A network security risk detection method and device of a power monitoring system, a terminal device, and a storage medium
By acquiring asset and network behavior data from the power monitoring system, comparing and weighting the data with a preset baseline, and combining this with the verification and update frequency adjustment of the knowledge graph, the problem of high false alarm rate in existing technologies has been solved, achieving more accurate risk assessment and rapid defense.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- POWER DISPATCHING CONTROL CENT OF GUANGDONG POWER GRID CO LTD
- Filing Date
- 2026-04-17
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies rely on single feature matching or isolated machine learning models for detecting cybersecurity risks in power monitoring systems, resulting in high false alarm rates and difficulty in dealing with the reality of diverse equipment types, complex topological relationships, and dynamically changing asset information.
By acquiring asset data and network behavior data from the power monitoring system, comparing them with a preset baseline, calculating the deviation value and performing weighted calculations, and combining the verification and update frequency adjustment of the knowledge graph, risk assessment of multi-source heterogeneous data fusion is achieved.
It reduced the false alarm rate, improved the sensitivity to identify complex attacks and lateral movement, and enabled more accurate anomaly risk assessment and rapid defense response.
Smart Images

Figure CN122394868A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology for power monitoring systems, and in particular to a method, apparatus, terminal equipment, and storage medium for detecting network security risks in power monitoring systems. Background Technology
[0002] As power monitoring systems become increasingly digitalized, intelligent, and networked, they face complex cybersecurity threats such as advanced persistent threats (APTs), "enemy inside" attacks, zero-day attacks, and lateral movement.
[0003] Existing technologies mainly rely on single feature matching or isolated machine learning models for risk detection, which is difficult to effectively cope with the reality of a wide variety of equipment, complex topological relationships, and dynamic changes in asset information, thus resulting in a high false alarm rate. Summary of the Invention
[0004] This invention provides a method, device, terminal equipment, and storage medium for detecting network security risks in power monitoring systems. It can solve the problem of high false alarm rates in existing technologies that rely on single feature matching or isolated machine learning models for risk detection.
[0005] An embodiment of the present invention provides a method for detecting network security risks in a power monitoring system, comprising: Acquire asset data of the power monitoring system during the current time period, as well as network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; The asset data is compared with a preset asset baseline, and the asset deviation value and asset deviation fluctuation are statistically obtained based on the comparison results and preset asset anomalies. The network behavior data is compared with the corresponding preset behavior baselines, and based on the comparison results and the corresponding preset behavior anomalies, the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value are statistically obtained. The risk value of the power monitoring system is obtained by weighting the asset deviation value, the communication behavior deviation value, and all operation and access behavior deviation values. The current risk status of the power monitoring system is determined based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
[0006] Furthermore, the step of comparing the asset data with a preset asset baseline, and statistically obtaining the asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies, includes: Obtain the first score for each of the preset asset anomalies; Based on the comparison results and all preset asset anomalies, determine the preset asset anomalies currently triggered by the power monitoring system; Calculate the sum of the first scores of all triggered preset asset anomalies to obtain the asset deviation score; The asset deviation score is normalized to obtain the asset deviation value. The asset deviation score is used to calculate the moving standard deviation, which yields the asset deviation volatility.
[0007] Furthermore, the process of comparing the network behavior data with corresponding preset behavior baselines, and statistically obtaining communication behavior deviation values, operation and access behavior deviation values for each device, and isolation device return packet characteristic deviation values based on the comparison results and corresponding preset behavior anomalies, includes: Obtain the second score for each preset behavioral anomaly item; Based on the comparison results, the first preset behavior anomaly triggered by the device communication behavior data, the second preset behavior anomaly triggered by the operation access behavior data, and the third preset behavior anomaly triggered by the isolation device return packet data are determined. Calculate the sum of the second scores of all the first preset abnormal behavior items to obtain the device communication behavior deviation score for each device; Calculate the sum of the second scores of all the second preset behavioral anomalies to obtain the operation and access behavior deviation score for each device; Calculate the sum of the second scores of all the third preset behavioral anomalies to obtain the isolation device return packet deviation score for each device; The sum of the communication behavior deviation scores of all devices is normalized to obtain the communication behavior deviation value; The operation and access behavior deviation scores of each device are normalized to obtain the operation and access behavior deviation values. The sum of the return packet deviation scores of all isolation devices is normalized to obtain the return packet characteristic deviation value of the isolation device.
[0008] Furthermore, determining the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value includes: If the risk value is not less than a preset high-risk threshold, or if the asset deviation fluctuation exceeds a preset fluctuation range, the power monitoring system is determined to have a high threat risk. If the first ratio of the communication behavior deviation value to the isolation device return packet characteristic deviation value exceeds a preset ratio range, it is determined that the power monitoring system has a communication-dominated anomaly risk. Calculate the ratio of the operation and access behavior deviation value of each device to the communication behavior deviation value to obtain several second ratios; Calculate the difference between any two second ratios to obtain several second ratio differences; If any second ratio exceeds the preset upper limit and the corresponding difference between the second ratios exceeds the preset difference, the power monitoring system is determined to have a complex risk.
[0009] Furthermore, after determining that the power monitoring system poses a high threat risk, the following measures are also included: Get the current anomaly detection threshold; Increase the verification and update frequency of the knowledge graph used for real-time extraction of the asset data; The current anomaly detection threshold is tightened by a preset anomaly threshold percentage to obtain the updated anomaly detection threshold, and global anomaly detection is performed based on the updated anomaly detection threshold.
[0010] Furthermore, after determining that the power monitoring system has a communication-dominated anomaly risk, the following measures are also included: Get the current communication baseline value; The current communication baseline value is tightened by a preset communication baseline tightening percentage to obtain an updated communication baseline value, and communication detection is performed on all new messages based on the updated communication baseline value; For each packet of data from the isolation device, perform full packet parsing from the link layer to the application layer, and monitor the parsed packets for illegal protocol matching based on the enabled preset protocol whitelist and preset protocol blacklist rules. Application layer load matching and monitoring are performed on the application layer load of the parsed message based on the preset abnormal load fingerprint database.
