A power information physical system active defense method and system
By acquiring node status information in the power cyber-physical system and dynamically adjusting decoy deployment and operating system diversity configuration, the problem of poor defense effect in existing technologies is solved, and priority protection of key nodes and optimized use of resources are achieved, thereby improving the system's defense capabilities.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU UNIVERSITY
- Filing Date
- 2026-06-02
- Publication Date
- 2026-07-03
AI Technical Summary
Existing security measures for power cyber-physical systems are ineffective against zero-day vulnerability attacks, advanced persistent threats, and multi-stage penetration attacks. Furthermore, resource-constrained equipment struggles to support large-scale, high-cost security protection, and decoy deployments are easily identifiable. Overall, the effectiveness of the defense needs to be improved.
By acquiring the status information of system nodes, the target defense node set is dynamically determined and decoys are deployed. Combined with the diverse configurations of the operating system, key nodes are prioritized for protection. The decoy deployment strategy is optimized using a node-level Q-network model to reduce vulnerability and achieve dynamic adjustment of the defense strategy.
It improves the ability to lure and capture attackers, reduces the risk of attacks on critical nodes, optimizes the use of defense resources, enhances the adaptability to continuous reconnaissance and multi-round attacks, and improves the overall defense benefits.
Smart Images

Figure CN122339846A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security protection technology, and in particular to a proactive defense method and system for power cyber-physical systems. Background Technology
[0002] With the rapid development of technologies such as sensing, communication, computing, and automation, traditional power systems have gradually evolved into integrated power cyber-physical systems (CPS), which deeply integrate information networks and physical power grids. Through intelligent data acquisition, status monitoring, automated dispatching, and collaborative control, CPS have improved the operational efficiency and management level of power systems, becoming a crucial component of modern society's critical infrastructure. Because they widely serve key aspects such as energy production, transmission and distribution control, and end-user electricity management, cyberattacks can lead to service interruptions, equipment damage, and even widespread power supply anomalies. Therefore, the security protection of CPS is of paramount importance.
[0003] Existing security measures for power cyber-physical systems are typically static and passive, such as firewalls, signature-based intrusion detection systems, and fixed security policy configurations. While these methods are effective against known threats, they are significantly inadequate against zero-day attacks, advanced persistent threats, and multi-stage penetration attacks. Especially when attackers can continuously reconnoiter and analyze the system architecture, fixed defense deployments are easily identified and bypassed, leading to a gradual decline in defensive effectiveness.
[0004] On the other hand, devices in power cyber-physical systems (CPS) are typically characterized by limited resources, high heterogeneity, and large deployment scale. For devices such as smart meters, distribution terminals, and edge gateways, their computing power, storage capacity, bandwidth, and energy consumption budgets are limited, making it difficult to sustain large-scale, high-overhead security protection mechanisms for extended periods. Therefore, how to prioritize the protection of critical nodes, reduce the attack surface, and improve defense benefits under limited defense resources is a pressing issue that needs to be addressed in the proactive defense of power CPS.
[0005] In existing technologies, deception defense attracts attackers by deploying honeypots, decoy nodes, or emulation services, thereby achieving attack monitoring and capture. Mobile target defense, on the other hand, increases the difficulty for attackers to reconnoiter and exploit by dynamically changing system configurations, service attributes, or operating environments. While both methods have some effectiveness in network security protection, existing solutions typically suffer from the following problems: First, decoy deployment is mostly static, allowing attackers to identify and evade fixed decoy locations through long-term reconnaissance. Second, some solutions tend to deploy decoys on a large scale or even across all network nodes, or implement diversified modifications, resulting in high deployment complexity and maintenance costs, making them unsuitable for resource-constrained power cyber-physical systems. Third, existing solutions often fail to fully consider differences in node asset value, node vulnerability, and network topology, preventing limited defense resources from being prioritized for critical nodes requiring protection, thus hindering overall defense effectiveness.
