Service Identification And User Behaviour Semantic Analysis For VPN Traffic In Power Grid

With the continous engergization of the new infrastructure strategy,our country’s power grid is at a critical stage of informationization and intelligent transformation.The secure and stable communication among the widely distributed grid companies,power plants,and substations at all levels in the power system,as well as among the intelligent devices belonging to the employees and the Intranet of their affiliation,is an important guarantee for the current power grid informationization.Compared with the traditional leased line method,the encrypted tunnel technology represented by Virtual Private Network(VPN)has become an important communication method for the integrated data network and scheduling network in power system due to its security,speed,flexibility,and good adaptability to intelligent terminals.Although VPN brings convenience to the employees,it also brings more hidden network security risks and management difficulties to the power grid.Because of its tunneling communication characteristics,the traditional security gateway is difficult to effectively implement effective supervision of its communication behavior,which leads to a serious challenge to the daily management of VPN users and abnormal behavior detection.The identification of the services carried in VPN traffic can effectively assist network manager to judge the reasonableness of their communication behavior using the records of employees and devices.With data mining for the carrying services in the VPN traffic at different time periods,the non-standard use of devices and internal abnormal communication behavior can be timely alarmed.In order to meet the demand for intelligent management of power grid VPN communication security,this dissertation conducts research on service type identification and user behavior semantic analysis for VPN traffic in power grid.Taking typical OpenVPN as the research object,the research is carried out from the multi-level spatio-temporal feature mining of VPN traffic,multi-channel deep neural network model design for heterogeneous spatiotemporal features and multi-timescale behavior semantic generation of VPN users.The main work can be concluded as follows:(1)The spatio-temporal statistical characteristics of VPN traffic with different service types are analyzed.Based on the real collected VPN traffic samples,the comparative analysis is carried out in terms of delay characteristics,length sequence characteristics,and interaction behavior characteristics.The delay characteristics include response delay characteristics,intermessage packet delay characteristics,and inter-request packet delay characteristics.The length sequence characteristics include upstream and downstream load length distribution,downlink load mean,and standard deviation.The interaction behavior characteristics mainly include downlink load transmission rate and interaction frequency.(2)An identification method for the service in VPN traffic based on multi-channel selfattentive neural network is proposed.Based on the pattern matching-based OpenVPN traffic identification,we construct stream-level spatio-temporal data representations by extracting multiple types of spatio-temporal features of traffic,such as sessions,loads,and interactions.Then,we construct neural network channels that adapt to different feature types for these heterogeneous spatio-temporal features,including multilayer perceptron,one-dimensional convolutional neural network,and self-attentive transform neural network.On this basis,we complete the identification of these heterogeneous spatio-temporal features by fusion learning module.The effective mapping of these heterogeneous spatio-temporal features is completed by the fusion learning module to achieve the identification of VPN traffic service.The comparative experimental results with various identification models show that the method can effectively improve the identification accuracy.(3)A semantic analysis model of user behavior for grid VPN users is proposed.The behavioral semantic analysis model can construct behavioral semantic characterization based on VPN traffic generated under different observation time scales in the same IP address.The behavioral semantic elements include N-gram of service under unit time slot,probability density of service duration,statistics of single observation day time characteristics,service switching characteristics,service period characteristics,etc.Based on this behavioral semantic representation,the similarity measure of behavioral semantic representation is further constructed by combining Rouge-N,Kullback-Leibler Diverge and Euclidean distance.On this basis,the user abnormal behavior detection method based on sliding time window behavior semantic regularity and the behavior semantic matching method between users based on fuzzy clustering are designed respectively.These methods can provide effective solutions to the problems of user abnormal behavior and illegal use of account in power grid VPN communication.Finally,the dissertation is summarized and the future problems worthy of further research are prospected.