[0011] Furthermore, after determining that the power monitoring system has complex risks, the following measures are also included: Input the current operation and access behavior data into the preset anomaly detection model to obtain the current anomaly detection score; If the anomaly detection score exceeds a preset anomaly detection score threshold, obtain the communication messages, operation access behavior data and corresponding timestamps within the most recent preset time period; Based on the communication messages, operation access behavior data and corresponding timestamps within the most recent preset time period, an attack chain is generated on the current knowledge graph; The anomaly detection score and the corresponding attack chain will be used as the alarm content for alarms.
[0012] Based on the above method embodiments, the present invention provides corresponding apparatus embodiments; This invention provides a network security risk detection device for a power monitoring system, comprising: The module includes a data acquisition module, an asset deviation calculation module, a behavior deviation calculation module, a risk calculation module, and a risk status assessment module. The data acquisition module is used to acquire asset data of the power monitoring system during the current time period, as well as network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; The asset deviation calculation module is used to compare the asset data with a preset asset baseline, and to obtain the asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies. The behavior deviation calculation module is used to compare the network behavior data with the corresponding preset behavior baseline, and based on the comparison results and the corresponding preset behavior anomalies, to statistically obtain the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value. The risk calculation module is used to perform weighted calculations on the asset deviation value, communication behavior deviation value, and all operation and access behavior deviation values to obtain the risk value of the power monitoring system. The risk status judgment module is used to determine the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
[0013] Based on the above method embodiments, the present invention provides a corresponding terminal device embodiment; The present invention provides a terminal device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor. When the processor executes the computer program, it implements a network security risk detection method for a power monitoring system as described in any embodiment of the present invention.
[0014] Based on the above method embodiments, the present invention provides a corresponding storage medium embodiment; The present invention provides a storage medium including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor. When the processor executes the computer program, it implements a network security risk detection method for a power monitoring system according to any embodiment of the present invention.
[0015] The embodiments of the present invention have the following beneficial effects: This invention provides a method, apparatus, terminal device, and storage medium for detecting network security risks in a power monitoring system. The method includes: acquiring asset data of the power monitoring system in the current time period, and network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; subsequently, comparing the asset data with a preset asset baseline, and statistically obtaining asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies; comparing the network behavior data with corresponding preset behavior baselines, and statistically obtaining communication behavior deviation value, operation and access behavior deviation value of each device, and isolation device return packet characteristic deviation value based on the comparison results and corresponding preset behavior anomalies; then weighting the asset deviation value, communication behavior deviation value, and all operation and access behavior deviation values to obtain the risk value of the power monitoring system; finally, judging the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value. Therefore, in this invention, based on the asset data and network behavior data that are currently acquired, including equipment asset information, equipment topology relationships, equipment communication behavior data, and operation access behavior data, deviation values are calculated, and then the final risk status judgment result is determined based on the weighted calculation of the deviation values. This method of decision-making based on the fusion of multi-source heterogeneous data greatly reduces the false alarm rate caused by relying on single feature matching or isolated machine learning models for risk detection. Attached Figure Description
[0016] To more clearly illustrate the technical solution of this application, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0017] Figure 1 This is a flowchart illustrating a network security risk detection method for a power monitoring system according to an embodiment of the present invention.
[0018] Figure 2This is a schematic diagram of the structure of a network security risk detection device for a power monitoring system provided in an embodiment of the present invention. Detailed Implementation
[0019] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0020] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the application; the terms “comprising” and “having”, and any variations thereof, in the specification, claims, and foregoing description of the drawings are intended to cover non-exclusive inclusion.
[0021] In the description of the embodiments of this application, technical terms such as "first" and "second" are used only to distinguish different objects and should not be construed as indicating or implying relative importance or implicitly specifying the number, specific order, or primary and secondary relationship of the indicated technical features. In the description of the embodiments of this application, "multiple" means two or more, unless otherwise explicitly defined.
[0022] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0023] In the description of the embodiments in this application, the term "and / or" is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone. Additionally, the character " / " in this document generally indicates that the preceding and following related objects have an "or" relationship.
[0024] In the description of the embodiments of this application, the term "multiple" refers to two or more (including two), similarly, "multiple sets" refers to two or more (including two sets), and "multiple pieces" refers to two or more (including two pieces).
[0025] In the description of the embodiments of this application, unless otherwise expressly specified and limited, technical terms such as "installation," "connection," "joining," and "fixing" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components. For those skilled in the art, the specific meaning of the above terms in the embodiments of this application can be understood according to the specific circumstances.
[0026] See Figure 1 To address the high false alarm rate inherent in existing risk detection technologies that rely on single feature matching or isolated machine learning models, this invention provides a network security risk detection method for a power monitoring system, comprising: Step S101: Obtain asset data of the power monitoring system in the current time period, as well as network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; Specifically, the aforementioned operational access behavior data includes equipment operation behavior data and business access behavior data. A unified data acquisition component can be deployed at the main station of the power monitoring system to acquire the aforementioned asset data and network behavior data in real time by interfacing with the security access platform, the mirror port of the vertical encryption device, and the log server. The aforementioned equipment asset information and equipment topology relationships include: the IP addresses, ports, models, and logical connections of servers, workstations, remote control devices, and protection devices. Meanwhile, the equipment communication behavior in the network behavior data includes protocol messages such as 104, 61850, and MMS, as well as forward and reverse messages from the isolation device. Equipment operation behavior includes key commands such as remote control, remote adjustment, and remote signaling changes. Business access behavior includes the session and operation records of the dispatcher workstation to the database and application server. Isolation device response data refers to the data packets simulated and returned by the isolation device itself according to its security policy when devices from external networks (such as the information management area) attempt to access or probe the internal network (such as the production control area) protected by the isolation device.
[0027] Preferably, the above-mentioned acquisition components can support network outage caching and retransmission mechanisms to ensure that data is not lost during brief network interruptions.
[0028] Step S102: Compare the asset data with the preset asset baseline, and based on the comparison results and preset asset anomalies, calculate the asset deviation value and asset deviation fluctuation. Specifically, the aforementioned preset asset baseline refers to the list of equipment assets and network topology relationships during stable system operation. Therefore, when comparing asset data with the preset asset baseline, if some equipment present in the preset asset baseline is missing from the asset data, or if the network topology relationships of the two are different, it means that there is a deviation in the asset data of the current power monitoring system, and thus the aforementioned asset deviation value and asset deviation fluctuation can be obtained.
[0029] Specifically, the preset asset anomalies include: missing equipment, newly added unregistered equipment, and topology conflicts.