[0006] Therefore, there is an urgent need to provide an active defense method and system for power cyber-physical systems. Under the condition of limited defense resources, it can combine decoy deployment and diverse configuration of operating systems to dynamically adjust the defense strategy according to the node status, improve the attack trapping capability, reduce the risk of attack on critical nodes, and take into account the defense overhead. Summary of the Invention
[0007] To address these issues, this invention provides a proactive defense method and system for power cyber-physical systems, which solves the aforementioned problems.
[0008] In a first aspect, the present invention provides an active defense method for a power cyber-physical system, comprising:
[0009] Obtain the current status information of each node in the power information physical system. The current status information includes at least the node's security status, node vulnerability, node asset value, node type, and node topology connection relationship.
[0010] Based on the current state information of each node, a target set of defense nodes is determined under the constraints of defense resources, and corresponding types of decoys are deployed for the nodes in the target set of defense nodes to lure and capture attack behaviors.
[0011] A target diverse node set is identified from real nodes that have never deployed decoys and are in a safe state, and operating system diversity configurations are implemented on the nodes in the target diverse node set to reduce the vulnerability of the nodes in the target diverse node set;
[0012] After completing the decoy deployment and the operating system diversity configuration, the security status and vulnerability of each node are updated according to the attack results to obtain the system status at the next moment.
[0013] Based on the updated system state, the determination of the target defense node set, decoy deployment, and operating system diversity configuration are repeatedly performed to achieve dynamic and proactive defense of the power cyber-physical system.
[0014] Furthermore, the current status information of each node also includes the type of decoy deployed by the node, the deployment status of the node's operating system, and the set of neighboring nodes; wherein, the node type includes at least one of server, routing and switching equipment, gateway equipment, and power terminal equipment.
[0015] Furthermore, determining the target defense node set based on the current state information of each node under the constraint of defense resources includes: calculating the defense benefit score corresponding to each node, wherein the defense benefit score is related to the asset value, vulnerability and topology parameters of the corresponding node; sorting each node according to the defense benefit score, and selecting a number of nodes with the highest scores as the target defense node set according to a preset number threshold.
[0016] Furthermore, the step of deploying corresponding types of decoys to the nodes in the target defense node set includes: deploying one of light, medium, and heavy decoys to different target defense nodes according to the asset value or importance of the target defense nodes; wherein, different types of decoys correspond to different attack capture capabilities and deployment costs.
[0017] Furthermore, determining the target diverse node set from real nodes that have never deployed decoys and are in a safe state includes: screening candidate nodes from nodes that have never deployed decoys and are in a safe state; calculating a comprehensive score based on the asset value and proximity centrality of the candidate nodes; and selecting several candidate nodes as the target diverse node set according to the comprehensive score.
[0018] Furthermore, implementing operating system diversity configuration for the nodes in the target diverse node set includes switching or replacing at least one of the operating system, kernel, or critical software stack of the target diverse nodes; and after implementing operating system diversity configuration, reducing the vulnerability parameters of the corresponding nodes according to a preset suppression ratio.
[0019] Furthermore, the process of determining the target defense node set is implemented through a reinforcement learning model; the reinforcement learning model takes the system state as input, outputs the defense benefit score corresponding to each node, and selects the target defense node set based on the defense benefit score; wherein, the reinforcement learning model is a node-level Q-network model.
[0020] Secondly, the present invention provides an active defense system for a power cyber-physical system, comprising:
[0021] The status acquisition module is used to acquire the current status information of each node in the power information physical system;
[0022] The decoy deployment decision module is used to determine the target defense node set based on the current status information of each node under the constraints of defense resources, and to deploy decoys of the corresponding type for the nodes in the target defense node set.
[0023] A diversity configuration module is used to determine a target diverse node set from real nodes that have not deployed decoys and are in a safe state, and to implement operating system diversity configuration on the nodes in the target diverse node set;
[0024] The state update module is used to update the security status and vulnerability of each node based on the attack results, and obtain the system state at the next moment.
[0025] The iterative control module is used to repeatedly execute decoy deployment and operating system diversity configuration based on the updated system state in order to achieve dynamic and proactive defense of the power cyber-physical system.
[0026] Thirdly, an electronic device is provided, comprising: at least one processor, and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the steps of the power cyber-physical system active defense method according to any embodiment of the present invention.
