A malicious control instruction interception method for power industrial control protocol

By calculating message parameters and constructing dynamic compensation coefficients in the power industrial control network, the problem of existing technologies being unable to identify covert low-frequency attacks and network jitter is solved, achieving accurate interception and adaptive protection against malicious control commands.

CN122226519BActive Publication Date: 2026-07-14SHANGHAI KUAN YU IND NETWORK EQUIP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHANGHAI KUAN YU IND NETWORK EQUIP CO LTD
Filing Date
2026-05-20
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing power control protocol interception technologies are unable to effectively identify covert low-frequency attacks or decouple network jitter from legitimate emergency services, leading to misjudgments and the failure of prevention mechanisms.

Method used

By calculating parameters such as the timestamps of adjacent messages, payload size, and register address deviation, and combining them with the exponential decay function and the natural constant, a dynamic compensation coefficient and threshold baseline are constructed to achieve precise interception of malicious control commands.

Benefits of technology

It achieves accurate identification of covert low-frequency attacks and network jitter, decouples emergency services, eliminates computational blind spots under extreme operations, and provides adaptive deep security protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122226519B_ABST
    Figure CN122226519B_ABST
Patent Text Reader

Abstract

The application relates to the technical field of industrial control safety, and discloses a malicious control instruction interception method for an electric power industrial control protocol, which comprises the following steps: firstly, extracting a message timestamp, a payload size and a priority parameter, combining a basic delay to calculate instruction structure momentum; then, introducing a historical sliding window mechanism, calculating an anti-congestion time damping factor to suppress network jitter; then, extracting a register address topology deviation of adjacent instructions, injecting a preservation micro-perturbation quantity, and calculating a micro-perturbation semantic correlation degree without a blind area; further, fusing the damping factor and the correlation degree to generate a dynamic compensation coefficient, and then calculating a compensation state impact energy of a single message; finally, dynamically generating an adaptive threshold baseline according to historical energy distribution, and outputting a deterministic interception or release decision quantity by comparing the current impact energy with the baseline. The application can realize unsupervised extraction and adaptive accurate interception of malicious features in an industrial control network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of industrial control security technology, specifically a method for intercepting malicious control commands in power industrial control protocols. Background Technology

[0002] In typical application scenarios such as substations or large power plants, core communication equipment relies on dedicated industrial control protocols for data flow. With increasingly sophisticated network attack methods, traditional control command interception technologies have exposed numerous deep security blind spots. Currently, common interception schemes mainly rely on fixed traffic threshold detection or matching with known attack signature databases. However, these existing technologies have significant limitations in the complex and ever-changing power network communication environment. First, existing fixed threshold detection technologies struggle to handle low-frequency, slow attacks. Attackers often break down high-risk control operations into small byte fragments that perfectly conform to protocol specifications. These commands are injected into the network at extremely low frequencies. Existing single-pass traffic threshold detection mechanisms simply cannot detect such subtle traffic anomalies. This allows malicious control behavior to remain hidden for extended periods, ultimately causing serious damage. Second, industrial Ethernet inevitably experiences physical network jitter. This jitter causes normally issued periodic commands to accumulate at the receiving end. Existing interception systems often misjudge these false traffic peaks caused by network congestion as high-frequency malicious attacks. This triggers incorrect security interception actions, severely disrupting the normal operation of the power system. Furthermore, existing technologies are prone to mistakenly rejecting legitimate commands when attempting to address network congestion misjudgment. When a real emergency occurs in the power grid, industrial control equipment needs to issue high-frequency burst control commands promptly. For example, emergency linkage of multiple circuit breakers for concurrent tripping. Such legitimate service bursts are remarkably similar in network time characteristics to pure network latency stacking. Existing traffic suppression algorithms cannot effectively decouple service logic bursts from network physical latency. This ultimately leads to legitimate emergency commands being over-suppressed and rendered ineffective by the prevention mechanism. Finally, some advanced technologies attempt to introduce device access address correlation analysis to identify legitimate burst flows. However, when legitimate burst commands involve consecutive forced bit-setting operations on the same critical high-risk register address, the address topology distance between commands is zero. Existing algorithms are highly susceptible to computational singularities or feature collapse in such extreme business scenarios. This can cause the overall burst compensation mechanism to completely fail.

[0003] In summary, there is a need for a method to intercept malicious control commands of power control protocols that can accurately identify hidden traffic, effectively remove network jitter, and also take into account extreme legitimate emergencies. Summary of the Invention

[0004] This invention provides a method for intercepting malicious control commands in power industrial control protocols, thereby helping to solve the problems mentioned in the background art.

[0005] This invention provides the following technical solution: a method for intercepting malicious control commands in power industrial control protocols, comprising:

[0006] The arrival time interval is calculated based on the timestamps of adjacent messages, and the equivalent data quality is obtained by multiplying the payload size by the priority coefficient.

[0007] The sum of the time interval and the preset hardware delay is calculated, the equivalent data quality is divided by the sum to obtain the speed, and the equivalent data quality is multiplied by the speed to obtain the instruction structure momentum.

[0008] The time damping factor is calculated using an exponential decay function based on the ratio of the current time interval to the average interval of historical messages within the window.

[0009] Calculate the absolute deviation of the register addresses of adjacent messages, and use this deviation and a fixed constant to calculate the normalized instruction semantic association coefficient;

[0010] By combining equivalent data quality with preset mathematical constants, a logarithmic basis compensation term is constructed, and it is added to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree.

[0011] The dynamic compensation coefficient is obtained by integrating the time damping factor and the perturbation correlation, and then multiplied by the command structure momentum and time interval to obtain the compensated state impact energy.

