A portable safety data quantification evaluation method and system based on power monitoring

By performing redundant filtering and event paradigm reconstruction on multi-source heterogeneous security logs of the power monitoring network, combined with proactive fingerprint detection and field-level correlation fusion, the problems of standardization of security event data and timeliness of equipment status data in the power monitoring network are solved, and accurate security situation analysis and global risk visualization are realized.

CN122372275APending Publication Date: 2026-07-10GANSU ELECTRIC POWER TIANSHUI POWER SUPPLY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GANSU ELECTRIC POWER TIANSHUI POWER SUPPLY
Filing Date
2026-04-16
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies lack efficient redundancy filtering mechanisms and standardized event paradigm reconstruction methods in power monitoring networks, resulting in low efficiency in extracting effective information from security event data, insufficient timeliness and completeness of equipment status data, and difficulty in achieving accurate analysis of security events and visualization of global risks.

Method used

By performing redundant filtering and event paradigm reconstruction on multi-source heterogeneous security logs, and combining proactive fingerprinting technology to obtain real-time device status data, and performing field-level correlation and fusion, tactical intent annotation and attack link topology reconstruction are carried out. Based on the quantitative health index, hierarchical situation aggregation and visualization rendering are performed.

Benefits of technology

It has achieved standardized processing of security incident data, improved the timeliness and completeness of equipment status data, accurately mined the correlation characteristics of attack events, enhanced the hierarchy and visualization of security situation analysis, and strengthened the security risk perception and management capabilities of power monitoring networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372275A_ABST
    Figure CN122372275A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of power safety, and discloses a portable safety data quantitative evaluation method and system based on power monitoring, which comprises the following steps: performing redundant data filtering and event paradigm reconstruction on original multi-source heterogeneous safety logs to obtain standardized safety events; performing active fingerprint detection on heterogeneous devices to obtain real-time state data; performing field-level association and fusion on the standardized safety events and the real-time state data to obtain enriched safety events; performing tactical intention labeling and attack link topology reconstruction on the enriched safety events to obtain fusion attack events; performing health degree evaluation on the safety states of the heterogeneous devices to obtain quantitative health indexes; performing hierarchical situation aggregation and visual rendering on the regional attributes and scheduling levels of a target power monitoring network to construct a global safety risk graph of the target power monitoring network; and the application can improve the efficiency of the portable safety data quantitative evaluation based on power monitoring.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of power safety technology, and in particular to a portable method and system for quantitative evaluation of safety data based on power monitoring. Background Technology

[0002] Power monitoring networks contain a large amount of multi-source, heterogeneous security log data. Existing technologies lack efficient redundancy filtering mechanisms and standardized event paradigm reconstruction methods for processing this type of data. This results in low efficiency in extracting effective information from log data, inconsistent representation of security events, and difficulty in forming a standardized security event data base. At the same time, for heterogeneous devices within the power monitoring network, existing technologies mostly use passive acquisition methods to obtain device status, which cannot detect the actual operating attributes and port status of devices in real time and comprehensively. This leads to insufficient timeliness and completeness of device status data, creating data-level risks for subsequent security analysis.

[0003] Existing technologies in power monitoring security data assessment cannot achieve deep field-level correlation and fusion of standardized security events and real-time equipment status data. They lack precise annotation methods for identifying the tactical intent of security events, and the accuracy of attack link topology reconstruction is insufficient, making it difficult to fully uncover the correlation characteristics of attack events. Furthermore, the assessment of the security status of heterogeneous devices lacks scientific quantitative calculation models, relying primarily on qualitative judgments. It also fails to achieve hierarchical aggregation of security posture based on the regional attributes and scheduling levels of the power monitoring network, resulting in poor visualization. Consequently, security assessment results cannot accurately reflect the overall network security risks, making it difficult to provide effective guidance for the security protection of power monitoring networks. Therefore, improving the accuracy and real-time performance of quantitative assessment of power monitoring security data, while simultaneously achieving a visualized presentation of overall network security risks, has become an urgent problem to be solved. Summary of the Invention

[0004] This invention provides a portable method and system for quantitative evaluation of safety data based on power monitoring, in order to solve the problems mentioned in the background art.

[0005] To achieve the above objectives, this invention provides a portable security data quantification and evaluation method based on power monitoring, comprising:

[0006] P1. Redundant data filtering is performed on the original multi-source heterogeneous security logs of the target power monitoring network, and the event paradigm is reconstructed on the filtered original multi-source heterogeneous security logs to obtain the standardized security events of the target power monitoring network.

[0007] P2. Actively detect the heterogeneous devices of the target power monitoring network to obtain the real-time status data of the heterogeneous devices;

[0008] P3. Perform field-level association and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network;

[0009] P4. Tactical intent labeling is performed on the enriched security events, and attack link topology reconstruction is performed on the labeled tactical tag events to obtain the fusion attack events of the target power monitoring network.

[0010] P5. Based on the aforementioned fusion attack event, the security status of the heterogeneous device is assessed to obtain a quantitative health index of the heterogeneous device.

[0011] P6. Using the quantitative health index as the data base, perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network, and visualize and render the security situation data obtained after aggregation to construct a global security risk map of the target power monitoring network.

[0012] In a preferred embodiment, the process of filtering redundant data from the original multi-source heterogeneous security logs of the target power monitoring network and reconstructing the event paradigm of the filtered original multi-source heterogeneous security logs to obtain standardized security events of the target power monitoring network includes:

[0013] Collect raw multi-source heterogeneous security logs from the target power monitoring network. These raw multi-source heterogeneous security logs include substation station control layer firewall filtering logs, remote communication gateway operation and maintenance audit records, and power dispatch data network router session logs.

[0014] The original multi-source heterogeneous security log is segmented by protocol fields to obtain a log tuple to be parsed. The log tuple to be parsed includes a log timestamp, source media access control address, and original event description text.

[0015] Redundancy filtering is performed on the original event description text to obtain a simplified event text.

[0016] Perform syntactic dependency parsing on the simplified event text to obtain the event behavior triplet of the simplified event text;

[0017] Based on the log timestamp and the source media access control address, the event behavior triples are aggregated using a time-series paradigm to obtain standardized security events for the target power monitoring network.

[0018] In a preferred embodiment, the step of actively fingerprinting the heterogeneous devices of the target power monitoring network to obtain real-time status data of the heterogeneous devices includes:

[0019] Send probe messages to heterogeneous devices in the target power monitoring network. The probe messages contain protocol stack feature probe payloads and service port scanning instructions, and capture the original response messages of the heterogeneous devices.

[0020] The original response message is parsed using protocol stack features to obtain the protocol stack fingerprint feature vector of the original response message;

[0021] Based on the protocol stack fingerprint feature vector, fingerprint matching and identification are performed on the heterogeneous device to obtain the device attribute label of the heterogeneous device;

[0022] The device attribute tags are associated and encapsulated with the open status of the service port corresponding to the probe message to obtain the real-time status data of the heterogeneous device.

