A method for detecting PTP protocol attacks, an electronic device and a storage medium

By constructing a Kalman filter state-space model and a bidirectional cumulative bias mechanism, the PTP message timestamp list is analyzed to identify PTP protocol attacks, solving the problem of insufficient identification of delay attacks in existing technologies and achieving high-precision attack detection.

CN122247746A · Pending · Publication Date: 2026-06-19 · HANGZHOU GUYI NETWORK TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU GUYI NETWORK TECH CO LTD
Filing Date
2026-04-28
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing technologies cannot effectively identify PTP protocol attacks that do not modify message content, especially delay attacks, resulting in low detection accuracy.

Method used

By constructing a Kalman filter state space model, parsing the PTP packet timestamp list, obtaining the Kalman filter residuals, and using a bidirectional cumulative bias mechanism to determine attacks, the attack type is identified by combining path delay and time bias thresholds.

Benefits of technology

It achieves highly sensitive attack identification of the PTP protocol, reduces the false negative rate, improves detection accuracy, and identifies multiple attack types without relying on message content modification.


Abstract

This invention provides a PTP protocol attack detection method, electronic device, and storage medium, relating to the Internet of Things (IoT) field. The method involves parsing the PTP message corresponding to the current synchronization cycle to obtain a timestamp list; defining a system state vector and establishing state transition equations and observation matrix equations to construct a Kalman filter state-space model; obtaining the Kalman filter residuals using actual observations based on the timestamp list and theoretical observations predicted based on the Kalman filter state-space model, and calculating positive and negative cumulative biases; determining that the current PTP protocol is under attack when the positive cumulative bias is greater than a preset cumulative bias threshold or the negative cumulative bias is less than a negative preset cumulative bias threshold. This method can identify various attack types, including delay attacks, without relying on message content modification, reducing the false negative rate and significantly improving the overall detection accuracy.

Description

Technical Field

[0001] This invention relates to the field of the Internet of Things, and in particular to a PTP protocol attack detection method, electronic device, and storage medium.

Background Technology

[0002] In critical infrastructures such as smart grids, 5G communications, and industrial automation, microsecond or even nanosecond-level time synchronization is crucial. The Precision Time Protocol (PTP, IEEE 1588v2 standard) is widely used due to its high-precision synchronization capabilities. PTP achieves synchronization by exchanging timestamped messages between the master and slave clocks to calculate time deviations and path delays. With the evolution of network attack methods, attacks against the PTP protocol are becoming increasingly frequent and covert, mainly including: master clock spoofing attacks (attackers send higher-priority Announce messages, illegally seizing the master clock position and distributing incorrect time information), delay attacks (attackers intercept legitimate PTP messages and introduce artificial physical delays, creating asymmetric network transmission delays, causing slave clocks to calculate incorrect time deviations, thereby disrupting physical-level system synchronization), and transparent clock manipulation (attackers tamper with correction fields in switches, interfering with path delay calculations).

[0003] In existing technologies, security protection for the PTP protocol mainly relies on cryptographic-based security authentication mechanisms. By adding an authentication field to the PTP message, the receiving end performs integrity verification and identity comparison on the message. If the verification fails, it is determined that an attack has occurred and the message is discarded.

[0004] However, the above method has the following technical problem: it can only identify attacks in which the message content has been tampered with or the source is illegitimate, such as a spoofed master clock attack. For a delay attack, the attacker only needs to intercept and delay legitimate messages without modifying the message content or signature. In this case the receiver's identity verification still passes, but the synchronization time the slave clock calculates from the delayed timestamps is incorrect. Therefore, the above method cannot effectively identify attacks that do not modify the message content, resulting in a high false negative rate and consequently low overall detection accuracy.

Summary of the Invention

[0005] To address the aforementioned technical problems, the technical solution adopted by this invention is as follows: According to a first aspect of the present invention, a method for detecting PTP protocol attacks is provided, the method comprising the following steps: S1. Parse the PTP message corresponding to the current synchronization period k and obtain the timestamp list L_k corresponding to k.

[0006] S2. Construct the Kalman filter state-space model.

[0007] S3. Based on L_k and the Kalman filter state-space model, obtain the Kalman filter residual γ_k corresponding to t_k, the end time of k.

[0008] S4. If S1_k > U or S2_k < -U, the current PTP protocol is under attack; S1_k is the positive cumulative deviation corresponding to t_k, S2_k is the negative cumulative deviation corresponding to t_k, and U is the preset cumulative deviation threshold; S1_k = max(0, S1_{k-1} + γ_k - p); S2_k = min(0, S2_{k-1} + γ_k + p); p is the preset drift tolerance parameter.

[0009] S5. When it is determined that the current PTP protocol is under attack: if Q2_k - Q2_{k-1} > Y1, the attack type is determined to be a delay attack; if Q2_k - Q2_{k-1} ≤ Y1 and |Q1_k| > Y2, the attack type is determined to be a timestamp forgery attack; if the packet frequency is abnormal, the attack type is determined to be a distributed denial-of-service attack; otherwise, the attack type is determined to be a slow-gradient attack. Q1_k is the time deviation corresponding to k, Q2_k is the path delay corresponding to k, Q2_{k-1} is the path delay corresponding to the previous synchronization cycle of k, Y1 is the preset delay detection threshold, and Y2 is the preset time deviation threshold.

[0010] According to a second aspect of the present invention, a storage medium is provided, wherein a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the aforementioned method.

[0011] According to a third aspect of the present invention, an electronic device is provided, comprising: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the aforementioned method.

[0012] The present invention has at least the following beneficial effects: This invention provides a PTP protocol attack detection method, electronic device, and storage medium. The method involves parsing the PTP packets corresponding to the current synchronization period to obtain a timestamp list; defining a system state vector and establishing state transition equations and observation matrix equations to construct a Kalman filter state-space model; obtaining the Kalman filter residual corresponding to the end time of the current synchronization period using actual observations based on the timestamp list and theoretical observations predicted based on the Kalman filter state-space model; further, calculating the positive and negative cumulative deviations corresponding to the end time of the current synchronization period based on the Kalman filter residuals; and determining that the current PTP protocol is under attack when the positive cumulative deviation is greater than a preset cumulative deviation threshold or the negative cumulative deviation is less than a negative preset cumulative deviation threshold. As can be seen, this invention achieves dynamic tracking and noise filtering of PTP time series by constructing a Kalman filter state space model, effectively separating normal network jitter from malicious attack deviations; combined with a bidirectional cumulative deviation mechanism, it can keenly capture and accumulate small, continuous asymmetric delays, thereby enabling the identification of various attack types, including delay attacks, without relying on packet content modification, reducing the false negative rate and significantly improving the overall detection accuracy.

Attached Figure Description

[0013] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0014] Figure 1 is a flowchart of a PTP protocol attack detection method provided in an embodiment of the present invention.

Detailed Implementation

[0015] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0016] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar tasks and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or server that comprises a series of steps or units is not necessarily limited to those explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or devices.

[0017] Embodiments of the present invention provide a PTP protocol attack detection method, the method comprising the following steps, as shown in Figure 1: S1. Parse the PTP message corresponding to the current synchronization period k and obtain the timestamp list L_k corresponding to k. L_k includes: the time point at which the master clock sends the Sync message, the time point at which the slave clock receives the Sync message, the time point at which the slave clock sends the Delay_Req message, and the time point at which the master clock receives the Delay_Req message; the PTP message is obtained from the PTP traffic captured at the physical layer.

[0018] Specifically, the PTP message includes: Sync message, Follow_Up message, Delay_Req message, and Delay_Resp message; wherein, the time point at which the master clock sends the Sync message is derived from the Follow_Up message, and the time point at which the master clock receives the Delay_Req message is derived from the Delay_Resp message.

[0019] Furthermore, the time point at which the slave clock receives the Sync message and the time point at which the slave clock sends the Delay_Req message both originate from the physical-layer hardware registers local to the slave clock.

[0020] Specifically, PTP traffic can be captured in real time at the physical layer using a field-programmable gate array (FPGA) or a high-performance network interface card that supports hardware timestamps.

[0021] Furthermore, a finite state machine (FSM) is used to parse the captured PTP traffic, identify and extract Sync, Follow_Up, Delay_Req and Delay_Resp packets to obtain the PTP packet corresponding to k.

[0022] Specifically, the Sync message is a synchronization message, the Follow_Up message is a follow message, the Delay_Req message is a delayed request message, and the Delay_Resp message is a delayed response message.

[0023] S2. Construct the Kalman filter state-space model, including: Define the system state vector X_k = [θ_k α_k]^T corresponding to k; θ_k is the true time deviation corresponding to t_k, the end time of k, and α_k is the relative frequency drift corresponding to t_k. Establish the state transition equation X_k = F × X_{k-1} + W_k, where F is the state transition matrix, X_{k-1} is the system state vector corresponding to the previous synchronization cycle of k, and W_k is the process noise corresponding to k. Establish the observation matrix equation Z_k = H × X_k + V_k, where Z_k is the theoretical observation corresponding to t_k, H is the observation matrix, and V_k is the measurement noise corresponding to k.

[0024] Specifically, the true time difference is the actual time difference between the master clock and the slave clock. It can be understood as the time difference that is not affected by measurement noise, network jitter, etc., and is used to reflect the objective and true level of clock synchronization.

[0025] Specifically, relative frequency drift, also known as crystal oscillator aging rate, is the rate of deviation of the local crystal oscillator frequency from the master clock reference frequency. It characterizes the slow frequency shift trend of the slave clock crystal oscillator caused by hardware and environmental factors such as physical aging, temperature drift, and voltage fluctuations, and is used to reflect the degree of physical aging of the crystal oscillator.

[0026] Specifically, F satisfies the following condition, in which Δt is the synchronization period of the PTP protocol; it can be understood as the time interval between two synchronization operations performed by the master and slave clocks in the PTP protocol.

[0027] Specifically, X_{k-1} = [θ_{k-1} α_{k-1}]^T; θ_{k-1} is the true time deviation corresponding to t_{k-1}, the end time of the previous synchronization period of k, and α_{k-1} is the relative frequency drift corresponding to t_{k-1}.

[0028] Furthermore, if k is the first synchronization period, then let θ_{k-1} = 0 and α_{k-1} = 0.

[0029] Specifically, process noise is a random two-dimensional column vector characterizing the physical random noise generated by the local clock crystal oscillator during the synchronization period; wherein, the physical random noise generated by the local clock crystal oscillator during the synchronization period can be understood as: tiny random fluctuations that cannot be completely eliminated during the operation of the crystal oscillator; the tiny random fluctuations will have a slight impact on the clock state prediction.

[0030] In one specific embodiment, the process noise is obtained based on the frequency stability index provided in the datasheet of the local clock crystal.

[0031] Specifically, the observation matrix is ​​the mapping matrix in the Kalman filter state-space model, used to map the system state vector to a directly measurable observation space, thereby establishing a mathematical relationship between the system state vector and the theoretical observation value.

[0032] Specifically, the measurement noise is the random interference component caused by network delay jitter; it can be understood as: random interference generated during PTP message transmission due to factors such as network congestion and link fluctuations, used to characterize the random deviation between the actual observations obtained based on the timestamp list and the theoretical observations predicted based on the Kalman filter state-space model.

[0033] Through the above steps, a Kalman filter state-space model is constructed based on the inherent physical law that "the drift of the physical crystal oscillator is continuous and slow, without abrupt changes." By accurately decoupling network random jitter (measurement noise) from the physical characteristics of the crystal oscillator (process noise), the Kalman filter state-space model can still adaptively filter normal fluctuations and reduce the false alarm rate even in harsh environments where network jitter fluctuates drastically due to extremely high network load (such as severe congestion). At the same time, by utilizing the characteristic that abnormal delays introduced by attacks can cause drastic jumps in the calculated frequency drift that violate physical laws, a significant residual anomaly is generated between the actual observed value and the theoretical prediction value. This enables highly sensitive identification of various covert attacks, including delay attacks that do not tamper with the message content, significantly reducing the false alarm rate and improving the overall detection accuracy.

[0034] S3. Based on L_k and the Kalman filter state-space model, obtain the Kalman filter residual γ_k corresponding to t_k, where γ_k = Z1_k - Z2_k; Z1_k is the actual observed value corresponding to t_k obtained from L_k, and Z2_k is the theoretical observation value corresponding to t_k predicted by the Kalman filter state-space model.

[0035] Specifically, Z1_k satisfies the following condition: Z1_k = [(L_k2 - L_k1) - (L_k4 - L_k3)] / 2; where L_k1 is the time point in L_k at which the master clock sends the Sync message, L_k2 is the time point in L_k at which the slave clock receives the Sync message, L_k3 is the time point in L_k at which the slave clock sends the Delay_Req message, and L_k4 is the time point in L_k at which the master clock receives the Delay_Req message.

[0036] Specifically, Z2_k satisfies the following condition: Z2_k = ; in it, the prior state estimate of k is obtained based on the system state vector and state transition equation corresponding to the previous synchronization period of k.

[0037] S4. If S1_k > U or S2_k < -U, the current PTP protocol is under attack; S1_k is the positive cumulative deviation corresponding to t_k, S2_k is the negative cumulative deviation corresponding to t_k, and U is the preset cumulative deviation threshold.

[0038] Specifically, S1_k = max(0, S1_{k-1} + γ_k - p); S2_k = min(0, S2_{k-1} + γ_k + p); p is the preset drift tolerance parameter; S1_{k-1} is the positive cumulative deviation corresponding to t_{k-1}, and S2_{k-1} is the negative cumulative deviation corresponding to t_{k-1}; max() is the maximum value function and min() is the minimum value function.

[0039] Specifically, the preset drift tolerance parameter is a residual noise suppression threshold pre-set by those skilled in the art according to actual needs. It is used to characterize the maximum normal residual fluctuation amplitude that the PTP synchronization system can tolerate in the current network environment; for example, 0.303 microseconds, or 0.5 times, 1 times, or 1.5 times the standard deviation of several Kalman filter residuals obtained in a normal network environment without attacks.

[0040] Specifically, the preset drift tolerance parameter is used to determine that when the Kalman filter residual is not greater than the preset drift tolerance parameter, it is a systematic background noise caused by normal aging of the crystal oscillator, temperature drift or network micro-jitter, and is not accumulated or directly cleared to zero, thereby effectively shielding normal fluctuation interference and fundamentally avoiding false alarms triggered by the accumulation of environmental noise.

[0041] Specifically, before the start of the first synchronization cycle, the initial values of both the positive and negative cumulative deviations are set to 0; this can be understood as: if k is the first synchronization cycle, then let S1_{k-1} = 0 and S2_{k-1} = 0.

[0042] Specifically, step S4 also includes: if S1_k ≤ U and S2_k ≥ -U, the PTP protocol is determined not to be under attack.

[0043] Specifically, the method further includes the following steps for obtaining U: S001. Obtain a list of standard Kalman filter residuals, which includes several standard Kalman filter residuals obtained under normal network conditions without attacks.

[0044] Specifically, the standard Kalman filter residual can be obtained experimentally.

[0045] S002. Obtain the standard deviation B of all standard Kalman filter residuals in the standard Kalman filter residual list.

[0046] S003. Obtain U based on B, where U satisfies the following conditions: U = D × B, where D is the preset threshold adjustment coefficient.

[0047] Specifically, the range of values ​​for D is [3, 5].

[0048] Specifically, p < U.

[0049] Through the above steps, the Kalman filter residuals are calculated from the actual observations obtained from the timestamp list and the theoretical observations predicted by the Kalman filter state-space model, and the positive and negative cumulative biases are then calculated from these residuals. The biggest source of interference in the PTP protocol is network latency jitter. Under normal conditions without attacks, the Kalman filter residuals theoretically follow a Gaussian distribution with zero mean and a defined variance, reflecting random network jitter whose positive and negative fluctuations tend to cancel each other out during accumulation. However, under a latency attack, the systematic bias introduced by the attack shifts the residual mean, so the cumulative bias exhibits a unidirectional linear growth trend. When the positive cumulative deviation exceeds the preset cumulative deviation threshold or the negative cumulative deviation is less than the negative preset cumulative deviation threshold, the positive or negative cumulative deviation has exceeded a confidence interval of several standard deviations. This indicates that the deviation is highly unlikely to be caused by random network jitter and is instead caused by human interference; therefore, the current PTP protocol is determined to be under attack. Furthermore, the method implements attack detection based on the CUSUM concept: through the cumulative amplification of small, persistent deviations, it can accurately identify slow, gradual attacks and sub-microsecond micro-delay attacks that are difficult to detect from a single residual. This significantly reduces both the false negative rate and the false positive rate.

[0050] Specifically, the following step is included after step S4: S5. When it is determined that the current PTP protocol is under attack: if Q2_k - Q2_{k-1} > Y1, the attack type is determined to be a delay attack; if Q2_k - Q2_{k-1} ≤ Y1 and |Q1_k| > Y2, the attack type is determined to be a timestamp forgery attack; if the packet frequency is abnormal, the attack type is determined to be a distributed denial-of-service attack; otherwise, the attack type is determined to be a slow-gradient attack. Q1_k is the time deviation corresponding to k, Q2_k is the path delay corresponding to k, Q2_{k-1} is the path delay corresponding to the previous synchronization cycle of k, Y1 is the preset delay detection threshold, and Y2 is the preset time deviation threshold.

[0051] Specifically, the preset delay detection threshold is a threshold pre-set by those skilled in the art based on actual needs to determine whether the change in path delay is abnormal. For example, for a local area network, Y1 is set to 0.587 microseconds, 5 microseconds, 10 microseconds, 20 microseconds, or 50 microseconds; for wide area networks or more complex networks, Y1 is set to 100 microseconds, 300 microseconds, or 500 microseconds; these will not be elaborated upon here.

[0052] Specifically, the preset time deviation threshold is a threshold set by those skilled in the art based on actual needs to determine whether there is an abnormality in the time deviation, such as 1.820 microseconds, 5 microseconds, 10 microseconds, which will not be elaborated here.

[0053] Specifically, Q1_k and Q2_k each satisfy the following conditions: Q1_k = [(L_k2 - L_k1) - (L_k4 - L_k3)] / 2; Q2_k = [(L_k2 - L_k1) + (L_k4 - L_k3)] / 2.

[0054] Specifically, a slow-gradient attack can be understood as sending or receiving data at a rate lower than the normal threshold, deliberately prolonging the connection keep-alive time, thereby occupying the server's concurrent connection resources or thread resources, resulting in legitimate requests being unable to be processed.

[0055] Through the above steps, when it is determined that the current PTP protocol is under attack, delay attacks are identified by comparing the path delay change with the preset delay detection threshold, and spoofed timestamp attacks are identified by combining the absolute value of the time deviation with the preset time deviation threshold. Furthermore, distributed denial-of-service attacks are effectively identified through abnormal message frequency monitoring. This not only enables the determination of the existence of attacks, but also completes the refined identification of attack types through multi-dimensional feature mapping, which can provide key decision-making basis for implementing differentiated proactive defense strategies.

[0056] Specifically, the following steps are included before step S5: S01. Obtain the current message arrival time interval queue, which includes the actual arrival time intervals of the N most recently received Announce messages; the actual arrival time interval of an Announce message is the time interval between the time when the Announce message is received and the time when the previous Announce message is received; N is a preset queue length; wherein, the preset queue length is the length of the queue preset by those skilled in the art according to actual needs, for example: 10, 15, 20, which will not be elaborated here.

[0057] Specifically, the Announce message is a notification message.

[0058] S02. Obtain the average value μ and standard deviation σ of all actual arrival time intervals in the message arrival time interval queue.

[0059] S03. When |μ-G| > R×σ, the message frequency is determined to be abnormal; G is the preset expected arrival time interval, R is the preset confidence coefficient, and the value range of R is [3, 5]; wherein the preset expected arrival time interval is an arrival time interval preset by those skilled in the art according to actual needs, for example: setting the preset expected arrival time interval equal to the sending period of the Announce message, which will not be elaborated here.

[0060] Specifically, step S03 also includes: when |μ-G|≤R×σ, it is determined that there is no abnormality in the message frequency.

[0061] Through the above steps, compared with the fixed threshold method, a dynamic confidence interval is constructed based on the mean and standard deviation of the arrival interval of N consecutively received Announce messages, which realizes adaptive detection of abnormal message frequency. It can not only keenly capture various DDoS attacks that cause the message frequency to speed up, slow down or fluctuate drastically, but also effectively shield random interference in normal network environments, significantly improving the accuracy of identifying complex attack patterns.
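The following is an added worked example, not the patent's own code, that implements steps S2–S5 of paragraphs [0023]–[0053], the threshold derivation S001–S003 and the Announce frequency check S01–S03 on constructed timestamp lists. It assumes, because the page does not state them, the clock model F = [[1, Δt], [0, 1]] and H = [1, 0], diagonal process and measurement noise, p = B (the page only requires p < U), and the synthetic jitter and delay values in make_cycles():

```python
"""Kalman-filter plus bidirectional CUSUM detector for PTP timing attacks (added example,
not the patent's own code). Assumed, because the page does not state them: F = [[1, dt], [0, 1]],
H = [1, 0], diagonal noise, p = B (the page only requires p < U), and the constructed data below."""
import math


def observations(L):
    """Q1 (time deviation, also Z1) and Q2 (path delay) from L = (L_k1, L_k2, L_k3, L_k4)."""
    l1, l2, l3, l4 = L
    return ((l2 - l1) - (l4 - l3)) / 2.0, ((l2 - l1) + (l4 - l3)) / 2.0


def announce_frequency_abnormal(intervals, G, R=3.0):
    """S01-S03: mean/std of the last N Announce arrival intervals vs expected interval G."""
    mu = sum(intervals) / len(intervals)
    sigma = math.sqrt(sum((x - mu) ** 2 for x in intervals) / len(intervals))
    return abs(mu - G) > R * sigma      # sigma == 0 makes any deviation from G abnormal


class PTPAttackDetector:
    def __init__(self, dt, Y1, Y2, q_theta=1e-18, q_alpha=1e-22, r=9e-16):
        self.dt, self.Y1, self.Y2 = dt, Y1, Y2
        self.x = [0.0, 0.0]                  # X = [theta, alpha]^T, theta_0 = alpha_0 = 0
        self.P = [[1.0, 0.0], [0.0, 1.0]]    # assumed loose initial covariance
        self.Q, self.R = (q_theta, q_alpha), r
        self.U = self.p = None               # set by calibrate()
        self.S1 = self.S2 = 0.0
        self.prev_q2 = None

    def _residual(self, q1):
        """One Kalman predict/update; returns gamma_k = Z1_k - Z2_k."""
        dt, (p00, p01), (p10, p11) = self.dt, self.P[0], self.P[1]
        th_p, al_p = self.x[0] + dt * self.x[1], self.x[1]         # prior state F x_{k-1}
        a00 = p00 + dt * (p01 + p10) + dt * dt * p11 + self.Q[0]   # F P F^T + Q
        a01, a10, a11 = p01 + dt * p11, p10 + dt * p11, p11 + self.Q[1]
        gamma = q1 - th_p                    # Z2_k = H x_prior = theta_prior
        s = a00 + self.R
        k0, k1 = a00 / s, a10 / s            # Kalman gain
        self.x = [th_p + k0 * gamma, al_p + k1 * gamma]
        self.P = [[(1 - k0) * a00, (1 - k0) * a01], [a10 - k1 * a00, a11 - k1 * a01]]
        return gamma

    def calibrate(self, cycles, D=4.0, warmup=20):
        """S001-S003: U = D x B, B = std of residuals on attack-free cycles (after warm-up)."""
        res = [self._residual(observations(L)[0]) for L in cycles][warmup:]
        mean = sum(res) / len(res)
        B = math.sqrt(sum((g - mean) ** 2 for g in res) / len(res))
        self.U, self.p = D * B, B
        self.S1 = self.S2 = 0.0
        self.prev_q2 = observations(cycles[-1])[1]

    def step(self, L, freq_abnormal=False):
        """S3-S5 for one cycle: returns (attacked, attack_type, gamma)."""
        q1, q2 = observations(L)
        gamma = self._residual(q1)
        self.S1 = max(0.0, self.S1 + gamma - self.p)   # positive cumulative deviation
        self.S2 = min(0.0, self.S2 + gamma + self.p)   # negative cumulative deviation
        attacked = self.S1 > self.U or self.S2 < -self.U
        kind = None
        if attacked:                                    # S5 attack-type decision
            if q2 - self.prev_q2 > self.Y1:
                kind = "delay attack"
            elif abs(q1) > self.Y2:
                kind = "timestamp forgery attack"
            elif freq_abnormal:
                kind = "distributed denial-of-service attack"
            else:
                kind = "slow-gradient attack"
        self.prev_q2 = q2
        return attacked, kind, gamma


def make_cycles(n, dt=1.0, theta0=2e-7, alpha=1e-9, d=5e-5, jit=3e-8,
                attack_from=None, extra=2e-6):
    """Constructed timestamp lists in seconds (not captured traffic). Bounded deterministic
    jitter keeps the run reproducible; from cycle attack_from an extra one-way delay is
    added on the master->slave path only, i.e. an asymmetric delay."""
    cycles = []
    for k in range(n):
        t, j1, j2 = k * dt, jit * math.sin(1.7 * k), jit * math.cos(2.3 * k)
        off = theta0 + alpha * t                 # slave time minus master time
        l1 = t                                   # master sends Sync (master clock)
        l2 = t + d + j1 + off                    # slave receives Sync (slave clock)
        if attack_from is not None and k >= attack_from:
            l2 += extra
        l3 = l2 + 1e-3                           # slave sends Delay_Req (slave clock)
        l4 = l3 - off + d + j2                   # master receives Delay_Req (master clock)
        cycles.append((l1, l2, l3, l4))
    return cycles


def run_demo(attack_from=75, n=90):
    """Calibrate on 50 clean cycles, monitor the rest; returns [(cycle, attack_type), ...]."""
    cycles = make_cycles(n, attack_from=attack_from)
    det = PTPAttackDetector(dt=1.0, Y1=0.587e-6, Y2=1.820e-6)
    det.calibrate(cycles[:50])
    alarms = []
    for k in range(50, n):
        attacked, kind, _ = det.step(cycles[k])
        if attacked:
            alarms.append((k, kind))
    return alarms
```

run_demo() raises its first alarm on the cycle where the asymmetric delay starts and classifies it as a delay attack because the path delay Q2 jumps by more than Y1 in that single cycle; a clean run of the same length produces no alarm.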

[0062] Specifically, the following steps are included after step S4: If it is determined that the current PTP protocol is under attack, a timekeeping control command is generated and sent to the slave clock device.

[0063] Specifically, the timekeeping control command is used to trigger the slave clock device to disconnect from the master clock and control the slave clock device to switch to timekeeping mode. In timekeeping mode, the slave clock device maintains the time output based on the local crystal oscillator frequency parameters before the attack, preventing the tampered time signal from contaminating the downstream physical process.

[0064] Through the above steps, after detecting an attack on the PTP protocol, a timekeeping control command is issued to immediately disconnect the slave clock from the suspected master clock and switch to timekeeping mode. The time output is maintained by using the trusted crystal oscillator parameters before the attack, which effectively prevents the spread and contamination of erroneous time signals to downstream physical processes and ensures the continuity and security of critical services during the attack.

[0065] Specifically, the following steps are included after step S4: If it is determined that the current PTP protocol is under attack, the SDN controller or firewall is activated to issue ACL rules for the MAC address of the attack source, thereby blocking malicious PTP packets; including: Parse the current attack packet to extract the attack source feature identifier, which includes at least the attack source MAC address; the attack source MAC address is the source media access control address carried in the header of the PTP packet that is determined to be a malicious attack. Construct ACL rules that include the attack source feature identifier. Issue the ACL rules through the SDN controller or firewall, so that the SDN controller or firewall can identify and discard subsequent PTP packets carrying the attack source feature identifier at the data forwarding layer, thereby cutting off the attack link and blocking malicious PTP packets.

[0066] Through the above steps, after detecting an attack on the PTP protocol, the source MAC address of the attack packets is automatically extracted and ACL rules are dynamically issued by linking the SDN controller or firewall. At the data forwarding level, subsequent malicious packets originating from the attack source are accurately identified and discarded. When attacked, the attack link can be actively cut off, significantly shortening the time window for the system to be exposed to the attack.

[0067] Embodiments of the present invention also provide a storage medium that can be disposed in an electronic device to store a computer program related to implementing a method in the method embodiments, the computer program being loaded and executed by the processor to implement the method provided in the above embodiments.

[0068] Embodiments of the present invention also provide an electronic device, including: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the method provided in the above embodiments.

[0069] Embodiments of the present invention also provide a computer program product including program code, which, when the program product is run on an electronic device, causes the electronic device to perform the steps of the methods described above in various exemplary embodiments of the present invention.

[0070] This invention provides a PTP protocol attack detection method, electronic device, and storage medium. The method involves parsing the PTP packets corresponding to the current synchronization period to obtain a timestamp list; defining a system state vector and establishing state transition equations and observation matrix equations to construct a Kalman filter state-space model; obtaining the Kalman filter residual corresponding to the end time of the current synchronization period using actual observations based on the timestamp list and theoretical observations predicted based on the Kalman filter state-space model; further, calculating the positive and negative cumulative deviations corresponding to the end time of the current synchronization period based on the Kalman filter residuals; and determining that the current PTP protocol is under attack when the positive cumulative deviation is greater than a preset cumulative deviation threshold or the negative cumulative deviation is less than a negative preset cumulative deviation threshold. As can be seen, this invention achieves dynamic tracking and noise filtering of PTP time series by constructing a Kalman filter state space model, effectively separating normal network jitter from malicious attack deviations; combined with a bidirectional cumulative deviation mechanism, it can keenly capture and accumulate small, continuous asymmetric delays, thereby identifying various attack types, including delay attacks, without relying on packet content modification, reducing the false negative rate and significantly improving the overall detection accuracy; furthermore, this invention does not require any hardware modification or firmware upgrade of infrastructure such as switches, master clocks, and slave clocks, significantly reducing deployment costs.
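To make the detection mechanism summarised in [0070] concrete, the following Python is an added example (not the patent's or its assignee's implementation) that runs the Kalman filter, the bidirectional cumulative deviation test and the attack-type decision of claim 1 on constructed timestamp lists. The formulas for Z1_k, Q1_k, Q2_k, γ_k, S1_k and S2_k are the ones stated in the claims; everything the page leaves unstated is an assumption here: the state transition matrix F = [[1, Δt], [0, 1]], the observation matrix H = [1, 0], the predicted observation Z2_k = H·X_k^- from the prior state estimate, the noise covariances, the initial covariance, the threshold values, and the jitter and attack magnitudes of the simulated scenarios.

```python
# Added example (not the patent's own code): Kalman-filter tracking of the PTP
# time deviation plus the bidirectional cumulative deviation (CUSUM) test and the
# attack-type decision of claim 1.  Assumed, because the page does not give them:
# F = [[1, dt], [0, 1]], H = [1, 0], Z2_k = H * X_k^- (prior estimate), a diagonal
# process-noise covariance, a scalar measurement-noise variance and the initial P.


class PtpAttackDetector:
    """One detector per master/slave pair, stepped once per synchronization period k."""

    def __init__(self, dt, U, p, Y1, Y2, q_theta=1e-16, q_alpha=1e-18, r=1e-14):
        self.dt, self.U, self.p, self.Y1, self.Y2 = dt, U, p, Y1, Y2
        self.q = (q_theta, q_alpha)          # process noise W_k (assumed diagonal)
        self.r = r                           # measurement noise V_k variance (assumed)
        self.x = [0.0, 0.0]                  # X_k = [theta_k, alpha_k]^T
        self.P = [[1e-6, 0.0], [0.0, 1e-8]]  # state covariance (assumed initial value)
        self.S1 = 0.0                        # positive cumulative deviation S1_k
        self.S2 = 0.0                        # negative cumulative deviation S2_k
        self.prev_Q2 = None                  # path delay Q2_{k-1}

    @staticmethod
    def observe(L):
        """Claims 5 and 7: actual observation Z1_k (= time deviation Q1_k), path delay Q2_k."""
        L1, L2, L3, L4 = L
        return ((L2 - L1) - (L4 - L3)) / 2.0, ((L2 - L1) + (L4 - L3)) / 2.0

    def _predict(self):
        """Prior estimate X_k^- = F X_{k-1} and P^- = F P F^T + Q, written out for 2x2."""
        dt, (th, al) = self.dt, self.x
        (p00, p01), (p10, p11) = self.P
        x_prior = [th + al * dt, al]
        P_prior = [[p00 + dt * p10 + dt * (p01 + dt * p11) + self.q[0], p01 + dt * p11],
                   [p10 + dt * p11, p11 + self.q[1]]]
        return x_prior, P_prior

    def _update(self, x_prior, P_prior, gamma):
        """Kalman correction with H = [1, 0]; gamma is the innovation."""
        S = P_prior[0][0] + self.r
        K0, K1 = P_prior[0][0] / S, P_prior[1][0] / S
        self.x = [x_prior[0] + K0 * gamma, x_prior[1] + K1 * gamma]
        self.P = [[(1 - K0) * P_prior[0][0], (1 - K0) * P_prior[0][1]],
                  [P_prior[1][0] - K1 * P_prior[0][0], P_prior[1][1] - K1 * P_prior[0][1]]]

    def step(self, L, freq_abnormal=False):
        """Process one period's timestamp list; returns (gamma_k, attacked, attack_type)."""
        Z1, Q2 = self.observe(L)
        x_prior, P_prior = self._predict()
        Z2 = x_prior[0]                      # theoretical observation H * X_k^-
        gamma = Z1 - Z2                      # claim 4: gamma_k = Z1_k - Z2_k
        self._update(x_prior, P_prior, gamma)
        # Step S4: bidirectional cumulative deviation with drift tolerance p.
        self.S1 = max(0.0, self.S1 + gamma - self.p)
        self.S2 = min(0.0, self.S2 + gamma + self.p)
        attacked = self.S1 > self.U or self.S2 < -self.U
        kind = None
        if attacked:                         # step S5: attack-type decision
            dQ2 = 0.0 if self.prev_Q2 is None else Q2 - self.prev_Q2
            if dQ2 > self.Y1:
                kind = "delay"
            elif abs(Z1) > self.Y2:
                kind = "timestamp_forgery"
            elif freq_abnormal:
                kind = "ddos"
            else:
                kind = "slow_gradient"
        self.prev_Q2 = Q2
        return gamma, attacked, kind


def make_timestamps(k, dt=1.0, path_delay=50e-6, extra_m2s=0.0, forge_shift=0.0):
    """Constructed L_k = [L_k1, L_k2, L_k3, L_k4] for a slave whose true offset is 0.
    extra_m2s: added delay on the master->slave path only (asymmetric delay).
    forge_shift: shift applied to both master timestamps (Follow_Up and Delay_Resp),
    which moves the apparent offset while leaving the path delay unchanged."""
    jitter = 1e-7 if k % 2 else -1e-7               # constructed deterministic jitter
    L1 = k * dt                                     # master sends Sync
    L2 = L1 + path_delay + extra_m2s + jitter       # slave receives Sync
    L3 = L2 + 1e-3                                  # slave sends Delay_Req
    L4 = L3 + path_delay                            # master receives Delay_Req
    return [L1 + forge_shift, L2, L3, L4 + forge_shift]


def run_scenario(attack=None, start=20, periods=40):
    """Feed `periods` cycles, applying `attack` from cycle `start`; returns the
    first cycle flagged and the attack type, or (None, None) if never flagged."""
    det = PtpAttackDetector(dt=1.0, U=5e-6, p=1e-6, Y1=5e-6, Y2=1e-5)
    for k in range(periods):
        kw = {}
        if k >= start and attack == "delay":
            kw["extra_m2s"] = 20e-6      # 20 us of one-way delay inserted
        elif k >= start and attack == "forgery":
            kw["forge_shift"] = -30e-6   # master timestamps moved back 30 us
        _, attacked, kind = det.step(make_timestamps(k, **kw))
        if attacked:
            return k, kind
    return None, None


if __name__ == "__main__":
    for name in (None, "delay", "forgery"):
        print(name, run_scenario(name))
```

The two attack scenarios show why the classification in step S5 looks at both quantities: inserted one-way delay raises the computed path delay Q2 as well as the offset, whereas a consistent shift of both master timestamps moves only the offset Q1, so Q2_k − Q2_{k−1} separates the two. The drift tolerance p is what keeps S1 and S2 at zero in the undisturbed scenario: it must exceed the residual that jitter alone produces, otherwise the sums creep up and U is eventually crossed without any attack.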

[0071] While specific embodiments of the invention have been described in detail by way of examples, those skilled in the art should understand that the examples are for illustrative purposes only and are not intended to limit the scope of the invention. Those skilled in the art should also understand that various modifications can be made to the embodiments without departing from the scope and spirit of the invention.

Claims

1. A method for detecting PTP protocol attacks, characterized in that the method includes the following steps:
S1. Parse the PTP message corresponding to the current synchronization period k to obtain the timestamp list L_k corresponding to k;
S2. Construct the Kalman filter state-space model;
S3. Based on L_k and the Kalman filter state-space model, obtain the Kalman filter residual γ_k corresponding to the end time t_k of k;
S4. If S1_k > U or S2_k < -U, determine that the current PTP protocol is under attack; S1_k is the positive cumulative deviation corresponding to t_k, S2_k is the negative cumulative deviation corresponding to t_k, and U is a preset cumulative deviation threshold; S1_k = max(0, S1_{k-1} + γ_k - p); S2_k = min(0, S2_{k-1} + γ_k + p); p is a preset drift tolerance parameter;
S5. When it is determined that the current PTP protocol is under attack: if Q2_k - Q2_{k-1} > Y1, the attack type is determined to be a delay attack; if Q2_k - Q2_{k-1} ≤ Y1 and |Q1_k| > Y2, the attack type is determined to be a timestamp forgery attack; if the message frequency is abnormal, the attack type is determined to be a distributed denial-of-service attack; otherwise, the attack type is determined to be a slow-gradient attack; Q2_{k-1} is the path delay corresponding to the synchronization period preceding k, Y1 is the preset delay detection threshold, Y2 is the preset time deviation threshold, Q1_k is the time deviation corresponding to k, and Q2_k is the path delay corresponding to k.

2. The PTP protocol attack detection method according to claim 1, characterized in that the PTP message includes a Sync message, a Follow_Up message, a Delay_Req message and a Delay_Resp message; wherein the time point at which the master clock sends the Sync message is derived from the Follow_Up message, and the time point at which the master clock receives the Delay_Req message is derived from the Delay_Resp message; L_k includes: the time point at which the master clock sends the Sync message, the time point at which the slave clock receives the Sync message, the time point at which the slave clock sends the Delay_Req message, and the time point at which the master clock receives the Delay_Req message; wherein the PTP message is obtained from the PTP traffic captured at the physical layer.

3. The PTP protocol attack detection method according to claim 1, characterized in that step S2 includes: defining the system state vector X_k = [θ_k α_k]^T corresponding to k, where θ_k is the true time deviation at t_k and α_k is the relative frequency drift at t_k; establishing the state transition equation X_k = F × X_{k-1} + W_k, where F is the state transition matrix, X_{k-1} is the system state vector corresponding to the synchronization period preceding k, and W_k is the process noise corresponding to k; and establishing the observation matrix equation Z_k = H × X_k + V_k, where Z_k is the theoretical observation corresponding to t_k, H is the observation matrix, and V_k is the measurement noise corresponding to k.

4. The PTP protocol attack detection method according to claim 3, characterized in that γ_k = Z1_k - Z2_k, where Z1_k is the actual observed value corresponding to t_k obtained from L_k, and Z2_k is the theoretical observed value corresponding to t_k predicted by the Kalman filter state-space model.

5. The PTP protocol attack detection method according to claim 4, characterized in that Z1_k and Z2_k satisfy the following conditions: Z1_k = [(L_k2 - L_k1) - (L_k4 - L_k3)] / 2, where L_k1 is the time point in L_k at which the master clock sends the Sync message, L_k2 is the time point in L_k at which the slave clock receives the Sync message, L_k3 is the time point in L_k at which the slave clock sends the Delay_Req message, and L_k4 is the time point in L_k at which the master clock receives the Delay_Req message; Z2_k = ; wherein the prior state estimate of k is obtained from the system state vector corresponding to the synchronization period preceding k and the state transition equation.

6. The PTP protocol attack detection method according to claim 3, characterized in that F satisfies the following condition: where Δt is the synchronization period of the PTP protocol.

7. The PTP protocol attack detection method according to claim 5, characterized in that Q1_k and Q2_k satisfy the following conditions respectively: Q1_k = [(L_k2 - L_k1) - (L_k4 - L_k3)] / 2; Q2_k = [(L_k2 - L_k1) + (L_k4 - L_k3)] / 2.

8. The PTP protocol attack detection method according to claim 1, characterized in that the following steps are included before step S5:
S01. Obtain the current message arrival time interval queue, which contains the actual arrival time intervals of the N most recently received Announce messages; the actual arrival time interval of an Announce message is the time interval between the time at which that Announce message is received and the time at which the previous Announce message was received; N is the preset queue length.
S02. Obtain the mean μ and standard deviation σ of all actual arrival time intervals in the message arrival time interval queue.
S03. When |μ - G| > R × σ, the message frequency is determined to be abnormal; G is the preset expected arrival time interval, R is the preset confidence coefficient, and R takes a value in the range [3, 5].

9. A storage medium, characterized in that the storage medium stores a computer program which, when loaded and executed by a processor, implements the PTP protocol attack detection method according to any one of claims 1 to 8.

10. An electronic device, comprising a processor, a memory, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the computer program, it implements the PTP protocol attack detection method according to any one of claims 1 to 8.
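The message-frequency test of claim 8 (steps S01 to S03), which feeds the "distributed denial-of-service" branch of step S5, as an added example in Python (not the patent's or its assignee's code). The claim does not say which standard-deviation estimator it intends; the population standard deviation is used here, which is an assumption. The Announce receive times are constructed: a healthy 2 s cadence with ±10 ms jitter, the same stream with one Announce lost, and a flood at 20 Announce messages per second.

```python
# Added example (not the patent's own code): the Announce-message arrival-interval
# check of claim 8.  sigma is the population standard deviation (assumption).
from collections import deque
from statistics import mean, pstdev


class AnnounceRateMonitor:
    """Sliding queue of the N most recent Announce arrival intervals."""

    def __init__(self, expected_interval, queue_len=16, confidence=3.0):
        self.G = expected_interval          # preset expected arrival interval G
        self.N = queue_len                  # preset queue length N
        self.R = confidence                 # preset confidence coefficient R in [3, 5]
        self.intervals = deque(maxlen=queue_len)
        self.last_rx = None

    def on_announce(self, rx_time):
        """S01: push the interval to the previous Announce; S02/S03: once the queue
        holds N intervals, flag the frequency as abnormal when |mu - G| > R * sigma."""
        if self.last_rx is not None:
            self.intervals.append(rx_time - self.last_rx)
        self.last_rx = rx_time
        if len(self.intervals) < self.N:
            return False                    # not enough history yet
        mu, sigma = mean(self.intervals), pstdev(self.intervals)
        return abs(mu - self.G) > self.R * sigma


def flagged_indices(monitor, rx_times):
    """Feed constructed receive times in order; return the indices judged abnormal."""
    return [i for i, t in enumerate(rx_times) if monitor.on_announce(t)]


# Constructed receive times in seconds.
NORMAL = [2.0 * k + (0.01 if k % 2 else -0.01) for k in range(40)]   # 2 s +- 10 ms
ONE_LOST = NORMAL[:10] + NORMAL[11:]                                 # one Announce missing
FLOOD = NORMAL[:20] + [NORMAL[19] + 0.05 * i for i in range(1, 40)]  # 20 msg/s burst

if __name__ == "__main__":
    for name, rx in (("normal", NORMAL), ("one_lost", ONE_LOST), ("flood", FLOOD)):
        print(name, flagged_indices(AnnounceRateMonitor(2.0), rx))
```

The single lost Announce is not flagged: the doubled interval inflates σ far more than it moves μ, so |μ − G| stays well inside R·σ. The flood is flagged only once short intervals dominate the queue, which is the detection latency the queue length N trades against robustness; a queue consisting entirely of equal intervals has σ = 0, so any μ ≠ G is then reported.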