A power monitoring system malicious traffic detection method and system
By constructing a spatiotemporal fusion deep learning model and utilizing encrypted traffic data from the power monitoring system, spatial and temporal features and information entropy features are extracted, enabling non-destructive detection of encrypted traffic. This solves the problem that traditional technologies cannot identify malicious attacks and improves detection accuracy and security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIAN THERMAL POWER RES INST CO LTD
- Filing Date
- 2026-04-17
- Publication Date
- 2026-07-14
AI Technical Summary
Traditional deep packet inspection technology cannot parse encrypted payloads, making it impossible to identify malicious attacks in power monitoring systems. Existing technologies are 'blind' when faced with encrypted traffic.
By employing a spatiotemporal fusion deep learning model, encrypted traffic data from the power dispatch data network is collected to construct spatial and temporal feature sequences. Features are extracted using a one-dimensional convolutional neural network and a long short-term memory network, and information entropy features are combined to classify encrypted session streams, thereby achieving lossless detection of malicious traffic.
It achieves lossless, real-time detection of malicious traffic within encrypted tunnels, enhances the ability to identify disguised covert attacks, ensures high real-time performance and end-to-end security of power dispatching services, reduces false alarm rates, and improves detection accuracy and robustness.
Smart Images

Figure CN122394865A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of interdisciplinary technology of network security and power industry control, and in particular to a method and system for detecting encrypted malicious traffic in a power monitoring system. Background Technology
[0002] With the advancement of the "new power system" and smart grid construction, the data traffic generated by power monitoring systems (SCADA), distribution automation systems, and power Internet of Things terminals is growing exponentially. To prevent data from being eavesdropped on or tampered with, power industry standards (such as IEC 62351) and related compliance requirements (such as the Cybersecurity Classified Protection 2.0) mandate the use of encrypted transmission channels (such as the IEC 104 protocol based on TLS and IPSec VPN tunnels established by vertical encryption authentication gateways) between dispatch centers and substations and terminals.
[0003] While encryption technology ensures data confidentiality, it also provides a "natural cover" for malicious attacks. Advanced Persistent Threat (APT) attackers often utilize encrypted tunnels to conceal command and control (C2) communications or data penetration activities. Traditional deep packet inspection (DPI) technology cannot directly parse encrypted payloads, causing security monitoring equipment to become "blind" when faced with encrypted traffic. Therefore, how to accurately identify malicious behavior hidden in encrypted power traffic without decryption is a pressing problem that needs to be solved in current power industrial control security. Summary of the Invention
[0004] The first aspect of this disclosure provides a method and system for detecting encrypted malicious traffic in a power monitoring system, comprising the following steps: Step S1: Collect encrypted traffic data from the power dispatch data network, and perform stream reconstruction and protocol filtering on the encrypted traffic data to obtain encrypted session streams; Step S2: Extract a preset number of data packets for each encrypted session stream, and construct a spatial feature sequence and a temporal feature sequence, wherein the spatial feature sequence is the payload length sequence of each data packet, and the temporal feature sequence is the arrival time interval sequence of adjacent data packets; Step S3: Calculate the byte distribution entropy within a preset byte length range in the encrypted session stream, as an information entropy feature; Step S4: Input the spatial feature sequence, the temporal feature sequence, and the information entropy feature into a pre-trained spatiotemporal fusion deep learning model. The spatiotemporal fusion deep learning model extracts spatial feature vectors and temporal feature vectors respectively, and fuses the spatial feature vectors, the temporal feature vectors, and the information entropy feature to generate a fused feature vector. Based on the fused feature vector, output the malicious traffic classification result corresponding to the encrypted session stream. Step S5: In response to the malicious probability indicated by the classification result exceeding a preset threshold, the encrypted session stream is determined to be malicious traffic and an alarm is triggered.
[0005] In conjunction with the first aspect, step S1 specifically includes: Discrete data packets are aggregated into a bidirectional stream based on the five-tuple information to complete the stream reassembly. The five-tuple information includes the source IP address, destination IP address, source port, destination port, and transport layer protocol. Filter encrypted service traffic based on SSL / TLS protocol or predetermined port to complete the protocol filtering; After stream reassembly and protocol filtering, TCP handshake packets and TCP teardown packets are removed, leaving only packets carrying encrypted application data.
[0006] In conjunction with the first aspect, in step S2, the preset number of data packets are the first N data packets in the initial stage of establishing the encrypted session stream, where N is an integer greater than 1. The payload length value in the spatial feature sequence represents the direction information of the data packets with positive and negative signs, where positive values represent data packets sent by the client and negative values represent data packets sent by the server.
[0007] In conjunction with the first aspect, step S2 further includes: After constructing the spatial feature sequence and the temporal feature sequence, Z-Score standardization is performed on the spatial feature sequence and the temporal feature sequence respectively, so that the spatial feature sequence and the temporal feature sequence both conform to the standard normal distribution.
[0008] In conjunction with the first aspect, in step S3, the preset byte length range is the first K bytes of the encrypted session stream at the initial stage of its establishment, where the value of K ranges from 512 to 2048.