[0027] Fourthly, the present invention also provides a computer-readable storage medium having a computer program stored thereon, wherein when the program instructions are executed by a processor, the processor performs the steps of the active defense method for a power cyber-physical system according to any embodiment of the present invention.
[0028] The active defense method and system for power cyber-physical systems disclosed in this application have the following specific beneficial effects:
[0029] 1. This invention does not adopt a fixed and unchanging defense deployment method. Instead, it repeatedly executes target defense node determination, decoy deployment, and operating system diversity configuration based on changes in system state. This allows the defense strategy to be dynamically adjusted with changes in the offensive and defensive situation, enhancing its adaptability to continuous reconnaissance and multiple rounds of attacks.
[0030] 2. This invention does not implement full-coverage decoy deployment or comprehensive heterogeneous transformation of all nodes. Instead, it selects some nodes for priority protection based on node asset value, node vulnerability, and network topology characteristics, so that limited defense resources are prioritized for critical and high-risk nodes, thereby improving the overall defense benefits.
[0031] 3. On the one hand, this invention enhances the ability to lure and capture attackers by deploying different types of decoys on target defense nodes; on the other hand, it reduces node vulnerability and the risk of reusing homogeneous vulnerabilities by implementing diverse configurations of operating systems, kernels or key software stacks on some real nodes, thereby achieving a synergistic enhancement of decoy deployment and attack surface compression.
[0032] 4. When selecting target defense nodes and target diversified nodes, this invention comprehensively considers the node asset value, vulnerability, proximity centrality and topological parameters, so that key nodes are given priority protection, reducing the possibility of attackers carrying out lateral penetration and expanding the scope of attack through key nodes. Attached Figure Description
[0033] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0034] Figure 1 A flowchart illustrating an active defense method for a power cyber-physical system according to an embodiment of the present invention;
[0035] Figure 2 This is a training curve diagram of a defense strategy provided in an embodiment of the present invention;
[0036] Figure 3 This is a performance comparison chart of a defense strategy provided in an embodiment of the present invention.
[0037] Figure 4 A structural block diagram of an active defense system for a power cyber-physical system provided in an embodiment of the present invention;
[0038] Figure 5 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. Detailed Implementation
[0039] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0040] Please see Figure 1 The diagram illustrates a flowchart of an active defense method for a power cyber-physical system according to this application.
[0041] Example 1: This example provides an active defense method for a power cyber-physical system.
[0042] S101. Obtain the current status information of each node in the power information physical system.
[0043] To facilitate a unified description of the state of each node in the system, the information network of the power information physical system is abstracted as an undirected graph: G = (V, E); where V represents the set of nodes and E represents the set of edges formed by the connections between nodes.
[0044] At any time t, the attributes of node i can be represented as: ;
[0045] in, This represents the safe state of node i at time t; This represents the decoy deployment state of node i at time t; This represents the vulnerability of node i at time t; This represents the operating system deployment status of node i at time t; This represents the asset value of node i; Indicates the node type of node i; Let i represent the set of neighboring nodes of node i.
[0046] The state of the system at time t is composed of the attributes of all nodes, and can be represented as:
[0047] ;
[0048] Each node The attribute consists of two parts. To change dynamic attributes over time, As a relatively stable inherent property,
[0049] In one implementation, node vulnerability can be determined based on one or more of the following: the number of known vulnerabilities, average vulnerability score, exposed services, or historical intrusion records; node asset value can be determined based on the importance level of the power service, control privilege level, service interruption losses, or device role; node security status can be represented using discrete state coding. The aforementioned current status information can be obtained from asset management systems, vulnerability scanning systems, intrusion detection systems, host agents, configuration management systems, and network traffic probes.
[0050] S102. Based on the current state information, determine the set of target defense nodes under the constraints of defense resources.
[0051] When defense resources are limited, instead of deploying decoys on all nodes simultaneously, a subset of nodes is selected from all nodes as the target defense node set.
