Anomaly Intrusion Detection Method Based On AMI

Posted on: 2019-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: N Y Jiang
GTID: 2382330596960927
Subject: Computer technology

Abstract/Summary:
The architecture of the traditional power grid was designed in the last century as a rigid system that is only suitable for connecting stable and controllable energy sources. However, with the shortage of traditional fossil energy resources and the development of distributed renewable energy, connecting a large amount of distributed energy on the user side has become necessary, so the architecture of the power grid needs to be redesigned to ensure the stable and safe operation of grid equipment. Advanced Metering Infrastructure (AMI) provides two-way communication between the power grid and its users, allowing the grid to read the user's power, voltage, current and equipment status in real time, which enhances monitoring and control capability and increases the prediction accuracy of power consumption. However, the closed nature of the traditional power grid meant that its industrial control systems did not take full account of network security at the beginning of their design. Therefore, once the two-way communication channel is exploited, the result may be economic loss, power failure or even equipment damage. It is therefore of great significance to detect anomalous traffic in the AMI network.

This paper first studies the state of the art in intrusion detection for AMI networks and the differences between domestic and international practice, then analyzes the reasons for those differences, which lie mainly in network architecture and communication protocol. Finally, based on the security demands of the smart grid, real traffic from the domestic smart grid is collected and analyzed, and intrusion detection methods appropriate for this network are proposed. The main contents and achievements of the paper are as follows:

Reverse analysis based on the spatial and temporal characteristics of traffic. This paper collects data from a real provincial smart grid network in China in order to design intrusion detection methods applicable to that network. Because of the closed nature of domestic grid management, the communication protocols and network architecture are unknown. Meanwhile, differences in network architecture and protocols lead to different approaches, so reverse analysis is required to identify the network architecture and the communication protocols. First, reverse analysis identifies the two types of protocol in the traffic flow, namely a private protocol and the DL/T 645 protocol. Then, by analyzing the correlation between the two and the format of DL/T 645, the format of the private protocol is derived, and the role of the private protocol is determined to be authentication for the forwarding of DL/T 645 protocol data. Finally, the network architecture of the power grid is further revealed based on the relevant characteristics of the two protocols.

Anomaly detection model based on operation flow authentication. First, according to the authentication mechanism found by the reverse analysis, the operation flow is defined: the power grid first transfers the private protocol flow for authentication, and then transfers the DL/T 645 protocol flow. If either flow is missing or the authentication fails, the grid cannot transmit the data correctly. Therefore, on the one hand, verifying that the authentication of each operation flow conforms to the authentication mechanism detects abnormal authentication; on the other hand, anomalous operation flows in the authentication process can be used to detect network anomalies. The various anomalous operation flows in the authentication process and the reasons they arise are then analyzed. Finally, based on the spatio-temporal characteristics of the operation flow and the authentication mechanism, an anomaly detection model is established, which is used to detect abnormal authentication and network anomalies such as port collision, network link anomalies and terminal equipment failure.

Traffic modeling method based on traffic decomposition. In the AMI network, some of the infrastructure is deployed on the user side, so it is highly vulnerable to intrusion by malicious users. However, network intrusion leads to changes in network traffic behavior, so anomalous behavior can be detected by establishing profiles of normal network traffic. First, the business model and communication characteristics of the power grid are analyzed from the grid data. Combining network traffic analysis with the changes in communication mode, this paper further analyzes the working mechanism of the smart grid with reference to the characteristics of IT networks, domestic and foreign smart grids, and industrial control systems. According to the transmission characteristics of certain business data, a normal traffic model is established by decomposing the traffic into mutation, trend, period and random components, and a supervised traffic detection method is proposed.
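
The operation-flow rule described above (private-protocol authentication first, then the DL/T 645 flow), as an added example that is not code from the thesis. It assumes flow records have already been classified by protocol; the `Flow` fields, the 5-second pairing window, the finding names and the sample flows are all constructed for illustration.

```python
from collections import namedtuple

# Flow record already classified by protocol; field names are assumptions.
Flow = namedtuple("Flow", "ts src dst proto auth_ok")

WINDOW = 5.0  # assumed max seconds between the auth flow and its DL/T 645 flow


def check_operation_flows(flows, window=WINDOW):
    """Return sorted (ts, src, dst, finding) for broken auth-then-data order."""
    findings = []
    pending = {}  # (src, dst) -> ts of a successful auth awaiting its data flow
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst)
        prev = pending.pop(key, None)
        fresh = prev is not None and f.ts - prev <= window
        if f.proto == "DLT645" and fresh:
            continue  # complete operation flow: auth, then data, in time
        if prev is not None:
            # The earlier auth was never followed by data within the window.
            findings.append((prev, *key, "auth_without_data"))
        if f.proto == "DLT645":
            findings.append((f.ts, *key, "data_without_auth"))
        elif not f.auth_ok:
            findings.append((f.ts, *key, "auth_failed"))
        else:
            pending[key] = f.ts
    # Auths still unanswered once the capture has run past their window.
    end = max((f.ts for f in flows), default=0.0)
    for key, ts in pending.items():
        if end - ts > window:
            findings.append((ts, *key, "auth_without_data"))
    return sorted(findings)


# Constructed sample flows, not taken from the thesis data set.
SAMPLE = [
    Flow(0.0, "master", "term-07", "PRIVATE", True),
    Flow(0.8, "master", "term-07", "DLT645", None),   # normal operation flow
    Flow(10.0, "master", "term-08", "DLT645", None),  # data with no auth
    Flow(20.0, "master", "term-09", "PRIVATE", False),  # failed auth
    Flow(30.0, "master", "term-07", "PRIVATE", True),   # auth, no data follows
    Flow(60.0, "master", "term-08", "PRIVATE", True),
    Flow(61.0, "master", "term-08", "DLT645", None),
]

if __name__ == "__main__":
    for finding in check_operation_flows(SAMPLE):
        print(finding)
```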
Keywords/Search Tags: AMI, Intrusion Detection, Reverse Analysis, Authentication Mechanism, Time Series Analysis