CN106982235A - A kind of power industry control network inbreak detection method and system based on IEC 61850 - Google Patents
A kind of power industry control network inbreak detection method and system based on IEC 61850
- Publication number: CN106982235A (application CN201710425727.8A)
- Authority: CN (China)
- Prior art keywords: goose, model, detection, address, fields
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L63/1458: Denial of Service
Landscapes (AREA): Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Health & Medical Sciences; General Health & Medical Sciences; Virology; Data Exchanges In Wide-Area Networks
Abstract
The invention discloses an IEC 61850-based intrusion detection method and system for power industrial control networks, comprising access control detection, protocol whitelist detection, model-based detection and multi-parameter detection. Access control detection blocks malware activity and attacks that attempt to communicate with a control server and is particularly effective in the initial infection stage; protocol whitelist detection detects and alerts on abnormal protocol traffic in the substation's station level and process level networks; the model-based anomaly detection method can discover malicious attacks or unintentional anomalies in the station level and process level networks; multi-parameter detection monitors the most sensitive parameters of the intelligent substation to recognise possible threats to the industrial control system caused by internal unintentional misuse or malicious external attacks. The invention was verified on a cyber-physical test platform simulating an actual 500 kV intelligent substation, confirming the real-time performance and usability of the intrusion detection method.
Description
Technical field
The invention belongs to the technical field of network information security of industrial control systems, and in particular relates to an IEC 61850-based intrusion detection method and system for power industrial control networks.
Background technology
An industrial control system is a computer-based automation system that controls and schedules a production process; it monitors and controls the operating equipment in the field and plays an important role in the industrial control systems of critical infrastructure such as electric power, oil and the chemical industry. As the complexity and interconnectivity of industrial control systems keep increasing, the likelihood of malicious network attacks also rises sharply. Industrial control networks that follow conventional communication protocols often gave insufficient consideration to network security threats at design time. A continuously evolving industrial control system may be regarded as a prime target by malicious attackers or disgruntled insiders, who exploit system weaknesses to gain unauthorised access and control. Such an intrusion may be simple or an advanced persistent attack, and may endanger the safe and stable operation of the industrial control system. Industry and academia at home and abroad pay ever more attention to the network security of power industrial control systems, and the information security of power industrial control system networks has become an engineering problem that bears on the safe, reliable and stable operation of the power system.
With the emergence of new information security threats, existing methods for general IT security are not fully compatible with the operating scenarios of power industrial control systems based on the IEC 61850 standard. For example, traditional IT security measures such as firewalls and intrusion detection systems (IDS) are usually unable to interpret the application layer data of this kind of communication. Although the IEC 62351 standard defines a framework of network security specifications for the IEC 61850 protocols, manufacturers typically do not implement appropriate protection in their intelligent electronic devices (IEDs). Given slow manufacturer response, how grid companies cope with security breaches, and detect and mitigate recurring threats, has become an urgent problem; intrusion detection methods at this stage cannot solve this kind of problem.
The currently published intrusion detection methods for power industrial control systems mainly target the DNP3, EtherNet/IP and Modbus TCP protocols; these Snort detection rules can recognise unauthorised requests, malformed protocol requests and responses, rarely used and dangerous commands, and other possible attack conditions. Research on intrusion detection systems for IEC 61850-based power industrial control networks, however, is still in its initial stage. The IEC 61850 transport protocols are widely used in power industrial control systems such as intelligent substations. Data in the industrial control network of an intelligent substation is transmitted in clear text, so information transmission is exposed to the risk of eavesdropping, sniffing or tampering. For example, an attacker can launch a man-in-the-middle (MITM) attack to sniff and collect telemetry values, remote control commands or other remote signals; in each case they are re-injected into the communication system after tampering, which endangers the stability of the power industrial control system or reduces its security, and may also enable further attacks in the future. Because conventional power industrial systems lack a control instruction authentication mechanism, a malicious attacker may access the industrial control system without authorisation, destroy the integrity and availability of information, and launch spoofing, replay and man-in-the-middle attacks, which may cause catastrophic damage and endanger the safe operation of the system. Existing IEC 61850-based intrusion detection systems have the following deficiencies: (1) they cannot effectively defend against "zero-day attacks" (unknown threats or undiscovered vulnerabilities); (2) affected by Manufacturing Message Specification (MMS) and Generic Object Oriented Substation Event (GOOSE) messages, most statistical-analysis detection methods produce false negatives and miss real attacks; (3) detection accuracy has much room for improvement and is not adapted to actual substations.
The content of the invention
Goal of the invention: to solve the problems of the prior art, the invention proposes an IEC 61850-based intrusion detection method and system for power industrial control networks.
Technical scheme: an IEC 61850-based power industrial control network intrusion detection method, including:
ACD access control detection: used in the initial infection stage to block malware activity and attacks that attempt to communicate with a control server. It extracts the destination and source IP addresses, destination and source MAC addresses or ports from captured messages and compares them with a pre-established access control whitelist; if the IP address, MAC address or port does not belong to the access control whitelist, it is regarded as a suspicious IP address, MAC address or port; if it belongs to the access control whitelist, it is regarded as a normal IP address, MAC address or port.
PWD protocol whitelist detection: used to detect and alert on abnormal protocol traffic in the substation's station level network and process level network. The protocols supported by the station level network and the process level network are configured; these protocols include MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588. For the station level network, only communication services conforming to the MMS, COTP, TPKT or SNTP protocols are allowed, otherwise the traffic is regarded as suspicious and alert information is generated; for the process level network, only GOOSE, SV or IEEE 1588 traffic is allowed, otherwise it is regarded as suspicious traffic and alert information is generated.
MBD model-based detection: used to detect malicious attacks or unintentional abnormal behaviour in the station level network and the process level network. It analyses the SCD file and the content of IEC 61850 messages and compares the detected messages with normal behaviour models defined through protocol analysis; if any normal behaviour model is violated, an alert is generated and the detection result is recorded.
MPD multi-parameter detection: used to recognise threats caused by internal unintentional misuse or malicious external attacks by monitoring the parameters of the intelligent substation. It detects the telemetry and remote signalling data from the station level network and the process level network and identifies abnormal data by matching data of the same source; when data from the same source is inconsistent, it is regarded as abnormal. Specifically it consists of remote signalling comparison detection and telemetry comparison detection.
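The protocol whitelist detection described above, written out as an added example (this is not the patent's own code). The per-network allowed sets are the ones listed in the text; the classification rules that map a flow to a protocol name (TCP port 102 for TPKT/COTP/MMS, UDP port 123 for SNTP, EtherTypes 0x88B8 and 0x88BA for GOOSE and SV, EtherType 0x88F7 or UDP ports 319/320 for IEEE 1588) are my assumptions taken from the respective protocol standards, and the flow records are constructed sample data:

```python
# Added example: PWD protocol whitelist detection for the station level and
# process level networks. Classification rules are assumptions from the protocol
# standards; flow records passed in are constructed sample data.
STATION_LEVEL_ALLOWED = {"MMS", "COTP", "TPKT", "SNTP"}
PROCESS_LEVEL_ALLOWED = {"GOOSE", "SV", "IEEE1588"}


def classify(flow):
    """Map a flow record {ethertype, ip_proto, src_port, dst_port} to a protocol name.
    Layer-2 protocols are recognised by EtherType, the rest by transport port."""
    et = flow.get("ethertype")
    if et == 0x88B8:
        return "GOOSE"
    if et == 0x88BA:
        return "SV"
    if et == 0x88F7:               # PTP (IEEE 1588) directly over Ethernet
        return "IEEE1588"
    ports = {flow.get("src_port"), flow.get("dst_port")}
    proto = flow.get("ip_proto")
    if proto == "tcp" and 102 in ports:
        return "MMS"               # MMS is carried over TPKT/COTP on TCP port 102
    if proto == "udp" and 123 in ports:
        return "SNTP"
    if proto == "udp" and ports & {319, 320}:
        return "IEEE1588"          # PTP event/general messages over UDP
    return "UNKNOWN"


def pwd_check(flow, network):
    """Return (protocol, alert) for a flow seen on the 'station' or 'process'
    level network; alert is None when the protocol is on that network's whitelist."""
    proto = classify(flow)
    allowed = STATION_LEVEL_ALLOWED if network == "station" else PROCESS_LEVEL_ALLOWED
    if proto in allowed:
        return proto, None
    return proto, f"suspicious traffic on {network} level network: {proto}"


if __name__ == "__main__":
    # constructed sample flows
    print(pwd_check({"ethertype": 0x0800, "ip_proto": "tcp", "src_port": 49152, "dst_port": 102}, "station"))
    print(pwd_check({"ethertype": 0x88B8}, "station"))
```

Note that the same MMS flow is normal on the station level network and suspicious on the process level network: the whitelist is per network, not global, which is what lets this rule catch a station level protocol appearing on the process bus.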
Further, in the ACD access control detection, the established access control whitelist comprises the whitelist of MAC addresses in the data link layer, IP addresses in the network layer and transport layer ports.
Further, in the ACD access control detection, a default action is also taken against an IP address, MAC address or port regarded as suspicious, namely: an alarm is issued in IDS mode, the traffic is blocked in IPS mode, and the detection result is recorded, as in formula (1):
where AC = {MACsrc, MACdst, IPsrc, IPdst, Portsrc, Portdst}, ACwl denotes the established access control whitelist, and MACsrc, MACdst, IPsrc, IPdst, Portsrc and Portdst denote the source and destination MAC addresses, the source and destination IP addresses, and the source and destination ports respectively. Each host or device has a unique <IP, MAC> pairing; if the intelligent electronic device has not been replaced by a new device but two or more MAC addresses correspond to the same IP address, a spoofing attack is judged to have occurred.
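The access control detection and the <IP, MAC> pairing rule above, as an added example (not the patent's code). It checks the six AC tuple members against the whitelist, takes the IDS/IPS default action, records the result, and flags an IP address that has been seen with more than one source MAC. The whitelist contents and the packet tuples are constructed sample data; as in the text, both source and destination ports are checked against the same port list:

```python
# Added example: ACD access control whitelist detection with the spoofing rule.
# Whitelist entries and packets below are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class AccessControlWhitelist:
    macs: set    # data link layer MAC addresses
    ips: set     # network layer IP addresses
    ports: set   # transport layer ports


@dataclass
class AccessControlDetector:
    whitelist: AccessControlWhitelist
    mode: str = "IDS"                                # "IDS" alerts, "IPS" blocks
    ip_to_macs: dict = field(default_factory=dict)   # IP -> set of source MACs seen using it
    log: list = field(default_factory=list)          # recorded detection results

    def inspect(self, pkt):
        """pkt: dict with mac_src, mac_dst, ip_src, ip_dst, port_src, port_dst.
        Returns the action taken: 'allow', 'alert' (IDS mode) or 'block' (IPS mode)."""
        wl = self.whitelist
        reasons = []
        for key in ("mac_src", "mac_dst"):
            if pkt[key] not in wl.macs:
                reasons.append(f"{key}={pkt[key]} not in MAC whitelist")
        for key in ("ip_src", "ip_dst"):
            if pkt[key] not in wl.ips:
                reasons.append(f"{key}={pkt[key]} not in IP whitelist")
        for key in ("port_src", "port_dst"):
            if pkt[key] not in wl.ports:
                reasons.append(f"{key}={pkt[key]} not in port whitelist")
        # <IP, MAC> pairing: a second MAC claiming an already-seen IP is a spoofing indicator
        macs = self.ip_to_macs.setdefault(pkt["ip_src"], set())
        macs.add(pkt["mac_src"])
        if len(macs) > 1:
            reasons.append(f"spoofing: IP {pkt['ip_src']} claimed by MACs {sorted(macs)}")
        if not reasons:
            return "allow"
        action = "block" if self.mode == "IPS" else "alert"
        self.log.append((action, pkt, reasons))      # record the detection result
        return action


if __name__ == "__main__":
    wl = AccessControlWhitelist(macs={"00:50:c2:aa:bb:01", "00:50:c2:aa:bb:02"},
                                ips={"10.0.1.1", "10.0.1.2"}, ports={102, 123})
    acd = AccessControlDetector(wl)
    ok = dict(mac_src="00:50:c2:aa:bb:01", mac_dst="00:50:c2:aa:bb:02",
              ip_src="10.0.1.1", ip_dst="10.0.1.2", port_src=102, port_dst=102)
    print(acd.inspect(ok), acd.inspect(dict(ok, mac_src="00:50:c2:aa:bb:99")))
```

The spoofing rule only fires once a second MAC appears for an IP that has already been observed, so the detector has to keep state across packets; a legitimate device replacement must be reflected by resetting that IP's entry, which is the "not replaced by a new device" condition in the text.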
Further, the MBD model-based detection carried out on the station level network is specifically as follows:
In the station level network, normal behaviour models are established based on the ACSI mapped to MMS, or on SNTP; if any normal behaviour model is violated, an alert is generated and the detection result is recorded. The normal behaviour models are established as follows:
A) Report service model
The SCD file configures the maximum number of instantiable report control blocks of each intelligent electronic device. The extracted report service model takes the maximum number of instantiable report control blocks of each intelligent electronic device as the detection rule; if an abnormal connection request that could occupy all instantiable report control blocks of an intelligent electronic device is identified, a suspected denial of service (DoS) attack is alerted and the detection result is recorded.
B) Association service model
The association service model defines the maximum number of IEC 61850 clients that can be associated; if an abnormal connection request to a client is detected, an alert is generated and the detection result is recorded.
C) Setting service model
The setting service model defines that only IEC 61850 clients are allowed to change settings; if this definition is violated, alert information is sent.
D) File transfer model
The ACSI GetFile service is used by a client to transfer the content of a file from the server to the client, and the client uses the ACSI GetFileAttributeValues service to obtain the name and attributes of a specific file stored on the server. The file transfer model defines that an IEC 61850 client can only transfer a single file; if this definition is violated, an alert is generated and the detection result is recorded.
E) SNTP model
In the substation network, SNTP is used to achieve time synchronisation over LAN communication, and SNTP traffic uses the User Datagram Protocol in the transport layer. For SNTP traffic, the port number of the UDP connection to the IEC 61850 server should be <123>; if the port number of SNTP traffic is not <123>, an alert is triggered and the result is stored in the log file.
F) Time correlation model
Important control commands are subject to time correlation constraints, which include a time interval limit and a frequency limit. If the same legitimate command is sent too frequently, the rules of formulas (2) and (3) are violated, and in each case alarm and logging actions are started:
CV(n) - CV(n-1) < T → Actions(alert, log)    (2)
In formula (2), CV is the control command, n is a positive integer (n > 1), and T is the time interval limit; in formula (3), F denotes the frequency limit.
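The time correlation model, as an added example that is not part of the patent text. Formula (2) is implemented as written (two consecutive sends of the same command less than T apart); since formula (3) is not reproduced in the text, the frequency limit F is applied here as "at most F sends of the same command within a sliding window of W seconds", which is my assumption about how F is meant to be counted. Command names and timestamps are constructed sample data:

```python
# Added example: time-correlation model for control commands.
# Interval rule: formula (2) as given in the text.
# Frequency rule: sliding-window count (window length W is an assumption).
from collections import defaultdict, deque


class TimeCorrelationModel:
    def __init__(self, min_interval_s, max_per_window, window_s):
        self.T = min_interval_s          # time interval limit T (formula 2)
        self.F = max_per_window          # frequency limit F (formula 3)
        self.W = window_s                # window over which F is counted (assumption)
        self.history = defaultdict(deque)   # command -> timestamps of accepted sends
        self.log = []                    # Actions(alert, log) records

    def observe(self, command, ts):
        """Record one control command CV sent at time ts (seconds).
        Returns the violated rules ('interval', 'frequency'); [] means normal."""
        hist = self.history[command]
        violations = []
        # formula (2): CV(n) - CV(n-1) < T
        if hist and ts - hist[-1] < self.T:
            violations.append("interval")
        # frequency limit: drop sends older than the window, then count this one
        while hist and ts - hist[0] > self.W:
            hist.popleft()
        if len(hist) + 1 > self.F:
            violations.append("frequency")
        hist.append(ts)
        for rule in violations:
            self.log.append(("alert", rule, command, ts))
        return violations


if __name__ == "__main__":
    # constructed sequence: the same Operate command repeated too quickly
    m = TimeCorrelationModel(min_interval_s=2.0, max_per_window=3, window_s=10.0)
    for t in (0.0, 5.0, 6.0, 9.0, 20.0):
        print(t, m.observe("CSWI1.Pos.Oper", t))
```

Each command is tracked separately, so a burst of one breaker operation does not hide behind a healthy rate of other commands; both rules produce an alert and a log entry, matching the Actions(alert, log) of formula (2).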
Further, the MBD model-based detection carried out on the process level network is specifically as follows: in the process level network, the normal behaviour models are established based on the GOOSE and SMV protocol specifications; if any normal behaviour model is violated, an alert is generated and the detection result is recorded. The GOOSE APDU has 12 fields: gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, numDatSetEntries and allData. According to IEC 61850-9-2, SMV datagrams use ISO/IEC 8802-3 in the data link layer; the SV APDU has five fields: svID, smpCnt, confRev, smpSynch and seqData. The normal behaviour models are defined as follows:
A) Destination address model
The destination ISO/IEC 8802-3 multicast addresses used to transmit GOOSE/SMV are configured in the SCD file under <Communication> → <SubNetwork> → <ConnectedAP>; the destination address fields of GOOSE messages and SMV messages start with the four octets 01-0C-CD-01 and 01-0C-CD-04 respectively. The GOOSE and SMV destination addresses are given by formulas (4) and (5):
In formula (4), P is a message captured in the process level network, PGOOSE denotes a GOOSE message, and DstAField denotes the value of the destination address field in the ISO/IEC 8802-3 frame format; in formula (5), PSMV denotes an SMV message.
B) TPID field model
The 2-octet tag protocol identifier field shows the Ethernet type assigned to 802.1Q Ethernet-encoded frames; the value of the TPID field in GOOSE/SMV messages should be 0x8100, i.e. formula (6), where TPIDField denotes the value of the TPID field and PGOOSE/SMV denotes a GOOSE or SMV message.
C) EtherType field model
The 2-byte ISO/IEC 8802-3 EtherType field is registered by the IEEE registration authority; the EtherType values assigned to GOOSE and SMV are 0x88B8 and 0x88BA respectively, i.e. formulas (7) and (8), where EthTField is the value of the EtherType field.
D) Priority field model
The priority values of GOOSE and SMV messages are defined; the default value for GOOSE/SMV is 4, and it is also configured in the SCD file. The priority value should be between 0 and 7, i.e. formula (9), where PrioField is the value of the user priority field.
E) APPID field model
Each GOOSE/SMV control block has a unique APPID in the SCD file. The 2-octet APPID field of GOOSE messages is a 4-digit hexadecimal value in [0000-3FFF], and that of SMV messages is in [4000-7FFF], as in formulas (10) and (11).
F) Length model
The 2-octet length field of GOOSE/SMV messages specifies the total number of bytes in the frame from APPID to the end of the APDU, which equals 8 + m, where m is the APDU length and m < 1492; the length field model is formula (12), where LengField is the value of the length field. The length of the goID field in the GOOSE APDU is less than 65 bytes, i.e. formula (13), where LenGOIDField is the length of the goID field.
G) TimeAllowedToLive field model
The timeAllowedToLive field in the GOOSE APDU should be twice MaxTime (2T0). "MaxTime" is generally configured in the SCD file as <5000> under <Communication> → <SubNetwork> → <ConnectedAP> → <GSE> → <MaxTime>; if no GOOSE packet is received within 10000 ms, a communication interruption alarm is sent.
H) Tag field model
In the GOOSE tag field model, the tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom and numDatSetEntries fields of a GOOSE message are 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89 and 0x8a. In the SMV tag field model, the tag values of the svID, smpCnt, confRev and smpSynch fields of an SMV message are 0x80, 0x82, 0x83 and 0x85 respectively.
I) SmpCnt field model
The smpCnt field model specifies the value of a counter that is incremented for each new sample of the sampled analogue values. When the sampling rate of the merging unit MU is 4000 Hz, i.e. 80 samples per cycle, the smpCnt value keeps the correct order within the range [0, 3999], i.e. formula (14), where SmpCField is the value of the smpCnt field.
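The Ethernet header models A) to F) above, as an added example that is not the patent's code. It parses a VLAN-tagged ISO/IEC 8802-3 GOOSE/SMV frame and checks the destination address prefix, TPID, EtherType, priority, APPID range and the length field (8 + m with m < 1492). The frames produced by build_frame() are constructed sample data: the source MAC is fictitious, the VLAN ID is arbitrary, and the APDU is an opaque placeholder whose length is all that matters for these checks; the SCD-configured priority is passed in as a parameter and defaults to the value 4 given in the text:

```python
# Added example: GOOSE/SMV frame header validator for field models A) to F).
# Frame bytes are constructed sample data, not captures from a real substation.
import struct

GOOSE_DST_PREFIX = bytes.fromhex("010ccd01")   # destination address model, formula (4)
SMV_DST_PREFIX = bytes.fromhex("010ccd04")     # destination address model, formula (5)
TPID_8021Q = 0x8100                             # TPID field model, formula (6)
ETHERTYPE = {"GOOSE": 0x88B8, "SMV": 0x88BA}    # EtherType field model, formulas (7)/(8)
APPID_RANGE = {"GOOSE": (0x0000, 0x3FFF), "SMV": (0x4000, 0x7FFF)}  # formulas (10)/(11)
MAX_APDU_LEN = 1492                             # m < 1492 in the length model, formula (12)
# dst(6) src(6) TPID(2) TCI(2) EtherType(2) APPID(2) Length(2) Reserved1(2) Reserved2(2)
HEADER_LEN = 26


def parse_header(frame):
    """Split a VLAN-tagged GOOSE/SMV frame into its header fields plus the raw APDU."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame too short for a tagged GOOSE/SMV header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    appid, length, _res1, _res2 = struct.unpack("!HHHH", frame[18:26])
    return {"dst": frame[0:6], "src": frame[6:12], "tpid": tpid,
            "priority": tci >> 13,          # user priority is the top 3 bits of the TCI
            "ethertype": ethertype, "appid": appid, "length": length,
            "apdu": frame[HEADER_LEN:]}


def check_header(frame, kind, scd_priority=4):
    """Return the names of the violated field models; [] means the header is normal.
    kind is 'GOOSE' or 'SMV'; scd_priority is the priority configured in the SCD file."""
    h = parse_header(frame)
    violations = []
    prefix = GOOSE_DST_PREFIX if kind == "GOOSE" else SMV_DST_PREFIX
    if h["dst"][:4] != prefix:
        violations.append("dst_addr")
    if h["tpid"] != TPID_8021Q:
        violations.append("tpid")
    if h["ethertype"] != ETHERTYPE[kind]:
        violations.append("ethertype")
    if not (0 <= h["priority"] <= 7 and h["priority"] == scd_priority):
        violations.append("priority")
    lo, hi = APPID_RANGE[kind]
    if not lo <= h["appid"] <= hi:
        violations.append("appid")
    m = len(h["apdu"])
    if not (m < MAX_APDU_LEN and h["length"] == 8 + m):
        violations.append("length")
    return violations


def build_frame(kind, dst_hex, appid, apdu, priority=4, length=None):
    """Constructed test frame: fictitious source MAC, VLAN ID 1, correct length
    field unless a wrong one is supplied on purpose."""
    tci = (priority << 13) | 1
    length = 8 + len(apdu) if length is None else length
    return (bytes.fromhex(dst_hex) + bytes.fromhex("0050c2aabb01")
            + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE[kind])
            + struct.pack("!HHHH", appid, length, 0, 0) + apdu)


if __name__ == "__main__":
    apdu = bytes(40)   # placeholder APDU, only its length is used
    print(check_header(build_frame("GOOSE", "010ccd010001", 0x0001, apdu), "GOOSE"))
    print(check_header(build_frame("GOOSE", "010ccd040001", 0x4001, apdu, priority=6, length=100), "GOOSE"))
```

The checks are deliberately independent so that one malformed frame reports every model it violates, which is what a log line needs when the cause is an SMV stream being sent with a GOOSE APPID or a hand-crafted frame with a wrong length field.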
J) Correlation model
According to the actual SCD configuration of the intelligent substation, the APPID field is equal to the last two octets of the destination address field; this is defined as the correlation model, i.e. formula (15), where DstAField(P)5,6 denotes the last two octets of the destination address field.
The type of the gocbRef field in the GOOSE APDU is a constrained character string containing the logical device LD name, logical node LN name, functional constraint FC and control block CB name, i.e. LD/LN$FC$CB; the datSet field in the GOOSE APDU contains the LD name, LN name and data set DS name, i.e. LD/LN$DS; the default value of the goID field in the GOOSE APDU is similar to the default value of the gocbRef field, i.e. LD/LN$CB. The LD/LN value in the gocbRef field matches the LD/LN value in the dataSet field, and the control block name in the gocbRef field matches the control block name in the goID field. For example, gocbRef: PM5001APIGO/LLN0$GO$gocb1, dataSet: PM5001APIGO/LLN0$dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1; the corresponding correlation dictionary model is formula (16), where GibField, DatSField and GoIDfield denote the gocbRef, dataSet and goID fields respectively.
The changes of the state number StNum and the sequence number SqNum in the GOOSE APDU strictly follow an associated behaviour pattern: when the value of datSet in the transmitted GOOSE message changes, the StNum value increases, which causes the SqNum value to be reset to zero; when the StNum value does not change, the SqNum value is incremented for each transmitted GOOSE message, but it rolls over to 0 at its maximum value SqNummax = 4,294,967,295:
In formula (17), StNum(GPi) and SqNum(GPi) denote the StNum and SqNum values of the i-th GOOSE message respectively.
K) Traffic-based model
According to the traffic captured from an actual substation site, the traffic-based model defines upper and lower threshold values of the message transmission rate per second PPS, the bytes transmitted per second BPS, the message length LoP and the message size SoP as the normal traffic behaviour, as in formula (18), where PPSmin and PPSmax denote the lower and upper threshold values of PPS.
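The correlation model J) and the timeAllowedToLive model G), as an added example that is not the patent's code. It works on already-decoded GOOSE fields held in a dict (BER decoding of the APDU is outside this example) and checks formula (15) (APPID equals the last two destination octets), the reference dictionary of formula (16) using the page's own gocbRef/dataSet/goID example values, the 2 × MaxTime rule, and the StNum/SqNum transitions of formula (17) including the roll-over at 4,294,967,295. The message values and the control block name are constructed sample data; the SCD MaxTime defaults to the 5000 ms given in the text:

```python
# Added example: GOOSE correlation dictionary and StNum/SqNum behaviour models.
# Input messages are constructed dicts of already-decoded GOOSE fields.
import re

SQNUM_MAX = 4_294_967_295   # SqNum rolls over to 0 after this value (formula 17)


def split_ref(ref):
    """'LD/LN$FC$CB', 'LD/LN$DS' or 'LD/LN.CB' -> (LD/LN, last component).
    Both '$' and '.' separators appear in the text's example values."""
    parts = re.split(r"[$.]", ref)
    return parts[0], parts[-1]


def check_correlation(msg, scd_max_time_ms=5000):
    """Formulas (15) and (16) plus the timeAllowedToLive model for one message."""
    violations = []
    if msg["appid"] != int.from_bytes(msg["dst"][4:6], "big"):   # (15)
        violations.append("appid_dst")
    ldln_cb, cb = split_ref(msg["gocbRef"])
    ldln_ds, _ = split_ref(msg["datSet"])
    _, goid_cb = split_ref(msg["goID"])
    if ldln_cb != ldln_ds or cb != goid_cb:                        # (16)
        violations.append("reference_dict")
    if msg["timeAllowedToLive"] != 2 * scd_max_time_ms:            # model G)
        violations.append("ttl")
    return violations


class GooseSequenceModel:
    """Formula (17): tracks the StNum/SqNum pair per control block reference."""

    def __init__(self):
        self.last = {}   # gocbRef -> (stNum, sqNum) of the previous message

    def observe(self, msg):
        key = msg["gocbRef"]
        st, sq = msg["stNum"], msg["sqNum"]
        prev = self.last.get(key)
        self.last[key] = (st, sq)
        if prev is None:
            return []                 # first message for this control block
        prev_st, prev_sq = prev
        if st != prev_st:
            ok = st > prev_st and sq == 0        # state change: StNum up, SqNum reset
        else:
            expected = 0 if prev_sq == SQNUM_MAX else prev_sq + 1
            ok = sq == expected                  # retransmission: SqNum increments
        return [] if ok else ["stnum_sqnum"]


if __name__ == "__main__":
    base = dict(dst=bytes.fromhex("010ccd010001"), appid=0x0001,
                gocbRef="PM5001APIGO/LLN0$GO$gocb1", datSet="PM5001APIGO/LLN0$dsGOOSE1",
                goID="PM5001APIGO/LLN0.gocb1", timeAllowedToLive=10000, stNum=1, sqNum=0)
    print(check_correlation(base))
    seq = GooseSequenceModel()
    print(seq.observe(base), seq.observe(dict(base, stNum=2, sqNum=5)))
```

A message whose StNum jumps without SqNum returning to zero, or whose SqNum skips ahead, is exactly what a replayed or injected GOOSE frame looks like next to the legitimate publisher's stream, which is why the sequence model keeps its state per gocbRef rather than per source MAC.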
Further, the remote signalling comparison detection is specifically as follows: in an IEC 61850 intelligent substation, the intelligent electronic devices in the process level network send remote signalling data to the bay level intelligent electronic devices using GOOSE messages, and receive trip/reclosing commands from the protection or measurement and control devices. The remote signalling comparison detection recognises abnormal events by comparing GOOSE messages with the associated MMS messages; if the switching signal in the GOOSE message of a protection intelligent electronic device in the process level network is inconsistent with the associated signal report MMS message of the station level network, an alarm that an anomaly has occurred is raised.
Further, the telemetry comparison detection is specifically as follows: in an IEC 61850 intelligent substation, the merging unit MU has a sampled value model and sends SV messages to the protection and control devices; the telemetry comparison detection includes two rules:
A) Range detection rule
Sampled values have an upper boundary value and a lower boundary value; if a measured value is outside the expected range, an alarm is sent, i.e. formula (19), where SMV(i) (i = I, U, ...) denotes the different sampled values, current I and voltage U; [SMV(i)min - e(i), SMV(i)max + e(i)] denotes the range between the lower and upper boundaries, and e(i) is the measurement tolerance. Under normal operation the upper and lower boundaries are configured according to the design and operating specifications of the substation; the upper and lower boundaries of the bus voltage of 500 (330) kV substations are set to 90% and 110% of the rated voltage.
B) Consistency detection rule
The duplicated protection intelligent electronic devices of a bay form groups A and B, which receive the same MU sampled values from the associated current transformer CT / voltage transformer VT; the inconsistency between the configured merging unit SMV parameters and the MMS of the associated multiple protection devices is detected. The parameters compared by telemetry include voltage, current and differential current; if the consistency detection rule is violated, an alarm that an anomaly has occurred is raised.
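The two telemetry comparison rules, as an added example that is not the patent's code. The bus voltage boundaries follow the text (90% and 110% of rated voltage, here for a 500 kV rating); the measurement tolerance e(i), the current limits, the per-parameter consistency tolerances and all readings are constructed assumptions:

```python
# Added example: telemetry range detection (formula 19) and A/B consistency detection.
# Rated values, tolerances and readings are constructed sample data.
RATED_BUS_KV = 500.0

# quantity -> (SMV(i)min, SMV(i)max, e(i)); bus voltage bounds are 90 % / 110 % of rated
RANGES = {
    "U_bus": (0.9 * RATED_BUS_KV, 1.1 * RATED_BUS_KV, 2.5),   # kV
    "I_line": (0.0, 2000.0, 10.0),                             # A, assumed design limit
}


def range_check(readings, ranges=RANGES):
    """Formula (19): alert on every quantity outside [min - e, max + e].
    Quantities with no configured range are skipped."""
    alerts = []
    for name, value in readings.items():
        if name not in ranges:
            continue
        lo, hi, e = ranges[name]
        if not (lo - e <= value <= hi + e):
            alerts.append(name)
    return alerts


def consistency_check(smv, group_a, group_b, tol):
    """Rule B): the merging unit SMV values and the MMS values reported by the
    duplicated protection groups A and B must agree within tol[name] per parameter."""
    alerts = []
    for name in smv:
        values = (smv[name], group_a[name], group_b[name])
        if max(values) - min(values) > tol[name]:
            alerts.append(name)
    return alerts


if __name__ == "__main__":
    print(range_check({"U_bus": 560.0, "I_line": 800.0}))
    tol = {"U": 1.0, "I": 5.0, "Id": 1.0}
    print(consistency_check({"U": 500.0, "I": 800.0, "Id": 0.0},
                            {"U": 500.5, "I": 799.0, "Id": 0.0},
                            {"U": 480.0, "I": 800.0, "Id": 0.0}, tol))
```

The consistency rule is the one that catches a manipulated SV stream that stays inside plausible bounds: the range check passes, but the value one protection group reports no longer matches the merging unit and its duplicate.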
The invention also provides an IEC 61850-based power industrial control network intrusion detection system, including:
ACD access control detection module: used in the initial infection stage to block malware activity and attacks that attempt to communicate with a control server. It performs detection using a pre-established access control whitelist of MAC addresses in the data link layer, IP addresses in the network layer and transport layer ports: the destination and source IP addresses, destination and source MAC addresses or ports are extracted from captured messages and compared with the established access control whitelist; if the IP address, MAC address or port does not belong to the access control whitelist, it is regarded as a suspicious IP address, MAC address or port and the module takes a default action; if it belongs to the access control whitelist, it is regarded as a normal IP address, MAC address or port.
PWD protocol whitelist detection module: used to detect and alert on abnormal protocol traffic in the substation's station level network and process level network. It configures the protocols supported by the station level network and the process level network and establishes a protocol whitelist for detection; these protocols include MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588. For the station level network, the module only allows communication services conforming to the MMS, COTP, TPKT or SNTP protocols, otherwise the traffic is regarded as suspicious communication and alert information is generated; for the process level network, the module only allows GOOSE, SV or IEEE 1588 traffic, otherwise it is regarded as suspicious traffic and alert information is generated.
MBD model-based detection module: used to detect malicious attacks or unintentional abnormal behaviour in the station level network and the process level network. It analyses the SCD file and the content of IEC 61850 messages and compares the detected messages with normal behaviour models defined through protocol analysis; if any normal behaviour model is violated, an alert is generated and the detection result is recorded.
MPD multi-parameter detection module: used to recognise threats caused by internal unintentional misuse or malicious external attacks by monitoring the parameters of the intelligent substation. It detects the telemetry and remote signalling data from the station level network and the process level network and identifies abnormal data by matching data of the same source; when data from the same source is inconsistent, it is regarded as abnormal. It specifically includes a remote signalling comparison detection module and a telemetry comparison detection module.
Further, the default action taken by the ACD access control detection module is specifically: an alarm is issued in IDS mode, the traffic is blocked in IPS mode, and the detection result is recorded, as in formula (1):
where AC = {MACsrc, MACdst, IPsrc, IPdst, Portsrc, Portdst}, ACwl denotes the established access control whitelist, and MACsrc, MACdst, IPsrc, IPdst, Portsrc and Portdst denote the source and destination MAC addresses, the source and destination IP addresses, and the source and destination ports respectively. Each host or device has a unique <IP, MAC> pairing; if the intelligent electronic device has not been replaced by a new device but two or more MAC addresses correspond to the same IP address, the module judges that a spoofing attack has occurred.
Beneficial effects: the invention improves the network security of industrial control systems based on the IEC 61850 protocols and proposes an IEC 61850-based industrial control network intrusion detection method and system that integrates power business knowledge, protocol specifications and logical behaviour, and is a comprehensive and effective solution that can mitigate multiple network attacks. The invention includes access control detection, protocol whitelist detection, model-based detection and multi-parameter detection. Access control detection blocks malware activity and attacks that attempt to communicate with a control server and is particularly effective in the initial infection stage; protocol whitelist detection detects and alerts on abnormal protocol traffic in the substation's station level and process level networks; the model-based anomaly detection method can discover malicious attacks or unintentional anomalies in the station level and process level networks; multi-parameter detection monitors the most sensitive parameters of the intelligent substation to recognise possible threats to the industrial control system caused by internal unintentional misuse or malicious external attacks. The invention was verified on a cyber-physical test platform simulating an actual 500 kV intelligent substation, demonstrating the real-time performance and usability of the intrusion detection method.
Brief description of the drawings
Fig. 1 is the flow chart of the invention;
Fig. 2 is the flow chart of the remote signalling comparison detection in the invention;
Fig. 3 is the flow chart of the consistency detection in the invention.
Embodiment
The implementation of the present invention is described in detail below with reference to the drawings.
As shown in Fig. 1, the IEC 61850-based power industrial control network intrusion detection method of the present invention includes:
ACD (access control detection): used in the initial infection stage to prevent malware activity and attacks that attempt to communicate with a control server. It establishes an access control whitelist of MAC addresses at the data link layer, IP addresses at the network layer and ports at the transport layer; if any address or port is not in the corresponding whitelist, the default action is taken.
PWD (protocol whitelist detection): used to detect abnormal protocol traffic in the station-level and process-level networks of the substation and to raise alerts. The protocols supported on the station-level and process-level networks are configured and a protocol whitelist is established; the protocols include MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588. On the station-level network only traffic conforming to the normal protocols MMS, COTP, TPKT or SNTP is permitted; anything else is regarded as suspicious traffic and an alert is generated. On the process-level network only normal GOOSE, SV or IEEE 1588 traffic is permitted; anything else is regarded as suspicious traffic and an alert is generated.
MBD (model-based detection): used to detect malicious attacks or unintentional abnormal behaviour in the station-level and process-level networks. It analyses the SCD file (Substation Configuration Description, the configuration file of the whole station) and the contents of normal IEC 61850 messages, defines normal behaviour models through deep protocol analysis, and compares captured messages with the normal behaviour models, building a detection model that identifies abnormal deviations.
MPD (multi-parameter detection): used to identify threats caused by unintentional internal misuse or malicious external attack by monitoring the most sensitive parameters of the intelligent substation. It checks the telemetry (analogue measurement) and remote signalling (switch status) data from the station-level and process-level networks to identify anomalies; specifically, remote signalling comparison detection and telemetry comparison detection.
The present invention also provides a system that implements the above IEC 61850-based power industrial control network intrusion detection method, comprising:
ACD access control detection module: used in the initial infection stage to prevent malware activity and attacks that attempt to communicate with a control server. It performs detection by establishing an access control whitelist of MAC addresses at the data link layer, IP addresses at the network layer and ports at the transport layer; if any address or port is not in the corresponding whitelist, the module takes the default action.
PWD protocol whitelist detection module: used to detect abnormal protocol traffic in the station-level and process-level networks of the substation and to raise alerts. It performs detection by configuring the protocols supported on the station-level and process-level networks and establishing a protocol whitelist; the protocols include MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588. For the station-level network the module permits only traffic conforming to the normal protocols MMS, COTP, TPKT or SNTP, otherwise the traffic is regarded as suspicious and an alert is generated; for the process-level network the module permits only normal GOOSE, SV or IEEE 1588 traffic, otherwise the traffic is regarded as suspicious and an alert is generated.
MBD model-based detection module: used to detect malicious attacks or unintentional abnormal behaviour in the station-level and process-level networks. It analyses the SCD file and the contents of normal IEC 61850 messages, defines normal behaviour models using deep protocol analysis, and compares captured messages with the normal behaviour models, building a detection model to identify abnormal deviations.
MPD multi-parameter detection module: used to identify threats caused by unintentional internal misuse or malicious external attack by monitoring the most sensitive parameters of the intelligent substation. It identifies anomalies by checking the telemetry and remote signalling data from the station-level and process-level networks, and specifically includes a remote signalling comparison detection module and a telemetry comparison detection module.
The process of each detection in the method of the invention, which is also the implementation process of the corresponding detection module in the system of the invention, is described in detail below.
(1) ACD access control detection
ACD is an access control whitelist strategy covering the medium access control (MAC) address at the data link layer, the IP address at the network layer and the port at the transport layer. IEC 61850 MMS traffic (over TPKT/COTP) uses TCP port 102. If any address or port is not in the corresponding whitelist, the IDS takes the default action: in IDS (intrusion detection system) mode it raises an alert, in IPS (intrusion prevention system) mode it blocks the traffic, and in both modes it records the detection result. This is expressed by formula (1), where AC = (MACsrc, MACdst, IPsrc, IPdst, Portsrc, Portdst) and ACwl denotes the corresponding whitelist set; MACsrc, MACdst, IPsrc, IPdst, Portsrc and Portdst are the source and destination MAC addresses, the source and destination IP addresses, and the source and destination ports. GOOSE and SMV frames carry no IP header, so for them only the MAC part of the tuple applies.
Every host or device in the secondary system of the intelligent substation has a unique <IP, MAC> pair. If an IED has not been replaced by a new device, yet two or more MAC addresses are observed for the same IP address, this may indicate a spoofing attack.
(2) PWD protocol whitelist detection
Protocol whitelist detection handles the protocols of the intelligent substation network at layers 2 to 7 of the Open Systems Interconnection (OSI) model, such as MMS, COTP, TPKT, SNTP (Simple Network Time Protocol), GOOSE, SMV and IEEE 1588. A typical IEC 61850 substation network consists of a station-level network and a process-level network. For the station-level network the IDS can be configured to permit only traffic conforming to the normal protocols MMS/COTP/TPKT/SNTP; for the process-level network the IDS permits only normal GOOSE/SV/IEEE 1588 traffic. In other situations the IDS can be configured to support other specific protocols. For example, when the IDS is deployed in the substation process-level network, only GOOSE/SV/IEEE 1588 traffic is allowed; anything else is regarded as suspicious traffic and an alert is generated.
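The ACD and PWD stages above, as an added example that is not the patent's own code: the six-element whitelist of formula (1), the <IP, MAC> binding check for spoofing, and the per-segment protocol whitelist are applied to a constructed set of observed flows. The MAC and IP addresses, ports, whitelist contents and the flows themselves are assumptions made for the example; the ephemeral source-port range admitted alongside the service ports is a practical choice, not something the page specifies.

```python
"""Added example, not the patent's own code: the ACD access-control whitelist of
formula (1), the <IP, MAC> binding check and the PWD per-segment protocol
whitelist, evaluated over a constructed set of observed flows.  All addresses,
ports and whitelist contents are assumptions made for the example."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical whitelists for one bay; a real deployment derives them from the SCD file.
MAC_WHITELIST = {"00:11:22:33:44:01", "00:11:22:33:44:02", "01:0c:cd:01:00:01"}
IP_WHITELIST = {"192.168.1.10", "192.168.1.20"}
# Service ports (102 = MMS over TPKT/COTP, 123 = SNTP) plus the ephemeral range a
# client picks its source port from; without it every MMS client would trip Portsrc.
PORT_WHITELIST = [{102, 123}, range(49152, 65536)]
PROTOCOL_WHITELIST = {"station": {"MMS", "COTP", "TPKT", "SNTP"},
                      "process": {"GOOSE", "SV", "IEEE1588"}}

@dataclass
class Flow:
    segment: str                  # "station" or "process"
    protocol: str                 # protocol identified by the deep parser
    mac_src: str
    mac_dst: str
    ip_src: Optional[str] = None  # GOOSE/SV are layer 2 only: no IP, no port
    ip_dst: Optional[str] = None
    port_src: Optional[int] = None
    port_dst: Optional[int] = None

def _allowed(value, whitelist):
    if isinstance(whitelist, list):            # a list of containers (ports)
        return any(value in part for part in whitelist)
    return value in whitelist

def acd_check(flow):
    """Formula (1): each element of AC = (MACsrc, MACdst, IPsrc, IPdst, Portsrc, Portdst)
    must belong to its whitelist ACwl; returns the elements that do not."""
    elements = [("MACsrc", flow.mac_src, MAC_WHITELIST), ("MACdst", flow.mac_dst, MAC_WHITELIST),
                ("IPsrc", flow.ip_src, IP_WHITELIST), ("IPdst", flow.ip_dst, IP_WHITELIST),
                ("Portsrc", flow.port_src, PORT_WHITELIST), ("Portdst", flow.port_dst, PORT_WHITELIST)]
    return [f"{name}={value}" for name, value, wl in elements
            if value is not None and not _allowed(value, wl)]

def pwd_check(flow):
    """Protocol whitelist: only the protocols configured for the segment are normal."""
    return flow.protocol in PROTOCOL_WHITELIST.get(flow.segment, set())

def ip_mac_binding_check(flows):
    """Every host has exactly one <IP, MAC> pair; an IP seen with two or more MACs
    (and no recorded device replacement) is reported as suspected spoofing."""
    macs_by_ip = {}
    for f in flows:
        for ip, mac in ((f.ip_src, f.mac_src), (f.ip_dst, f.mac_dst)):
            if ip is not None:
                macs_by_ip.setdefault(ip, set()).add(mac)
    return [(ip, sorted(macs)) for ip, macs in sorted(macs_by_ip.items()) if len(macs) > 1]

def detect(flows, mode="IDS"):
    """Run ACD and PWD over the flows; the default action is alert in IDS mode and
    block in IPS mode, and every finding is returned so it can be logged."""
    action = "block" if mode == "IPS" else "alert"
    findings = []
    for i, f in enumerate(flows):
        bad = acd_check(f)
        if bad:
            findings.append((i, "ACD", action, ", ".join(bad)))
        if not pwd_check(f):
            findings.append((i, "PWD", action, f"{f.protocol} not allowed on {f.segment} network"))
    for ip, macs in ip_mac_binding_check(flows):
        findings.append((None, "ACD-spoof", action, f"{ip} seen with MACs {macs}"))
    return findings

# Constructed flows: a legitimate MMS client, an HTTP probe from an unknown host, the
# legitimate client's IP used from a second MAC, a GOOSE frame on the process bus,
# and MMS appearing on the process bus.
FLOWS = [
    Flow("station", "MMS", "00:11:22:33:44:02", "00:11:22:33:44:01",
         "192.168.1.20", "192.168.1.10", 49200, 102),
    Flow("station", "HTTP", "00:11:22:33:44:99", "00:11:22:33:44:01",
         "192.168.1.99", "192.168.1.10", 50000, 80),
    Flow("station", "MMS", "00:11:22:33:44:ee", "00:11:22:33:44:01",
         "192.168.1.20", "192.168.1.10", 49300, 102),
    Flow("process", "GOOSE", "00:11:22:33:44:01", "01:0c:cd:01:00:01"),
    Flow("process", "MMS", "00:11:22:33:44:02", "00:11:22:33:44:01",
         "192.168.1.20", "192.168.1.10", 49400, 102),
]

if __name__ == "__main__":
    for finding in detect(FLOWS, mode="IPS"):
        print(finding)
```

The third flow is the interesting one: its addresses and port all pass the protocol and port checks, and only the MAC whitelist and the <IP, MAC> binding expose that a second station is using the client's IP address.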
(3) MBD model-based detection
Model-based detection analyses the SCD file and the contents of normal IEC 61850 messages, uses deep protocol analysis to define normal behaviour models, and compares captured messages with the correct behaviour models to identify abnormal deviations. Model-based anomaly detection has the potential to detect unknown attacks. Compared with conventional IT networks, the industrial control network of an intelligent substation has different characteristics, such as regular traffic and predictable behaviour patterns, which can simplify the behaviour models. The proposed MBD is able to discover malicious attacks or unintentional anomalies in the station-level and process-level networks.
1) MBD for the station-level network
In the station-level network, anomaly detection is based on ACSI mapped to MMS, or on SNTP. The detection models are defined as follows.
A) Report service model
The SCD file configures the maximum number of report control block instances for each IED. The proposed report service model takes the maximum number of report control block instances of each IED as the detection rule. If MBD identifies abnormal connection requests that could occupy all the report control block instances of an IED, it raises a suspected denial-of-service (DoS) alert and records the detection result.
B) Association service model
The proposed association service model defines the maximum number of IEC 61850 clients that may be associated. If MBD detects an abnormal association request from a client, it raises an alert and records the detection result.
C) Setting service model
The proposed setting service model allows only IEC 61850 clients to change settings. When this model is violated, MBD issues an alert.
D) File transfer model
The ACSI GetFile service is used by a client to transfer the contents of a file from the server to the client. The client uses the ACSI GetFileAttributeValues service to obtain the name and attributes of a specific file in the server's file store. The file transfer model specifies that an IEC 61850 client may transfer only a single file. If this rule is violated, an alert is generated and the detection result recorded.
E) SNTP model
In the substation network, SNTP is used for time synchronisation over the LAN. SNTP traffic uses the User Datagram Protocol (UDP) at the transport layer, and the UDP port of an SNTP connection to an IEC 61850 server should be 123. If the port number of SNTP traffic is not 123, MBD triggers an alert and stores the result in the log file.
F) Time correlation model
Important control commands are subject to time-correlation constraints, such as a time interval limit and a frequency limit. If the same legitimate command is sent too frequently, the following rules, formulas (2) and (3), are violated. In each case the IDS starts its actions (alert and log).
CV(n) - CV(n-1) < T → Actions(alert, log)   (2)
In formula (2), CV is the control command, n is a positive integer (n > 1) and T is the time interval limit. In formula (3), F denotes the frequency limit.
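The station-level models A), B) and F) above, as an added example that is not the patent's own code: a small checker holds the SCD-derived limits (maximum report control block instances per IED, maximum associated clients) and the time-correlation limits, and raises an alert for each violation. Formula (3) is not reproduced on the page, so the frequency rule is implemented here under the assumption that it means more than F identical commands within a sliding window of W seconds; the IED name, limits, client names and event sequence are constructed for the example, and the reading of the report service rule as one client holding every RCB instance is likewise an assumption.

```python
"""Added example, not the patent's own code: a station-level model checker for the
report service model (maximum instantiated RCBs per IED, from the SCD file), the
association service model (maximum clients) and the time correlation model of
formula (2).  Formula (3) is absent from the page; it is read here as 'more than
F identical commands within W seconds', an assumption.  Names, limits and the
event sequence are constructed."""
from collections import defaultdict, deque

class StationLevelMBD:
    def __init__(self, max_rcb, max_clients, interval_limit, freq_limit, window):
        self.max_rcb = max_rcb              # {ied: max RCB instances} taken from the SCD
        self.max_clients = max_clients      # {ied: max associated clients}
        self.T, self.F, self.W = interval_limit, freq_limit, window
        self.assoc = defaultdict(set)                        # ied -> associated clients
        self.rcb = defaultdict(lambda: defaultdict(set))     # ied -> client -> RCBs held
        self.cmd_times = defaultdict(deque)                  # (ied, cmd) -> recent timestamps
        self.alerts = []                                     # (model, detail); the IDS logs these

    def associate(self, client, ied):
        """Association service model: alert once more clients than configured are associated."""
        self.assoc[ied].add(client)
        n, limit = len(self.assoc[ied]), self.max_clients[ied]
        if n > limit:
            self.alerts.append(("association", f"{ied}: {n} clients > {limit}"))

    def reserve_rcb(self, client, ied, rcb):
        """Report service model (assumed reading): one client occupying every RCB instance
        of an IED, so that no other client can subscribe, is a suspected DoS."""
        self.rcb[ied][client].add(rcb)
        held, limit = len(self.rcb[ied][client]), self.max_rcb[ied]
        if held >= limit:
            self.alerts.append(("report-service",
                                f"{client} holds {held}/{limit} RCBs of {ied}: suspected DoS"))

    def control(self, ied, cmd, t):
        """Formula (2): CV(n) - CV(n-1) < T -> alert, with CV(n) the time of the n-th
        occurrence of the same command; assumed frequency rule: more than F in W seconds."""
        q = self.cmd_times[(ied, cmd)]
        if q and t - q[-1] < self.T:
            self.alerts.append(("time-interval", f"{cmd}@{ied}: {t - q[-1]:.1f}s < T={self.T}s"))
        q.append(t)
        while t - q[0] > self.W:               # drop timestamps that left the window
            q.popleft()
        if len(q) > self.F:
            self.alerts.append(("frequency", f"{cmd}@{ied}: {len(q)} in {self.W}s > F={self.F}"))

def run_demo():
    """Constructed event sequence: three clients on an IED that allows two, one client
    grabbing all three RCBs, and a breaker Oper command repeated within 2 s."""
    mbd = StationLevelMBD(max_rcb={"PL2201A": 3}, max_clients={"PL2201A": 2},
                          interval_limit=2.0, freq_limit=3, window=10.0)
    for client in ("HMI1", "GW1", "ENG_LAPTOP"):
        mbd.associate(client, "PL2201A")
    for rcb in ("brcbST01", "brcbST02", "brcbST03"):
        mbd.reserve_rcb("ENG_LAPTOP", "PL2201A", rcb)
    for t in (0.0, 5.0, 6.5, 7.0):
        mbd.control("PL2201A", "CSWI1.Pos.Oper", t)
    return mbd

if __name__ == "__main__":
    for model, detail in run_demo().alerts:
        print(model, detail)
```

The fourth command at t = 7.0 trips both rules at once: the interval to the previous command is 0.5 s, and four occurrences now sit inside the 10 s window.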
2) MBD for the process-level network
In the process-level network, model detection is based on the GOOSE and SMV protocol specifications. A GOOSE APDU has 12 fields: gocbRef (control block reference), timeAllowedToLive, datSet (data set reference), goID (GOOSE ID), t (event timestamp), stNum (state number), sqNum (sequence number), test (test bit), confRev (configuration revision), ndsCom (needs commissioning), numDatSetEntries (number of data set entries) and allData. According to IEC 61850-9-2, SMV datagrams use ISO/IEC 8802-3 at the data link layer, like GOOSE datagrams. An SV APDU has five fields: svID (SMV control block ID), smpCnt (sample counter), confRev (configuration revision), smpSynch (sample synchronisation) and seqData (data sequence). Some of the detection models are defined as follows.
A) Destination address model
The SCD file (<Communication> → <SubNetwork> → <ConnectedAP>) configures the destination ISO/IEC 8802-3 multicast addresses used to transmit GOOSE/SMV. The destination address field (6 octets) of GOOSE and SMV messages starts with the four octets 01-0C-CD-01 and 01-0C-CD-04 respectively. The GOOSE and SMV destination address models are formulas (4) and (5), where P is a message captured in the process-level network, P_GOOSE denotes a GOOSE message, P_SMV denotes an SMV message, and DstAField is the value of the destination address field in the ISO/IEC 8802-3 frame format.
B) TPID field model
The Tag Protocol Identifier (TPID) field (2 octets) carries the Ethernet type assigned to 802.1Q tagged frames. The value of the TPID field in GOOSE/SMV messages should be 0x8100, formula (6), where TPIDField is the value of the TPID field and P_GOOSE/SMV denotes a GOOSE or SMV message.
C) EtherType field model
The ISO/IEC 8802-3 EtherType field (2 bytes) is registered with the IEEE Registration Authority. The EtherType values assigned to GOOSE and SMV are 0x88B8 and 0x88BA respectively, formulas (7) and (8), where EthTField is the value of the EtherType field.
D) Priority field model
The priority field (3 bits) model defines the priority value of GOOSE and SMV messages. The default value for GOOSE/SMV is 4, and the value is also configured in the SCD file. The priority value should lie between 0 and 7, formula (9), where PrioField is the value of the user priority field. Since a 3-bit field cannot hold a value outside 0 to 7, the check that actually discriminates is a comparison with the value configured in the SCD file.
E) APPID field model
Every GOOSE/SMV control block has a unique APPID in the SCD file. The APPID field (2 octets) of a GOOSE message should be a four-digit hexadecimal value in [0000-3FFF], and that of an SMV message in [4000-7FFF]. This detection model is given by formulas (10) and (11).
F) Length model
The length field (2 octets) of a GOOSE/SMV message gives the total number of bytes in the frame from the APPID to the end of the APDU, which equals 8 + m (m being the APDU length, m < 1492). The length field model is formula (12), where LengField is the value of the length field.
The length of the goID field in the GOOSE APDU is less than 65 bytes, formula (13), where LenGOIDField is the length of the goID field.
G) TimeAllowedToLive field model
The timeAllowedToLive field in the GOOSE APDU should be twice MaxTime (2T0). MaxTime is usually configured as 5000 in the SCD file (<Communication> → <SubNetwork> → <ConnectedAP> → <GSE> → <MaxTime>). If no GOOSE packet arrives within 10000 ms, this detection model issues a communication interruption alert.
H) Tag field model
In the GOOSE tag field model, the tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, stNum, sqNum, test, confRev, ndsCom and numDatSetEntries fields of a GOOSE message are 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89 and 0x8a respectively. In the SMV tag field model, the tag values of the svID, smpCnt, confRev and smpSynch fields of an SMV message are 0x80, 0x82, 0x83 and 0x85 respectively.
I) SmpCnt field model
The smpCnt field model specifies the value of the sample counter, which is incremented for each new sample of the sampled analogue values. When the sampling rate of the merging unit (MU) is 4000 Hz (80 samples per cycle), the smpCnt value should stay within [0, 3999] and keep the correct order, formula (14), where SmpCField is the value of the smpCnt field.
J) Correlation model
According to the actual SCD configuration of the intelligent substation, the APPID field equals the last two octets of the destination address field. This can be defined as a correlated field model, formula (15), where DstAField(P)5,6 denotes the last two octets of the destination address field.
The gocbRef field in the GOOSE APDU is a string containing the logical device (LD) name, logical node (LN) name, functional constraint (FC) and control block (CB) name, i.e. LD/LN$FC$CB. The datSet field in the GOOSE APDU contains the LD name, LN name and data set (DS) name, i.e. LD/LN$DS. The default value of the goID field in the GOOSE APDU is similar to the default value of the gocbRef field, i.e. LD/LN$CB. The LD/LN value in the gocbRef field matches the LD/LN value in the datSet field, and the control block name in the gocbRef field matches the control block name in the goID field. For example: gocbRef: PM5001APIGO/LLN0$GO$gocb1, datSet: PM5001APIGO/LLN0$dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1. The corresponding correlated field model is formula (16), where GibField, DatSField and GoIDField denote the gocbRef, datSet and goID fields respectively.
The changes of the state number (stNum) and sequence number (sqNum) in the GOOSE APDU strictly follow an associated behaviour pattern. When the value of the data set in a transmitted GOOSE message changes, the stNum value is incremented, which causes the sqNum value to be reset to zero. While the stNum value does not change, the sqNum value is incremented for each GOOSE message transmitted, wrapping to 0 at its maximum (SqNummax = 4,294,967,295). In formula (17), StNum(GPi) and SqNum(GPi) denote the stNum and sqNum values of the i-th GOOSE message.
K) Traffic-based model
From traffic captured at an actual substation site, the traffic-based model defines upper and lower thresholds for the packets per second (PPS), bytes per second (BPS), length of packet (LoP) and size of packet (SoP) as the normal traffic behaviour. This traffic detection model is formula (18), where PPSmin and PPSmax are the lower and upper thresholds of PPS.
Behaviour outside these protocol models is regarded as abnormal and suspicious. If any of the above models is violated, MBD generates an alert and records the detection result.
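The process-level models A) to F) and J) above, as an added example that is not the patent's own code: a minimal parser for the Ethernet/802.1Q/IEC 61850-8-1 header and the GOOSE PDU, the field models (4) to (13), (15) and (16), and a tracker for the stNum/sqNum pattern of (17), run over constructed frames. The MAC addresses, APPIDs, control-block names and the frame sequence are assumptions; the small BER encoder exists only to build test frames offline. The tracker treats a decreasing stNum as a violation (replay or a second publisher) and does not model stNum wrap-around, which the page does not describe.

```python
"""Added example, not the patent's own code: a minimal GOOSE/SMV link-layer parser
plus the process-level field models (4)-(13), (15), (16) and (17), run over
constructed frames.  MAC addresses, APPIDs and control-block names are
assumptions; the small BER encoder exists only to build the test frames."""
import struct

GOOSE_DST_PREFIX, SMV_DST_PREFIX = bytes.fromhex("010ccd01"), bytes.fromhex("010ccd04")
ETH_GOOSE, ETH_SMV, TPID_8021Q = 0x88B8, 0x88BA, 0x8100
SQNUM_MAX = 4_294_967_295                      # sqNum wraps to 0 after this value
GOOSE_TAGS = {0x80: "gocbRef", 0x81: "timeAllowedToLive", 0x82: "datSet", 0x83: "goID",
              0x85: "stNum", 0x86: "sqNum"}    # tag field model H (subset used here)

def tlv(tag, body):
    """BER TLV with a short (<128) or two-byte long definite length."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def ber_int(v):
    """Shortest two's-complement encoding of a non-negative integer (leading 0x00 if MSB set)."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def goose_apdu(gocb_ref, dat_set, go_id, st_num, sq_num, tal=10000):
    """GOOSE PDU (tag 0x61) carrying the context-specific tags 0x80..0x8a of model H."""
    fields = (tlv(0x80, gocb_ref.encode()) + tlv(0x81, ber_int(tal)) + tlv(0x82, dat_set.encode())
              + tlv(0x83, go_id.encode()) + tlv(0x84, bytes(8)) + tlv(0x85, ber_int(st_num))
              + tlv(0x86, ber_int(sq_num)) + tlv(0x87, b"\x00") + tlv(0x88, ber_int(1))
              + tlv(0x89, b"\x00") + tlv(0x8A, ber_int(1)) + tlv(0xAB, tlv(0x83, b"\x00")))
    return tlv(0x61, fields)

def build_frame(dst, src, ethertype, appid, apdu, prio=4, tpid=TPID_8021Q, length=None):
    """dst | src | 802.1Q tag | EtherType | APPID | Length | Reserved1 | Reserved2 | APDU."""
    length = 8 + len(apdu) if length is None else length
    return (bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!HH", tpid, prio << 13)
            + struct.pack("!HHHHH", ethertype, appid, length, 0, 0) + apdu)

def read_tlv(buf, pos):
    """Return (value, next_pos) for the TLV whose tag sits at buf[pos]."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                               # long form: next (n & 0x7f) bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def parse_frame(frame):
    """Ethernet + 802.1Q + IEC 61850-8-1/9-2 header; GOOSE APDUs are decoded further."""
    dst, src, tpid, tci, eth, appid, length, _, _ = struct.unpack("!6s6sHHHHHHH", frame[:26])
    f = {"dst": dst, "src": src, "tpid": tpid, "prio": tci >> 13, "ethertype": eth,
         "appid": appid, "length": length, "apdu": frame[26:]}
    if eth == ETH_GOOSE and f["apdu"][:1] == b"\x61":
        body, pos = read_tlv(f["apdu"], 0)[0], 0
        while pos < len(body):
            tag = body[pos]
            value, pos = read_tlv(body, pos)
            if tag in (0x80, 0x82, 0x83):
                f[GOOSE_TAGS[tag]] = value.decode()
            elif tag in GOOSE_TAGS:
                f[GOOSE_TAGS[tag]] = int.from_bytes(value, "big")
    return f

def check_models(f, expected_prio=4):
    """Field models (4)-(13), (15) and (16); returns the names of the violated models."""
    is_goose, is_smv = f["ethertype"] == ETH_GOOSE, f["ethertype"] == ETH_SMV
    if not (is_goose or is_smv):
        return ["(7)/(8) EtherType"]
    lo, hi = (0x0000, 0x3FFF) if is_goose else (0x4000, 0x7FFF)
    checks = [
        ("(4)/(5) destination address", f["dst"][:4] != (GOOSE_DST_PREFIX if is_goose else SMV_DST_PREFIX)),
        ("(6) TPID", f["tpid"] != TPID_8021Q),
        ("(9) priority", not 0 <= f["prio"] <= 7 or f["prio"] != expected_prio),  # SCD value is the real test
        ("(10)/(11) APPID range", not lo <= f["appid"] <= hi),
        ("(12) length", f["length"] != 8 + len(f["apdu"]) or len(f["apdu"]) >= 1492),
        ("(13) goID length", is_goose and len(f.get("goID", "")) >= 65),
        ("(15) APPID/dst correlation", f["appid"] != int.from_bytes(f["dst"][4:], "big")),
    ]
    v = [name for name, bad in checks if bad]
    if is_goose and "gocbRef" in f:            # LD/LN$FC$CB vs LD/LN$DS vs LD/LN.CB
        ld_ln, _, rest = f["gocbRef"].partition("$")
        go_parts = f.get("goID", "").replace("$", ".").rsplit(".", 1)
        if f.get("datSet", "").split("$")[0] != ld_ln or go_parts != [ld_ln, rest.rsplit("$", 1)[-1]]:
            v.append("(16) gocbRef/datSet/goID correlation")
    return v

class GooseSequenceTracker:
    """Model (17): stNum/sqNum of consecutive messages from one publisher/APPID."""
    def __init__(self):
        self.last = {}
    def check(self, f):
        key, st, sq = (f["src"], f["appid"]), f["stNum"], f["sqNum"]
        prev, self.last[key] = self.last.get(key), (st, sq)
        if prev is None:
            return None
        pst, psq = prev
        if st == pst:                          # retransmission: sqNum advances by one, wrapping at max
            ok = sq == (0 if psq == SQNUM_MAX else psq + 1)
        elif st > pst:                         # state change: sqNum restarts at zero
            ok = sq == 0
        else:                                  # stNum went backwards: replay or spoofed publisher
            ok = False
        return None if ok else f"(17) StNum {pst}->{st}, SqNum {psq}->{sq}"

# Constructed frames (assumed names/addresses); the comments give the expected finding.
GOCB, DS, GOID = "PM5001APIGO/LLN0$GO$gocb1", "PM5001APIGO/LLN0$dsGOOSE1", "PM5001APIGO/LLN0.gocb1"
SRC = "001122334401"

def goose_frame(st, sq, dst="010ccd010001", appid=0x0001, **kw):
    return build_frame(dst, SRC, ETH_GOOSE, appid, goose_apdu(GOCB, DS, GOID, st, sq), **kw)

FRAMES = [
    goose_frame(1, 0),                                    # first message seen
    goose_frame(1, 1),                                    # retransmission
    goose_frame(2, 0),                                    # state change, sqNum reset
    goose_frame(2, 5),                                    # sqNum jump: injected or replayed
    goose_frame(2, 6, dst="010ccd010002"),                # APPID != last two dst octets (15)
    goose_frame(2, 7, appid=0x4001, dst="010ccd014001"),  # APPID in the SMV range (10)
    goose_frame(2, 7, length=9),                          # length != 8 + m (12)
    build_frame("010ccd044001", SRC, ETH_SMV, 0x4001, tlv(0x60, tlv(0x80, b"MU01"))),  # SMV, clean
]

def run_demo(frames=FRAMES):
    """Apply the field models and the sequence tracker to each frame in order."""
    tracker, results = GooseSequenceTracker(), []
    for raw in frames:
        f = parse_frame(raw)
        violations = check_models(f)
        seq = tracker.check(f) if "stNum" in f else None
        results.append(violations + ([seq] if seq else []))
    return results
```

Running run_demo() over FRAMES yields an empty list for the first three frames and the SMV frame, and exactly the one finding noted in the comment for each of the others; the sequence tracker keys on source MAC and APPID, so a spoofed publisher that reuses a legitimate APPID from a different MAC shows up only through the ACD whitelist, not through model (17).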
(4) MPD multi-parameter detection
The core idea of multi-parameter detection is to identify possible threats to the industrial control system caused by unintentional internal misuse or malicious external attack by monitoring the most sensitive parameters of the intelligent substation. These multi-dimensional parameters are related to the safety and stable operation of the intelligent substation, such as the telemetry and remote signalling data from the station-level and process-level networks. Multi-parameter detection strategies, such as the comparison of critical switch signals and critical analogue signals, are derived from the professional knowledge and operating experience of intelligent substations.
1) Remote signalling comparison detection rule
In an IEC 61850 intelligent substation, the intelligent terminal in the process-level network uses GOOSE messages to send remote signalling data to the bay IED and receives trip/reclose commands from the protection or measurement-and-control devices. As shown in Fig. 2, the proposed remote signalling comparison detection rule identifies anomalous events by comparing GOOSE messages with the associated MMS messages. For example, if the switch status signal received by a process-level IED (GOOSE message) is inconsistent with the associated signal report from the station-level network (MMS message), an anomaly alert is raised.
2) Telemetry comparison detection rule
In an IEC 61850 intelligent substation, the merging unit (MU) has a sampled value model and sends SV messages to the protection and control devices. The telemetry comparison detection rule has two categories:
A) Range detection rule
Sampled values such as current (I) and voltage (U) usually have upper and lower bounds. If a measured value lies outside the expected range, an alert is raised, formula (19), where SMV(i) (i = I, U, ...) denotes the different sampled values such as current and voltage, [SMV(i)min - e(i), SMV(i)max + e(i)] is the range between the lower and upper bounds, and e(i) is the measurement tolerance. Under normal operation the bounds are configured according to the design and operating rules of the substation; for example, the lower and upper bounds of the bus voltage of a 500 (330) kV substation are set to 90% and 110% of the rated voltage. From the standpoint of safe industrial control system operation, whenever a measured value is outside the expected range, this suspicious phenomenon should be noticed and resolved by the operating staff of the substation. The proposed range detection rule can therefore identify anomalous events caused by measurement error or malicious attack.
B) Consistency detection rule
In practice, the redundant protection IEDs in a bay (sets A and B) receive identical MU sampled values from the associated current/voltage transformers (CT/VT). As shown in Fig. 3, the proposed consistency detection rule detects inconsistencies between the configured SMV parameters of the merging unit and the MMS of the associated protection devices (such as line protection A/B, bus protection A/B and transformer protection A/B). The parameters compared by telemetry comparison include voltage and current, and also differential current, i.e. the differential current in the MMS messages of the two protection sets is compared. If the consistency detection rule is violated, an anomaly alert is raised.
The IEC 61850-based power industrial control network intrusion detection method and system proposed by the present invention can form a logical network boundary in a digital substation that encloses a security zone of IEC 61850-related communication. The next step in ensuring defence in depth is to establish a monitoring mechanism inside the security zone that can detect vulnerabilities and failed security controls, such as an attacker penetrating a misconfigured firewall, or an engineer bypassing the firewall entirely by connecting a malware-infected computer directly to the substation LAN and launching an attack from it. Once an intruder has established a presence in the target substation network, automatic or manual actions will start, from basic network scanning to deliberate attempts to obtain responses from IEDs or to execute specific commands, and these actions will not be stopped by the perimeter firewall. The intrusion detection system designed for IEC 61850 therefore aims to find suspicious abnormal behaviour that may exist in the power industrial control system and to improve the security of IEC 61850-based power industrial control systems.
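The MPD rules of section (4), as an added example that is not the patent's own code: the remote signalling comparison (GOOSE switch position against the associated MMS report), the range rule of formula (19) with the 90%/110% bus-voltage bounds the text gives for a 500 kV station, the A/B consistency rule including differential current, and a check that the MU's SMV parameters match those of each subscribing protection. The bay, device and signal names, the readings, tolerances and the SMV parameter set are all constructed for the example.

```python
"""Added example, not the patent's own code: the MPD rules, namely the remote
signalling comparison (GOOSE switch position vs the associated MMS report), the
telemetry range rule of formula (19), the A/B consistency rule and the
MU/protection SMV-parameter consistency check, run over constructed values.
Bounds, tolerances, device and signal names are assumptions."""
from dataclasses import dataclass

@dataclass
class Telemetry:
    name: str       # measured quantity, e.g. bus voltage in kV
    value: float
    lo: float       # SMV(i)min from the station design / operating rules
    hi: float       # SMV(i)max
    tol: float      # e(i), the measurement tolerance

def range_rule(t):
    """Formula (19): abnormal unless SMV(i)min - e(i) <= value <= SMV(i)max + e(i)."""
    if t.lo - t.tol <= t.value <= t.hi + t.tol:
        return None
    return f"range: {t.name}={t.value} outside [{t.lo - t.tol}, {t.hi + t.tol}]"

def consistency_rule(bay, set_a, set_b, tol):
    """Protection sets A and B receive the same MU samples from the same CT/VT, so the
    quantities each reports over MMS (U, I, differential current) must agree within tol."""
    alerts = []
    for q in sorted(set(set_a) | set(set_b)):
        if q not in set_a or q not in set_b:
            alerts.append(f"consistency: {bay} {q} reported by one set only")
        elif abs(set_a[q] - set_b[q]) > tol:
            alerts.append(f"consistency: {bay} {q} A={set_a[q]} B={set_b[q]}")
    return alerts

def config_consistency_rule(mu, protections):
    """SMV parameters configured on the MU must match every subscribing protection."""
    return [f"config: {dev}.{k}={cfg.get(k)} vs MU {mu[k]}"
            for dev, cfg in protections.items() for k in mu if cfg.get(k) != mu[k]]

def remote_signalling_rule(bay, goose_pos, mms_pos):
    """Switch position carried by GOOSE from the intelligent terminal must match the
    position in the associated MMS report sent by the bay IED to station level."""
    if goose_pos == mms_pos:
        return None
    return f"remote signalling: {bay} GOOSE={goose_pos} MMS={mms_pos}"

def run_demo():
    """Constructed readings for one 500 kV bay; bus bounds at 90 %/110 % of 500 kV."""
    alerts = []
    for t in (Telemetry("U_bus1", 505.0, 450.0, 550.0, 1.0),
              Telemetry("U_bus2", 562.0, 450.0, 550.0, 1.0),    # over-voltage or injected value
              Telemetry("I_line1", 1.25, 0.0, 2.0, 0.05)):       # kA
        a = range_rule(t)
        if a:
            alerts.append(a)
    alerts += consistency_rule("line1", {"U": 505.0, "I": 1.25, "Idiff": 0.02},
                               {"U": 504.95, "I": 1.24, "Idiff": 0.61}, tol=0.1)
    alerts += config_consistency_rule({"svID": "MU01", "confRev": 3, "smpRate": 4000},
                                      {"PL_A": {"svID": "MU01", "confRev": 3, "smpRate": 4000},
                                       "PL_B": {"svID": "MU01", "confRev": 2, "smpRate": 4000}})
    a = remote_signalling_rule("line1", "open", "closed")
    if a:
        alerts.append(a)
    return alerts

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The differential-current disagreement is the case the text singles out: both sets see a plausible voltage and current, and only comparing the two MMS reports against each other reveals that one set is computing (or being fed) a different differential current.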
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flow charts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Claims (9)
1. An IEC 61850-based power industrial control network intrusion detection method, characterised by comprising:
ACD access control detection: used in the initial infection stage to prevent malware activity and attacks that attempt to communicate with a control server; it comprises extracting the destination and source IP addresses, the destination and source MAC addresses or the ports from captured messages and comparing them with a pre-established access control whitelist; if the IP address, MAC address or port does not belong to the access control whitelist it is regarded as a suspicious IP address, MAC address or port, and if it belongs to the access control whitel list it is regarded as a normal IP address, MAC address or port;
PWD protocol whitelist detection: used to detect abnormal protocol traffic in the station-level and process-level networks of the substation and to raise alerts; it comprises configuring the protocols supported on the station-level and process-level networks, the protocols including MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station-level network only traffic conforming to the MMS, COTP, TPKT or SNTP protocols is permitted, otherwise the traffic is regarded as suspicious and an alert is generated; for the process-level network only GOOSE, SV or IEEE 1588 traffic is permitted, otherwise the traffic is regarded as suspicious and an alert is generated;
MBD model-based detection: used to detect malicious attacks or unintentional abnormal behaviour in the station-level and process-level networks; it comprises analysing the SCD file and the contents of IEC 61850 messages, comparing captured messages with normal behaviour models defined using protocol analysis, and, if any normal behaviour model is violated, generating an alert and recording the detection result;
MPD multi-parameter detection: used to identify threats caused by unintentional internal misuse or malicious external attack by monitoring the parameters of the intelligent substation; it comprises checking the telemetry data and remote signalling data from the station-level and process-level networks, identifying abnormal data by matching data of the same origin, and regarding the data as abnormal when data of the same origin are inconsistent; specifically, remote signalling comparison detection and telemetry comparison detection.
2. The IEC 61850-based power industrial control network intrusion detection method according to claim 1, characterised in that, in the ACD access control detection, the established access control whitelist comprises an access control whitelist of MAC addresses at the data link layer, IP addresses at the network layer and ports at the transport layer.
3. The IEC 61850-based power industrial control network intrusion detection method according to claim 1, characterised in that, in the ACD access control detection, a default action is also taken for the suspicious IP address, MAC address or port, namely: an alert is sent in IDS mode, the traffic is blocked in IPS mode, and the detection result is recorded, as in formula (1), where AC = (MACsrc, MACdst, IPsrc, IPdst, Portsrc, Portdst), ACwl denotes the established access control whitelist, and MACsrc, MACdst, IPsrc, IPdst, Portsrc and Portdst denote the source and destination MAC addresses, the source and destination IP addresses, and the source and destination ports respectively; every host or device has a unique <IP, MAC> pair; if an intelligent electronic device has not been replaced by a new device but two or more MAC addresses correspond to the same IP address, a spoofing attack is judged to have occurred.
4. The IEC 61850-based power industrial control network intrusion detection method according to claim 1, characterised in that the MBD model-based detection performed on the station-level network is specifically:
in the station-level network, normal behaviour models are established based on ACSI mapped to MMS or on SNTP; if any normal behaviour model is violated, an alert is generated and the detection result recorded; the normal behaviour models are established as follows:
A) report service model
the SCD file configures the maximum number of report control block instances for each intelligent electronic device; the proposed report service model takes the maximum number of report control block instances of each intelligent electronic device as the detection rule; if abnormal connection requests that could occupy all the report control block instances of an intelligent electronic device are identified, a suspected denial-of-service attack is alerted and the detection result recorded;
B) association service model
the association service model defines the maximum number of IEC 61850 clients that may be associated; if an abnormal association request from a client is detected, an alert is generated and the detection result recorded;
C) setting service model
the setting service model allows only IEC 61850 clients to change settings; if this definition is violated, an alert is sent;
D) file transfer model
the ACSI GetFile service is used by a client to transfer the contents of a file from the server to the client, and the client uses the ACSI GetFileAttributeValues service to obtain the name and attributes of a specific file in the server's file store; the file transfer model specifies that an IEC 61850 client may transfer only a single file; if this definition is violated, an alert is generated and the detection result recorded;
E) SNTP model
in the substation network SNTP is used for time synchronisation over the LAN, and SNTP traffic uses the User Datagram Protocol at the transport layer; the UDP port of an SNTP connection to an IEC 61850 server should be 123; if the port number of the SNTP traffic is not 123, an alert is triggered and the result stored in the log file;
F) time correlation model
important control commands are subject to time-correlation constraints, which include a time interval limit and a frequency limit; if the same legitimate command is sent too frequently, the rules of formulas (2) and (3) are violated and, in each case, alert and log actions are started:
CV(n) - CV(n-1) < T → Actions(alert, log)   (2)
in formula (2), CV is the control command, n is a positive integer (n > 1) and T is the time interval limit; in formula (3), F denotes the frequency limit.
5. the power industry control network inbreak detection method according to claim 1 based on IEC 61850, its feature exists
In described to be specially to detections of the MBD based on model that process-level network is carried out:In process-level network, based on GOOSE and
SMV protocol specifications set up the normal behaviour model, if violating any normal behaviour model, and generation is alerted and detection is recorded
As a result;GOOSE APDU have 12 fields for gocbRef, timeAllowedToLive, datSet, goID, t, StNum,
SqNum, test, confRev, ndsCom, numDatSetEntries and allData;According to IEC 61850-9-2, SMV data
Report uses ISO/IEC 8802-3 in a data link layer;SV APDU have a svID, smpCnt, confRev, smpSynch and
Five fields of seqData, the normal behaviour model definition is as follows:
A) Destination address model
The destination ISO/IEC 8802-3 multicast addresses used to transmit GOOSE/SMV are configured in the SCD file under <Communication>→<SubNetwork>→<ConnectedAP>. The destination address field of a GOOSE message begins with the four octets 01-0C-CD-01 and that of an SMV message with 01-0C-CD-04. The GOOSE and SMV destination address models are formulas (4) and (5):
In formula (4), P is a message captured on the process-level network, P_GOOSE denotes a GOOSE message and DstAField denotes the value of the destination address field of the ISO/IEC 8802-3 frame;
In formula (5), P_SMV denotes an SMV message;
B) TPID field model
The two-octet Tag Protocol Identifier (TPID) field carries the EtherType assigned to IEEE 802.1Q tagged frames; in GOOSE/SMV messages the value of the TPID field shall be 0x8100, i.e.
where TPIDField denotes the value of the TPID field and P_GOOSE/SMV denotes a GOOSE or SMV message;
C) EtherType field model
The two-byte ISO/IEC 8802-3 EtherType field is registered with the IEEE Registration Authority; the EtherType values assigned to GOOSE and SMV are 0x88B8 and 0x88BA respectively, i.e. formulas (7) and (8):
where EthTField denotes the value of the EtherType field;
D) Priority field model
A priority value is defined for GOOSE and SMV messages; the default value for GOOSE/SMV is 4, and when configured in the SCD file the priority value shall lie between 0 and 7, i.e. formula (9):
where PrioField in formula (9) denotes the value of the user priority field;
E) APPID field model
Each GOOSE/SMV control block has a unique APPID. In the SCD file the two-octet APPID field of a GOOSE message is a four-digit hexadecimal value in the range [0000-3FFF], and that of an SMV message lies in [4000-7FFF], as in formulas (10) and (11):
F) Length model
The two-octet Length field of a GOOSE/SMV message specifies the total number of bytes in the frame from APPID to the end of the APDU, which equals 8 + m, where m is the APDU length and m < 1492; the length field model is formula (12):
where LengField denotes the value of the Length field;
The length of the goID field in the GOOSE APDU is less than 65 bytes, i.e. formula (13),
where LenGOIDField denotes the length of the goID field;
G) TimeAllowedToLive field model
The timeAllowedToLive field in the GOOSE APDU should be twice MaxTime (2T0). MaxTime is normally configured in the SCD file as <MaxTime>5000</MaxTime> under <Communication>→<SubNetwork>→<ConnectedAP>→<GSE>; if no GOOSE packet arrives within 10000 ms, a communication interruption alarm is raised;
H) Tag field model
In the GOOSE tag field model, the tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, stNum, sqNum, test, confRev, ndsCom and numDatSetEntries fields of a GOOSE message are 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89 and 0x8A respectively. In the SMV tag field model, the tag values of the svID, smpCnt, confRev and smpSynch fields of an SMV message are 0x80, 0x82, 0x83 and 0x85 respectively;
I) SmpCnt field model
The smpCnt field model specifies the value of the sample counter, which is incremented for every new sample of the sampled analogue values. When the merging unit (MU) sample rate is 4000 Hz, i.e. 80 samples per cycle, smpCnt keeps the correct order within the range [0, 3999], i.e. formula (14),
where SmpCField denotes the value of the smpCnt field;
J) Correlation model
According to the actual SCD configuration of the intelligent substation, the APPID field equals the last two octets of the destination address field; this is defined as the correlated field model, formula (15):
where DstAField(P)_{5,6} denotes the last two octets of the destination address field;
The gocbRef field in the GOOSE APDU is a character string containing the logical device (LD) name, logical node (LN) name, functional constraint (FC) and control block (CB) name, i.e. LD/LN$FC$CB; the datSet field in the GOOSE APDU contains the LD name, LN name and data set (DS) name, i.e. LD/LN$DS; the default value of the goID field in the GOOSE APDU is similar to that of the gocbRef field, i.e. LD/LN$CB. The LD/LN value in the gocbRef field matches the LD/LN value in the datSet field, and the control block name in the gocbRef field matches the control block name in the goID field. For example, gocbRef: PM5001APIGO/LLN0$GO$gocb1, datSet: PM5001APIGO/LLN0$dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1; the corresponding correlation dictionary model is formula (16):
where GibField, DatSField and GoIDfield denote the gocbRef, datSet and goID fields respectively;
The changes of the state number stNum and the sequence number sqNum in the GOOSE APDU strictly follow an associated behaviour pattern. When the values of the data set carried in the transmitted GOOSE messages change, stNum is incremented, which causes sqNum to be reset to zero; while stNum is unchanged, sqNum is incremented with each GOOSE transmission and wraps to 0 at its maximum SqNum_max = 4,294,967,295:
In formula (17), StNum(GP_i) and SqNum(GP_i) denote the stNum and sqNum values of the i-th GOOSE message respectively;
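The following Python is an added example, not code from the patent, showing how models A) to H) and the two static correlations of model J) (APPID equal to the last two octets of the destination MAC, and the LD/LN and control block names shared by gocbRef, datSet and goID) can be checked against a raw tagged GOOSE frame. The `scd` dictionary stands in for the values an SCD parser would extract for one control block; its keys, the frame builder and the two sample frames are assumptions of this example. It goes one step beyond the claim text in that priority and APPID are compared with the SCD-configured values, not only with the permitted ranges, which is what the SCD reference in models D) and E) implies.

```python
"""Static IEC 61850 GOOSE frame models (added example, not from the patent)."""
import struct

# Values stated in the claim text.
GOOSE_MAC_PREFIX = bytes.fromhex("010ccd01")
SMV_MAC_PREFIX = bytes.fromhex("010ccd04")
TPID_8021Q = 0x8100
ETYPE = {"GOOSE": 0x88B8, "SMV": 0x88BA}
APPID_RANGE = {"GOOSE": (0x0000, 0x3FFF), "SMV": (0x4000, 0x7FFF)}
# Context-specific BER tags of the GOOSE APDU: gocbRef .. numDatSetEntries, allData.
GOOSE_TAGS = [0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0xAB]

def ber_len(buf, i):
    """Decode a BER length at buf[i]; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def walk_tlvs(buf):
    """Yield (tag, value) for the top-level TLVs of a BER-encoded buffer."""
    i = 0
    while i < len(buf):
        length, start = ber_len(buf, i + 1)
        yield buf[i], buf[start:start + length]
        i = start + length

def names_correlate(gocb_ref, dat_set, go_id):
    """gocbRef LD/LN$FC$CB, datSet LD/LN$DS and goID LD/LN.CB must share LD/LN and CB."""
    ldln, _, rest = gocb_ref.partition("$")
    cb = rest.split("$")[-1]
    return dat_set.split("$")[0] == ldln and go_id == f"{ldln}.{cb}"

def check_goose_frame(frame, scd):
    """Return the sorted list of violated models ('A'..'H', 'J') for one raw frame."""
    # scd: dst_mac, appid, priority, max_time_ms for this control block (assumed shape).
    v = set()
    dst = frame[0:6]
    tpid, tci, etype, appid, length = struct.unpack("!HHHHH", frame[12:22])
    kind = {ETYPE["GOOSE"]: "GOOSE", ETYPE["SMV"]: "SMV"}.get(etype)
    if kind is None:
        v.add("C")                                   # EtherType model
    prefix = SMV_MAC_PREFIX if kind == "SMV" else GOOSE_MAC_PREFIX
    if dst[:4] != prefix or dst != scd["dst_mac"]:
        v.add("A")                                   # destination address model
    if tpid != TPID_8021Q:
        v.add("B")                                   # TPID model
    if (tci >> 13) != scd["priority"]:               # 3-bit PCP is 0..7 by construction
        v.add("D")                                   # priority model
    lo, hi = APPID_RANGE.get(kind, (0, -1))
    if not lo <= appid <= hi or appid != scd["appid"]:
        v.add("E")                                   # APPID model
    apdu = frame[26:]                                # after APPID, Length and two reserved words
    if length != 8 + len(apdu) or len(apdu) >= 1492:
        v.add("F")                                   # length model
    if appid != int.from_bytes(dst[4:6], "big"):
        v.add("J")                                   # APPID == last two octets of dst MAC
    if kind != "GOOSE" or not apdu or apdu[0] != 0x61:
        return sorted(v)
    body_len, start = ber_len(apdu, 1)
    fields = dict(walk_tlvs(apdu[start:start + body_len]))
    if list(fields) != GOOSE_TAGS:
        v.add("H")                                   # tag field model
    if 0x83 in fields and len(fields[0x83]) >= 65:
        v.add("F")                                   # goID length model
    if 0x81 in fields and int.from_bytes(fields[0x81], "big") != 2 * scd["max_time_ms"]:
        v.add("G")                                   # timeAllowedToLive == 2 * MaxTime
    if all(t in fields for t in (0x80, 0x82, 0x83)) and not names_correlate(
            *(fields[t].decode("ascii", "replace") for t in (0x80, 0x82, 0x83))):
        v.add("J")                                   # gocbRef / datSet / goID correlation
    return sorted(v)

def tlv(tag, value):
    """Short-form BER TLV; enough for the sample frames, which stay under 128 bytes."""
    return bytes([tag, len(value)]) + value

def build_goose_frame(dst_mac, appid, priority, apdu_fields):
    """Assemble a VLAN-tagged GOOSE frame from (tag, value) pairs; constructed sample data."""
    apdu = tlv(0x61, b"".join(tlv(t, val) for t, val in apdu_fields))
    tci = (priority << 13) | 1                       # PCP | VLAN ID 1
    hdr = struct.pack("!HHHHHHH", TPID_8021Q, tci, ETYPE["GOOSE"], appid, 8 + len(apdu), 0, 0)
    return dst_mac + bytes.fromhex("001122334455") + hdr + apdu

# Constructed control block and frames (hypothetical values, not from the patent).
SCD = {"dst_mac": bytes.fromhex("010ccd010001"), "appid": 0x0001, "priority": 4, "max_time_ms": 5000}
FIELDS = [
    (0x80, b"PM5001APIGO/LLN0$GO$gocb1"), (0x81, (10000).to_bytes(2, "big")),
    (0x82, b"PM5001APIGO/LLN0$dsGOOSE1"), (0x83, b"PM5001APIGO/LLN0.gocb1"),
    (0x84, bytes(8)), (0x85, b"\x05"), (0x86, b"\x00"), (0x87, b"\x00"),
    (0x88, b"\x01"), (0x89, b"\x00"), (0x8A, b"\x01"), (0xAB, tlv(0x83, b"\x00")),
]
GOOD_FRAME = build_goose_frame(SCD["dst_mac"], 0x0001, 4, FIELDS)
BAD_FRAME = build_goose_frame(SCD["dst_mac"], 0x0002, 4, FIELDS)   # APPID matches neither SCD nor MAC
```

`check_goose_frame(GOOD_FRAME, SCD)` returns an empty list, while the frame with APPID 0x0002 violates E (it differs from the SCD value) and J (it no longer equals the last two octets of 01-0C-CD-01-00-01). The APPID/MAC equality of model J) is a site configuration convention taken from the SCD, as the claim says, so the check belongs with the SCD-derived values rather than with the protocol constants.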
K) Traffic-based model
The traffic-based model defines, from traffic captured on the actual substation site, upper and lower threshold values for the packets per second (PPS), bytes per second (BPS), length of packet (LoP) and size of packet (SoP) of each service as the normal traffic behaviour, i.e. formula (18):
where PPS_min and PPS_max denote the lower and upper PPS thresholds.
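The two counter models above, the stNum/sqNum behaviour pattern of model J) (formula 17) and the smpCnt counter of model I), are stateful: each message is judged against the previous one from the same publisher. The Python below is an added example, not the patent's code, implementing both as stream trackers. The sample streams are constructed; treating any stNum change other than an increment by one as a violation, and the 4000 Hz modulus for smpCnt, are this example's reading of the text.

```python
"""Counter models for GOOSE stNum/sqNum (formula 17) and SV smpCnt (model I); added example."""

SQNUM_MAX = 4_294_967_295          # wrap point given in the claim text
SAMPLES_PER_SECOND = 4000          # MU rate in the claim: smpCnt cycles through [0, 3999]


class GooseSequenceTracker:
    """Follow one GOOSE control block and report transitions that break the model."""

    def __init__(self):
        self.st = self.sq = None

    def observe(self, st_num, sq_num):
        """Return None if the transition is permitted, otherwise a reason string."""
        if self.st is None:
            reason = None                                   # first message seen
        elif st_num == self.st:                             # retransmission: sqNum advances by one
            expected = 0 if self.sq == SQNUM_MAX else self.sq + 1
            reason = None if sq_num == expected else f"sqNum {sq_num} != {expected}"
        elif st_num == self.st + 1:                         # new state: sqNum restarts at 0
            reason = None if sq_num == 0 else f"sqNum {sq_num} != 0 after stNum change"
        else:                                               # skipped, repeated or decreasing stNum
            reason = f"stNum jumped {self.st} -> {st_num}"
        self.st, self.sq = st_num, sq_num
        return reason


class SmpCntTracker:
    """smpCnt must advance by one per ASDU and wrap from modulus-1 back to 0."""

    def __init__(self, modulus=SAMPLES_PER_SECOND):
        self.modulus, self.last = modulus, None

    def observe(self, smp_cnt):
        """Return None if the counter value is permitted, otherwise a reason string."""
        if not 0 <= smp_cnt < self.modulus:
            reason = f"smpCnt {smp_cnt} outside [0, {self.modulus - 1}]"
        elif self.last is not None and smp_cnt != (self.last + 1) % self.modulus:
            reason = f"smpCnt {smp_cnt} != {(self.last + 1) % self.modulus}"
        else:
            reason = None
        self.last = smp_cnt
        return reason


def audit(tracker, stream):
    """Run a tracker over a sequence of observations; return [(index, reason), ...]."""
    findings = []
    for i, obs in enumerate(stream):
        reason = tracker.observe(*obs) if isinstance(obs, tuple) else tracker.observe(obs)
        if reason:
            findings.append((i, reason))
    return findings


# Constructed streams: a clean run, a forged sqNum, a stNum jump, then two smpCnt faults.
GOOSE_STREAM = [(5, 0), (5, 1), (5, 2), (6, 0), (6, 1), (6, 5), (9, 0), (9, 1)]
SV_STREAM = [3998, 3999, 0, 1, 3, 4000]

if __name__ == "__main__":
    print(audit(GooseSequenceTracker(), GOOSE_STREAM))
    print(audit(SmpCntTracker(), SV_STREAM))
```

On the constructed GOOSE stream the tracker flags message 5 (sqNum 5 where 2 was due) and message 6 (stNum jumping from 6 to 9); on the SV stream it flags the skipped sample and the out-of-range value. Note what the counter model cannot do: a forged message that presents stNum + 1 with sqNum 0 is, by this model, a valid state change, so the counter check catches replays and skipped states but has to be combined with the SCD-based and remote signalling comparison checks to catch a well-formed injection.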
6. The IEC 61850-based power industrial control network intrusion detection method according to claim 1, characterised in that the remote signalling comparison detection is specifically: in an IEC 61850 intelligent substation, intelligent electronic devices on the process-level network send remote signalling (status) data to the bay-level intelligent electronic devices using GOOSE messages, and receive trip/reclose commands from the protection or measurement-and-control devices; the remote signalling comparison detection identifies anomalous events by comparing GOOSE messages with the associated MMS messages; if the protection start signal carried in a GOOSE message from an intelligent electronic device on the process-level network is inconsistent with the associated signal reported in an MMS message on the station-level network, an anomaly alarm is raised.
7. The IEC 61850-based power industrial control network intrusion detection method according to claim 1, characterised in that the remote measurement comparison detection is specifically: in an IEC 61850 intelligent substation, the merging unit (MU) has a sampled value model and sends SV messages to the protection and measurement-and-control devices; the remote measurement comparison detection comprises two rules:
A) Range detection rule
A sampled value has an upper boundary value and a lower boundary value; if the measured value lies outside the expected range an alarm is raised, i.e. formula (19):
where SMV(i) (i = I, U, ...) denotes the different sampled values, such as current I and voltage U; [SMV(i)_min - e(i), SMV(i)_max + e(i)] denotes the range between the lower and upper boundaries, and e(i) is the measurement tolerance. Under normal operation the upper and lower boundaries are configured according to the substation design and operating specifications; the upper and lower bounds of the bus voltage of a 500 (330) kV substation are set to 90% and 110% of rated voltage.
B) Consistency detection rule
The duplicated protection intelligent electronic devices at bay level (groups A and B) receive identical MU sampled values from the associated current transformer (CT)/voltage transformer (VT); the rule detects inconsistencies between the configured merging unit SMV parameters and the MMS data of the associated multiple protection devices. The parameters compared for remote measurement include voltage, current and differential current; if the consistency detection rule is violated, an anomaly alarm is generated.
8. An IEC 61850-based power industrial control network intrusion detection system, characterised by comprising:
an ACD access control detection module: used in the initial infection stage to block malware activity and attacks that attempt to communicate with a command-and-control server; it performs detection through a pre-established access control white list of data-link-layer MAC addresses, network-layer IP addresses and transport-layer ports, extracts the destination and source IP addresses, destination and source MAC addresses or ports from captured messages and compares them with the established access control white list; if the IP address, MAC address or port does not belong to the access control white list, it is regarded as a suspicious IP address, MAC address or port and the module takes a default action; if it belongs to the access control white list, it is regarded as a normal IP address, MAC address or port;
a PWD protocol white list detection module: used to detect abnormal protocol traffic in the substation station-level network and process-level network and to raise alerts; it establishes a protocol white list from the protocols supported by the station-level network and the process-level network, the protocols including MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station-level network the module permits only communication services conforming to the MMS, COTP, TPKT or SNTP protocols, otherwise the communication is regarded as suspicious and alert information is generated; for the process-level network the module permits only GOOSE, SV or IEEE 1588 traffic, otherwise the traffic is regarded as suspicious and alert information is generated;
an MBD model-based detection module: used to detect malicious attacks or unintentional abnormal behaviour in the station-level network and the process-level network; it analyses the SCD file and the contents of the IEC 61850 messages, compares the detected messages with the normal behaviour models defined by protocol analysis and, if any normal behaviour model is violated, generates an alert and records the detection result;
an MPD multi-parameter detection module: used to identify threats caused by unintentional internal misuse or malicious external attack by monitoring the parameters of the intelligent substation; it inspects the remote measurement data and remote signalling data from the station-level network and the process-level network and identifies abnormal data by matching data of the same origin; when data of the same origin are inconsistent they are regarded as abnormal data; it specifically comprises a remote signalling comparison detection module and a remote measurement comparison detection module.
9. The IEC 61850-based power industrial control network intrusion detection system according to claim 8, characterised in that the default action taken by the ACD access control detection module is specifically: in IDS mode an alarm is raised, in IPS mode the traffic is blocked, and the detection result is recorded, as in formula (1):
where AC = {MAC_src, MAC_dst, IP_src, IP_dst, Port_src, Port_dst} and AC_wl denotes the established access control white list; MAC_src, MAC_dst, IP_src, IP_dst, Port_src and Port_dst denote the source and destination MAC addresses, the source and destination IP addresses, and the source and destination ports respectively; each host or device has a unique <IP, MAC> pairing; if the intelligent electronic device has not been replaced by a new device but two or more MAC addresses correspond to the same IP address, the module judges that a spoofing attack has occurred.
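The following Python is an added example, not the patent's code, of the ACD module of claims 8 and 9: the six-tuple white list check of formula (1) with the IDS/IPS default action, plus the <IP, MAC> pairing rule that treats an IP seen with two or more source MACs as spoofed unless the device is on a replacement list. The white list, the replacement list, the flows and the addresses are all constructed for the example; TCP port 102 is the ISO-TSAP port MMS uses over TPKT/COTP.

```python
"""ACD access-control white list with <IP, MAC> pairing (added example, not from the patent)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessTuple:
    """AC = (MAC_src, MAC_dst, IP_src, IP_dst, Port_src, Port_dst) as in formula (1)."""
    mac_src: str
    mac_dst: str
    ip_src: str
    ip_dst: str
    port_src: int
    port_dst: int


class AccessControlDetector:
    def __init__(self, whitelist, replaced_ips=(), mode="IDS"):
        self.whitelist = frozenset(whitelist)       # AC_wl, pre-established from the site design
        self.replaced = set(replaced_ips)           # devices known to have been swapped for new hardware
        self.mode = mode                            # "IDS": alarm only, "IPS": block
        self.ip_to_macs = defaultdict(set)          # learned <IP, MAC> pairings
        self.log = []                               # recorded detection results

    def inspect(self, ac):
        """Apply formula (1) to one flow and return 'allow', 'alert' or 'block'."""
        self.ip_to_macs[ac.ip_src].add(ac.mac_src)
        if ac in self.whitelist:
            verdict = "allow"
        else:
            verdict = "alert" if self.mode == "IDS" else "block"
        self.log.append((ac, verdict))
        return verdict

    def spoofed_ips(self):
        """IPs observed with two or more source MACs that are not on the replacement list."""
        return sorted(ip for ip, macs in self.ip_to_macs.items()
                      if len(macs) >= 2 and ip not in self.replaced)


# Constructed site: an MMS client at .10 and a protection IED at .20 (TCP/102, ISO-TSAP);
# the device at .30 was legitimately replaced, so two MACs for it are expected.
HMI, HMI_MAC = "192.168.1.10", "aa:bb:cc:00:00:01"
IED, IED_MAC = "192.168.1.20", "aa:bb:cc:00:00:02"
WHITELIST = {
    AccessTuple(HMI_MAC, IED_MAC, HMI, IED, 49152, 102),
    AccessTuple("aa:bb:cc:00:00:31", IED_MAC, "192.168.1.30", IED, 49153, 102),
    AccessTuple("aa:bb:cc:00:00:32", IED_MAC, "192.168.1.30", IED, 49154, 102),
}
FLOWS = [
    AccessTuple(HMI_MAC, IED_MAC, HMI, IED, 49152, 102),                     # legitimate client
    AccessTuple("aa:bb:cc:00:00:99", IED_MAC, HMI, IED, 49152, 102),         # client's IP from a foreign MAC
    AccessTuple("aa:bb:cc:00:00:31", IED_MAC, "192.168.1.30", IED, 49153, 102),
    AccessTuple("aa:bb:cc:00:00:32", IED_MAC, "192.168.1.30", IED, 49154, 102),
]


def run(mode="IDS"):
    """Feed the constructed flows through the detector; return (verdicts, spoofed IPs)."""
    det = AccessControlDetector(WHITELIST, replaced_ips={"192.168.1.30"}, mode=mode)
    return [det.inspect(f) for f in FLOWS], det.spoofed_ips()


if __name__ == "__main__":
    print(run("IDS"))   # (['allow', 'alert', 'allow', 'allow'], ['192.168.1.10'])
    print(run("IPS"))   # (['allow', 'block', 'allow', 'allow'], ['192.168.1.10'])
```

The second flow fails the white list on its MAC alone, which is the point of keying AC_wl on the full six-tuple rather than on IP and port: an attacker who takes over the client's IP still has to present the client's MAC. Because the pairing rule is learned from traffic, the replacement list is what keeps a legitimate hardware swap from being reported as spoofing.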
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710425727.8A (CN106982235B) | 2017-06-08 | 2017-06-08 | IEC 61850-based electric power industry control network intrusion detection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106982235A | 2017-07-25 |
CN106982235B | 2021-01-26 |
Family
ID=59344823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710425727.8A (CN106982235B, active) | IEC 61850-based electric power industry control network intrusion detection method and system | 2017-06-08 | 2017-06-08 |
Country Status (1)
Country | Link |
---|---|
CN | CN106982235B |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103296757A (en) * | 2013-05-21 | 2013-09-11 | 国家电网公司 | Multi-parameter identification based secondary system fault diagnosing method for intelligent substation |
WO2015169392A1 (en) * | 2014-05-09 | 2015-11-12 | Abb Technology Ltd | A method for providing status information of a channel's health condition in a communications network |
CN105204487A (en) * | 2014-12-26 | 2015-12-30 | 北京邮电大学 | Intrusion detection method and intrusion detection system for industrial control system based on communication model |
CN105375638A (en) * | 2015-12-08 | 2016-03-02 | 国网浙江省电力公司绍兴供电公司 | Intelligent transformer station secondary system real-time alarm analytical apparatus and method |
CN105549418A (en) * | 2015-12-07 | 2016-05-04 | 国网安徽省电力公司蚌埠供电公司 | SCD communication debugging system for intelligent substation |
Non-Patent Citations (2)
Title |
---|
姜海涛 et al., "A risk assessment method for intelligent substations", Proceedings of the 2016 Annual Conference of the Chinese Society for Electrical Engineering |
姜海涛 et al., "Network anomaly analysis method for intelligent substations", Electric Power Information and Communication Technology |
Cited By (50)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107483514A (en) * | 2017-10-13 | 2017-12-15 | 北京知道创宇信息技术有限公司 | Attack monitoring device and smart machine |
CN107733907A (en) * | 2017-10-25 | 2018-02-23 | 国家电网公司 | Dynamic protection method and apparatus |
CN109962881A (en) * | 2017-12-22 | 2019-07-02 | 北京安天网络安全技术有限公司 | Intrusion detection method, device and system based on industrial control system |
CN108282482A (en) * | 2018-01-30 | 2018-07-13 | 电子科技大学 | A kind of IEC60870-5-104 anomalous traffic detection methods based on SVM |
CN108282482B (en) * | 2018-01-30 | 2020-12-01 | 电子科技大学 | SVM-based IEC60870-5-104 abnormal flow detection method |
CN108848118A (en) * | 2018-03-29 | 2018-11-20 | 杭州海兴电力科技股份有限公司 | The electrical integrated communication apparatus of the means of communication, adapted and system |
CN108848118B (en) * | 2018-03-29 | 2021-09-10 | 杭州海兴电力科技股份有限公司 | Communication method, power distribution and utilization integrated communication equipment and system |
CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
CN109862028A (en) * | 2019-03-04 | 2019-06-07 | 北京国网富达科技发展有限责任公司 | Data safety access system |
CN109862028B (en) * | 2019-03-04 | 2021-03-12 | 北京国网富达科技发展有限责任公司 | Data security access system |
CN110086776A (en) * | 2019-03-22 | 2019-08-02 | 国网河南省电力公司经济技术研究院 | Intelligent substation Network Intrusion Detection System and detection method based on deep learning |
CN109889552A (en) * | 2019-04-18 | 2019-06-14 | 南瑞集团有限公司 | Power marketing terminal abnormal flux monitoring method, system and Electric Power Marketing System |
CN110768946A (en) * | 2019-08-13 | 2020-02-07 | 中国电力科学研究院有限公司 | Industrial control network intrusion detection system and method based on bloom filter |
CN110909811A (en) * | 2019-11-28 | 2020-03-24 | 国网湖南省电力有限公司 | OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system |
CN110909811B (en) * | 2019-11-28 | 2022-10-18 | 国网湖南省电力有限公司 | OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system |
CN111049828A (en) * | 2019-12-13 | 2020-04-21 | 国网浙江省电力有限公司信息通信分公司 | Network attack detection and response method and system |
CN111049828B (en) * | 2019-12-13 | 2021-05-07 | 国网浙江省电力有限公司信息通信分公司 | Network attack detection and response method and system |
CN111245858A (en) * | 2020-01-19 | 2020-06-05 | 世纪龙信息网络有限责任公司 | Network flow interception method, system, device, computer equipment and storage medium |
WO2021177899A1 (en) * | 2020-03-05 | 2021-09-10 | Singapore University Of Technology And Design | Power system security enhancement |
CN111478925B (en) * | 2020-05-21 | 2022-12-06 | 四川英得赛克科技有限公司 | Port scanning detection method and system applied to industrial control environment |
CN111614674B (en) * | 2020-05-21 | 2022-12-06 | 四川英得赛克科技有限公司 | Abnormal access behavior detection method, system, medium and equipment thereof |
CN111614674A (en) * | 2020-05-21 | 2020-09-01 | 四川英得赛克科技有限公司 | Abnormal access behavior detection method, system, medium and equipment thereof |
CN111478925A (en) * | 2020-05-21 | 2020-07-31 | 四川英得赛克科技有限公司 | Port scanning detection method and system applied to industrial control environment |
CN111901291A (en) * | 2020-06-03 | 2020-11-06 | 中国科学院信息工程研究所 | Network intrusion detection method and device |
CN111901291B (en) * | 2020-06-03 | 2022-03-22 | 中国科学院信息工程研究所 | Network intrusion detection method and device |
CN111401976A (en) * | 2020-06-08 | 2020-07-10 | 腾讯科技(深圳)有限公司 | Abnormal behavior detection method, device, equipment and storage medium |
CN113958377B (en) * | 2020-07-03 | 2023-04-07 | 东方电气股份有限公司 | Real-time online monitoring system and method for network security of steam turbine |
CN113958377A (en) * | 2020-07-03 | 2022-01-21 | 中国东方电气集团有限公司 | Real-time online monitoring system and method for network security of steam turbine |
CN112073326B (en) * | 2020-07-30 | 2023-05-12 | 许继集团有限公司 | Intelligent substation process layer network data flow control method |
CN112073326A (en) * | 2020-07-30 | 2020-12-11 | 许继集团有限公司 | Intelligent substation process layer network data flow control method |
CN114079576B (en) * | 2020-08-18 | 2024-06-11 | 奇安信科技集团股份有限公司 | Security defense method, security defense device, electronic equipment and medium |
CN114079576A (en) * | 2020-08-18 | 2022-02-22 | 奇安信科技集团股份有限公司 | Security defense method, security defense device, electronic apparatus, and medium |
CN112702333B (en) * | 2020-12-21 | 2023-03-24 | 英赛克科技(北京)有限公司 | Data security detection method and device |
CN112702333A (en) * | 2020-12-21 | 2021-04-23 | 英赛克科技(北京)有限公司 | Data security detection method and device |
CN114826631B (en) * | 2021-01-27 | 2024-03-15 | 南京南瑞继保电气有限公司 | Substation firewall configuration method |
CN114826631A (en) * | 2021-01-27 | 2022-07-29 | 南京南瑞继保电气有限公司 | Substation firewall configuration method |
CN113221103A (en) * | 2021-05-08 | 2021-08-06 | 山东英信计算机技术有限公司 | Container safety protection method, system and medium |
CN113315777B (en) * | 2021-06-03 | 2021-12-07 | 珠海市鸿瑞信息技术股份有限公司 | Intelligent operation and maintenance monitoring system based on power protocol operation |
CN113315777A (en) * | 2021-06-03 | 2021-08-27 | 珠海市鸿瑞信息技术股份有限公司 | Intelligent operation and maintenance monitoring system based on power protocol operation |
CN113824724B (en) * | 2021-09-24 | 2023-09-22 | 山东能士信息科技有限公司 | Method and device for judging tampered sensor data of intelligent substation and storage medium |
CN113824724A (en) * | 2021-09-24 | 2021-12-21 | 山东能士信息科技有限公司 | Method and device for judging tampering of sensor data of intelligent substation and storage medium |
CN114124478B (en) * | 2021-11-08 | 2023-05-09 | 湖南大学 | Method and system for detecting abnormal industrial control flow of power system |
CN114124478A (en) * | 2021-11-08 | 2022-03-01 | 湖南大学 | Power system industrial control flow abnormity detection method and system |
CN114374528A (en) * | 2021-11-24 | 2022-04-19 | 河南中裕广恒科技股份有限公司 | Data security detection method and device, electronic equipment and medium |
CN114338096A (en) * | 2021-12-10 | 2022-04-12 | 南京南瑞继保电气有限公司 | Configuration method of process layer isolation device |
CN114338096B (en) * | 2021-12-10 | 2023-11-17 | 南京南瑞继保电气有限公司 | Configuration method of process layer isolation device |
CN114697081A (en) * | 2022-02-28 | 2022-07-01 | 国网江苏省电力有限公司淮安供电分公司 | Intrusion detection method and system based on IEC61850 SV message operation situation model |
CN114697081B (en) * | 2022-02-28 | 2024-05-07 | 国网江苏省电力有限公司淮安供电分公司 | Intrusion detection method and system based on IEC61850 SV message running situation model |
CN115190139A (en) * | 2022-03-28 | 2022-10-14 | 北京慧能分享科技有限公司 | Multi-protocol-based load balancing energy big data acquisition system and method |
CN116094760A (en) * | 2022-12-05 | 2023-05-09 | 金川集团股份有限公司 | Data transmission method of cross-forward isolation device based on message dictionary |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106982235A (en) | A kind of power industry control network inbreak detection method and system based on IEC 61850 | |
Yang et al. | Multidimensional intrusion detection system for IEC 61850-based SCADA networks | |
EP2721801B1 (en) | Security measures for the smart grid | |
CN111669375B (en) | Online safety situation assessment method and system for power industrial control terminal | |
Yang et al. | Intrusion detection system for IEC 60870-5-104 based SCADA networks | |
CN107241224A (en) | The network risks monitoring method and system of a kind of transformer station | |
CN110868425A (en) | Industrial control information safety monitoring system adopting black and white list for analysis | |
CN109391613A (en) | A kind of intelligent substation method for auditing safely based on SCD parsing | |
KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation | |
CN109976239A (en) | Industrial control system terminal security guard system | |
Kaouk et al. | A review of intrusion detection systems for industrial control systems | |
CN108737410A (en) | A kind of feature based is associated limited to know industrial communication protocol anomaly detection method | |
US20200285738A1 (en) | Process-centric security measurement of cyber-physical systems | |
CN110324323A (en) | A kind of new energy plant stand relates to net end real-time, interactive process exception detection method and system | |
CN110493180A (en) | A kind of substation network communication flow real-time analysis method | |
CN114666088A (en) | Method, device, equipment and medium for detecting industrial network data behavior information | |
CN110266680A (en) | A kind of industrial communication method for detecting abnormality based on dual similarity measurement | |
Hu et al. | An enhanced multi-stage semantic attack against industrial control systems | |
Flosbach et al. | Architecture and prototype implementation for process-aware intrusion detection in electrical grids | |
Feng et al. | Snort improvement on profinet RT for industrial control system intrusion detection | |
CN106685928A (en) | SMV (sampled measured value) network attack grading detection method applicable to digital substation bay level | |
Kabir-Querrec et al. | Power utility automation cybersecurity: IEC 61850 specification of an intrusion detection function | |
CN107277070A (en) | A kind of computer network instrument system of defense and intrusion prevention method | |
CN112968869A (en) | Information safety monitoring system of electric power production control large area | |
Yang et al. | Cybersecurity testing technology in smart substations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |