Zero-trust dynamic access control protection method and system for power edge side

By performing initial trust assessment and feature extraction at the power edge, combined with verification and fault determination at the master station, zero-trust dynamic access control at the power edge is achieved. This solves the problem that traditional static boundary protection is unable to cope with security risks at the edge, and improves the overall security protection level of the power Internet of Things.

CN122247764A · Pending · Publication Date: 2026-06-19 · GUANGZHOU ZHAO NENG CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUANGZHOU ZHAO NENG CO LTD
Filing Date
2026-05-21
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Traditional power systems, with their numerous and scattered edge nodes and complex access scenarios, struggle to cope with the security challenges posed by attackers who can forge identities and tamper with data. Furthermore, existing zero-trust solutions are not optimized for processing multimodal heterogeneous data at the power edge, thus failing to meet the zero-trust protection requirements in power scenarios.

Method used

By adopting a zero-trust access approach, the initial trust assessment and feature extraction tasks are devolved to the power edge, while high-computing-power-requirement tasks such as identity verification and fault determination are deployed on the main station side, thereby achieving dynamic permission control throughout the entire process from access request to operation control.

Benefits of technology

It reduces the computational burden on the edge side, meets the constraints of limited computing power, and effectively prevents attackers from unauthorized access to the core network by dynamically reassessing trust levels to adjust access permissions, thereby improving the security protection capabilities of the power Internet of Things edge side.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247764A_ABST

Abstract

This invention discloses a zero-trust dynamic access control protection method and system for the power edge, relating to the field of IoT access control technology. The method includes the following steps: the power edge performs an initial trust assessment on multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal; the power master station terminal verifies the access request, and if the verification is successful, generates a communication connection authorization command and sends it to the power edge; the power edge establishes a communication connection based on the communication connection authorization command and sends the multimodal heterogeneous feature data to the power master station terminal; the power master station terminal performs fault type determination on the multimodal heterogeneous feature data and generates a control command, which is sent to the power edge; the power edge performs corresponding operations based on the control command. This achieves a significant improvement in the security protection capabilities of the power edge by adopting a zero-trust access method that never trusts and always verifies, thereby ensuring the safe and stable operation of the power system.

Description

Technical Field

[0001] This invention relates to the field of Internet of Things (IoT) access control technology, and in particular to a zero-trust dynamic access control protection method and system for the power edge.

Background Technology

[0002] Currently, with the continuous advancement of the construction of the power Internet of Things (IoT), a large number of sensing, computing, and control devices are being deployed at the power edge, extending the data collection and local management capabilities at the end of the power system. However, this also brings new cybersecurity risks. Traditional power systems mostly adopt boundary-based static access control strategies, which assume that every device inside the boundary is trustworthy. This is insufficient to address the security challenges posed by a large number of edge nodes, their scattered distribution, and complex access scenarios. Once attackers breach the boundary protection, they can easily gain unauthorized access to the core power control network by forging identities and tampering with data, potentially causing large-scale power supply security incidents. Furthermore, power edge devices have limited computing power, making it difficult for them to support complex full-scale secure computations. Existing zero-trust access solutions are mostly designed for the main station side and are not optimized for the processing flow of multimodal heterogeneous data at the power edge; they cannot meet the zero-trust protection requirement of "verification before connection and dynamic continuous evaluation" in power scenarios. Therefore, there is an urgent need for a zero-trust dynamic access control protection solution adapted to the characteristics of power edge scenarios.

Summary of the Invention

[0003] To overcome the shortcomings of existing technologies, this invention provides a zero-trust dynamic access control protection method and system for the power edge. By adopting a zero-trust access approach of "never trusting, always verifying," lightweight computing tasks such as initial trust assessment and feature extraction are offloaded to the edge, while high-computing-power tasks such as identity verification and fault determination are deployed on the master station. This reduces the computing burden on the edge and enables dynamic permission control throughout the entire process from access request initiation and communication connection establishment to operation control. It effectively solves the problem that traditional static boundary protection is unable to cope with edge security risks and improves the overall security protection capability of the power edge Internet of Things.

[0004] To achieve the above-mentioned objectives, the present invention adopts the following technical solution:

[0005] The first aspect of this application provides a zero-trust dynamic access control protection method for the power edge side, including the following steps: S101. The power edge side performs an initial trust assessment on the multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal. S102. The power master station terminal verifies the access request. If the verification is successful, it generates a communication connection authorization instruction and sends it to the power edge side. S103. The power edge side establishes a communication connection based on the communication connection authorization command and sends multimodal heterogeneous feature data to the power master station terminal. S104. The power master station terminal performs fault type determination processing on the multimodal heterogeneous feature data and generates control commands to send to the power edge side. S105. The power edge side performs the corresponding operations based on the control commands.

[0006] Furthermore, the power edge performs an initial trust assessment on the multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal, including the following steps: trust assessment is performed on the multimodal heterogeneous data at the power edge to obtain the trust level of each modality; the overall initial trust level of the power edge side is determined based on the trust level of each modality of data; if the initial trust level of the power edge is greater than the set trust threshold, feature extraction processing is performed on the multimodal heterogeneous data, and an access request is generated and sent to the power master station; otherwise, neither feature extraction processing nor access request generation is performed on the multimodal heterogeneous data.

[0007] Furthermore, when the initial overall trust level at the power edge exceeds the set trust threshold, the feature extraction process for multimodal heterogeneous data at the power edge includes the following steps: key features are extracted from each type of preprocessed heterogeneous data. For electrical operation monitoring data such as voltage, current, and power, the statistical characteristics of amplitude fluctuation, harmonic ratio, and power deviation are extracted; for environmental monitoring data such as temperature, humidity, and abnormal gas concentration, the trend characteristics of parameter change rate, duration of exceeding limits, and degree of deviation from the benchmark value are extracted; for equipment vibration monitoring data, the proportion of vibration energy in different frequency bands and the fault-correlated features of characteristic frequency amplitudes are extracted; for equipment appearance images and infrared images, lightweight convolutional neural networks are used to extract image features of equipment appearance deformation and abnormal temperature distribution. The extracted multimodal key features are fused and stitched together to obtain the multimodal heterogeneous feature data of the power edge side.

[0008] Furthermore, when the initial overall trust level at the power edge exceeds a set trust threshold, the power edge generates an access request based on the multimodal heterogeneous data feature extraction processing results and sends it to the power master station, including the following steps: Access requests are generated by encapsulating multimodal heterogeneous feature data. The access requests carry the unique identity of the edge node, the comprehensive initial trust value, and the extracted multimodal feature data set. The encapsulated access request is sent to the power master station terminal through the dedicated power dispatch transmission channel, and the system waits for verification feedback from the master station.

[0009] Furthermore, the power master station terminal verifies the access request and, if the verification is successful, generates a communication connection authorization command and sends it to the power edge side, including the following steps: based on the full-dimensional status feature set carried in the access request, the system matches the preset power edge node identity verification rules and the abnormal risk level classification standards to complete the dual verification of identity legitimacy and risk level. If the verification is successful, a dynamic connection authorization with the corresponding permissions is generated according to the determination task the edge node has applied for, and the communication connection authorization instruction is sent to the power edge side to establish an on-demand encrypted communication connection between the edge node and the main station. If the verification fails, a connection rejection command is returned directly, blocking the current communication.

[0010] Furthermore, the power edge side establishes a communication connection based on the communication connection authorization command and sends multimodal heterogeneous feature data to the power master station terminal, including the following steps: receive and parse the communication connection authorization command sent by the power master station terminal to obtain the authorized access scope and the encrypted communication key; based on the obtained key and permission information, establish an encrypted communication connection with the power master station terminal with the corresponding permissions; the preprocessed and fused multimodal heterogeneous feature data of the power edge side is formatted, encapsulated, and sent to the power master station terminal through the encrypted channel. During the communication connection maintenance period, at each preset dynamic evaluation cycle, the comprehensive trust level of the latest multimodal heterogeneous data is recalculated, and the updated comprehensive trust level is synchronously sent to the power master station terminal so that the master station can dynamically adjust access permissions. If the updated overall trust level is lower than the preset threshold, the power edge side automatically terminates the current communication connection and actively disconnects the encrypted channel to avoid the risk of unauthorized access.

[0011] Furthermore, during the communication connection maintenance period, at each preset dynamic evaluation cycle, the comprehensive trust level of the latest multimodal heterogeneous data is recalculated, and the updated comprehensive trust level is synchronously sent to the power master station terminal for the master station to dynamically adjust access permissions, including the following steps: Within each dynamic assessment cycle, the latest multimodal heterogeneous data from the power edge side of the current cycle is re-collected; the trust level of each modality data is recalculated according to the same rules as the initial trust level assessment, thereby obtaining the updated comprehensive trust level of the power edge side. The updated overall trust level is compared with the preset threshold. If the updated overall trust level is still higher than the threshold, the current communication connection and access permissions are maintained, and the update result is synchronized to the main station terminal. If the updated overall trust level is lower than the threshold, immediately send a disconnection request to the main station terminal, then actively terminate the current encrypted communication connection, close the data transmission channel, and record the dynamic assessment disconnection event log for future reference.

[0012] Furthermore, the power master station terminal performs fault type determination processing on the multimodal heterogeneous characteristic data and generates control commands to send to the power edge, including the following steps: Based on the fault type comparison library, fault feature comparison processing is performed on multimodal heterogeneous feature data, and the results of fault location, fault type and fault risk level are output. Based on the obtained fault determination results, a preset fault handling strategy library is matched to generate control instructions for the corresponding handling actions; Control commands are sent to the power edge via the established encrypted communication channel, and the power edge performs the corresponding control operations. If the fault determination confirms that there is no abnormal fault, a control command to maintain the current operating state is generated and returned to the power edge side.

[0013] Furthermore, the corresponding operations performed by the power edge based on control commands include the following steps: Receive and parse control commands sent by the power master station terminal, and extract the corresponding control operation type and parameter requirements of the commands; According to the instructions, the corresponding control module on the edge side is invoked to perform the specified operation: if it is a load reduction instruction, the load power is reduced by adjusting the transformer tap position or cutting off the load through the voltage regulation module; if it is a heat dissipation instruction, the auxiliary heat dissipation device of the equipment is started to improve the heat dissipation efficiency; if it is a power failure control instruction, the power supply switch of the corresponding equipment is disconnected to isolate the fault; if it is a maintain operation instruction, the existing operating parameters are not changed. After the corresponding operation is performed, multimodal monitoring data is collected, the overall trust level is recalculated, and the operation results and the updated trust level are fed back to the power master station terminal to complete the closed loop of this handling process.

[0014] The second aspect of this application provides a zero-trust dynamic access control protection system for the power edge, including: a power edge side, which performs an initial trust assessment on multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal, establishes a communication connection based on the communication connection authorization instruction and sends the multimodal heterogeneous feature data to the power master station terminal, and performs the corresponding operations based on control instructions; and a power master station terminal, which verifies access requests and, if the verification is successful, generates a communication connection authorization command and sends it to the power edge side, and which also performs fault type determination processing on the multimodal heterogeneous feature data and generates control commands to send to the power edge side.

[0015] The beneficial effects of this application are as follows: It realizes zero-trust dynamic access control adapted to power edge scenarios, adopting a "never trust, always verify" zero-trust access method, which solves the problem that traditional static boundary access control cannot cope with the risk of access from dispersed nodes on the edge. By completing the initial trust assessment and multimodal feature extraction at the power edge, only the processed feature data, rather than the full amount of raw data, is uploaded to the main station, significantly reducing the computing power consumption and transmission bandwidth consumption of edge devices, and meeting the constraint of limited computing power of edge devices. By periodically and dynamically reassessing the comprehensive trust level, dynamically adjusting access permissions based on the trust results, and promptly disconnecting low-trust connections, dynamic security protection is achieved throughout the entire process. This effectively avoids the risk of attackers gaining unauthorized access to the core network after breaching the boundary, improves the overall security protection level of the power Internet of Things edge, and ensures the operational safety of the power system.

Attached Figure Description

[0016] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0017] Figure 1 is a schematic diagram illustrating the steps of the zero-trust dynamic access control protection method for the power edge side of the present invention.

Detailed Implementation

[0018] The embodiments of the present invention will now be described in detail with reference to the accompanying drawings.

[0019] The following specific examples illustrate the implementation of the present invention. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. The present invention can also be implemented or applied through other different specific embodiments, and the details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that, in the absence of conflict, the following embodiments and features in the embodiments can be combined with each other. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort are within the scope of protection of the present invention.

[0020] Example 1. A zero-trust dynamic access control protection method for the power edge includes the following steps: S101. The power edge side performs an initial trust assessment on the multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal. The system acquires multimodal heterogeneous data from the power edge, including electrical operation monitoring data, environmental monitoring data, equipment vibration monitoring data, and visual monitoring image data. Electrical operation monitoring data includes voltage, current, and power monitoring data; environmental monitoring data includes temperature, humidity, and abnormal gas concentration monitoring data; and visual monitoring image data includes equipment appearance images and infrared images. The power edge performs feature recognition processing on the multimodal heterogeneous data and conducts confidence assessment processing to obtain the confidence assessment result. Based on the confidence assessment result, it determines whether to generate an access request. The power edge sends the generated access request to the power master station terminal to establish a communication connection with the power master station terminal.

[0021] The power edge performs an initial trust assessment on multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal, including the following steps: Trust assessment is performed on multimodal heterogeneous data at the power edge to obtain the trust level of each modality. The overall initial trust level of the power edge side is determined based on the trust level of each modality of data; If the initial trust level of the power edge is greater than the set trust threshold, feature extraction processing is performed on the multimodal heterogeneous data, and an access request is generated and sent to the power master station; otherwise, feature extraction processing and access request generation are not performed on the multimodal heterogeneous data.

[0022] When the initial overall trust level at the power edge exceeds the set trust threshold, the feature extraction process for multimodal heterogeneous data at the power edge includes the following steps: key features are extracted from each type of preprocessed heterogeneous data. For electrical operation monitoring data such as voltage, current, and power, statistical characteristics such as amplitude fluctuation, harmonic ratio, and power deviation are extracted; for environmental monitoring data such as temperature, humidity, and abnormal gas concentration, trend characteristics such as parameter change rate, duration of exceeding limits, and degree of deviation from benchmark values are extracted; for equipment vibration monitoring data, fault-related features such as the proportion of vibration energy and the amplitude of characteristic frequencies in different frequency bands are extracted; for equipment appearance images and infrared images, lightweight convolutional neural networks are used to extract image features such as equipment appearance deformation and abnormal temperature distribution. The extracted multimodal key features are fused and stitched together to obtain the multimodal heterogeneous feature data of the power edge side.

[0023] When the initial trust level of the power edge side exceeds the set trust threshold, the power edge side generates an access request based on the multimodal heterogeneous data feature extraction processing results and sends it to the power master station, including the following steps: Access requests are generated by encapsulating multimodal heterogeneous feature data. The access requests carry the unique identity of the edge node, the comprehensive initial trust value, and the extracted multimodal feature data set. The encapsulated access request is sent to the power master station terminal through the dedicated power dispatch transmission channel, and the system waits for verification feedback from the master station.

[0024] For example, when an edge node in a distribution area detects a localized hotspot in the infrared image of a 10kV transformer, and the amplitude of the local discharge vibration characteristic frequency at the corresponding location is abnormal, and the acetylene gas concentration in the environment deviates from the baseline value, while electrical operation data shows that the three-phase current imbalance at this node exceeds the normal range, the confidence level of all single-mode data is higher than the set single-mode threshold, and the calculated overall initial confidence level is also greater than the preset overall confidence level threshold. The edge node then automatically extracts and fuses the key features corresponding to each mode, generating an access request for multimodal heterogeneous feature data from the power edge side, which is sent to the power master station terminal to request authorization from the master station to further retrieve all raw data for in-depth fault determination. If the confidence level of any two or more single modes is lower than the threshold, resulting in the overall initial confidence level not meeting the requirements, the edge node will directly intercept the access request generation process to avoid invalid data uplink consuming communication and master station computing resources.

[0025] S102. The power master station terminal verifies the access request. If the verification is successful, it generates a communication connection authorization instruction and sends it to the power edge side. The power master station terminal receives access requests sent from the power edge side and verifies them. The verification process includes confirming the legitimacy of the device identity on the power edge side, the completeness of the fused feature set, and a review of the initial trust level. If all verification items pass, a valid communication connection authorization command is generated and sent to the power edge side, establishing a secure transmission channel between the edge side and the master station. If any verification fails, the access request is rejected, and the request is logged for subsequent abnormal behavior tracing and analysis.

[0026] The power master station terminal verifies the access request. If the verification is successful, it generates a communication connection authorization command and sends it to the power edge side, including the following steps: Based on the full-dimensional status feature set carried in the access request, the system matches the preset power edge node identity verification rules and abnormal risk level classification standards to complete the dual verification of identity legitimacy and risk level. If the verification is successful, a dynamic connection authorization with corresponding permissions will be generated according to the judgment requirements applied for by the edge node, and the communication connection authorization instruction will be sent to the power edge side to establish an on-demand encrypted communication connection between the edge node and the main station. If the verification fails, a connection rejection command will be returned directly, blocking the current communication.

[0027] For example, after receiving an access request from the 10kV transformer edge node, the main station terminal first verifies the device identity identifier pre-assigned to the edge node to confirm that the node is a legally registered on-network device. Then, it reviews the data integrity of the fusion feature set and the overall initial trust degree calculation process. After confirming that all verifications meet the requirements, it opens the computing power and storage access permissions of the corresponding fault analysis module according to the application requirements for deep fault determination, and generates a dynamic encrypted connection authorization to send to the edge node. If the identity identifier does not match the registration information during verification, it directly returns a connection rejection instruction, records the IP address, device identifier, and other information corresponding to the request in the abnormal behavior log, and completes the access interception.

[0028] S103. The power edge side establishes a communication connection based on the communication connection authorization command and sends multimodal heterogeneous feature data to the power master station terminal. The power edge device receives a communication connection authorization command from the power master station terminal to establish a communication connection. The power edge device then sends multimodal heterogeneous feature data to the power master station terminal. Upon receiving the authorization command, the power edge device parses the authorized permission scope contained within the command, establishes an encrypted communication channel with the power master station terminal corresponding to the permissions, and sends the obtained multimodal heterogeneous feature data from the power edge device to the power master station terminal. During the communication establishment period, the edge device continuously performs dynamic trust assessment on the real-time monitoring data of its local nodes, updates the comprehensive trust level at set intervals, and synchronizes the updated trust level to the power master station terminal.

[0029] The power edge side establishes a communication connection based on a communication connection authorization command and sends multimodal heterogeneous feature data to the power master station terminal, including the following steps: Receive and parse the communication connection authorization command sent by the power master station terminal to obtain the authorized access scope and encrypted communication key; Based on the obtained key and permission information, establish an encrypted communication connection with the power master station terminal with corresponding permissions; The preprocessed and fused multimodal heterogeneous feature data of the power edge side is encapsulated in a format and then sent to the power master station terminal through an encrypted channel. During the communication connection period, at each preset dynamic evaluation cycle, the comprehensive trust level of the latest multimodal heterogeneous data is recalculated, and the updated comprehensive trust level is synchronously sent to the power master station terminal for the master station to dynamically adjust access permissions.

[0030] If the overall trust level after synchronization and update is lower than the preset threshold, the power edge side will automatically terminate the current communication connection and actively disconnect the encrypted channel to avoid the risk of unauthorized access.

[0031] During the communication connection maintenance period, at each preset dynamic evaluation cycle, the comprehensive trust level of the latest multimodal heterogeneous data is recalculated, and the updated comprehensive trust level is synchronously sent to the power master station terminal. This is used by the master station to dynamically adjust access permissions, including the following steps: Within each dynamic assessment cycle, the latest multimodal heterogeneous data from the power edge side of the current cycle is re-collected; the trust level of each modality data is recalculated according to the same rules as the initial trust level assessment, thereby obtaining the updated comprehensive trust level of the power edge side. The updated overall trust level is compared with the preset threshold. If the updated overall trust level is still higher than the threshold, the current communication connection and access permissions are maintained, and the update result is synchronized to the main station terminal. If the updated overall trust level is lower than the threshold, immediately send a disconnection request to the main station terminal, then actively terminate the current encrypted communication connection, close the data transmission channel, and record the dynamic assessment disconnection event log for future reference.

[0032] For example, consider a 10kV transformer edge node. After establishing an encrypted communication connection, the edge node re-collects the current multimodal monitoring data every 5 minutes and recalculates the comprehensive trust level. If the fault characteristics develop further, the confidence level of some monitoring parameters decreases and the updated comprehensive trust level falls below the threshold, the edge node actively disconnects the encrypted connection to terminate data transmission, avoiding the security risk that an abnormal link poses to the master station. It records the disconnection event in the local log and synchronizes it to the master station for filing, so that changes in node status during fault handling do not introduce additional security risks.
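The dynamic evaluation cycle of paragraphs [0029] to [0032], written out as an added simulation (not code from the patent). The patent does not publish its trust-scoring formula, so the per-modality confidences, the weights, the threshold value and the fail-closed treatment of a score exactly equal to the threshold are all assumptions; the sample cycles are constructed to show one session that is maintained twice and then disconnected.

```python
"""Edge-side dynamic trust re-evaluation loop (added example; assumed scoring)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative modality weights: the patent fixes no weights (assumption).
MODALITY_WEIGHTS = {"electrical": 0.35, "environment": 0.25,
                    "vibration": 0.20, "image": 0.20}

TRUST_THRESHOLD = 0.6   # preset threshold; value is assumed


def modality_trust(confidences: Dict[str, float]) -> Dict[str, float]:
    """Clamp each modality's reported confidence into [0, 1].

    The same rule is reused for the initial assessment and every re-evaluation,
    as paragraph [0031] requires."""
    return {m: max(0.0, min(1.0, c)) for m, c in confidences.items()}


def comprehensive_trust(per_modality: Dict[str, float]) -> float:
    """Weighted mean of the per-modality trust levels (assumed fusion rule)."""
    total_w = sum(MODALITY_WEIGHTS[m] for m in per_modality)
    return sum(MODALITY_WEIGHTS[m] * v for m, v in per_modality.items()) / total_w


@dataclass
class EdgeSession:
    node_id: str
    connected: bool = True
    sent_to_master: List[dict] = field(default_factory=list)   # messages synced upstream
    event_log: List[str] = field(default_factory=list)         # local disconnection log

    def evaluate_cycle(self, cycle: int, confidences: Dict[str, float]) -> float:
        """One evaluation cycle: recompute trust, then maintain or disconnect."""
        if not self.connected:
            raise RuntimeError("session already terminated")
        trust = comprehensive_trust(modality_trust(confidences))
        if trust > TRUST_THRESHOLD:
            # Still above threshold: keep the connection, sync the update.
            self.sent_to_master.append({"cycle": cycle, "trust": trust, "action": "update"})
        else:
            # At or below threshold (fail closed): request disconnection first,
            # then tear down the channel locally and record the event.
            self.sent_to_master.append({"cycle": cycle, "trust": trust,
                                        "action": "disconnect_request"})
            self.connected = False
            self.event_log.append(
                f"cycle {cycle}: trust {trust:.3f} <= {TRUST_THRESHOLD}, channel closed")
        return trust


def run_session() -> Tuple[EdgeSession, List[float]]:
    """Drive three constructed cycles for a transformer node; returns the session and trusts."""
    session = EdgeSession(node_id="TX-10kV-001")   # constructed identifier
    cycles = [   # constructed confidences: a fault developing over three cycles
        {"electrical": 0.95, "environment": 0.90, "vibration": 0.90, "image": 0.85},
        {"electrical": 0.80, "environment": 0.60, "vibration": 0.70, "image": 0.60},
        {"electrical": 0.60, "environment": 0.40, "vibration": 0.50, "image": 0.30},
    ]
    trusts = [session.evaluate_cycle(i + 1, c) for i, c in enumerate(cycles)]
    return session, trusts


if __name__ == "__main__":
    s, t = run_session()
    print([round(x, 4) for x in t], s.connected, s.event_log)
```

The edge sends the disconnection request before closing the channel, so the master station always learns why a session ended rather than seeing a silent drop; a practitioner would also want the local log line to be forwarded once the node is next authorized, which paragraph [0032] describes as filing.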

[0033] S104. The power master station terminal performs fault type determination processing on the multimodal heterogeneous characteristic data and generates control commands to send to the power edge side. The power master station terminal receives multimodal heterogeneous feature data transmitted from the power edge side. Based on the fault type comparison library, the power master station terminal performs fault feature comparison processing on the multimodal heterogeneous feature data to determine the fault type. Based on the fault feature comparison processing results, it generates control commands and sends the control commands to the power edge side.

[0034] The power master station terminal performs fault type determination processing on multimodal heterogeneous characteristic data and generates control commands to send to the power edge side, including the following steps: Based on the fault type comparison library, fault feature comparison processing is performed on multimodal heterogeneous feature data, and the results of fault location, fault type and fault risk level are output. Based on the obtained fault determination results, a preset fault handling strategy library is matched to generate control instructions for the corresponding handling actions; Control commands are sent to the power edge via the established encrypted communication channel, and the power edge performs the corresponding control operations. If the fault determination confirms that there is no abnormal fault, a control command to maintain the current operating state is generated and returned to the power edge side.

[0035] For example, based on the multimodal heterogeneous characteristic data of the 10kV transformer, the trained fault judgment model outputs an early insulation fault caused by local overheating, with risk level two. The matching disposal strategy is "reduce load power and start real-time monitoring". The master station generates the corresponding control command and sends it to the edge node through the encrypted channel, and the edge node executes the corresponding voltage regulation and load reduction operation.

[0036] S105. The power edge side performs corresponding operations based on control commands. The power edge device receives control commands from the power master station terminal; these commands include heat dissipation commands, power outage control commands, and load reduction commands. The edge device executes the corresponding operations based on the control commands to complete the corresponding fault management and handling. If the control command is to maintain the current operating state, the original operating parameters remain unchanged, and daily monitoring and trust assessment continue to be performed periodically. After this step is completed, the dynamic access control and fault handling process based on the zero-trust mechanism for the power edge device ends, awaiting the next monitoring cycle to trigger a new initial trust assessment process, thus achieving full-cycle dynamic security management and control of the power edge device. Through the above-mentioned dynamic trust assessment and on-demand authorization access control mechanism, invalid data uplinks from the power edge device can be effectively reduced, lowering the computing power and communication resource consumption of the power master station. At the same time, a zero-trust protection system is built covering the entire process from access, through dynamic management, to handling, avoiding power system security risks caused by unauthorized access and abnormal links, and improving the overall security protection capability of the power energy system.

[0037] The power edge side performs corresponding operations based on control commands, including the following steps: Receive and parse control commands sent by the power master station terminal, and extract the corresponding control operation type and parameter requirements of the commands; According to the instructions, the corresponding control module on the edge side is invoked to perform the specified operation: if it is a load reduction instruction, the load power is reduced by adjusting the transformer tap position or cutting off the load through the voltage regulation module; if it is a heat dissipation instruction, the auxiliary heat dissipation device of the equipment is started to improve the heat dissipation efficiency; if it is a power failure control instruction, the power supply switch of the corresponding equipment is disconnected to isolate the fault; if it is a maintain operation instruction, the existing operating parameters are not changed. After the corresponding operation is executed, multimodal monitoring data is collected, the overall trust level is recalculated, and the operation result and the updated trust level are fed back to the power master station terminal.

[0038] For example, after receiving a load reduction command from the master station, the edge node parses the target load power parameters, calls the voltage regulation module to adjust the transformer tap position, and reduces the load power to the set range. Then, it re-collects the transformer's electrical operation, environmental, vibration, and image multimodal monitoring data, calculates the updated comprehensive trust level, and feeds the operation execution result and the updated trust level back to the power master station terminal through an encrypted channel. The master station records the handling result and completes the closed loop of this fault control.
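The master-station determination of paragraphs [0033] to [0035] and the edge-side execution of paragraphs [0036] to [0038], as an added example (not the patent's code). The patent publishes neither its fault comparison library nor its strategy library, so both are assumed lookup tables with constructed thresholds; the feature names, the load and tap values, and the rule that the edge rejects any command type outside its known set are likewise assumptions. The trust recomputation that follows execution is left out here.

```python
"""Master-station fault determination and edge-side command execution (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed fault comparison library. Entries are checked in order, so the
# higher-risk entry is listed first and wins when both match. Each feature in
# min_features must reach its value for the entry to match (constructed).
FAULT_LIBRARY: List[Dict] = [
    {"fault_type": "severe_local_overheating", "location": "main winding",
     "risk_level": 3, "min_features": {"hotspot_deviation": 0.6}},
    {"fault_type": "early_insulation_fault", "location": "main winding",
     "risk_level": 2, "min_features": {"hotspot_deviation": 0.3, "harmonic_ratio": 0.05}},
]

# Assumed handling strategy library keyed by (fault type, risk level).
STRATEGY_LIBRARY: Dict[tuple, Dict] = {
    ("severe_local_overheating", 3): {"type": "power_outage", "params": {}},
    ("early_insulation_fault", 2): {"type": "load_reduction",
                                    "params": {"target_load_kw": 600.0,
                                               "realtime_monitoring": True}},
}
MAINTAIN = {"type": "maintain", "params": {}}


def determine_fault(features: Dict[str, float]) -> Optional[Dict]:
    """Compare extracted features against the library; None means no fault."""
    for entry in FAULT_LIBRARY:
        if all(features.get(k, 0.0) >= v for k, v in entry["min_features"].items()):
            return {k: entry[k] for k in ("fault_type", "location", "risk_level")}
    return None


def generate_command(determination: Optional[Dict]) -> Dict:
    """Match the determination to the strategy library; hold state otherwise."""
    if determination is None:
        return dict(MAINTAIN)
    strategy = STRATEGY_LIBRARY.get((determination["fault_type"], determination["risk_level"]))
    if strategy is None:
        return dict(MAINTAIN)   # no strategy defined: keep current state
    return {"type": strategy["type"], "params": dict(strategy["params"]),
            "fault": determination}


ALLOWED_COMMANDS = {"load_reduction", "heat_dissipation", "power_outage", "maintain"}


@dataclass
class EdgeDevice:
    """Edge-side control modules for one transformer (constructed initial state)."""
    tap_position: int = 5
    load_kw: float = 800.0
    cooling_on: bool = False
    breaker_closed: bool = True
    realtime_monitoring: bool = False

    def execute(self, cmd: Dict) -> Dict:
        """Parse the command, validate it, invoke the matching control module."""
        kind = cmd.get("type")
        if kind not in ALLOWED_COMMANDS:
            return {"status": "rejected", "reason": f"unknown command type {kind!r}"}
        params = cmd.get("params", {})
        if kind == "load_reduction":
            target = params.get("target_load_kw")
            # A reduction target must be a number below the present load.
            if not isinstance(target, (int, float)) or not 0 <= target < self.load_kw:
                return {"status": "rejected", "reason": "target load out of range"}
            self.tap_position -= 1            # voltage regulation module
            self.load_kw = float(target)
            self.realtime_monitoring = bool(params.get("realtime_monitoring", False))
        elif kind == "heat_dissipation":
            self.cooling_on = True            # auxiliary heat dissipation device
        elif kind == "power_outage":
            self.breaker_closed = False       # isolate the fault
            self.load_kw = 0.0
        # "maintain": existing operating parameters are left unchanged
        return {"status": "executed", "command": kind,
                "state": {"tap": self.tap_position, "load_kw": self.load_kw,
                          "cooling_on": self.cooling_on,
                          "breaker_closed": self.breaker_closed}}


if __name__ == "__main__":
    features = {"hotspot_deviation": 0.35, "harmonic_ratio": 0.07}   # constructed
    command = generate_command(determine_fault(features))
    print(command, EdgeDevice().execute(command))
```

Validating the command on the edge before invoking a control module keeps the master station's authority bounded by what the device was built to do: an unrecognized type or an out-of-range parameter is refused and reported back rather than acted on.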

[0039] Example 2. The above is the zero-trust dynamic access control protection method for the power edge side provided in the embodiments of this application. The following is the zero-trust dynamic access control protection system for the power edge side provided in the embodiments of this application.

[0040] A zero-trust dynamic access control protection system for the power edge includes: the power edge side, which performs initial trust assessment on multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal; establishes a communication connection based on communication connection authorization instructions and sends the multimodal heterogeneous feature data to the power master station terminal; and performs corresponding operations based on control instructions. The power master station terminal is used to verify access requests. If the verification is successful, it generates a communication connection authorization command and sends it to the power edge side. It also performs fault type determination processing on multimodal heterogeneous feature data and generates control commands to send to the power edge side.

[0041] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the system and unit described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0042] The above-described embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A zero-trust dynamic access control protection method for the power edge side, characterized in that it includes the following steps: S101. The power edge side performs an initial trust assessment on the multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal. S102. The power master station terminal verifies the access request. If the verification is successful, it generates a communication connection authorization instruction and sends it to the power edge side. S103. The power edge side establishes a communication connection based on the communication connection authorization command and sends multimodal heterogeneous feature data to the power master station terminal. S104. The power master station terminal performs fault type determination processing on the multimodal heterogeneous characteristic data and generates control commands to send to the power edge side. S105. The power edge side performs corresponding operations based on control commands.

2. The zero-trust dynamic access control protection method for the power edge side according to claim 1, characterized in that step S101 includes the following steps: Trust assessment is performed on multimodal heterogeneous data at the power edge to obtain the trust level of each modality. The overall initial trust level of the power edge side is determined based on the trust level of each modality of data; If the initial trust level of the power edge is greater than the set trust threshold, feature extraction processing is performed on the multimodal heterogeneous data, and an access request is generated and sent to the power master station; otherwise, feature extraction processing and access request generation are not performed on the multimodal heterogeneous data.

3. The zero-trust dynamic access control protection method for the power edge side according to claim 2, characterized in that, when the initial overall trust level at the power edge exceeds a set trust threshold, the power edge performs feature extraction processing on the multimodal heterogeneous data, including the following steps: Key features are extracted from each type of preprocessed heterogeneous data. For voltage, current, and power electrical operation monitoring data, extract statistical characteristics such as amplitude fluctuation, harmonic ratio, and power deviation; For environmental monitoring data on temperature, humidity, and abnormal gas concentration, extract the trend characteristics of parameter change rate, duration of exceeding limits, and degree of deviation from the benchmark value; For equipment vibration monitoring data, extract the proportion of vibration energy and fault correlation features of characteristic frequency amplitude under different frequency bands; For equipment appearance images and infrared images, lightweight convolutional neural networks are used to extract image features of equipment appearance deformation and temperature anomaly distribution. The extracted multimodal key features are fused and stitched together to obtain multimodal heterogeneous feature data of the power edge side.

4. The zero-trust dynamic access control protection method for the power edge side according to claim 2, characterized in that, when the initial trust level of the power edge side is greater than the set trust threshold, the power edge side generates an access request based on the multimodal heterogeneous data feature extraction processing results and sends it to the power master station, including the following steps: Access requests are generated by encapsulating multimodal heterogeneous feature data. The access requests carry the unique identity of the edge node, the comprehensive initial trust value, and the extracted multimodal feature data set. The encapsulated access request is sent to the power master station terminal through the dedicated power dispatch transmission channel, and the system waits for verification feedback from the master station.

5. The zero-trust dynamic access control protection method for the power edge side according to claim 1, characterized in that step S102 includes the following steps: Based on the full-dimensional status feature set carried in the access request, the system matches the preset power edge node identity verification rules and abnormal risk level classification standards to complete the dual verification of identity legitimacy and risk level. If the verification is successful, a dynamic connection authorization with corresponding permissions is generated according to the judgment requirements applied for by the edge node, and the communication connection authorization instruction is sent to the power edge side to establish an on-demand encrypted communication connection between the edge node and the main station. If the verification fails, a connection rejection command is returned directly, blocking the current communication.

6. The zero-trust dynamic access control protection method for the power edge side according to claim 1, characterized in that step S103 includes the following steps: Receive and parse the communication connection authorization command sent by the power master station terminal to obtain the authorized access scope and encrypted communication key; Based on the obtained key and permission information, establish an encrypted communication connection with the power master station terminal with corresponding permissions; The preprocessed and fused multimodal heterogeneous feature data of the power edge side is encapsulated in a format and then sent to the power master station terminal through an encrypted channel. During the communication connection maintenance period, at each preset dynamic evaluation cycle, the comprehensive trust level of the latest multimodal heterogeneous data is recalculated, and the updated comprehensive trust level is synchronously sent to the power master station terminal for the master station to dynamically adjust access permissions. If the overall trust level after synchronization and update is lower than the preset threshold, the power edge side automatically terminates the current communication connection and actively disconnects the encrypted channel to avoid the risk of unauthorized access.

7. The zero-trust dynamic access control protection method for the power edge side according to claim 6, characterized in that, during the communication connection maintenance period, at preset dynamic evaluation intervals, the comprehensive trust level of the latest multimodal heterogeneous data is recalculated, and the updated comprehensive trust level is synchronously sent to the power master station terminal for the master station to dynamically adjust access permissions, including the following steps: Within each dynamic assessment cycle, the latest multimodal heterogeneous data from the power edge side of the current cycle is re-collected; the trust level of each modality data is recalculated according to the same rules as the initial trust level assessment, thereby obtaining the updated comprehensive trust level of the power edge side. The updated overall trust level is compared with the preset threshold. If the updated overall trust level is still higher than the threshold, the current communication connection and access permissions are maintained, and the update result is synchronized to the main station terminal. If the updated overall trust level is lower than the threshold, a disconnection request is immediately sent to the main station terminal, then the current encrypted communication connection is actively terminated, the data transmission channel is closed, and the dynamic assessment disconnection event is logged for future reference.

8. The zero-trust dynamic access control protection method for the power edge side according to claim 1, characterized in that step S104 includes the following steps: Based on the fault type comparison library, fault feature comparison processing is performed on multimodal heterogeneous feature data, and the results of fault location, fault type and fault risk level are output. Based on the obtained fault determination results, a preset fault handling strategy library is matched to generate control instructions for the corresponding handling actions; Control commands are sent to the power edge via the established encrypted communication channel, and the power edge performs the corresponding control operations. If the fault determination confirms that there is no abnormal fault, a control command to maintain the current operating state is generated and returned to the power edge side.

9. The zero-trust dynamic access control protection method for the power edge side according to claim 1, characterized in that step S105 includes the following steps: Receive and parse control commands sent by the power master station terminal, and extract the corresponding control operation type and parameter requirements of the commands; According to the instructions, the corresponding control module on the edge side is invoked to perform the specified operation: if it is a load reduction instruction, the load power is reduced by adjusting the transformer tap position or cutting off the load through the voltage regulation module; if it is a heat dissipation instruction, the auxiliary heat dissipation device of the equipment is started to improve the heat dissipation efficiency; if it is a power failure control instruction, the power supply switch of the corresponding equipment is disconnected to isolate the fault; if it is a maintain operation instruction, the existing operating parameters are not changed. After the corresponding operation is performed, multimodal monitoring data is collected, the overall trust level is recalculated, and the operation results and the updated trust level are fed back to the power master station terminal to complete the closed loop of this handling process.

10. A zero-trust dynamic access control protection system for the power edge, used to implement the zero-trust dynamic access control protection method for the power edge as described in any one of claims 1-9, characterized in that it includes: the power edge side, which is used to perform initial trust assessment processing on multimodal heterogeneous data to determine whether to generate an access request and send it to the power master station terminal; to establish a communication connection based on communication connection authorization instructions and send multimodal heterogeneous feature data to the power master station terminal; and to perform corresponding operations based on control commands; and the power master station terminal, which is used to verify access requests and, if the verification is successful, generate a communication connection authorization command and send it to the power edge side, and to determine the fault type from the multimodal heterogeneous characteristic data and generate control commands to send to the power edge.