CN111682642B - Lightweight intelligent substation information abnormality detection system and method thereof
Publication number: CN111682642B
Application number: CN202010508821.1A
Authority: CN (China)
Legal status: Active
Description
Technical field
The invention relates to intelligent detection technology for electrical systems, and in particular to a lightweight information abnormality detection system for smart substations and a method thereof.
Background
A smart substation is a new type of substation based on the IEC 61850 protocol, in which the intelligent electrical devices inside the substation can share information and interoperate with each other. Making substations intelligent has broken the relative isolation that smart substation networks originally had, and the information security of smart substations has become a subject of wide concern in academia and engineering. To keep smart substations running normally and to assist operation and maintenance staff with fault location and fault analysis, many researchers have focused on ensuring the safe operation of smart substations.
Existing products on the market include parsing systems for smart substation configuration files and systems that capture abnormal smart substation information. The former can independently analyze and parse substation configuration software; the latter can capture abnormal information in the smart substation. These existing solutions do not analyze the cause of message faults, provide no abnormality alarm mechanism, and lack classified records of abnormal information, which makes it inconvenient to analyze the causes of abnormalities from multiple angles. Nor do they combine the abnormal information of the smart substation with the relevant content of the current smart substation configuration file, which would let operation and maintenance staff analyze fault causes more intuitively and locate faults quickly.
Summary of the invention
The purpose of the present invention is to provide a lightweight information abnormality detection system for smart substations and a method thereof.
The technical solution that achieves this purpose is a lightweight information abnormality detection system for smart substations, comprising a system configuration module, a sniffing module, a detection and alarm module and a management module, wherein:
the system configuration module is used to parse the substation configuration file, compare it with the configuration information of captured messages, and obtain all whole-frame message information of the smart substation;
the sniffing module is used to obtain the message information flowing through the system in real time and to filter, classify and save it;
the detection and alarm module is used to receive GOOSE, SMV and MMS data packets and compare them with a preset abnormality rule set to raise alarms;
the management module is used to implement user permission assignment, duty log recording and system data recording.
Further, the system configuration module includes a smart substation SCD file import and parsing unit and a network card monitoring unit. The SCD file import and parsing unit is used to parse the substation configuration file and compare it with the configuration information of captured messages; the network card monitoring unit is used to obtain all whole-frame messages of the smart substation.
Still further, the SCD file import and parsing unit parses the substation configuration file with the DOM4J library: SAXReader.read(xmlSource) reads the document from the XML source, Document.getRootElement() returns the root element of the XML, Element.node(index) returns the XML node at a given index within an element, and Element.attributes() returns all attributes of an element. In this way all node information required by the system is obtained and compared item by item with the configuration information of captured messages.
Further, the message information obtained by the sniffing module includes the message appid, source address, destination address and detection time.
Further, the detection and alarm module includes a GOOSE alarm unit, an SMV alarm unit and an MMS message alarm unit, wherein:
the GOOSE alarm unit includes a GOOSE message format and configuration detection subunit, a GOOSE message state change detection subunit, a GOOSE message interruption detection subunit and a GOOSE message test state detection subunit;
the SMV alarm unit includes an SMV message format and configuration error detection subunit, an SMV message interruption and jitter detection subunit, an SMV message desynchronization detection subunit and an SMV message quality factor change detection subunit;
the MMS message alarm unit includes an MMS message format error detection subunit.
Further, the management module includes a user management unit, an administrator log unit and a document management unit. The user management unit implements user permission assignment, the administrator log unit implements duty log recording, and the document management unit implements system data recording.
Further, JavaFX is used to develop a graphical operation interface for the smart substation information abnormality detection system.
A lightweight information abnormality detection method for smart substations, comprising the following steps:
the system configuration module parses the substation configuration file, compares it with the configuration information of captured messages, and obtains all whole-frame message information of the smart substation;
the sniffing module obtains the message information flowing through the system in real time and filters, classifies and saves it;
the detection and alarm module receives GOOSE, SMV and MMS data packets and compares them with the preset abnormality rule set to raise alarms;
the management module performs user permission management, duty log recording and system data recording.
A computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the following steps when executing the computer program:
the system configuration module parses the substation configuration file, compares it with the configuration information of captured messages, and obtains all whole-frame message information of the smart substation;
the sniffing module obtains the message information flowing through the system in real time and filters, classifies and saves it;
the detection and alarm module receives GOOSE, SMV and MMS data packets and compares them with the preset abnormality rule set to raise alarms;
the management module performs user permission management, duty log recording and system data recording.
A computer-readable storage medium on which a computer program is stored, wherein the following steps are implemented when the computer program is executed by a processor:
the system configuration module parses the substation configuration file, compares it with the configuration information of captured messages, and obtains all whole-frame message information of the smart substation;
the sniffing module obtains the message information flowing through the system in real time and filters, classifies and saves it;
the detection and alarm module receives GOOSE, SMV and MMS data packets and compares them with the preset abnormality rule set to raise alarms;
the management module performs user permission management, duty log recording and system data recording.
Compared with the prior art, the present invention has the following beneficial effects: it detects and alarms on information abnormalities of the smart substation system in combination with the current smart substation configuration file, feeds back the operating status of the information, and records abnormal information under diverse classifications. It can assist operation and maintenance staff with online analysis, fault location, and after-the-fact summarization of such abnormal information, provides them with meaningful and regular information summaries, and offers strong basic technical support for future security detection and repair of abnormal information. It has definite application value in engineering.
Description of the drawings
Figure 1 is the overall design framework of the system;
Figure 2 is the system main interface;
Figure 3 shows the system module interfaces;
Figure 3(a) is the SCD configuration file import and parsing view, Figure 3(b) is the sniffing module interface, Figure 3(c) is the detailed view of an abnormal message, and Figure 3(d) is the user management view;
Figure 4 shows system login and configuration;
Figure 4(a) is the login interface, and Figure 4(b) is the configuration success interface;
Figure 5 shows system abnormality detection alarms;
Figure 5(a) is the GOOSE message state change detection alarm, Figure 5(b) is the GOOSE message interruption detection alarm, Figure 5(c) is the GOOSE message restart detection alarm, Figure 5(d) is the SMV message interruption abnormality detection alarm, Figure 5(e) is the SMV loss abnormality detection alarm, Figure 5(f) is the SMV desynchronization abnormality detection alarm, and Figure 5(g) is the document of abnormalities detected by the system.
Detailed description
To further explain the technical means adopted by the present invention and their effects, the invention is described below with reference to embodiments and the accompanying drawings. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
The smart substation information abnormality detection system provided by the present invention includes a system configuration module, a sniffing module, a detection and alarm module and a management module, wherein:
The system configuration module includes a smart substation SCD file import and parsing unit and a network card monitoring unit.
The SCD file import and parsing unit is used to parse the current smart substation configuration file and compare it with the configuration information of captured messages.
In the present invention, the SCD file import and parsing function imports the configuration file of the smart substation, and the detection system parses the current configuration file so that the detection and alarm module can work normally. The SCD configuration file of a smart substation is written in SCL, which is syntactically XML, so the SCD file must be parsed before the configuration of message contents can be checked. The invention parses the configuration file with the DOM4J library: SAXReader.read(xmlSource) reads the document from the XML source, Document.getRootElement() returns the root element of the XML, Element.node(index) returns the XML node at a given index within an element, and Element.attributes() returns all attributes of an element. In this way all node information required by the system is obtained and compared item by item with the configuration information of captured messages.
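The SCD import and comparison step described above, as an added example rather than code from the patent: it uses Python's standard-library XML parser in place of DOM4J, and the SCD fragment, IED names, addresses and capture records are constructed.

```python
import xml.etree.ElementTree as ET

SCL_NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD fragment: only the Communication section, with one GOOSE
# and one SMV control block. All names and addresses are made up.
SAMPLE_SCD = """\
<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication>
    <SubNetwork name="ProcessBus">
      <ConnectedAP iedName="PROT1" apName="G1">
        <GSE ldInst="LD0" cbName="gocb0">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="APPID">0001</P>
          </Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="MU1" apName="M1">
        <SMV ldInst="MU" cbName="smvcb0">
          <Address>
            <P type="MAC-Address">01-0C-CD-04-00-01</P>
            <P type="APPID">4001</P>
          </Address>
        </SMV>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
</SCL>
"""


def load_expected(scd_text):
    """Map (kind, appid) -> address info configured in the SCD."""
    # An SCD has no need for a DTD; refusing one keeps entity-expansion
    # constructs in an imported file away from the parser.
    if "<!DOCTYPE" in scd_text or "<!ENTITY" in scd_text:
        raise ValueError("SCD with DTD/entity declarations rejected")
    root = ET.fromstring(scd_text)
    expected = {}
    for ap in root.iterfind(".//scl:ConnectedAP", SCL_NS):
        for tag, kind in (("GSE", "GOOSE"), ("SMV", "SMV")):
            for cb in ap.iterfind(f"scl:{tag}", SCL_NS):
                params = {p.get("type"): (p.text or "").strip()
                          for p in cb.iterfind("scl:Address/scl:P", SCL_NS)}
                if "APPID" not in params or "MAC-Address" not in params:
                    continue  # control block without a usable address
                expected[(kind, int(params["APPID"], 16))] = {
                    "mac": params["MAC-Address"].replace("-", ":").lower(),
                    "ied": ap.get("iedName"),
                    "cb": cb.get("cbName"),
                }
    return expected


def check_frame(expected, kind, appid, dst_mac):
    """Return None if the frame matches the SCD, else a finding string."""
    entry = expected.get((kind, appid))
    if entry is None:
        return f"{kind} APPID 0x{appid:04X} is not configured in the SCD"
    if dst_mac.lower() != entry["mac"]:
        return (f"{kind} APPID 0x{appid:04X} ({entry['ied']}/{entry['cb']}): "
                f"destination {dst_mac.lower()} differs from SCD {entry['mac']}")
    return None


if __name__ == "__main__":
    cfg = load_expected(SAMPLE_SCD)
    # Constructed capture records: (kind, appid, destination MAC).
    for rec in [("GOOSE", 0x0001, "01:0c:cd:01:00:01"),
                ("GOOSE", 0x0001, "01:0c:cd:01:00:7f"),
                ("SMV", 0x4002, "01:0c:cd:04:00:02")]:
        print(rec, "->", check_frame(cfg, *rec) or "matches SCD")
```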
The network card monitoring unit is used to obtain all whole-frame message information flowing through the smart substation.
According to the present invention, a network interface card by default inspects passing frames in advance and accepts only those whose destination address is its own, discarding all others. In promiscuous mode, every frame that passes the card is received regardless of its address, format or destination, so the network adapter must be set to promiscuous mode in order to obtain all whole-frame message information.
The sniffing module captures the message appid, source address, destination address and detection time, so that operation and maintenance personnel can observe the data online.
The sniffing module is also used to save the information flowing through the system in real time. When operation and maintenance personnel need to consult and summarize the current data, they can press the corresponding button to do so; saving on demand reduces memory pressure.
The module also filters the sniffed message information by the appids of the current smart substation system and then classifies it by time. Operation and maintenance observers can therefore select a specific device and focus on the traffic of each message type for that device, which allows in-depth analysis of the system's message information. While the sniffing module is running, the system counts messages in real time and displays the count on the main page as a line chart.
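An added sketch of the sniffing module's classification step (not code from the patent): it extracts the appid, source and destination addresses from raw Ethernet frames, sorts them into GOOSE, SMV and MMS by EtherType or TCP port 102, and tallies them per appid. The frames are constructed, and the length check is one assumed format rule.

```python
import struct
from collections import Counter

ETH_VLAN, ETH_IPV4, ETH_GOOSE, ETH_SV = 0x8100, 0x0800, 0x88B8, 0x88BA
MMS_TCP_PORT = 102  # MMS runs over ISO-on-TCP (RFC 1006)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame, seen_at):
    """Return a record for a GOOSE/SMV/MMS frame, or None for other traffic."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_VLAN:  # skip the 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    rec = {"kind": None, "appid": None, "dst": _mac(frame[0:6]),
           "src": _mac(frame[6:12]), "time": seen_at, "error": None}
    if ethertype in (ETH_GOOSE, ETH_SV):
        rec["kind"] = "GOOSE" if ethertype == ETH_GOOSE else "SMV"
        if len(frame) < offset + 8:
            rec["error"] = "header truncated"
            return rec
        # Header after the EtherType: APPID, Length, Reserved1, Reserved2.
        appid, length = struct.unpack_from("!HH", frame, offset)
        rec["appid"] = appid
        # Length counts from APPID to the end of the APDU; Ethernet padding
        # may follow, so only "too small" or "past the frame" is an error.
        if length < 8 or length > len(frame) - offset:
            rec["error"] = f"length field {length} inconsistent with frame"
        return rec
    if ethertype == ETH_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4
        tcp = offset + ihl
        if ihl >= 20 and frame[offset + 9] == 6 and len(frame) >= tcp + 4:
            sport, dport = struct.unpack_from("!HH", frame, tcp)
            if MMS_TCP_PORT in (sport, dport):
                rec["kind"] = "MMS"
                return rec
    return None


def tally(records):
    """Count captured messages per (kind, appid), as the module's filter does."""
    return Counter((r["kind"], r["appid"]) for r in records)


def _pad(frame):
    return frame + bytes(max(0, 60 - len(frame)))  # Ethernet minimum size


# Constructed frames (addresses and payloads are made up).
GOOSE_OK = _pad(bytes.fromhex(
    "010ccd010001" "001122334455" "81008000" "88b8"
    "0001" "000c" "0000" "0000" "61028000"))
SMV_BAD_LEN = _pad(bytes.fromhex(
    "010ccd040001" "001122334466" "88ba"
    "4001" "0200" "0000" "0000" "60028000"))
MMS_SEGMENT = _pad(bytes.fromhex(
    "001122330001" "001122330002" "0800"
    "4500" "0028" "0000" "4000" "4006" "0000" "c000020a" "c0000214"
    "c000" "0066" + "00" * 16))
ARP_OTHER = _pad(bytes.fromhex("ffffffffffff" "001122334455" "0806"))

if __name__ == "__main__":
    frames = [GOOSE_OK, SMV_BAD_LEN, MMS_SEGMENT, ARP_OTHER, GOOSE_OK]
    records = [r for i, f in enumerate(frames)
               if (r := classify_frame(f, seen_at=i * 0.001)) is not None]
    for r in records:
        print(r)
    print(tally(records))
```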
The detection and alarm module comprises a GOOSE alarm unit, an SMV alarm unit and an MMS alarm unit. It receives GOOSE, SMV and MMS packets and compares them with a preset abnormal rule set. An alarm is raised and logged only when a packet matches a rule. A packet that matches no rule is discarded and leaves no record anywhere in the system, which relieves overall data storage pressure and avoids wasting storage resources.
The GOOSE alarm unit comprises a GOOSE message format and configuration error detection subunit, a GOOSE message state change detection subunit, a GOOSE message interruption detection subunit and a GOOSE message test state detection subunit.
The SMV alarm unit comprises an SMV message format and configuration error detection subunit, an SMV message interruption and jitter detection subunit, an SMV message asynchrony detection subunit and an SMV message quality factor change detection subunit.
The MMS message alarm unit comprises an MMS message format error detection subunit.
Operation and maintenance personnel can view the abnormal information sorted by message APPID, MAC, error type, detection time and other keys, which makes abnormality statistics and analysis more convenient and helps them locate an abnormality quickly. After viewing and handling the current abnormal information together with the parsed content of the SCD file, they can record handling opinions and system records for other operation and maintenance personnel to summarize and analyze. While the module is on, the main interface of the system classifies and records the detection alarms in real time, and records the alarm handling progress in real time, in the form of a pie chart.
The management module comprises a user management unit, a manager log unit and a document management unit.
The user management unit grants user permissions. admin has the highest permission: it can execute every function of the system, add users and assign different user attributes. user cannot modify other user names and passwords, but can use the sniffing, detection and opinion management functions. guest can only browse and cannot operate the system. The manager log unit is used by the regular operation and maintenance staff to fill in the duty log; other people cannot arbitrarily tamper with or delete the manager log. The document management unit saves the system's data and allows the data files to be viewed.
Example
To verify the effectiveness of the scheme of the invention, the following simulation experiments were carried out.
A graphical operation interface was developed with JavaFX for the smart substation information abnormality detection system. Simple operations in this interface are enough to configure system files and parameters, turn detection on and off (both sniffing mode and detection alarm mode), fill in logs and view the system record files. So that users can operate the system and read the detection results easily, each interface uses the controls that are customary for the corresponding function. The smart substation configuration file (SCD) and the network card mode are set in the system configuration module, and then the whole detection system is started. Once the system captures messages inside the smart substation, normal messages scroll in real time on the sniffing interface of the monitoring system under the sniffing module, while abnormal messages raise an alarm in the detection and alarm module and are recorded in the abnormal message category under the management module. Operation and maintenance staff can view the abnormal message information in real time or offline afterwards. After staff handle an abnormality, a corresponding log records their actions.
The test system runs on Windows with Java Development Kit (JDK) 1.8 installed. The binary directory (/bin) of the Java Runtime Environment (JRE) bundled with the JDK is added to the system environment variables, and the dynamic link library (DLL) and Java class library (JAR) of the packet capture middleware Jpcap are integrated into that JDK. The hardware is 8G of memory, a 500G hard disk and an i5-10210U CPU.
When the smart substation experimental system runs normally, it produces essentially no abnormal data. The performance and function tests of the system of the invention therefore use the NPI-801 test tool, which can simulate the sending of single-channel or multi-channel GOOSE and SMV messages and the receiving of GOOSE messages under real conditions. Testers can combine message states as needed to simulate various real events and the conditions in which messages become abnormal. Compared with an actual smart substation information system, however, the information flow is simpler and the data volume is smaller.
(1) Overall module design of the system
The detection system consists of a main interface and four window interfaces: the system configuration interface, the sniffing mode working interface, the detection alarm working interface and the management interface. Simple operations in the graphical interface are enough to configure system parameters, turn detection on and off (both sniffing mode and detection alarm mode) and fill in handling opinions. Each interface uses the controls that are customary for the corresponding function. So that users can operate the system and read the detection results easily, this embodiment uses JavaFX to develop graphical application software for the smart substation network abnormality detection function. JavaFX is a newer toolkit that Java provides for graphical interfaces; it includes many built-in controls such as windows, labels, buttons, text boxes and password boxes, and it works well across platforms. The whole program display window is designed with JavaFX Scene Builder and has a clear interface. The overall block diagram of the system is shown in Figure 1.
(1) Configuration interface: javafx.stage.FileChooser serves as the entry to the file explorer and is used to select the information storage path and the SCD file path; a javafx.scene.control.TextField control displays the file path; the javafx.scene.control.RadioButton and javafx.scene.control.ChoiceBox components implement network card selection.
(2) The sniffing mode interface, the detection alarm mode interface and the management mode interface all use the javafx.scene.control.RadioButton control for user operation buttons. javafx.scene.control.TableColumn and javafx.scene.control.TableView present the data detected in sniffing mode, and javafx.scene.chart.LineChart, javafx.scene.chart.CategoryAxis and javafx.scene.chart.NumberAxis display it graphically.
(2) Function and implementation of each module of the system
The smart substation information abnormality detection system designed in this embodiment consists of four modules. The main interface is shown in Figure 2.
Configuration module design
The configuration module has two main functions: configuring the smart substation configuration file (SCD) and configuring the monitoring network card.
(1) Import and parsing of the SCD configuration file
As shown in Figure 3(a), the SCD import and parsing function imports the configuration file of the smart substation, and the detection system parses the current configuration file so that the detection and alarm module can work normally.
The SCD configuration file of a smart substation is written in SCL, which is syntactically XML, so the SCD file must be parsed before the configuration carried in message content can be checked. This embodiment uses the DOM4J library for this. SAXReader.read(xmlSource) reads the document from the XML source. Document.getRootElement() returns the root element of the XML. Element.node(index) returns the XML node at a given index of an element. Element.attributes() returns all attributes of an element. In this way the system obtains the node information it needs and compares it with the configuration information of the captured messages.
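The lookup table that this parsing step feeds to the detection rules can be sketched as follows. This is an added example in Python using only the standard library, not the patent's DOM4J code; the SCD fragment, the IED names and the helper names `load_expected_publishers` and `check_against_scd` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD fragment (not from a real substation); only the
# Communication section is needed to know which publishers should exist.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication>
    <SubNetwork name="ProcessBus">
      <ConnectedAP iedName="PROT1" apName="G1">
        <GSE ldInst="LD0" cbName="gcbTrip">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="APPID">1001</P>
            <P type="VLAN-ID">005</P>
          </Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="MU1" apName="S1">
        <SMV ldInst="MU" cbName="smvcb0">
          <Address>
            <P type="MAC-Address">01-0C-CD-04-00-01</P>
            <P type="APPID">4001</P>
          </Address>
        </SMV>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
</SCL>
"""

def load_expected_publishers(scd_text):
    """Return {appid: {...}} for every GSE/SMV control block address in the SCD."""
    # SCL is validated against an XSD and needs no DTD; refusing one keeps
    # entity-expansion tricks away from the parser.
    if "<!DOCTYPE" in scd_text:
        raise ValueError("DTD not allowed in SCD input")
    root = ET.fromstring(scd_text)
    table = {}
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        for kind in ("GSE", "SMV"):
            for cb in ap.iterfind(f"scl:{kind}", NS):
                params = {p.get("type"): (p.text or "").strip()
                          for p in cb.iterfind("scl:Address/scl:P", NS)}
                if "APPID" not in params or "MAC-Address" not in params:
                    continue  # no full address, nothing to match on the wire
                appid = int(params["APPID"], 16)  # SCL writes APPID as hex digits
                table[appid] = {
                    "kind": kind,
                    "ied": ap.get("iedName"),
                    "cb": f'{cb.get("ldInst")}/{cb.get("cbName")}',
                    "dst_mac": params["MAC-Address"].replace("-", ":").lower(),
                }
    return table

def check_against_scd(table, appid, dst_mac, kind):
    """Return None when a captured (appid, dst_mac, kind) matches the SCD, else a reason."""
    entry = table.get(appid)
    if entry is None:
        return "APPID not configured in SCD"
    if entry["kind"] != kind:
        return f"APPID configured for {entry['kind']}, seen in {kind}"
    if entry["dst_mac"] != dst_mac.lower():
        return f"destination MAC differs from SCD ({entry['dst_mac']})"
    return None

if __name__ == "__main__":
    expected = load_expected_publishers(SAMPLE_SCD)
    for appid, entry in sorted(expected.items()):
        print(f"0x{appid:04X} {entry}")
    print(check_against_scd(expected, 0x1001, "01:0C:CD:01:00:99", "GSE"))
```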
(2) Configuration of the monitoring network card
By default a network card inspects each passing message in advance and accepts only those whose destination address is local, discarding all others. In promiscuous (mixed) mode, every message that passes the card is received regardless of its address, format or destination, so the network adapter must be set to promiscuous mode in order to obtain all complete frames.
Sniffing module design
After the SCD file of the current system has been configured successfully and the monitoring network card has been selected, clicking the sniffing mode button puts the system into sniffing mode. Clicking the "Not started" button starts reading packet information from the network and scrolls it in the window in real time, until the inspector clicks the "Started" button to end sniffing mode.
The system opens the monitoring network card with the JpcapCaptor.openDevice method and starts packet capture with the JpcapCaptor.loopPacket method. Two classes implement PacketReceiver, the interface taken as a parameter by loopPacket: one processes packets in sniffing mode and the other in alarm mode. The system distinguishes the three message types from the Ethernet type of each captured message. Messages that belong to none of the three types are discarded directly, which avoids excessive data traffic in the system and longer detection times.
When the start button on the sniffing mode interface is pressed, the system interface displays the passing messages. Figure 3(b) is a screenshot of the interface in sniffing mode. The captured content includes the message appid, source address, destination address, detection time and other data, so that operation and maintenance personnel can observe the data online. Sniffing mode also adds the ability to save the information currently flowing through the system: when personnel need to consult and summarize the current data, they press the corresponding button. Saving on demand reduces memory pressure.
At the same time, the module combines the sniffed messages with the parsing result of the current substation configuration file. The system can filter by the appid of devices in the smart substation system and then group by time, so that an observer can select a specific device and focus on that device's traffic of each message type, which allows in-depth analysis of the system's messages. While the sniffing module is running, the system counts messages in real time and shows the count on the main page as a line chart.
Detection and alarm module design
Detection and alarm module: the three types of received packets (GOOSE, SMV and MMS) are compared with the previously configured abnormal rule set to find abnormal network communication behavior. An alarm is raised and logged only when a packet matches a rule. A packet that matches no rule is discarded and leaves no record anywhere in the system, which relieves overall data storage pressure and avoids wasting storage resources.
(1) GOOSE alarm detection unit
The GOOSE message alarm detection unit has four categories. The first is the GOOSE message format/configuration error detection subunit. This rule defines the message length error GOOSE_LENGTH_ERROR, the message TLV decoding error GOOSE_TLV_ENCODING_ERROR and the message configuration error GOOSE_SCD_MISMATCH.
The second category is the GOOSE message state change detection subunit. This rule defines GOOSE message restart GOOSE_RESTART, GOOSE message spurious change GOOSE_STATUS_CHANGE and GOOSE message out-of-order GOOSE_DUMMY_CHANGE.
The third category is the GOOSE message interruption detection subunit. This rule defines GOOSE message interruption GOOSE_INTERRUPTED.
The fourth category is the subunit that detects GOOSE messages in the test state. This rule defines GOOSE_TEST. The check only needs to test gooseAPDU.test==1 when the format and configuration of the GOOSE message are both normal.
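An added Python sketch of the EtherType screening described for the sniffing module and of the first and fourth GOOSE rule categories above; it is not the patented Java implementation. The frame bytes, the `EXPECTED` table and the function names are constructed for illustration, and GOOSE_SCD_MISMATCH is assumed here to mean that the APPID, gocbRef or confRev differs from the SCD-derived configuration.

```python
import struct

ETH_GOOSE, ETH_SMV, ETH_VLAN, ETH_IPV4 = 0x88B8, 0x88BA, 0x8100, 0x0800

class TlvError(ValueError):
    """Raised when a BER tag-length-value element cannot be decoded."""

def read_tlv(buf, pos):
    """Decode one BER TLV with a single-byte tag; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise TlvError("truncated tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form
        length = first
    else:                                  # long form: low 7 bits = count of length octets
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise TlvError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise TlvError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def classify(frame):
    """Return (kind, payload_offset) from the EtherType, skipping one 802.1Q tag."""
    off = 12
    if len(frame) < off + 2:
        return None, 0
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETH_VLAN:
        off += 4
        if len(frame) < off + 2:
            return None, 0
        (etype,) = struct.unpack_from("!H", frame, off)
    # MMS rides on TCP (port 102), so the EtherType only narrows it down to IPv4.
    kind = {ETH_GOOSE: "GOOSE", ETH_SMV: "SMV", ETH_IPV4: "IP"}.get(etype)
    return kind, off + 2

def check_goose(frame, expected):
    """Return the alert names raised by one frame ([] if clean or not GOOSE)."""
    kind, off = classify(frame)
    if kind != "GOOSE":
        return []
    if len(frame) < off + 8:
        return ["GOOSE_LENGTH_ERROR"]
    appid, length = struct.unpack_from("!HH", frame, off)
    # Length counts from APPID to the end of the APDU; Ethernet padding may follow.
    if length < 8 or off + length > len(frame):
        return ["GOOSE_LENGTH_ERROR"]
    apdu = frame[off + 8:off + length]
    fields = {}
    try:
        tag, body, end = read_tlv(apdu, 0)
        if tag != 0x61 or end != len(apdu):   # goosePdu must fill the APDU exactly
            raise TlvError("goosePdu does not match header length")
        pos = 0
        while pos < len(body):
            t, v, pos = read_tlv(body, pos)
            fields[t] = v
    except TlvError:
        return ["GOOSE_TLV_ENCODING_ERROR"]
    cfg = expected.get(appid)
    gocb_ref = fields.get(0x80, b"").decode("ascii", "replace")
    conf_rev = int.from_bytes(fields.get(0x88, b""), "big")
    if cfg is None or cfg["gocbRef"] != gocb_ref or cfg["confRev"] != conf_rev:
        return ["GOOSE_SCD_MISMATCH"]
    # The test flag (tag 0x87) is evaluated only once format and configuration are clean.
    if fields.get(0x87, b"\x00") != b"\x00":
        return ["GOOSE_TEST"]
    return []

# ---- constructed sample data (not captured traffic) ----
EXPECTED = {0x1001: {"gocbRef": "PROT1LD0/LLN0$GO$gcbTrip", "confRev": 1}}

def tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short form only; samples stay under 128 bytes

def build_goose(appid, gocb_ref, conf_rev, test=False, vlan=False):
    """Build a minimal GOOSE frame for the demo."""
    body = (tlv(0x80, gocb_ref.encode()) + tlv(0x85, b"\x01") + tlv(0x86, b"\x00")
            + tlv(0x87, b"\x01" if test else b"\x00") + tlv(0x88, bytes([conf_rev])))
    pdu = tlv(0x61, body)
    eth = bytes.fromhex("010ccd010001") + bytes.fromhex("02aabbccddee")
    if vlan:
        eth += struct.pack("!HH", ETH_VLAN, 0x8005)
    eth += struct.pack("!H", ETH_GOOSE)
    return eth + struct.pack("!HHHH", appid, 8 + len(pdu), 0, 0) + pdu

if __name__ == "__main__":
    ref = EXPECTED[0x1001]["gocbRef"]
    ok = build_goose(0x1001, ref, 1)
    bad_tlv = bytearray(ok)
    bad_tlv[25] = 0x7F                        # gocbRef length now overruns the PDU
    for name, frame in [("clean", ok), ("test flag", build_goose(0x1001, ref, 1, test=True)),
                        ("wrong confRev", build_goose(0x1001, ref, 2)),
                        ("truncated", ok[:-3]), ("bad TLV", bytes(bad_tlv))]:
        print(f"{name:14s} {check_goose(frame, EXPECTED)}")
```

The stateful rules (restart, state change, interruption) need per-publisher history and are outside this sketch.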
(2) SMV alarm detection unit
The first category is the SMV message format/configuration error alarm detection subunit. This rule defines the message length error SMV_LENGTH_ERROR, the message TLV decoding error SMV_TLV_ENCODING_ERROR and the message configuration error SMV_SCD_MISMATCH.
The second category is the SMV message interruption/jitter detection subunit. This rule defines SMV interruption SMV_LOST.
The third category is the SMV message asynchrony detection subunit. This rule defines the message asynchrony abnormality SMV_MV_NSYNCHRONOUS.
The fourth category is the SMV message quality factor change detection subunit. This rule defines SMV_VALIDITY.
(3) MMS message alarm detection unit
This is the MMS message format error detection subunit. This rule defines the MMS message format error MMS_ASN_ERROR.
Clicking the "Not started" button turns on abnormality detection mode, and clicking the same button again stops detection alarm mode. During this time, any abnormal packet that passes is captured and recorded, and a corresponding log file is generated.
Operation and maintenance personnel can view the abnormal information sorted by APPID, MAC, error type, detection time and other keys, which makes abnormality statistics and analysis more convenient and helps them locate an abnormality quickly. Double-clicking any abnormal message triggers a listener attached to the rows of the detection table, which handles the control event and pops up the details of that abnormal message, as shown in Figure 3(c).
After viewing and handling the current abnormal information together with the parsed content of the SCD file, operation and maintenance personnel can record handling opinions and system records for other personnel to summarize and analyze. At the same time, the main interface of the system classifies the detection alarms and records the alarm handling progress in real time in the form of a pie chart.
Management module design
The management module has three parts: the user management unit, the manager log unit and the document management unit.
(1) User management grants and establishes user permissions. Clicking the settings button allows different permissions to be set for different operation and maintenance staff. admin has the highest permission: it can add users, assign different user attributes and use all functions of the system. user cannot modify other user names and passwords, but can use the sniffing, detection and opinion management functions. guest can only browse and cannot operate the system. The specific operations are shown in Figure 3(d).
(2) The manager log is where the current operation and maintenance staff record the results and methods of handling alarm abnormalities, or the current duty log. Clicking the "Add" button opens the current log for entry. Once a log has been submitted successfully it cannot be modified, and an empty entry cannot be submitted. This prevents people other than the regular operation and maintenance staff from arbitrarily tampering with or deleting the content of the manager log.
(3) Document management allows the currently saved data files to be consulted. Only admin can perform this function, which prevents file content from being altered or removed. Clicking the "View data files" button opens the data file library, which contains four Excel files: the user account file user, the normal information file message, the abnormal information file alert and the manager log file opinion. With these four files, other operation and maintenance staff can look up work records at any time and understand the running state of the system.
The user Excel sheet defines the user number userid, the user account username, the user password password and the user role role. The message Excel sheet defines the normal information number msgid, the normal information id appid, the normal information source IP and destination address mac, the normal message storage path filepath, the normal message capture time time and the normal message type type. The alert Excel sheet defines the abnormal information number alertid, the abnormal message type alerttype, the abnormal message capture time time, the annotation of the current abnormal information opinion, the abnormal information source IP and destination address mac, the abnormal information id appid and the abnormal message storage path filepath. The opinion Excel sheet defines the log number opinionid, the log time time and the log content content.
The database is a self-designed lightweight database built on the apache.POI class library, with Excel files as the storage medium. The data persistence layer fully implements the basic create, delete, update and query functions of a traditional database, makes data analysis easy for non-specialists, and removes the need to install and deploy a traditional database separately.
(3) Test steps for the smart substation information abnormality detection system
Step 1: operation and maintenance personnel must log in to the smart substation information abnormality monitoring system with a password, as shown in Figure 4(a). Only after a successful login can they reach the main operation page of the system. Different users have different permissions; admin permission can be chosen here so that as many system functions as possible can be tested. If the user name and password do not match, or the user name does not exist, the system cannot be entered.
Step 2: in the configuration module, set the network card to promiscuous (mixed) mode, then import the SCD file of the current substation into the system and have it parsed correctly, as shown in Figure 4(b). If the current SCD file is wrong or the system fails to parse it, the system cannot enter sniffing or detection mode.
Click the "Sniffing mode" button. While the smart substation system is running normally, the smart substation information abnormality monitoring system raises no alarm, and the sniffing mode window displays the passing messages in real time.
Step 3: detect typical abnormal information. Click the "Detection mode" button and the system enters the detection function.
(4) Test results for the smart substation information abnormality detection system
This embodiment tests the system functions with several typical abnormalities, as shown in Table 1.
Table 1 Test cases
(1) GOOSE message state change
During normal sending, changing any content in the message data set changes the GOOSE message state. The detection result is shown in Figure 5(a).
(2) GOOSE interruption state
Test principle: click the message send button, making sure that the other configuration and the message format are correct. Pressing the stop-sending button of the test software then produces the test condition for the GOOSE interruption abnormality. The system detects the abnormality and raises an alarm, as shown in Figure 5(b).
(3) GOOSE message restart state
Test principle: pressing the send button again makes the GOOSE messages enter the restart test process, which produces the test condition for the GOOSE restart abnormality. The system detects the abnormality and raises an alarm, as shown in Figure 5(c).
(4) SMV message interruption abnormality detection
Test principle: while SMV messages are being sent normally, clicking stop sending produces the test condition for the SMV interruption abnormality. The system detects the abnormality and raises an alarm, as shown in Figure 5(d).
(5) SMV message packet loss abnormality detection
Test principle: while SMV messages are being sent, clicking the simulated frame loss mode button produces the packet loss abnormality detection condition. The test result is shown in Figure 5(e). The detection system raises an SMV packet loss abnormality alarm.
(6) SMV asynchrony abnormality detection
Test process: during normal sending, change the synchronization field to any value other than true, which produces the asynchrony abnormality test condition. The test result is shown in Figure 5(f). The detection system raises an SMV asynchrony abnormality alarm.
Verification showed that all test cases pass. After the test, the data documents recorded by the system are as shown in Figure 5(g). The system successfully records the system information, and the cause of an abnormality can be judged manually from the recorded information.
In summary, the invention uses the Java programming language to develop a smart substation information abnormality detection system on the Windows platform. The system comprises four functional modules: the configuration module, the sniffing module, the detection and alarm module and the management module. Testing and verification of the smart substation information abnormality monitoring system confirmed that the designed information abnormality rules are correct and that the system functions are effective.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be carried out by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the above method embodiments. Any reference to memory, storage, a database or another medium in the embodiments provided in this application can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity, not every possible combination of these technical features is described; however, any combination of them that involves no contradiction should be considered within the scope of this specification.
The embodiments described above express only several implementations of this application. Their description is relatively specific and detailed, but it should not be understood as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art can make a number of variations and improvements without departing from the concept of this application, and these all fall within its scope of protection. The scope of protection of this patent application is therefore defined by the appended claims.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010508821.1A CN111682642B (en) | 2020-06-06 | 2020-06-06 | Lightweight intelligent substation information abnormality detection system and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010508821.1A CN111682642B (en) | 2020-06-06 | 2020-06-06 | Lightweight intelligent substation information abnormality detection system and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111682642A (en) | 2020-09-18 |
CN111682642B (en) | 2022-09-27 |
Family
ID=72454334
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010508821.1A Active CN111682642B (en) | 2020-06-06 | 2020-06-06 | Lightweight intelligent substation information abnormality detection system and method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111682642B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112258804A (en) * | 2020-10-21 | 2021-01-22 | 浙江浙能兰溪发电有限责任公司 | Comprehensive analysis fault alarm system based on data packet data comparison |
CN113507460A (en) * | 2021-06-30 | 2021-10-15 | 贵州电网有限责任公司电力科学研究院 | Abnormal message detection method and device, computer equipment and storage medium |
CN113656368B (en) * | 2021-07-29 | 2024-07-23 | 济南浪潮数据技术有限公司 | Cloud platform log processing method and system |
CN113986701A (en) * | 2021-10-20 | 2022-01-28 | 中国铁道科学研究院集团有限公司 | Equipment data processing method and device applied to intelligent traction power transformation system |
CN114301621B (en) * | 2021-11-17 | 2024-06-14 | 北京智芯微电子科技有限公司 | Intelligent transformer substation and network communication safety control method and device thereof |
CN116865932B (en) * | 2023-09-04 | 2023-12-05 | 国网江苏省电力有限公司无锡供电分公司 | Temporary switch box system for transformer substation infrastructure and monitoring method thereof |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103296755A (en) * | 2013-05-10 | 2013-09-11 | 国家电网公司 | Network online monitoring system for transformer substation |
CN107995050A (en) * | 2017-12-29 | 2018-05-04 | 国网安徽省电力有限公司 | Secondary system of intelligent substation process layer communication failure diagnostic system and method |
CN108234237A (en) * | 2017-12-18 | 2018-06-29 | 国网技术学院 | A kind of empty circuit health examination method and system acquired in real time based on interchanger |
- 2020-06-06 CN CN202010508821.1A patent/CN111682642B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111682642A (en) | 2020-09-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111682642B (en) | Lightweight intelligent substation information abnormality detection system and method thereof | |
CN106411578B (en) | A kind of web publishing system and method being adapted to power industry | |
US12061703B2 (en) | OpenTelemetry security extensions | |
WO2020233251A1 (en) | Data management method and device | |
Jayathilake | Towards structured log analysis | |
CN112905548B (en) | Security audit system and method | |
US20150213266A1 (en) | Remote enterprise security compliance reporting tool | |
CN109391613A (en) | A kind of intelligent substation method for auditing safely based on SCD parsing | |
EP2671157A1 (en) | Arrangement and method for model-based testing | |
CN111930723A (en) | Scientific and technological achievement data fusion method based on big data | |
CN107241229A (en) | A kind of business monitoring method and device based on interface testing instrument | |
CN112163198B (en) | Host login security detection method, system, device and storage medium | |
CN110661811A (en) | Firewall policy management method and device | |
US20220321602A1 (en) | Frictionless supplementary multi-factor authentication for sensitive transactions within an application session | |
CN114116429B (en) | Abnormal log collection method, device, equipment, medium and product | |
US12001416B1 (en) | Systems and methods for generic data parsing applications | |
CN206948352U (en) | A kind of portable hand-held network patrol device | |
CN117650964A (en) | Intelligent network operation and maintenance management system | |
CN114268569B (en) | Configurable network operation and maintenance acceptance test method and device | |
CN113392079B (en) | Distributed storage cluster log storage optimization method, system and terminal | |
CN108319535A (en) | Terminal O&M auxiliary system | |
Cisco | System Log Management | |
CN116132250A (en) | Operation and maintenance system, method, storage medium, electronic device | |
KR102669475B1 (en) | Data management device, data management method and a computer-readable storage medium for storing data management program | |
KR102656871B1 (en) | Data management device, data management method and a computer-readable storage medium for storing data management program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||