[0052] Let the action of the defender at time t be , where , is the set of defender actions. The defender selects K nodes to deploy decoys at the current moment, and K < N, that is:
[0053] ;
[0054] For each node , let be the Q-value of node , indicating the expected benefit that can be brought to the defender by selecting this node. The higher the Q-value, the more priority should be given to deploying decoys at this node in the current state. To obtain K < N nodes, the present invention adopts the Top-K rule to select the top K nodes with the highest Q-values to deploy decoys, that is:
[0055] ;
[0056] In one embodiment, it is necessary to calculate the score , that is, the Q-value, of each node i. Therefore, the present invention utilizes the idea of the Node-wise Q-Network model to independently calculate the Q-values of each node, and then uses the Top-K mechanism to select the top K nodes with the largest Q-values to deploy decoys. The advantage of this method is that it can reduce the combined action space to linear complexity. After calculating the scores of each node, the Q-value of the selected action can be defined as the sum of the Q-values of the selected nodes:
[0057] ;
[0058] The present invention adopts the node-wise Q-network to solve the optimal decoy deployment strategy of the defender. Let represent a neural network (online Q-network) with parameters θ, whose input is the current system state and node number, and the output is the Q-value of this node. Thus, the Q-value of the defender action is:
[0059] ;
[0060] According to the DQN algorithm, the loss function for training the neural network is as follows:
[0061] ;
[0062] where D is the experience replay buffer, and y is the target Q-value, which is calculated by the following formula:
[0063] ;
[0064] in For the target Q network. Each time U-step is updated, update once according to the following formula. :
[0065] .
[0066] S103. Deploy decoys of the corresponding type for the nodes in the target defense node set.
[0067] After determining the target set of defense nodes, decoys are deployed for each node in the set. The decoys are used to simulate real nodes, services, or resources to attract attackers to launch attacks and increase the probability of detecting attack behavior.
[0068] In this embodiment, the decoys include light decoys, medium decoys, and heavy decoys, denoted as L, M, and H, respectively. Different types of decoys correspond to different interaction capabilities, attack capture probabilities, and deployment costs.
[0069] In one implementation, based on the asset value of the target defense node Depending on the node's importance, light, medium, or heavy baits are deployed for different nodes. Higher node value results in more complex bait deployments. After deployment, the bait deployment status of node i is determined. Update to the corresponding bait type; when no bait is deployed, =0.
[0070] The probability that an attacker is captured by the decoy when attacking node i is denoted as . It is related to the decoy deployment state and can be represented as:
[0071] ;
[0072] S104. Construct an attacker target selection mechanism.
[0073] To describe the dynamic adversarial relationships during the defense process, an attacker target selection mechanism is constructed. When selecting an attack target, the attacker comprehensively considers the value of node assets, node availability, and network topology characteristics.
[0074] For node i, let This represents the number of vulnerabilities observed by the attacker at time t. Let represent the average of all vulnerability scores for node i, then the exploitability of node i is... It can be represented as:
[0075] ;
[0076] The structural factors of a node in a network topology include node centrality. Value of neighboring nodes Centrality of node i It can be represented as:
[0077] ;
[0078] in, Let i be the degree of node i. These are the weighting coefficients.
[0079] Value of neighboring nodes of node i It can be represented as:
[0080] ;
[0081] in, This represents the number of neighboring nodes of node i. These are the weighting coefficients.
[0082] In one implementation, the attacker constructs the probability of choosing to attack node i∈N based on the node's asset value, availability, centrality, and the value of its neighboring nodes. ;
[0083] To calculate using the Softmax function:
[0084] ;
[0085] in, To explore coefficients, the exploration and utilization of balancing strategies. When When the value approaches 0, the attacker's strategy is to randomly select nodes to attack. The larger the value, the more likely the attacker will choose the optimal attack node.
[0086] S105. Determine the probability of a successful attack and the relationship between node state transitions.
[0087] After an attacker launches an attack on a node, whether they can successfully compromise the target node depends on the node's vulnerability. Decoy deployment status and safety status Related.
[0088] Let the probability of a successful intrusion at time t be: :
[0089] ;
[0090] in, This represents the attacker's attack capability coefficient. Let be the vulnerability factor of node i. These are the decoy factors, and different types of decoys have different decoy factors.