[0023] In a preferred embodiment, the step of parsing the protocol stack features of the original response message to obtain the protocol stack fingerprint feature vector of the original response message includes:

[0024] The network layer header fields of the original response message are read to obtain the network layer characteristics of the original response message;

[0025] The transport layer header fields of the original response message are decoded to obtain the transport layer characteristics of the original response message;

[0026] The application layer load feature of the original response message is sampled to obtain the application layer feature scalar of the original response message.

[0027] The network layer features, transport layer features, and application layer features are normalized and fused to obtain the protocol stack fingerprint feature vector of the original response message.

[0028] In a preferred embodiment, the step of performing field-level correlation and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network includes:

[0029] Key fields are extracted from the standardized security events to obtain event-related key-value pairs.

[0030] Based on the event-related key-value pairs, device fingerprint matching is performed on the real-time status data to obtain the status records of the heterogeneous devices;

[0031] The state record and the event behavior triple are time-series aligned and verified. Based on the verification result, the state field is injected into the standardized security event to obtain the temporary security event of the standardized security event.

[0032] Based on the state record, the temporary security event is semantically completed to obtain the enhanced security event of the target power monitoring network;

[0033] The enhanced security events are assessed for threat levels, and risk labels are attached to the enhanced security events based on the assessment results to obtain the enriched security events of the target power monitoring network.

[0034] In a preferred embodiment, the step of labeling the enriched security events with tactical intent and reconstructing the attack link topology of the labeled tactical events to obtain the fused attack events of the target power monitoring network includes:

[0035] The attack behavior features of the enrichment security event are traversed, and the sequence of operation instructions obtained by the traversal is encoded with temporal features to obtain the initial tactical label of the enrichment security event.

[0036] The initial tactical labels are filtered by confidence threshold, and the filtered initial tactical labels are clustered and merged by tactical phase to obtain the tactical intent labels of the enriched security events.

[0037] Based on the tactical intent tag, the enriched security events are associated with a topology mapping to obtain the attack event node pairs of the enriched security events;

[0038] The attack event node pairs are fused and optimized to obtain the fused attack events of the target power monitoring network.

[0039] In a preferred embodiment, the step of assessing the security status of the heterogeneous device based on the fusion attack event to obtain a quantitative health index for the heterogeneous device includes:

[0040] The attack elements of the fusion attack event are analyzed to obtain the attack exposure vector of the heterogeneous device;

[0041] The attack exposure vector is quantified to obtain the attack scalar of the heterogeneous device.

[0042] Obtain the device attribute tags from the real-time status data, wherein the device attribute tags include the device type code and the operating system version identifier;

[0043] The device type code is weighted to obtain the device type weight value of the heterogeneous device;

[0044] The security level of the operating system version identifier is assessed to obtain the operating system security baseline value of the heterogeneous device;

[0045] The attack severity scalar, the device type weight value, and the operating system security baseline value are merged and combined to obtain the quantitative health index of the heterogeneous device. The formula for calculating the quantitative health index is as follows:

[0046] ;

[0047] in, This indicates the quantitative health index. This indicates the weight value of the device type. This represents a scalar measure of the severity of the attack. This represents the operating system's security baseline value. This represents an exponential function.

[0048] In a preferred embodiment, the step of using the quantified health index as a data base to perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network, and visualizing and rendering the aggregated security situation data to construct a global security risk map of the target power monitoring network includes:

[0049] Regional attribute indexing is performed on the target power monitoring network to obtain the regional indexing device of the target power monitoring network;

[0050] Hierarchical coding is attached to the regional indexing equipment to obtain the hierarchical coding equipment of the target power monitoring network;

[0051] Based on the hierarchical coding device, the quantitative health index is subjected to hierarchical quantization mapping to obtain the regional hierarchical situation vector of the hierarchical coding device;

[0052] Anchor the regional-level situation vector in a spatial coordinate system to obtain the situation nodes of the regional-level situation vector;

[0053] Risk topology construction is performed on the aforementioned situation nodes to obtain the risk situation topology map of the target power monitoring network;

[0054] The risk situation topology map is globally fused and rendered to obtain the global security risk map of the target power monitoring network.

[0055] In a preferred embodiment, the step of performing hierarchical quantization mapping on the quantized health index based on the hierarchical coding device to obtain the regional hierarchical situation vector of the hierarchical coding device includes:

[0056] A device-level topology is constructed for the hierarchical coding device to obtain a hierarchical topology diagram of the hierarchical coding device;

[0057] By embedding node health indices into the hierarchical topology graph, the node health feature vector of the hierarchical topology graph is obtained.

[0058] Based on the node health feature vector, hierarchical attention aggregation is performed on the hierarchical topology graph to obtain the hierarchical health aggregation vector of the hierarchical topology graph;

[0059] The hierarchical health aggregation vector is dimensionally reduced and encoded to obtain the regional hierarchical situation vector of the hierarchical encoding device.

[0060] To address the aforementioned problems, the present invention also provides a portable security data quantification and evaluation system based on power monitoring, the system comprising:

[0061] The log standardization module is used to filter redundant data from the original multi-source heterogeneous security logs of the target power monitoring network, and to reconstruct the event paradigm from the filtered original multi-source heterogeneous security logs to obtain the standardized security events of the target power monitoring network.

[0062] The fingerprint detection module is used to actively detect the heterogeneous devices of the target power monitoring network and obtain the real-time status data of the heterogeneous devices.

[0063] The event enrichment module is used to perform field-level association and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network.

[0064] The attack topology reconstruction module is used to label the enriched security events with tactical intent and reconstruct the attack link topology of the labeled tactical events to obtain the fused attack events of the target power monitoring network.

[0065] The health index calculation module is used to assess the security status of the heterogeneous device based on the fusion attack event, and obtain the quantitative health index of the heterogeneous device.

[0066] The situation aggregation module is used to perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network based on the quantitative health index, and to visualize and render the aggregated security situation data to construct a global security risk map of the target power monitoring network.

[0067] Compared with the prior art, the present invention has the following beneficial effects:

[0068] 1. This method achieves standardized processing of security log data by performing redundancy filtering and event paradigm reconstruction on multi-source heterogeneous security logs, effectively improving the validity and standardization of security event data. It also improves the timeliness and completeness of device status data by actively collecting status data from heterogeneous devices using fingerprint detection technology, accurately acquiring real-time device attributes and port status information. Furthermore, it enriches security events by performing field-level correlation and fusion with real-time device status data, and accurately mines the correlation features of attack events by combining tactical intent annotation and attack chain topology reconstruction, improving the comprehensiveness and accuracy of security event analysis. Finally, the quantitative model built based on multi-dimensional indicators enables a scientific quantitative assessment of the security status of heterogeneous devices, significantly improving the objectivity and accuracy of device security status assessment.

[0069] 2. This method leverages a quantitative health index to perform hierarchical situational aggregation tailored to the characteristics of power monitoring networks, accurately matching network regional attributes and scheduling levels, thereby enhancing the hierarchy and relevance of security situation analysis. The globally constructed security risk map, constructed through visualization rendering, presents the aggregated security situation data intuitively, effectively improving the intuitiveness and efficiency of global security risk perception in power monitoring networks. The entire quantitative assessment method works in synergy with various functional modules of the system, significantly improving the overall efficiency of quantitative assessment of power monitoring security data. It provides precise data support for security protection decisions and risk management in power monitoring networks, while also adapting to the application requirements of portable security assessments, enhancing the convenience and practicality of power monitoring network security assessment work, and strengthening the overall capability of power monitoring network security management. Attached Figure Description

[0070] Figure 1 A flowchart illustrating a portable security data quantification and evaluation method based on power monitoring, provided in an embodiment of the present invention;

[0071] Figure 2 A functional block diagram of a portable security data quantification and evaluation system based on power monitoring, provided in an embodiment of the present invention;

[0072] The realization of the objective, functional features and advantages of the present invention will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation

[0073] It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

[0074] This application provides a portable security data quantification and evaluation method based on power monitoring. The executing entity of this portable security data quantification and evaluation method based on power monitoring includes, but is not limited to, at least one of the following electronic devices that can be configured to execute the method provided in this application embodiment: a server, a terminal, etc. In other words, the portable security data quantification and evaluation method based on power monitoring can be executed by software or hardware installed on a terminal device or a server device. The server includes, but is not limited to, a single server, a server cluster, a cloud server, or a cloud server cluster. The server can be an independent server or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDNs), and big data and artificial intelligence platforms.

[0075] Reference Figure 1 The diagram shown is a flowchart illustrating a portable security data quantification and evaluation method based on power monitoring, according to an embodiment of the present invention. In this embodiment, the portable security data quantification and evaluation method based on power monitoring includes:

[0076] P1. Redundant data filtering is performed on the original multi-source heterogeneous security logs of the target power monitoring network, and the event paradigm is reconstructed on the filtered original multi-source heterogeneous security logs to obtain the standardized security events of the target power monitoring network.

[0077] In this embodiment of the invention, the process of filtering redundant data from the original multi-source heterogeneous security logs of the target power monitoring network and reconstructing the event paradigm of the filtered original multi-source heterogeneous security logs to obtain standardized security events of the target power monitoring network includes:

[0078] Collect raw multi-source heterogeneous security logs from the target power monitoring network. These raw multi-source heterogeneous security logs include substation station control layer firewall filtering logs, remote communication gateway operation and maintenance audit records, and power dispatch data network router session logs.

[0079] The original multi-source heterogeneous security log is segmented by protocol fields to obtain a log tuple to be parsed. The log tuple to be parsed includes a log timestamp, source media access control address, and original event description text.

[0080] Redundancy filtering is performed on the original event description text to obtain a simplified event text.

[0081] Perform syntactic dependency parsing on the simplified event text to obtain the event behavior triplet of the simplified event text;

[0082] Based on the log timestamp and the source media access control address, the event behavior triples are aggregated using a time-series paradigm to obtain standardized security events for the target power monitoring network.

[0083] Extract all filtering rule matching logs generated during the operation of the substation control layer firewall, retrieve the operation and maintenance audit records generated during the entire operation and maintenance process of the remote communication gateway, and collect all session logs generated during the communication between the power dispatch data network router and network nodes. After collecting and integrating the three types of logs—substation control layer firewall filtering logs, remote communication gateway operation and maintenance audit records, and power dispatch data network router session logs—the original multi-source heterogeneous security logs of the target power monitoring network are formed.

[0084] The integrated original multi-source heterogeneous security logs are split into fields according to the corresponding network communication protocol format. The log timestamp field that identifies the time of the event, the source media access control address field that identifies the device that initiated the event, and the original event description text field that describes the specific process of the event are extracted from each log. The three extracted fields are combined and encapsulated to form the log tuple to be parsed for each log.

[0085] The process involves identifying repeated descriptions, invalid descriptions unrelated to the security event, and redundant embellishments in the original event description text of the log tuple to be parsed, word by word. All such content is then removed from the original event description text, retaining only the content that accurately represents the core process and key information of the security event, thus forming a concise event text corresponding to the log tuple to be parsed.

[0086] A grammatical structure analysis is conducted on the simplified event text to comprehensively sort out the grammatical dependencies between the words in the text. The subject, predicate, and object representing the initiator of the action are accurately identified. The identified subject, predicate, and object are combined in a fixed order to form event behavior triplets corresponding to the simplified event text.

[0087] The system retrieves the corresponding log timestamp and source media access control address from the log tuples to be parsed. Using the source media access control address as the classification basis, it centrally categorizes all event behavior triples corresponding to the same device. Within each category, the event behavior triples are sorted sequentially according to the order of the log timestamps. All sorted event behavior triples are formatted according to a unified event description paradigm. All formatted event behavior triples are then integrated to form a standardized security event for the target power monitoring network.

[0088] The beneficial effects of this implementation process are that it enables refined processing of raw, multi-source, heterogeneous security logs from different sources and in different formats within the power monitoring network. From accurate log collection to the segmentation and extraction of key fields, to the filtering of invalid information and the analysis of core elements, each step can selectively retain key information about security events. Finally, relying on log timestamps and source media access control addresses, it achieves time-sequential and standardized aggregation of event behavior triples, successfully transforming heterogeneous security logs into standardized security events in a unified format. This effectively improves the regularity and effectiveness of network security event data in the power monitoring network, establishing a standardized and unified data foundation for subsequent in-depth analysis of security events. At the same time, the entire processing flow is logically coherent and operationally specific, preventing the loss of core security information during data processing and ensuring the integrity of security event data.

[0089] P2. Actively detect the heterogeneous devices of the target power monitoring network to obtain the real-time status data of the heterogeneous devices;

[0090] In this embodiment of the invention, the step of actively fingerprinting the heterogeneous devices of the target power monitoring network to obtain real-time status data of the heterogeneous devices includes:

[0091] Send probe messages to heterogeneous devices in the target power monitoring network. The probe messages contain protocol stack feature probe payloads and service port scanning instructions, and capture the original response messages of the heterogeneous devices.

[0092] The original response message is parsed using protocol stack features to obtain the protocol stack fingerprint feature vector of the original response message;

[0093] Based on the protocol stack fingerprint feature vector, fingerprint matching and identification are performed on the heterogeneous device to obtain the device attribute label of the heterogeneous device;

[0094] The device attribute tags are associated and encapsulated with the open status of the service port corresponding to the probe message to obtain the real-time status data of the heterogeneous device.

[0095] The step of parsing the protocol stack features of the original response message to obtain the protocol stack fingerprint feature vector of the original response message includes:

[0096] The network layer header fields of the original response message are read to obtain the network layer characteristics of the original response message;

[0097] The transport layer header fields of the original response message are decoded to obtain the transport layer characteristics of the original response message;

[0098] The application layer load feature of the original response message is sampled to obtain the application layer feature scalar of the original response message.

[0099] The network layer features, transport layer features, and application layer features are normalized and fused to obtain the protocol stack fingerprint feature vector of the original response message.

[0100] Customized probe messages are sent one by one to all heterogeneous devices within the target power monitoring network. These probe messages are pre-embedded with protocol stack feature probe payloads for detecting the network protocol stack characteristics of the devices, as well as service port scanning instructions for detecting the operating status of each service port of the devices. After sending the probe messages, the network messages fed back by each heterogeneous device are listened to and received in real time. The received feedback messages without any processing are completely retained to form the original response messages corresponding to the heterogeneous devices.

