Power internet of things-oriented high-concealment attack identification method and system, and medium

By constructing dynamic heterogeneous behavior graphs and using graph neural network analysis, the problem of identifying highly covert attacks in the power Internet of Things was solved, achieving accurate identification of highly covert attacks and generating interpretable traceability reports, thus improving detection accuracy and reliability.

CN122348844APending Publication Date: 2026-07-07INFORMATION & COMM BRANCH OF STATE GRID JIANGSU ELECTRIC POWER +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INFORMATION & COMM BRANCH OF STATE GRID JIANGSU ELECTRIC POWER
Filing Date
2026-04-09
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing network security detection technologies cannot effectively identify highly covert attacks in the power Internet of Things, lack interpretability, are difficult to reconstruct attack paths, and are not adapted to the semantics of power business.

Method used

By collecting logs from power IoT devices, a dynamic heterogeneous behavior graph is constructed. Anomaly significance scores are calculated using a graph autoencoder, and combined with graph neural network analysis, a structured traceability report is generated, which includes a timeline, business semantic explanation, and confidence level.

Benefits of technology

It accurately identifies highly covert attacks, generates interpretable and structured attribution reports, improves attack detection accuracy, reduces false positives, and ensures accurate and reliable reconstruction of attack paths.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122348844A_ABST
    Figure CN122348844A_ABST
Patent Text Reader

Abstract

The application discloses a kind of high concealment attack identification method, system and medium for power internet of things.The method comprises: collecting the equipment operation log of power internet of things, extracting interactive data from equipment operation log and structured as five-tuple interactive data, based on five-tuple interactive data to build dynamic heterogeneous behavior graph, input dynamic heterogeneous behavior graph into pre-trained graph auto-encoder, obtain the embedding vector of each node, based on the difference between embedding vector and its reconstruction representation to calculate the abnormal prominence score of each node;Based on abnormal prominence score and preset abnormal threshold value, candidate abnormal nodes are screened, and candidate abnormal nodes form key subgraph based on it;Key subgraph is input into pre-trained graph neural network model, the importance score of each edge in key subgraph is calculated, key edge is screened, and the minimum attack propagation path is constructed in combination with the time stamp of key edge.The application has obtained the beneficial effects of improving high concealment attack detection rate, reducing false positive rate and accurately restoring attack propagation path.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a method, system and medium for identifying highly covert attacks in the power Internet of Things. Background Technology

[0002] With the accelerated construction of new power systems, a massive number of embedded terminals, such as distributed photovoltaics, smart meters, non-industrial air conditioners, and energy storage devices, are widely connected to the power grid, forming a highly open, heterogeneous, and dynamic Power Internet of Things (PIoT). While these systems improve energy efficiency, they also expose serious cybersecurity risks, especially facing highly covert attacks such as advanced persistent threats (APTs), supply chain poisoning, and remote command tampering. Existing cybersecurity detection technologies mainly suffer from the following three shortcomings: 1) Detection results lack interpretability, and alerts are unreliable; 2) Cross-device attack paths are difficult to reconstruct, and there is a lack of structured evidence chains; 3) Existing interpretable AI methods are not adapted to the semantics of power business.

[0003] In summary, there is an urgent need for a technical solution that can automatically reconstruct the real attack path from massive heterogeneous traffic and generate a structured tracing report that includes a timeline, key operations, business semantic explanations, and confidence levels, in order to solve the industry pain point of highly covert attacks being "visible but inaccurate to judge and unclear to trace". Summary of the Invention

[0004] This invention provides a method, system, and medium for identifying highly covert attacks in the power Internet of Things, enabling a leap from anomaly detection to credible evidence generation, and significantly improving the response efficiency and decision reliability of power safety operation and maintenance.

[0005] According to one aspect of the present invention, a method for identifying highly covert attacks in the power Internet of Things is provided, the method comprising: Collect device operation logs from the power Internet of Things, and extract interactive data from the device operation logs; The interaction data is structured into quintuple interaction data, and a dynamic heterogeneous behavior graph is constructed based on the quintuple interaction data. The dynamic heterogeneous behavior graph is input into a pre-trained graph autoencoder to obtain the embedding vector of each node, and the anomaly saliency score of each node is calculated based on the difference between the embedding vector and its reconstructed representation. The dynamic heterogeneous behavior graph contains multiple types of nodes and multiple types of directed edges with timestamps. Candidate abnormal nodes are selected based on the anomaly significance score and the preset anomaly threshold, and key subgraphs are constructed based on the candidate abnormal nodes; The key subgraph is input into a pre-trained graph neural network model, and the importance score of each edge in the key subgraph is calculated based on the interpretable graph analysis algorithm of edge masking, mutual information maximization and sparsity regularization. The graph neural network model is obtained by training a pre-built basic graph convolutional network model with normal business traffic data and labeled attack pattern data of the power Internet of Things. Key edges are selected based on the importance scores, and the minimum attack propagation path is constructed by combining the timestamps of the key edges.

[0006] Furthermore, the node is a source entity or target entity in the power Internet of Things, the directed edge is an interaction event in the power Internet of Things, and the five-tuple interaction data includes source entity, target entity, interaction type, timestamp, and payload characteristics.

[0007] Further, the step of constructing a dynamic heterogeneous behavior graph based on the interaction data, determining the embedding vector of each node in the dynamic heterogeneous behavior graph, and calculating the anomaly salience score of each node includes: The dynamic heterogeneous behavior graph is input into a pre-trained graph autoencoder model. The encoder of the graph autoencoder model generates embedding vectors for each node, and the decoder of the graph autoencoder model generates a reconstructed representation corresponding to the embedding vectors. Based on the embedding vector of each node and its corresponding reconstructed representation, the anomaly saliency score of each node is calculated using the vector norm.

[0008] Furthermore, the anomaly significance score for each node is calculated using the following formula: ; in, The abnormal significance score, Represents the embedding vector of a node. This represents the reconstructed representation corresponding to the embedding vector. The norm of a vector Let be the Euclidean distance between the node's embedding vector and its reconstructed vector.

[0009] Furthermore, before inputting the dynamic heterogeneous behavior graph into the pre-trained graph autoencoder model, an unsupervised pre-training step for the graph autoencoder is also included, specifically: The dynamic heterogeneous behavior graph constructed using normal business traffic of the power Internet of Things is used as the training sample; The training samples are input into the graph autoencoder, the encoder outputs node embedding vectors, and the decoder generates a reconstructed representation based on the node embedding vectors. Using mean squared error as the loss function, the mean squared error between the node embedding vector and the corresponding reconstructed representation is minimized to complete unsupervised pre-training, enabling the graph autoencoder to learn the normal behavior patterns of power Internet of Things devices.

[0010] Further, the step of filtering candidate abnormal nodes based on the anomaly significance score and a preset anomaly threshold, and constructing a key subgraph based on the candidate abnormal nodes, includes: The anomaly significance score of each node is compared with a preset anomaly threshold adaptively set based on a sliding time window, and the nodes whose anomaly significance scores exceed the preset anomaly threshold are determined as the candidate anomaly nodes. Centered on the candidate abnormal node, extract all nodes and edges within its preset hop count neighborhood, retain the timestamp, interaction type, and load feature attributes of the edges, and construct the key subgraph.

[0011] Furthermore, the step of filtering key edges based on the importance score and constructing the minimum attack propagation path by combining the timestamps of the key edges includes: Edges whose importance score is higher than a preset importance score threshold are identified as critical edges; wherein, the preset importance score threshold is a fixed value or dynamically set according to the edge importance scores in historical attack events; The key edges are arranged in ascending order by timestamp to construct a minimum set of directed edges that can cover the formation process of the anomaly salience of candidate abnormal nodes. The minimum set of directed edges is then determined as the minimum attack propagation path.

[0012] Furthermore, after constructing the minimum attack propagation path, the method further includes: performing business semantic mapping and interpretation on the minimum attack propagation path based on a predefined power business semantic rule base to generate an attack tracing report. The power business semantic rule base includes technical feature matching conditions, business semantic interpretation templates, and risk level assessment standards.

[0013] Furthermore, the minimum attack propagation path is mapped and interpreted using business semantics based on a predefined power business semantic rule base to generate an attack tracing report, including: The interaction type, load characteristics, timestamp, and importance score of each side in the minimum attack propagation path are matched with the technical feature matching conditions in the power business semantic rule base. The matched rules are filtered by priority, and the corresponding business semantic interpretation template is called to perform business semantic conversion on the key operations in the attack path, and the technical interaction features are converted into natural language interpretation in the power business scenario. The attack risk level is determined based on the preset risk level assessment criteria, and the overall attack confidence score is calculated by combining the importance score and time weight of each propagation jump. Generate a structured and explainable attack attribution report, which includes the attack origin node identifier, a list of propagation paths arranged in ascending order of time, importance scores for each propagation jump, natural language explanation of power business semantics, attack risk level, and overall attack confidence score.

