基于业务逻辑的电力业务报文攻击识别方法

Identification method of power service packet attacks based on service logic

针对电网测控终端的电力业务报文攻击极易造成电力一次设备误动,从而引发电力事故。电力业务报文攻击通常通过干扰正常业务逻辑达到攻击目的,已有攻击识别方法没有考虑业务逻辑,有效性比较差。因此,提出一种基于业务逻辑的电力业务报文攻击识别方法,该方法定义了电力业务逻辑状态链和黑白名单,将误用检测与异常检测方法相结合,基于业务逻辑黑白名单对业务的威胁度进行评估,并考虑电网时间风险与业务重要性,对威胁度进行修正,通过比较业务威胁度与安全阈值,实现对电力业务报文攻击的高效准确识别。给出了应用所提方法实现的一个攻击识别系统架构,并对实现后的系统进行了测试,验证了所提方法的有效性。

The PSPAs(Power Service Packet Attacks)of power grid measurement and control terminals are easy to cause misoperation of primary electric equipment,thus causing electric power accidents.PSPAs usually achieve the attack purpose by interfering the normal service logic.Existing attack identification methods do not take service logic into account and have poor effectiveness.Therefore,an identification method of PSPAs based on service logic is proposed.The state chain of power service logic,blacklist and whitelist are defined.The misuse detection method and anomaly detection method are combined to evaluate the threat degree of power service based on the service logic blacklist and whitelist.Considering the time risk and service importance of power grid,the threat degree is corrected,and the effective and accurate identification of PSPAs is realized by comparing the service threat degree and the security threshold.The architecture of an attack identification system based on the proposed method is presented,and the system is tested to verify the effectiveness of the proposed method.