[0012] The baseline energy upper limit is derived from the mean and standard deviation of historical impact energies within a statistical window. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length.

[0013] The decision quantity is output by subtracting the compensated state impact energy from the dynamic threshold baseline and taking the sign of the difference. If the difference is positive, the message is intercepted and discarded; otherwise, it is allowed and the historical window is updated.

[0014] Optionally, the step of calculating the arrival time interval based on adjacent message timestamps and multiplying the payload size by the priority coefficient to obtain the equivalent data quality includes:

[0015] Deploy traffic acquisition probes in a bypass configuration on the mirror port of the core switch in the power industrial control network;

[0016] The flow acquisition probe is used to continuously parse industrial control protocol messages;

[0017] Get the absolute arrival timestamp of the current message, the absolute arrival timestamp of the previous message, the payload size of the current message, and the instruction priority coefficient mapped by the protocol header;

[0018] Subtract the absolute arrival timestamp of the previous message from the absolute arrival timestamp of the current message to obtain the time interval between the arrival of adjacent industrial control commands.

[0019] Multiply the payload size of the current message by the instruction priority coefficient to obtain the equivalent data quality of the current industrial control instruction.

[0020] Optionally, the sum of the calculation time interval and the preset hardware delay, the equivalent data quality divided by the sum to obtain the velocity, and the equivalent data quality multiplied by the velocity to obtain the instruction structure momentum, including:

[0021] Obtain the reference delay time constant for photoelectric conversion and interrupt response processing of industrial control network card hardware;

[0022] The hardware base delay time is obtained by adding the time interval between the arrival of the adjacent industrial control commands to the reference delay time constant.

[0023] Divide the equivalent data quality by the hardware-based latency to obtain the instantaneous destruction speed of the instruction.

[0024] Multiplying the equivalent data quality by the instantaneous destruction rate of the instruction yields the instruction structure momentum carried by the instruction.

[0025] Optionally, the calculation of the time damping factor based on the ratio of the current time interval to the average interval of historical messages within the window using an exponential decay function includes:

[0026] Set the length of the sliding window;

[0027] Obtain the time interval of each historical message within the sliding window in the historical cache queue;

[0028] The average time interval of historical messages is obtained by summing all the time intervals within the sliding window and dividing by the length of the sliding window.

[0029] Divide the time interval between the arrival of the adjacent industrial control commands by the average time interval of the historical messages to obtain the time dispersion ratio.

[0030] Extract the negative of the time discrete ratio as a negative exponent, and calculate the natural exponent value corresponding to the negative exponent.

[0031] Subtracting the natural exponent value from the natural number 1 yields the congestion time damping factor.

[0032] Optionally, the step of calculating the absolute deviation of adjacent message operation register addresses and using this deviation and a fixed constant to calculate a normalized instruction semantic association coefficient includes:

[0033] Get the decimal address of the target operand register corresponding to the current instruction;

[0034] Get the decimal address of the register corresponding to the previous instruction;

[0035] The difference between the decimal address value corresponding to the current instruction and the decimal address value corresponding to the previous instruction is calculated, and the absolute value of the calculation result is extracted as the register address topology deviation.

[0036] Add the natural number one to the register address topology deviation to obtain the smoothing correction deviation term;

[0037] Divide the register address topology deviation by the smoothing correction deviation term to obtain the normalized instruction semantic association coefficient.

[0038] Optionally, the step of constructing a logarithmic basis compensation term by combining equivalent data quality with a preset mathematical constant, and adding it to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree, includes:

[0039] Add the base of the natural logarithm to the equivalent data quality to obtain the logarithmic truth term;

[0040] Calculate the natural logarithm of the true logarithmic term to obtain the denominator of the natural series;

[0041] The set Euler-Mascheroni constant is extracted as the numerator of the natural series;

[0042] Dividing the numerator of the natural series by the denominator of the natural series yields the background perturbation compensation term;

[0043] The semantic correlation coefficient of the instruction is added to the background perturbation compensation term to obtain the semantic correlation degree of the maintenance perturbation.

[0044] Optionally, the dynamic compensation coefficient is derived from the fusion time damping factor and the perturbation correlation, and multiplied by the command structure momentum and time interval to obtain the compensated state impact energy, including:

[0045] Subtract the anti-congestion time damping factor from the natural number one to obtain the damping complement value;

[0046] Multiply the damping complementarity value by the semantic correlation degree of the maintenance perturbation to obtain the spatial takeover weight;

[0047] The dynamic compensation coefficient is obtained by adding the spatial takeover weight to the anti-congestion time damping factor.

[0048] The compensated impact energy is obtained by multiplying the momentum of the instruction structure, the dynamic compensation coefficient, and the time interval between the arrival of adjacent industrial control instructions.

[0049] Optionally, the mean and standard deviation of historical impact energies within the statistical window are used to derive the upper limit of the base energy. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length, including:

[0050] Retrieve all compensated state impact energy records within the historical window in the historical cache queue;

[0051] Calculate the arithmetic mean of all compensated-state impact energy records within the sliding window;

[0052] Calculate the standard deviation of all compensated-state impact energy records within the sliding window;

[0053] The arithmetic mean and the standard deviation are added together to obtain the upper limit of the basic statistical energy.

[0054] Add the natural number one to the length of the sliding window, and calculate the natural logarithm of the sum;

[0055] Divide the natural logarithm by the sliding window length and add the natural number one to obtain the adaptive fault-tolerant multiplier.

[0056] Multiplying the adaptive fault-tolerant multiplier by the basic statistical energy upper limit yields the adaptive dynamic energy threshold baseline.