[0091] After the attacker and defender perform their actions, the system updates to the new state. The state transition rules for each node are as follows:
[0092] 1. If node i is selected to deploy a decoy (i∈ Then its decoy deployment state becomes =1 (light bait) =2 (medium-sized bait), or =3 (Heavy Decoy), where the higher the node value, the more complex the decoys need to be deployed, and the stronger their ability to capture attacks. Furthermore, =0 indicates that the node has not yet deployed bait.
[0093] 2. If node i is currently in a safe state =0;
[0094] 2.1 If the node is attacked and no decoy has been deployed, the node will... The probability of becoming a damaged state =-1.
[0095] 2.2 If the node is attacked and a decoy has been deployed on it, the attacker will use... If the probability of being captured is high, the node will remain in a safe state. =0; If the attacker is not captured, it means the attacker has bypassed the decoy and can launch an attack on the real node i, then that node will... The probability of becoming a damaged state =-1.
[0096] 3. If node i is currently in a damaged state =-1 (meaning it has been compromised by an attacker). Due to existing security measures, this node uses p r The probability of returning to a safe state =0.
[0097] S106. Determine the target diverse node set from the real nodes.
[0098] After the decoys were deployed, in order to further reduce the system's attack surface, a selection of real nodes that had not deployed decoys and were in a secure state were configured with diverse operating systems.
[0099] At time t, let... This represents the set of nodes that have not deployed decoys and have not been compromised by attackers, with a selection of 1≤ ≤| Each node implements an operating system diversity strategy (i.e., changes to the operating system, kernel, or critical software stack of these nodes). The node selection strategy is as follows:
[0100] First, for each candidate node i∈ Calculate its overall score:
[0101] ;
[0102] in The value of candidate nodes, The proximity centrality of a node reflects its positional importance in the network topology, and is defined as follows:
[0103] ;
[0104] Where dist(i,j) represents the shortest distance between candidate nodes i and j. Based on the above scoring, the probability of each candidate node being selected is as follows:
[0105] ;
[0106] in Parameters for adjusting selection bias.
[0107] S107. Implement operating system diversity configuration for nodes in the target diverse node set and update node vulnerabilities.
[0108] After determining the target diverse node set, operating system diversity configuration is implemented on the selected nodes. The operating system diversity configuration includes at least one of the following: changing the operating system version, changing the kernel version, changing the critical software stack, or switching to different heterogeneous runtime templates.
[0109] In this implementation, multiple heterogeneous operation templates are pre-established for different types of nodes. For the selected target diversified node, the defense controller selects a target template different from the current configuration from the pre-set heterogeneous operation templates according to its service type, resource conditions, and compatibility requirements, and issues a switching command to the corresponding node.
[0110] After implementing diverse operating system configurations, node vulnerabilities will be suppressed, manifested as a proportional decrease in the vulnerability coefficient. The update rule is as follows:
[0111] .
[0112] S108. Update the system status based on the attack results of the nodes and repeat the active defense process.
[0113] After completing the decoy deployment and operating system diversity configuration, the attacker selects target nodes to launch an attack according to their attack strategy. The system updates the security status and related parameters of each node based on the attack results to obtain the system status at the next moment.
[0114] After obtaining the system state at the next moment, steps S102 to S108 are repeated to dynamically adjust the decoy deployment location and the operating system diversity configuration node according to the changes in system state, so as to realize dynamic active defense for power cyber-physical systems.
[0115] Example 2 further explains step S102 in Example 1, that is, it explains the process of determining the target defense node set.
[0116] Defenders will receive rewards when they perform a defensive action.
[0117] The defender's reward consists of three parts: the reward for capturing the attacker, the penalty for the node being compromised, and the cost of deploying decoys (different types of decoys have different costs), as shown in the following formula:
[0118] ;
[0119] in, , , Both are indicator functions. When the attacker is captured at node i... =1, otherwise, =0; when the attacker successfully compromises node i. =1, otherwise, =0; when the defender deploys a decoy at node i =1, otherwise =0. k, η, and λ are the reward weight coefficients. For the cost of decoy deployment, Depending on the type of bait .
[0120] At the same time, the targets for defenders will be optimized.
