With the development of enterprise information systems, intranet environments have grown in scale and complexity. Network security managers have only limited ability to supervise and control the intranet, and the hidden danger of internal threats is steadily increasing. Network situation awareness, a subject that has emerged in recent years, can effectively characterize the current state of the network, distinguish the users or devices that may pose threats, and give security managers an efficient means of management, which has great practical significance. However, network situation awareness technology is still at an exploratory stage and has several problems: insufficient detection accuracy, insufficient breadth of information extraction, and a lack of logical connection between behaviors. Based on the real data environment of a power grid, this thesis designs a detection model for key suspicious power grid hosts based on statistical analysis of alarm data, and an abnormal behavior detection model for operation logs based on behavior tags. On this basis, a power grid situation element extraction model based on the fusion of alarm logs and operation logs is designed, and a complete subject-and-behavior scene is constructed, which provides an information basis for further decisions by power grid security personnel. The main work is as follows.

1. A detection model for key suspicious power grid hosts based on statistical analysis of alarm data is proposed. The model consists of a flat-top detection module and a pointed-top detection module, which respectively detect the flat-top abnormal state and the sharp-top abnormal state in the grid environment. After the preprocessing module, the data are passed to the two modules and the detection results are obtained. The experimental results show that the comprehensive accuracy of the algorithm is 87%, the recall rate is 87%, and the accuracy rate is 91%, which improves the accuracy of situation awareness.

2. A behavior-tag-based abnormal behavior detection model for operation logs is proposed. Based on the operation logs of hosts in the power grid, the model divides the characteristics of users' operation behavior into four dimensions to accurately depict a behavior portrait of each user's operations, uses an isolation forest as the classifier, and uses label-free learning to design an updatable user behavior learning model that completely describes the user's behavior characteristics across multiple dimensions. The experimental results show that the comprehensive accuracy rate of the model is 86%, the accuracy rate is 99%, and the recall rate is 79%.

3. A power grid situation element extraction model based on the fusion of alarm logs and operation logs is proposed. In this model, the outputs of the key suspicious host detection model (based on statistical analysis of alarm data) and the abnormal behavior detection model for operation logs (based on behavior tags) are fused by a causal association method. A long short-term memory (LSTM) network is then used to learn the resulting chain, which makes it feasible to predict the probability of propagation after the chain. The experimental results show that the comprehensive accuracy rate of the model is 88%, the average accuracy rate is 90%, and the average recall rate is 90%. This provides a strong basis for network security managers to understand the overall network security situation and make further decisions.
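As an added illustration of the two-module host detection described in item 1 (this is not the thesis's own code; the thesis does not define its modules in detail, so the definitions used here are assumptions: a window is "elevated" when its alarm count exceeds median + k * MAD, a short elevated run is treated as a pointed top, and a run of at least min_plateau windows as a flat top), the following sketch flags key suspicious hosts from constructed per-host alarm counts:

```python
"""Flat-top / pointed-top detection over per-host alarm counts (added example, assumed definitions)."""
from statistics import median

# Constructed sample input: alarm counts per host in 12 consecutive one-hour windows.
SAMPLE_ALARMS = {
    "host-a": [2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3],      # steady baseline, nothing to flag
    "host-b": [2, 3, 2, 3, 40, 3, 2, 3, 2, 3, 2, 3],     # one burst window -> pointed top
    "host-c": [2, 3, 2, 3, 12, 13, 12, 13, 3, 2, 3, 2],  # sustained plateau -> flat top
}

def preprocess(counts):
    """Stand-in for the preprocessing module: drop missing values, clip negatives."""
    return [max(0, int(c)) for c in counts if c is not None]

def elevated_windows(counts, k=5.0):
    """Indices whose count exceeds median + k * MAD (robust, so a spike cannot mask itself)."""
    med = median(counts)
    mad = max(median(abs(c - med) for c in counts), 1.0)  # floor avoids a zero scale
    return [i for i, c in enumerate(counts) if c > med + k * mad]

def runs(indices):
    """Group sorted indices into consecutive runs, e.g. [4] and [4, 5, 6, 7]."""
    groups = []
    for i in indices:
        if groups and i == groups[-1][-1] + 1:
            groups[-1].append(i)
        else:
            groups.append([i])
    return groups

def classify_host(counts, k=5.0, min_plateau=3):
    """Assumed rule: a run shorter than min_plateau is a pointed top (burst);
    a run of min_plateau or more elevated windows is a flat top (sustained elevation)."""
    groups = runs(elevated_windows(preprocess(counts), k))
    return {
        "pointed_top": any(len(g) < min_plateau for g in groups),
        "flat_top": any(len(g) >= min_plateau for g in groups),
        "elevated": [i for g in groups for i in g],
    }

def key_suspicious_hosts(alarms):
    """Hosts flagged by either module, with the reason, for analyst triage."""
    result = {}
    for host, counts in alarms.items():
        verdict = classify_host(counts)
        if verdict["pointed_top"] or verdict["flat_top"]:
            result[host] = verdict
    return result

if __name__ == "__main__":
    for host, verdict in key_suspicious_hosts(SAMPLE_ALARMS).items():
        print(host, verdict)
```

The MAD-based threshold keeps the baseline from being pulled up by the very anomaly being searched for, which is why the plateau in host-c is still detected with only a handful of elevated windows.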