[0030] In a preferred embodiment, the step of comparing the asset data with a preset asset baseline, and statistically obtaining the asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies, includes: Obtain the first score for each of the preset asset anomalies; Specifically, each preset asset anomaly has a preset score. For example, the first score for missing equipment can be set to 1 point, the first score for newly added unregistered equipment can be set to 2 points, and the first score for topology conflict can be set to 3 points.
[0031] Based on the comparison results and all preset asset anomalies, determine the preset asset anomalies currently triggered by the power monitoring system; Calculate the sum of the first scores of all triggered preset asset anomalies to obtain the asset deviation score; Specifically, based on the comparison results, all preset asset anomalies that the asset data violates are first identified, and then the total score of these preset asset anomalies is calculated to obtain the aforementioned asset deviation score.
[0032] The asset deviation score is normalized to obtain the asset deviation value. Specifically, the above asset deviation scores are mapped to the [0,1] interval using the Min-Max normalization method. During normalization, the normalization parameters (i.e., the maximum possible score of each sub-item) are determined by the statistical analysis of all normal and attack data over the past year during the system initialization phase, and can be synchronously refreshed during subsequent baseline rolling update times.
[0033] The asset deviation score is used to calculate the moving standard deviation, which yields the asset deviation volatility.
[0034] Specifically, the moving standard deviation of the asset deviation value series within the last 5 minutes can be calculated to obtain the aforementioned asset deviation fluctuation.
[0035] In this preferred embodiment, asset deviation value and asset deviation fluctuation are obtained by comparing asset data with a preset asset baseline and based on the comparison results and preset asset anomalies.
[0036] Step S103: Compare the network behavior data with the corresponding preset behavior baselines respectively, and based on the comparison results and the corresponding preset behavior anomalies, calculate the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value. Specifically, similar to the definition of the preset asset baseline, the aforementioned preset behavior baseline is also network behavior data during stable system operation. By comparing the device communication behavior data, operation access behavior data, and isolation device return packet data in the network behavior data with their respective preset behavior baselines, and then combining them with their respective preset behavior anomalies, the aforementioned communication behavior deviation values, the operation and access behavior deviation values of each device, and the isolation device return packet characteristic deviation values can be determined.
[0037] Specifically, for device communication behavior data, the preset behavior anomalies can be message frequency anomalies, length distribution anomalies, and timing entropy anomalies, etc.; for operation access behavior data, the preset behavior anomalies can be instruction frequency anomalies, illegal source anomalies, concurrency anomalies, and sensitive operation ratio anomalies; for isolation device return packet data, the preset behavior anomalies can be length, frequency, load entropy, and key field anomalies of the isolation device's forward and reverse return packets, etc.
[0038] In a preferred embodiment, the step of comparing the network behavior data with corresponding preset behavior baselines, and statistically obtaining communication behavior deviation values, operation and access behavior deviation values for each device, and isolation device return packet characteristic deviation values based on the comparison results and corresponding preset behavior anomalies, includes: Obtain the second score for each preset behavioral anomaly item; Specifically, obtain the second score of the preset behavioral anomaly items from all network behavior data.
[0039] Based on the comparison results, the first preset behavior anomaly triggered by the device communication behavior data, the second preset behavior anomaly triggered by the operation access behavior data, and the third preset behavior anomaly triggered by the isolation device return packet data are determined. Specifically, based on the comparison results of each data item, the default behavioral anomalies that it violates can be obtained.
[0040] Calculate the sum of the second scores of all the first preset abnormal behavior items to obtain the device communication behavior deviation score for each device; Calculate the sum of the second scores of all the second preset behavioral anomalies to obtain the operation and access behavior deviation score for each device; Calculate the sum of the second scores of all the third preset behavioral anomalies to obtain the isolation device return packet deviation score for each device; Specifically, the corresponding deviation score can be obtained by calculating the sum of the second scores of the first preset behavioral anomaly item, the second preset behavioral anomaly item, and the third preset behavioral anomaly item.
[0041] The sum of the communication behavior deviation scores of all devices is normalized to obtain the communication behavior deviation value; The operation and access behavior deviation scores of each device are normalized to obtain the operation and access behavior deviation values. The sum of the return packet deviation scores of all isolation devices is normalized to obtain the return packet characteristic deviation value of the isolation device.
[0042] Specifically, similar to the calculation of asset deviation values, the sum of these deviation scores is mapped to the [0,1] interval using the Min-Max normalization method to obtain the corresponding deviation value. The normalization parameters are also determined during the system initialization phase using statistical analysis of a full year of normal and attack data, and are updated synchronously during subsequent baseline rolling updates.
[0043] In this preferred embodiment, based on the results of comparing network behavior data with the corresponding preset behavior baselines and the corresponding preset behavior anomalies, the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value are determined.
[0044] Step S104: Perform a weighted calculation on the asset deviation value, communication behavior deviation value, and all operation and access behavior deviation values to obtain the risk value of the power monitoring system; Specifically, the following formula is used for fusion calculation to obtain the anomaly risk score, i.e., the risk value mentioned above: In the formula, R represents the risk value. This indicates the weight corresponding to the asset deviation value. Indicates the asset deviation value. The weights corresponding to the communication behavior deviation values are represented. Indicates the deviation value of general behavior. This represents the weight corresponding to the deviation value between the operation and the access behavior. This indicates the deviation value between the operation and access behavior. This represents the interaction coefficient, which ranges from [0, 0.15].
[0045] Specifically, the values of the three weights are determined in the offline phase: at least 12 months of historical real alarm and false alarm data are collected, and the optimal weight combination is trained using a combination of logistic regression and grid search to maximize the F1 score, thus obtaining the values of the three weights. Illustratively, in a typical deployment environment, , and The values are taken as 0.28–0.35, 0.32–0.42, and 0.28–0.38 respectively, and the sum of the three values is always 1. The interaction influence coefficient is determined by the proportion of composite attacks in the same batch of historical attack samples. When the proportion of composite attack samples exceeds 15%, its value is taken as 0.12–0.15; otherwise, it is taken as 0.08–0.10. The system default value is 0.12, and it is recalculated and automatically adjusted each time the baseline is updated.