[0009] In conjunction with the first aspect, the spatiotemporal fusion deep learning model in step S4 includes: A spatial feature extraction branch is used to receive the spatial feature sequence and perform convolution processing on the spatial feature sequence using a one-dimensional convolutional neural network to extract the spatial feature vector; A time feature extraction branch is used to receive the time feature sequence and perform time-series processing on the time feature sequence using a long short-term memory network to extract the time feature vector. The feature fusion module is used to concatenate the spatial feature vector, the temporal feature vector, and the information entropy feature, and then use an attention mechanism to perform weighted fusion on the concatenated features to generate the fused feature vector. The attention mechanism is a soft attention mechanism, which calculates the attention weights of each feature dimension through a learnable weight matrix and a bias term, and performs a weighted summation on the concatenated features based on the attention weights to obtain the fused feature vector. The classification module is used to output the probability that the encrypted session stream belongs to each preset category label based on the fused feature vector.
[0010] In conjunction with the first aspect, the training process of the spatiotemporal fusion deep learning model includes: Obtain a training set containing samples of normal power service traffic and malicious attack traffic; A synthetic minority class oversampling technique is used to oversample the malicious attack traffic samples in the training set in order to balance the ratio of positive to negative samples; The spatiotemporal fusion deep learning model is obtained by using the training set after sample balancing and training the initial deep learning model with the binary cross-entropy loss function.
[0011] In conjunction with the first aspect, the malicious traffic classification results include at least one of the following: normal power services, DDoS attacks, malicious scanning, or data penetration.
[0012] A second aspect of this disclosure provides an encrypted malicious traffic detection system for a power monitoring system, comprising: The data acquisition and preprocessing module is used to acquire encrypted traffic data from the power dispatch data network, and to perform stream reconstruction and protocol filtering on the encrypted traffic data to output an encrypted session stream; The feature construction module is used to extract a preset number of data packets for each encrypted session stream and construct a spatial feature sequence and a temporal feature sequence; wherein, the spatial feature sequence is the payload length sequence of each data packet, and the temporal feature sequence is the arrival time interval sequence of adjacent data packets; The information entropy calculation module is used to calculate the byte distribution entropy within a preset byte length range in the encrypted session stream, as an information entropy feature; The spatiotemporal fusion detection module is used to load a pre-trained spatiotemporal fusion deep learning model, receive the spatial feature sequence, the temporal feature sequence and the information entropy feature, and output the malicious traffic classification result corresponding to the encrypted session stream; The alarm and response module is used to determine that the encrypted session stream is malicious traffic when the malicious probability indicated by the classification result exceeds a preset threshold, and to trigger an alarm and / or perform a blocking operation.
[0013] A third aspect of this disclosure provides an electronic device comprising: One or more processors; A storage unit is used to store one or more programs, which, when executed by one or more processors, enable the one or more processors to implement the encrypted malicious traffic detection method of the power monitoring system.
[0014] Beneficial Effects: This disclosure provides a method and system for detecting encrypted malicious traffic in a power monitoring system. By collecting encrypted power session streams without performing SSL / TLS decryption, and simultaneously extracting spatial features composed of packet length sequences and temporal features composed of packet arrival interval sequences, and introducing information entropy features of the encrypted payload's front-end bytes as an auxiliary discrimination criterion, a dual-stream spatiotemporal fusion deep learning model based on a one-dimensional convolutional neural network and a long short-term memory network is constructed. An attention mechanism is used to dynamically weight, fuse, and classify multi-dimensional features, thereby achieving lossless, real-time detection of malicious traffic within encrypted tunnels. This disclosure not only completely avoids the increased control command latency and private key leakage risks caused by man-in-the-middle decryption, ensuring high real-time performance and end-to-end security of power dispatching services, but also significantly enhances the ability to identify covert attacks carried out by attackers through packet stuffing or frequency simulation. While effectively reducing the false alarm rate, it significantly improves the detection accuracy and robustness against threats such as malicious encrypted scanning, DDoS, and data penetration. Attached Figure Description
[0015] Figure 1 This is a flowchart illustrating a method for detecting encrypted malicious traffic in a power monitoring system according to an embodiment of the present disclosure. Figure 2 This is a schematic diagram of the structure of an encrypted malicious traffic detection system for a power monitoring system according to an embodiment of the present disclosure; Figure 3 An electronic device according to an embodiment of this disclosure. Detailed Implementation
[0016] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with those disclosed herein.
[0017] The terminology used in this disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the present disclosure. The singular forms “a,” “the,” and “the” as used in this disclosure and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
[0018] Figure 1 This is a flowchart illustrating a method for detecting encrypted malicious traffic in a power monitoring system according to an embodiment of the present disclosure, including the following steps: Step S1: Collect encrypted traffic data from the power dispatch data network, and perform stream reconstruction and protocol filtering on the encrypted traffic data to obtain encrypted session streams; Step S1 specifically includes: Discrete data packets are aggregated into a bidirectional stream based on the five-tuple information to complete the stream reassembly. The five-tuple information includes the source IP address, destination IP address, source port, destination port, and transport layer protocol. Filter encrypted service traffic based on SSL / TLS protocol or predetermined port to complete the protocol filtering; After stream reassembly and protocol filtering, TCP handshake packets and TCP teardown packets are removed, leaving only packets carrying encrypted application data.