[0101] The network layer header of the original response message is parsed and read field by field to extract all fields that identify the network protocol version, packet identifier, time to live, protocol type, and header checksum. All extracted fields are then integrated in a fixed order to form the network layer features of the original response message.

[0102] The transport layer header of the original response message is professionally decoded to extract all fields that identify the source port, destination port, message sequence number, acknowledgment sequence number, data offset, window size, checksum, and urgent pointer. All extracted fields are then integrated in a fixed order to form the transport layer characteristics of the original response message.

[0103] The application layer payload of the original response message is sampled at equal intervals. Key data segments in the payload that can characterize the application layer protocol type, data transmission rules, and device interaction characteristics are selected. The selected key data segments are then integrated in an orderly manner according to the sampling order to form the application layer feature scalar of the original response message.

[0104] The extracted network layer features, transport layer features, and application layer features are formatted according to a unified feature representation form. The feature content of different layers is then orderly spliced ​​and fused to form a structured feature set. This structured feature set is the protocol stack fingerprint feature vector of the original response message.

[0105] The system retrieves a pre-defined fingerprint feature database for power monitoring equipment. This database stores a one-to-one correspondence between standard protocol stack fingerprint feature vectors and equipment attribute information for various heterogeneous power monitoring equipment. The parsed protocol stack fingerprint feature vectors are compared and matched one by one with all standard protocol stack fingerprint feature vectors in the equipment fingerprint feature database. If a match is successful, the system retrieves the equipment attribute information corresponding to the standard vector and creates a standardized identification label from this information, thus forming the equipment attribute label for the heterogeneous equipment.

[0106] Based on the feedback results of the service port scanning command in the probe message, the open or closed operation status of each service port of the heterogeneous device is determined one by one. The operation status information of all ports is organized in order according to the port number to form the service port open status information of the heterogeneous device. The service port open status information is bound and integrated with the device attribute tag corresponding to the heterogeneous device one-to-one. All the integrated information is encapsulated as a whole to form the real-time status data of the heterogeneous device.

[0107] The beneficial effects of this implementation process are that it achieves status detection of heterogeneous devices by actively sending probe messages, overcoming the limitations of passive data collection. It can obtain the latest operating status of devices in real time. At the same time, it performs layered feature analysis of the network layer, transport layer, and application layer of the original response messages, realizing the comprehensive extraction of protocol stack features. Combined with the preset device fingerprint feature library, it can obtain accurate device attribute tags. Finally, the device attribute tags are associated and encapsulated with the open status of service ports. The resulting real-time status data can completely and accurately reflect the actual operating attributes and port status of heterogeneous devices, providing real and effective device status data support for subsequent security event analysis of the power monitoring network. The entire detection process is specific and logically coherent, enabling comprehensive and accurate status detection of all heterogeneous devices in the target power monitoring network, ensuring the timeliness and completeness of device status data.

[0108] P3. Perform field-level association and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network;

[0109] In this embodiment of the invention, the step of performing field-level correlation and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network includes:

[0110] Key fields are extracted from the standardized security events to obtain event-related key-value pairs.

[0111] Based on the event-related key-value pairs, device fingerprint matching is performed on the real-time status data to obtain the status records of the heterogeneous devices;

[0112] The state record and the event behavior triple are time-series aligned and verified. Based on the verification result, the state field is injected into the standardized security event to obtain the temporary security event of the standardized security event.

[0113] Based on the state record, the temporary security event is semantically completed to obtain the enhanced security event of the target power monitoring network;

[0114] The enhanced security events are assessed for threat levels, and risk labels are attached to the enhanced security events based on the assessment results to obtain the enriched security events of the target power monitoring network.

[0115] A comprehensive review of the overall content of standardized security incidents is conducted, and the device identifier field that can uniquely point to the corresponding heterogeneous device and the event time field that represents the specific moment when the security incident occurred are accurately extracted. The extracted fields are used as keys, and the specific information content corresponding to the fields is used as values. They are combined in a fixed form with one-to-one correspondence between keys and values ​​to form event-related key-value pairs corresponding to standardized security incidents.

[0116] Retrieve real-time status data of all heterogeneous devices within the target power monitoring network, extract device fingerprint information of each heterogeneous device from the real-time status data, match the device identification information in the event association key-value pairs with the device fingerprint information in the real-time status data one by one, and after a successful match, retrieve all real-time status data content corresponding to the heterogeneous device, and organize this content in an orderly manner according to the categories of device attribute information and service port open status to form the status record corresponding to the heterogeneous device.

[0117] The system retrieves the time information representing the device status acquisition time from the status record, and simultaneously retrieves the security event occurrence time information corresponding to the event behavior triplet. After converting the two types of time information into a representation with the same time dimension, they are compared and verified to confirm the matching of the device's real-time status and the security event in the time dimension. After verification, all device status information in the status record is treated as independent status fields and completely implanted into the specified field position of the corresponding standardized security event. The standardized security event with the completed field implantation is formatted to form the temporary security event corresponding to the standardized security event.

[0118] A comprehensive review of status records is conducted to supplement information on the equipment operating background and network environment characteristics that could explain the occurrence of temporary security events. For content in temporary security events that is brief in description, lacks background information, or affects the understanding of the event, the relevant information is supplemented into the corresponding text positions according to semantic logic and the order of event development. The temporary security events after the supplemented information are semantically reviewed as a whole to ensure that the event content is coherent and logically sound, thus forming enhanced security events for the target power monitoring network.

[0119] Based on industry standards and established norms for power monitoring network security protection, a comprehensive assessment is made of the impact of enhanced security events on the stability of equipment operation, data transmission security, and business continuity of the power monitoring network. Each enhanced security event is assigned a corresponding threat level, and a standardized risk label is created based on the determined threat level. This risk label is then uniquely bound to the corresponding enhanced security event, and the label attachment operation is completed. The enhanced security event after label attachment is the enriched security event of the target power monitoring network.

[0120] The beneficial effects of this implementation process are that it achieves deep field-level correlation and fusion of standardized security events and real-time status data of heterogeneous devices. Key field extraction and device fingerprint matching ensure the accuracy of the correlation between the two types of data. Time sequence alignment verification ensures the rationality and timeliness of device status field injection. Contextual semantic completion enriches the information dimensions and background content of security events. Threat level assessment and risk label attachment give security events clear risk characteristics. The resulting enriched security events integrate the dual core information of the security event itself and the real-time operating status of the devices. The information is more comprehensive, the semantics are more complete, and the risk characteristics are clearer. This provides accurate and rich data sources for subsequent attack behavior analysis and security status assessment of power monitoring networks. The entire fusion process is specific and logically rigorous, effectively improving the utilization value of security event data and ensuring the accuracy of subsequent security analysis work.

[0121] P4. Tactical intent labeling is performed on the enriched security events, and attack link topology reconstruction is performed on the labeled tactical tag events to obtain the fusion attack events of the target power monitoring network.

[0122] In this embodiment of the invention, the step of labeling the enriched security events with tactical intent and reconstructing the attack link topology of the labeled tactical events to obtain the fused attack events of the target power monitoring network includes:

[0123] The attack behavior features of the enrichment security event are traversed, and the sequence of operation instructions obtained by the traversal is encoded with temporal features to obtain the initial tactical label of the enrichment security event.