[0046] Specifically, the aforementioned risk value ranges from 0 to 1.65. Based on the specific calculation results of the risk value, the specific risk level can be determined. In this process, the risk level mapping threshold can be determined through ROC curve analysis of the same training set: the cutoff point that maximizes the Youden index is selected as the high or medium risk boundary (usually 0.75), and the point with a false positive rate of less than 5% is selected as the medium or low risk boundary (usually 0.55). The aforementioned thresholds, weights, and β can be written together into a system-readable configuration file. In actual deployment, authorized operation and maintenance personnel can fine-tune the value within ±0.05 according to the local alarm tolerance policy, thereby ensuring that those skilled in the art can directly and completely implement the abnormal risk level determination process described in this claim in different power station environments.
[0047] Preferably, the above-mentioned risk value calculation formula introduces a "linear weight + interaction enhancement" risk scoring model, which integrates three key indicators: asset deviation, communication deviation, and operational deviation. The linear part reflects the basic risk contribution of each independent dimension, while the interaction term is used to characterize the coupling enhancement effect of multi-dimensional anomalies. This significantly improves the sensitivity to identifying complex attacks, coordinated anomalies, and cross-domain anomalies, thereby achieving more accurate anomaly risk assessment in multi-service scenarios of power monitoring systems.
[0048] Step S105: Determine the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
[0049] Specifically, after obtaining the risk value, the risk level can be determined. Based on the known risk level, combined with asset deviation fluctuations, communication behavior deviation values, isolation device feedback characteristic deviation values, and operation and access behavior deviation values, the current security risk status of the entire power monitoring system can be judged.
[0050] In a preferred embodiment, determining the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value includes: If the risk value is not less than a preset high-risk threshold, or if the asset deviation fluctuation exceeds a preset fluctuation range, the power monitoring system is determined to have a high threat risk. Specifically, the aforementioned preset fluctuation range can be determined based on three times the standard deviation of the asset deviation value during the historical normal operation period. When the risk value is not less than the preset high-risk threshold, or when the asset deviation fluctuation exceeds any one of the conditions triggered in the preset fluctuation range, the system is determined to be in a high-threat state.
[0051] Preferably, to prevent accidental triggering by transient noise, a high-threat state can be determined only if both of the above conditions are met within two consecutive calculation cycles.
[0052] If the first ratio of the communication behavior deviation value to the isolation device return packet characteristic deviation value exceeds a preset ratio range, it is determined that the power monitoring system has a communication-dominated anomaly risk. Specifically, the communication behavior deviation value in the most recent 10 minutes of the current time period can be taken, and the first ratio of it to the return packet characteristic deviation value of the isolation device can be calculated. At the same time, in order to reduce the impact of noise, this first ratio can be updated in an exponential smoothing manner, that is, the current first ratio = 0.7 × the first ratio of the previous period + 0.3 × the instantaneous first ratio of the current period.
[0053] Specifically, the above-mentioned preset ratio range can be determined by statistical analysis of historical real communication attack samples during the offline phase, with a default upper limit of 1.8 to 2.2 (slightly different for different protocols).
[0054] Preferably, in order to reduce false judgments caused by single noise, if the first ratio exceeds the preset ratio range in two consecutive judgments, the current situation is determined to be a communication-dominated anomaly, and the communication behavior is marked as the main source of threat.
[0055] Calculate the ratio of the operation and access behavior deviation value of each device to the communication behavior deviation value to obtain several second ratios; Calculate the difference between any two second ratios to obtain several second ratio differences; If any second ratio exceeds the preset upper limit and the corresponding difference between the second ratios exceeds the preset difference, the power monitoring system is determined to have a complex risk.
[0056] Specifically, the aforementioned complex risks refer to the fact that the current anomaly has moved beyond a single scenario and is highly likely to be a multi-stage attack, such as "the enemy is already inside" or a long-term, lurking weak deviation attack.
[0057] Specifically, all operation and access behavior deviations within the current time period (e.g., the last 15 minutes) can be divided into multiple groups based on the source device. For example, the same workstation, the same type of terminal, or the same user session can be considered as one group. Then, a second ratio between the operation and access behavior deviations and the communication behavior deviations in each group is calculated. Subsequently, a horizontal comparison is performed to obtain the difference between these second ratios, i.e., the aforementioned second ratio difference. Finally, based on these second ratios and the corresponding second ratio differences, it is determined whether a composite risk exists.
[0058] Specifically, the upper limit of the preset ratio is also obtained from training with historical composite attack samples, and the default value is 1.9 to 2.3. Meanwhile, the preset difference corresponding to the second ratio difference with other groups is 0.6 by default. This threshold is determined by the 95th percentile of the inter-group difference distribution during normal operation.
[0059] It should be noted that the above three risk states can be triggered simultaneously. That is, as long as the power monitoring system meets the corresponding conditions, it can be judged to have multiple corresponding risks at the same time.
[0060] In this preferred embodiment, the current specific risk status of the power monitoring system is determined based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
[0061] In another preferred embodiment, after determining that the power monitoring system poses a high threat risk, the method further includes: Get the current anomaly detection threshold; Increase the verification and update frequency of the knowledge graph used for real-time extraction of the asset data; The current anomaly detection threshold is tightened by a preset anomaly threshold percentage to obtain the updated anomaly detection threshold, and global anomaly detection is performed based on the updated anomaly detection threshold.
[0062] Specifically, after a high-threat status is determined, in order to quickly suppress potential lateral movement and asset tampering attacks, it is necessary to increase the frequency of automatic verification and update of the knowledge graph and tighten the anomaly detection threshold. This countermeasure is essentially a tactical upgrade of the defensive posture. By drastically compressing the attacker's operating window and amplifying its attack noise, it is possible to quickly detect and suppress lateral movement and asset tampering behaviors.
[0063] Specifically, the automatic verification and update frequency of the knowledge graph can be increased from the default once every 300 seconds to once every 30 seconds. The verification content includes node integrity, relationship consistency, and mandatory synchronization with the asset registry. At the same time, all anomaly detection thresholds will be tightened uniformly by a preset anomaly threshold tightening percentage (e.g., 20%) (including communication frequency upper limit, operation command concurrency threshold, access session number threshold, etc.), and the tightened thresholds will directly override the original baseline. The above adjusted parameters can be packaged into a first security protection scheme. The scheme is in JSON format and includes fields such as "automatic verification and update frequency of the knowledge graph", "anomaly threshold tightening percentage of global anomaly detection threshold", and "mandatory asset synchronization switch". The first security protection scheme will be pushed to all high-performance real-time intelligent analysis software instances deployed on the main site in real time through a dedicated secure configuration channel (based on TLS-encrypted MQTT or Kafka topics). Upon receiving the data, the software immediately parses it and switches the knowledge graph construction tool to high-frequency mode. All detection engines load the tightened thresholds, the asset synchronization task is forcibly triggered, and after execution, the software can return an ACK confirmation. If the ACK confirmation is not received from all nodes within 30 seconds, it will automatically initiate a retransmission and highlight the "Some nodes are not effective" alarm on the situational awareness interface until all nodes are confirmed, ensuring that the protection solution is truly implemented across the entire network.