[0057] Optionally, the step of subtracting the compensated-state impact energy from the dynamic threshold baseline and outputting a decision value, where a positive difference indicates packet rejection and discard, and a negative difference indicates packet release and updating of the historical window, includes:

[0058] Subtracting the adaptive dynamic energy threshold baseline from the compensated state impact energy yields the energy excess value.

[0059] Extract the step sign output result where the energy exceeds the difference as the control command interception decision variable;

[0060] When the control command interception decision variable is determined to be positive one, an interception action is issued on the device port and the data packet of the current message is directly discarded;

[0061] When the control command interception decision variable is determined to be negative one or zero, the current message is allowed to pass, and the compensated state impact energy value of the current message is pushed into the historical sliding window to update the basic record.

[0062] The present invention has the following beneficial effects:

[0063] 1. By deploying probes in bypass mode on the power industrial control network to continuously parse packets, the extracted basic parameters are converted into command structure momentum. The time damping factor and the semantic correlation of perturbations are then fused to derive the compensated-state impact energy, which is then compared with a dynamic baseline to achieve interception. This solution effectively addresses covert low-frequency attacks and industrial Ethernet network jitter issues. While decoupling network congestion from legitimate emergency surges, it completely eliminates computational blind spots under extreme operating conditions, achieving fully adaptive deep security protection.

[0064] 2. By extracting message timestamps, payload size, and priority coefficients, the instruction arrival time interval is calculated, and the equivalent data quality is obtained. This method transforms the underlying communication attributes of network packets into standardized parameters with physical meaning, accurately extracting the temporal density characteristics of injected instructions. It overcomes the limitations of traditional monitoring, which only analyzes the surface of the protocol, and lays a highly structured underlying data foundation for revealing low-frequency, covert sabotage behaviors.

[0065] 3. By introducing a hardware baseline delay constant, the instantaneous destruction rate is obtained by dividing the equivalent data quality by the sum of the time interval and the delay, and then the momentum of the instruction structure is calculated. This step uses the lower limit of the absolute physical delay as a buffer to avoid the division-to-zero singularity during extremely high concurrency; at the same time, with the help of the momentum accumulation mechanism, it accurately exposes the substantial destructive kinetic energy generated by the deliberate slowing down of the attacker, thus penetrating the blind spot of traditional fixed-time-window security defenses.

[0066] 4. By comparing the current adjacent time interval with the historical average time interval within the sliding window, the congestion damping factor is calculated using a negative exponential decay function. This dynamic evaluation method endows the defense system with intelligent discrimination capabilities. When normal instructions experience severe time stacking due to network jitter, the damping factor rapidly converges to zero, applying flexible suppression to false momentum peaks and solving the problem of misjudging network lag and congestion as high-frequency attacks.

[0067] 5. By calculating the absolute topological deviation of adjacent control instruction operation register addresses and mapping it to normalized semantic correlation coefficients using a smoothing term, this spatial topology resolution mechanism can identify the operational continuity of consecutive tripping instructions when a real emergency fault occurs in the power grid. It effectively rescues legitimate emergency response messages that are mistakenly killed by time damping, and achieves decoupling of legitimate sudden states and pure network physical delay stacking in the mathematical model.

[0068] 6. By combining equivalent data quality and the base of the natural logarithm to construct the denominator of a natural series, and extracting the Euler constant as the numerator to obtain the perturbation term, the perturbation semantic correlation degree is obtained by adding it to the semantic correlation coefficient. This mechanism overcomes the singularity problem caused by continuous operation of the same high-risk register in emergency commands leading to zero distance and computational collapse. It fills the legality guarantee energy in the blind zone and realizes feature preservation under extreme spatial aggregation conditions.

[0069] 7. By fusing the time damping factor and the semantic correlation of the perturbation, a dynamic compensation coefficient is synthesized, and the compensation state impact energy is calculated by multiplying it with the instruction structure momentum and time interval. This processing architecture takes over the evaluation by semantic correlation during congestion and maintains trust in the time domain during stability; and in the multiplication, the influence of the time interval is canceled out, stripping away the hacker's time disguise and directly exposing the physical-level absolute attack energy that reflects the degree of malicious damage.

[0070] 8. A basic upper limit is derived by statistically analyzing the mean and standard deviation of historical window impact energies. A natural logarithm fault-tolerant multiplier based on the window length is then introduced, and multiplied to generate an adaptive dynamic energy threshold baseline. This endogenous evolutionary design utilizes the normal fluctuation rhythm of equipment for probabilistic extension, eliminating the reliance on manually static hard-coded thresholds, closely aligning with real power grid operating conditions, and achieving self-learning and smooth correction of the safety tolerance upper limit.

[0071] 9. By subtracting the compensated-state impact energy from the dynamic threshold baseline, the step sign of the difference is extracted and the final control command is output to intercept the decision variable. This decision mechanism instantly collapses the high-dimensional complex data stream into a deterministic control signal, ensuring zero execution hysteresis; at the same time, it seamlessly backfills the safe flow energy value, driving the benchmark to absorb the latest healthy samples for continuous fine-tuning, thus constructing a defense line with self-verification and evolutionary capabilities. Attached Figure Description

[0072] Figure 1 This is a schematic diagram of the basic process of the present invention.

[0073] Figure 2 This is a flowchart of the semantic correlation calculation and singularity elimination process for maintenance perturbation in this invention.

[0074] Figure 3 This is a flowchart of the adaptive dynamic energy threshold baseline generation mechanism of the present invention.