[0014] Furthermore, the attack attribution report includes the attack origin node identifier, a list of propagation paths arranged in ascending order of time, importance scores for each propagation jump, natural language explanations of key operations in power business semantics, attack risk level, and overall attack confidence score.

[0015] According to another aspect of the present invention, a highly covert attack identification system for the power Internet of Things is provided, the system comprising: An interactive data extraction module is used to collect device operation logs of the power Internet of Things and extract interactive data from the device operation logs. The saliency score calculation module is used to structure the interaction data into quintuple interaction data, construct a dynamic heterogeneous behavior graph based on the quintuple interaction data, input the dynamic heterogeneous behavior graph into a pre-trained graph autoencoder to obtain the embedding vector of each node, and calculate the anomaly saliency score of each node based on the difference between the embedding vector and its reconstructed representation; wherein, the dynamic heterogeneous behavior graph contains multiple types of nodes and multiple types of directed edges with timestamps; The key subgraph construction module is used to filter candidate abnormal nodes based on the abnormality significance score and the preset abnormality threshold, and to construct a key subgraph based on the candidate abnormal nodes. The importance score calculation module is used to input the key subgraph into a pre-trained graph neural network model and calculate the importance score of each edge in the key subgraph based on the interpretable graph analysis algorithm of edge masking, mutual information maximization and sparsity regularization; wherein, the graph neural network model is obtained by training a pre-built basic graph convolutional network model with normal business traffic data and labeled attack pattern data of the power Internet of Things. The propagation path construction module is used to filter key edges based on the importance score and construct the minimum attack propagation path by combining the timestamps of the key edges.

[0016] Furthermore, the system also includes: The report generation module is used to perform business semantic mapping and interpretation on the minimum attack propagation path based on a predefined power business semantic rule base after the minimum attack propagation path is constructed, so as to generate an attack tracing report.

[0017] Furthermore, the report generation module includes: The matching unit is used to match the interaction type, load characteristics, timestamp and importance score of each side in the minimum attack propagation path with the technical feature matching conditions in the power business semantic rule base. The semantic conversion unit is used to filter the matched rules according to priority and call the corresponding business semantic interpretation template to perform business semantic conversion on the key operations in the attack path, and convert the technical interaction features into natural language interpretation in the power business scenario. The report generation unit is used to determine the attack risk level based on preset risk level assessment standards, and generate a structured and interpretable attack tracing report that includes the attack starting node identifier, a list of propagation paths arranged in ascending order of time, importance scores for each propagation jump, natural language explanation of power business semantics, attack risk level, and overall attack confidence score.

[0018] According to another aspect of the present invention, an electronic device is provided, the electronic device comprising: At least one processor; and memory that is communicatively connected to at least one processor; The memory stores a computer program that can be executed by at least one processor, which enables the at least one processor to execute the high-coverage attack identification method for the power Internet of Things according to any embodiment of the present invention.

[0019] According to another aspect of the present invention, a computer-readable storage medium is provided, which stores computer instructions for causing a processor to execute and implement a high-coverage attack identification method for the power Internet of Things according to any embodiment of the present invention.

[0020] The beneficial effects of this invention are as follows: Compared with the prior art, this invention, through multi-source data acquisition and five-tuple structured processing, dynamic heterogeneous behavior graph modeling and graph autoencoder anomaly detection, combined with adaptive dynamic threshold filtering, interpretable graph analysis and power business semantic mapping, can accurately identify highly covert attacks in the power Internet of Things and reconstruct the complete attack path. At the same time, it generates a structured traceability report with business interpretability, effectively improving the attack detection accuracy and reducing the false alarm rate. It solves the technical problem of inaccurate identification of highly covert attacks and achieves the beneficial effects of improving the detection rate of highly covert attacks, reducing the false alarm rate, accurately reconstructing the attack propagation path, and providing interpretable technical basis for attack identification.

[0021] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the invention. Other features of the invention will become readily apparent from the following description. Attached Figure Description

[0022] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0023] Figure 1 A flowchart illustrating a method for identifying highly covert attacks in the power Internet of Things, provided as an embodiment of the present invention; Figure 2 A flowchart illustrating another highly covert attack identification method for the power Internet of Things provided in this embodiment of the invention; Figure 3 A schematic diagram of a highly covert attack identification system for the power Internet of Things provided in this embodiment of the invention; Figure 4 A schematic diagram of the structure of an electronic device for implementing a highly covert attack identification method for the power Internet of Things according to an embodiment of the present invention. Detailed Implementation

[0024] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.

[0025] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0026] Figure 1This is a flowchart illustrating a method for identifying highly covert attacks in the power Internet of Things (IoT) according to an embodiment of the present invention. This embodiment is applicable to network security detection in the power IoT. The method can be executed by a highly covert attack identification system for the power IoT, which can be implemented in hardware and / or software and can be configured in an electronic device. Figure 1 As shown, the method specifically includes the following steps: S110. Collect the device operation logs of the power Internet of Things, and extract interactive data from the device operation logs.

[0027] Among them, the equipment operation log can be understood as the full behavioral record data generated by various physical / logical devices in the power Internet of Things during operation, communication and control; the interaction data can be understood as the characteristic data of communication, control and other interactive behaviors between various entities in the power Internet of Things.

[0028] Specifically, the system collects full operational logs from various devices in the power Internet of Things, such as smart meters, edge gateways, and maintenance terminals, covering records of communication operations, status changes, and command transmission and reception. The collected unstructured logs are parsed and cleaned to remove invalid and redundant information and filter out interactive data that characterizes the interaction behavior between devices.

[0029] Optionally, network traffic mirrors and device operation logs of the power IoT are collected. Interaction events are extracted from these data and structured into five-tuple data, including source entity, target entity, interaction type, timestamp, and payload characteristics. Specifically, from the two types of raw data sources—network traffic mirrors and device operation logs—data parsing, feature filtering, and redundancy removal are used to identify and extract a complete communication / control / operation behavior, i.e., an interaction event, between entities in the power IoT. For example, by using traffic packet capture and protocol parsing techniques, behaviors such as instruction sending and receiving, data transmission, and connection establishment between devices are filtered from network layer / application layer traffic, while invalid traffic such as broadcast packets, empty packets, and test packets is removed. Local operation logs of devices such as smart meters, edge gateways, and photovoltaic inverters are parsed to extract behaviors such as device instruction interaction, state change triggering, and remote operation execution, while log records with no interactive meaning, such as device self-checks, log heartbeats, and parameter queries, are removed. Each extracted interaction event is subjected to feature extraction, field mapping, and standardized encoding according to five fixed dimensions: source entity, target entity, interaction type, timestamp, and payload characteristics. This transforms the data into a unified format of five-tuple data, ensuring that interaction events from different protocols, devices, and formats have consistent analysis dimensions and achieving heterogeneous data normalization.

[0030] S120. The interaction data is structured into quintuple interaction data. A dynamic heterogeneous behavior graph is constructed based on the quintuple interaction data. The dynamic heterogeneous behavior graph is input into a pre-trained graph autoencoder to obtain the embedding vector of each node. The anomaly saliency score of each node is calculated based on the difference between the embedding vector and its reconstructed representation.

[0031] Interaction data can be understood as records of inter-device communication, command operations, and status interactions extracted from the operation logs of power IoT devices. Five-tuple interaction data can be understood as standardized data formatted according to source entity, target entity, interaction type, timestamp, and load characteristics. Dynamic heterogeneous behavior graphs can be understood as graph structures that represent temporal and multi-type device interaction relationships, with device entities as nodes and interaction events as directed edges with timestamps and attributes. Graph autoencoders can be understood as neural network models containing encoders and decoders, used for graph data feature learning and reconstruction. Embedding vectors can be understood as low-dimensional numerical vectors output by the encoder, used to represent the structural and behavioral features of nodes. Reconstructed representations can be understood as the node feature prediction results obtained by the decoder based on the embedded vectors. Anomaly significance scores can be understood as scores obtained by quantifying the difference between the embedded vectors and the reconstructed representations, used to measure the degree to which node behavior deviates from the normal pattern.