[0124] The initial tactical labels are filtered by confidence threshold, and the filtered initial tactical labels are clustered and merged by tactical phase to obtain the tactical intent labels of the enriched security events.

[0125] Based on the tactical intent tag, the enriched security events are associated with a topology mapping to obtain the attack event node pairs of the enriched security events;

[0126] The attack event node pairs are fused and optimized to obtain the fused attack events of the target power monitoring network.

[0127] A comprehensive and detailed analysis of the overall content of the enrichment security incident was conducted, systematically reviewing all characteristic information that could characterize the attack behavior, including the specific operational actions carried out, the target equipment, and the sequence of operations. All the attack operations obtained were organized in chronological order to form a standardized sequence of operation instructions. Following a fixed temporal feature encoding rule, the sequence of operation instructions was transformed and encoded into a label that could directly characterize the attack tactical tendencies. This label is the initial tactical label for the enrichment security incident.

[0128] A fixed confidence level judgment standard is preset. The tactical characterization confidence level information corresponding to each initial tactical label is extracted. The confidence level information is compared and verified one by one with the preset judgment standard. Initial tactical labels that do not meet the preset judgment standard are eliminated. Only valid initial tactical labels that meet the confidence level requirements are retained. The retained valid initial tactical labels are classified and clustered according to the tactical implementation stage of the power monitoring network attack behavior. Initial tactical labels belonging to the same tactical implementation stage are centrally merged and integrated. Duplicate label content that occurs during the merging process is eliminated to form a standardized label that can accurately represent the core intent of the enrichment security event attack tactic. This label is the tactical intent label of the enrichment security event.

[0129] A device topology diagram of the target power monitoring network is constructed, which fully presents the physical connection relationships and data interaction transmission paths of all heterogeneous devices in the network. Tactical intent tags are used as the core association basis. Enriched security events with tactical association attributes in the target power monitoring network are mapped one by one to the corresponding device nodes in the device topology diagram. Two device nodes with attack behavior propagation relationships in the topology diagram are paired up. Each pair of device nodes with direct attack behavior propagation relationships is the attack event node pair of enriched security events.

[0130] All attack event node pairs identified were individually verified. The rationality of the tactical intent association between each pair, the logical coherence of the attack behavior transmission, and the actual authenticity of the topological connection between devices were checked in turn. Invalid attack event node pairs with unreasonable associations, incoherent logic, or false connections were eliminated during the verification process. The remaining valid attack event node pairs were integrated and optimized as a whole. According to the actual occurrence sequence and actual transmission path of the attack behavior, all valid attack event node pairs were systematically spliced ​​together to form a standardized event set that can completely present the attack chain within the network. This event set is the fused attack event of the target power monitoring network.

[0131] The beneficial effects of this implementation process are as follows: Starting with the attack behavior characteristics of enriched security events, it achieves a preliminary characterization of attack tactical tendencies through traversal and encoding. After confidence threshold filtering and tactical stage clustering and merging, the obtained tactical intent labels can accurately reflect the core tactical intent of the attack behavior. Then, combined with the device topology relationship diagram of the power monitoring network, it performs correlation topology mapping, realizing the accurate extraction of attack event node pairs. Finally, through fusion verification optimization to eliminate invalid node pairs and complete orderly splicing, the resulting fused attack event can completely and clearly present the tactical intent and attack link topology relationship of the attack behavior within the target power monitoring network, accurately showing the transmission path and correlation characteristics of the attack behavior. This provides accurate and complete attack event evidence for subsequent heterogeneous device security status assessment and network-wide security risk analysis. The entire process is specific and logically rigorous, effectively improving the depth and accuracy of power monitoring network attack event analysis and ensuring the effective implementation of subsequent security assessment-related work.

[0132] P5. Based on the aforementioned fusion attack event, the security status of the heterogeneous device is assessed to obtain a quantitative health index of the heterogeneous device.

[0133] In this embodiment of the invention, the step of assessing the security status of the heterogeneous device based on the fusion attack event to obtain a quantitative health index of the heterogeneous device includes:

[0134] The attack elements of the fusion attack event are analyzed to obtain the attack exposure vector of the heterogeneous device;

[0135] The attack exposure vector is quantified to obtain the attack scalar of the heterogeneous device.

[0136] Obtain the device attribute tags from the real-time status data, wherein the device attribute tags include the device type code and the operating system version identifier;

[0137] The device type code is weighted to obtain the device type weight value of the heterogeneous device;

[0138] The security level of the operating system version identifier is assessed to obtain the operating system security baseline value of the heterogeneous device;

[0139] The attack severity scalar, the device type weight value, and the operating system security baseline value are merged and combined to obtain the quantitative health index of the heterogeneous device. The formula for calculating the quantitative health index is as follows:

[0140] ;

[0141] in, This indicates the quantitative health index. This indicates the weight value of the device type. This represents a scalar measure of the severity of the attack. This represents the operating system's security baseline value. This represents an exponential function.

[0142] A comprehensive and detailed analysis of the overall content of the fusion attack event is conducted, and the core elements of the attack against heterogeneous devices are analyzed one by one. This includes the specific parts of the devices targeted by the attack, the specific methods of the attack, the duration of the attack, and the scope of the impact on the devices. All the attack elements obtained are then structured and organized according to the preset element classification standards to form a set of elements that can completely represent the attack exposure of the devices. This set of elements is the attack exposure vector of heterogeneous devices.

[0143] Based on industry norms and established standards for power monitoring network security protection, each attack element in the attack exposure vector is independently assessed for risk level. Each element is assigned a corresponding level representation information according to its impact on the operational security of heterogeneous equipment. Then, the level representation information of all attack elements is integrated and normalized to transform it into a single representation value that can reflect the overall degree of harm of the attack to the equipment. This representation value is the attack harm scalar of heterogeneous equipment.

[0144] Retrieve real-time status data collected from heterogeneous devices in the early stage, accurately extract pre-made device attribute tags from the overall encapsulated content of the real-time status data, and directly retain the device attribute tags and two types of information contained in the tags: device type code for identifying the specific type of device and operating system version identifier for identifying the specific version of the operating system running on the device for future use.

[0145] Based on the overall operational architecture and business requirements of the target power monitoring network, the functional positioning and security importance level of different types of equipment in the network are clarified. For the specific equipment type corresponding to the equipment type code, a corresponding calibration value is assigned according to its security importance level in the network. This calibration value can directly reflect the security importance of the corresponding equipment type. This value is the equipment type weight value of heterogeneous equipment.

[0146] The power industry's operating system security level assessment specifications and standards are retrieved, and the specific operating system version corresponding to the operating system version identifier is compared with each standard in the assessment specifications. A comprehensive assessment is conducted based on the operating system version's security protection capabilities, known vulnerability patching status, and degree of support for secure communication protocols, and a corresponding level value is assigned to the operating system version. This value is the operating system security baseline value for heterogeneous devices.

[0147] The obtained attack severity scalar, device type weight value, and operating system security baseline value are comprehensively integrated according to fixed fusion rules. The information represented by the three types of values, such as the degree of impact of the attack on the device, the security importance of the device itself, and the basic security capabilities of the device system, is fully merged. The integrated information is transformed into a single value that can comprehensively reflect the overall security status of heterogeneous devices. This value is the quantitative health index of heterogeneous devices.