[0075] Figure 4 This is a flowchart of the closed-loop process for multidimensional feature orthogonal fusion and adaptive interception decision-making in this invention. Detailed Implementation

[0076] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0077] Example 1, refer to Figure 1 A method for intercepting malicious control commands in power industrial control protocols, comprising:

[0078] The arrival time interval is calculated based on the timestamps of adjacent messages, and the equivalent data quality is obtained by multiplying the payload size by the priority coefficient.

[0079] The sum of the time interval and the preset hardware delay is calculated, the equivalent data quality is divided by the sum to obtain the speed, and the equivalent data quality is multiplied by the speed to obtain the instruction structure momentum.

[0080] The time damping factor is calculated using an exponential decay function based on the ratio of the current time interval to the average interval of historical messages within the window.

[0081] Calculate the absolute deviation of the register addresses of adjacent messages, and use this deviation and a fixed constant to calculate the normalized instruction semantic association coefficient;

[0082] By combining equivalent data quality with preset mathematical constants, a logarithmic basis compensation term is constructed, and it is added to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree.

[0083] The dynamic compensation coefficient is obtained by integrating the time damping factor and the perturbation correlation, and then multiplied by the command structure momentum and time interval to obtain the compensated state impact energy.

[0084] The baseline energy upper limit is derived from the mean and standard deviation of historical impact energies within a statistical window. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length.

[0085] The decision quantity is output by subtracting the compensated state impact energy from the dynamic threshold baseline and taking the sign of the difference. If the difference is positive, the message is intercepted and discarded; otherwise, it is allowed and the historical window is updated.

[0086] The step of calculating the arrival time interval based on adjacent message timestamps and multiplying the payload size by the priority coefficient to obtain the equivalent data quality includes:

[0087] Deploy traffic acquisition probes in a bypass configuration on the mirror port of the core switch in the power industrial control network;

[0088] The flow acquisition probe is used to continuously parse industrial control protocol messages;

[0089] Get the absolute arrival timestamp of the current message, the absolute arrival timestamp of the previous message, the payload size of the current message, and the instruction priority coefficient mapped by the protocol header;

[0090] Subtract the absolute arrival timestamp of the previous message from the absolute arrival timestamp of the current message to obtain the time interval between the arrival of adjacent industrial control commands.

[0091] Multiply the payload size of the current message by the instruction priority coefficient to obtain the equivalent data quality of the current industrial control instruction.

[0092] The sum of the calculation time interval and the preset hardware delay is used to divide the equivalent data quality by the sum to obtain the speed, and the equivalent data quality is multiplied by the speed to obtain the instruction structure momentum, including:

[0093] Obtain the reference delay time constant for photoelectric conversion and interrupt response processing of industrial control network card hardware;

[0094] The hardware base delay time is obtained by adding the time interval between the arrival of the adjacent industrial control commands to the reference delay time constant.

[0095] Divide the equivalent data quality by the hardware-based latency to obtain the instantaneous destruction speed of the instruction.

[0096] Multiplying the equivalent data quality by the instantaneous destruction rate of the instruction yields the instruction structure momentum carried by the instruction.

[0097] The time damping factor, calculated using an exponential decay function based on the ratio of the current time interval to the average interval of historical messages within the window, includes:

[0098] Set the length of the sliding window;

[0099] Obtain the time interval of each historical message within the sliding window in the historical cache queue;

[0100] The average time interval of historical messages is obtained by summing all the time intervals within the sliding window and dividing by the length of the sliding window.

[0101] Divide the time interval between the arrival of the adjacent industrial control commands by the average time interval of the historical messages to obtain the time dispersion ratio.

[0102] Extract the negative of the time discrete ratio as a negative exponent, and calculate the natural exponent value corresponding to the negative exponent.

[0103] Subtracting the natural exponent value from the natural number 1 yields the congestion time damping factor.

[0104] The calculation of the absolute deviation of adjacent message operation register addresses, and the calculation of a normalized instruction semantic association coefficient using this deviation and a fixed constant, includes:

[0105] Get the decimal address of the target operand register corresponding to the current instruction;

[0106] Get the decimal address of the register corresponding to the previous instruction;

[0107] The difference between the decimal address value corresponding to the current instruction and the decimal address value corresponding to the previous instruction is calculated, and the absolute value of the calculation result is extracted as the register address topology deviation.

[0108] Add the natural number one to the register address topology deviation to obtain the smoothing correction deviation term;

[0109] Divide the register address topology deviation by the smoothing correction deviation term to obtain the normalized instruction semantic association coefficient.

[0110] The process of constructing a logarithmic basis compensation term by combining equivalent data quality with preset mathematical constants, and adding it to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree, includes:

[0111] Add the base of the natural logarithm to the equivalent data quality to obtain the logarithmic truth term;

[0112] Calculate the natural logarithm of the true logarithmic term to obtain the denominator of the natural series;

[0113] The set Euler-Mascheroni constant is extracted as the numerator of the natural series;

[0114] Dividing the numerator of the natural series by the denominator of the natural series yields the background perturbation compensation term;

[0115] The semantic correlation coefficient of the instruction is added to the background perturbation compensation term to obtain the semantic correlation degree of the maintenance perturbation.

[0116] The fusion time damping factor and perturbation correlation yield a dynamic compensation coefficient, which is then multiplied by the command structure momentum and time interval to obtain the compensated state impact energy, including:

[0117] Subtract the anti-congestion time damping factor from the natural number one to obtain the damping complement value;

[0118] Multiply the damping complementarity value by the semantic correlation degree of the maintenance perturbation to obtain the spatial takeover weight;

[0119] The dynamic compensation coefficient is obtained by adding the spatial takeover weight to the anti-congestion time damping factor.