[0019] For example, in the deployment scenario of this embodiment, the detection device is connected to the mirror port of the substation-side switch. When the infected maintenance terminal (IP: 10.12.1.5) launches an attack on the dispatch master station (IP: 192.168.1.100), the network card captures a massive number of discrete, out-of-order data packets.
[0020] The specific implementation logic of stream reassembly: The device first reads the IP header and TCP header of each data packet. Using the 5-tuple (source IP: 10.12.1.5, destination IP: 192.168.1.100, source port: random high port, destination port: 2404, protocol: TCP) as the hash key, it aggregates bidirectional data packets belonging to the same specific communication session that were originally mixed in with the background traffic. This step is fundamental to feature extraction because the context of the communication cannot be determined from a single data packet.
[0021] The specific implementation logic of protocol filtering: After reassembly, the device identifies the destination port of the session as 2404, which is a standard port according to the IEC 60870-5-104 protocol. Simultaneously, the TCP payload header contains the record layer identifiers (Content Type: 22, 23) for the TLS handshake protocol. Based on this, the device determines that the session is business traffic encrypted with SSL / TLS on the predetermined port, falling within the detection target range, and includes it in the subsequent processing queue. Other unencrypted or non-ICMP port traffic (such as HTTP, ICMP) is filtered and discarded at this stage to save computational overhead.
[0022] The specific implementation logic of data cleaning (removing handshake / handshake packets): The device further parses the aggregated stream packet sequence. The TLS handshake phase includes multiple non-application packets (such as Client Hello, Server Hello, Certificate, Change Cipher Spec), as well as SYN packets for TCP connection establishment and FIN packets for connection termination. These packets do not carry actual IEC 104 telemetry or remote control commands. If retained, their unique packet length (e.g., handshake packets are typically several hundred bytes but have random content) would cause severe noise interference to subsequent Packet Length Sequence Feature (PLS) calculations. Therefore, step S1 removes these control messages used only for link maintenance, retaining only messages with Content Type 23 (Application Data) in the TLS record layer, thereby accurately extracting service interaction characteristics.
[0023] Step S2: Extract a preset number of data packets for each encrypted session stream, and construct a spatial feature sequence and a temporal feature sequence, wherein the spatial feature sequence is the payload length sequence of each data packet, and the temporal feature sequence is the arrival time interval sequence of adjacent data packets; In step S2, the preset number of data packets are the first N data packets in the initial stage of the establishment of the encrypted session stream, where N is an integer greater than 1. The payload length value in the spatial feature sequence represents the direction information of the data packets with positive and negative signs, where positive values represent data packets sent by the client and negative values represent data packets sent by the server.
[0024] Step S2 further includes: After constructing the spatial feature sequence and the temporal feature sequence, Z-Score standardization is performed on the spatial feature sequence and the temporal feature sequence respectively, so that the spatial feature sequence and the temporal feature sequence both conform to the standard normal distribution.
[0025] Specifically, the logic for selecting the preset number (first N packets) is as follows: In this embodiment, N=20 is set. The first 20 packets at the initial stage of connection establishment are selected because attackers' probing activities (such as port scanning and exploit payload delivery) often occur within the first interaction cycle after the session handshake is completed. Detecting the entire stream (which may take several hours and contain tens of thousands of packets) would introduce extremely high computational latency and memory consumption, and the attack signature would be diluted by subsequent normal telemetry data. This embodiment captures the first 20 packets, which is sufficient to cover the probing sequence of slow scanning attacks.
[0026] Spatial Feature Sequence (PLS) Construction Logic: The device reads the TCP payload length of the first to the 20th Application Data packets.
[0027] Normal conditions: As mentioned earlier, normal IEC 104 traffic consists of shorter U-frames (heartbeats) and longer I-frames (data transmissions). The sequence should exhibit a fluctuating pattern of [+60, -60, +150, -60,...].
[0028] In this example, the attacker deliberately padded the data to keep the packet length around 60 bytes in order to disguise the attack. The extracted sequence is [+60, -60, +60, -60,...].
[0029] Directional symbols signify: a positive value (+) represents an encrypted request or scan probe packet sent from the infected terminal (10.12.1.5, client); a negative value (-) represents an encrypted response packet returned from the scheduling master station (192.168.1.100, server). Retaining directional information helps the model identify attack patterns (e.g., during scanning, there are often many small outbound packets and few response packets).
[0030] Time Feature Series (IAT) Construction Logic: The device records the timestamp difference between the arrival times of two adjacent Application Data packets at the mirror network interface card.
[0031] Normal situation: Because the scheduling automation system polls at a fixed pace, even if it is encrypted, the arrival rhythm of data packets is regular and has a slight network jitter, such as [2.01, 0.05, 1.99, ...].
[0032] In this embodiment of the attack, the attack program sets an extremely high sending frequency in order to quickly detect whether the port is open, and lacks the randomness of a real physical network or industrial control application. The sequence is mechanical [0.5,0.5,0.5,0.5,...].
[0033] Physical meaning: IAT sequences capture the interaction rhythm of encrypted communication, which is an inherent physical / link layer characteristic that does not change with the encrypted content.