[0032] Specifically, the extracted interaction data is formatted into standardized quintuple interaction data. A dynamic heterogeneous behavior graph reflecting the temporal interaction relationships between devices is then constructed based on this quintuple data. Using the quintuple data as a basis, power IoT entities are mapped to multiple types of nodes, and interactions between entities are mapped to multiple types of directed edges with timestamps. A time-slot graph snapshot is generated using a sliding time window to construct the dynamic heterogeneous behavior graph. The behavior graph is then input into a graph autoencoder pre-trained with normal data. The encoder outputs node embedding vectors, and the decoder generates corresponding reconstructed representations. This model possesses feature extraction and anomaly detection capabilities. The model consists of a cascaded encoder and decoder. The encoder inputs graph data, performs multi-layer graph convolution operations, and outputs node embedding vectors. The decoder inputs the embedding vectors and outputs reconstructed representations. By calculating the second norm of the embedding vectors and the reconstructed representations, the anomaly significance score of each node is obtained, thus quantifying the degree of node anomaly.

[0033] Optionally, the dynamic heterogeneous behavior graph includes multiple types of nodes and multiple types of directed edges with timestamps. The nodes are source entities or target entities in the power Internet of Things, and the directed edges are interaction events in the power Internet of Things. The quintuple interaction data includes source entity, target entity, interaction type, timestamp, and load characteristics.

[0034] In this context, the source entity can be understood as the physical / logical entity that actively initiates the interaction in the power Internet of Things (IoT); the target entity can be understood as the physical / logical entity that receives the interaction; and the interaction event can be understood as the interaction that occurs between the source entity and the target entity in the power IoT. The source entity can be understood as the device, terminal, or platform that initiates communication, instructions, or operations. The target entity can be understood as the device, terminal, or platform that receives the communication, instructions, or operations. The interaction type can be understood as the protocol type or specific operation type used for communication between devices, used to characterize the intent of the action. The timestamp can be understood as the precise time when the interaction occurred, used to identify the timing of the action. The payload characteristics can be understood as the core business fields or key parameters in the interaction message, used to characterize the specific content of the interaction.

[0035] Specifically, nodes can carry static attributes such as device model and IP (Internet Protocol) address, which are mapped to initial feature vectors. The directed edges of the graph correspond one-to-one with specific interaction events, with each edge carrying an interaction timestamp, interaction type label, and encoded load feature vector, representing the interaction characteristics and temporal evolution patterns across devices and protocols in the power Internet of Things. The quintuple interaction data includes source entity, target entity, interaction type, timestamp, and load features, formatting the chaotic raw interaction behavior between devices into structured data with five standard dimensions.

[0036] Optionally, the step of constructing a dynamic heterogeneous behavior graph based on the interaction data, determining the embedding vector of each node in the dynamic heterogeneous behavior graph, and calculating the anomaly saliency score of each node includes: inputting the dynamic heterogeneous behavior graph into a pre-trained graph autoencoder model, generating the embedding vector of each node through the encoder of the graph autoencoder model, generating the reconstruction representation corresponding to the embedding vector through the decoder of the graph autoencoder model; and calculating the anomaly saliency score of each node by means of the vector norm based on the embedding vector of each node and its corresponding reconstruction representation.

[0037] The graph autoencoder model can be understood as a graph representation learning model consisting of an encoder and a decoder, which is unsupervised pre-trained on normal business traffic data of the power Internet of Things and can realize node embedding and reconstruction. The encoder can be understood as the module in the graph autoencoder that maps nodes to low-dimensional embedding vectors. The decoder can be understood as the module in the graph autoencoder that reconstructs the node embedding vectors into the original feature representation. The reconstructed representation can be understood as the numerical representation corresponding to the original node features obtained by the decoder after reconstructing the node embedding vectors.

[0038] Specifically, the graph autoencoder is an unsupervised pre-trained model. During training, it takes a dynamic heterogeneous behavior graph constructed from normal business traffic as input. The encoder extracts node features through multi-layer graph convolution and outputs low-dimensional dense embedding vectors. The decoder takes the embedding vectors as input and attempts to reconstruct the adjacency relationships and node features of the original graph, outputting a reconstructed representation. The training objective is to minimize the mean squared error between the node embedding vectors and the reconstructed representation. The dynamic heterogeneous behavior graph of the current time window is input into this pre-trained model to generate embedding vectors and a reconstructed representation. An anomaly significance score is calculated based on the difference between the two. It is worth noting that this graph encoding model is the same pre-trained graph autoencoder model as in S120; graph representation learning is the model's feature extraction function. This model also has the function of anomaly detection based on reconstruction error and determining anomaly significance scores.

[0039] Optionally, the anomaly significance score for each node can be calculated using the following formula: ; in, The abnormal significance score, Represents the embedding vector of a node. This represents the reconstructed representation corresponding to the embedding vector. The norm of a vector Let be the Euclidean distance between the node's embedding vector and its reconstructed vector.

[0040] Specifically, the above calculation formula calculates the Euclidean distance between the embedded vector and the reconstructed representation. The larger the distance value, the greater the difference between the node's embedded vector and the reconstructed representation, the higher the degree to which the node's behavior deviates from the normal behavior pattern of the power Internet of Things, and the greater the possibility of participating in highly covert attack behavior.

[0041] Optionally, before inputting the dynamic heterogeneous behavior graph into the pre-trained graph autoencoder model, the method further includes: using a dynamic heterogeneous behavior graph constructed from normal business traffic of the power Internet of Things as a training sample; inputting the training sample into the graph autoencoder, outputting node embedding vectors through the encoder, and generating a reconstructed representation based on the node embedding vectors through the decoder; using mean squared error as the loss function to minimize the mean squared error between the node embedding vectors and the corresponding reconstructed representations, thereby completing unsupervised pre-training and enabling the graph autoencoder to learn the normal behavior patterns of power Internet of Things devices.

[0042] In this invention, training samples can be understood as input data used for model learning; in this invention, they are dynamic heterogeneous behavior graphs constructed using normal business traffic from the power Internet of Things. A graph autoencoder can be understood as an unsupervised neural network model containing an encoder and a decoder, used for feature learning and reconstruction of graph-structured data. The encoder can be understood as the network component in the graph autoencoder used to compress the graph structure and node features into low-dimensional vectors. The decoder can be understood as the network component in the graph autoencoder used to reconstruct node features based on the low-dimensional vectors. The reconstructed representation can be understood as the node feature prediction result obtained by the decoder based on the node embedding vectors. The loss function can be understood as a function used to measure the difference between the model output and the target result; this invention uses the mean squared error loss function. The mean squared error can be understood as the squared mean of the differences between the node embedding vector and the corresponding reconstructed representation, used to quantify the reconstruction error. Unsupervised pre-training can be understood as a training method that optimizes model parameters using normal business data without manual labeling.

[0043] Specifically, a dynamic heterogeneous behavior graph constructed from the normal business traffic of the power Internet of Things (IoT) is used as a training sample. This training sample is then input into a graph autoencoder, which converts the structural and behavioral features of the nodes in the graph into node embedding vectors. The decoder then generates the corresponding reconstructed representation based on these node embedding vectors. Subsequently, the mean squared error is used as the loss function to calculate and minimize the mean squared error between the node embedding vectors and the corresponding reconstructed representations. The model parameters are iteratively optimized to complete unsupervised pre-training, enabling the graph autoencoder to fully learn the normal behavior patterns of power IoT devices.

[0044] S130. Based on the anomaly significance score and the preset anomaly threshold, candidate anomaly nodes are selected, and a key subgraph is constructed based on the candidate anomaly nodes.

[0045] Among them, the preset abnormal threshold can be understood as a numerical limit set based on the normal behavior data of the power Internet of Things to determine whether a node is abnormal. This implementation does not impose specific restrictions on it; the candidate abnormal node can be understood as a node whose abnormality significance score exceeds the preset abnormal threshold and is suspected of abnormal behavior; the key subgraph can be understood as a sub-behavioral graph composed of nodes and edges in the preset range of the candidate abnormal node as the center.

[0046] For example, the preset anomaly threshold is calculated from the mean μ and standard deviation σ of the anomaly significance scores of normal nodes within the 30-300 time windows before the current time. The threshold θ = μ + 3ασ (α is a confidence coefficient of 2.5-3.5). The node anomaly significance scores are compared with this dynamic threshold, and nodes with scores exceeding the threshold are marked as candidate anomaly nodes. Centered on the candidate anomaly node, all nodes and edges in its 1-3 hop neighborhood are extracted and integrated to construct a key subgraph, focusing on the local graph related to anomalies and reducing the amount of data for subsequent analysis.