[0064] In a schematic representation, upon receiving the first security protection scheme, the knowledge graph construction tool performs high-frequency verification and synchronization according to the new upper limit. All detection engines (communication, operation, and access) hot-load and take effect after multiplying their respective thresholds by (1 - the preset anomaly threshold tightening percentage). Specifically, the thresholds for the communication detection engine include: single-device message frequency limit (e.g., a normal baseline of 50 messages per second), burst message quantity threshold (e.g., no more than 500 messages within 10 consecutive seconds), and anomaly timing window, etc.; the thresholds for the operation detection engine include: remote control / teleading command concurrency threshold (e.g., no more than 5 commands from the same source simultaneously), and sensitive operation frequency threshold (e.g., no more than 3 remote control commands issued per minute); the thresholds for the access detection engine include: such as the business session concurrency threshold (e.g., no more than 10 simultaneous sessions on a single workstation), and sensitive database query frequency threshold (e.g., no more than 20 queries per minute). After tightening, the system becomes more sensitive to potential anomalies, quickly suppressing the further development of threats, and the entire parameter application process does not require a service restart. Simultaneously, after each parameter change, the old values can be backed up to the local cache for easy one-click restoration after the high-threat state is resolved.
[0065] Preferably, the automatic verification and update frequency of the aforementioned knowledge graph can also be determined based on asset deviation fluctuations. If the fluctuation is within 2 to 5 times the historical asset deviation fluctuation during normal operation, the upper limit of the automatic verification and update frequency of the knowledge graph is set to once every 60 seconds; when the fluctuation exceeds 5 times the historical asset deviation fluctuation during normal operation, it is further increased to once every 20 seconds. At the same time, the update of the upper limit of the frequency adopts a smooth transition method to avoid frequent switching due to instantaneous spikes.
[0066] Preferably, the preset anomaly threshold tightening percentage for the aforementioned anomaly detection threshold can be obtained by multiplying the normalized mean of the current communication behavior deviation value and the operation and access behavior deviation value by a preset amplification factor (default 1.5 to 2.0, obtained from training with historical attack samples). For example, when the normalized mean is 0.4, the preset anomaly threshold tightening percentage can be 60% to 80%, meaning that all anomaly detection thresholds will be uniformly tightened by 60% to 80% from their original values. This percentage limit does not exceed 90% to prevent excessive tightening from hindering normal business operations. Furthermore, this percentage can be dynamically recalculated every 30 seconds to ensure real-time matching with the current threat intensity.
[0067] Preferably, when a high-threat state is determined, a high-priority event notification can be immediately sent to the high-performance real-time intelligent analysis software on the main station, and the global risk level can be set to red on the situational awareness dashboard. Additionally, the aforementioned packaged first security protection solution can include a timeout recovery mechanism, which, by default, automatically reverts to the normal frequency and threshold if no new alarms are detected after 600 seconds of a high-threat state.
[0068] Preferably, the system can record the issuance time of the solution, the list of execution nodes, and the application results to form a traceable closed-loop log, which facilitates subsequent auditing and optimization.
[0069] Preferably, throughout the entire process of generating and distributing the first security protection solution, the solution focuses on strengthening asset governance, which can effectively prevent the further spread of attacks such as asset tampering and lateral movement.
[0070] In this preferred embodiment, after determining that the power monitoring system poses a high threat risk, security protection is provided for the power monitoring system by increasing the verification and update frequency of the knowledge graph and tightening the current anomaly detection threshold.
[0071] In another preferred embodiment, after determining that the power monitoring system has a communication-dominated anomaly risk, the method further includes: Get the current communication baseline value; Specifically, the communication baseline defines the behavioral profile of normal traffic (such as frequency, bursts, and timing). Under normal circumstances, a certain degree of deviation (such as 10-15%) is usually allowed without alarms to tolerate network jitter and normal service fluctuations.
[0072] The current communication baseline value is tightened by a preset communication baseline tightening percentage to obtain an updated communication baseline value, and communication detection is performed on all new messages based on the updated communication baseline value; For each packet of data from the isolation device, perform full packet parsing from the link layer to the application layer, and monitor the parsed packets for illegal protocol matching based on the enabled preset protocol whitelist and preset protocol blacklist rules. Application layer load matching and monitoring are performed on the application layer load of the parsed message based on the preset abnormal load fingerprint database.
[0073] Specifically, after determining that the power monitoring system has a communication-dominated anomaly risk, three optimization actions will be performed according to the above method: The first is to upgrade the isolation device's packet return depth parsing level from the default message header and basic payload to full message depth parsing, enabling all protocol whitelist and blacklist rules. That is, a complete seven-layer protocol stack parsing will be performed on each packet data. For industrial control protocols, this means not only identifying it as an IEC 104 message, but also fully parsing its ASDU (Application Service Data Unit), checking the legality and rationality of all fields such as the information body address, transmission reason, and information object value. The protocol whitelist records predefined, business-essential protocol types (such as IEC-104, IEC-61850-MMS, Modbus-TCP), so after enabling the protocol whitelist, any protocol not on the whitelist will be immediately blocked and an alarm will be triggered. Similarly, the protocol blacklist can further define illegal function codes, operation types, or value fields for protocols within the whitelist. For example, in the Modbus protocol, the "write coil" function code (05 / 15) is added to a blacklist, and an alert is triggered if it appears. In this way, a shift from traffic monitoring to in-depth content auditing is achieved, enabling the detection of advanced attacks such as "using a legitimate 104 protocol message format, but containing out-of-range settings or malicious instructions."
