A Smart Grid Monitoring System (SGMS) is an important means of protecting smart grid security. The high volume of alerts generated by an SGMS often overwhelms operators, so automatically handling alerts and extracting attack events is a critical issue for the smart grid. Most existing security event analysis methods are designed for the Internet and are not directly applicable to the power grid, which has high reliability and low attack tolerance requirements. In addition, most current attack prediction research focuses on traffic data; the few studies based on attack chains are relatively simple, ineffective and not portable. For this reason, a multi-step attack detection model and attack prediction models based on self-attention and model stacking are proposed. The specific contributions are as follows:

1. Multi-step attack detection model. In this model, an alert graph is constructed by IP correlation and then transformed into candidate attack chains after aggregation. The candidate preliminary attack chains are then pruned and denoised using negative causal correlation and non-cascading events. Finally, attack chains and visual attack graphs are formed. The proposed model needs little prior knowledge while automatically extracting multi-step attack events and showing the attack trajectories among IPs. The experimental results show that the model performs well on China Grid data and the DARPA 2000 data set.

2. Attack prediction model based on self-attention. First, the extracted attack chains are expanded and the samples are divided. Then the IP and alert information in the attack chains are embedded and concatenated and fed into the neural network model in turn. A comparison of various neural networks in the attack prediction model shows that the self-attention model based on Bi-LSTM performs best; its HLC-AUC is 0.802. Experiments on the DARPA 2000 data set also confirm the validity of the model.

3. Attack prediction model based on model stacking. The input features of the model are divided into two parts: the attack chain encoding extracted from the self-attention model, and network information extracted manually. The features are concatenated and fed into the classification model for attack prediction. The XGBoost model achieves the best result, with an HLC-AUC of 0.838. The model also performs well on the DARPA 2000 data set, which confirms its validity.
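As an added illustration of the alert-graph step in contribution 1 (example code written for this page, not the thesis's implementation), the script below aggregates constructed sample alerts, links them by IP correlation (the target of one alert becomes the source of a later one), and keeps only chains that cascade across more than one hop; the 60-second window and the single-hop pruning rule are simplifying assumptions, and the negative-causal-correlation filter is not modelled.

```python
from collections import defaultdict

# Constructed sample alerts (not thesis data): (time_s, src_ip, dst_ip, signature)
ALERTS = [
    (1, "10.0.0.5", "10.0.1.20", "port-scan"),
    (2, "10.0.0.5", "10.0.1.20", "port-scan"),   # repeat of the alert above
    (5, "10.0.1.20", "10.0.2.30", "exploit"),
    (9, "10.0.2.30", "10.0.3.40", "data-transfer"),
    (4, "10.0.9.9", "10.0.9.10", "port-scan"),   # isolated alert, nothing follows it
]

def aggregate(alerts):
    """Collapse alerts sharing (src, dst, signature); keep first time and a count."""
    nodes = {}
    for t, src, dst, sig in alerts:
        first, count = nodes.get((src, dst, sig), (t, 0))
        nodes[(src, dst, sig)] = (min(first, t), count + 1)
    return nodes

def build_alert_graph(nodes, window=60):
    """IP correlation: edge a -> b when a's target is b's source and b follows a
    within `window` seconds (the window is an assumed parameter, not the paper's)."""
    edges = defaultdict(list)
    for a, (ta, _) in nodes.items():
        for b, (tb, _) in nodes.items():
            if a != b and a[1] == b[0] and ta < tb <= ta + window:
                edges[a].append(b)
    return edges

def extract_chains(nodes, edges):
    """Every root-to-leaf path; single-node paths are non-cascading and dropped."""
    targets = {b for bs in edges.values() for b in bs}
    chains = []
    def walk(node, path):
        path = path + [node]
        if not edges.get(node):          # leaf: time ordering guarantees no cycles
            if len(path) > 1:
                chains.append(path)
            return
        for nxt in edges[node]:
            walk(nxt, path)
    for root in sorted((n for n in nodes if n not in targets), key=lambda n: nodes[n][0]):
        walk(root, [])
    return chains

def describe(chain):
    """Render a chain as the IP trajectory with the alert signature at each hop."""
    return " -> ".join(f"{src} -[{sig}]-> {dst}" for src, dst, sig in chain)
```

Running `extract_chains` on the sample yields one three-hop chain (scan, exploit, data transfer) and discards the isolated scan that never cascaded.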