[0148] The device type weight value is derived from the weighting of the device type code contained in the device attribute label in the real-time status data. The calibration process combines the operation architecture and business requirements of the target power monitoring network, and assigns a corresponding calibration value to the device type code based on the functional positioning and security importance level of the device type in the network. This value is the device type weight value used in the formula.

[0149] The attack severity scalar is derived from the risk level quantification of the attack exposure vector obtained from the analysis of fused attack events. The quantification process is based on the power monitoring network security protection industry standard. The risk level of each attack element in the attack exposure vector is determined, and then the level representation information of all elements is integrated and normalized to form a single representation value. This representation value is the attack severity scalar used in the formula.

[0150] The operating system security baseline value is derived from the security level assessment of the operating system version identifier contained in the device attribute tags in the real-time status data. The assessment process is based on the power industry operating system security level assessment standard, and comprehensively compares the operating system version's security protection capabilities, vulnerability patching status, and security protocol support level, assigning a corresponding level value to the operating system version. This value is the operating system security baseline value used in the formula.

[0151] The process of obtaining the value of the exponential function is as follows: first, calculate the difference between the attack severity scalar and the operating system security baseline value; then, take the opposite of this difference and use the opposite as the exponent of the exponential function; the result of the exponential function is obtained through exponential operation; this result is multiplied by the device type weight value to finally obtain the quantitative health index.

[0152] The significance of the formula lies in integrating indicators from three core dimensions: the security importance of the device itself, the overall severity of the attack, and the basic security capabilities of the operating system. It constructs the correlation between the attack severity and the operating system security baseline through an exponential function, and then combines the weighting effect of the device type weight value to achieve a comprehensive quantitative representation of the security status of heterogeneous devices. The resulting quantitative health index can comprehensively and accurately reflect the actual security and health level of heterogeneous devices in the power monitoring network, providing a standardized quantitative basis for subsequent security posture aggregation and global risk analysis.

[0153] The trend of the formula is that when the device type weight value is fixed and the operating system security baseline value remains unchanged, the larger the attack severity scalar value, the larger the difference between the attack severity scalar value and the operating system security baseline value, the smaller the negative number of this difference, the smaller the calculation result of the exponential function, and the smaller the final quantitative health index value. Conversely, the smaller the attack severity scalar value, the larger the calculation result of the exponential function, and the larger the final quantitative health index value.

[0154] The formula also shows that when the attack severity scalar is fixed and the operating system security baseline remains unchanged, the larger the device type weight value, the larger the quantitative health index value obtained after multiplying it with the result of the exponential function calculation; the smaller the device type weight value, the smaller the final quantitative health index value.

[0155] The trend of the formula is also as follows: when the device type weight value is fixed and the attack severity scalar remains unchanged, the larger the operating system security baseline value, the smaller the difference between the attack severity scalar and the operating system security baseline value, the larger the negative number of this difference, the larger the calculation result of the exponential function, and the larger the final quantitative health index value. Conversely, the smaller the operating system security baseline value, the smaller the calculation result of the exponential function, and the smaller the final quantitative health index value.

[0156] The beneficial effects of this implementation process are that it conducts security status and health assessments of heterogeneous devices based on the convergence of attack events. Through precise analysis of attack elements, it achieves a comprehensive characterization of the devices' exposure to attacks. The attack severity scalar obtained through risk level quantification can intuitively reflect the overall severity of the attack. Simultaneously, by combining the device's own type code weighting and operating system version security baseline assessment, it fully considers the importance of the devices in the power monitoring network and their own basic security attributes. Finally, the quantitative health index obtained through the fusion and aggregation of multi-dimensional indicators can comprehensively and accurately reflect the actual security status of heterogeneous devices, providing objective and accurate quantitative data support for subsequent security posture aggregation and global risk analysis of the power monitoring network. The entire assessment process is specific and logically rigorous, effectively improving the comprehensiveness and accuracy of device security status assessment and ensuring the reference value of the assessment results.

[0157] P6. Using the quantitative health index as the data base, perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network, and visualize and render the security situation data obtained after aggregation to construct a global security risk map of the target power monitoring network.

[0158] In this embodiment of the invention, the step of using the quantitative health index as a data base to perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network, and then visualizing and rendering the aggregated security situation data to construct a global security risk map of the target power monitoring network includes:

[0159] Regional attribute indexing is performed on the target power monitoring network to obtain the regional indexing device of the target power monitoring network;

[0160] Hierarchical coding is attached to the regional indexing equipment to obtain the hierarchical coding equipment of the target power monitoring network;

[0161] Based on the hierarchical coding device, the quantitative health index is subjected to hierarchical quantization mapping to obtain the regional hierarchical situation vector of the hierarchical coding device;

[0162] Anchor the regional-level situation vector in a spatial coordinate system to obtain the situation nodes of the regional-level situation vector;

[0163] Risk topology construction is performed on the aforementioned situation nodes to obtain the risk situation topology map of the target power monitoring network;

[0164] The risk situation topology map is globally fused and rendered to obtain the global security risk map of the target power monitoring network.

[0165] The step of performing hierarchical quantization mapping on the quantized health index based on the hierarchical encoding device to obtain the regional hierarchical situation vector of the hierarchical encoding device includes:

[0166] A device-level topology is constructed for the hierarchical coding device to obtain a hierarchical topology diagram of the hierarchical coding device;

[0167] The node health index is embedded in the hierarchical topology graph to obtain the node health feature vector of the hierarchical topology graph;

[0168] Based on the node health feature vector, hierarchical attention aggregation is performed on the hierarchical topology graph to obtain the hierarchical health aggregation vector of the hierarchical topology graph;

[0169] The hierarchical health aggregation vector is dimensionally reduced and encoded to obtain the regional hierarchical situation vector of the hierarchical encoding device.

[0170] For all heterogeneous devices within the target power monitoring network, each device is individually indexed based on its physical area, administrative division, business coverage, and other attributes. Each device is assigned a unique regional attribute identifier, which accurately reflects the specific regional scope to which the device belongs. All devices after indexing are considered regional indexed devices of the target power monitoring network.

[0171] For regional indexing devices, a coding and attachment operation is performed one by one according to the hierarchical architecture of the power dispatching system. According to the dispatching levels such as national, provincial, municipal, county, substation, and terminal, a corresponding hierarchical code is assigned to each regional indexing device. This code can clearly represent the hierarchical affiliation of the device in the dispatching system. All devices after the hierarchical coding attachment is completed are the hierarchical coded devices of the target power monitoring network.

[0172] For hierarchical coding devices, hierarchical connection relationships between devices are constructed based on the scheduling and management relationships reflected by their hierarchical coding. Devices at the same level are grouped into the same topology level, and devices at different levels are connected in topology according to the rule that the upper level scheduler manages the lower level scheduler. The resulting structured hierarchical connection relationship diagram is the hierarchical topology relationship diagram of the hierarchical coding device.