[0120] The compensated impact energy is obtained by multiplying the momentum of the instruction structure, the dynamic compensation coefficient, and the time interval between the arrival of adjacent industrial control instructions.

[0121] The mean and standard deviation of historical impact energies within the statistical window are used to derive the baseline energy upper limit. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length, including:

[0122] Retrieve all compensated state impact energy records within the historical window in the historical cache queue;

[0123] Calculate the arithmetic mean of all compensated-state impact energy records within the sliding window;

[0124] Calculate the standard deviation of all compensated-state impact energy records within the sliding window;

[0125] The arithmetic mean and the standard deviation are added together to obtain the upper limit of the basic statistical energy.

[0126] Add the natural number one to the length of the sliding window, and calculate the natural logarithm of the sum;

[0127] Divide the natural logarithm by the sliding window length and add the natural number one to obtain the adaptive fault-tolerant multiplier.

[0128] Multiplying the adaptive fault-tolerant multiplier by the basic statistical energy upper limit yields the adaptive dynamic energy threshold baseline.

[0129] The step of subtracting the compensated impact energy from the dynamic threshold baseline and outputting a decision value, where a positive difference indicates packet rejection and discard, and a negative difference indicates packet passage and updating of the historical window, includes:

[0130] Subtracting the adaptive dynamic energy threshold baseline from the compensated state impact energy yields the energy excess value.

[0131] Extract the step sign output result where the energy exceeds the difference as the control command interception decision variable;

[0132] When the control command interception decision variable is determined to be positive one, an interception action is issued on the device port and the data packet of the current message is directly discarded;

[0133] When the control command interception decision variable is determined to be negative one or zero, the current message is allowed to pass, and the compensated state impact energy value of the current message is pushed into the historical sliding window to update the basic record.

[0134] Example 2, based on Example 1, provides a detailed explanation of the method for intercepting malicious control commands in the power industrial control protocol, using specific mathematical calculation formulas. The specific process is as follows:

[0135] First, the arrival time interval is calculated based on the timestamps of adjacent messages, and the equivalent data quality is obtained by multiplying the payload size by the priority coefficient, including:

[0136] The purpose of this step is to perform physical dimension conversion on the unstructured chemical control protocol data captured by the traffic probe, transforming network packets into standardized parameters that can be used for physical modeling;

[0137] Traffic acquisition probes are deployed in bypass mode on the mirror port of the core switch of the power industrial control network. The probes continuously parse industrial control protocol (such as IEC104 or MMS) messages to provide the basic physical layer and data link layer raw data streams for parameter acquisition in subsequent algorithm steps.

[0138] Get the current number The absolute arrival timestamp of each message , No. The absolute arrival timestamp of each message The effective payload size of the current message and the instruction priority coefficient mapped by the protocol header. ;

[0139] First, the time interval between the arrival of adjacent industrial control commands is calculated using the following formula, which is used to characterize the temporal density of command injection:

[0140]

[0141] In the formula, Indicates the first The time interval between each message and the previous message; Indicates the first The absolute arrival timestamp of each message; Indicates the first The absolute arrival timestamp of each message;

[0142] Next, the equivalent data quality of the current industrial control instruction is calculated. The abstract priority is transformed into a multiplier amplifier with physical meaning. The equivalent data quality of the current industrial control instruction is calculated using the following formula:

[0143]

[0144] In the formula, Indicates the first Equivalent data quality of each instruction; Indicates the first The payload size of each message; This represents the instruction priority coefficient, which is directly mapped by the priority flag in the message header; 1 for low priority, 2 for medium priority, and 3 for high priority.

[0145] By extracting message timestamps, payload size, and priority coefficients, the instruction arrival time interval is calculated, and the equivalent data quality is derived. This method transforms the underlying communication attributes of network packets into standardized parameters with physical meaning, accurately extracting the temporal density characteristics of injected instructions. It overcomes the limitations of traditional monitoring, which only analyzes the surface of the protocol, and lays a highly structured foundation of underlying data support for revealing low-frequency, covert sabotage behaviors.

[0146] The sum of the calculation time interval and the preset hardware delay is used to divide the equivalent data quality by the sum to obtain the speed, and the equivalent data quality is multiplied by the speed to obtain the instruction structure momentum, including:

[0147] This step aims to address the issue of low-frequency covert attack evasion thresholds. It calculates the structural impact momentum generated by a single instruction within the protocol stack by combining equivalent data quality with arrival time intervals.

[0148] Obtain the reference delay time constant for photoelectric conversion and interrupt response processing of industrial control network card hardware. ;

[0149] Next, the instantaneous rate of destruction of the instruction during network transmission and protocol parsing is calculated, and hardware-based latency is introduced to avoid mathematical errors caused by dividing by zero. The instantaneous rate of destruction of the instruction during network transmission and protocol parsing is calculated using the following formula:

[0150]

[0151] In the formula, Indicates the first The instantaneous destructive speed of an instruction; For the first Equivalent data quality of each instruction; For the first The time interval between each message and the previous message; The photoelectric conversion and interrupt response processing baseline delay time constant of industrial control network card hardware, based on the physical limits of gigabit Ethernet cards, is typically set to [value missing]. The larger the value of s, the more it will mask the true characteristics of high-frequency attacks; the smaller the value, the more susceptible it is to interference from small fluctuations in the system bus current.

[0152] The instruction structure momentum carried by the instruction is calculated using the following formula:

[0153]

[0154] In the formula, Indicates the first Instruction structure momentum of an instruction; For the first Equivalent data quality of each instruction; For the first The instantaneous destruction speed of each instruction.