[0034] Z-Score standardization explanation: After constructing the original sequences, the PLS sequence values range from 0 to 1500 bytes, while the IAT sequence values range from 0 to 10 seconds. If directly input into a neural network, features with larger values (packet length) will dominate the gradient descent direction, causing the model to ignore the role of temporal features. Therefore, this step uses the Z-Score formula (x-μ) / σ to uniformly map both types of features to a distribution space with a mean of 0 and a variance of 1, ensuring that subsequent CNN and LSTM networks can fairly extract effective information from both modalities.
[0035] Step S3: Calculate the byte distribution entropy (Shannon entropy) within a preset byte length range in the encrypted session stream, as an information entropy feature; In step S3, the preset byte length range is the first K bytes of the encrypted session stream at the initial stage of its establishment, where K ranges from 512 to 2048.
[0036] Specifically, the selection logic for the preset byte length range (the first K bytes) is as follows: In this embodiment, K is set to 1024 bytes (1KB). The first 1KB of the stream is selected because the first data packet immediately following the TLS handshake (usually carrying application layer protocol initialization information) contains rich entropy difference information. For example, a normal IEC 104 StartDT Act / Con message has a fixed structure enforced by the specification (such as type identifiers, variable structure qualifiers, etc.). Even if TLS encryption obfuscates the content, the presence of fixed format fields will cause uneven byte distribution probability at specific offset positions; while attack payloads (such as port scanning payloads, Webshell code snippets) are often randomly generated or highly compressed binary data.
[0037] A detailed explanation of information entropy feature calculation: Normal traffic: The first 1KB of ciphertext implicitly contains the fixed header structure of the IEC 104 protocol. Although it is encrypted with AES or ChaCha20, statistically, the entropy value is relatively convergent, with the measured entropy value being approximately between 7.2 and 7.5.
[0038] In this example, the attacker filled the payload with a large number of pseudo-random numbers to mimic a normal packet length. This resulted in the probability of each byte from 0x00 to 0xFF appearing in the first 1KB of the packet stream being extremely close to 1 / 256. Based on the Shannon entropy formula: , in, Represents a byte value (0-255). It is the probability of this byte value appearing in the stream. The calculated entropy value is extremely high, reaching 7.92 or even closer to the theoretical maximum value of 8.0.
[0039] Mechanism of action: The information entropy feature is used as an auxiliary feature input to the model to specifically combat advanced padding attacks that attempt to disguise the size of the spatial scale (PLS) but reveal their true nature in the random distribution of the payload.
[0040] Step S4: Input the spatial feature sequence, the temporal feature sequence, and the information entropy feature into a pre-trained spatiotemporal fusion deep learning model. The spatiotemporal fusion deep learning model extracts spatial feature vectors and temporal feature vectors respectively, and fuses the spatial feature vectors, the temporal feature vectors, and the information entropy feature to generate a fused feature vector. Based on the fused feature vector, output the malicious traffic classification result corresponding to the encrypted session stream. The spatiotemporal fusion deep learning model in step S4 includes: A spatial feature extraction branch is used to receive the spatial feature sequence and perform convolution processing on the spatial feature sequence using a one-dimensional convolutional neural network to extract the spatial feature vector; A time feature extraction branch is used to receive the time feature sequence and perform time-series processing on the time feature sequence using a long short-term memory network to extract the time feature vector. The feature fusion module is used to concatenate the spatial feature vector, the temporal feature vector, and the information entropy feature, and then use an attention mechanism to perform weighted fusion on the concatenated features to generate the fused feature vector. The attention mechanism is a soft attention mechanism, which calculates the attention weights of each feature dimension through a learnable weight matrix and a bias term, and performs a weighted summation on the concatenated features based on the attention weights to obtain the fused feature vector. The classification module is used to output the probability that the encrypted session stream belongs to each preset category label based on the fused feature vector.
[0041] The training process of the spatiotemporal fusion deep learning model includes: Obtain a training set containing samples of normal power service traffic and malicious attack traffic; A synthetic minority class oversampling technique is used to oversample the malicious attack traffic samples in the training set in order to balance the ratio of positive to negative samples; The spatiotemporal fusion deep learning model is obtained by using the training set after sample balancing and training the initial deep learning model with the binary cross-entropy loss function.
[0042] Specifically, the three inputs extracted in the above steps are fed into the trained model: The 1D-CNN branch operates as follows: the convolutional kernel slides across the normalized PLS sequence [+0.5, -0.5, +0.5, -0.5, ...]. This branch is trained to recognize packet length mutation patterns in industrial control protocols. In this embodiment, the CNN identifies the lack of long pulse fluctuations representing I-frames (telemetry data) in the sequence and outputs a high-resolution "spatial anomaly feature vector".
[0043] LSTM branch working logic: The LSTM unit processes the standardized IAT sequence [0.5, 0.5, 0.5, ...]. This branch remembers the normal timing rhythm of IEC104 communication (approximately a 2-second polling cycle with jitter). When the input variance is a highly regular short-interval sequence, the LSTM's gating mechanism determines that the timing does not conform to the Brownian motion characteristics of human operation or physical device response, and outputs an extremely high "time anomaly feature vector".
[0044] Attention fusion mechanism: After concatenating the CNN vector, LSTM vector, and entropy vector, the attention layer automatically calculates the weights. In this embodiment, because the time series anomaly is too significant (mechanical 0.5-second intervals), the attention mechanism automatically allocates more than 80% of the weights to the time feature vector output by the LSTM, so that the final decision is mainly based on the conclusive evidence of "too fast rhythm and no jitter".
