Power CPS Situation Analysis And Network Anomaly Identification Under Cyber Attack

In the process of the continuous development of the smart grid,the communication,calculation,and control capabilities of the power grid have been greatly improved,and the interaction between the power physical side and the information side has continued to increase,which reflect the characteristics of cyber physical system.While the cyber-physical coupling characteristics improve the observability of the power grid,it also puts forward strict requirements on the security of the information side.Cyber attacks are usually injected on the information side,which disrupt the normal transmission of information and affect the safe and stable operation of the physical side through cyberphysical coupling and association.Therefore,this paper aims at the hazards of cyber attacks in cyber physical power systems.Through the analysis of cyber attack modeling,consequence quantification,and identification,the research on power CPS security situation analysis and network anomaly identification methods under cyber attacks is carried out.The main content as follows:(1)Basing on the analysis of cyber attack behavior description methods and security protection measures,the Petri net modeling of the power CPS is carried out for typical cyber attack forms.The modeling objects include the main station,sub-station firewall,and encryption authentication in the system.The transmission process of cyber attack is analyzed according to the data flow transmission process,and obtain the success probability of the attack by implementing the attack behavior.Since the cyber attack is an occasional event,the probability of occurrence is extremely small,so the generalized extreme value distribution is proposed.The function fits the probability of successful attack,thereby assessing the probability of successful cyber attack when different confidence intervals are selected under the generalized extreme value distribution function.(2)Under the evaluation of the success probability of cyber attacks,in view of the problem that the consequences of events caused by different attacks are difficult to quantify,a judgment matrix is established according to the analytic hierarchy process to quantify the consequences of the event.The established judgment matrix can pass the consistency test,because this assessment results of the incident are not much different in this method.Therefore,it is proposed to use the extreme learning machine combined with the analytic hierarchy process to analyze the situation of the power CPS under the cyber attack.The situation elements mainly include the elements that can reflect the business flow and the abnormal network flow.The advantage of the extreme learning machine lies in the analysis of situation elements,which can accurately analyze the attack state of the system;the analytic hierarchy process can more accurately quantify the consequences of different attack events,so the combination of the two can comprehensively determine the situation of the system under different attack events.And take the 7-node system as an example to verify the feasibility of the proposed method.(3)In order to analyze the abnormal phenomenon of the information system,because the abnormal phenomenon in the system may be caused by a cyber attack,it may also be caused by a natural failure.Therefore,according to the sequence of occurrence of different events,the continuous physical quantity is discretized to form the state transition sequence of the POWER CPS under different events.Aiming at the state transition sequence of POWER CPS,an identification method of sequence feature matching is proposed to identify cyber attacks and natural failures.Through cosimulation,the expected natural faults and cyber attacks are obtained.The expected natural faults and cyber attacks are regarded as abnormal phenomena.The sequence set with the largest number of state transitions under an abnormal phenomenon event is extracted.During the state transition process,the typical features is extracted and the corresponding probability is setted,lastly,add them to the feature sequence library.When performing feature matching on unknown anomalies,matching is performed according to the extracted feature sequence to find the best matching known phenomenon type as the anomaly classification result.However,the feature matching process needs to traverse the entire feature database,speed is slow.Therefore,in order to improve the recognition accuracy and speed,the feature sequence before and after the abnormal phenomenon can be selected as the identification basis.The advantage of ensemble learning is that it can combine the advantages of multiple machine learning methods.A model with smaller deviation and higher recognition accuracy is formed,so the state transition sequence is trained through the ensemble learning algorithm to verify the effectiveness of the proposed method.