[0121] Given the defender's decoy deployment strategy π and the attacker's attack strategy, let ~ Let represent a trajectory (i.e., an episode) of interaction between the defender and the attacker. Then, the expected reward that the defender receives in this interaction is:
[0122] ;
[0123] Here, γ is a discount factor used to weigh the importance of current rewards against future rewards. Therefore, the defender's goal is to find the optimal defense strategy. To maximize the expected return, the objective function is:
[0124] ;
[0125] Here, Π represents the defender's strategy space.
[0126] In addition, attackers are also rewarded.
[0127] The attacker's reward equals the profit gained from successfully compromising the node minus the cost of carrying out the attack, as shown in the following formula:
[0128] ;
[0129] μ is the attack benefit coefficient. The fixed cost required for an attacker to launch an attack.
[0130] Example 3 further explains step S107 in Example 1, that is, it explains the specific implementation method of the operating system's diverse configuration.
[0131] In this embodiment, multiple heterogeneous running templates are pre-established for different types of nodes. These heterogeneous running templates include different operating system versions, different kernel versions, different combinations of key software stacks, or different running environment configurations.
[0132] When a real node is selected as a target diversity node, the defense controller selects a target template different from the current configuration from the preset heterogeneous operation templates based on the node's service type, resource conditions, and compatibility requirements, and issues a switch command to the node. Specific implementation methods include:
[0133] Switch server nodes to different versions of operating system images or kernel images;
[0134] Switch the gateway node to different firmware versions or different middleware combinations;
[0135] Switch containerized deployment nodes to different base images or service images;
[0136] Migrate virtualized nodes to different virtual machine templates.
[0137] After the switchover is complete, update the operating system deployment status of the nodes and update the node vulnerability parameters according to the rules described in step S107. Prioritizing the implementation of operating system diversity configurations on nodes with high asset value and high proximity centrality can reduce the risk of critical nodes suffering from homogeneous attacks and mass exploitation of vulnerabilities, and inhibit attackers from conducting lateral movement through critical nodes.
[0138] To verify the effectiveness of this invention, two strategies were tested in experiments: the node-level DQN strategy adopted in this invention, and a random strategy (i.e., randomly selecting K nodes from N nodes to deploy decoys and randomly selecting...). (Each node implements operating system diversity). Evaluation metrics use the defender's expected return. (Expected Return) A higher expected return indicates a better overall effect in terms of improving attack capture success rate, reducing attack risk, and controlling deployment costs.
[0139] like Figure 2 As shown, Figure 2 The training curves for the defender's strategy are shown. The solid line represents the average value across multiple training iterations, and the shaded area represents the variance across multiple training iterations. As training progresses, the average expected reward continuously increases and gradually converges to a stationary state, indicating that the model can stably learn to "deploy decoys in more suitable locations" to obtain higher expected rewards.
[0140] After completing the training of the defense strategy, the defense strategy is applied to multiple new episodes to obtain... Figure 3 The performance comparison curves are shown in the figure. As can be seen from the figure, the expected return of the node-level DQN strategy is significantly higher than that of the random strategy. This further illustrates that the dynamic adaptive deployment strategy can maintain a stable advantage in multiple rounds of confrontation in terms of improving the success rate of attack capture, reducing the risk of attack, and controlling deployment costs. In contrast, random deployment cannot consistently invest limited resources in the nodes that "most need protection at the current moment", resulting in poor defense performance.
[0141] Please see Figure 4 The diagram shows a structural block diagram of an active defense system for a power cyber-physical system according to this application.
[0142] like Figure 4 As shown, an active defense system for a power cyber-physical system includes: a status acquisition module 200, a decoy deployment decision module 210, a diversity configuration module 220, a status update module 230, and an iterative control module 240.
[0143] Among them, the status acquisition module 200 is used to acquire the current status information of each node in the power information physical system;
[0144] The decoy deployment decision module 210 is used to determine the target defense node set based on the current status information of each node under the constraint of defense resources, and to deploy decoys of the corresponding type for the nodes in the target defense node set.