[0045] Explanation of model training strategy (SMOTE and loss function): Why use SMOTE? Power systems inherently possess high reliability, with very few malicious samples. If trained directly with raw imbalanced data (e.g., normal:attack = 10000:1), the model will tend to predict all traffic as "normal" to reduce the loss value, resulting in an extremely high false negative rate. The SMOTE algorithm artificially synthesizes new malicious samples by interpolating in the feature space of minority (malicious) samples, making the ratio of positive to negative samples close to 1:1 during training, thereby forcing the model to learn the true attack feature boundaries.
[0046] Final determination: After comprehensive calculation by the classification module, the probability that the traffic belongs to "malicious scanning" is 0.98, which far exceeds the threshold of 0.95.
[0047] Step S5: In response to the malicious probability indicated by the classification result exceeding a preset threshold, the encrypted session stream is determined to be malicious traffic and an alarm is triggered.
[0048] The malicious traffic classification results include at least one of the following: normal power services, DDoS attacks, malicious scanning, or data penetration.
[0049] Specifically, the judgment and alarm logic (corresponding to step 4 in the embodiment): Probability threshold trigger: The model outputs the highest probability label "malicious encryption scan" with a score of 0.98. This score exceeds the system's preset security threshold (e.g., 0.95), and the detection device makes a final judgment based on this: confirming that the encrypted session initiated by 10.12.1.5 is malicious behavior.
[0050] Alarm Information Generation: The device not only issues a notification to identify the attack, but also generates a structured log with traceability value. The log includes: "Alarm Type = Malicious Scan", "Source IP = 10.12.1.5", "Destination IP = 192.168.1.100", "Protocol = IEC 104 over TLS", and "Anomaly Basis = Spatiotemporal Feature Anomaly".
[0051] Coordinated Response: To improve the real-time response (second-level), the device writes to the boundary firewall via the SNMP protocol or sends instructions via the Netconf protocol to dynamically add a blocking policy (ACL rule) for the source IP 10.12.1.5, forcibly interrupting the TCP connection, thereby completing the proactive defense loop before the attack causes actual leakage of internal network information.
[0052] like Figure 2 As shown, this is a power monitoring system encrypted malicious traffic detection system disclosed herein, comprising: The data acquisition and preprocessing module 210 is used to acquire encrypted traffic data in the power dispatch data network, and to perform stream reconstruction and protocol filtering on the encrypted traffic data to output an encrypted session stream; In this embodiment, the data acquisition and preprocessing module 210 is deployed at the mirror port of the substation-side switch, acquiring network traffic copies non-intrusively via a bypass method. This module serves as the front-end entry point of the entire detection system, responsible for transforming the raw bitstream into structured analysis objects.
[0053] Data Acquisition Mechanism: The module's high-performance packet capture engine (such as a zero-copy packet capture framework based on DPDK or PF_RING) captures Ethernet frames flowing through the mirror port in real time. In this embodiment, when the infected maintenance terminal (IP: 10.12.1.5) initiates a TCP connection to port 2404 of the scheduling master station (IP: 192.168.1.100), all relevant data packets are completely copied to the memory buffer of module 210.
[0054] Stream reassembly logic: Module 210 first performs protocol parsing on the captured data packets, extracting the five-tuple information from the IP header and TCP header. For a series of data packets with a source IP of 10.12.1.5, a destination IP of 192.168.1.100, a destination port of 2404, and a transport layer protocol of TCP, the module associates them into a bidirectional session stream based on the source port and TCP sequence number. The stream reassembly operation reassembles the originally discrete, potentially out-of-order, independent data packets into two unidirectional message sequences: client, server, server, client, providing a complete contextual view for subsequent feature extraction.
[0055] Protocol Filtering and Cleaning: After reassembly, module 210 performs two levels of filtering. First, protocol filtering: It checks the destination port (2404) and TLS record layer header in the five-tuple to confirm that the session belongs to IEC 104 industrial control service traffic based on SSL / TLS encryption and retains it; other irrelevant traffic (such as HTTP web browsing and ICMP ping packets) is discarded here. Second, data cleansing: Within the retained encrypted session stream, the module further removes TCP three-way handshake packets (SYN, SYN-ACK, ACK) and four-way handshake packets (FIN, RST), as well as non-application data records from the TLS handshake phase (messages with Content Type 21 and 22), extracting only Application Data messages with Content Type 23 as output. The cleaned encrypted session stream contains only the encrypted payload actually carrying the IEC 104 protocol interaction, eliminating the characteristic interference of connection management messages. Finally, the module outputs a clean, structured encrypted session stream object to the feature construction module 220.
[0056] The feature construction module 220 is used to extract a preset number of data packets for each encrypted session stream and construct a spatial feature sequence and a temporal feature sequence; wherein, the spatial feature sequence is the payload length sequence of each data packet, and the temporal feature sequence is the arrival time interval sequence of adjacent data packets; Feature construction module 220 receives the encrypted session stream object from module 210 and is responsible for converting it into three-dimensional numerical features that can be understood by the deep learning model. This module acts as a bridge connecting the raw traffic and the intelligent detection algorithm.
