enabling the student network to fit real hard and soft labels, thereby achieving knowledge distillation;
[0152] A task discriminator is connected after the shared feature extraction layer, and adversarial training is performed through a gradient reversal layer, so that the feature extractor learns a task-independent general representation.
[0153] Introducing learnable parameters based on uncertainty The weights of the binary classification loss and multi-class classification loss are dynamically adjusted. The loss function expression is as follows:
[0154] ;
[0155] in For binary cross-entropy, The classification cross-entropy is defined as follows:
[0156] ;
[0157] ;
[0158] in, It is the first The probability that a sample is judged as "no threat" by the model. It is the first The probability that a sample is actually "no threat"; This is called the classification cross-entropy, where It is the first The threat types of each sample were classified as follows: The probability, It is the first The actual threat type of each sample is The probability, It represents the total number of threat types; For the number of samples, This is a logarithmic operation.
[0159] Continue to refer to Figure 1 Step S500: Use the preprocessed power plant network security dataset to train the model and obtain the power plant network security situation awareness model.
[0160] It should be noted that in this embodiment, the preprocessed power plant network security dataset is used to train the model according to the above framework, ultimately resulting in a power plant network security situational awareness model. This model can not only accurately determine the presence of threats and identify threat types, but also the two tasks complement each other, resulting in overall performance significantly better than any single-task model or simple multi-task model.
[0161] For example, the training set obtained in step S100 is input into the deep learning model after optimizing the loss function for training, and the power plant network security situation awareness model is obtained after training is completed.
[0162] It is understandable that the power plant network security situational awareness model obtained in this implementation is essentially a multi-task learning model. Through the aforementioned joint loss function `L`, the model forces the sharing of parameters from the underlying feature extraction networks (CNN and LSTM) during training, simultaneously optimizing both binary classification (threat presence or absence) and multi-classification (threat type) tasks. This design yields significant synergistic effects: on the one hand, the fine-grained threat type information provided by the multi-classification task helps the model more accurately determine the presence of threats (binary classification). Experimental results show that, compared to a binary classification model trained separately, the multi-task learning model of this invention reduces the false positive rate by more than 30% on the same test set. On the other hand, the loss gradient of the binary classification task also helps the model learn more discriminative general features, improving its ability to identify unknown threat types. For novel attacks not present in the training set, the identification accuracy is improved by approximately 25%. Ultimately, this model can not only determine whether the network has been attacked, but also identify the specific attack type in real time, providing security operations personnel with more comprehensive and accurate decision support. Ultimately, the model can not only determine whether a network has been attacked, but also identify the specific type of attack in real time, providing security operations personnel with more comprehensive and accurate decision support.
[0163] It is worth noting that this application adopts an end-to-end joint training strategy, where the updates of the entire model (CNN feature extraction, LSTM temporal modeling, binary classification and multi-class output) are uniformly guided by the joint loss function L, rather than being trained in stages or simply combined. This integrated training approach ensures that the underlying features serve both tasks simultaneously, thereby generating a true synergistic effect.
[0164] Continue to refer to Figure 1 Step S600: Set the quantum-resistant identity base encryption parameters based on the dynamic parameters of the power system.
[0165] In some feasible embodiments, based on the foregoing scheme, setting quantum-resistant identity base encryption parameters based on dynamic parameters of the power system includes:
[0166] Dynamic seeds are generated using the grid frequency, phase, and active power collected by the synchronous phasor measurement unit through a physically non-clonable function.
[0167] Based on the learning problem with errors on rings, a lattice cryptography foundation is constructed, and encryption and decryption keys are generated and bound to a dynamic seed.
[0168] For example, this step introduces a lattice cryptography system based on Ring-LWE and combines it with dynamic parameters of the power system.
[0169] (1) Dynamic parameter extraction: Real-time acquisition of physical quantities such as grid frequency f, voltage phase θ, and active power P from the power plant synchronous phasor measurement unit (PMU), and generation of dynamic seed value seed = PUF(f, θ,P) through physical unclonable function (PUF). This seed value changes in real time with the grid status and has physical unclonability.
