Background
With the rapid development of power dispatching automation and of computer technology, the coupling between power data and the systems that process it grows ever tighter, and the power system depends more and more on the power information network and the dispatching automation system. Network security has therefore become an important guarantee of the safe and stable operation of the dispatching automation system and of power production. Various network security measures are commonly applied to power automation systems and their communication networks, and the protection techniques of power monitoring systems continue to develop in depth. At present, power dispatching automation services communicate master station to master station and master station to substation, generally using dedicated standard communication protocols such as IEC 60870-5-104, IEC 60870-5-102 and IEC 61850 MMS. Most of the protection measures in use, such as longitudinal (vertical) encryption devices and firewalls, perform access control only at the network layer, in terms of data encryption, IP addresses and port control; they cannot parse and control in depth the dedicated communication protocols used by the dispatching services, and cannot protect and control the system and its communication at the protocol and application layers.
Access control based on a neural network. The IEC 60870-5-104 transmission protocol is an international standard, but it is an open protocol: its message structure and data formats are public, so without adequate security measures it carries a latent hazard. An attacker can mount a deceptive (spoofing) attack using data messages that conform to the IEC 60870-5-104 protocol rules, for example by tampering with or forging IEC 60870-5-104 messages in transit, causing system errors or even damage and seriously threatening the security of the power system. To guard against such spoofing attacks, the content of IEC 60870-5-104 data must be filtered, that is, deep packet filtering at the application layer. Because the spoofed packets comply with the IEC 60870-5-104 protocol rules, a traditional firewall cannot recognize them and therefore cannot stop the attack. To prevent spoofing attacks that a traditional firewall cannot prevent, a method of IEC 60870-5-104 communication access control based on a neural network algorithm has been proposed. The access control method is deployed between the master station and the substation, captures the IEC 60870-5-104 data messages that pass through the security module, and filters the application-layer data to realize communication access control, thereby improving the safety and reliability of the IEC 60870-5-104 communication process and ensuring the security of the power system.
The flow of that solution is as follows. Packet capture: an Ethernet packet capture tool placed between the master station and the substation captures IEC 60870-5-104 packets by the IEC 60870-5-104 protocol port and discards packets that do not belong to the protocol. Data preprocessing: from each IEC 60870-5-104 packet, extract the values of bits 1 and 2 of the first octet of the control field, denoted CF1-1 and CF1-2, the value of bit 1 of the third octet of the control field, denoted CF3-1, the one-byte type identification, denoted TI, and the two-byte cause of transmission, denoted TR. The five values extracted from each packet form one data group in the format (CF1-1, CF1-2, CF3-1, TI, TR). Legality judgement: each group (CF1-1, CF1-2, CF3-1, TI, TR) is judged legal or illegal as follows. If CF1-1 = 1, CF1-2 = 0 and CF3-1 = 0 (S format), or CF1-1 = 1, CF1-2 = 1 and CF3-1 = 0 (U format), the group is legal, otherwise it is illegal. If CF1-1 = 0 and CF3-1 = 0 (I format), the group is judged by TI and TR: if TI is 9, 11, 13 or 38 to 40, the group is legal; if TI is 1, 3 or 30 to 32, the group is legal only when TR is 3; if TI is 15, the group is legal; if TI is 46, 47, 100 or 101, the group is legal only when TR is 6, 7 or 10; if TI is 104, the group is legal only when TR is 6 or 7; in every other case the group is illegal.
Constructing access control based on a neural network: the data groups (CF1-1, CF1-2, CF3-1, TI, TR) are the input of the neural network model; the output corresponding to a legal group (CF1-1, CF1-2, CF3-1, TI, TR) is set to 1 and the output corresponding to an illegal group is set to 0, and the neural network model is trained on these labelled groups.
Anomaly detection by the communication access control module: packets are captured in the actual industrial environment, each captured packet is converted by the steps above into the standard input (CF1-1, CF1-2, CF3-1, TI, TR) and fed into the trained neural network model; if the model outputs 1 the data is judged normal, and if it outputs 0 the data is judged abnormal.
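The feature extraction and legality rule table described above, as an added example in Python; this is not code from the patent or from the prior art it cites. It parses raw IEC 60870-5-104 APDU bytes into the five-value group (CF1-1, CF1-2, CF3-1, TI, TR), applies the rule table to label each group legal (1) or illegal (0), and so produces exactly the labelled training set the neural network step would consume. The sample APDUs are constructed by hand, with originator address 0 and the P/N and T bits clear, so the two-byte TR value equals the cause-of-transmission code.

```python
"""Feature extraction and rule-based labelling for IEC 60870-5-104 APDUs.

Added example, not code from the patent or the cited prior art. It extracts
the five features (CF1-1, CF1-2, CF3-1, TI, TR) from raw APDU bytes and labels
each group legal (1) or illegal (0) with the rule table given in the text.
Sample APDUs are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

START = 0x68


@dataclass(frozen=True)
class Group:
    cf1_1: int            # bit 1 of control octet 1: 0 = I format, 1 = S or U format
    cf1_2: int            # bit 2 of control octet 1: 0 = S format, 1 = U format
    cf3_1: int            # bit 1 of control octet 3: 0 in every well-formed frame
    ti: Optional[int]     # type identification, I format only
    tr: Optional[int]     # two-byte cause of transmission field, I format only


def extract(apdu: bytes) -> Group:
    """Parse the APCI (start octet, length, four control octets) and, for an
    I frame, the ASDU header fields used by the rule table."""
    if len(apdu) < 6 or apdu[0] != START or apdu[1] != len(apdu) - 2:
        raise ValueError("not a well-formed IEC 60870-5-104 APDU")
    ctrl = apdu[2:6]
    cf1_1 = ctrl[0] & 0x01
    cf1_2 = (ctrl[0] >> 1) & 0x01
    cf3_1 = ctrl[2] & 0x01
    if cf1_1 == 1:                      # S and U frames carry no ASDU
        return Group(cf1_1, cf1_2, cf3_1, None, None)
    if len(apdu) < 10:
        raise ValueError("I-format APDU too short for an ASDU header")
    ti = apdu[6]                        # type identification
    tr = apdu[8] | (apdu[9] << 8)       # COT octet + originator address octet
    return Group(cf1_1, cf1_2, cf3_1, ti, tr)


def is_legal(g: Group) -> bool:
    """Rule table from the text. TR is compared as the raw two-byte value, so
    a non-zero originator address or a set P/N bit makes the group illegal."""
    if g.cf3_1 != 0:
        return False
    if g.cf1_1 == 1:                    # S format (cf1_2 = 0) or U format (cf1_2 = 1)
        return True
    ti, tr = g.ti, g.tr
    if ti in (9, 11, 13) or 38 <= ti <= 40:        # measured values
        return True
    if ti in (1, 3) or 30 <= ti <= 32:             # single/double-point information
        return tr == 3                              # spontaneous only
    if ti == 15:                                    # integrated totals
        return True
    if ti in (46, 47, 100, 101):                    # commands and interrogations
        return tr in (6, 7, 10)                     # act, actcon, actterm
    if ti == 104:                                   # test command
        return tr in (6, 7)
    return False


def label(apdus: List[bytes]) -> List[Tuple[Group, int]]:
    """Training set: (feature group, 1 = legal / 0 = illegal) for each APDU."""
    out = []
    for apdu in apdus:
        g = extract(apdu)
        out.append((g, 1 if is_legal(g) else 0))
    return out


# Constructed sample APDUs (hex), not captured traffic.
U_STARTDT_ACT = bytes.fromhex("680407000000")
S_FRAME       = bytes.fromhex("680401000200")
S_FRAME_BAD   = bytes.fromhex("680401000300")                       # control octet 3 bit 1 set
I_SP_SPONT    = bytes.fromhex("680e0000000001010300010001000001")   # TI 1, COT 3
I_SP_ACT      = bytes.fromhex("680e0000000001010600010001000001")   # TI 1, COT 6
I_IC_ACT      = bytes.fromhex("680e0000000064010600010000000014")   # TI 100, COT 6
I_TEST_TERM   = bytes.fromhex("680f0000000068010a000100000000aa55") # TI 104, COT 10

if __name__ == "__main__":
    for g, lab in label([U_STARTDT_ACT, S_FRAME, S_FRAME_BAD, I_SP_SPONT,
                         I_SP_ACT, I_IC_ACT, I_TEST_TERM]):
        print(g, "legal" if lab else "illegal")
```

The length check in `extract` is the one a firewall typically skips: an APDU whose length octet disagrees with the bytes on the wire is rejected before any field is read, which keeps a malformed frame from being labelled at all rather than being labelled legal by accident.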
This neural-network access control method has the following effects: it can be applied directly between an IEC 60870-5-104 master station and substation without changing the tree network topology of the control system, realizing communication access control between them; by learning the specific combinations of frame type, type identification and cause of transmission in the IEC 60870-5-104 protocol, access control can be applied separately to the I-format, U-format and S-format frames exchanged between the master station and the substations. Building the IEC 60870-5-104 communication access control model with a neural network can prevent spoofing attacks and completes IEC 60870-5-104 communication access control.
Access control based on message monitoring. The IEC 60870-5-104 protocol, as an international standard, offers good real-time behaviour, high reliability and support for network transmission, and its content and functions cover the definition of protection, so it can be applied to dispatching and substation terminals and is fully suited to the communication network inside a substation. However, when a communication fault occurs between devices, an IEC 104 device disconnects automatically if no acknowledgement is received after several retransmissions. When a device suffers a network fault, the operators at the master control station therefore cannot discover it immediately or handle and repair it in time, the master station connection flaps, data cannot be sent normally or the connection re-established, and network congestion and other adverse consequences follow.
A monitoring method and system based on the IEC 104 protocol addresses the inability of the prior art to report device faults in time. The monitoring method comprises: establishing TCP connections between the master station, the substation and the monitoring system; judging the message type, which is either an uplink message or a downlink message; if the message is an uplink message, judging whether the response of the master station is correct; if the message is a downlink message, judging whether the response of the substation is correct; if the response of the master station and/or the substation is incorrect, counting the incorrect responses of the master station and of the substation separately, and sending an alarm signal when either count exceeds 5; and if the response of the master station and/or the substation is correct, storing the corresponding uplink and/or downlink message.
The prior art has the following defects. It has not studied the security risks latent in the IEC 104 message construction mechanism: the common technologies on the market concentrate on message correctness and transmission robustness, and the reasonableness of the internal construction of messages has not been studied. Nor has it studied logical anomalies in IEC 104 business interaction logic: it focuses on network-security aspects and has not developed defense techniques that combine security with the business logic.
The present invention provides a security audit and defense mechanism for power communication from the aspects of the protocol construction mechanism and the business communication logic.
Disclosure of Invention
The present invention has been made in view of the above-described problems.
Accordingly, the problem solved by the present invention is how to provide a security audit and defense mechanism for power communication from the perspective of the protocol construction mechanism and the business communication logic.
In order to solve the technical problem, the invention provides the following technical solution: a protocol-interaction-based active and passive security defense detection method for power communication, comprising capturing all message traffic and parsing the messages; performing active defense when a communication anomaly is detected or a potential security threat is identified; and performing passive defense when the communication process is normal or no obvious abnormal behaviour is detected.
As a preferred solution of the protocol-interaction-based active and passive security defense detection method for power communication of the invention: the active defense comprises capturing the anomaly and tracing the problem back to the source end, luring a potential attacker into further attacks, and issuing an alarm together with suggested policy rules for the user's response, so as to intervene actively in the communication process; the passive defense comprises rule auditing according to defense rules obtained by machine learning and entered manually, and issuing the alarm corresponding to a rule to the user through rule matching.
As a preferred solution of the protocol-interaction-based active and passive security defense detection method for power communication of the invention: parsing the messages comprises parsing the dedicated power communication protocol messages to obtain the protocol, network addresses, port numbers and communication message subtype at the two ends of the communication.
As a preferred solution of the protocol-interaction-based active and passive security defense detection method for power communication of the invention: the active defense further comprises backtracking the communication pair, that is, tracing back all communication messages since the current communication pair was established and diagnosing the messages of the pair to judge whether the current pair has a pending alarm or an anomaly; if the pair is normal it is passed and its messages are archived; if it is abnormal, the historical communication messages of both communication ends are obtained, the message histories of the communication points at both ends are analyzed, a heuristic (probe) message is sent to each end, the reply from the opposite end is awaited, the fault or defect condition of the opposite end is analyzed, an alarm is sent, and a decision is provided in combination with the analysis.
As a preferred solution of the protocol-interaction-based active and passive security defense detection method for power communication of the invention: the communication pair message diagnosis comprises defining the normal range of message sizes by computing the average message size and its standard deviation, expressed as:
$$\mu = \frac{1}{N}\sum_{i=1}^{N} S_i, \qquad \sigma = \sqrt{\frac{1}{N}\sum_{i=1}^{N}\left(S_i - \mu\right)^2}$$
$$T_t = \mu + k \cdot \sigma$$
$$T_l = \mu - k \cdot \sigma$$
where $\mu$ is the average message size, $N$ is the total number of messages, $i$ indexes the $i$-th message, $S_i$ is the size of the $i$-th message, $\sigma$ is the standard deviation of the message size, $T_t$ is the upper threshold, $k$ is the threshold coefficient and $T_l$ is the lower threshold. For each new message, its size $S_{new}$ is compared with the thresholds; if $S_{new} > T_t$ or $S_{new} < T_l$ the message is marked as abnormal.
As a preferred solution of the protocol-interaction-based active and passive security defense detection method for power communication of the invention: the passive defense further comprises communication pair policy comparison; if the communication pair is abnormal, an alarm is raised directly and the communication pair anomaly alarm is displayed, and if it is not abnormal, tamper-proof policy comparison is performed. In tamper-proof policy comparison, if the message has been tampered with, an alarm is raised directly and the message tampering alarm is displayed, and if it has not, anti-replay policy comparison is performed. In anti-replay policy comparison, if the message is a replay, an alarm is raised directly and the message replay alarm is displayed, and if it is not, threshold policy comparison is performed. In threshold policy comparison, if the threshold is exceeded, an alarm is raised directly and the threshold anomaly alarm is displayed, and if it is not, communication logic policy comparison is performed. In communication logic policy comparison, if the communication logic is abnormal, an alarm is raised directly and the communication logic anomaly alarm is displayed, and if it is not, the message is archived. Whenever a policy is triggered, the alarm associated with that policy is raised, and the message is archived and associated with the alarm.
As a preferred solution of the protocol-interaction-based active and passive security defense detection method for power communication of the invention: the communication pair policy comparison comprises confirming whether the communication pair conforms to the expected communication mode or behaviour by comparing the behaviour of the pair with a predefined normal behaviour pattern; the tamper-proof policy comparison comprises detecting whether a message has been tampered with, expressed as:
$$H(M_i) = H'(M_i)$$
where $H(M_i)$ is the expected hash value, $H'(M_i)$ is the hash value of the received message and $M_i$ is the original message; the anti-replay policy comparison comprises preventing an attacker from replaying an old message by comparing the timestamp of the message with the expected value; the threshold policy comparison comprises comparing an attribute value of the message with a preset threshold, the threshold being abnormal if the attribute value is larger than the preset threshold; the communication logic policy comparison comprises comparing the sequence of messages with the expected sequence, expressed as:
where $L$ is the logical consistency ratio, $S_a$ is the actual message sequence and $S_e$ is the expected message sequence; if $L \neq 1$ the communication logic is abnormal.
Another object of the present invention is to provide a system for the protocol-interaction-based active and passive security defense detection method for power communication, which solves the problem of the security defense of power communication by constructing an active and passive security defense detection system.
In order to solve the technical problem, the invention provides the following technical solution: a protocol-interaction-based active and passive security defense detection system for power communication, comprising a data acquisition module, a message analysis module, an active defense module, a passive defense module, an alarm and response module and a policy management module. The data acquisition module captures all traffic and is responsible for monitoring and recording in real time all data transmission in the power communication network, including the protocol, network addresses, port numbers and communication message subtype at the two ends of each communication; the message analysis module parses the captured messages in depth, identifying the protocol, network addresses, port numbers and communication message subtype at the two ends of the communication; the active defense module performs active defense when a communication anomaly is detected or a potential security threat is identified, capturing the anomaly and tracing the problem back to the source end, luring a potential attacker into further attacks, and issuing an alarm together with suggested policy rules for the user's response so as to intervene actively in the communication process; the passive defense module performs passive defense when the communication process appears normal or no obvious abnormal behaviour is detected, performing rule auditing and issuing the alarm corresponding to a rule to the user through rule matching; the alarm and response module is responsible for generating and sending alarm information when the system detects an anomaly or a potential threat, and for executing the corresponding response actions according to a preset policy; the policy management module is responsible for managing the defense policies of the system, including defining, updating and deleting defense rules.
A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the protocol interaction based active and passive security defense detection method for power communication as described above.
A computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor implements the steps of the protocol interaction based active and passive security defense detection method for power communication as described above.
The invention has the following beneficial effects. The protocol-interaction-based active and passive security defense detection method for power communication provided by the invention protects the protocol security of dedicated power communication protocols and, through its modular design, supports several power communication protocols at once; current security protection concentrates on the network layer and does not consider the data transmission of the dedicated power protocols themselves or the attack techniques aimed at them. In active defense mode, each communication node in the network is probed and tested periodically without affecting the business communication logic, and the security defense capability and business logic correctness of each node are analyzed from its message responses. In passive defense mode, the defense rules evolve from manually authored rules in the early stage towards rules trained on large volumes of traffic data, progressively improving their effectiveness, and the reasonableness of the business logic and of the coordinating messages is audited without affecting normal operation of the business.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to fig. 1 to 3, a first embodiment of the present invention provides a protocol-interaction-based active and passive security defense detection method for power communication, comprising: capturing all message traffic and parsing the messages; performing active defense when a communication anomaly is detected or a potential security threat is identified; and performing passive defense when the communication process is normal or no obvious abnormal behaviour is detected.
The active and passive defense system is divided into active defense and passive defense. Active defense captures the anomaly and at the same time traces the problem back to the source end, lures the counterpart into attacking so that a potential attacker mounts further attacks, and provides an alarm together with suggested policy rules for the user's response, so as to intervene actively in the communication process. Passive defense mainly performs rule auditing according to defense rules obtained by machine learning and entered manually, and provides the alarm corresponding to a rule to the user through rule matching. The former intervenes in the communication process; the latter only reports through rule matching.
A communication pair refers to the two entities that exchange information in a communication; they may be two devices, two network nodes, two programs and so on. In one communication pair, one entity acts as the sender of information and the other as the receiver, and together they form a communication session.
Parsing the messages comprises parsing the dedicated power communication protocol messages to obtain the protocol, network addresses, port numbers and communication message subtype at the two ends of the communication.
The active defense backtracks the communication pair: it traces back all communication messages since the current communication pair was established, diagnoses the messages of the pair, and judges whether the current pair has a pending alarm or an anomaly; if the pair is normal, its messages are archived; if it is abnormal, the historical communication messages of both communication ends are obtained, the message histories of the communication points at both ends are analyzed, a heuristic (probe) message is sent to each end, the reply from the opposite end is awaited, the fault or defect condition of the opposite end is analyzed, an alarm is sent, and a decision is provided in combination with the analysis. As shown in fig. 2, the specific steps are as follows:
S1, capture all message traffic.
S2, parse the corresponding protocol messages; only the dedicated power communication protocol messages are parsed in depth, to obtain the protocol, network addresses (IP), port numbers and communication message subtype at the two ends of the communication.
S3, backtrack the communication pair: trace back all communication messages since the current communication pair was established (or re-established).
S4, diagnose the messages of the communication pair and judge whether the current pair has a pending alarm or an anomaly; if the pair is normal, pass it; if it is abnormal, obtain the historical communication messages of both ends.
S5, analyze the message histories of the communication points at both ends.
S6, send a heuristic (probe) message to both communication ends.
S7, wait for the reply message from the opposite end.
S8, analyze the fault or defect condition of the opposite end and send an alarm.
S9, provide a decision in combination with the analysis.
The communication pair message diagnosis comprises defining the normal range of message sizes by computing the average message size and its standard deviation, expressed as:
$$\mu = \frac{1}{N}\sum_{i=1}^{N} S_i, \qquad \sigma = \sqrt{\frac{1}{N}\sum_{i=1}^{N}\left(S_i - \mu\right)^2}$$
$$T_t = \mu + k \cdot \sigma$$
$$T_l = \mu - k \cdot \sigma$$
where $\mu$ is the average message size, $N$ is the total number of messages, $i$ indexes the $i$-th message, $S_i$ is the size of the $i$-th message, $\sigma$ is the standard deviation of the message size, $T_t$ is the upper threshold, $k$ is the threshold coefficient and $T_l$ is the lower threshold. For each new message, its size $S_{new}$ is compared with the thresholds; if $S_{new} > T_t$ or $S_{new} < T_l$ the message is marked as abnormal.
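The active-defense branch (steps S3 to S8 above) together with the size-band diagnosis, as an added example in Python; this is not code from the patent. It backtracks the archived messages of a communication pair, derives the band T_l = mu - k*sigma to T_t = mu + k*sigma separately for each message subtype (an S frame and a multi-object I frame have nothing in common size-wise, so one global band would alarm on every S frame), flags new messages outside the band, and when something is flagged sends a TESTFR activation U frame as the heuristic message to each end and checks for the TESTFR confirmation. The message archive, the two peers and the `send` callables (which stand in for a socket round trip) are all constructed.

```python
"""Active-defense diagnosis of one IEC 60870-5-104 communication pair.

Added example, not code from the patent. The message history and both
peers are constructed stand-ins; the send callables model a socket round trip.
"""
import math
from typing import Callable, Dict, Iterable, List, Optional, Tuple

TESTFR_ACT = bytes.fromhex("680443000000")   # U frame, TESTFR activation
TESTFR_CON = bytes.fromhex("680483000000")   # U frame, TESTFR confirmation


def mk_i(ti: int, n_objs: int, obj_len: int = 8) -> bytes:
    """Constructed I-format APDU: ASDU header (TI, VSQ, COT=3, CA=1) followed by
    n_objs information objects of obj_len bytes; sequence numbers are zero."""
    asdu = bytes([ti, n_objs, 0x03, 0x00, 0x01, 0x00]) + bytes(n_objs * obj_len)
    body = bytes(4) + asdu
    return bytes([0x68, len(body)]) + body


def subtype(apdu: bytes) -> Tuple:
    """Message subtype key: ('I', TI) for I frames, ('S',) or ('U',) otherwise."""
    c = apdu[2]
    if c & 0x01 == 0:
        return ("I", apdu[6])
    return ("U",) if c & 0x02 else ("S",)


def size_band(sizes: List[int], k: float) -> Tuple[float, float]:
    """(T_l, T_t) = (mu - k*sigma, mu + k*sigma) over the archived sizes."""
    n = len(sizes)
    mu = sum(sizes) / n
    sigma = math.sqrt(sum((s - mu) ** 2 for s in sizes) / n)
    return mu - k * sigma, mu + k * sigma


def diagnose(history: Iterable[bytes], new_msgs: Iterable[bytes], k: float = 3.0) -> List[str]:
    """Size diagnosis per message subtype. A subtype with fewer than two archived
    messages has no usable sigma and is reported as 'no baseline' instead of
    being compared against a degenerate band."""
    by_type: Dict[Tuple, List[int]] = {}
    for m in history:
        by_type.setdefault(subtype(m), []).append(len(m))
    verdicts = []
    for m in new_msgs:
        sizes = by_type.get(subtype(m), [])
        if len(sizes) < 2:
            verdicts.append("no baseline")
            continue
        t_l, t_t = size_band(sizes, k)
        verdicts.append("abnormal" if len(m) > t_t or len(m) < t_l else "normal")
    return verdicts


def probe(send: Callable[[bytes], Optional[bytes]]) -> str:
    """Heuristic message: TESTFR act out, TESTFR con expected back."""
    reply = send(TESTFR_ACT)
    if reply is None:
        return "no response"
    return "alive" if reply == TESTFR_CON else "unexpected reply"


def diagnose_pair(history, new_msgs, master_send, sub_send, k: float = 3.0) -> dict:
    """Steps S4 to S8: diagnose, and on an anomaly probe both ends and raise an alarm."""
    verdicts = diagnose(history, new_msgs, k)
    result = {"size_verdicts": verdicts, "alarm": "abnormal" in verdicts}
    if result["alarm"]:
        result["master"] = probe(master_send)
        result["substation"] = probe(sub_send)
    return result


# Constructed stand-in peers.
def healthy_peer(req: bytes) -> Optional[bytes]:
    return TESTFR_CON if req == TESTFR_ACT else None


def silent_peer(req: bytes) -> Optional[bytes]:
    return None                      # link down: nothing comes back


# Constructed archive: ten M_ME_NC_1 (TI 13) frames carrying two or three objects.
HISTORY = [mk_i(13, n) for n in (2, 2, 3, 2, 2, 3, 2, 3, 2, 2)]
NEW = [mk_i(13, 2), mk_i(13, 20), TESTFR_ACT]   # normal, oversized, no baseline

if __name__ == "__main__":
    print(diagnose_pair(HISTORY, NEW, healthy_peer, silent_peer))
```

With k = 3 the archive above gives a band of roughly 19 to 41 bytes for TI 13, so the two-object frame passes and the twenty-object frame (172 bytes) is flagged; the probe then shows the master answering and the substation silent, which is the "fault or defect condition of the opposite end" that step S8 reports. A sigma of zero (every archived frame the same size) makes the band collapse to a single value, so in practice k should be chosen per subtype and the archive kept long enough to be representative.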
The passive defense performs communication pair policy comparison; if the communication pair is abnormal, an alarm is raised directly and the communication pair anomaly alarm is displayed, and if it is not abnormal, tamper-proof policy comparison is performed. In tamper-proof policy comparison, if the message has been tampered with, an alarm is raised directly and the message tampering alarm is displayed, and if it has not, anti-replay policy comparison is performed. In anti-replay policy comparison, if the message is a replay, an alarm is raised directly and the message replay alarm is displayed, and if it is not, threshold policy comparison is performed. In threshold policy comparison, if the threshold is exceeded, an alarm is raised directly and the threshold anomaly alarm is displayed, and if it is not, communication logic policy comparison is performed. In communication logic policy comparison, if the communication logic is abnormal, an alarm is raised directly and the communication logic anomaly alarm is displayed, and if it is not, the message is archived. Whenever a policy is triggered, the alarm associated with that policy is raised, and the message is archived and associated with the alarm.
The communication pair policy comparison confirms whether the communication pair conforms to the expected communication mode or behaviour by comparing the behaviour of the pair with a predefined normal behaviour pattern.
The tamper-proof policy comparison detects whether a message has been tampered with, expressed as:
$$H(M_i) = H'(M_i)$$
where $H(M_i)$ is the expected hash value, $H'(M_i)$ is the hash value of the received message and $M_i$ is the original message.
The anti-replay policy comparison prevents an attacker from replaying an old message by comparing the timestamp of the message with the expected value.
The threshold policy comparison compares an attribute value of the message with a preset threshold; if the attribute value is larger than the preset threshold, the threshold is abnormal.
The communication logic policy comparison compares the sequence of messages with the expected sequence, expressed as:
where $L$ is the logical consistency ratio, $S_a$ is the actual message sequence and $S_e$ is the expected message sequence; if $L \neq 1$ the communication logic is abnormal. As shown in fig. 3, the specific steps are as follows:
S1, capture all message traffic.
S2, parse the corresponding protocol messages; only the dedicated power communication protocol messages are parsed in depth, to obtain the protocol, network addresses (IP), port numbers and communication message subtype at the two ends of the communication.
S3, communication pair policy comparison; the rules come mainly from machine-learned policies and manually entered policies.
S4, tamper-proof policy comparison; the rules come mainly from machine-learned policies and manually entered policies.
S5, anti-replay policy comparison; the rules come mainly from machine-learned policies and manually entered policies.
S6, communication logic policy comparison; the rules come mainly from machine-learned policies and manually entered policies.
S7, whenever a policy is triggered, trigger the alarm associated with that policy.
S8, archive the message and associate it with the alarm number.
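The passive-defense policy chain just described (and the policy definitions that precede fig. 3), as an added example in Python; this is not code from the patent. Each captured message arrives as a record already produced by the parsing stage, the five policies run in the stated order and the first one that fires raises its alarm; the message is archived either way and, on an alarm, associated with the alarm number. Several details the page leaves open are assumptions here: the expected hash H(M_i) is the SHA-256 of the message as recorded at the sending side, the replay check requires an unseen digest, a non-decreasing timestamp per pair and a timestamp no older than a window, and the expected sequence is matched position by position. All addresses, records and policy values are constructed.

```python
"""Passive-defense policy chain for IEC 60870-5-104 message records.

Added example, not code from the patent. Policy order: communication pair,
tamper-proof, anti-replay, threshold, communication logic. Assumed details:
sender-side SHA-256 as H(M_i); replay = seen digest, time going backwards,
or stale timestamp; logic = position-by-position match of the expected
sequence. Records and policy values are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str, int]          # (lower address, higher address, port)


def pair_of(rec: dict) -> Pair:
    a, b = sorted((rec["src"], rec["dst"]))
    return (a, b, rec["port"])


def digest(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


class PassiveDefense:
    def __init__(self, allowed_pairs, expected_sequence, thresholds, replay_window):
        self.allowed = set(allowed_pairs)
        self.expected = list(expected_sequence)
        self.thresholds = dict(thresholds)          # attribute -> preset limit
        self.window = replay_window                 # seconds a timestamp may lag "now"
        self.seen: set = set()                      # digests already accepted
        self.last_ts: Dict[Pair, float] = {}
        self.sequence: Dict[Pair, List[str]] = {}   # accepted subtypes per pair
        self.archive: List[dict] = []
        self.alarms: List[Tuple[int, str]] = []     # (alarm number, policy)

    def check(self, rec: dict, now: float) -> Optional[str]:
        """Run the policies in order; return the first alarm text or None."""
        pair = pair_of(rec)
        if pair not in self.allowed:
            return "communication pair abnormal"
        d = digest(rec["raw"])
        if d != rec["sender_hash"]:                 # H'(M_i) != H(M_i)
            return "message tampered"
        if (d in self.seen
                or rec["ts"] < self.last_ts.get(pair, float("-inf"))
                or now - rec["ts"] > self.window):
            return "message replayed"
        for attr, limit in self.thresholds.items():
            if rec.get(attr, 0) > limit:
                return "threshold abnormal"
        accepted = self.sequence.get(pair, [])
        if rec["subtype"] != self.expected[len(accepted) % len(self.expected)]:
            return "communication logic abnormal"
        return None

    def process(self, rec: dict, now: float) -> str:
        alarm = self.check(rec, now)
        entry = dict(rec, alarm_no=None)
        if alarm is None:
            pair = pair_of(rec)
            self.seen.add(digest(rec["raw"]))
            self.last_ts[pair] = rec["ts"]
            self.sequence.setdefault(pair, []).append(rec["subtype"])
            self.archive.append(entry)
            return "archived"
        self.alarms.append((len(self.alarms) + 1, alarm))
        entry["alarm_no"] = len(self.alarms)
        self.archive.append(entry)                  # archived and linked to the alarm
        return alarm


def make_record(src, dst, subtype, raw, ts, tampered=False, **attrs) -> dict:
    """Constructed record; sender_hash is taken before an optional in-transit bit flip."""
    sender_hash = digest(raw)
    if tampered:
        raw = raw[:-1] + bytes([raw[-1] ^ 0x01])
    return dict(src=src, dst=dst, port=2404, subtype=subtype, raw=raw,
                sender_hash=sender_hash, ts=ts, **attrs)


MASTER, SUB = "10.1.1.10", "10.1.2.20"             # constructed addresses
STARTDT_ACT = bytes.fromhex("680407000000")
STARTDT_CON = bytes.fromhex("68040b000000")
IC_ACT = bytes.fromhex("680e0000000064010600010000000014")    # C_IC_NA_1, COT 6
SP_SPONT = bytes.fromhex("680e0000000001010300010001000001")  # M_SP_NA_1, COT 3


def run_demo() -> List[str]:
    pd = PassiveDefense(
        allowed_pairs={(MASTER, SUB, 2404)},
        expected_sequence=["STARTDT_act", "STARTDT_con", "C_IC_NA_1", "M_SP_NA_1"],
        thresholds={"ioa_count": 100},
        replay_window=30.0,
    )
    records = [
        make_record(MASTER, SUB, "STARTDT_act", STARTDT_ACT, 100.0),
        make_record(SUB, MASTER, "STARTDT_con", STARTDT_CON, 100.1),
        make_record(MASTER, SUB, "C_IC_NA_1", IC_ACT, 100.2, tampered=True),
        make_record(MASTER, SUB, "STARTDT_act", STARTDT_ACT, 100.3),   # replay of the first
        make_record(MASTER, SUB, "C_IC_NA_1", IC_ACT, 100.4, ioa_count=500),
        make_record(SUB, MASTER, "M_SP_NA_1", SP_SPONT, 100.5),       # before any interrogation
        make_record("10.9.9.9", SUB, "C_IC_NA_1", IC_ACT, 100.6),      # unknown peer
        make_record(MASTER, SUB, "C_IC_NA_1", IC_ACT, 100.7, ioa_count=1),
    ]
    return [pd.process(r, now=101.0) for r in records]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Because the chain stops at the first hit, a message that is both a replay and out of sequence is reported only as a replay, which matches the ordering in the flow above; a deployment that wants every triggered policy listed would run `check` to completion and collect all hits instead of returning on the first.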
Example 2
Referring to fig. 4, a second embodiment of the present invention, which differs from the first embodiment, provides a protocol-interaction-based active and passive security defense detection system for power communication, comprising a data acquisition module, a message analysis module, an active defense module, a passive defense module, an alarm and response module and a policy management module.
The data acquisition module captures all traffic and is responsible for monitoring and recording all data transmission in the power communication network in real time, wherein the data transmission comprises protocols, network addresses, port numbers and communication message subtype information at two communication ends.
The message analysis module carries out deep analysis on the captured message, including identifying the protocol, network address, port number and communication message subtype at two ends of communication.
When a communication anomaly is detected or a potential security threat is identified, the active defense module performs active defense: it captures the anomaly and traces the problem back to the source end, lures a potential attacker into further attacks, and provides an alarm together with suggested policy rules for the user's response so as to intervene actively in the communication process.
When the communication process appears normal or no obvious abnormal behaviour is detected, the passive defense module performs passive defense: it performs rule auditing and provides the alarm corresponding to a rule to the user through rule matching.
The alarm and response module is responsible for generating and sending alarm information to the system when the system detects an abnormality or potential threat, and executing corresponding response actions according to a preset strategy.
The policy management module is responsible for managing the defending policies of the system, including defining, updating, and deleting defending rules.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive (U-disk), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, a processor-containing system, or another system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CD-ROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program may be electronically captured, for instance via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), and the like.
Example 3
A third embodiment of the present invention differs from the first two embodiments in that the technical effects of the invention are verified and explained, in order to confirm the true effects of the method.
In the simulation experiments, a plurality of power-specific communication protocols are considered, and in a simulated network environment a plurality of communication nodes, including a master station, a substation, a relay station and the like, are tested against various attack types, such as tampering attacks, replay attacks, denial-of-service attacks and the like. The test messages include normal messages and various abnormal messages, so as to verify the performance of the system under normal conditions and under the various attack conditions. The method adopts an active defense strategy and a passive defense strategy, and optimizes the effectiveness of the defense rules by combining big-data rule training with manual guidance. The evaluation indexes cover several aspects, such as detection accuracy, false alarm rate and detection time delay, so that the performance difference and the advantages of the invention in the security protection of the power communication network are comprehensively evaluated.
In the present example, the conventional method and the method of the invention are used to detect simultaneously, and the comparison results are shown in the following table:
Table 1: comparison of the conventional method and the method of the invention
| Evaluation category | Conventional method | Method of the invention |
| --- | --- | --- |
| Detection accuracy | 85% | 94% |
| False alarm rate | 10% | 3% |
| Detection time delay | 150ms | 50ms |
| Defense policy flexibility | Low | High |
As can be seen from the comparison results, the detection accuracy of the method of the invention is 94%, which is 9% higher than that of the conventional method; the false alarm rate is 3%, which is 7% lower than that of the conventional method; the detection time delay is 50ms, which is 100ms lower than that of the conventional method; and the defense policy flexibility of the method of the invention is much higher than that of the conventional method.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.