[0057] Preset interception quantity: Based on the configuration parameters (N=20 in this embodiment), module 220 only intercepts the first 20 Application Data packets during the initial stage of the encrypted session stream. The interception operation is based on the following considerations: Malicious behavior (such as port scanning and vulnerability detection) is usually completed in the initial interaction stage after the session is established, and subsequent traffic is mostly normal business communication or session persistence packets. Intercepting the first 20 packets can effectively capture attack characteristics while strictly controlling computational overhead, thus meeting the requirements for real-time detection.
[0058] Spatial Feature Sequence (PLS) Construction: Module 220 sequentially reads the TCP payload length of the first 20 packets in bytes. For packets sent by the client (10.12.1.5), the length value is recorded as a positive number; for packets returned by the server (192.168.1.100), the length value is recorded as a negative number.
[0059] Normal flow example: [+60,-60,+150,-60,+72,-60,...].
[0060] Example attack flow in this embodiment: [+60,-60,+60,-60,+60,-60,... The sequence implies the directionality of communication through positive and negative signs, providing crucial structured information for subsequent CNN branches to identify the "request-response" pattern.
[0061] Time Feature Sequence (IAT) Construction: Module 220 calculates the timestamp difference (usually in microseconds) between two adjacent Application Data packets arriving at the mirror network interface card, in seconds.
[0062] Example of a normal flow: [2.01,0.05,1.99,0.04,2.00,...].
[0063] Example attack flow in this embodiment: [0.5, 0.5, 0.5, 0.5, 0.5, ...].
[0064] This sequence reflects the temporal rhythm of encrypted interactions and is a physical layer feature that is difficult to forge using cryptographic obfuscation methods.
[0065] Z-Score Standardization: Before output, module 220 performs Z-Score standardization on the constructed PLS and IAT sequences respectively. Since the packet length range (0~1500) and the time interval range (0~10s) differ significantly in magnitude, the standardization operation maps the two sequences to distributions with a mean of 0 and a variance of 1, thereby ensuring the stability of gradient descent during subsequent deep learning model training and preventing features with larger values from dominating the model's convergence direction. The standardized feature vectors are output to the spatiotemporal fusion detection module 240.
[0066] Information entropy calculation module 230 is used to calculate the byte distribution entropy within a preset byte length range in the encrypted session stream, as an information entropy feature; The information entropy calculation module 230 operates independently of module 220, but its input also comes from the encrypted session stream output by module 210. This module is designed to introduce a measure of payload randomness to combat spoofing by attackers through packet padding.
[0067] Preset byte range truncation: Module 230 does not focus on the boundaries of individual data packets, but treats the encrypted session stream as a continuous byte stream. In this embodiment, the configuration parameter K=1024 (1KB), and the module extracts the first 1024 ciphertext bytes starting from the beginning of the first ApplicationData message as the analysis object. The initial 1KB of data at the beginning of the connection establishment is selected because this part carries the initialization interaction of the application layer protocol (such as the StartDT confirmation of IEC 104), and its statistical distribution differs from the subsequent large amount of encrypted telemetry data. Moreover, the attacker's scanning payload is also concentrated in this range.
[0068] Byte distribution entropy calculation: Module 230 iterates through the 1024 bytes extracted, counts the frequency of each byte value (0x00 to 0xFF), and then calculates its probability of occurrence. Using the Shannon entropy formula, a floating-point value between 0.0 and 8.0 is obtained.
[0069] Normal IEC 104 encrypted traffic: Although it is encrypted with TLS, the byte distribution is not completely uniform due to the fixed structure of the protocol message (such as the fixed values of specific fields). The calculated entropy value is usually between 7.2 and 7.5.
[0070] In this example, the attacker filled the payload with a large number of pseudo-random numbers to mimic the normal packet length, resulting in an extremely uniform byte distribution and an entropy value close to 8.0 (e.g., 7.92).
[0071] Feature Output: Module 230 outputs the calculated information entropy value as a one-dimensional scalar feature to the spatiotemporal fusion detection module 240 as an auxiliary discrimination dimension in addition to spatial and temporal features. This dimension is specifically used to reveal subtle differences in data randomness between attack payloads and normal industrial control protocol payloads.
[0072] The spatiotemporal fusion detection module 240 is used to load a pre-trained spatiotemporal fusion deep learning model, receive the spatial feature sequence, the temporal feature sequence and the information entropy feature, and output the malicious traffic classification result corresponding to the encrypted session stream; The spatiotemporal fusion detection module 240 is the core inference engine of the entire system. Internally, this module loads a deep neural network model file (such as TensorFlow SavedModel or ONNX format) that has been trained offline and includes 1D-CNN branches, LSTM branches, and attention fusion layers. During system runtime, this module operates in inference mode, performing forward computation on the input features.
[0073] Feature reception and distribution: Module 240 receives the normalized PLS sequence and normalized IAT sequence from module 220, and the information entropy scalar from module 230. The three features are then routed to different branches of the model. PLS sequence: Spatial feature extraction branch (1D-CNN). IAT Sequence: Temporal Feature Extraction Branch (LSTM) Information entropy value: the splicing layer of the feature fusion module.