[0074] Specifically, the second optimization action is to temporarily tighten the current communication baseline value by a preset baseline tightening percentage (e.g., 30%) (including single-device packet frequency limits, burst packet thresholds, and abnormal timing windows), and force all new packets to strictly match the latest baseline. This way, when relevant data exceeds the corresponding new baseline, it can be detected and alerted immediately. This operation significantly reduces the space for attackers to exploit "noise masking." Even low-rate, slow-scanning or carefully crafted attack traffic mimicking normal behavior is more easily detected due to minor parameter deviations. This forces attackers to operate in a more normal manner, increasing the difficulty of the attack.
[0075] Specifically, the third optimization is to enable a fast anomaly payload fingerprint matching module for protocols such as 104, 61850, and MMS. Since anomaly detection by default is primarily based on statistical and behavioral models, it may not be able to match known attack payloads with fixed characteristics (such as malicious code snippets exploiting specific vulnerabilities) in real time. However, the above operation enables a preset anomaly payload fingerprint database, which consists of threat intelligence, historical attack samples, and vulnerability proof-of-concept (POC) data. For example, it includes specific ASDU structures known to cause PLC restarts and illegal read request sequences used to steal data. For each parsed packet, during deep analysis, its application-layer payload is compared at high speed with the fingerprint database. If an inconsistency is found, an alert is immediately issued and the attack is intercepted. This operation achieves feature-based real-time detection, enabling zero-latency discovery and interception of known attack variants, compensating for potential learning lag in behavioral analysis models.
[0076] Preferably, the three optimization actions mentioned above can be packaged into a second security protection scheme using JSON (JavaScript Object Notation) format, including fields such as "return packet parsing depth," "baseline tightening ratio," and "fingerprint matching switch." This second security protection scheme is then pushed in real-time to all high-performance real-time intelligent analysis software and the front-end isolation device gateway on the main station via a dedicated secure channel encrypted with TLS (Transport Layer Security) (using the MQTT (MessageQueuing Telemetry Transport) protocol). The receiving end immediately parses the data and switches the return packet parsing module to full-depth mode, forcibly replacing the communication baseline file with the tightened version, and the fingerprint matching engine completes rule hot loading. After execution, each node returns an ACK (Acknowledgement) confirmation. The entire process, from generation to effectiveness, is controlled within 2 seconds. Similarly, if ACK confirmations are not received from all nodes within the preset confirmation time, a retransmission is automatically initiated. Finally, if the first ratio falls below 70% of the preset ratio upper limit within 300 consecutive seconds, the normal communication baseline and parsing depth are automatically restored.
[0077] Preferably, the triggering reason, the ratio curve of the first ratio, the distribution range and the recovery time of this scheme are recorded simultaneously to form a complete audit chain.
[0078] In this preferred embodiment, after determining that the power monitoring system has a communication-dominant anomaly risk, security protection against the communication-dominant anomaly risk is achieved by upgrading to full message deep parsing, enabling all protocol whitelist and blacklist rules, tightening the current communication baseline, and enabling rapid matching of abnormal load fingerprints.
[0079] In another preferred embodiment, after determining that the power monitoring system has a complex risk, the method further includes: Input the current operation and access behavior data into the preset anomaly detection model to obtain the current anomaly detection score; If the anomaly detection score exceeds a preset anomaly detection score threshold, obtain the communication messages, operation access behavior data and corresponding timestamps within the most recent preset time period; Based on the communication messages, operation access behavior data and corresponding timestamps within the most recent preset time period, an attack chain is generated on the current knowledge graph; The anomaly detection score and the corresponding attack chain will be used as the alarm content for alarms.
[0080] Specifically, upon discovering a complex risk in the power monitoring system, the following actions need to be performed simultaneously for security protection. The first action is to activate a pre-trained unsupervised anomaly detection model (e.g., based on a combination of Isolation Forest and Variational Autoencoder) to perform real-time cross-scoring of all device operation behaviors and business access behaviors. Isolation Forest excels at point anomaly detection, efficiently isolating behaviors that are significantly different from most data points. Variational Autoencoder excels at pattern anomaly detection, learning the distribution of normal behavior data in the latent space to determine if the cost of reconstructing the current behavior is too high. For example, a seemingly normal sequence of operations may have subtle but fundamental differences in its underlying patterns (such as delays and order between steps) compared to historical normal patterns. This process involves inputting current device operation behavior data and business access behavior data into the pre-set anomaly detection model. Isolation Forest outputs an isolation score, representing the ease with which the behavior can be isolated (higher scores indicate greater anomalies). Variational Autoencoder outputs a reconstruction error score, representing the error in the model's reconstruction of the behavior (larger errors indicate greater anomalies). These two scores are then weighted and fused to obtain the aforementioned anomaly detection score for cross-comparison. This can reveal anomalies that "appear normal on a single device but are out of place in a group" (such as a single device among similar devices having a different access pattern).
[0081] Specifically, the second action is to activate the full-volume behavior chain reconstruction and analysis module. This module reconstructs and visualizes attack chains for communication messages, operation commands, and access sessions within the most recent preset time period (e.g., the last 30 minutes) based on timestamps and entity relationships on a knowledge graph, and generates alerts. This involves extracting communication messages, device operation behavior data, and business access behavior data from the last 30 minutes, along with their corresponding timestamps. Each log or message is then mapped to a specific entity in the knowledge graph. Events are then linked together strictly according to the timestamp order to generate an attack chain, which is visualized as a timeline or topology diagram. For example, an attacker's attack chain might be from "OA network segment -> database server -> SCADA server -> PLC," and the anomaly detection score and the corresponding attack chain are used as alert content.
[0082] Preferably, the aforementioned "recent preset time period" can also use the most recent 30 minutes as a baseline window, dynamically extending or shortening the time window based on the current magnitude of the deviation value between the operation and access behavior. For example, if the deviation value between the operation and access behavior is less than 0.6, it remains at 30 minutes; if the deviation value is in the range of 0.6 to 0.8, it is extended to 60 minutes; and if the deviation value is greater than 0.8, it is further extended to 120 minutes. This mapping relationship can be trained from historical latent attack samples and written into the configuration table to ensure that the time window is sufficient to cover the complete attack chain. Simultaneously, this time window can use a sliding method, scrolling forward every 10 seconds to maintain real-time performance.