[0047] Optionally, the step of filtering candidate abnormal nodes based on the abnormality significance score and a preset abnormality threshold, and constructing a key subgraph based on the candidate abnormal nodes, includes: comparing the abnormality significance score of each node with a preset abnormality threshold adaptively set based on a sliding time window, and determining nodes whose abnormality significance scores exceed the preset abnormality threshold as candidate abnormal nodes; taking the candidate abnormal node as the center, extracting all nodes and edges within its preset hop number neighborhood, retaining the timestamp, interaction type, and load feature attributes of the edges, and constructing the key subgraph.

[0048] The preset hop count can be understood as a pre-defined range of nodes and edges to be extracted from the candidate abnormal node, which is a positive integer and no greater than 3; the neighborhood can be understood as a local graph region formed by nodes and edges within the preset hop count range centered on the candidate abnormal node.

[0049] Specifically, firstly, the anomaly significance score of each node is compared with a dynamically preset anomaly threshold that is adaptively set based on a sliding time window. When the anomaly significance score exceeds the dynamically preset threshold, the node is marked as a candidate anomaly node. Then, with the candidate anomaly node as the center, all nodes in its neighborhood and the directed edges connecting the nodes are extracted according to a preset number of hops of 1-3. The extraction process retains all attributes such as edge timestamps, interaction types, and load characteristics. The extracted nodes and edges are integrated to construct a key subgraph focusing on abnormal behavior.

[0050] S140. Input the key subgraph into a pre-trained graph neural network model, and calculate the importance score of each edge in the key subgraph based on the interpretable graph analysis algorithm of edge masking, mutual information maximization and sparsity regularization; wherein, the graph neural network model is obtained by training a pre-built basic graph convolutional network model with normal business traffic data and labeled attack pattern data of the power Internet of Things.

[0051] The graph neural network model can be understood as a graph convolutional network model trained on normal business traffic data and labeled attack pattern data from the power Internet of Things, capable of identifying abnormal behavior patterns in a graph structure. Edge masking can be understood as a matrix used to label key edges and mask non-key edges, filtering out the interaction behaviors that have the greatest impact on the anomaly results. Mutual information maximization can be understood as ensuring maximum information consistency between the masked key subgraph and the original subgraph, guaranteeing that the interpretation results accurately reflect the true causes of anomalies. Sparse regularization can be understood as minimizing the number of selected key edges through constraints, ensuring a concise, refined, and non-redundant interpretation. The interpretable graph analysis algorithm can be understood as an algorithm that calculates the contribution of each edge in the key subgraph to the anomaly determination of candidate anomaly nodes; the importance score can be understood as a normalized value representing the contribution of each edge in the key subgraph to the anomaly determination of a node.

[0052] Specifically, the extracted key subgraphs are input into a pre-trained graph neural network model. An interpretable graph analysis algorithm based on edge masking, mutual information maximization, and sparse regularization is used to quantify the abnormal contribution of each edge within the key subgraph, obtaining an importance score for each edge. The graph neural network model is pre-trained using normal business traffic data from the power IoT as negative samples and labeled attack pattern data as positive samples. Supervised training is performed on the pre-built basic graph convolutional network model, enabling it to effectively learn the characteristic differences between normal and attack behaviors, thus providing reliable model support for edge importance calculation and attack identification.

[0053] Preferably, the graph neural network model uses a basic graph convolutional network architecture. The input layer receives node / edge features of the key subgraph, extracts graph structure features through multiple graph convolutional layers, and the output layer outputs a binary classification result. The model uses normal business traffic subgraphs and subgraphs labeled with attack patterns as training samples, and learns the feature differences between normal and abnormal subgraphs through iterative training. The key subgraph is input into this pre-trained model, and an interpretable graph analysis algorithm based on edge masking, mutual information maximization, and sparse regularization is used. The edge contribution is calculated by optimizing the objective function, which maximizes the mutual information between the masked subgraph and the original key subgraph. At the same time, the edge mask matrix is ​​subjected to first-order norm sparse regularization, and the calculation result is normalized to obtain the edge importance score in the [0,1] interval.

[0054] Optionally, the graph neural network model is trained using binary cross-entropy as the loss function, and the training objective is to minimize the model's classification error between normal and attack subgraphs. During training, key subgraphs constructed from normal business traffic of the power IoT are used as negative samples, and key subgraphs labeled with attack patterns are used as positive samples, which are input into a pre-built basic graph convolutional network model. The model receives node and edge features of the subgraphs through the input layer, extracts structured features across nodes and edges through multiple graph convolutional layers, maps them into a two-dimensional output vector through a fully connected layer, and finally outputs the probability of the subgraph belonging to normal or attack behavior through the Softmax function. The binary cross-entropy loss is calculated based on the output probability and the true label of the sample. The model parameters are iteratively optimized through backpropagation until the loss function converges, ensuring that the model has the ability to accurately identify typical attack patterns of the power IoT.

[0055] For example, the edge importance score is calculated by optimizing the following objective function using an interpretable graph analysis algorithm: ; in, For key subgraphs, The sub-image after masking. For graph neural network encoders, For mutual information, The edge mask matrix, For sparse regularization coefficients, Let be the L1 norm of matrix M.

[0056] S150. Filter key edges based on the importance score, and construct the minimum attack propagation path by combining the timestamps of the key edges.

[0057] Among them, the critical edge can be understood as a directed edge whose importance score exceeds a preset threshold and plays a key role in the abnormal behavior of the candidate abnormal node; the timestamp can be understood as the identification information that records the time when the interaction behavior occurs; the minimum attack propagation path can be understood as the minimum set of directed edges.

[0058] Specifically, a threshold is set for importance scores, which is a fixed value of 0.6 or the 80th percentile of the importance scores of edges in historical attack events. Edges with scores higher than the threshold in the key subgraph are selected as key edges. The timestamp information of all key edges is extracted and the key edges are arranged in ascending order of timestamp. Redundant edges that do not play a core role in the formation of anomalies are removed. The ordered key edges are integrated into a minimum set of directed edges that can completely cover the formation process of the anomaly salience of candidate anomaly nodes, and a minimum attack propagation path that can clearly reflect the attack propagation trajectory is constructed.

[0059] Optionally, the step of filtering key edges based on the importance score and constructing the minimum attack propagation path by combining the timestamps of the key edges includes: determining edges with an importance score higher than a preset importance score threshold as key edges; wherein the preset importance score threshold is a fixed value or dynamically set according to the edge importance scores in historical attack events; arranging the key edges in ascending order by timestamp to construct a minimum set of directed edges that can cover the formation process of the anomaly salience of candidate abnormal nodes, and determining the minimum set of directed edges as the minimum attack propagation path.

[0060] The preset importance score threshold can be understood as the numerical limit of the importance score used to determine whether an edge is a key edge. It can be set as a fixed value or dynamically set according to historical attack data. This embodiment does not impose specific restrictions on it. The minimum directed edge set can be understood as the ordered set of the fewest key edges that completely cover the abnormal salience formation process after being sorted by time.

[0061] Specifically, a preset importance score threshold is set, and the importance score of each edge in the key subgraph is compared with the threshold to determine the edges whose scores exceed the threshold as key edges. Then, the timestamp, source / target node, interaction type and other attributes of the key edges are extracted, and the key edges are arranged in ascending order by timestamp. Redundant edges are removed according to the logical association formed by the anomaly salience. The ordered key edges are combined into a minimum set of directed edges that can completely cover the anomaly salience formation process of candidate anomaly nodes, and this set is determined as the minimum attack propagation path to achieve accurate reconstruction of the attack propagation trajectory.

[0062] Optionally, after constructing the minimum attack propagation path, the method further includes: performing business semantic mapping and interpretation on the minimum attack propagation path based on a predefined power business semantic rule base to generate an attack tracing report. The power business semantic rule base includes technical feature matching conditions, business semantic interpretation templates, and risk level assessment standards.

[0063] Among them, the power business semantic rule base can be understood as a set of rules stored in the system database, using the form of condition-action rules, and adapted to the power Internet of Things business scenario; business semantic mapping and interpretation can be understood as the process of transforming the technical-level interactive behavior in the minimum attack propagation path into natural language interpretation that conforms to the power business scenario; attack tracing report can be understood as a structured report that can clearly present the attack behavior.

[0064] Specifically, the process first calls a predefined power business semantic rule library, which contains three core components: technical feature matching conditions, business semantic interpretation templates, and risk level assessment standards. Technical features such as interaction types, load characteristics, timestamps, and importance scores of key edges in the minimum attack propagation path are precisely matched with the matching conditions in the rule library, and suitable rules are selected according to priority. The interpretation templates corresponding to the rules are then applied to transform the technical interaction operations into natural language interpretations of the power business scenario, ultimately generating a structured attack tracing report containing core attack information.