[0155] By introducing a hardware baseline latency constant, the instantaneous destruction rate is obtained by dividing the equivalent data quality by the sum of the time interval and latency, and then the momentum of the instruction structure is calculated. This step uses the lower limit of absolute physical latency as a buffer to avoid the division-to-zero singularity during extremely high concurrency; at the same time, by leveraging the momentum accumulation mechanism, it accurately exposes the substantial destructive kinetic energy generated by a covert attacker deliberately slowing down the pace, thus penetrating the blind spot of traditional fixed-time-window security defenses.

[0156] The time damping factor, calculated using an exponential decay function based on the ratio of the current time interval to the average interval of historical messages within the window, includes:

[0157] This step aims to address the issue of artificially high momentum caused by normal instruction stacking due to network congestion. By introducing exponentially decaying time damping, it dynamically suppresses stacking traffic that deviates from the historical average period.

[0158] Set the length of the sliding window The value is the number of historical messages in a complete control cycle of the industrial control system, usually taken as... Retrieve the historical message time interval within the sliding window from the historical cache queue. ;

[0159] Next, the congestion-resistant time damping factor is directly calculated. This factor reflects the network jitter state by comparing the current time interval with the average time interval within the sliding window. The congestion-resistant time damping factor is calculated using the following formula:

[0160] ;

[0161] In the formula, Indicates the congestion time damping factor; For the first The time interval between each message and the previous message; The initial set length of the sliding window; For the first in the sliding window The time interval of each historical message; when congestion stacking occurs. Minimal, exponential term approaches 1, damping factor It approaches 0, thus forming a strong inhibition.

[0162] By comparing the current adjacent time interval with the historical average time interval within the sliding window, the congestion-resistant time damping factor is calculated using a negative exponential decay function. This dynamic evaluation method endows the defense system with intelligent discrimination capabilities. When normal instructions experience severe time stacking due to network jitter, the damping factor rapidly converges to zero, applying flexible suppression to false momentum peaks and solving the problem of misjudging network lag and congestion as high-frequency attacks.

[0163] Reference Figure 2 The step of calculating the absolute deviation of adjacent message operation register addresses, and using this deviation and a fixed constant to calculate the normalized instruction semantic association coefficient, includes:

[0164] This step aims to identify "legitimate emergency traffic" that has been mistakenly blocked by congestion damping. The continuity of the business logic is measured by calculating the jump range between adjacent instruction accesses to register addresses.

[0165] The first one is obtained directly from the message payload parsing result. The decimal address value of the target operand register extracted from each instruction. and the decimal address value of the register from the previous instruction. ;

[0166] The absolute topological deviation between two adjacent control instructions in the industrial computer's memory space or register mapping table can be calculated using the following formula:

[0167]

[0168] In the formula, Indicates register address topology deviation; Indicates the first The decimal address value of the target operation register extracted from each instruction; This represents the decimal address value of the register from the previous instruction;

[0169] The absolute deviation is mapped to a normalized instruction semantic association coefficient using the following formula:

[0170]

[0171] In the formula, Indicates the semantic association coefficient of the instruction; This refers to the register address topology deviation.

[0172] By calculating the topological absolute deviation of adjacent control instruction operation register addresses and mapping it to normalized semantic correlation coefficients using a smoothing term, this spatial topology resolution mechanism can identify the operational coherence of consecutive tripping instructions when a real emergency fault occurs in the power grid. It effectively rescues legitimate emergency response messages that are mistakenly killed by time damping, and achieves decoupling of legitimate emergency states from the stacking of pure network physical delays in the mathematical model.

[0173] Continue to refer to Figure 2 The step of constructing a logarithmic basis compensation term by combining equivalent data quality with preset mathematical constants, and adding it to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree, includes:

[0174] This step aims to resolve issues caused by consecutive operations on the same register. This leads to the problem of correlation failure, so a natural constant is introduced to compensate for the background energy.

[0175] The semantic relevance of maintenance perturbation is calculated using the following formula:

[0176]

[0177] In the formula, Indicates the semantic relevance of maintenance perturbation; The semantic association coefficient of the instruction; It is the Euler-Mascheroni constant; It is the base of the natural logarithm; For the first The formula ensures that even if the same address is accessed repeatedly, the correlation will not fall below the minimum effective physical boundary determined by its own data quality.

[0178] By combining equivalent data quality and the base of the natural logarithm to construct the denominator of a natural series, and extracting the Euler constant as the numerator to obtain the perturbation term, the perturbation semantic correlation degree is obtained by adding it to the semantic correlation coefficient. This mechanism overcomes the singularity problem caused by continuous operation of the same high-risk register in emergency commands leading to zero distance and computational collapse. It fills the legality guarantee energy in the blind zone and realizes feature preservation under extreme spatial aggregation conditions.

[0179] Reference Figure 4 The fusion of the time damping factor and the perturbation correlation yields a dynamic compensation coefficient, which is then multiplied by the command structure momentum and time interval to obtain the compensated state impact energy, including:

[0180] The purpose of this step is to orthogonally fuse the extracted momentum, damping, and maintenance semantic correlation to calculate the compensated state impact energy that truly reflects the degree of malicious damage.

[0181] The dynamic compensation coefficient is calculated using the following formula:

[0182]

[0183] In the formula, Indicates the dynamic compensation coefficient; This is the congestion time damping factor; To preserve the semantic relevance of the perturbation; this structure makes it possible when the damping is extremely strong ( When the value is extremely small, the compensation right is entirely taken over by the semantic relevance.

[0184] The compensated-state impact energy is calculated using the following formula:

[0185]

[0186] In the formula, Indicates the first The compensated state impact energy generated by each message; For the first Instruction structure momentum of an instruction; For dynamic compensation coefficients; For the first The time interval between each message and the previous message.

