
Research On Detection And Sequential Pattern Mining Of Coordinated Cyber Physical Attack

Posted on: 2022-06-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Wang
GTID: 1482306326460124
Subject: Electrical engineering

Abstract/Summary:
With the advancement of smart grid and energy Internet strategies, a large number of electrical equipment, data acquisition devices, and computing terminals are interconnected through two physical networks: the power grid and the communication network. The traditional power system, with physical equipment as its core, has gradually evolved into a highly coupled cyber physical system (CPS), that is, power CPS. Because of this coupling dependence, cyber attacks can not only destroy the relevant functions of the cyber system but also penetrate into the physical power system through the information system, endangering the safety and stability of power system operation. This is especially true of the coordinated cyber physical attack that has emerged in recent years, which has led to a number of large power outages in the power grid and destroyed the operating state of the power system.

A coordinated cyber physical attack (CCPA) can be described as a discrete joint sequence of cyber-side and physical-side attack events. The attack process has strong timing and relevance. Because the physical power grid topology and the cyber system transmission links are closely coupled, under a given cyber network-physical network connection there are many possible paths for coordinated attacks, but these paths share some common laws. By mining the evolution process of different attack paths, one can discover the key attack links and attack intentions among them. This is of great significance for identifying the weak links of power CPS and for formulating strategies to prevent and block power cyber-physical attacks.

The power cyber-physical coordinated attack sequence pattern studied in this paper refers to the process of combining the alarm events on the cyber side with the grid measurements and decision instructions on the physical side to mine the common behavior characteristics of a coordinated attack as it evolves in the power CPS. The coordinated attack processes represented by different attack paths may not be exactly the same in terms of attack occurrence conditions and sequence of attack events, but their attack sequence pattern may be the same. The research work is divided into three aspects: attack behavior detection, attack path extraction, and attack sequence pattern mining. The specific research work is as follows:

(1) Attack behavior detection. The similarity between natural failures of the physical power grid and failures caused by coordinated attacks, the imbalance of attack samples, and high data dimensionality result in low attack recognition accuracy and poor generalization ability. To address this problem, a CS-GBDT-based coordinated attack detection method for power CPS is proposed. First, according to the coupling relationship between the cyber network and the physical power grid, a cyber-physical topology correlation index table is established, and the cyber-physical joint state chain is built through the coupling mapping. Second, a clustering model of operating state categories based on PCA-Two Step clustering is constructed to obtain the optimal features of the different attack states, and, taking into account the representation and classification capabilities of the attack event feature set, a method for handling the imbalance of operating state categories is designed. Finally, by optimizing the cost-sensitive loss function in the GBDT algorithm, a coordinated attack classification and detection algorithm is given. The simulation example shows that the algorithm improves the accuracy of attack detection while reducing the false alarm rate.

(2) Attack path extraction. Coordinated attacks can cause different fault states in the power system. How to quickly and accurately extract hidden attack paths from these visible fault sequences is a key issue for effective response and defense measures. An HMM-based extraction model for CPS attack paths is proposed. First, the original state sequences of the cyber system and the physical system are symbolized, filtered, segmented, and merged to obtain the joint sequence of system failures generated by the same attacker. Then, according to the designed mapping table of cyber-physical coordinated attacks and system failures, the probability matrix of system failure is generated dynamically, and the concept of sensitivity is introduced to quantify the degree of interaction between cyber attacks and physical attacks. Finally, a hidden Markov model implementation algorithm is given. The joint simulation experiment of RT-LAB and OPNET shows that the model can effectively extract the attack path from the joint sequence of system faults.

(3) Attack sequence pattern mining. Because of the lack of correlation between physical power grid fault information and cyber system alarm logs, it is impossible to extract the sequence characteristics of different attack steps from heterogeneous data, and it is difficult to reveal intrusion behavior patterns. To solve this problem, a coordinated attack sequence pattern mining method based on timing and topology constraints is proposed. First, according to the change law of the characteristic curve of the measurement data under different attacks, a combination criterion method for physical attack events is designed to identify the type of physical attack event from the massive measurement data set. Then, the fuzzy C-means clustering algorithm is used to cluster the information alarm log according to its attack characteristics, and a cyber attack sequence identification method based on fuzzy characteristic analysis is proposed to analyze the information attack sequence of the same attacker. Finally, based on the timing and topological constraints, the physical attack event and the cyber attack sequence are correlated and matched to effectively identify the attack sequence pattern. The effectiveness and efficiency of the method were verified through the test bed attack experiment of Mississippi State University.
Keywords/Search Tags:power cyber-physical system, coordinated attack, gradient boosting decision tree, attack detection, hidden Markov, attack path, attack sequence mode