[0173] For each device node in the hierarchical topology graph, the quantified health index corresponding to the device is embedded as the health feature value of the node into the node attribute, so that each node has a unique health feature identifier. The health feature values ​​of all nodes are combined in an orderly manner according to the hierarchical topology relationship, and the feature set formed is the node health feature vector of the hierarchical topology graph.

[0174] Based on the node health feature vector, a hierarchical attention aggregation operation is performed on the hierarchical topology graph. First, the health feature values ​​of all nodes within the same level are weighted and integrated according to the functional importance of the device in that level to obtain the initial health aggregation value of that level. Then, the initial health aggregation values ​​of different levels are integrated from top to bottom according to the management weight of the upper level to the lower level to obtain the final health aggregation value of each level. The set formed by the combination of the final health aggregation values ​​of all levels is the hierarchical health aggregation vector of the hierarchical topology graph.

[0175] The hierarchical health aggregation vector is subjected to dimension reduction encoding. The hierarchical health aggregation values ​​in the hierarchical health aggregation vector are grouped according to the regional attributes of the regional indexing device. All hierarchical health aggregation values ​​in the same region are combined into a sub-vector. Then, the sub-vectors of all regions are arranged in order according to the regional order. The resulting structured vector is the regional hierarchical situation vector of the hierarchical encoding device.

[0176] Each set of regional-level health aggregation values ​​in the regional-level situation vector is anchored to a preset spatial coordinate system. The regional attribute is used as the horizontal dimension of the coordinate system, the scheduling level is used as the vertical dimension, and the health aggregation value is used as the height dimension. Each set of values ​​is mapped to a unique spatial point in the coordinate system, which is the situation node of the regional-level situation vector.

[0177] For all status nodes, based on their regional attributes and scheduling hierarchy relationships, as well as the business interaction logic between devices, a topological connection relationship between nodes is constructed. Status nodes at different levels within the same region are connected by edges, and status nodes with business interactions between different regions are connected by edges. The resulting structured topological relationship graph is the risk status topology graph of the target power monitoring network.

[0178] A global fusion rendering operation is performed on the risk situation topology map, converting the health aggregation value of the situation nodes into visual features such as color and size. The lower the health aggregation value, the darker the color and the larger the size of the node. The interaction strength of the topology connection edge is converted into the thickness of the edge. The higher the interaction strength, the thicker the edge. At the same time, labeling information such as region label, hierarchy label, and health value is added. The topology content of all regions and levels is integrated into the same view, and the resulting interactive and visual map is the global security risk map of the target power monitoring network.

[0179] The beneficial effects of this implementation process are that it uses a quantitative health index as the core data base, achieves accurate classification of equipment through regional attribute indexing and hierarchical coding, effectively integrates layered situations by relying on hierarchical topology construction and attention aggregation, transforms abstract security situation data into structured topological relationships through spatial coordinate system anchoring and risk topology construction, and finally forms a global security risk map through global fusion rendering. This map can intuitively and comprehensively present the security situation distribution of the target power monitoring network in different regions and scheduling levels, helping maintenance personnel to quickly locate high-risk areas and levels, improving the accuracy and efficiency of power monitoring network security management. At the same time, the entire process is logically rigorous and the operation is specific, ensuring the objectivity and operability of security situation aggregation and visualization.

[0180] like Figure 2 The diagram shown is a functional block diagram of a portable security data quantification and evaluation system based on power monitoring, provided by an embodiment of the present invention.

[0181] The portable security data quantification and evaluation system 100 based on power monitoring described in this invention can be installed in an electronic device. Depending on the functions implemented, the portable security data quantification and evaluation system 100 based on power monitoring may include a log standardization module 101, a fingerprint detection module 102, an event enrichment module 103, an attack topology reconstruction module 104, a health index calculation module 105, and a situation aggregation module 106. The modules described in this invention can also be referred to as units, which are a series of computer program segments that can be executed by the processor of an electronic device and can perform a fixed function, stored in the memory of the electronic device.

[0182] In this embodiment, the functions of each module / unit are as follows:

[0183] The log standardization module 101 is used to filter redundant data from the original multi-source heterogeneous security logs of the target power monitoring network, and to reconstruct the event paradigm from the filtered original multi-source heterogeneous security logs to obtain the standardized security events of the target power monitoring network.

[0184] The fingerprint detection module 102 is used to actively detect the heterogeneous devices of the target power monitoring network and obtain the real-time status data of the heterogeneous devices.

[0185] The event enrichment module 103 is used to perform field-level association and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network.

[0186] The attack topology reconstruction module 104 is used to label the enriched security events with tactical intent and to reconstruct the attack link topology of the labeled tactical tag events to obtain the fused attack events of the target power monitoring network.

[0187] The health index calculation module 105 is used to assess the security status of the heterogeneous device based on the fusion attack event, and obtain the quantitative health index of the heterogeneous device.

[0188] The situation aggregation module 106 is used to perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network based on the quantitative health index, and to visualize and render the aggregated security situation data to construct a global security risk map of the target power monitoring network.

[0189] In the several embodiments provided by this invention, it should be understood that the disclosed methods and systems can be implemented in other ways. For example, the system embodiments described above are merely illustrative; for instance, the division of modules is only a logical functional division, and other division methods may be used in actual implementation.

[0190] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.

[0191] Furthermore, the functional modules in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or in the form of hardware plus software functional modules.

[0192] It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the present invention can be implemented in other specific forms without departing from the spirit or essential characteristics of the present invention.

[0193] This application embodiment can acquire and process relevant data based on artificial intelligence technology. Artificial intelligence is the theory, method, technology, and application system that uses digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to obtain optimal results.

[0194] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims

1. A portable method for quantitative evaluation of security data based on power monitoring, characterized in that, The method includes: P1. Redundant data filtering is performed on the original multi-source heterogeneous security logs of the target power monitoring network, and the event paradigm is reconstructed on the filtered original multi-source heterogeneous security logs to obtain the standardized security events of the target power monitoring network. P2. Actively detect the heterogeneous devices of the target power monitoring network to obtain the real-time status data of the heterogeneous devices; P3. Perform field-level association and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network; P4. Tactical intent labeling is performed on the enriched security events, and attack link topology reconstruction is performed on the labeled tactical tag events to obtain the fusion attack events of the target power monitoring network. P5. Based on the aforementioned fusion attack event, the security status of the heterogeneous device is assessed to obtain a quantitative health index of the heterogeneous device. P6. Using the quantitative health index as the data base, perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network, and visualize and render the security situation data obtained after aggregation to construct a global security risk map of the target power monitoring network.

2. The portable security data quantification and evaluation method based on power monitoring as described in claim 1, characterized in that, The process involves filtering redundant data from the original multi-source heterogeneous security logs of the target power monitoring network and reconstructing the event paradigm of the filtered logs to obtain standardized security events for the target power monitoring network, including: Collect raw multi-source heterogeneous security logs from the target power monitoring network. These raw multi-source heterogeneous security logs include substation station control layer firewall filtering logs, remote communication gateway operation and maintenance audit records, and power dispatch data network router session logs. The original multi-source heterogeneous security log is segmented by protocol fields to obtain a log tuple to be parsed. The log tuple to be parsed includes a log timestamp, source media access control address, and original event description text. Redundancy filtering is performed on the original event description text to obtain a simplified event text. Perform syntactic dependency parsing on the simplified event text to obtain the event behavior triplet of the simplified event text; Based on the log timestamp and the source media access control address, the event behavior triples are aggregated using a time-series paradigm to obtain standardized security events for the target power monitoring network.

