The rapid development of the smart grid has introduced a large number of communication, computation and control terminal devices into the power system. The physical system and the cyber system are coupled more closely, and the power system gradually exhibits the typical characteristics of a cyber-physical system. While acquiring precise and intelligent state sensing and control capabilities, however, the grid is constantly exposed to potential cyber-attack threats. Cyber-attacks against the cyber physical power system (CPPS) attempt to disrupt the normal operation of the power system through the coupling of the cyber side and the physical side. The current power grid security system, which relies on the three lines of defense on the physical side and the security boundaries on the cyber side, is facing great challenges. CPPS can be divided into a three-layer architecture comprising the perception layer, transmission layer and application layer, in which device identity, communication process and system information may become the targets of cyber-attacks. For these new forms of cyber-attacks that can break through traditional unilateral defense methods, a cyber-physical coordinated anomaly detection method for CPPS should be considered. Aiming at the security protection of CPPS, this paper studies anomaly detection methods based on feature fingerprints, building on a summary and analysis of current achievements in device identity authentication, intrusion detection, and tampering attack defense. The main contributions of this research are as follows.

(1) Guided by fingerprint identification technology, the definition and characteristics of the feature fingerprint in CPPS are presented, especially its cyber-physical bilateral characteristic. Combined with the three-layer architecture of CPPS, the security threats faced by each layer and the corresponding feasible fingerprint identification methods are explained.

(2) Considering the prevalent weak computing capability of the underlying terminals in the perception layer, a non-cryptographic, channel feature-based device fingerprint extraction and identification method is proposed as a supplement to the existing wiretapping attack defense methods based on data encryption and identity authentication technology. The unique channel characteristics are extracted from the communication signal as the device fingerprint by frequency domain analysis, and identity authentication is realized by comparison. A method of locating eavesdropping devices based on cosine similarity is further proposed for some communication forms where wiretapping risks exist, enabling wiretapping detection on the main communication path.

(3) To address the high false alarm rate of cyber-attack identification based on communication behavior alone in the transmission layer, an anomaly detection method for CPPS based on cyber-physical bilateral feature fingerprints is proposed to distinguish fault-triggered burst flow from cyber-attack flow. Bilateral fingerprints consist of communication behavior features on the cyber side and discretized measurements on the physical side. To detect abnormal flow, a data-driven detection model based on cyber-side fingerprints is first proposed. To identify cyber-attack flow within abnormal flow, a detection method based on bilateral feature fingerprints is further proposed. Considering the difficulty of obtaining training samples for cyber-attack flow, the single-side detection model is trained using normal and faulty flow, and the data-driven model is subsequently updated and trained using the identification results based on the bilateral fingerprints to obtain a higher anomaly detection accuracy. A joint CPPS simulation platform is used to obtain the required bilateral data, verifying the effectiveness of the proposed method.

(4) To deal with the situation in which a stealthy false data injection attack (FDIA) in the application layer can bypass bad data detection and thus trigger false commands, a system fingerprint extraction method based on the description of the residual distribution in state estimation is proposed, and the corresponding FDIA warning process is presented, as a complement to the current attack detection methods with high computational complexity. Combined with the principles of state estimation and stealthy FDIA, the impact of attacks on system residuals is analyzed. The characteristic parameters of measurement residual distributions are extracted as system fingerprints by Gaussian fitting, and attack detection is implemented in a sliding time window.
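
The sliding-window residual fingerprint described in contribution (4), as an added example that is not code from the thesis. The 3-bus measurement matrix, noise level, thresholds and the attack's small model-mismatch term `d` are constructed assumptions; most attacked samples still pass the per-sample residual test, while the Gaussian-fitted window mean leaves the baseline fingerprint.

```python
import random
import statistics

# Constructed 3-bus DC model: 4 measurements of 2 states (assumption, not from the thesis).
H = [[-1, 0], [0, -1], [1, -1], [2, -1]]
SIGMA = 0.01  # measurement noise std (constructed)
TAU = 9.21    # chi-square 99% threshold for m - n = 2 degrees of freedom

def residual(z):
    """Equal-weight least-squares state estimate, then r = z - H x_hat."""
    g11, g12, g22 = (sum(h[i] * h[j] for h in H) for i, j in ((0, 0), (0, 1), (1, 1)))
    b1, b2 = (sum(h[i] * zi for h, zi in zip(H, z)) for i in (0, 1))
    det = g11 * g22 - g12 * g12
    x = ((g22 * b1 - g12 * b2) / det, (g11 * b2 - g12 * b1) / det)
    return [zi - (h[0] * x[0] + h[1] * x[1]) for h, zi in zip(H, z)]

def bdd_alarm(r):
    """Per-sample bad data detection on the normalized residual norm."""
    return sum(ri * ri for ri in r) / SIGMA ** 2 > TAU

def fingerprint(window):
    """Gaussian fit (mean, std) of each measurement's residual over a window."""
    return [(statistics.fmean(c), statistics.stdev(c)) for c in zip(*window)]

def detect(residuals, base, w=200, step=50, k=6.0):
    """Slide a window; flag starts whose fitted mean leaves baseline by > k standard errors."""
    def score(fp):
        return max(abs(m - m0) / (s0 / w ** 0.5) for (m, _), (m0, s0) in zip(fp, base))
    return [i for i in range(0, len(residuals) - w + 1, step)
            if score(fingerprint(residuals[i:i + w])) > k]

def simulate(n, attacked, rng):
    """Constructed stream. Attack = H*c plus a small mismatch d (assumed imperfect model)."""
    c, d = (0.05, -0.03), [0.7 * SIGMA * v for v in (1, -1, 1, 0)]  # d is orthogonal to H
    out = []
    for _ in range(n):
        x = (rng.uniform(-0.2, 0.2), rng.uniform(-0.2, 0.2))
        z = [h[0] * x[0] + h[1] * x[1] + rng.gauss(0, SIGMA) for h in H]
        if attacked:
            z = [zi + h[0] * c[0] + h[1] * c[1] + di for zi, h, di in zip(z, H, d)]
        out.append(residual(z))
    return out

def demo(seed=1):
    rng = random.Random(seed)
    base = fingerprint(simulate(1000, False, rng))  # baseline fingerprint from clean data
    stream = simulate(600, False, rng) + simulate(600, True, rng)
    bdd_rate = sum(bdd_alarm(r) for r in stream[600:]) / 600
    return detect(stream, base), bdd_rate
```

`demo()` returns the start indices of flagged windows and the fraction of attacked samples that the per-sample check alone would have caught.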