[0187] By fusing the time damping factor and the semantic correlation of perturbations to synthesize dynamic compensation coefficients, and multiplying them with the momentum of the instruction structure and the time interval, the compensation-state impact energy is calculated. This processing architecture takes over the evaluation by semantic correlation during congestion and maintains trust in the time domain during stable conditions; in the multiplication, the influence of the time interval is canceled out, stripping away the hacker's time disguise and directly exposing the physical-level absolute attack energy that reflects the degree of malicious damage.

[0188] Reference Figure 3The baseline energy upper limit is derived from the historical impact energy mean and standard deviation within the statistical window. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length, including:

[0189] This step does not rely on any externally set empirical thresholds. It directly utilizes the energy distribution characteristics of normal services within the sliding window to dynamically calculate the maximum safe energy tolerance limit under the current network condition.

[0190] Retrieve the compensated state impact energy record value extracted within the historical window from the historical cache queue. ;

[0191] The upper limit of the basic statistical energy within the window is calculated using the following formula:

[0192] ;

[0193] In the formula, Indicates the first The upper limit of basic statistical energy at any given moment; The length of the sliding window; The compensated-state impact energy record value extracted within the historical window; This is the arithmetic mean of the impact energies within the historical window;

[0194] The adaptive dynamic energy threshold baseline is calculated using the following formula:

[0195]

[0196] In the formula, Indicates the first The adaptive dynamic energy threshold baseline at each moment; The length of the sliding window; This is the upper limit of the basic statistical energy obtained in the previous step; As a self-derived fault-tolerant multiplier, the larger the window, the higher the statistical confidence, and the fault tolerance produces a stable micro-amplification mathematically.

[0197] The baseline upper limit is derived by statistically analyzing the mean and standard deviation of historical window impact energies. A natural logarithm-based fault-tolerant multiplier, constructed based on the window length, is then introduced, and multiplied to generate an adaptive dynamic energy threshold baseline. This endogenous evolutionary design utilizes the normal fluctuation rhythm of equipment for probabilistic extension, eliminating reliance on manually statically hard-coded thresholds. It closely aligns with real-world power grid conditions, achieving self-learning and smooth correction of the safety tolerance upper limit.

[0198] Continue to refer to Figure 4 The step of subtracting the compensated-state impact energy from the dynamic threshold baseline and outputting a decision value, where a positive difference indicates packet rejection and discard, and a negative difference indicates packet release and historical window update, includes:

[0199] The purpose of this step is to compare the currently calculated target quantity with the dynamic baseline and output the direct interception judgment command result, thus forming a closed-loop control.

[0200] The control command interception decision variable is calculated using the following formula:

[0201]

[0202] In the formula, This indicates that the control command intercepts the decision variable; For the first The compensated state impact energy generated by each message; For the first The adaptive dynamic energy threshold baseline at each moment;

[0203] when When the current command's impact energy exceeds the dynamic baseline, the system determines that it has been attacked by malicious control commands and directly issues an interception action to discard the data packet on the firewall or switch port.

[0204] when or When the flow is deemed safe, it is allowed to pass and its energy value is pushed into the historical sliding window to update the baseline.

[0205] By subtracting the compensated-state impact energy from the dynamic threshold baseline, the step sign of the difference is extracted and the final control command is output to intercept the decision variable. This decision mechanism instantly collapses the high-dimensional complex data stream into a deterministic control signal, ensuring zero execution hysteresis; at the same time, it seamlessly backfills the safe flow energy value, driving the benchmark to absorb the latest healthy samples for continuous fine-tuning, thus constructing a defense line with self-verification and evolutionary capabilities.

[0206] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.

[0207] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. A method for intercepting malicious control commands in power industrial control protocols, characterized in that, include: The arrival time interval is calculated based on the timestamps of adjacent messages, and the equivalent data quality is obtained by multiplying the payload size by the priority coefficient. The sum of the time interval and the preset hardware delay is calculated, the equivalent data quality is divided by the sum to obtain the speed, and the equivalent data quality is multiplied by the speed to obtain the instruction structure momentum. The time damping factor is calculated using an exponential decay function based on the ratio of the current time interval to the average interval of historical messages within the window. Calculate the absolute deviation of the register addresses of adjacent messages, and use this deviation and a fixed constant to calculate the normalized instruction semantic association coefficient; By combining equivalent data quality with preset mathematical constants, a logarithmic basis compensation term is constructed, and it is added to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree. The dynamic compensation coefficient is obtained by integrating the time damping factor and the perturbation correlation, and then multiplied by the command structure momentum and time interval to obtain the compensated state impact energy. The baseline energy upper limit is derived from the mean and standard deviation of historical impact energies within a statistical window. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length. The decision quantity is output by subtracting the compensated state impact energy from the dynamic threshold baseline and taking the sign of the difference. If the difference is positive, the message is intercepted and discarded; otherwise, it is allowed and the historical window is updated.

2. The method for intercepting malicious control commands in a power industrial control protocol according to claim 1, characterized in that, The step of calculating the arrival time interval based on adjacent message timestamps and multiplying the payload size by the priority coefficient to obtain the equivalent data quality includes: Deploy traffic acquisition probes in a bypass configuration on the mirror port of the core switch in the power industrial control network; The flow acquisition probe is used to continuously parse industrial control protocol messages; Get the absolute arrival timestamp of the current message, the absolute arrival timestamp of the previous message, the payload size of the current message, and the instruction priority coefficient mapped by the protocol header; Subtract the absolute arrival timestamp of the previous message from the absolute arrival timestamp of the current message to obtain the time interval between the arrival of adjacent industrial control commands. Multiply the payload size of the current message by the instruction priority coefficient to obtain the equivalent data quality of the current industrial control instruction.