3. The portable security data quantification and evaluation method based on power monitoring as described in claim 1, characterized in that, The step of actively fingerprinting heterogeneous devices in the target power monitoring network to obtain real-time status data of the heterogeneous devices includes: Send probe messages to heterogeneous devices in the target power monitoring network. The probe messages contain protocol stack feature probe payloads and service port scanning instructions, and capture the original response messages of the heterogeneous devices. The original response message is parsed using protocol stack features to obtain the protocol stack fingerprint feature vector of the original response message; Based on the protocol stack fingerprint feature vector, fingerprint matching and identification are performed on the heterogeneous device to obtain the device attribute label of the heterogeneous device; The device attribute tags are associated and encapsulated with the open status of the service port corresponding to the probe message to obtain the real-time status data of the heterogeneous device.

4. The portable security data quantification and evaluation method based on power monitoring as described in claim 3, characterized in that, The step of parsing the protocol stack features of the original response message to obtain the protocol stack fingerprint feature vector of the original response message includes: The network layer header fields of the original response message are read to obtain the network layer characteristics of the original response message; The transport layer header fields of the original response message are decoded to obtain the transport layer characteristics of the original response message; The application layer load feature of the original response message is sampled to obtain the application layer feature scalar of the original response message. The network layer features, transport layer features, and application layer features are normalized and fused to obtain the protocol stack fingerprint feature vector of the original response message.

5. The portable security data quantification and evaluation method based on power monitoring as described in claim 1, characterized in that, The step of fusing the standardized security events with the real-time status data at the field level to obtain the enriched security events of the target power monitoring network includes: Key fields are extracted from the standardized security events to obtain event-related key-value pairs. Based on the event-related key-value pairs, device fingerprint matching is performed on the real-time status data to obtain the status records of the heterogeneous devices; The state record and the event behavior triple are time-series aligned and verified. Based on the verification result, the state field is injected into the standardized security event to obtain the temporary security event of the standardized security event. Based on the state record, the temporary security event is semantically completed to obtain the enhanced security event of the target power monitoring network; The enhanced security events are assessed for threat levels, and risk labels are attached to the enhanced security events based on the assessment results to obtain the enriched security events of the target power monitoring network.

6. The portable security data quantification and evaluation method based on power monitoring as described in claim 1, characterized in that, The step of labeling the enriched security events with tactical intent and reconstructing the attack link topology of the labeled tactical events to obtain the fused attack events of the target power monitoring network includes: The attack behavior features of the enrichment security event are traversed, and the sequence of operation instructions obtained by the traversal is encoded with temporal features to obtain the initial tactical label of the enrichment security event. The initial tactical labels are filtered by confidence threshold, and the filtered initial tactical labels are clustered and merged by tactical phase to obtain the tactical intent labels of the enriched security events. Based on the tactical intent tag, the enriched security events are associated with a topology mapping to obtain the attack event node pairs of the enriched security events; The attack event node pairs are fused and optimized to obtain the fused attack events of the target power monitoring network.

7. The portable security data quantification and evaluation method based on power monitoring as described in claim 1, characterized in that, The process of assessing the security status of the heterogeneous devices based on the fusion attack event, and obtaining a quantitative health index for the heterogeneous devices, includes: The attack elements of the fusion attack event are analyzed to obtain the attack exposure vector of the heterogeneous device; The attack exposure vector is quantified to obtain the attack scalar of the heterogeneous device. Obtain the device attribute tags from the real-time status data, wherein the device attribute tags include the device type code and the operating system version identifier; The device type code is weighted to obtain the device type weight value of the heterogeneous device; The security level of the operating system version identifier is assessed to obtain the operating system security baseline value of the heterogeneous device; The attack severity scalar, the device type weight value, and the operating system security baseline value are merged and combined to obtain the quantitative health index of the heterogeneous device. The formula for calculating the quantitative health index is as follows: ; in, This indicates the quantitative health index. This indicates the weight value of the device type. This represents a scalar measure of the severity of the attack. This represents the operating system's security baseline value. This represents an exponential function.

8. The portable security data quantification and evaluation method based on power monitoring as described in claim 1, characterized in that, The process involves using the quantitative health index as a data base to perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network, and visualizing the resulting security situation data to construct a global security risk map of the target power monitoring network. This includes: Regional attribute indexing is performed on the target power monitoring network to obtain the regional indexing device of the target power monitoring network; Hierarchical coding is attached to the regional indexing equipment to obtain the hierarchical coding equipment of the target power monitoring network; Based on the hierarchical coding device, the quantitative health index is subjected to hierarchical quantization mapping to obtain the regional hierarchical situation vector of the hierarchical coding device; Anchor the regional-level situation vector in a spatial coordinate system to obtain the situation nodes of the regional-level situation vector; Risk topology construction is performed on the aforementioned situation nodes to obtain the risk situation topology map of the target power monitoring network; The risk situation topology map is globally fused and rendered to obtain the global security risk map of the target power monitoring network.

9. The portable security data quantification and evaluation method based on power monitoring as described in claim 8, characterized in that, The step of performing hierarchical quantization mapping on the quantized health index based on the hierarchical encoding device to obtain the regional hierarchical situation vector of the hierarchical encoding device includes: A device-level topology is constructed for the hierarchical coding device to obtain a hierarchical topology diagram of the hierarchical coding device; The node health index is embedded in the hierarchical topology graph to obtain the node health feature vector of the hierarchical topology graph; Based on the node health feature vector, hierarchical attention aggregation is performed on the hierarchical topology graph to obtain the hierarchical health aggregation vector of the hierarchical topology graph; The hierarchical health aggregation vector is dimensionally reduced and encoded to obtain the regional hierarchical situation vector of the hierarchical encoding device.

10. A portable security data quantification and evaluation system based on power monitoring, characterized in that, The system for implementing the portable security data quantification and evaluation method based on power monitoring as described in claim 1 includes: The log standardization module is used to filter redundant data from the original multi-source heterogeneous security logs of the target power monitoring network, and to reconstruct the event paradigm from the filtered original multi-source heterogeneous security logs to obtain the standardized security events of the target power monitoring network. The fingerprint detection module is used to actively detect the heterogeneous devices of the target power monitoring network and obtain the real-time status data of the heterogeneous devices. The event enrichment module is used to perform field-level association and fusion of the standardized security events and the real-time status data to obtain the enriched security events of the target power monitoring network. The attack topology reconstruction module is used to label the enriched security events with tactical intent and reconstruct the attack link topology of the labeled tactical events to obtain the fused attack events of the target power monitoring network. The health index calculation module is used to assess the security status of the heterogeneous device based on the fusion attack event, and obtain the quantitative health index of the heterogeneous device. The situation aggregation module is used to perform hierarchical situation aggregation on the regional attributes and scheduling levels of the target power monitoring network based on the quantitative health index, and to visualize and render the aggregated security situation data to construct a global security risk map of the target power monitoring network.