[0074] Spatial Feature Extraction (1D-CNN): The CNN branch consists of several stacked one-dimensional convolutional and pooling layers. The convolutional kernel slides along the time step direction of the PLS sequence, automatically extracting local patterns. In this embodiment, the convolutional kernel is trained to be sensitive to abrupt combinations of packet length. When the input attack sequence [+0.5, -0.5, +0.5, -0.5, ...] (normalized values) is input, each layer of the CNN extracts features step by step, finally outputting a high-dimensional spatial feature vector. This vector encodes the anomalous pattern of "lack of long packet (I-frame) fluctuations in the sequence, with only short heartbeat packet repetitions."
[0075] Temporal Feature Extraction (LSTM): The LSTM branch receives the IAT sequence and uses its gating mechanism (forget gate, input gate, output gate) to capture long-distance dependencies between time steps. In this embodiment, when the LSTM processes the mechanized, equally spaced sequence [0.5, 0.5, 0.5, ...], its internal cell state detection shows that the sequence variance is extremely small and the period is much smaller than the normal industrial control polling period (2 seconds). It is determined that this timing pattern does not conform to the physical characteristics of power business communication, and a time feature vector with a strong anomalous signal is output.
[0076] Attention Fusion and Classification: The feature fusion module first concatenates the spatial feature vector, temporal feature vector, and information entropy scalar to form a combined feature vector. Subsequently, the soft-attention layer dynamically assigns weights to each dimension of this combined vector using learnable parameters. In this embodiment, due to the significant anomaly of the IAT sequence (0.5-second jitter-free mechanical interval), the attention mechanism automatically allocates higher weights to the feature dimensions generated by the LSTM branch. The weighted summation of the fused feature vector is fed into the classification module, which consists of a fully connected layer and a Softmax activation function. The classification module ultimately outputs a probability distribution vector, for example, [Normal: 0.01, DDoS: 0.00, Malicious Scanning: 0.98, Data Penetration: 0.01]. This result is then passed to the alarm and response module 250.
[0077] The alarm and response module 250 is used to determine that the encrypted session stream is malicious traffic when the malicious probability indicated by the classification result exceeds a preset threshold, and to trigger an alarm and / or perform a blocking operation.
[0078] The alarm and response module 250 is the execution output terminal of the detection system, responsible for transforming the intelligent analysis conclusions of module 240 into specific security operation and maintenance actions. This module has a built-in configurable response strategy library and supports linkage with the existing security management platform and network control equipment of the power monitoring system.
[0079] Threshold determination logic: Module 250 continuously monitors the probability distribution vector output by module 240. The system's preset alarm threshold is 0.95. When the probability value of any malicious category (such as "malicious scanning") exceeds this threshold, module 250 triggers the alarm state machine. In this embodiment, module 240 outputs a "malicious scanning" probability of 0.98, which is greater than 0.95. Therefore, module 250 makes a final judgment: confirming that the TLS encrypted session from source IP 10.12.1.5 to destination IP 192.168.1.100:2404 is a malicious encrypted scanning behavior.
[0080] Alarm Generation and Push: After an alarm is triggered, module 250 immediately generates a structured security event record, which includes: Alert Name: Encrypted Malicious Traffic Detection - Slow Scan Severity level: High risk Source IP / Port: 10.12.1.5 / random high port Destination IP / Port: 192.168.1.100 / 2404 Protocol type: TLS over IEC 104 Anomalies are identified by: abnormal temporal feature sequences (mechanically short intervals), abnormal spatial feature sequences (lack of I-frame fluctuations), and high information entropy.
[0081] Recommended action: Immediately block access from the source IP address. The alarm record should be pushed to the Security Management Platform (SOC) of the power dispatch center in real time via Syslog, SNMP Trap, or API interface for operation and maintenance personnel to monitor visually.
[0082] Linked blocking operation: Based on the preset automatic response strategy, module 250 simultaneously initiates the active defense process. The module's built-in automated orchestration script establishes a management session with the substation boundary firewall via SNMP or Netconf protocol, and issues a temporary access control list (ACL) rule, for example: Text deny tcp host 10.12.1.5 host 192.168.1.100 eq 2404, The rule takes effect immediately, forcibly severing the encrypted session connection between the infected terminal and the dispatch master station, preventing attackers from continuing port probing or transmitting subsequent attack payloads. The blocking operation is completed within milliseconds to seconds, achieving rapid closed-loop handling before the attack causes substantial harm. Simultaneously, this blocking policy can be set to automatically lift after a timeout (e.g., a 30-minute block) to balance security and operational convenience.
[0083] Processor 301 can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor can be a microprocessor or any conventional processor.
[0084] The memory 302 can be an internal storage unit of the electronic device 300, such as a hard disk or RAM of the electronic device 300. The memory 302 can also be an external storage device of the electronic device 300, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, or Flash Card equipped on the electronic device 300. Furthermore, the memory 302 can include both internal and external storage units of the electronic device 300. The memory 302 is used to store the computer program 303 and other programs and data required by the electronic device. The memory 302 can also be used to temporarily store data that has been output or will be output.
[0085] The above embodiments are only used to illustrate the technical solutions of this disclosure, and are not intended to limit it. Although this disclosure has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this disclosure, and should all be included within the protection scope of this disclosure.