[0170] (2) Lattice cryptography foundation construction: A lattice cryptography system based on the Ring-LWE problem is selected, and a polynomial ring is set. , where n is a power of 2 (e.g., n=256) and q is the modulus (e.g., q=12289). For model Integer ring, Let represent undetermined variables. Two polynomials a and s ∈ [the range] are randomly selected. ,calculate , where e is the error polynomial. a and b are included as part of the common parameters.
[0171] (3) Dynamic identity hashing: Define a quantum-resistant hash function The sender's identity ID is concatenated with the dynamic seed and then hashed to obtain the identity polynomial. .
[0172] (4) Encryption key generation: based on identity polynomial The encryption key is calculated using a trapdoor generation algorithm for lattice ciphers. The encryption key is bound to the current dynamic state of the power grid and has a time limit.
[0173] (5) Decryption key generation: The receiver's identity ID is also combined with the dynamic seed to generate the identity polynomial. The decryption key is calculated using the master key (i.e., the trapdoor information). .
[0174] Continue to refer to Figure 1 Step S700: Collect real-time data from the power plant, and encrypt and decrypt the data using the quantum-resistant identity base encryption parameters during the transmission of the real-time data.
[0175] In some feasible embodiments, based on the foregoing scheme, based on the encryption key and recipient identification code The collected real-time data from the power plant is encrypted to obtain encrypted real-time data of the power plant;
[0176] Based on the decryption key and sender identification code The encrypted real-time data from the power plant is decrypted.
[0177] In some feasible embodiments, based on the foregoing scheme, the step of basing the encryption key... and recipient identification code The collected real-time data from the power plant is encrypted to obtain encrypted real-time data of the power plant, including:
[0178] After collecting real-time data m from the power plant, specifying the recipient's identity ID', and selecting a random polynomial r, the following calculations are performed to obtain the encrypted real-time data C from the power plant:
[0179]
[0180] ;
[0181] ;
[0182] Where a and b are common parameters, , , For encrypted components, , It is the error polynomial.
[0183] In some feasible embodiments, based on the foregoing scheme, the step of using the decryption key... and sender identification code Decrypting the encrypted real-time data from the power plant includes:
[0184] The receiver uses its own decryption key Using the sender's identity ID, perform the following calculations to recover the power plant's real-time data m:
[0185] m = decode(c2 - dk_ID'·c1).
[0186] Because the decryption key is bound to the sender's identity and the dynamic seed, it can only be decrypted correctly by a legitimate receiver and when the current dynamic parameters match, thus implicitly verifying the identities of both parties.
[0187] Therefore, the encryption scheme of this application requires both the sender's identity ID and the receiver's private key 'dkID' to be provided during decryption, ensuring that only the designated receiver holding the legitimate private key can decrypt. Furthermore, successful decryption depends on the binding of the encryption key 'ekID' used by the sender during encryption to the sender's identity ID. This mechanism differs from traditional authentication methods that require multiple handshakes to exchange certificates (such as SSL / TLS). It implicitly completes two-way authentication during a single encryption / decryption operation. In real-time power plant monitoring scenarios, control commands and monitoring data often require transmission and response within milliseconds or even microseconds. Traditional multiple-handshake authentication methods introduce intolerable latency. This application, by embedding identity authentication into encryption / decryption primitives, completely eliminates authentication interaction rounds, reducing end-to-end latency to less than one-third of traditional methods, thus perfectly meeting the stringent ultra-low latency requirements of real-time power plant monitoring. Simultaneously, it simplifies key management complexity, achieving lightweight and efficient interactive authentication while ensuring high security, effectively preventing security threats such as man-in-the-middle attacks and identity forgery.
[0188] Continue to refer to Figure 1 In step S800, the decrypted real-time data of the power plant is input into the power plant network security situation awareness model to monitor the current network security status of the power plant and output whether there is a threat and the specific threat type.
[0189] For example, the decrypted real-time data of the power plant The data is input into the power plant network security situation awareness model for processing. Based on the output of the power plant network security situation awareness model, the current network security status of the power plant is determined, thus realizing real-time monitoring of the power plant network security.
[0190] In summary, the technical solution of this application solves the systemic technical problem of the disconnect between data transmission security and situational awareness in power plant monitoring by organically combining three major technical means: mapping one-dimensional data into a two-dimensional matrix, constructing a multi-task end-to-end joint learning model, and designing an implicit two-way authentication encryption mechanism. This achieves a deep integration of security protection and intelligent analysis.
[0191] The following describes an embodiment of the apparatus described in this application, which can be used to execute a situational awareness-based information network security protection device for a power monitoring system as described in the above embodiments of this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the method described in this application.
[0192] Reference Figure 2 As shown, a situational awareness-based information network security protection device 200 for a power monitoring system according to an embodiment of this application includes:
[0193] The first acquisition unit 201 is used to collect data that affects the power plant network security and obtain the power plant network security dataset.
[0194] Preprocessing unit 202 is used to preprocess the power plant network security dataset;
[0195] Building unit 203 is used to construct a multimodal spatiotemporal feature extraction network as a deep learning model based on the attention mechanism of power protocol awareness, graph convolutional network and bidirectional long short-term memory network. The deep learning model introduces a cross-modal attention module to fuse protocol features and graph features, and adopts a temporal attention mechanism to enhance temporal representation.
[0196] The optimization unit 204 is used to optimize the loss function of the deep learning model using a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning, so that the model can simultaneously learn binary classification tasks of whether there is a threat and multi-classification tasks of threat types, and balance the two tasks through a dynamic task weight adjustment mechanism.
[0197] Training unit 205 is used to train the model using the preprocessed power plant network security dataset to obtain the power plant network security situation awareness model.
[0198] Setting unit 206 is used to set quantum attack resistant identity base encryption parameters based on dynamic parameters of the power system;
[0199] The second acquisition unit 207 is used to acquire real-time data from the power plant.
[0200] Encryption and decryption unit 208 is used to encrypt and decrypt the real-time data of the power plant using the quantum attack-resistant identity base encryption parameters during the transmission process;
[0201] The monitoring unit 209 is used to input the decrypted real-time data of the power plant into the power plant network security situation awareness model, monitor the current network security status of the power plant, and output whether there is a threat and the specific threat type.
[0202] like Figure 3 As shown, this application embodiment also provides an electronic device 300, including a memory 310, a processor 320, and a computer program 311 stored in the memory 310 and executable on the processor. When the processor 320 executes the computer program 311, it implements the steps of the above-mentioned information network security protection method for a power monitoring system based on situational awareness.
[0203] Since the electronic device described in this embodiment is the device used to implement the information network security protection device for a power monitoring system based on situational awareness in this application embodiment, those skilled in the art can understand the specific implementation method and various variations of the electronic device in this embodiment based on the method described in this application embodiment. Therefore, how the electronic device implements the method in this application embodiment will not be described in detail here. Any device used by those skilled in the art to implement the method in this application embodiment is within the scope of protection of this application.
[0204] In practice, when the computer program 311 is executed by the processor, it can implement any of the embodiments corresponding to the first aspect.
[0205] Figure 4 A schematic diagram of the structure of a computer system suitable for implementing the electronic device of the present application is shown.
[0206] It should be noted that, Figure 4 The computer system 400 of the electronic device shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.
[0207] like Figure 4 As shown, the computer system 400 includes a central processing unit 401, which can perform various appropriate actions and processes based on a program stored in read-only memory 402 or a program loaded from storage section 408 into random access memory 403, such as performing the methods described in the above embodiments. The random access memory 403 also stores various programs and data required for system operation. The central processing unit 401, read-only memory 402, and random access memory 403 are interconnected via bus 404. Input / output interface 405 is also connected to bus 404.
[0208] The following components are connected to the input / output interface 405: an input section 406 including a keyboard, mouse, etc.; an output section 407 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 408 including a hard disk, etc.; and a communication section 409 including a network interface card such as a LAN (Local Area Network) card, modem, etc. The communication section 409 performs communication processing via a network such as the Internet. A drive 410 is also connected to the input / output interface 405 as needed. A removable medium 411, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 410 as needed so that computer programs read from it can be installed into the storage section 408 as needed.
[0209] Specifically, according to embodiments of this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 409, and / or installed from removable medium 411. When the computer program is executed by central processing unit 401, it performs various functions defined in the system of this application.
[0210] It should be noted that the computer-readable medium shown in the embodiments of this application can be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such transmitted data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. The computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to wireless, wired, etc., or any suitable combination thereof.
[0211] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. Each block in a flowchart or block diagram may represent a module, segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0212] The units described in the embodiments of this application can be implemented in software or hardware, and the described units can also be located in a processor. The names of these units do not necessarily limit the specific unit itself.
[0213] In another aspect, this application also provides a computer program product or computer program that includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the situational awareness-based information network security protection method for a power monitoring system described in the above embodiments.
[0214] In another aspect, this application also provides a computer-readable medium, which may be included in the electronic device described in the above embodiments; or it may exist independently and not assembled into the electronic device. The computer-readable medium carries one or more programs, which, when executed by the electronic device, cause the electronic device to implement the situational awareness-based information network security protection method for power monitoring systems described in the above embodiments.
[0215] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of this application, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0216] Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, touch terminal, or network device, etc.) to execute the methods according to the embodiments of this application.
[0217] Other embodiments of this application will readily conceive of by those skilled in the art upon consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. It should be understood that this application is not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.
Claims
1. A method for information network security protection of a power monitoring system based on situational awareness, characterized in that, include: Collect data that impacts the network security of power plants to obtain a power plant network security dataset. The power plant network security dataset is preprocessed; A multimodal spatiotemporal feature extraction network is constructed based on an attention mechanism for power protocol awareness, a graph convolutional network, and a bidirectional long short-term memory network as a deep learning model. The deep learning model introduces a cross-modal attention module to fuse protocol features and graph features, and adopts a temporal attention mechanism to enhance temporal representation. The loss function of the deep learning model is optimized by adopting a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning, so that the model can simultaneously learn binary classification tasks of whether there is a threat and multi-classification tasks of threat type, and balance the two tasks through a dynamic task weight adjustment mechanism. The preprocessed power plant network security dataset was used for model training to obtain a power plant network security situational awareness model. Set quantum-resistant identity base encryption parameters based on dynamic parameters of the power system; Collect real-time data from the power plant, and encrypt and decrypt the data using the quantum-resistant identity base encryption parameters during the transmission of the real-time data from the power plant. The decrypted real-time data of the power plant is input into the power plant network security situation awareness model to monitor the current network security status of the power plant and output whether there is a threat and the specific type of threat. The process of constructing a multimodal spatiotemporal feature extraction network includes: Generate protocol-enhanced feature matrices based on raw messages from power plant network security datasets; Based on the enhanced feature matrix of the protocol, local spatial features are extracted through two consecutive two-dimensional convolutional layers; Spatial dependencies between devices in a power plant network are extracted using graph convolutional networks. Design a cross-modal attention module to adaptively weight and fuse convolutional local features with graph convolutional features; The fused feature sequences are arranged chronologically and input into an improved bidirectional long short-term memory network. The bidirectional long short-term memory network consists of a forward LSTM and a backward LSTM, which capture past and future contextual information, respectively. A time attention mechanism is introduced after the bidirectional long short-term memory network layer to automatically assign weights to different time steps, highlighting the critical moments for threat determination. The optimization of the loss function of the deep learning model using a co-evolutionary multi-task learning framework based on knowledge distillation and task adversarial learning includes: Construct a teacher network to generate soft labels, enabling the student network to fit real hard and soft labels, thereby achieving knowledge distillation; A task discriminator is connected after the shared feature extraction layer, and adversarial training is performed through a gradient reversal layer, so that the feature extractor learns a task-independent general representation. Introducing learnable parameters based on uncertainty , The weights of the binary classification loss and multi-class classification loss are dynamically adjusted. The loss function expression is as follows: ; in For binary cross-entropy, The classification cross-entropy is defined as follows: ; ; in, It is the first The probability that a sample is judged as "no threat" by the model. It is the first The probability that a sample is actually "no threat"; This is called the classification cross-entropy, where It is the first The threat types of each sample were classified as follows: The probability, It is the first The actual threat type of each sample is The probability, It represents the total number of threat types; For the number of samples, This is a logarithmic operation.
