A power monitoring security emergency response dispatching system combined with attack chain restoration

By deploying data acquisition and attack chain analysis modules in the power monitoring system, attack chains can be blocked and redirected to backup networks in real time. This solves the problem of untimely data processing and attack chain blocking in existing technologies, enabling rapid interception and efficient emergency response, and ensuring the safe and stable operation of the power monitoring system.

CN122247694A · Pending · Publication Date: 2026-06-19 · GUIZHOU POWER GRID CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUIZHOU POWER GRID CO LTD
Filing Date
2026-03-26
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing power monitoring systems are not well-suited for timely blocking of attack chains during data processing, leading to further losses.

Method used

A power monitoring and security emergency response scheduling system combining attack chain reconstruction was designed, including a data acquisition module, an attack chain analysis module, a security emergency backup network module, an emergency strategy generation module, and a scheduling execution module. Through distributed data acquisition and machine learning algorithms, the system analyzes the attack chain, blocks attacks in real time, and redirects them to the backup network for in-depth analysis to generate targeted defense strategies.

Benefits of technology

It enables rapid interception of attack chains in the early stages of an attack, reducing system losses, ensuring the basic safe operation of the power monitoring system, providing additional security, and quickly analyzing and generating defense strategies to improve emergency response efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247694A_ABST

Abstract

This invention discloses a power monitoring security emergency response and dispatching system that combines attack chain reconstruction, comprising: a data acquisition module connected to a main data processing module; the main data processing module connected to a security emergency backup network module, an attack chain analysis module, an emergency strategy generation module, and a dispatch execution module via the main network of the power monitoring system; the attack chain analysis module is signal-connected to an attack blocking module that blocks attack data and a guiding module that directs attacks to the backup data network for security processing; the security emergency backup network module is internally equipped with an emergency processing unit for analyzing and processing attack information; it can quickly process and analyze attack chain information and generate targeted defense strategies; improve the efficiency of the entire system in responding to attacks; and solve the technical problems of existing emergency response and dispatching systems that are inconvenient to block attack chain intrusions in a timely manner during data processing, leading to further expansion of losses.

Description

Technical Field

[0001] This invention belongs to the field of power monitoring technology, and in particular relates to a power monitoring security emergency response and dispatching system that combines attack chain reconstruction.

Background Technology

[0002] In the digital age, power monitoring systems, as critical infrastructure in the power industry, play a vital role in ensuring the safe and stable operation of the power system. With the rapid development of information technology and the increasing sophistication of cyberattack methods, power monitoring systems face severe security threats. An attack could lead to serious consequences such as power outages and equipment damage, disrupting normal societal operations and people's daily lives. Therefore, establishing an efficient power monitoring and security emergency response and dispatch system has become an urgent priority.

[0003] In the process of reconstructing the attack chain and taking targeted defensive measures, the emergency response dispatch system faces challenges due to the complex network environment of the power monitoring system, the variety of equipment, and the wide range of data sources and formats. This process requires a considerable amount of time for data processing, which makes it difficult to promptly block the intrusion of the attack chain, leading to further losses.

Summary of the Invention

[0004] The technical problem to be solved by this invention is to provide a power monitoring security emergency response and dispatch system that combines attack chain reconstruction, so as to solve the problem that the existing emergency response and dispatch system is not convenient to block the intrusion of the attack chain in time during the data processing process, which leads to further expansion of losses.

[0005] Technical solution of the present invention:

[0006] A power monitoring security emergency response and dispatching system combining attack chain reconstruction is disclosed. The system includes: a data acquisition module connected to a main data processing module; the main data processing module is connected to a security emergency backup network module, an attack chain analysis module, an emergency strategy generation module, and a dispatch execution module through the main network of the power monitoring system; the attack chain analysis module is signal-connected to an attack blocking module that blocks attack data and a guiding module that directs attacks to the backup data network for security processing; the security emergency backup network module is internally equipped with an emergency processing unit for analyzing and processing attack information.

[0007] The data acquisition module is used to collect data from various devices in the power monitoring system network environment. The data acquisition module adopts a distributed architecture, deploying lightweight acquisition agents at each key node of the power monitoring system. The acquisition agents are connected to the devices at their respective nodes through network interfaces to obtain network traffic data, device log data, and system operating status data generated by the devices in real time.

[0008] The data acquisition agent internally includes a data acquisition unit, a data preprocessing unit, and a data transmission unit. The data acquisition unit reads raw data from a specific interface or file system of the device. The data preprocessing unit performs preliminary screening and formatting on the raw data to remove redundant information. The data transmission unit sends the processed data to the central data storage server through an encrypted network channel.

[0009] When the main system suffers a severe attack, the security emergency backup network module takes over some critical power monitoring tasks according to a preset switching mechanism, and obtains the operating parameters of critical power equipment through remote control technology. The security emergency backup network module is equipped with independent data processing capabilities and a security protection system, which processes and analyzes the attack chain information from the main system, reconstructs the full picture of the attack chain, generates targeted defense strategies, and feeds them back to the main system. When the main system suffers a severe attack and cannot work normally, it temporarily takes over some critical power monitoring tasks.

[0010] The attack chain analysis module includes a data parsing submodule, a correlation analysis submodule, and a model training submodule. The data parsing submodule receives various types of data from the data acquisition module and parses them into structured data that can be analyzed. The correlation analysis submodule uses a preset correlation analysis algorithm to perform in-depth analysis on the structured data, mining the time series relationships, event correlation relationships, and data features between the data, thereby constructing an attack chain model. The model training submodule uses machine learning algorithms to train and optimize the model of the correlation analysis submodule using historical attack data and normal behavior data.

[0011] The emergency response strategy generation module includes a strategy matching unit, a strategy adjustment unit, and a strategy library management unit. The strategy matching unit searches for matching emergency response strategies in a pre-defined security strategy library based on the attack chain analysis module's results. The strategy adjustment unit adjusts and optimizes the matched strategies according to the actual situation. The strategy library management unit maintains and updates the security strategy library, including adding new strategies, deleting outdated strategies, and adjusting existing strategies based on the effectiveness of emergency response. Based on the attack chain analysis results, it generates emergency response strategies that conform to the actual situation and dynamically manages the security strategy library to continuously adapt to new security threats.

[0012] The scheduling and execution module includes a resource scheduling unit, an execution control unit, and a feedback unit. The resource scheduling unit allocates network equipment, security protection software, and human resources based on the emergency response strategy formulated by the emergency strategy generation module. The execution control unit controls and executes the allocation of resources and emergency handling operations. The feedback unit collects execution data in real time during the emergency handling process and feeds this data back to the emergency strategy generation module. Through the feedback mechanism, it provides a basis for optimizing the emergency strategy, continuously improves the emergency strategy, and enhances the system's emergency response capability.

[0013] The attack blocking module monitors the network traffic of the power monitoring system in real time, analyzes the traffic data through a preset attack signature database, and immediately activates the interception mechanism when it detects traffic data that matches the attack signature database. The attack blocking module blocks attacks through network access control lists and firewall rules.

[0014] Once the attack chain is detected, the guidance module directs the attack chain information to the standby idle network. The standby idle network is an independent network environment physically isolated from the main power monitoring network. Through a dedicated information transmission channel, the traffic data and attack characteristic information of the attack chain are completely transmitted to the standby idle network.

[0015] The emergency processing unit employs distributed computing and parallel processing of attack-related data to shorten the overall data processing time.

[0016] The beneficial effects of this invention are:

[0017] This invention, through its attack chain interception module, enables rapid interception at the initial stage of an attack chain intrusion, preventing further escalation of the attack and reducing the time the system is under attack, thereby minimizing losses. By directing attack chain information to a backup idle network, it not only allows for in-depth attack analysis but also effectively isolates the attack, preventing continued damage to the main system. The security emergency backup network module provides additional security, capable of taking over critical tasks when the main system malfunctions, ensuring the basic safe operation of the power monitoring system. The backup network possesses independent data processing capabilities, enabling rapid processing and analysis of attack chain information, generating targeted defense strategies and feeding them back to the main system, thus improving the overall system's efficiency in responding to attacks.

[0018] It solves the technical problems of existing emergency response and dispatch systems, such as the inability to promptly block attack chains during data processing, which leads to further losses.

Description of the Drawings

[0019] Figure 1 is a schematic diagram of the system structure of the present invention.

Detailed Description

[0020] A power monitoring security emergency response and dispatch system combining attack chain reconstruction includes a data acquisition module for collecting data from various sources and in diverse formats from various devices in the complex network environment of the power monitoring system. The data acquisition module is signal-connected to a main data processing module for processing the acquired data. The main data processing module is signal-connected to a security emergency backup network module, which is independent of the main network of the power monitoring system and is used for secure data processing. It also includes an attack chain analysis module, an emergency strategy generation module for emergency processing, and a scheduling execution module for resource scheduling. The attack chain analysis module is signal-connected to an attack blocking module for blocking attack data and a guidance module for guiding attacks to the backup data network for secure processing. The security emergency backup network module is internally equipped with an emergency processing unit for analyzing and processing attack information.

[0021] The data acquisition module adopts a distributed architecture, deploying lightweight acquisition agents at key nodes of the power monitoring system, such as the monitoring host in substations, the control server in power plants, and the core equipment in the power dispatch center. These acquisition agents connect to the devices at their respective nodes via network interfaces, acquiring network traffic data, device log data, and system operating status data generated by the devices in real time. Each acquisition agent contains a data acquisition unit, a data preprocessing unit, and a data transmission unit. The data acquisition unit is responsible for reading raw data from specific interfaces or file systems of the devices. The data preprocessing unit performs preliminary filtering and formatting of the raw data, removing redundant information. The data transmission unit sends the processed data to the central data storage server through an encrypted network channel, achieving real-time and comprehensive acquisition of various security-related data across the entire power monitoring system network. This provides a sufficient data foundation for subsequent attack chain analysis. The distributed acquisition method reduces data omissions and bottlenecks that may arise from single-point acquisition, ensuring data integrity and timeliness. Comprehensive and accurate data acquisition enables the attack chain analysis module to obtain richer information, thereby more accurately reconstructing the attack chain and providing a reliable basis for the formulation of subsequent emergency strategies. Real-time acquisition ensures that the system can promptly detect security threats, buying time for rapid response.
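The acquisition agent of paragraphs [0007]-[0008] and [0021] (and claims 2-3) is described as three units: acquisition, preprocessing, and transmission over an encrypted channel. The following stand-alone Python sketch is an added example, not code from the patent or from Guizhou Power Grid; it shows one way those three units fit together on a substation host. The raw syslog lines, the host name and the HMAC key are constructed; TLS is assumed to be supplied by the transport, and the frame format (sequence number plus HMAC-SHA256) is an assumed design that gives the collector tamper and replay detection on top of it, since the patent specifies only "an encrypted network channel".

```python
"""Lightweight acquisition agent sketch (added example, stdlib only).

Acquisition unit: read raw lines from the device's log interface.
Preprocessing unit: parse to a fixed schema, keep security-relevant records, drop duplicates.
Transmission unit: frame records with a sequence number and HMAC for the collector.
"""
import hashlib
import hmac
import json
import re

# Constructed raw records, as an agent might read them on a substation monitoring host.
RAW_SYSLOG = [
    "Mar 26 10:00:01 sub-host01 sshd[2113]: Failed password for root from 10.20.5.9 port 51022 ssh2",
    "Mar 26 10:00:01 sub-host01 sshd[2113]: Failed password for root from 10.20.5.9 port 51022 ssh2",  # duplicate
    "Mar 26 10:00:07 sub-host01 sshd[2119]: Accepted password for operator from 10.20.5.9 port 51030 ssh2",
    "Mar 26 10:00:09 sub-host01 kernel: eth0: link is up",  # not security-relevant, dropped
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)")


def acquire(lines):
    """Acquisition unit: yield raw lines as read from the log interface."""
    for line in lines:
        yield line


def preprocess(raw_lines):
    """Preprocessing unit: structure the records, keep only SSH auth events, drop exact duplicates."""
    seen = set()
    for line in raw_lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        s = SSH_RE.search(m["msg"])
        if not s:
            continue  # redundant / non-security record
        rec = {"ts": m["ts"], "host": m["host"], "type": "ssh_auth",
               "result": s["result"].lower(), "user": s["user"],
               "src": s["src"], "port": int(s["port"])}
        key = json.dumps(rec, sort_keys=True)
        if key in seen:
            continue
        seen.add(key)
        yield rec


class Transmitter:
    """Transmission unit: frame each record with a sequence number and HMAC-SHA256.
    The channel itself is assumed to be TLS; this layer lets the collector detect
    tampering and replay of individual records."""

    def __init__(self, key: bytes, agent_id: str):
        self.key, self.agent_id, self.seq = key, agent_id, 0

    def frame(self, rec) -> bytes:
        self.seq += 1
        body = json.dumps({"agent": self.agent_id, "seq": self.seq, "rec": rec}, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        return body + b"\n" + mac


def verify_frame(key: bytes, frame: bytes, last_seq: int):
    """Collector side: check the MAC first, then require a strictly increasing sequence number."""
    body, _, mac = frame.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered or wrong key
    msg = json.loads(body)
    if msg["seq"] <= last_seq:
        return None  # replayed or reordered frame
    return msg


def run_agent(lines, key: bytes, agent_id: str = "sub-host01-agent"):
    """Run the three units over a batch of raw lines and return the frames to send."""
    tx = Transmitter(key, agent_id)
    return [tx.frame(rec) for rec in preprocess(acquire(lines))]


if __name__ == "__main__":
    for f in run_agent(RAW_SYSLOG, b"constructed-demo-key"):
        print(f.decode())
```

The duplicate line and the kernel link message are discarded before transmission, which is the "remove redundant information" step of the preprocessing unit; the sequence check on the collector is what makes a resent frame detectable even though the channel is encrypted.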

[0022] When the main system suffers a severe attack, the security emergency backup network module takes over some critical power monitoring tasks according to a preset switching mechanism. It obtains the operating parameters of critical power equipment through remote control technology. The security emergency backup network module has independent data processing capabilities and a security protection system. It can process and analyze the attack chain information from the main system, reconstruct the full picture of the attack chain, generate targeted defense strategies and feed them back to the main system. Furthermore, when the main system suffers a severe attack and cannot work normally, it temporarily takes over some critical power monitoring tasks.

[0023] The attack chain analysis module mainly consists of a data parsing submodule, a correlation analysis submodule, and a model training submodule. The data parsing submodule receives various types of data from the data acquisition module and parses them into structured data suitable for analysis. The correlation analysis submodule uses preset correlation analysis algorithms to perform in-depth analysis of the structured data, mining time-series relationships, event correlations, and data features to construct an attack chain model. The model training submodule employs machine learning algorithms, such as decision tree algorithms or support vector machine algorithms, to train and optimize the model in the correlation analysis submodule using historical attack data and normal behavior data, improving the accuracy of attack chain reconstruction. Based on the collected data, the module accurately reconstructs the complete process of attack behavior, clarifying the attack's starting point, path, and target, providing a clear direction for emergency response strategy formulation. Through continuous training with machine learning algorithms, the system can adapt to constantly changing attack patterns, improving its detection and analysis capabilities. Accurately reconstructing the attack chain helps to deeply understand the attacker's intentions and methods, enabling targeted emergency response strategies to address security issues. Continuously optimized analysis models can promptly detect new attacks, improving the overall security of the system.
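Paragraphs [0010] and [0023] (and claim 5) describe the correlation submodule as mining time-series relationships and event correlations among parsed records to reconstruct the attack's starting point, path and target. The following Python sketch is an added example, not code from the patent; it implements one concrete correlation rule of that kind: two parsed events are linked when the later one originates from the host the earlier one reached, within a time window, and a walk from external entry events to control-plane events yields the chain. The events, host names and event types are constructed, and the machine-learning training submodule is not shown.

```python
"""Attack chain reconstruction by time-ordered pivot correlation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str         # originating host / IP
    dst: str         # host reached
    kind: str        # normalised event type from the parsing submodule
    detail: str = ""


def T(clock: str) -> datetime:
    return datetime.fromisoformat("2026-03-26T" + clock)


# Constructed, already-parsed records from three sources (IDS flow, host log, SCADA log).
EVENTS = [
    Event(T("10:00:01"), "203.0.113.7", "vpn-gw", "vpn_login", "user=operator"),
    Event(T("10:00:40"), "vpn-gw", "eng-ws01", "rdp_login", "user=operator"),
    Event(T("10:01:15"), "eng-ws01", "eng-ws01", "tool_exec", "credential dump"),
    Event(T("10:02:02"), "eng-ws01", "scada-srv", "smb_login", "user=svc_scada"),
    Event(T("10:02:50"), "scada-srv", "rtu-17", "iec104_cmd", "breaker open"),
    Event(T("10:01:00"), "10.20.5.3", "hmi-02", "http_get", "/status"),  # unrelated noise
]

ENTRY_KINDS = {"vpn_login", "ssh_login", "http_post"}          # where a chain may start
TARGET_KINDS = {"iec104_cmd", "modbus_write", "dnp3_operate"}  # control-plane actions
WINDOW = timedelta(minutes=30)                                  # assumed correlation window


def linked(a: Event, b: Event) -> bool:
    """Time-series + pivot rule: b starts from where a landed, after a, within WINDOW."""
    return a.ts < b.ts <= a.ts + WINDOW and b.src == a.dst


def reconstruct_chains(events):
    """Return every chain of linked events that runs from an entry event to a target event."""
    evs = sorted(events, key=lambda e: e.ts)
    chains = []

    def walk(path):
        last = path[-1]
        if last.kind in TARGET_KINDS:
            chains.append(list(path))
            return
        for nxt in evs:
            if nxt not in path and linked(last, nxt):
                walk(path + [nxt])

    for e in evs:
        if e.kind in ENTRY_KINDS:
            walk([e])
    return chains


def most_complete(chains):
    """Several chains can share entry and target; keep the one explaining the most events."""
    return max(chains, key=len)


def summarise(chain):
    """Starting point, path and target: the three things the module must clarify."""
    return {"start": chain[0].src,
            "path": [e.dst for e in chain],
            "target": chain[-1].dst,
            "kinds": [e.kind for e in chain]}


if __name__ == "__main__":
    found = reconstruct_chains(EVENTS)
    print(len(found), "candidate chain(s)")
    print(summarise(most_complete(found)))
```

On the constructed data the walk finds two candidate chains (with and without the local credential-dump step); the longer one is the complete reconstruction, and the unrelated HMI poll is never linked in because no chain event lands on its source host.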

[0024] The emergency strategy generation module includes a strategy matching unit, a strategy adjustment unit, and a strategy library management unit. The strategy matching unit searches for matching emergency strategies in a pre-defined security strategy library based on the attack chain analysis module's results. The strategy adjustment unit adjusts and optimizes the matched strategies according to actual conditions, such as the current operating status of the power monitoring system and available resources. The strategy library management unit is responsible for maintaining and updating the security strategy library, including adding new strategies, deleting outdated strategies, and adjusting existing strategies based on emergency response effectiveness. Based on the attack chain analysis results, it generates emergency response strategies that conform to the actual situation, ensuring the effectiveness and feasibility of the strategies. Simultaneously, it can dynamically manage the security strategy library, allowing it to continuously adapt to new security threats. The generated emergency strategies are highly targeted, enabling rapid and effective resolution of security incidents and reducing the impact of attacks on the power monitoring system. The dynamically updated strategy library gives the system better adaptability and the ability to cope with constantly changing network threats.

[0025] The scheduling and execution module consists of a resource scheduling unit, an execution control unit, and a feedback unit. The resource scheduling unit allocates network equipment, security software, and human resources according to the emergency response strategy formulated by the emergency strategy generation module. The execution control unit is responsible for the specific control and execution of resource allocation and emergency handling operations, ensuring that all operations are carried out accurately and without error according to the strategy requirements. The feedback unit collects execution data in real time during the emergency handling process, including whether resource allocation was successful and whether the emergency operation achieved the expected results, and feeds this data back to the emergency strategy generation module, which is responsible for the specific implementation of the emergency response strategy. By rationally allocating resources, it can quickly and effectively respond to security incidents in the power monitoring system. Simultaneously, the feedback mechanism provides a basis for optimizing the emergency strategy. Efficient scheduling and execution can quickly mitigate security threats, reduce downtime and losses in the power monitoring system, and the feedback mechanism helps to continuously improve the emergency strategy and enhance the system's emergency response capabilities.

[0026] The attack blocking module monitors the network traffic of the power monitoring system in real time and analyzes the traffic against a preset attack signature database. When traffic matching the database is detected, an interception mechanism is activated immediately. For example, for access from a known malicious IP address, the network connection to that address is severed directly, preventing further attack traffic from entering the system. Its design principle is feature extraction from known attack patterns, with rapid comparison giving real-time identification and interception of attack behavior. This blocks attacks in their early stages, preventing their continuation and spread and reducing potential losses. Once an attack chain is detected, the guidance module directs the related information to a backup idle network. This backup idle network is an independent network environment physically isolated from the main power monitoring network. Through a dedicated information transmission channel, the attack chain traffic data, attack characteristics, and other information are transmitted in full to the backup idle network. The purpose is twofold: first, to continue in-depth analysis of the attack chain without interference from the main system; and second, to redirect the attack to the backup network, preventing continued damage to the main power monitoring system. For example, when a new type of ransomware attack is detected, information such as the propagation path and the characteristics of infected files is redirected to the backup idle network, while the main system continues to operate and the normal operation of power monitoring is unaffected. The emergency processing unit uses distributed computing and parallel processing to handle attack-related data quickly, shortening the overall data processing time.
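Paragraphs [0013]-[0014] and [0026] (claims 8-9) describe blocking through network access control lists and firewall rules after a signature match, and guidance of attack traffic to the backup network, which paragraph [0028] says is done with network address translation and traffic redirection. The following Python sketch is an added example, not code from the patent; it turns signature matches over captured flows into nftables commands: a drop rule for flows matching a known-bad signature, and a DNAT rule steering flows matching an "analyse" signature to a collector in the backup network. The signature database, the flows, the addresses, the table names and the per-signature block/redirect action are all constructed assumptions; the commands are returned as strings for an operator or the scheduling execution module to apply, and nothing here modifies the host.

```python
"""Signature matching to firewall ACL and NAT-redirect rules (added example).

Rules are generated as nft command strings only; applying them is left to the
scheduling execution module or an operator.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

BACKUP_COLLECTOR = "10.99.0.5"   # assumed analysis host inside the backup network


@dataclass
class Signature:
    name: str
    action: str                       # "block" (ACL/firewall) or "redirect" (guidance via NAT)
    src_net: Optional[str] = None     # CIDR of a known-bad source, if the signature is address-based
    dport: Optional[int] = None
    payload: Optional[str] = None     # regex over the first payload bytes


# Constructed signature database.
SIGNATURES = [
    Signature("known-bad-source", "block", src_net="203.0.113.0/24"),
    # IEC 60870-5-104 STARTDT act frame (68 04 07 00 00 00) to port 2404
    Signature("iec104-startdt", "redirect", dport=2404, payload=r"^\x68\x04\x07\x00\x00\x00"),
    # Modbus/TCP function 0x0F (write multiple coils): 7-byte MBAP header then the function code
    Signature("modbus-write-coils", "redirect", dport=502, payload=r"^.{7}\x0f"),
]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


def matches(sig: Signature, flow: Flow) -> bool:
    """A signature matches only when every field it specifies matches the flow."""
    if sig.src_net and ipaddress.ip_address(flow.src) not in ipaddress.ip_network(sig.src_net):
        return False
    if sig.dport is not None and flow.dport != sig.dport:
        return False
    if sig.payload is not None and not re.match(sig.payload.encode(), flow.payload, re.DOTALL):
        return False
    return True


# One-time setup: a filter table for blocking and a nat table for redirection.
TABLE_SETUP = [
    "nft add table inet emr_filter",
    "nft add chain inet emr_filter forward '{ type filter hook forward priority 0; policy accept; }'",
    "nft add table ip emr_nat",
    "nft add chain ip emr_nat prerouting '{ type nat hook prerouting priority -100; }'",
]


def rules_for(flow: Flow, signatures=SIGNATURES):
    """Return (matched signature names, nft commands) for one flow. Any block match wins over redirect."""
    hits = [s for s in signatures if matches(s, flow)]
    cmds = []
    if any(s.action == "block" for s in hits):
        cmds.append(f"nft add rule inet emr_filter forward ip saddr {flow.src} drop")
    elif hits:
        cmds.append(f"nft add rule ip emr_nat prerouting ip saddr {flow.src} "
                    f"{flow.proto} dport {flow.dport} dnat to {BACKUP_COLLECTOR}:{flow.dport}")
    return [s.name for s in hits], cmds


def plan(flows):
    """Emit table setup once, then one deduplicated rule per flagged flow."""
    cmds, seen, hits_out = list(TABLE_SETUP), set(), {}
    for f in flows:
        names, fc = rules_for(f)
        if names:
            hits_out[(f.src, f.dst, f.dport)] = names
        for c in fc:
            if c not in seen:
                seen.add(c)
                cmds.append(c)
    return hits_out, cmds


# Constructed flows: a known-bad source, an engineering workstation issuing control-plane
# frames, and a benign IEC 104 TESTFR keepalive.
FLOWS = [
    Flow("203.0.113.7", "10.20.1.10", "tcp", 2404, b"\x68\x04\x07\x00\x00\x00"),
    Flow("10.20.5.31", "10.20.1.10", "tcp", 2404, b"\x68\x04\x07\x00\x00\x00"),
    Flow("10.20.5.31", "10.20.1.12", "tcp", 502, bytes(7) + b"\x0f\x00\x00\x00\x08\x01\xff"),
    Flow("10.20.5.40", "10.20.1.10", "tcp", 2404, b"\x68\x04\x43\x00\x00\x00"),
]

if __name__ == "__main__":
    hits, commands = plan(FLOWS)
    for key, names in hits.items():
        print(key, "->", names)
    print("\n".join(commands))
```

A DNAT redirect moves the attacker's live session into the backup network, so the segment behind it is no longer isolated from that attacker. The patent describes the backup network both as physically isolated and fed over a dedicated channel ([0014]) and as the place that takes over critical monitoring tasks ([0009]); an implementer of the NAT-based guidance of [0028] should therefore keep the analysis collector and the takeover capability on separate segments, otherwise the redirect itself becomes a path into the fallback system.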

[0027] All electrical components mentioned in the text are connected to an external main controller and 220V AC mains power, and the main controller can be a conventional known device such as a computer for control.

[0028] In operation, the data acquisition module collects network traffic, equipment logs, and system operating status data in real time at the various nodes of the power monitoring system through distributed acquisition agents. This multi-source heterogeneous data is transmitted to the main data processing module for preprocessing. The main data processing module coordinates synchronously with the attack chain analysis module, the security emergency backup network module, the emergency strategy generation module, and the scheduling execution module. The attack chain analysis module employs machine learning algorithms such as decision trees and support vector machines, together with correlation analysis algorithms, to mine the data deeply and reconstruct the starting point, path, and target of the attack chain. The analysis results trigger the attack blocking module, which blocks attacks through network access control lists, firewall rules, and similar methods, while the guidance module simultaneously uses network address translation and traffic redirection to direct the attack to the security emergency backup network module. The emergency processing unit within the security emergency backup network module uses distributed computing and parallel processing to analyze the attack data quickly, generate defense strategies, and feed them back to the main system. If the main system is severely damaged, the backup network module takes over critical monitoring tasks according to a preset switching mechanism. The emergency strategy generation module combines the attack chain analysis results with the security strategy library to generate targeted emergency plans. The scheduling execution module allocates network devices, security software, and human resources to execute the strategies and reports execution status in real time through its feedback mechanism. The emergency strategy generation module updates the security strategy library accordingly, achieving dynamic optimization and efficient emergency response throughout the entire process.

[0029] In summary, this invention deploys acquisition agents at the various nodes of the power monitoring system through a data acquisition module. The multi-source data acquired in real time in this distributed way, including network traffic, device logs, and system operating status, is preprocessed by the main data processing module and then distributed synchronously to the related modules. The attack chain analysis module utilizes machine learning algorithms such as decision trees and support vector machines, along with correlation analysis algorithms, to mine the time series, event correlations, and feature information within the data and reconstruct the entire attack chain accurately. The analysis results trigger the attack blocking module, which blocks attacks quickly using network access control lists and firewall rules. Simultaneously, the guidance module uses network address translation and traffic redirection to redirect attacks toward the security emergency backup network module, whose internal emergency processing unit employs distributed computing and parallel processing to analyze the attack data rapidly and generate defense strategies. The emergency strategy generation module combines the attack chain analysis results with the security strategy library to generate targeted solutions. The scheduling execution module allocates network devices, security software, and human resources to execute the strategies and reports execution status in real time through its feedback mechanism, driving the emergency strategy generation module to update the security strategy library dynamically. If the main system is severely damaged, the security emergency backup network module takes over critical monitoring tasks according to a preset switching mechanism. Through the coordinated linkage of all modules, the entire process achieves rapid attack interception, in-depth analysis, and efficient response, ensuring the safe and stable operation of the power monitoring system.

Claims

1. A power monitoring and security emergency response dispatch system combining attack chain reconstruction, characterized in that: The system includes: a data acquisition module connected to the main data processing module; the main data processing module is connected to the power monitoring system main network, a security emergency backup network module, an attack chain analysis module, an emergency strategy generation module, and a scheduling execution module; the attack chain analysis module is signal-connected to an attack blocking module that blocks attack data and a guiding module that directs attacks to the backup data network for security processing; the security emergency backup network module has an emergency processing unit internally configured to analyze and process attack information.

2. The power monitoring and security emergency response dispatch system combining attack chain reconstruction according to claim 1, characterized in that: The data acquisition module is used to collect data from various devices in the power monitoring system network environment; The data acquisition module adopts a distributed architecture, deploying lightweight acquisition agents at each key node of the power monitoring system. The acquisition agents are connected to the devices at their respective nodes through network interfaces to acquire network traffic data, device log data, and system operating status data generated by the devices in real time.

3. The power monitoring and security emergency response dispatch system combining attack chain reconstruction according to claim 2, characterized in that: The data acquisition agent internally includes a data acquisition unit, a data preprocessing unit, and a data transmission unit; the data acquisition unit reads raw data from a specific interface or file system of the device; the data preprocessing unit performs preliminary screening and formatting on the raw data to remove redundant information; The data transmission unit sends the processed data to the central data storage server through an encrypted network channel.

4. The power monitoring and security emergency response dispatch system combining attack chain reconstruction according to claim 1, characterized in that: When the main system suffers a severe attack, the security emergency backup network module takes over some critical power monitoring tasks according to a preset switching mechanism, and obtains the operating parameters of critical power equipment through remote control technology. The security emergency backup network module is equipped with independent data processing capabilities and a security protection system, which processes and analyzes the attack chain information from the main system, reconstructs the full picture of the attack chain, generates targeted defense strategies, and feeds them back to the main system. When the main system suffers a severe attack and cannot work normally, it temporarily takes over some critical power monitoring tasks.

5. A power monitoring and security emergency response dispatch system combining attack chain reconstruction as described in claim 1, characterized in that: The attack chain analysis module includes a data parsing submodule, a correlation analysis submodule, and a model training submodule; the data parsing submodule receives various types of data from the data acquisition module and parses them into structured data that can be analyzed. The correlation analysis submodule uses a preset correlation analysis algorithm to perform in-depth analysis on structured data, mining the time series relationships, event correlation relationships and data characteristics between data, thereby constructing an attack chain model; The model training submodule uses machine learning algorithms to train and optimize the model in the correlation analysis submodule using historical attack data and normal behavior data.

6. A power monitoring and security emergency response dispatch system combining attack chain reconstruction as described in claim 1, characterized in that: The emergency response strategy generation module includes a strategy matching unit, a strategy adjustment unit, and a strategy library management unit. The strategy matching unit searches for matching emergency response strategies in a pre-defined security strategy library based on the attack chain analysis module's results. The strategy adjustment unit adjusts and optimizes the matched strategies according to the actual situation. The strategy library management unit maintains and updates the security strategy library, including adding new strategies, deleting outdated strategies, and adjusting existing strategies based on the effectiveness of emergency response. Based on the attack chain analysis results, it generates emergency response strategies that conform to the actual situation and dynamically manages the security strategy library to continuously adapt to new security threats.

7. A power monitoring and security emergency response dispatch system combining attack chain reconstruction as described in claim 1, characterized in that: The scheduling and execution module includes a resource scheduling unit, an execution control unit, and a feedback unit. The resource scheduling unit allocates network equipment, security protection software, and human resources based on the emergency response strategy formulated by the emergency strategy generation module. The execution control unit controls and executes the allocation of resources and emergency handling operations. The feedback unit collects execution data in real time during the emergency handling process and feeds this data back to the emergency strategy generation module. Through the feedback mechanism, it provides a basis for optimizing the emergency strategy, continuously improves the emergency strategy, and enhances the system's emergency response capability.

8. A power monitoring and security emergency response dispatch system combining attack chain reconstruction as described in claim 1, characterized in that: The attack blocking module monitors the network traffic of the power monitoring system in real time, analyzes the traffic data through a preset attack signature database, and immediately activates the blocking mechanism when it detects traffic data that matches the attack signature database. The attack blocking module blocks attacks through network access control lists and firewall rules.

9. A power monitoring and security emergency response dispatch system combining attack chain reconstruction as described in claim 1, characterized in that: Once the attack chain is detected, the guidance module directs the attack chain information to the standby idle network. The standby idle network is an independent network environment physically isolated from the main power monitoring network. Through a dedicated information transmission channel, the traffic data and attack characteristic information of the attack chain are completely transmitted to the standby idle network.

10. A power monitoring security emergency response and dispatching system combining attack chain reconstruction according to claim 1, characterized in that: The emergency response unit employs distributed computing and parallel processing of attack-related data to shorten the overall data processing time.