[0065] Optionally, the step of mapping and interpreting the minimum attack propagation path based on a predefined power business semantic rule base to generate an attack tracing report includes: matching the interaction type, load characteristics, timestamp, and importance score of each side in the minimum attack propagation path with the technical feature matching conditions in the power business semantic rule base; filtering the matched rules by priority and calling the corresponding business semantic interpretation template to perform business semantic conversion on the key operations in the attack path, converting the technical interaction features into natural language interpretations in the power business scenario; determining the attack risk level based on a preset risk level assessment standard, calculating the overall attack confidence score by combining the importance score and time weight of each propagation jump, and generating a structured and interpretable attack tracing report. The attack tracing report includes the attack starting node identifier, a list of propagation paths arranged in ascending order of time, the importance score of each propagation jump, the power business semantic natural language interpretation, the attack risk level, and the overall attack confidence score.

[0066] The power business semantic rule base can be understood as a predefined set of rules used to translate technical attack characteristics into power business language. This includes technical feature matching conditions, business semantic interpretation templates, and risk level assessment standards. Technical feature matching conditions are technical judgment rules used to identify attack behavior, compared and matched with interaction type, load characteristics, timestamps, and importance scores. Business semantic interpretation templates are pre-set natural language description templates used to convert technical attack behavior into understandable explanatory text within the power business context. Priority refers to the execution order of rule matching, used to select the most accurate interpretation rule when multiple rules are matched. Business semantic conversion translates the technical characteristics of device interactions into business meanings that maintenance personnel can directly understand. Risk level assessment standards are pre-set criteria for determining the severity of attacks, classifying attacks into different risk levels. Attack origin node identifiers are unique identifiers for marking the originating device or entity of the attack, including its number, name, or address. The propagation path list records the complete chain of attack behavior as it jumps and propagates between devices in chronological order. A propagation jump can be understood as a single interactive action in which an attack is passed from one node to another. The overall attack confidence score is calculated by combining the importance score and time weight of each propagation jump; this overall attack confidence score can be understood as a quantitative score representing the credibility of the attack detection results. A structured and explainable attack attribution report can be understood as a standardized report that includes the attack path, business explanation, risk level, and credibility, and can be directly used for assessment and resolution.

[0067] Specifically, the interaction type, payload characteristics, timestamp, and importance score of each side in the minimum attack propagation path are matched one by one with the technical feature matching conditions in the power business semantic rule base. Then, the most matching rule is selected according to the preset priority, and the corresponding business semantic interpretation template is called to perform business semantic conversion on the key operations in the attack path, converting the technical features into business-understandable natural language. Next, the risk level of this attack is determined according to the preset risk level assessment standard. Finally, a structured and interpretable attack tracing report is generated, which includes the attack starting node identifier, a propagation path list arranged in ascending time, the importance score of each propagation jump, the power business semantic natural language interpretation, the attack risk level, and the overall attack confidence score.

[0068] Optionally, the attack attribution report includes an attack origin node identifier, a list of propagation paths arranged in ascending order of time, importance scores for each propagation jump, natural language explanations of key operations based on power business semantics, and an overall attack confidence score.

[0069] Among them, the attack origin node identifier can be understood as the characteristic information used to uniquely identify the origin node of a highly covert attack, which may include node number, device IP, entity name, etc.; the propagation path list can be understood as the set of interactive information of each link in the propagation of the attack in the power Internet of Things in chronological order; the importance score of the propagation jump can be understood as the edge importance score corresponding to each interactive jump in the attack propagation path; the overall attack confidence score can be understood as the credibility value of identifying this as a highly covert attack by comprehensively considering the characteristics of each link in the attack propagation path, and the higher the score, the higher the credibility of the attack identification.

[0070] Specifically, based on the completed business semantic mapping and interpretation results, a standardized attack tracing report is generated according to a unified structure. The report first clearly identifies the attack starting point node, accurately locating the origin of the attack. Second, it lists the propagation paths in ascending chronological order, clearly presenting the complete propagation process from the starting point to the candidate abnormal nodes. Each stage includes core interaction information such as the source node, target node, and interaction type. Simultaneously, it assigns a corresponding importance score to each jump in the propagation path, determining the contribution of each stage to the attack. Next, it includes natural language explanations of key operations in the path based on power business semantics, transforming technical-level interaction behaviors into understandable attack behavior descriptions within the power business scenario. Finally, it provides an overall attack confidence score, quantifying the credibility of the attack identification by considering factors such as the abnormal characteristics and importance scores of each stage, providing a complete, intuitive, and interpretable attack tracing basis for emergency response by power safety operation and maintenance personnel.

[0071] The technical solution of this invention involves collecting device operation logs from the power Internet of Things (IoT) and extracting interaction data from them. A dynamic heterogeneous behavior graph is constructed based on this interaction data, and the embedding vector of each node in the graph is determined. An anomaly salience score for each node is calculated. Candidate anomaly nodes are selected based on the anomaly salience score and a preset anomaly threshold, and a key subgraph is constructed based on these candidate nodes. The key subgraph is input into a pre-trained graph neural network model, and an interpretable graph analysis algorithm is used to calculate the importance score of each edge in the key subgraph. The graph neural network model is trained on a pre-constructed basic graph convolutional network model using normal business traffic data and labeled attack pattern data from the power IoT. Key edges are selected based on the importance scores, and the minimum attack propagation path is constructed by combining the timestamps of the key edges. This solution solves the technical problem of inaccurate identification of highly covert attacks, achieving beneficial effects such as improving the detection rate of highly covert attacks, reducing the false alarm rate, accurately reconstructing attack propagation paths, and providing interpretable technical evidence for attack identification.

[0072] Figure 2This is a flowchart illustrating another method for identifying highly covert attacks in the power Internet of Things (IoT) provided by an embodiment of the present invention. Based on the above embodiments, this embodiment represents a further refinement, and its specific implementation can be found in the technical solution of this embodiment. Technical terms that are the same as or corresponding to those in the above embodiments will not be repeated here. Figure 2 As shown, the method specifically includes the following steps: S210. Extract interaction events from the network traffic mirror and device operation logs of the power Internet of Things system, and structure the interaction events into 5-tuple data.

[0073] The quintuple data includes the source entity, target entity, interaction type, timestamp, and payload characteristics.

[0074] Specifically, the source and target entities are any logical or physical nodes participating in the communication or control operations of the power Internet of Things (IoT), including but not limited to smart meters, photovoltaic inverters, energy storage converters, non-industrial air conditioning controllers, electric vehicle charging piles, edge computing gateways, cloud platform microservice instances, operation and maintenance management terminals, or third-party security agent nodes; the interaction type is the communication behavior used for device control, status reporting, or remote management in the power IoT, including but not limited to Modbus_Write, MQTT_Publish, SSH_Login, HTTP_API_Call, CoAP_POST, or IEC 61850-GOOSE messages; the payload characteristics are technical fields that can characterize the semantic content of the interaction, including but not limited to register addresses, function codes, MQTT topic names, message payload digests, API paths, query parameters, authentication tokens, or digital certificate fingerprints.

[0075] S220. Construct a dynamic heterogeneous behavior graph based on quintuples. The dynamic heterogeneous behavior graph contains multiple types of nodes and multiple types of directed edges with timestamps, which are used to represent the operation sequence across devices and protocols in the power Internet of Things.

[0076] Specifically, after obtaining the structured quintuple interaction events in step S210, a dynamic heterogeneous behavior graph is further constructed based on the quintuples. The graph is heterogeneous because it contains multiple types of nodes and edges, truly reflecting the hybrid communication mode under the multi-layered architecture of "device-gateway-cloud-person" in the power Internet of Things. Simultaneously, the graph is dynamic because new interaction events continuously arrive, and the graph structure evolves over time. In actual deployment, a sliding time window mechanism (e.g., an analysis window every 5 minutes) can be adopted, constructing a corresponding subgraph snapshot within each window for subsequent anomaly detection and source tracing analysis.

[0077] Dynamic heterogeneous behavior graph ,in The definition is as follows: (1) At time Node set Each node in the diagram This corresponds to a source or target entity identified in step S110. The node has a type attribute. This is used to distinguish different categories of devices or service roles, such as smart meters, photovoltaic inverters, edge gateways, cloud platform microservices, and operation and maintenance user terminals. Different types of nodes can carry different static attributes (such as device model, IP address, and substation ID), which are mapped to the initial feature vectors of the nodes during the graph initialization phase.

[0078] (2) At time edge set Each directed edge represents a node from the source node. To the target node An interaction event. The edge has the following key properties: 1) Interaction type tags : Identifies the semantic category of the interaction, such as Modbus_Write, MQTT_Publish, SSH_Login, HTTP_API_Call, etc., to distinguish different protocols or operation intentions; 2) Timestamp Records the specific moment the interaction occurs, supporting analysis by time window slicing; 3) Load eigenvector The numerical representation formed by encoding the fields such as register address, MQTT topic name, and API path extracted in step S110 is used to capture the semantic differences of the interactive content.

[0079] (3) At time Static image snapshot .

[0080] (4) Discrete set of time points (e.g., a window every 5 minutes) .

[0081] S230. Based on the dynamic heterogeneous behavior graph, the embedding vector of each node is generated through a pre-trained graph representation learning model, and the anomaly saliency score of each node is calculated; wherein, the anomaly saliency score is defined as the Euclidean distance between the embedding vector of the node and its reconstructed representation.

[0082] It is worth noting that the graph representation learning model in this embodiment of the invention is a pre-trained graph autoencoder model, graph representation learning is the feature extraction function of the model, and anomaly detection is the anomaly determination function of the model based on reconstruction error.

[0083] Specifically, after constructing the dynamic heterogeneous behavior graph, representation learning is further performed on the graph to obtain a numerical representation that reflects the evolutionary characteristics of entity behavior, and the degree of anomaly is calculated based on this representation. This step includes the following sub-steps: Step S2301: Construction and pre-training of the graph representation learning model. The graph representation learning model adopts a graph autoencoder architecture, which consists of two parts: an encoder and a decoder. (1) Encoder, receiving dynamic heterogeneous behavior graph As input, each node is processed through multi-layer graph convolution operations. Mapped to a low-dimensional dense vector This refers to the node embedding vector. This embedding integrates the node's own attributes, neighbor structure, and interaction semantic information.

[0084] (2) Decoder, using node embedding vectors Given the input, attempt to reconstruct the adjacency relationships or node features of the original graph, and output the reconstructed representation. .

[0085] The above model is used for unsupervised pre-training on a normal business traffic dataset. The training objective is to minimize the reconstruction error of all nodes, using the mean squared error (MSE) loss function. ; in, For the node embedding generated by the encoder, The representation reconstructed by the decoder, Embedded vector and reconstructed vector The squared Euclidean distance between them. Through this process, the model learns the behavioral patterns of normal power IoT devices, enabling the accurate reconstruction of the embeddings of normal nodes, while abnormal nodes are difficult to reconstruct due to their deviation from normal patterns.

[0086] Step S2302: Calculate the anomaly significance score. During the actual operation phase, the dynamic heterogeneous behavior graph within the current time window is input into the pre-trained graph autoencoder model mentioned above. The encoder generates the embedding vectors for each node. The decoder generates the corresponding reconstructed representation. Calculate the anomaly significance score for each node. : ; This score reflects the degree to which a node’s current behavior deviates from the normal pattern: the higher the score, the more likely the node is to be involved in highly covert attacks (such as illegal register writing, abnormal data reporting, etc.).

[0087] S240. When the anomaly saliency score of any node exceeds a dynamically set threshold based on a sliding time window, the node is marked as a candidate anomaly node. Then, using the candidate anomaly node as the center, all nodes and edges within its k-hop neighborhood are extracted to form a key subgraph; wherein... are positive integers and .

[0088] The dynamic threshold is set in the following way: based on the previous time. The set of significance scores for abnormal normal nodes within a time window is used to calculate the mean. with standard deviation and set dynamic threshold ,in are positive integers and , is the confidence coefficient and .

[0089] S250. Input the key subgraph into the trained graph neural network model, and calculate the contribution of each edge to the anomaly determination of the candidate abnormal node through the interpretable graph analysis algorithm to obtain the importance score of each edge.

[0090] Specifically, the trained graph neural network model is a pre-trained graph classifier using a graph convolutional network. Its input is the key subgraph structure in a dynamic heterogeneous behavior graph, and its output is a binary classification result indicating whether the key subgraph contains anomalous behavior. After training, the model possesses the ability to identify typical attack patterns and can be used for subsequent interpretability analysis. Interpretability analysis employs an interpretable graph analysis algorithm, which calculates edge importance scores by optimizing the following objective function: ; in, For key subgraphs, The sub-image after masking. For graph neural network encoders, For mutual information, The edge mask matrix, is the sparse regularization coefficient.

[0091] Subsequently, the edge importance score is usually normalized, and its value range is [value range missing]. .

[0092] S260. Based on the importance score, key edges with importance higher than a preset threshold are selected, and combined with the timestamps corresponding to each edge, a minimum attack propagation path that can cover the anomaly salience formation process is constructed. The minimum attack propagation path is a minimum set of directed edges used to explain the cause of the anomaly formation.

[0093] Specifically, the preset threshold is 0.6, or it can be dynamically set based on the 80th percentile of the edge importance score in historical attack events.

[0094] S270. Based on the interaction type, load characteristics, timestamp, and importance score corresponding to each edge in the minimum attack propagation path, and in conjunction with a predefined power business semantic rule base, perform business semantic mapping and interpretation on the key operations in the minimum attack propagation path, and generate a structured attack tracing report. The report explicitly includes the following fields: The attack origin node identifier, a list of propagation paths arranged in ascending order of time (including source node, target node, interaction type, payload characteristics and occurrence time), importance scores for each propagation jump, natural language interpretation of key operations based on power business semantics, and overall attack confidence score.

[0095] Specifically, the system first loads a predefined power business semantic rule base, which is stored in the system database and adopts a condition-action rule format. It contains three core components: (1) technical feature matching conditions, (2) business semantic interpretation templates, and (3) risk level assessment standards. For example, rule R-001: Identifying "electricity meter metering function shutdown attack" is as follows: Rule number: R-001 Name: Modbus Register 40001 Write Anomaly Detection (1) Technical feature matching conditions IF interaction type="Modbus_Write" AND Load characteristics.Register address = 40001 AND Source node type = "Edge Gateway" or "Operation and Maintenance Terminal" Target node type="smart meter" Timestamp NOTIN[08:00, 17:00] (outside of working hours) Importance score > 0.6 THEN triggers this rule (2) Business semantic interpretation template Generate natural language interpretations: "A Modbus write operation to the smart meter {target_node_id} was detected. The target register was 40001, and the written value was {value}. This operation occurred during non-working hours, consistent with a typical 'remotely shutting down the meter' attack pattern." Output after variable replacement: "A Modbus write operation was detected on smart meter 00158D0001A56E32. The target register was 40001, and the written value was 0. This operation occurred during non-working hours, which is consistent with a typical 'remotely shutting down the meter' attack pattern." Risk level assessment standards If all conditions are met, it is considered high-risk; if some conditions are met, it is considered medium-risk; otherwise, it is considered low-risk.

[0096] Subsequently, business semantic mapping and interpretation are performed on the key operations in the minimum attack propagation path, and a structured attack attribution report is generated: Extract the interaction type, load characteristics, and context information of the edge; Match all applicable rules in the rule base, sort them by priority, and select the most specific rule. Application business semantic interpretation templates generate natural language descriptions.

[0097] The technical solution of this invention extracts and structures interaction events from network traffic mirrors and device operation logs of the power Internet of Things (IoT), constructs a dynamic heterogeneous behavior graph, quantifies the degree of node anomaly by combining a pre-trained graph representation learning model, filters candidate abnormal nodes and constructs key subgraphs, calculates edge importance scores using a graph neural network model and interpretable graph analysis algorithm, further filters key edges and constructs the minimum attack propagation path by combining timestamps, and finally completes semantic mapping and generates an attack tracing report by combining a power business semantic rule library. This achieves interpretable identification of highly covert attacks in the power IoT and accurate tracing of attack paths, solving the technical problems of lack of interpretability of high-covert attack detection results and difficulty in reconstructing cross-device attack paths in existing technologies. It achieves the technical effects of improving the detection rate of high-covert attacks, reducing the false alarm rate, accurately reconstructing attack propagation paths and giving the detection results interpretability at the power business level, significantly shortening the judgment time of security personnel, and improving the response efficiency and decision reliability of power IoT security operation and maintenance.

[0098] Figure 3 This is a schematic diagram of a highly covert attack identification system for the power Internet of Things, provided as an embodiment of the present invention. Figure 3 As shown, the system includes: an interactive data extraction module 310, a saliency score calculation module 320, a key subgraph construction module 330, an importance score calculation module 340, and a propagation path construction module 350.