[0083] Preferably, when generating attack chains, the degree of restoration can be determined based on the proportion of operation and access behavior deviation values in the sum of the three types of deviation values. For example, if the proportion is less than 40%, only key entity relationships are restored; if the proportion is 40% to 70%, the full time series and knowledge graph paths are restored; if the proportion is greater than 70%, field-level payload association and interpretability path highlighting are additionally enabled. For unsupervised models, different clustering granularities can also be determined based on the proportion of operation and access behavior deviation values in the sum of the three types of deviation values. The clustering results are then input into the feature extractor in the model to obtain anomaly detection scores. For example, if the proportion is less than 40%, the clustering granularity remains the default (clustered by device IP + user ID); if the proportion is 40% to 70%, the clustering granularity is refined to the session level (same IP + same login session clustered separately); if the proportion is greater than 70%, it is further refined to the operation command level (each remote control / teleading command clustered separately).
[0084] Preferably, the alarm sensitivity of the unsupervised model can be temporarily increased and an interpretable path can be forced to be output, thereby achieving a higher detection rate at the cost of increasing potential false alarms.
[0085] Preferably, the above actions and related parameters are uniformly encapsulated into a third security protection scheme in JSON (JavaScript Object Notation) format, including fields such as "unsupervised model switch," "sensitivity level," "link restoration time window," "knowledge graph attack path highlighting," "clustering granularity level," and "link restoration depth level." This third security protection scheme is pushed in real-time to all high-performance real-time intelligent analysis software instances and situational awareness platforms on the main station via a dedicated secure channel encrypted with TLS (Transport Layer Security) (using the MQTT (Message Queuing Telemetry Transport) protocol). The receiving end immediately completes model hot-switching, link restoration task initiation, and visualization path rendering. After execution, it returns an ACK (Acknowledge) confirmation. Similarly, if ACK confirmations are not received from all nodes within a preset confirmation time, a retransmission is automatically initiated. The entire process, from judgment to full effectiveness, is controlled within 4 seconds.
[0086] Preferably, the ratio curve of the second ratio triggered by this complex risk, the anomaly detection score output by the preset anomaly detection model, the reconstructed attack chain, the actual window length used, the number of clusters, and the number of reconstructed chains are all saved simultaneously to form a high-value intelligence report and evidence for subsequent evidence collection.
[0087] Preferably, after all security protection schemes are generated, they are broadcast and pushed to all high-performance real-time intelligent analysis software instances on the main station via a dedicated encrypted secure channel protocol. The push message carries a unique sequence number, timestamp, scheme type, and digital signature. The receiving end completes integrity and signature verification within 500 milliseconds. Simultaneously, this channel supports breakpoint resumption and local caching. When the network experiences a momentary interruption, the scheme is first stored in a local persistent queue and automatically resent after the network recovers, ensuring zero data loss.
[0088] In this preferred embodiment, after determining that the power monitoring system has a complex risk, the alarm content is obtained and an alarm is issued based on the preset anomaly detection model and attack link reconstruction operation.
[0089] Based on the above method embodiments, the present invention provides corresponding apparatus embodiments.
[0090] like Figure 2 As shown, an embodiment of the present invention provides a network security risk detection device for a power monitoring system, comprising: The module includes a data acquisition module, an asset deviation calculation module, a behavior deviation calculation module, a risk calculation module, and a risk status assessment module. The data acquisition module is used to acquire asset data of the power monitoring system during the current time period, as well as network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; The asset deviation calculation module is used to compare the asset data with a preset asset baseline, and to obtain the asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies. The behavior deviation calculation module is used to compare the network behavior data with the corresponding preset behavior baseline, and based on the comparison results and the corresponding preset behavior anomalies, to statistically obtain the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value. The risk calculation module is used to perform weighted calculations on the asset deviation value, communication behavior deviation value, and all operation and access behavior deviation values to obtain the risk value of the power monitoring system. The risk status judgment module is used to determine the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
[0091] It should be noted that the device embodiments described above are merely illustrative. The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Furthermore, in the accompanying drawings of the device embodiments provided by this invention, the connection relationship between modules indicates that they have a communication connection, which can be implemented as one or more communication buses or signal lines. Those skilled in the art can understand and implement this without creative effort. The above schematic diagrams are merely examples of a network security risk detection device for a power monitoring system and do not constitute a limitation on a network security risk detection device for a power monitoring system. It may include more or fewer components than illustrated, or combine certain components, or use different components.
[0092] Based on the above method embodiments, the present invention provides corresponding terminal device embodiments.
[0093] Another embodiment of the present invention provides a terminal device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor. When the processor executes the computer program, it implements the network security risk detection method of a power monitoring system described in any embodiment of the present invention.
[0094] For example, in this embodiment, the computer program can be divided into one or more modules, which are stored in the memory and executed by the processor to complete the present invention. The one or more modules may be a series of computer program instruction segments capable of performing a specific function, which describe the execution process of the computer program in the device. The aforementioned terminal devices may be computing devices such as desktop computers, laptops, handheld computers, and cloud servers. These devices may include, but are not limited to, processors and memory. The processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor can be a microprocessor or any conventional processor. This processor is the control center of the device, connecting various parts of the device via various interfaces and lines. The aforementioned memory can be used to store the aforementioned computer programs and / or modules. The aforementioned processor implements various functions of the aforementioned device by running or executing the computer programs and / or modules stored in the aforementioned memory, and by calling data stored in the memory. The aforementioned memory may mainly include a program storage area and a data storage area, wherein the program storage area may store the operating system, at least one application program required for a function, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as hard disk, memory, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
[0095] Based on the above method embodiments, the present invention provides corresponding storage medium embodiments.
[0096] Another embodiment of the present invention provides a storage medium including a stored computer program, wherein, when the computer program is running, it controls the device where the storage medium is located to execute the network security risk detection method of any embodiment of the present invention for a power monitoring system described above.
[0097] In this embodiment, the storage medium is a computer-readable storage medium, and the computer program includes computer program code, which may be in the form of source code, object code, executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, recording media, USB flash drive, portable hard drive, magnetic disk, optical disk, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, etc.
[0098] The above are preferred embodiments of the present invention. It should be noted that, for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications are also considered to be within the scope of protection of the present invention.