Claims
1. A method for detecting encrypted malicious traffic in a power monitoring system, characterized in that, Includes the following steps: Step S1: Collect encrypted traffic data from the power dispatch data network, and perform stream reconstruction and protocol filtering on the encrypted traffic data to obtain encrypted session streams; Step S2: Extract a preset number of data packets for each encrypted session stream, and construct a spatial feature sequence and a temporal feature sequence, wherein the spatial feature sequence is the payload length sequence of each data packet, and the temporal feature sequence is the arrival time interval sequence of adjacent data packets; Step S3: Calculate the byte distribution entropy within a preset byte length range in the encrypted session stream, as an information entropy feature; Step S4: Input the spatial feature sequence, the temporal feature sequence, and the information entropy feature into a pre-trained spatiotemporal fusion deep learning model. The spatiotemporal fusion deep learning model extracts spatial feature vectors and temporal feature vectors respectively, and fuses the spatial feature vectors, the temporal feature vectors, and the information entropy feature to generate a fused feature vector. Based on the fused feature vector, output the malicious traffic classification result corresponding to the encrypted session stream. Step S5: In response to the malicious probability indicated by the classification result exceeding a preset threshold, the encrypted session stream is determined to be malicious traffic and an alarm is triggered.
2. The method according to claim 1, characterized in that, Step S1 specifically includes: Discrete data packets are aggregated into a bidirectional stream based on the five-tuple information to complete the stream reassembly. The five-tuple information includes the source IP address, destination IP address, source port, destination port, and transport layer protocol. Filter encrypted service traffic based on SSL / TLS protocol or predetermined port to complete the protocol filtering; After stream reassembly and protocol filtering, TCP handshake packets and TCP teardown packets are removed, leaving only packets carrying encrypted application data.
3. The method according to claim 1, characterized in that, In step S2, the preset number of data packets are the first N data packets in the initial stage of the establishment of the encrypted session stream, where N is an integer greater than 1. The payload length value in the spatial feature sequence represents the direction information of the data packets with positive and negative signs, where positive values represent data packets sent by the client and negative values represent data packets sent by the server.
4. The method according to claim 1, characterized in that, Step S2 further includes: After constructing the spatial feature sequence and the temporal feature sequence, Z-Score standardization is performed on the spatial feature sequence and the temporal feature sequence respectively, so that the spatial feature sequence and the temporal feature sequence both conform to the standard normal distribution.
5. The method according to claim 1, characterized in that, In step S3, the preset byte length range is the first K bytes of the encrypted session stream at the initial stage of its establishment, where K ranges from 512 to 2048.
6. The method according to claim 1, characterized in that, The spatiotemporal fusion deep learning model in step S4 includes: A spatial feature extraction branch is used to receive the spatial feature sequence and perform convolution processing on the spatial feature sequence using a one-dimensional convolutional neural network to extract the spatial feature vector; A time feature extraction branch is used to receive the time feature sequence and perform time-series processing on the time feature sequence using a long short-term memory network to extract the time feature vector. The feature fusion module is used to concatenate the spatial feature vector, the temporal feature vector, and the information entropy feature, and then use an attention mechanism to perform weighted fusion on the concatenated features to generate the fused feature vector. The attention mechanism is a soft attention mechanism, which calculates the attention weights of each feature dimension through a learnable weight matrix and a bias term, and performs a weighted summation on the concatenated features based on the attention weights to obtain the fused feature vector. The classification module is used to output the probability that the encrypted session stream belongs to each preset category label based on the fused feature vector.
7. The method according to claim 1, characterized in that, The training process of the spatiotemporal fusion deep learning model includes: Obtain a training set containing samples of normal power service traffic and malicious attack traffic; A synthetic minority class oversampling technique is used to oversample the malicious attack traffic samples in the training set in order to balance the ratio of positive to negative samples; The spatiotemporal fusion deep learning model is obtained by using the training set after sample balancing and training the initial deep learning model with the binary cross-entropy loss function.
8. The method according to claim 1, characterized in that, The malicious traffic classification results include at least one of the following: normal power services, DDoS attacks, malicious scanning, or data penetration.
9. A power monitoring system for detecting encrypted malicious traffic, characterized in that, include: The data acquisition and preprocessing module is used to acquire encrypted traffic data from the power dispatch data network, and to perform stream reconstruction and protocol filtering on the encrypted traffic data to output an encrypted session stream; The feature construction module is used to extract a preset number of data packets for each encrypted session stream and construct a spatial feature sequence and a temporal feature sequence; wherein, the spatial feature sequence is the payload length sequence of each data packet, and the temporal feature sequence is the arrival time interval sequence of adjacent data packets; The information entropy calculation module is used to calculate the byte distribution entropy within a preset byte length range in the encrypted session stream, as an information entropy feature; The spatiotemporal fusion detection module is used to load a pre-trained spatiotemporal fusion deep learning model, receive the spatial feature sequence, the temporal feature sequence and the information entropy feature, and output the malicious traffic classification result corresponding to the encrypted session stream; The alarm and response module is used to determine that the encrypted session stream is malicious traffic when the malicious probability indicated by the classification result exceeds a preset threshold, and to trigger an alarm and / or perform a blocking operation.
10. An electronic device, characterized in that, include: One or more processors; A storage unit is used to store one or more programs, which, when executed by one or more processors, enable the one or more processors to implement the encrypted malicious traffic detection method of the power monitoring system.