2. The method according to claim 1, characterized in that, The preprocessing of the power plant network security dataset includes: The original message is parsed using power protocol analysis to extract key fields of IEC 61850, Modbus / TCP, and DNP3 protocols, generating a protocol enhancement feature matrix. Simultaneously, a device association graph is constructed based on the power plant network topology to obtain graph structure data.
3. The method according to claim 2, characterized in that, The construction of the graph convolutional network includes: By treating power plant network devices as nodes, an adjacency matrix is constructed based on the network topology and communication relationships. Spatial dependencies between devices are extracted through graph convolution operations to generate a device association feature graph.
4. The method according to claim 3, characterized in that, The process of fusing protocol features and graph features in a cross-modal attention module includes: The attention weights of the protocol-enhanced feature matrix and the device-associated feature map are calculated and then summed in a weighted manner to obtain the fused features.
5. The method according to claim 1, characterized in that, The setting of quantum-resistant identity base encryption parameters based on dynamic parameters of the power system includes: Dynamic seeds are generated using the grid frequency, phase, and active power collected by the synchronous phasor measurement unit through a physically non-clonable function. Based on the learning problem with errors on rings, a lattice cryptography foundation is constructed, and encryption and decryption keys are generated and bound to a dynamic seed.
6. The method according to claim 5, characterized in that, The method for constructing a lattice cryptography foundation based on the on-ring error learning problem and generating encryption and decryption keys bound to a dynamic seed includes: We choose a lattice cryptography system based on the learning problem with errors on rings, and set a polynomial ring. ,in, For model Integer ring, Denotes undetermined variables, randomly selecting a, s∈ Calculate b = a·s + e, where e is the error polynomial, and use (a,b) as a common parameter; Define a quantum-resistant hash function The sender's identity ID is concatenated with the dynamic seed and then hashed to obtain the identity polynomial. Where seed = PUF(f, θ, P) is the dynamic seed, f is the grid frequency, θ is the voltage phase, and P is the active power; Based on identity polynomial The encryption key is calculated using a lattice cipher trapdoor generation algorithm. ; The recipient's identity ID is also generated by combining it with the dynamic seed. Calculate the decryption key using the master key. .
7. The method according to claim 6, characterized in that, The encryption and decryption using the quantum-resistant identity base encryption parameters during the transmission of real-time data from the power plant includes: Based on the encryption key and recipient identification code The collected real-time data from the power plant is encrypted to obtain encrypted real-time data of the power plant; Based on the decryption key and sender identification code The encrypted real-time data from the power plant is decrypted.
8. The method according to claim 7, characterized in that, Based on the encryption key and recipient identification code The collected real-time data from the power plant is encrypted to obtain encrypted real-time data of the power plant, including: After collecting real-time data m from the power plant, specifying the recipient's identity ID', and selecting a random polynomial r, the following calculations are performed to obtain the encrypted real-time data C from the power plant: ; ; Where a and b are common parameters, , , For encrypted components, , It is the error polynomial.
9. The method according to claim 8, characterized in that, Based on the decryption key and sender identification code Decrypting the encrypted real-time data from the power plant includes: The receiver uses its own decryption key Using the sender's identity ID, perform the following calculations to recover the power plant's real-time data m: m=decode(c2 - ·c1)。