[0099] The system includes an interaction data extraction module 310, which collects equipment operation logs from the power Internet of Things (IoT) and extracts interaction data from the logs; a saliency score calculation module 320, which structures the interaction data into quintuple interaction data, constructs a dynamic heterogeneous behavior graph based on the quintuple interaction data, inputs the dynamic heterogeneous behavior graph into a pre-trained graph autoencoder to obtain the embedding vectors of each node, and calculates the anomaly saliency score of each node based on the difference between the embedding vectors and their reconstructed representations; wherein the dynamic heterogeneous behavior graph contains multiple types of nodes and multiple types of directed edges with timestamps; and a key subgraph construction module 330, which is used to construct the key subgraph based on the anomaly saliency score. The system filters candidate abnormal nodes based on a preset abnormal threshold and constructs a key subgraph based on these candidate abnormal nodes. An importance score calculation module 340 inputs the key subgraph into a pre-trained graph neural network model and calculates the importance score of each edge in the key subgraph based on an interpretable graph analysis algorithm using edge masking, mutual information maximization, and sparse regularization. The graph neural network model is obtained by training a pre-built basic graph convolutional network model using normal business traffic data and labeled attack pattern data from the power Internet of Things. A propagation path construction module 350 filters key edges based on the importance scores and constructs a minimum attack propagation path by combining the timestamps of the key edges.

[0100] The technical solution of this invention involves collecting device operation logs from the power Internet of Things (IoT) and extracting interaction data from them. A dynamic heterogeneous behavior graph is constructed based on this interaction data, and the embedding vector of each node in the graph is determined. An anomaly salience score for each node is calculated. Candidate anomaly nodes are selected based on the anomaly salience score and a preset anomaly threshold, and a key subgraph is constructed based on these candidate nodes. The key subgraph is input into a pre-trained graph neural network model, and an interpretable graph analysis algorithm is used to calculate the importance score of each edge in the key subgraph. The graph neural network model is trained on a pre-constructed basic graph convolutional network model using normal business traffic data and labeled attack pattern data from the power IoT. Key edges are selected based on the importance scores, and the minimum attack propagation path is constructed by combining the timestamps of the key edges. This solution solves the technical problem of inaccurate identification of highly covert attacks, achieving beneficial effects such as improving the detection rate of highly covert attacks, reducing the false alarm rate, accurately reconstructing attack propagation paths, and providing interpretable technical evidence for attack identification.

[0101] In some optional embodiments, the node is a source entity or a target entity in the power Internet of Things, and the directed edge is an interaction event in the power Internet of Things; the five-tuple interaction data includes source entity, target entity, interaction type, timestamp, and payload characteristics.

[0102] In some optional embodiments, the saliency score calculation module includes: An embedding vector generation unit is used to input the dynamic heterogeneous behavior graph into a pre-trained graph autoencoder model, generate embedding vectors for each node through the encoder of the graph autoencoder model, and generate a reconstructed representation corresponding to the embedding vectors through the decoder of the graph autoencoder model. The saliency score calculation unit calculates the abnormal saliency score of each node based on the embedding vector of each node and its corresponding reconstruction representation.

[0103] In some optional embodiments, the saliency score calculation unit is specifically used for: The anomaly significance score for each node is calculated using the following formula: ; in, The abnormal significance score, Represents the embedding vector of a node. This represents the reconstructed representation corresponding to the embedding vector. The norm of a vector Let be the Euclidean distance between the node's embedding vector and its reconstructed vector.

[0104] In some alternative embodiments, the key subgraph construction module includes: A candidate abnormal node determination unit is used to compare the abnormal significance score of each node with a preset abnormal threshold, and determine the nodes whose abnormal significance scores exceed the preset abnormal threshold as the candidate abnormal nodes. The key subgraph construction unit is used to extract all nodes and edges within the preset number of hops neighborhood of the candidate abnormal node, and retain the timestamp, interaction type, and load feature attributes of the edges to form the key subgraph.

[0105] In some alternative embodiments, the system further includes: The training sample determination module is used to use the dynamic heterogeneous behavior graph constructed from the normal business traffic of the power Internet of Things as training samples before inputting the dynamic heterogeneous behavior graph into the pre-trained graph autoencoder model. The reconstruction vector generation module is used to input the training samples into the graph autoencoder, output node embedding vectors through the encoder, and generate a reconstruction representation based on the node embedding vectors through the decoder. The unsupervised training module is used to minimize the mean square error between the node embedding vector and the corresponding reconstructed representation by using the mean square error as the loss function, thereby completing unsupervised pre-training and enabling the graph autoencoder to learn the normal behavior patterns of power Internet of Things devices.

[0106] In some optional embodiments, the propagation path construction module includes: A critical edge determination unit is used to determine edges whose importance scores are higher than a preset importance score threshold as critical edges; wherein, the preset importance score threshold is a fixed value or dynamically set according to the edge importance scores in historical attack events; The propagation path determination unit is used to sort the key edges in ascending order by timestamp to construct a minimum set of directed edges that can cover the formation process of the anomaly salience of candidate abnormal nodes, and to determine the minimum set of directed edges as the minimum attack propagation path.

[0107] In some alternative embodiments, the system further includes: The report generation module is used to perform business semantic mapping and interpretation on the minimum attack propagation path based on a predefined power business semantic rule library after the minimum attack propagation path is constructed, so as to generate an attack tracing report. The power business semantic rule library includes technical feature matching conditions, business semantic interpretation templates and risk level assessment standards.

[0108] In some optional embodiments, the report generation module includes: The matching unit is used to match the interaction type, load characteristics, timestamp and importance score of each side in the minimum attack propagation path with the technical feature matching conditions in the power business semantic rule base. The semantic conversion unit is used to filter the matched rules according to priority and call the corresponding business semantic interpretation template to perform business semantic conversion on the key operations in the attack path, and convert the technical interaction features into natural language interpretation in the power business scenario. The report generation unit is used to determine the attack risk level based on a preset risk level assessment standard, calculate the overall attack confidence score by combining the importance score and time weight of each propagation jump, and generate a structured and interpretable attack tracing report. The attack tracing report includes the attack starting node identifier, a list of propagation paths arranged in ascending time, the importance score of each propagation jump, a natural language explanation of power business semantics, the attack risk level, and the overall attack confidence score.

[0109] In some optional embodiments, the attack attribution report includes an attack origin node identifier, a list of propagation paths arranged in ascending chronological order, importance scores for each propagation jump, natural language explanations of key operations based on power business semantics, and an overall attack confidence score.

[0110] The high-coverage attack identification system for the power Internet of Things provided in this embodiment of the invention can execute the high-coverage attack identification method for the power Internet of Things provided in any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the method execution.

[0111] Figure 4This is a schematic diagram of an electronic device for implementing a highly covert attack identification method for the power Internet of Things according to embodiments of the present invention. The electronic device is intended to represent various forms of digital computers, such as laptops, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the invention described and / or claimed herein.

[0112] like Figure 4 As shown, the electronic device 10 includes at least one processor 11 and a memory, such as a read-only memory (ROM) 12 or a random access memory (RAM) 13, communicatively connected to the at least one processor 11. The memory stores computer programs executable by the at least one processor. The processor 11 can perform various appropriate actions and processes based on the computer program stored in the ROM 12 or loaded into the RAM 13 from storage unit 18. The RAM 13 can also store various programs and data required for the operation of the electronic device 10. The processor 11, ROM 12, and RAM 13 are interconnected via a bus 14. An input / output (I / O) interface 15 is also connected to the bus 14.

[0113] Multiple components in electronic device 10 are connected to I / O interface 15, including: input unit 16, such as keyboard, mouse, etc.; output unit 17, such as various types of displays, speakers, etc.; storage unit 18, such as disk, optical disk, etc.; and communication unit 19, such as network card, modem, wireless transceiver, etc. Communication unit 19 allows electronic device 10 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.

[0114] Processor 11 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 11 include, but are not limited to, central processing unit (CPU), graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, digital signal processors (DSPs), and any suitable processor, controller, microcontroller, etc. Processor 11 performs the various methods and processes described above, such as methods for identifying highly covert attacks in the power Internet of Things.

[0115] In some embodiments, the method for identifying highly covert attacks on the power Internet of Things (IoT) can be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program can be loaded and / or installed on electronic device 10 via ROM 12 and / or communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the method for identifying highly covert attacks on the power IoT described above can be performed. Alternatively, in other embodiments, processor 11 can be configured to perform the method for identifying highly covert attacks on the power IoT by any other suitable means (e.g., by means of firmware).

[0116] Various implementations of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various implementations may include: implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.

[0117] Computer programs used to implement the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be performed. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.

[0118] In the context of this invention, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination thereof. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0119] To provide interaction with a user, the systems and techniques described herein can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the electronic device. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).