[0145] The diversity configuration module 220 is used to determine the target diverse node set from real nodes that have not deployed decoys and are in a safe state, and to implement operating system diversity configuration on the nodes in the target diverse node set;
[0146] The state update module 230 is used to update the security status and vulnerability of each node based on the attack results, and obtain the system state at the next moment.
[0147] The iterative control module 240 is used to repeatedly execute decoy deployment and operating system diversity configuration based on the updated system state to achieve dynamic active defense against the power cyber-physical system.
[0148] It should be understood that Figure 4 The modules and references described in the document Figure 1 The steps described in the text correspond to those in the method described above. Therefore, the operations, features, and corresponding technical effects described above also apply to the method described in the text. Figure 4 The various modules in the document will not be described in detail here.
[0149] In other embodiments, the present invention also provides a computer-readable storage medium having a computer program stored thereon, wherein when the program instructions are executed by a processor, the processor performs the active defense method for the power cyber-physical system in any of the above method embodiments.
[0150] Obtain the current status information of each node in the power information physical system. The current status information includes at least the node's security status, node vulnerability, node asset value, node type, and node topology connection relationship.
[0151] Based on the current state information of each node, a target set of defense nodes is determined under the constraints of defense resources, and corresponding types of decoys are deployed for the nodes in the target set of defense nodes to lure and capture attack behaviors.
[0152] A target diverse node set is identified from real nodes that have never deployed decoys and are in a safe state, and operating system diversity configurations are implemented on the nodes in the target diverse node set to reduce the vulnerability of the nodes in the target diverse node set;
[0153] After completing the decoy deployment and the operating system diversity configuration, the security status and vulnerability of each node are updated according to the attack results to obtain the system status at the next moment.
[0154] Based on the updated system state, the determination of the target defense node set, decoy deployment, and operating system diversity configuration are repeatedly performed to achieve dynamic and proactive defense of the power cyber-physical system.
[0155] Computer-readable storage media may include a stored program area and a stored data area, wherein the stored program area may store an operating system and an application program required for at least one function; the stored data area may store data created based on the use of the power cyber-physical system's active defense system, etc. Furthermore, the computer-readable storage medium may include high-speed random access memory, and may also include memory, such as at least one disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the computer-readable storage medium may optionally include memory remotely disposed relative to a processor, and these remote memories may be connected to the power cyber-physical system's active defense system via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0156] Figure 5 This is a schematic diagram of the structure of the electronic device provided in the embodiment of the present invention, such as... Figure 5 As shown, the device includes a processor 310 and a memory 320. The electronic device may also include an input device 330 and an output device 340. The processor 310, memory 320, input device 330, and output device 340 can be connected via a bus or other means. Figure 5 Taking a bus connection as an example, the memory 320 is the computer-readable storage medium described above. The processor 310 executes various server functions and data processing by running non-volatile software programs, instructions, and modules stored in the memory 320, thereby implementing the active defense method for the power information physical system described in the above embodiment. The input device 330 can receive input digital or character information and generate key signal inputs related to user settings and function control of the power information physical system active defense system. The output device 340 may include a display screen or other display device.
[0157] The aforementioned electronic device can execute the method provided in the embodiments of the present invention, and has the corresponding functional modules and beneficial effects for executing the method. Technical details not described in detail in this embodiment can be found in the method provided in the embodiments of the present invention.
[0158] In one implementation, the above-described electronic device is applied in a power cyber-physical system active defense system for a client, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to:
[0159] Obtain the current status information of each node in the power information physical system. The current status information includes at least the node's security status, node vulnerability, node asset value, node type, and node topology connection relationship.
[0160] Based on the current state information of each node, a target set of defense nodes is determined under the constraints of defense resources, and corresponding types of decoys are deployed for the nodes in the target set of defense nodes to lure and capture attack behaviors.
[0161] A target diverse node set is identified from real nodes that have never deployed decoys and are in a safe state, and operating system diversity configurations are implemented on the nodes in the target diverse node set to reduce the vulnerability of the nodes in the target diverse node set;
[0162] After completing the decoy deployment and the operating system diversity configuration, the security status and vulnerability of each node are updated according to the attack results to obtain the system status at the next moment.