3. The method for intercepting malicious control commands in a power industrial control protocol according to claim 2, characterized in that, The sum of the calculation time interval and the preset hardware delay is used to divide the equivalent data quality by the sum to obtain the speed, and the equivalent data quality is multiplied by the speed to obtain the instruction structure momentum, including: Obtain the reference delay time constant for photoelectric conversion and interrupt response processing of industrial control network card hardware; The hardware base delay time is obtained by adding the time interval between the arrival of the adjacent industrial control commands to the reference delay time constant. Divide the equivalent data quality by the hardware-based latency to obtain the instantaneous destruction speed of the instruction. Multiplying the equivalent data quality by the instantaneous destruction rate of the instruction yields the instruction structure momentum carried by the instruction.

4. The method for intercepting malicious control commands in a power industrial control protocol according to claim 3, characterized in that, The time damping factor, calculated using an exponential decay function based on the ratio of the current time interval to the average interval of historical messages within the window, includes: Set the length of the sliding window; Obtain the time interval of each historical message within the sliding window in the historical cache queue; The average time interval of historical messages is obtained by summing all the time intervals within the sliding window and dividing by the length of the sliding window. Divide the time interval between the arrival of the adjacent industrial control commands by the average time interval of the historical messages to obtain the time dispersion ratio. Extract the negative of the time discrete ratio as a negative exponent, and calculate the natural exponent value corresponding to the negative exponent. Subtracting the natural exponent value from the natural number 1 yields the congestion time damping factor.

5. A method for intercepting malicious control commands in a power control protocol according to claim 4, characterized in that, The calculation of the absolute deviation of adjacent message operation register addresses, and the calculation of a normalized instruction semantic association coefficient using this deviation and a fixed constant, includes: Get the decimal address of the target operand register corresponding to the current instruction; Get the decimal address of the register corresponding to the previous instruction; The difference between the decimal address value corresponding to the current instruction and the decimal address value corresponding to the previous instruction is calculated, and the absolute value of the calculation result is extracted as the register address topology deviation. Add the natural number one to the register address topology deviation to obtain the smoothing correction deviation term; Divide the register address topology deviation by the smoothing correction deviation term to obtain the normalized instruction semantic association coefficient.

6. A method for intercepting malicious control commands in a power control protocol according to claim 5, characterized in that, The process of constructing a logarithmic basis compensation term by combining equivalent data quality with preset mathematical constants, and adding it to the instruction semantic correlation coefficient to obtain the maintenance perturbation correlation degree, includes: Add the base of the natural logarithm to the equivalent data quality to obtain the logarithmic truth term; Calculate the natural logarithm of the true logarithmic term to obtain the denominator of the natural series; The set Euler-Mascheroni constant is extracted as the numerator of the natural series; Dividing the numerator of the natural series by the denominator of the natural series yields the background perturbation compensation term; The semantic correlation coefficient of the instruction is added to the background perturbation compensation term to obtain the semantic correlation degree of the maintenance perturbation.

7. A method for intercepting malicious control commands in a power control protocol according to claim 6, characterized in that, The fusion time damping factor and perturbation correlation yield a dynamic compensation coefficient, which is then multiplied by the command structure momentum and time interval to obtain the compensated state impact energy, including: Subtract the anti-congestion time damping factor from the natural number one to obtain the damping complement value; Multiply the damping complementarity value by the semantic correlation degree of the maintenance perturbation to obtain the spatial takeover weight; The dynamic compensation coefficient is obtained by adding the spatial takeover weight to the anti-congestion time damping factor. The compensated impact energy is obtained by multiplying the momentum of the instruction structure, the dynamic compensation coefficient, and the time interval between the arrival of adjacent industrial control instructions.

8. A method for intercepting malicious control commands in a power control protocol according to claim 7, characterized in that, The mean and standard deviation of historical impact energies within the statistical window are used to derive the baseline energy upper limit. A dynamic threshold baseline is generated by multiplying the upper limit by a constant multiplier constructed using the window length, including: Retrieve all compensated state impact energy records within the historical window in the historical cache queue; Calculate the arithmetic mean of all compensated-state impact energy records within the sliding window; Calculate the standard deviation of all compensated-state impact energy records within the sliding window; The arithmetic mean and the standard deviation are added together to obtain the upper limit of the basic statistical energy. Add the natural number one to the length of the sliding window, and calculate the natural logarithm of the sum; Divide the natural logarithm by the sliding window length and add the natural number one to obtain the adaptive fault-tolerant multiplier. Multiplying the adaptive fault-tolerant multiplier by the basic statistical energy upper limit yields the adaptive dynamic energy threshold baseline.

9. A method for intercepting malicious control commands in a power control protocol according to claim 8, characterized in that, The step of subtracting the compensated impact energy from the dynamic threshold baseline and outputting a decision value, where a positive difference indicates packet rejection and discard, and a negative difference indicates packet passage and updating of the historical window, includes: Subtracting the adaptive dynamic energy threshold baseline from the compensated state impact energy yields the energy excess value. Extract the step sign output result where the energy exceeds the difference as the control command interception decision variable; When the control command interception decision variable is determined to be positive one, an interception action is issued on the device port and the data packet of the current message is directly discarded; When the control command interception decision variable is determined to be negative one or zero, the current message is allowed to pass, and the compensated state impact energy value of the current message is pushed into the historical sliding window to update the basic record.