Claims
1. A method for detecting network security risks in a power monitoring system, characterized in that, include: Acquire asset data of the power monitoring system during the current time period, as well as network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; The asset data is compared with a preset asset baseline, and the asset deviation value and asset deviation fluctuation are statistically obtained based on the comparison results and preset asset anomalies. The network behavior data is compared with the corresponding preset behavior baselines, and based on the comparison results and the corresponding preset behavior anomalies, the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value are statistically obtained. The risk value of the power monitoring system is obtained by weighting the asset deviation value, the communication behavior deviation value, and all operation and access behavior deviation values. The current risk status of the power monitoring system is determined based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
2. The network security risk detection method for a power monitoring system according to claim 1, characterized in that, The step of comparing the asset data with a preset asset baseline, and statistically obtaining the asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies, includes: Obtain the first score for each of the preset asset anomalies; Based on the comparison results and all preset asset anomalies, determine the preset asset anomalies currently triggered by the power monitoring system; Calculate the sum of the first scores of all triggered preset asset anomalies to obtain the asset deviation score; The asset deviation score is normalized to obtain the asset deviation value. The asset deviation score is used to calculate the moving standard deviation, which yields the asset deviation volatility.
3. The network security risk detection method for a power monitoring system according to claim 2, characterized in that, The process of comparing the network behavior data with corresponding preset behavior baselines, and statistically obtaining communication behavior deviation values, operation and access behavior deviation values for each device, and isolation device return packet characteristic deviation values based on the comparison results and corresponding preset behavior anomalies, includes: Obtain the second score for each preset behavioral anomaly item; Based on the comparison results, the first preset behavior anomaly triggered by the device communication behavior data, the second preset behavior anomaly triggered by the operation access behavior data, and the third preset behavior anomaly triggered by the isolation device return packet data are determined. Calculate the sum of the second scores of all the first preset abnormal behavior items to obtain the device communication behavior deviation score for each device; Calculate the sum of the second scores of all the second preset behavioral anomalies to obtain the operation and access behavior deviation score for each device; Calculate the sum of the second scores of all the third preset behavioral anomalies to obtain the isolation device return packet deviation score for each device; The sum of the communication behavior deviation scores of all devices is normalized to obtain the communication behavior deviation value; The operation and access behavior deviation scores of each device are normalized to obtain the operation and access behavior deviation values. The sum of the return packet deviation scores of all isolation devices is normalized to obtain the return packet characteristic deviation value of the isolation device.
4. The network security risk detection method for a power monitoring system according to claim 3, characterized in that, The step of determining the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value includes: If the risk value is not less than a preset high-risk threshold, or if the asset deviation fluctuation exceeds a preset fluctuation range, the power monitoring system is determined to have a high threat risk. If the first ratio of the communication behavior deviation value to the return packet characteristic deviation value of the isolation device exceeds a preset ratio range, it is determined that the power monitoring system has a communication-dominated anomaly risk. Calculate the ratio of the operation and access behavior deviation value of each device to the communication behavior deviation value to obtain several second ratios; Calculate the difference between any two second ratios to obtain several second ratio differences; If any second ratio exceeds the preset upper limit and the corresponding difference between the second ratios exceeds the preset difference, the power monitoring system is determined to have a complex risk.
5. The network security risk detection method for a power monitoring system according to claim 4, characterized in that, After determining that the power monitoring system poses a high threat risk, the following steps are also included: Get the current anomaly detection threshold; Increase the verification and update frequency of the knowledge graph used for real-time extraction of the asset data; The current anomaly detection threshold is tightened by a preset anomaly threshold percentage to obtain the updated anomaly detection threshold, and global anomaly detection is performed based on the updated anomaly detection threshold.
6. The network security risk detection method for a power monitoring system according to claim 4, characterized in that, After determining that the power monitoring system has a communication-dominated anomaly risk, the following is also included: Get the current communication baseline value; The current communication baseline value is tightened by a preset communication baseline tightening percentage to obtain an updated communication baseline value, and communication detection is performed on all new messages based on the updated communication baseline value; For each packet of data from the isolation device, perform full packet parsing from the link layer to the application layer, and monitor the parsed packets for illegal protocol matching based on the enabled preset protocol whitelist and preset protocol blacklist rules. Application layer load matching and monitoring are performed on the application layer load of the parsed message based on the preset abnormal load fingerprint database.
7. The network security risk detection method for a power monitoring system according to claim 4, characterized in that, After determining that the power monitoring system has complex risks, the following is also included: Input the current operation and access behavior data into the preset anomaly detection model to obtain the current anomaly detection score; If the anomaly detection score exceeds a preset anomaly detection score threshold, obtain the communication messages, operation access behavior data and corresponding timestamps within the most recent preset time period; Based on the communication messages, operation access behavior data and corresponding timestamps within the most recent preset time period, an attack chain is generated on the current knowledge graph; The anomaly detection score and the corresponding attack chain will be used as the alarm content for alarms.
8. A network security risk detection device for a power monitoring system, characterized in that, include: The module includes a data acquisition module, an asset deviation calculation module, a behavior deviation calculation module, a risk calculation module, and a risk status assessment module. The data acquisition module is used to acquire asset data of the power monitoring system during the current time period, as well as network behavior data of different devices; wherein, the asset data includes: device asset information and device topology; the network behavior data includes: device communication behavior data, operation access behavior data, and isolation device return packet data; The asset deviation calculation module is used to compare the asset data with a preset asset baseline, and to obtain the asset deviation value and asset deviation fluctuation based on the comparison results and preset asset anomalies. The behavior deviation calculation module is used to compare the network behavior data with the corresponding preset behavior baseline, and based on the comparison results and the corresponding preset behavior anomalies, to statistically obtain the communication behavior deviation value, the operation and access behavior deviation value of each device, and the isolation device return packet characteristic deviation value. The risk calculation module is used to perform weighted calculations on the asset deviation value, communication behavior deviation value, and all operation and access behavior deviation values to obtain the risk value of the power monitoring system. The risk status judgment module is used to determine the current risk status of the power monitoring system based on the risk value, asset deviation fluctuation, communication behavior deviation value, isolation device return packet characteristic deviation value, and operation and access behavior deviation value.
9. A terminal device, characterized in that, The system includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor executes the computer program to implement a network security risk detection method for a power monitoring system as described in any one of claims 1 to 7.
10. A storage medium, characterized in that, The storage medium includes a stored computer program, wherein, when the computer program is running, it controls the device where the storage medium is located to execute a network security risk detection method for a power monitoring system as described in any one of claims 1 to 7.