[0163] Based on the updated system state, the determination of the target defense node set, decoy deployment, and operating system diversity configuration are repeatedly performed to achieve dynamic and proactive defense of the power cyber-physical system.
[0164] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.
[0165] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A proactive defense method for a power cyber-physical system, characterized in that, include: Obtain the current status information of each node in the power information physical system. The current status information includes at least the node's security status, node vulnerability, node asset value, node type, and node topology connection relationship. Based on the current state information of each node, a target set of defense nodes is determined under the constraints of defense resources, and corresponding types of decoys are deployed for the nodes in the target set of defense nodes to lure and capture attack behaviors. A target diverse node set is identified from real nodes that have never deployed decoys and are in a safe state, and operating system diversity configurations are implemented on the nodes in the target diverse node set to reduce the vulnerability of the nodes in the target diverse node set; After completing the decoy deployment and the diverse configuration of the operating system, the security status and vulnerability of each node are updated according to the attack results of the nodes to obtain the system status at the next moment. Based on the updated system state, the determination of the target defense node set, decoy deployment, and operating system diversity configuration are repeatedly performed to achieve dynamic and proactive defense of the power cyber-physical system.
2. The active defense method for a power information physical system according to claim 1, characterized in that, The current status information of each node also includes the type of decoy deployed by the node, the deployment status of the node's operating system, and the set of neighboring nodes; The node type includes at least one of server, routing and switching equipment, gateway equipment, and power terminal equipment.
3. The active defense method for a power cyber-physical system according to claim 1, characterized in that, The determination of the target defense node set based on the current state information of each node, under the constraints of defense resources, includes: Calculate the defense benefit score for each node, which is related to the asset value, vulnerability, and topology parameters of the corresponding node. The nodes are sorted according to the defense benefit score, and the nodes with the highest scores are selected as the target defense node set according to a preset number threshold.
4. The active defense method for a power information physical system according to claim 1, characterized in that, Deploying decoys of the corresponding type for nodes in the target defense node set includes: Based on the asset value or importance of the target defense node, deploy one of the following types of decoys: light, medium, and heavy. Different types of decoys correspond to different attack capture capabilities and deployment costs.
5. The active defense method for a power cyber-physical system according to claim 1, characterized in that, The diverse set of target nodes identified from the real nodes that have never deployed decoys and are in a safe state includes: Candidate nodes are selected from those nodes that have never deployed decoys and are in a safe state; A comprehensive score is calculated based on the asset value and proximity centrality of the candidate nodes. Based on the comprehensive score, several candidate nodes are selected as the target diversified node set.
6. The active defense method for a power cyber-physical system according to claim 1, characterized in that, Implementing operating system diversity configuration for nodes in the target diverse node set includes switching or replacing at least one of the operating system, kernel, or key software stack of the target diverse nodes. After implementing the operating system diversity configuration, the vulnerability parameters of the corresponding nodes are reduced according to the preset suppression ratio.
7. The active defense method for a power cyber-physical system according to claim 1, characterized in that, The process of determining the target defense node set is implemented through a reinforcement learning model; The reinforcement learning model takes the system state as input, outputs the defense benefit score corresponding to each node, and selects the target defense node set based on the defense benefit score. The reinforcement learning model is a node-level Q-network model.
8. A power cyber-physical system active defense system, the system being used to implement the method according to any one of claims 1 to 7, characterized in that, include: The status acquisition module is used to acquire the current status information of each node in the power information physical system; The decoy deployment decision module is used to determine the target defense node set based on the current status information of each node under the constraints of defense resources, and to deploy decoys of the corresponding type for the nodes in the target defense node set. A diversity configuration module is used to determine a target diverse node set from real nodes that have not deployed decoys and are in a safe state, and to implement operating system diversity configuration on the nodes in the target diverse node set; The state update module is used to update the security status and vulnerability of each node based on the attack results, and obtain the system state at the next moment. The iterative control module is used to repeatedly execute decoy deployment and operating system diversity configuration based on the updated system state in order to achieve dynamic and proactive defense of the power cyber-physical system.
9. An electronic device, characterized in that, include: At least one processor, and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method according to any one of claims 1 to 7.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the method according to any one of claims 1 to 7.