[0120] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as data servers), or middleware components (e.g., application servers), or frontend components (e.g., user computers with graphical user interfaces or web browsers through which users can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., communication networks). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.

[0121] A computing system can include clients and servers. Clients and servers are generally located far apart and typically interact through a communication network. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other. The server can be a cloud server, also known as a cloud computing server or cloud host, which is a hosting product within the cloud computing service system to address the shortcomings of traditional physical hosts and VPS services, such as high management difficulty and weak business scalability.

[0122] It should be understood that the various forms of processes shown above can be used, with steps reordered, added, or deleted. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and this is not limited herein.

[0123] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.

Claims

1. A method for identifying highly covert attacks in the power Internet of Things, characterized in that, include: Collect device operation logs from the power Internet of Things, and extract interactive data from the device operation logs; The interaction data is structured into quintuple interaction data, and a dynamic heterogeneous behavior graph is constructed based on the quintuple interaction data. The dynamic heterogeneous behavior graph is input into a pre-trained graph autoencoder to obtain the embedding vector of each node, and the anomaly saliency score of each node is calculated based on the difference between the embedding vector and its reconstructed representation. The dynamic heterogeneous behavior graph contains multiple types of nodes and multiple types of directed edges with timestamps. Candidate abnormal nodes are selected based on the anomaly significance score and the preset anomaly threshold, and key subgraphs are constructed based on the candidate abnormal nodes; The key subgraph is input into a pre-trained graph neural network model, and the importance score of each edge in the key subgraph is calculated based on the interpretable graph analysis algorithm of edge masking, mutual information maximization and sparsity regularization. The graph neural network model is obtained by training a pre-built basic graph convolutional network model with normal business traffic data and labeled attack pattern data of the power Internet of Things. Key edges are selected based on the importance scores, and the minimum attack propagation path is constructed by combining the timestamps of the key edges.

2. The method according to claim 1, characterized in that, The node is the source entity or target entity in the power Internet of Things, the directed edge is the interaction event in the power Internet of Things, and the five-tuple interaction data includes the source entity, target entity, interaction type, timestamp, and payload characteristics.

3. The method according to claim 1, characterized in that, The process of constructing a dynamic heterogeneous behavior graph based on the interaction data, determining the embedding vector of each node in the dynamic heterogeneous behavior graph, and calculating the anomaly salience score of each node includes: The dynamic heterogeneous behavior graph is input into a pre-trained graph autoencoder model. The encoder of the graph autoencoder model generates embedding vectors for each node, and the decoder of the graph autoencoder model generates a reconstructed representation corresponding to the embedding vectors. Based on the embedding vector of each node and its corresponding reconstructed representation, the anomaly saliency score of each node is calculated using the vector norm.

4. The method according to claim 3, characterized in that, The anomaly significance score for each node is calculated using the following formula: ; in, The abnormal significance score, Represents the embedding vector of a node. This represents the reconstructed representation corresponding to the embedding vector. The norm of a vector Let be the Euclidean distance between the node's embedding vector and its reconstructed vector.

5. The method according to claim 3, characterized in that, Before inputting the dynamic heterogeneous behavior graph into the pre-trained graph autoencoder model, an unsupervised pre-training step for the graph autoencoder is also included, specifically: The dynamic heterogeneous behavior graph constructed using normal business traffic of the power Internet of Things is used as the training sample; The training samples are input into the graph autoencoder, the encoder outputs node embedding vectors, and the decoder generates a reconstructed representation based on the node embedding vectors. Using mean squared error as the loss function, the mean squared error between the node embedding vector and the corresponding reconstructed representation is minimized to complete unsupervised pre-training, enabling the graph autoencoder to learn the normal behavior patterns of power Internet of Things devices.

6. The method according to claim 1, characterized in that, The process of filtering candidate abnormal nodes based on the anomaly significance score and a preset anomaly threshold, and constructing a key subgraph based on the candidate abnormal nodes, includes: The anomaly significance score of each node is compared with a preset anomaly threshold adaptively set based on a sliding time window, and the nodes whose anomaly significance scores exceed the preset anomaly threshold are determined as the candidate anomaly nodes. Centered on the candidate abnormal node, extract all nodes and edges within its preset hop count neighborhood, retain the timestamp, interaction type, and load feature attributes of the edges, and construct the key subgraph.

7. The method according to claim 1, characterized in that, The step of filtering key edges based on the importance score and constructing the minimum attack propagation path by combining the timestamps of the key edges includes: Edges whose importance score is higher than a preset importance score threshold are identified as critical edges; wherein, the preset importance score threshold is a fixed value or dynamically set according to the edge importance scores in historical attack events; The key edges are arranged in ascending order by timestamp to construct a minimum set of directed edges that can cover the formation process of the anomaly salience of candidate abnormal nodes. The minimum set of directed edges is then determined as the minimum attack propagation path.

8. The method according to claim 1, characterized in that, After constructing the minimum attack propagation path, the method further includes: performing business semantic mapping and interpretation on the minimum attack propagation path based on a predefined power business semantic rule base to generate an attack tracing report. The power business semantic rule base includes technical feature matching conditions, business semantic interpretation templates, and risk level assessment standards.

9. The method according to claim 8, characterized in that, The predefined power business semantic rule base performs business semantic mapping and interpretation on the minimum attack propagation path to generate an attack tracing report, including: The interaction type, load characteristics, timestamp, and importance score of each side in the minimum attack propagation path are matched with the technical feature matching conditions in the power business semantic rule base. The matched rules are filtered by priority, and the corresponding business semantic interpretation template is called to perform business semantic conversion on the key operations in the attack path, and the technical interaction features are converted into natural language interpretation in the power business scenario. The attack risk level is determined based on the preset risk level assessment criteria. The overall attack confidence score is calculated by combining the importance score and time weight of each propagation jump. A structured and interpretable attack tracing report is generated. The attack tracing report includes the attack starting node identifier, a list of propagation paths arranged in ascending time order, the importance score of each propagation jump, a natural language explanation of power business semantics, the attack risk level, and the overall attack confidence score.

10. A highly covert attack identification system for the power Internet of Things, characterized in that, include: An interactive data extraction module is used to collect device operation logs of the power Internet of Things and extract interactive data from the device operation logs. The saliency score calculation module is used to structure the interaction data into quintuple interaction data, construct a dynamic heterogeneous behavior graph based on the quintuple interaction data, input the dynamic heterogeneous behavior graph into a pre-trained graph autoencoder to obtain the embedding vector of each node, and calculate the anomaly saliency score of each node based on the difference between the embedding vector and its reconstructed representation; wherein, the dynamic heterogeneous behavior graph contains multiple types of nodes and multiple types of directed edges with timestamps; The key subgraph construction module is used to filter candidate abnormal nodes based on the abnormality significance score and the preset abnormality threshold, and to construct a key subgraph based on the candidate abnormal nodes. The importance score calculation module is used to input the key subgraph into a pre-trained graph neural network model and calculate the importance score of each edge in the key subgraph based on the interpretable graph analysis algorithm of edge masking, mutual information maximization and sparsity regularization; wherein, the graph neural network model is obtained by training a pre-built basic graph convolutional network model with normal business traffic data and labeled attack pattern data of the power Internet of Things. The propagation path construction module is used to filter key edges based on the importance score and construct the minimum attack propagation path by combining the timestamps of the key edges.

11. The system according to claim 10, characterized in that, The system also includes: The report generation module is used to perform business semantic mapping and interpretation on the minimum attack propagation path based on a predefined power business semantic rule base after the minimum attack propagation path is constructed, so as to generate an attack tracing report.

12. The system according to claim 11, characterized in that, The report generation module includes: The matching unit is used to match the interaction type, load characteristics, timestamp and importance score of each side in the minimum attack propagation path with the technical feature matching conditions in the power business semantic rule base. The semantic conversion unit is used to filter the matched rules according to priority and call the corresponding business semantic interpretation template to perform business semantic conversion on the key operations in the attack path, and convert the technical interaction features into natural language interpretation in the power business scenario. The report generation unit is used to determine the attack risk level based on preset risk level assessment standards, and generate a structured and interpretable attack tracing report that includes the attack starting node identifier, a list of propagation paths arranged in ascending order of time, importance scores for each propagation jump, natural language explanation of power business semantics, attack risk level, and overall attack confidence score.

13. An electronic device, comprising: At least one processor; and memory that is communicatively connected to at least one processor; The memory stores a computer program that can be executed by at least one processor, which enables the at least one processor to execute the high-coverage attack identification method for the power Internet of Things according to any one of claims 1-9.

14. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that, when executed by a processor, implement the high-coverage attack identification method for the power Internet of Things as described in any one of claims 1-9.