CN119312139B - Abnormal maintenance method, device, computer equipment and computer-readable storage medium for power grid fault identification model - Google Patents
- Publication number
- CN119312139B (CN202411432534.1A)
- Authority
- CN
- China
- Prior art keywords
- power grid
- grid fault
- white list
- fault identification
- abnormal
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G01—MEASURING; TESTING
- G01R—MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
- G01R31/00—Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
-
- G—PHYSICS
- G01—MEASURING; TESTING
- G01R—MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
- G01R31/00—Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
- G01R31/08—Locating faults in cables, transmission lines, or networks
- G01R31/088—Aspects of digital computing
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0499—Feedforward networks
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/06—Energy or water supply
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S10/00—Systems supporting electrical power generation, transmission or distribution
- Y04S10/50—Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications
Abstract
The application relates to an abnormal maintenance method and device, computer equipment and a computer-readable storage medium for a power grid fault identification model. The method comprises: sequentially carrying out static analysis and dynamic analysis on the power grid fault identification model to generate a white list, wherein the white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls; monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result, wherein the monitoring result is either normal operation, indicating that the running state conforms to the white list, or abnormal operation, indicating that the running state does not conform to the white list; and, when the monitoring result is abnormal, maintaining the power grid fault identification model by adopting an adaptive strategy. The method can improve the maintenance effect of the model.
Description
Technical Field
The present application relates to the field of artificial intelligence model maintenance, and in particular, to an abnormal maintenance method and apparatus for a power grid fault identification model, a computer device, and a computer readable storage medium.
Background
In a power grid fault identification model, a bit-flip attack may cause the model to misclassify, so that the fault type cannot be accurately identified or a normal state is falsely reported as a fault, which affects normal operation of the power grid. In addition, the attack can significantly reduce model accuracy, so that faults are not correctly detected and classified and the reliability and effectiveness of fault identification are reduced. The robustness of the model is also weakened: false alarms may be raised on normal grid fluctuations and noise, increasing the operation and maintenance burden. However, current fault detection methods for machine learning models extract the characteristics of software anomalies by analyzing a large number of them, abstract those characteristics into anomaly patterns, and rely on manually defined thresholds for those patterns when matching the software characteristics of the model against the established patterns. This results in low anomaly detection accuracy, and therefore in a poor maintenance effect for the model.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an abnormal maintenance method, apparatus, computer device, computer readable storage medium, and computer program product for a grid fault recognition model that can improve the maintenance effect of the model.
In a first aspect, the present application provides an anomaly maintenance method for a power grid fault identification model, including:
sequentially carrying out static analysis and dynamic analysis on the power grid fault identification model to generate a white list, wherein the white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls;
monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model, wherein the monitoring result is either normal operation or abnormal operation;
and, when the monitoring result is abnormal, maintaining the power grid fault identification model by adopting an adaptive strategy.
In one embodiment, static analysis and dynamic analysis are sequentially performed on the power grid fault identification model to generate a white list, including:
without executing the code of the power grid fault identification model, carrying out static analysis on the code of the power grid fault identification model to obtain an initial white list;
while executing the code of the power grid fault identification model, carrying out dynamic analysis on the code of the power grid fault identification model to obtain a supplementary white list;
and generating the white list as the union of the initial white list and the supplementary white list.
In one embodiment, monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model includes:
acquiring in real time the running state of the power grid fault identification model, the running state comprising a code execution path, a disk access behavior and a system call condition;
and comparing the white list with the code execution path, the disk access behavior and the system call condition respectively, according to a preset detection rule, to obtain a monitoring result of the power grid fault recognition model.
In one embodiment, comparing the code execution path, the disk access behavior and the system call condition according to the white list to obtain a monitoring result of the power grid fault recognition model, includes:
calculating, respectively, the similarity between each of the code execution path, the disk access behavior and the system call condition and the data of the white list;
when any similarity is lower than a preset threshold value, determining that the monitoring result is abnormal;
and when all the similarities are higher than the preset threshold value, determining that the monitoring result is normal operation.
In one embodiment, when the monitoring result is that there is an abnormality, after maintaining the power grid fault identification model by adopting the adaptive strategy, the method further includes:
updating the white list and the detection rule by adopting a feedback function according to the adaptive strategy and the abnormal behavior detection result of the monitoring result;
updating the white list and the detection rule by adopting the feedback function comprises:
$$W' = F(W, E)$$
$$\varphi' = F(\varphi, E)$$
wherein $F(\cdot)$ represents the feedback function, $E$ represents the abnormal behavior detection result, $W$ represents the white list, $\varphi$ represents the detection rule, $W'$ represents the updated white list and $\varphi'$ represents the updated detection rule.
In one embodiment, if the monitoring result is that there is an abnormality, maintaining the power grid fault identification model by adopting an adaptive strategy includes:
when the monitoring result is abnormal, determining the code segment or disk memory area in which the abnormality arises according to the abnormal behavior detection result;
isolating the code segment or disk memory area and performing root cause analysis to determine the cause of the abnormality;
and maintaining the power grid fault identification model by adopting an adaptive strategy according to the cause of the abnormality.
In one embodiment, according to the cause of the anomaly, maintaining the power grid fault identification model by adopting an adaptive strategy includes:
according to the cause of the abnormality, rolling back the data of the code segment or disk memory area, or repairing the data by adopting an online repair function;
repairing by adopting the online repair function comprises:
$$S_{\text{repair}}(t) = R(S(t), E)$$
wherein $S(t)$ is the running state of the power grid fault recognition model at the current time, $E$ represents the abnormal behavior detection result, $S_{\text{repair}}(t)$ represents the running state of the repaired power grid fault recognition model, and $R(\cdot)$ represents the online repair function.
In a second aspect, the present application further provides an abnormal maintenance device for a power grid fault identification model, including:
a white list generation module, used for sequentially carrying out static analysis and dynamic analysis on the power grid fault identification model to generate a white list;
a model monitoring module, used for monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model, wherein the monitoring result is either normal operation or abnormal operation;
and a model maintenance module, used for maintaining the power grid fault identification model by adopting an adaptive strategy when the monitoring result is abnormal.
In a third aspect, the present application also provides a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
sequentially carrying out static analysis and dynamic analysis on the power grid fault identification model to generate a white list, wherein the white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls;
monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model, wherein the monitoring result is either normal operation or abnormal operation;
and, when the monitoring result is abnormal, maintaining the power grid fault identification model by adopting an adaptive strategy.
In a fourth aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
sequentially carrying out static analysis and dynamic analysis on the power grid fault identification model to generate a white list, wherein the white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls;
monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model, wherein the monitoring result is either normal operation or abnormal operation;
and, when the monitoring result is abnormal, maintaining the power grid fault identification model by adopting an adaptive strategy.
In the above abnormal maintenance method, device, computer equipment, computer-readable storage medium and computer program product for a power grid fault identification model, a white list is generated by carrying out static analysis and dynamic analysis on the power grid fault identification model. The white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls; using both analysis modes comprehensively defines the range of legitimate behavior for normal operation of the power grid fault recognition model. The running state of the model is monitored in real time according to the white list to obtain a monitoring result, which is either normal operation, indicating that the running state conforms to the white list, or abnormal operation, indicating that it does not. Abnormal behavior of the model can thus be accurately judged against the white list while the running condition of the model is monitored. Further, when the monitoring result is abnormal, the model is maintained by adopting an adaptive strategy, which avoids manual intervention: the model is maintained automatically and promptly according to the abnormal condition, its normal operation is ensured, and the maintenance effect of the model is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are needed in the description of the embodiments of the present application or the related technologies will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other related drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
FIG. 1 is a flow chart of a method for exception maintenance of a grid fault identification model in one embodiment;
FIG. 2 is a flow chart of a monitoring result determining step in one embodiment;
FIG. 3 is a block diagram of a smart grid fault identification model bit-flipping vulnerability intrusion detection and self-healing system based on a whitelist in one embodiment;
FIG. 4 is a block diagram of an anomaly maintenance device of a grid fault identification model in one embodiment;
FIG. 5 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In one embodiment, as shown in FIG. 1, an abnormal maintenance method for a power grid fault identification model is provided. This embodiment is illustrated by applying the method to a terminal; it is understood that the method may also be applied to a server, or to a system including a terminal and a server and implemented through interaction between the terminal and the server. In this embodiment, the method includes the following steps:
Step S102, static analysis and dynamic analysis are sequentially carried out on the power grid fault identification model, and a white list is generated.
The white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls. The whitelist may be a security mechanism for allowing a particular user, device, network address or application to access certain resources or perform a particular operation. In network security, certain IP addresses, domain names, or software applications may be whitelisted to allow them to bypass certain security checks or restrictions.
The power grid fault recognition model may be an artificial intelligence model trained on historical parameters of the equipment included in a power grid. By inputting real-time parameters of the power grid equipment into the model, a fault prediction result is output, so that the running condition of the power grid is known.
Static analysis may be analysis of source code or binary code without executing the program, focusing mainly on code structure, syntax, potential errors, compliance with code specifications, and the like. Dynamic analysis may be analysis of the behavior of the software while the program executes, finding problems by invoking the program and monitoring its behavior, performance, resource usage and the like as it runs.
Optionally, the server performs static analysis on the power grid fault recognition model without executing its code, performs dynamic analysis on the model while its code is executing, and generates the white list from the two analysis results.
Step S104, the running state of the power grid fault identification model is monitored in real time according to the white list, and a monitoring result of the power grid fault identification model is obtained.
The monitoring result is either normal operation, which indicates that the running state conforms to the white list, or abnormal operation, which indicates that the running state does not conform to the white list.
Optionally, the server monitors the running state of the power grid fault recognition model according to the data included in the white list, and judges whether the running state falls within the range of the white list, to obtain the monitoring result of the power grid fault recognition model.
Step S106, when the monitoring result is abnormal, the power grid fault identification model is maintained by adopting an adaptive strategy.
The adaptive strategy may be an automatic maintenance method targeting the anomaly type of the monitoring result. For example, if the anomaly type is that the code of the model has been subjected to a bit-flipping attack, so that part of a code segment is abnormal, the adaptive strategy is to automatically repair that part of the code segment or to roll the code back to the version before the bit-flipping attack.
Optionally, if the monitoring result is abnormal, the server maintains the power grid fault identification model by adopting the corresponding adaptive strategy, so as to correct the abnormality and ensure normal operation of the power grid fault identification model.
In the above abnormal maintenance method for a power grid fault identification model, a white list is generated by carrying out static analysis and dynamic analysis on the power grid fault identification model. The white list comprises trusted code segments, trusted disk access behaviors, and the range and frequency of trusted system calls; using both analysis modes comprehensively defines the range of legitimate behavior for normal operation of the power grid fault recognition model. The running state of the model is monitored in real time according to the white list to obtain a monitoring result, which is either normal operation, indicating that the running state conforms to the white list, or abnormal operation, indicating that it does not. Abnormal behavior of the model can thus be accurately judged against the white list while the running condition of the model is monitored. Further, when the monitoring result is abnormal, the model is maintained by adopting an adaptive strategy, which avoids manual intervention: the model is maintained automatically and promptly according to the abnormal condition, its normal operation is ensured, and the maintenance effect of the model is improved.
In an exemplary embodiment, step S102, sequentially performing static analysis and dynamic analysis on the power grid fault identification model to generate a white list, includes:
without executing the code of the power grid fault identification model, carrying out static analysis on the model to obtain an initial white list; while executing the code of the power grid fault identification model, carrying out dynamic analysis on the model to obtain a supplementary white list; and generating the white list as the union of the initial white list and the supplementary white list.
The initial white list may consist of the normal code execution paths, disk accesses and system call patterns identified by static analysis. The supplementary white list may consist of the normal execution paths, function call sequences, disk access behaviors and system call records of the model collected by dynamic analysis.
Optionally, without executing the code of the power grid fault identification model, static analysis is performed on that code, comprising code analysis, control flow analysis, data flow analysis, and disk access and system call analysis. Code analysis uses a static analysis tool (such as LLVM, Low Level Virtual Machine) to analyze the source code of the power grid fault identification model and generate abstract syntax trees (AST, Abstract Syntax Tree) and control flow graphs (CFG, Control Flow Graph). Control flow analysis identifies all possible execution paths in the program, including loops, branches, exception handling and the like. Data flow analysis identifies all possible data dependencies from the flow of data in the program and ensures the validity of data access. Disk access analysis determines the legitimate disk access range and mode by analyzing the memory allocation and access operations in the code. The initial white list is generated from the results of this static analysis. Specifically, let $P$ be the set of execution paths of the program of the power grid fault recognition model, $p$ be any execution path in $P$, and $W_{\text{static}}$ be the initial white list generated by static analysis; then:
$$W_{\text{static}} = \{\, p \mid p \in P,\ \text{static\_analysis}(p) \,\}$$
The server further performs dynamic analysis on the code of the power grid fault identification model while that code is executing, to obtain a supplementary white list. The dynamic analysis comprises four processes: test case design, code instrumentation, execution monitoring and behavior recording. Test case design makes the test cases as comprehensive as possible, so that the smart grid fault identification model is fully tested under the various possible input conditions. Code instrumentation inserts monitoring code at key code segments, function entries and exits, disk access points and system call points to collect data at run time. Execution monitoring runs the fault identification model and, with the aid of monitoring tools, collects the execution paths, function call sequences, disk access behaviors and system call records. Behavior recording records the details of the code paths, function calls, disk accesses and system calls of each run, including call frequencies and parameters. Specifically, let $B$ be the set of behaviors of the power grid fault recognition model under dynamic analysis, $b$ be any behavior in $B$, and $W_{\text{dynamic}}$ be the white list generated by dynamic analysis; then:
$$W_{\text{dynamic}} = \{\, b \mid b \in B,\ \text{dynamic\_analysis}(b) \,\}$$
The server then generates the white list as the union of the initial white list and the supplementary white list. Specifically, let $W_{\text{static}}$ be the initial white list generated by static analysis, $W_{\text{dynamic}}$ be the white list generated by dynamic analysis, and $W$ be the final white list; then:
$$W = W_{\text{static}} \cup W_{\text{dynamic}}$$
In this embodiment, static analysis and dynamic analysis are performed separately on the code of the power grid fault identification model, generating an initial white list and a supplementary white list respectively, and their union is taken as the final white list, which ensures the comprehensiveness and accuracy of the white list. Conflicts between the static and dynamic analysis results are checked, their possible causes are analyzed, and manual verification and correction are performed. The white list is optimized according to the running environment and application requirements of the system, keeping it concise and effective and avoiding a white list that is too loose or too strict.
In an exemplary embodiment, as shown in FIG. 2, step S204, monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model, includes the following steps S202 to S204:
Step S202, the running state of the power grid fault identification model is acquired in real time; the running state comprises a code execution path, a disk access behavior and a system call condition.
The code execution path refers to the particular code path that a program passes through when running; it is typically monitored with a debugging tool or a performance analysis tool. An execution path may contain multiple function calls and conditional decisions that affect the final output. The disk access behavior relates to the read and write operations the model performs on the disk while running. For example, the model may read files when loading a data set, and during training it may save checkpoints or log files. A system call is the way a program requests the operating system to perform a specific task; the power grid fault recognition model may make various system calls, such as memory management, file operations, network requests and the like.
Optionally, the server obtains the running state of the power grid fault identification model in real time as follows: it uses a debugging tool or a performance analysis tool to monitor the code execution path; it uses a tool (such as an I/O, input/output, analysis tool) to monitor the frequency and type (such as reads and writes) of the model's file operations on the disk to obtain the disk access behavior; and it uses a tool (such as strace, a tool for tracing system calls and signals, or dtrace, a dynamic tracing framework) to trace the model's interaction with the operating system at run time to obtain the system call condition.
Step S204, the white list is compared with the code execution path, the disk access behavior and the system call condition respectively, according to a preset detection rule, to obtain a monitoring result of the power grid fault recognition model.
The preset detection rule may be a comparison judgment standard between a preset white list and a power grid fault recognition model.
Optionally, the trusted code segments, the trusted disk access behaviors and the range and the frequency of the trusted system call included in the white list are respectively compared with the code execution path, the disk access behaviors and the system call condition of the power grid fault recognition model according to a preset detection rule, and the comparison result is used as the monitoring result of the power grid fault recognition model.
In this embodiment, the code execution path, the disk access behavior and the system call conditions of the power grid fault identification model are monitored in real time and compared with the white list. Abnormal behavior of the model can therefore be found in time and corrected, which shortens the duration of faults, improves the maintenance effect of the model and ensures the reliability of the power grid monitoring system.
In an exemplary embodiment, step S204 compares the whitelist with the code execution path, the disk access behavior and the system call condition according to a preset detection rule, to obtain a monitoring result of the power grid fault recognition model, including:
Calculating the similarity between the data of the white list and each of the code execution path, the disk access behavior and the system call conditions; determining that the monitoring result is abnormal if any similarity is lower than a preset threshold; and determining that the monitoring result is normal operation if all the similarities are higher than the preset threshold.
Wherein, the similarity can be the degree of similarity between two or more objects, which is used to measure their identity on a specific feature or attribute.
Optionally, the server calculates the similarity between the code execution path, the disk access behavior and the system call conditions on one side and the white list's trusted code segments, trusted disk access behaviors, and range and frequency of trusted system calls on the other. For example, for control flow data, it calculates the deviation between the top N code execution paths of the monitored power grid fault identification model, ranked by call frequency, and the normal execution paths recorded in the white list, and assigns weights to the different positions according to call frequency: for example, a difference in the control flow with the highest trigger frequency represents a higher abnormality than a difference in the control flow whose trigger frequency ranks N-th. The specific weighting method can be set according to how loose the administrator's security policy is. This yields the abnormality degree $T_{\text{control-flow}}$ of the control flow execution data; the higher the abnormality degree, the lower the similarity.
Specifically, let the control flow execution paths in the white list be $P_{\text{whitelist}} = \{p_1, p_2, \ldots, p_n\}$ and the monitored control flow execution paths be $P_{\text{monitor}} = \{q_1, q_2, \ldots, q_n\}$; the deviation value is defined as:
Where $p_{ij}$ and $q_{ij}$ represent the values of paths $p_i$ and $q_i$, respectively, at position $j$.
Let $f_i$ be the trigger frequency of path $p_i$; the weight $w_i$ may be assigned according to the trigger frequency:
The abnormality degree $T_{\text{control-flow}}$ of the control flow execution data can be calculated from the weighted deviation values:
Similarly, the same white list matching step is performed on the data flow execution data, the disk access feature data and the system call feature data, and the matching results $T_{\text{data-flow}}$, $T_{\text{read-disk}}$ and $T_{\text{syscall}}$ of these kinds of data are calculated.
The final abnormality degree is calculated as a weighted sum of the four abnormality degrees, namely:
$T = n_1 T_{\text{control-flow}} + n_2 T_{\text{data-flow}} + n_3 T_{\text{read-disk}} + n_4 T_{\text{syscall}}$,
Wherein the assignment strategy of the weights is set by the administrator according to the situation. After the abnormality degree $T$ is obtained, it is compared with the abnormality threshold $P$ to judge whether an abnormality has occurred; that is, if any similarity is lower than the preset threshold, the monitoring result is determined to be abnormal and the alarm flow is entered. Specifically, let $B_{\text{real-time}}$ be the behavior set monitored during system operation and $T$ be the length of the monitored time sequence; then:
$B_{\text{real-time}} = \{b_t \mid t = 1, 2, \ldots, T\}$
For the alarm mechanism, the system reports the detected abnormal behavior by means such as log records and real-time alarm notifications, and at the same time triggers the corresponding security response measures. Let $E$ be the set of abnormal events, then there is
Where all the similarities are higher than the preset threshold, the monitoring result is determined to be normal operation.
In this embodiment, by calculating the similarity between the running condition of the power grid fault recognition model and the data included in the white list and comparing with a preset threshold, it is determined whether the monitoring result is abnormal, so that the abnormal monitoring accuracy of the power grid fault recognition model is improved, a corresponding adaptive strategy is executed for the existing abnormality later, and the maintenance effect of the power grid fault recognition model is improved.
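The weighted white list comparison of this embodiment, as an added example that is not code from the patent. The patent's own deviation and weight formulas are not reproduced in this text, so the position-wise mismatch ratio, the frequency-proportional weights, the range check used for disk and system call counts, and all sample paths, weights n1 to n4 and the threshold P are assumptions.

```python
"""Added illustration (not the patent's code): weighted white list deviation score."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RankedPath:
    nodes: tuple     # function-level path, e.g. ("predict", "conv2d", "sgemm_")
    frequency: int   # trigger count f_i recorded when the white list was built


def path_deviation(p, q):
    """ASSUMED deviation: share of positions j where p_ij != q_ij.
    Positions present in only one of the two paths count as mismatches."""
    longest = max(len(p), len(q))
    if longest == 0:
        return 0.0
    mismatches = sum(1 for a, b in zip(p, q) if a != b) + abs(len(p) - len(q))
    return mismatches / longest


def ranked_path_anomaly(whitelist_paths, monitored_paths):
    """Weighted deviation between the rank-i white list path and the rank-i
    monitored path. ASSUMED weights: w_i = f_i / sum(f), so a change in the
    most frequently triggered path counts more than one in the N-th path."""
    total = sum(p.frequency for p in whitelist_paths)
    score = 0.0
    for i, p in enumerate(whitelist_paths):
        w = p.frequency / total if total else 1.0 / len(whitelist_paths)
        q = monitored_paths[i] if i < len(monitored_paths) else ()
        score += w * path_deviation(p.nodes, q)
    return score


def range_anomaly(allowed, observed):
    """Share of operation types that are unknown to the white list or whose
    count falls outside the trusted (low, high) range."""
    keys = set(allowed) | set(observed)
    if not keys:
        return 0.0
    bad = 0
    for key in keys:
        count = observed.get(key, 0)
        if key not in allowed:
            bad += 1
        else:
            low, high = allowed[key]
            if not low <= count <= high:
                bad += 1
    return bad / len(keys)


def evaluate(whitelist, run, n_weights, threshold):
    """T = n1*T_control-flow + n2*T_data-flow + n3*T_read-disk + n4*T_syscall,
    then compare T with the abnormality threshold P."""
    scores = {
        "control-flow": ranked_path_anomaly(whitelist["control-flow"], run["control-flow"]),
        "data-flow": ranked_path_anomaly(whitelist["data-flow"], run["data-flow"]),
        "read-disk": range_anomaly(whitelist["read-disk"], run["read-disk"]),
        "syscall": range_anomaly(whitelist["syscall"], run["syscall"]),
    }
    total = sum(n_weights[k] * scores[k] for k in scores)
    return {"scores": scores, "T": total, "abnormal": total > threshold}


# Constructed sample data: function names, counts, weights and threshold are invented.
WHITELIST = {
    "control-flow": [
        RankedPath(("predict", "conv2d", "sgemm_", "sgemm_kernel"), 600),
        RankedPath(("predict", "linear", "sgemv_", "sgemv_kernel"), 300),
        RankedPath(("predict", "softmax", "expf"), 100),
    ],
    "data-flow": [
        RankedPath(("image", "tensor", "weights", "logits"), 800),
        RankedPath(("logits", "label"), 200),
    ],
    "read-disk": {"read": (1, 4), "write": (0, 1)},
    "syscall": {"openat": (1, 4), "read": (1, 64), "mmap": (0, 8), "write": (0, 2)},
}
NORMAL_RUN = {
    "control-flow": [p.nodes for p in WHITELIST["control-flow"]],
    "data-flow": [p.nodes for p in WHITELIST["data-flow"]],
    "read-disk": {"read": 2, "write": 0},
    "syscall": {"openat": 2, "read": 30, "mmap": 3, "write": 1},
}
# Same run after the hottest path diverges and write activity spikes.
TAMPERED_RUN = {
    **NORMAL_RUN,
    "control-flow": [("predict", "conv2d", "sgemm_", "unknown_stub")]
    + NORMAL_RUN["control-flow"][1:],
    "read-disk": {"read": 2, "write": 9},
    "syscall": {"openat": 2, "read": 30, "mmap": 3, "write": 250},
}
N_WEIGHTS = {"control-flow": 0.4, "data-flow": 0.2, "read-disk": 0.2, "syscall": 0.2}
THRESHOLD_P = 0.1

if __name__ == "__main__":
    for name, run in (("normal", NORMAL_RUN), ("tampered", TAMPERED_RUN)):
        print(name, evaluate(WHITELIST, run, N_WEIGHTS, THRESHOLD_P))
```

The per-feature scores are kept in the result so that the later root cause step can see which of the four features drove the alarm.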
In an exemplary embodiment, step S206 further includes, after maintaining the grid fault identification model by adopting the adaptive strategy if the monitoring result is that there is an abnormality:
Updating the white list and the detection rule by means of a feedback function, according to the adaptive strategy and the abnormal behavior detection result of the monitoring result.
Updating the white list and the detection rule by means of the feedback function comprises:
$W' = F(W, E)$
$\varphi' = F(\varphi, E)$
wherein $F(\cdot)$ represents the feedback function, $E$ represents the abnormal behavior detection result, $W$ represents the white list, $\varphi$ represents the detection rule, $W'$ represents the updated white list and $\varphi'$ represents the updated detection rule.
Optionally, the server updates the whitelist and the detection rule by adopting a feedback function according to the adopted adaptive strategy and the abnormal behavior monitoring result of the monitoring result, for example, the adaptive strategy corrects the abnormal code segment, updates the corrected code segment into the whitelist, and updates the calculation weight of the similarity included in the detection rule according to the abnormal behavior monitoring result.
In this embodiment, behavior learning is performed after the server completes the repair of the power grid fault identification model: the server learns from the adaptive strategy and the abnormal behavior detection result of the monitoring result, and optimizes the white list and the detection rule to improve detection accuracy and response speed. The system also periodically updates the white list and the self-healing strategy according to the latest attack methods and changes in the system's running environment, so as to maintain the system's defensive capability.
In an exemplary embodiment, step S206 maintains the grid fault identification model using an adaptive strategy in the case that the monitoring result is that there is an abnormality, including:
Under the condition that the monitoring result is that the abnormality exists, determining a code segment or a disk memory area generating the abnormality according to the abnormality behavior detection result, isolating the code segment or the disk memory area, analyzing root causes to determine abnormality reasons, and maintaining a power grid fault identification model by adopting a self-adaptive strategy according to the abnormality reasons.
Root cause analysis (Root Cause Analysis, RCA) may be a systematic approach to identifying and addressing the root cause of a problem rather than only its surface symptoms. By looking for the deeper causes of problems, organizations can take effective measures to prevent similar problems from recurring.
Optionally, if the monitoring result of the power grid fault identification model is that there is an abnormality, the server determines the code segment or disk memory area generating the abnormality according to the abnormal behavior detection result, isolates that code segment or disk memory area, and performs root cause analysis to determine the cause of the abnormality, for example whether the features of the input samples have changed or the integrity of the program has been damaged. The power grid fault identification model is then maintained with an adaptive strategy chosen according to the cause. For example, when an abnormality is detected in the control flow and the data flow of the power grid fault identification model, the execution logic of the program has changed greatly in a short time, so the abnormal behavior detection result is judged to be a bit flip attack; if the input samples are far from the historical samples, an adversarial example attack is judged to be likely and the model needs to be retrained. As another example, the basic linear algebra subprograms (Basic Linear Algebra Subprogram, BLAS) library on which the original model depends is soft-linked to a backed-up normal dynamic link library, and the model is rerun to observe whether it returns to normal. If it does not, the preset repair schemes of lower priority are executed in turn until the rerun model enters a normal state, or the repair failure is escalated as an alarm to a higher layer.
In this embodiment, by isolating the code segment or the disk memory area in which the abnormality occurs, the fault is prevented from being continuously spread to other positions, and according to the root cause analysis of the code segment or the disk memory area in which the abnormality occurs, the corresponding cause of the abnormality is obtained, and the code segment and the disk memory area are maintained by adopting the adaptive strategy, so that the influence of the abnormality on the performance of the model is reduced, and the maintenance effect of the power grid fault identification model is further improved.
In an exemplary embodiment, the steps of the foregoing embodiment maintain the grid fault identification model according to the cause of the anomaly by adopting an adaptive strategy, including:
Rolling back the data of the code segment or the disk memory area, or repairing it with an online repair function, according to the cause of the abnormality.
The function corresponding to repair with the online repair function is:
$S_{\text{repair}}(t) = R(S(t), E)$
where $S(t)$ is the running state of the power grid fault identification model at the current time, $E$ represents the abnormal behavior detection result, $S_{\text{repair}}(t)$ represents the running state of the repaired power grid fault identification model, and $R(\cdot)$ represents the online repair function.
Optionally, the server detects whether the abnormality is caused by the characteristic change of the input sample or the abnormality of the model program itself according to the abnormality cause, and rolls back the data of the code segment or the disk memory area or repairs the data by adopting an online repair function. Specifically, if the code segment is abnormal, the code segment version is rolled back to the code segment version which works normally, and the data in the disk memory area can also be rolled back to the data version which is not abnormal.
In this embodiment, according to the abnormal cause of the power grid fault identification model, a corresponding adaptive strategy is adopted, so that the downtime is reduced, the availability of the model is improved, and the maintenance effect of the model is further improved.
In an exemplary embodiment, another method for maintaining abnormality of a power grid fault identification model is provided, which is applied to a smart power grid fault identification model bit-flipping vulnerability intrusion detection and self-healing system based on a white list as shown in fig. 3, and includes:
The white list generation module, the real-time monitoring module and the self-adapting and self-healing module of the system run on the hardware device on which the smart grid fault identification model is deployed, while the abnormality detection and alarm module runs on the cloud server. When it runs, the white list generation module sends the generated white list to the corresponding address on the cloud server. Similarly, while the model runs, the data collected by the real-time monitoring module are uploaded to the cloud server, which compares the model's running state data with the white list, judges whether an abnormality has occurred and whether an alarm is needed, and sends the judgment result to the device running the model. If the server's judgment is abnormal, the device first attempts self-healing, for example by replacing the dynamic link library judged to be abnormal with a backed-up normal library. If the abnormality is not relieved, the model's local device requests the last backup state from the cloud server; at that point the cloud server also extracts the features of the abnormal behavior and updates the white list of the local model.
The system can also run entirely locally. Running the abnormality detection and alarm module on the cloud server is considered for two reasons: on the one hand, storing the white lists of all smart grid fault detection models on the cloud server makes them easier for an administrator to manage; on the other hand, comparing real-time data with the white list is complex and computationally demanding, so running it on the server reduces the load on the model's local device and provides better real-time performance.
The smart grid fault recognition model bit flip vulnerability intrusion detection and self-healing system described in this embodiment mainly includes four modules, namely a white list generation module, a real-time monitoring module, an anomaly detection and alarm module and an adaptive and self-healing module, and further includes a behavior learning process, which is specifically as follows:
The static analysis process of the white list generation module carries out four processes in sequence: code analysis, control flow analysis, data flow analysis, and disk access and system call. For code analysis, this embodiment focuses on the underlying code library of the machine learning framework, because bit flip attacks usually target the underlying code library, which allows a white-box attack and is more general. The smart grid fault identification model in this embodiment is a deep-neural-network image recognition model developed with PyTorch; it checks whether foreign objects that may cause power grid equipment faults, such as branches and plastic packages, appear on a transmission line. The model source code depends on the underlying basic linear algebra subprograms, namely the BLAS library, which appears in the executable program as the libblas.so or libopenblas.so library (on a Linux system). During static code analysis, the system first uses the IDA Pro tool to analyze the BLAS dynamic link library on the model's local device to generate a control flow graph (Control Flow Graph, CFG) and a data flow graph (Data Flow Graph, DFG), and then performs control flow graph analysis and data flow graph analysis respectively.
Control flow analysis mainly extracts function-level program execution paths from the control flow graph generated by code analysis. Because the control flow graph can essentially be stored in a multi-way tree data structure, in which nodes are functions and edges are control flow transfers, this embodiment can traverse in reverse from the leaf nodes to obtain all execution paths.
Specifically, with the nodes denoted $V$ and the edges denoted $E$:
$CFG = (V, E)$
Let $P_{CFG}$ be the set of all execution paths in the control flow graph, each execution path $p_i$ be a sequence of nodes, and $m$ be the tree depth; then:
$P_{CFG} = \{p_1, p_2, \ldots, p_n\}$
$p_i = (v_{i1}, v_{i2}, \ldots, v_{im}), \quad v_{ij} \in V$
By traversing in reverse from leaf node $v_L$, all execution paths can be obtained:
Similarly, the same processing is used for data flow analysis: starting from a leaf node, the paths by which all data flow into that leaf node are obtained.
Specifically, with the nodes denoted $V'$ and the edges denoted $E'$:
$DFG = (V', E')$
Let $P_{DFG}$ be the set of all data flow paths in the control flow graph, each execution path $d_i$ be a sequence of nodes, and $m$ be the tree depth; then:
$P_{DFG} = \{d_1, d_2, \ldots, d_n\}$
$d_i = (v'_{i1}, v'_{i2}, \ldots, v'_{im}), \quad v'_{ij} \in V'$
By traversing in reverse from leaf node $v'_L$, all execution paths can be obtained:
In addition, while the control flow and the data flow are analyzed, how the intermediate code accesses memory is recorded, such as at which positions of an execution path disk accesses occur and the size and frequency of the accessed space. These steps complete the static analysis of the code of the power grid fault identification model. The dynamic analysis of this embodiment comprises four processes: test case design, code instrumentation, execution monitoring and behavior recording. For test case design, this embodiment inputs a large amount of power grid equipment monitoring image data to the model for fault identification. Note that the input data must be representative: images with features from different time periods, regions, equipment and climates are input to the model so as to cover the feature space of all input images as far as possible. The purpose of dynamic analysis is to collect the state features of the model in normal operation in order to generate the white list. To do so, the code must be dynamically instrumented: for example, a counter is set on a key function to count the range of the number of times the function is called in one normal fault identification, and features such as the frequency and order of the functions called before different functions are also counted. The monitoring step uses the control flow graph and the data flow graph obtained in static code analysis; its main content is monitoring how frequently the different paths are executed while the model runs normally.
Behavior recording records the monitored information. In this embodiment, the executions of the control flow paths and data flow paths are recorded and sorted by frequency to obtain the program features of the model in normal execution, and the disk access features (the function triggering the disk access, the access size, the number of disk accesses and so on) and the system call features (the function triggering the system call, the type of system call, the number of system calls and so on) during path execution are recorded. Finally, the white list is generated by integrating the data obtained from static analysis and dynamic analysis; in this embodiment the white list mainly considers four aspects: control flow path frequency, data flow path frequency, disk access features and system call features. Specifically, a threshold N is set, the control flow paths and data flow paths whose frequencies rank in the top N are extracted, and the disk access and system call features during the execution of those paths are recorded. The result is stored locally as the white list, or uploaded and stored there when a cloud server is used.
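White list generation as described above (reverse traversal from the leaves of a tree-shaped control flow graph, then frequency ranking of the instrumented runs), as an added example that is not code from the patent. The graph, the traces, the record layout and the choice to hold back paths missing from the static graph for manual review are assumptions.

```python
"""Added illustration (not the patent's code): static paths + dynamic top-N white list."""
from collections import Counter

# Constructed function-level CFG stored as child -> parent (a tree, as the text assumes).
PARENT = {
    "predict": None,
    "conv2d": "predict",
    "linear": "predict",
    "sgemm_": "conv2d",
    "sgemm_kernel": "sgemm_",
    "sgemm_beta": "sgemm_",
    "sgemv_": "linear",
    "sgemv_kernel": "sgemv_",
}

# Constructed instrumentation records from normal runs:
# (executed path, system call counts, bytes read from disk).
TRACES = [
    (("predict", "conv2d", "sgemm_", "sgemm_kernel"), {"read": 12, "mmap": 2}, 4096),
    (("predict", "conv2d", "sgemm_", "sgemm_kernel"), {"read": 16, "mmap": 2}, 8192),
    (("predict", "conv2d", "sgemm_", "sgemm_kernel"), {"read": 14, "mmap": 3}, 4096),
    (("predict", "linear", "sgemv_", "sgemv_kernel"), {"read": 4}, 1024),
    (("predict", "linear", "sgemv_", "sgemv_kernel"), {"read": 6}, 1024),
    (("predict", "conv2d", "sgemm_", "sgemm_beta"), {"read": 2}, 512),
    (("predict", "conv2d", "dlopen_stub"), {"openat": 1}, 0),  # absent from the CFG
]


def leaf_nodes(parent):
    """Nodes that are nobody's parent."""
    internal = {p for p in parent.values() if p is not None}
    return sorted(node for node in parent if node not in internal)


def path_from_leaf(parent, leaf):
    """Follow parent links from a leaf back to the root, then reverse the walk."""
    path, seen, node = [], set(), leaf
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle at {node!r}: graph is not a tree")
        seen.add(node)
        path.append(node)
        node = parent[node]
    return tuple(reversed(path))


def static_paths(parent):
    """P_CFG: one root-to-leaf execution path per leaf node."""
    return {path_from_leaf(parent, leaf) for leaf in leaf_nodes(parent)}


def build_whitelist(parent, traces, top_n):
    """Keep the top-N most frequent observed paths that the static graph confirms,
    with the system call ranges and largest disk access seen on each path.
    Observed paths missing from the static graph are returned as conflicts
    for manual verification instead of being trusted (ASSUMED policy)."""
    known = static_paths(parent)
    frequency = Counter(path for path, _, _ in traces)
    conflicts = sorted(p for p in frequency if p not in known)
    ranked = sorted((p for p in frequency if p in known),
                    key=lambda p: (-frequency[p], p))[:top_n]
    entries = []
    for path in ranked:
        runs = [(calls, disk) for p, calls, disk in traces if p == path]
        names = sorted({name for calls, _ in runs for name in calls})
        entries.append({
            "path": path,
            "frequency": frequency[path],
            "syscalls": {
                n: (min(c.get(n, 0) for c, _ in runs), max(c.get(n, 0) for c, _ in runs))
                for n in names
            },
            "disk_bytes_max": max(disk for _, disk in runs),
        })
    return {"paths": entries, "conflicts": conflicts}


if __name__ == "__main__":
    for entry in build_whitelist(PARENT, TRACES, top_n=2)["paths"]:
        print(entry)
```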
The real-time monitoring module in this embodiment covers three aspects: code execution monitoring, disk access monitoring and system call monitoring. Code execution monitoring uses instrumented code to collect the control flow and data flow program running paths in the BLAS library part (such as libblas.so or libopenblas.so on the Linux platform) while the model runs, records all execution paths and extracts the top N control flow and data flow paths with the highest frequency. Disk access monitoring is responsible for collecting the disk access features while the model runs, including the size and frequency of the accessed memory blocks. Likewise, system call monitoring mainly monitors the system call features while the program runs, including the types and number of system calls triggered. Finally, all collected data are transmitted to the abnormality detection and alarm module, on the local device or on the cloud server, for processing.
In the abnormality detection process, the abnormality detection and alarm module compares the received running data of the smart grid fault detection model with the white list. Specifically, it matches the control flow execution data, the data flow execution data, the disk access feature data and the system call feature data against the white list rules and calculates the similarity between each of the four kinds of data and the white list data. For example, it calculates the deviation between the monitored top N control flow execution paths, ranked by the model's call frequency, and the normal execution paths recorded in the white list, and assigns weights to the different positions according to call frequency: a difference in the control flow with the highest trigger frequency represents a higher abnormality than a difference in the control flow whose trigger frequency ranks N-th. The specific weighting method can be set according to how loose the administrator's security policy is. This yields the abnormality degree of the control flow execution data. The abnormality caused by each kind of feature is judged from the abnormality values of the features, and the cause and the judgment result are transmitted to the self-adapting and self-healing module.
The self-adapting and self-healing module is triggered after the abnormality detection and alarm module generates alarm information. In this embodiment, the module performs three steps: fault isolation, root cause analysis and automatic repair. Fault isolation here mainly means that the module immediately notifies the device to stop running the fault detection model, to prevent the fault from spreading to other positions and causing a more serious impact. To restore normal operation of the model as soon as possible, the system first performs root cause analysis on the model abnormality and determines whether the cause is a change in the features of the input samples or damage to the integrity of the program. For example, when an abnormality is detected in the control flow and the data flow, the execution logic of the program has changed greatly in a short time, so a bit flip attack is judged to have occurred; when the input samples are far from the historical samples, an adversarial example attack is judged to be likely, and steps such as retraining the model are required. After the cause of the abnormality is obtained, the automatic repair process starts and a preset scheme is executed according to the specific cause, such as soft-linking the basic linear algebra subprograms (Basic Linear Algebra Subprogram, BLAS) library on which the original model depends to a backed-up normal dynamic link library and restarting the model to observe whether the normal state is restored. If it is not, the preset repair schemes of lower priority are executed in turn until the restarted model runs normally, or the repair failure is escalated as an alarm to a higher layer.
After the module successfully repairs the abnormality, it learns from the abnormal behavior in order to improve the white list. In this embodiment, when analyzing the root cause the module finds that the system executed a large number of write system calls in the abnormal state; during behavior learning the module is therefore prompted to appropriately limit the number or frequency of the corresponding system calls in the white list, so that attacks are identified more accurately.
In this embodiment, a white list is generated for the deep neural network (Deep Neural Network, DNN) model in the smart grid, and the model's running behavior is compared with the white list to detect abnormal behavior, in particular abnormalities caused by bit flip attacks. Once an abnormality is detected, the system self-heals automatically and restores the model to its normal state, ensuring the accuracy and reliability of fault detection.
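The prioritized repair sequence described for the self-adapting and self-healing module, as an added example that is not code from the patent: re-link the BLAS library to a backup, check whether health is restored, fall through to the next preset scheme, and escalate if none works. The file names, the SHA-256 comparison used as a stand-in for "rerun the model and observe", and the second scheme's local "cloud" directory are assumptions.

```python
"""Added illustration (not the patent's code): prioritized self-healing of a BLAS link."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def healthy(link, trusted_digest):
    """ASSUMED health check: the library the link resolves to must match the
    digest recorded for the trusted build. A real system would rerun the model."""
    try:
        data = Path(os.path.realpath(link)).read_bytes()
    except OSError:
        return False
    return hashlib.sha256(data).hexdigest() == trusted_digest


def relink(link, target):
    """Repoint the symlink atomically: build the new link beside the old one and
    rename it into place, so the library path never disappears mid-repair."""
    tmp = f"{link}.tmp"
    if os.path.lexists(tmp):
        os.remove(tmp)
    os.symlink(target, tmp)
    os.replace(tmp, link)


def self_heal(link, schemes, trusted_digest, alarm):
    """Run preset repair schemes in priority order until the health check passes.
    If every scheme fails, raise the alarm to the higher layer."""
    tried = []
    for name, action in schemes:
        tried.append(name)
        try:
            action()
        except OSError as exc:
            alarm(f"{name} failed: {exc}")
            continue
        if healthy(link, trusted_digest):
            return {"restored": True, "scheme": name, "tried": tried}
    alarm("repair failed, escalating to higher layer")
    return {"restored": False, "scheme": None, "tried": tried}


def demo():
    """Constructed scenario in a temporary directory: the active library and the
    local backup both carry one flipped bit, the copy under cloud/ is intact."""
    alarms = []
    with tempfile.TemporaryDirectory() as tmpdir:
        root = Path(tmpdir)
        good = b"constructed stand-in for a trusted BLAS build"
        flipped = bytes([good[0] ^ 0x01]) + good[1:]
        (root / "libblas.active.so").write_bytes(flipped)
        (root / "libblas.backup.so").write_bytes(flipped)
        (root / "cloud").mkdir()
        (root / "cloud" / "libblas.so").write_bytes(good)
        link = str(root / "libblas.so")
        os.symlink(root / "libblas.active.so", link)
        trusted = hashlib.sha256(good).hexdigest()

        def restore_last_backup():
            restored = root / "libblas.restored.so"
            shutil.copyfile(root / "cloud" / "libblas.so", restored)
            relink(link, restored)

        schemes = [
            ("relink-local-backup", lambda: relink(link, root / "libblas.backup.so")),
            ("restore-last-backup", restore_last_backup),
        ]
        before = healthy(link, trusted)
        result = self_heal(link, schemes, trusted, alarms.append)
    return before, result, alarms


if __name__ == "__main__":
    print(demo())
```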
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an abnormal maintenance device of the power grid fault recognition model for realizing the abnormal maintenance method of the power grid fault recognition model. The implementation scheme of the device for solving the problem is similar to the implementation scheme recorded in the method, so the specific limitation in the embodiment of the abnormality maintenance device for one or more power grid fault identification models provided below can be referred to the limitation of the abnormality maintenance method for the power grid fault identification model hereinabove, and is not repeated herein.
In one exemplary embodiment, as shown in FIG. 4, an anomaly maintenance device 400 for a power grid fault identification model is provided, comprising a whitelist generation module 402, a model monitoring module 404, and a model maintenance module 406, wherein:
The white list generation module is used for carrying out static analysis and dynamic analysis on the power grid fault identification model successively to generate a white list, wherein the white list comprises a trusted code section, trusted disk access behaviors and the range and frequency of trusted system call.
The model monitoring module is used for monitoring the running state of the power grid fault identification model in real time according to the white list to obtain a monitoring result of the power grid fault identification model, wherein the monitoring result comprises two conditions of normal running and abnormal running, the condition of normal running indicates that the running state accords with the white list, and the condition of abnormal running indicates that the running state does not accord with the white list.
And the model maintenance module is used for maintaining the power grid fault identification model by adopting a self-adaptive strategy under the condition that the monitoring result is abnormal.
Further, in one embodiment, the white list generating module 402 is further configured to perform static analysis on the code of the power grid fault recognition model to obtain an initial white list without executing the code of the power grid fault recognition model, perform dynamic analysis on the code of the power grid fault recognition model to obtain a supplementary white list with executing the code of the power grid fault recognition model, and generate the white list according to a union of the initial white list and the supplementary white list.
Further, in one embodiment, the model monitoring module 404 is further configured to obtain, in real time, an operation state of the power grid fault identification model, where the operation state includes a code execution path, a disk access behavior, and a system call condition, and compare the whitelist with the code execution path, the disk access behavior, and the system call condition according to a preset detection rule, respectively, to obtain a monitoring result of the power grid fault identification model.
Further, in one embodiment, the model monitoring module 404 is further configured to calculate similarities between the code execution path, the disk access behavior, the system call situation and the whitelist data, determine that the monitoring result is abnormal if any one of the similarities is lower than a preset threshold, and determine that the monitoring result is normal operation if all the similarities are higher than the preset threshold.
Further, in one embodiment, the model maintenance module 406 is further configured to update the whitelist and the detection rule with a feedback function according to the adaptive policy and the abnormal behavior detection result of the monitoring result, where updating the whitelist and the detection rule with the feedback function includes:
$W' = F(W, E)$
$\varphi' = F(\varphi, E)$
wherein $F(\cdot)$ represents the feedback function, $E$ represents the abnormal behavior detection result, $W$ represents the white list, $\varphi$ represents the detection rule, $W'$ represents the updated white list and $\varphi'$ represents the updated detection rule.
Further, in one embodiment, the model maintenance module 406 is further configured to determine, if the monitoring result is that there is an abnormality, a code segment or a disk memory area generating the abnormality according to the abnormality behavior detection result, isolate the code segment or the disk memory area, analyze a root cause, determine a cause of the abnormality, and maintain the power grid fault identification model according to the cause of the abnormality by adopting an adaptive strategy.
Further, in one embodiment, the model maintenance module 406 is further configured to roll back data of the code segment or the disk memory area, or repair the data with an online repair function, according to the cause of the abnormality, where the function corresponding to repair with the online repair function is:
$S_{\text{repair}}(t) = R(S(t), E)$
where $S(t)$ is the running state of the power grid fault identification model at the current time, $E$ represents the abnormal behavior detection result, $S_{\text{repair}}(t)$ represents the running state of the repaired power grid fault identification model, and $R(\cdot)$ represents the online repair function.
The various modules in the anomaly maintenance device 400 of the above-described grid fault identification model may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one exemplary embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in FIG. 5. The computer device includes a processor, a memory, an input/output (I/O) interface and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The database of the computer device is used to store trusted code segments, trusted disk access behavior, and range and frequency data for trusted system calls. The input/output interface of the computer device is used to exchange information between the processor and external devices. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements an anomaly maintenance method for a power grid fault identification model.
It will be appreciated by those skilled in the art that the structure shown in FIG. 5 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile memory and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), etc. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computation, an Artificial Intelligence (AI) processor, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined. For brevity of description, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction between the combinations of the technical features, they should be considered to be within the scope of the present application.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.
Claims (10)
1. An anomaly maintenance method for a power grid fault identification model, which is characterized by comprising the following steps:
performing static analysis and dynamic analysis on the power grid fault identification model successively to generate a white list, wherein the white list comprises a trusted code section, trusted disk access behaviors, and a trusted system call range and frequency;
acquiring an operation state of the power grid fault identification model in real time, wherein the operation state of the power grid fault identification model comprises a code execution path, a disk access behavior and a system call condition, and the code execution path comprises control flow execution data and data flow execution data; respectively calculating abnormal values between the control flow execution data, the data flow execution data, the disk access behavior, the system call condition and the data of the white list to obtain a monitoring result of the power grid fault identification model, wherein the monitoring result comprises two conditions of normal operation and abnormal operation;
and under the condition that the monitoring result is abnormal, maintaining the power grid fault identification model by adopting a self-adaptive strategy.
2. The method of claim 1, wherein the performing static analysis and dynamic analysis on the grid fault identification model sequentially generates a whitelist, comprising:
Under the condition that the code of the power grid fault identification model is not executed, carrying out static analysis on the code of the power grid fault identification model to obtain an initial white list;
Under the condition of executing the code of the power grid fault identification model, dynamically analyzing the code of the power grid fault identification model to obtain a supplementary white list;
and generating a white list according to the union set of the initial white list and the supplementary white list.
3. The method according to claim 1, wherein the calculating the abnormal values between the control flow execution data, the data flow execution data, the disk access behavior, the system call condition and the whitelist data, respectively, to obtain the monitoring result of the grid fault recognition model includes:
carrying out weighted summation according to the control flow execution data, the data flow execution data, the disk access behavior and the abnormal value between the system call condition and the data of the white list to obtain a final abnormal value;
And obtaining a monitoring result of the power grid fault identification model according to the comparison result between the final abnormal value and the abnormal threshold value.
4. The method according to claim 1, wherein, in the case that the monitoring result is that there is an abnormality, after maintaining the power grid fault identification model by adopting an adaptive strategy, the method further comprises:
Updating the white list and the detection rule by adopting a feedback function according to the self-adaptive strategy and the abnormal behavior detection result of the monitoring result, wherein the detection rule is a comparison judgment standard between a preset white list and a power grid fault recognition model;
wherein the functions corresponding to updating the white list and the detection rule with the feedback function comprise:
$$W' = F(W, E)$$
$$\varphi' = F(\varphi, E)$$
wherein $F(\cdot)$ represents the feedback function, $E$ represents the abnormal behavior detection result, $W$ represents the white list, $\varphi$ represents the detection rule, $W'$ represents the updated white list, and $\varphi'$ represents the updated detection rule.
5. The method according to claim 4, wherein in case the monitoring result is that there is an abnormality, maintaining the grid fault identification model using an adaptive strategy comprises:
Under the condition that the monitoring result is abnormal, determining a code segment or a disk memory area generating the abnormality according to the abnormal behavior detection result;
isolating the code segment or the disk memory area, and analyzing root cause to determine the cause of abnormality;
and maintaining the power grid fault identification model by adopting a self-adaptive strategy according to the abnormal reasons.
6. The method of claim 5, wherein maintaining the grid fault identification model using an adaptive strategy based on the anomaly cause comprises:
Rolling back the data of the code segment or the disk memory area or repairing the data by adopting an online repairing function according to the abnormal reason;
wherein the function corresponding to repairing with the online repair function comprises:
$$S_{repair}(t) = R(S(t), E)$$
wherein $S(t)$ is the running state of the power grid fault identification model at the current time, $E$ represents the abnormal behavior detection result, $S_{repair}(t)$ represents the running state of the power grid fault identification model after repair, and $R(\cdot)$ represents the online repair function.
7. An anomaly maintenance device for a power grid fault recognition model, the device comprising:
a white list generation module, used for performing static analysis and dynamic analysis successively on the power grid fault identification model to generate a white list, wherein the white list comprises a trusted code section, trusted disk access behaviors, a trusted system call range and a trusted system call frequency;
The model monitoring module is used for acquiring the running state of the power grid fault identification model in real time, wherein the running state comprises a code execution path, a disk access behavior and a system call condition, the code execution path comprises control flow execution data and data flow execution data, abnormal values among the control flow execution data, the data flow execution data, the disk access behavior, the system call condition and the white list data are calculated respectively to obtain a monitoring result of the power grid fault identification model, the monitoring result comprises normal running and abnormal conditions, the normal running condition indicates that the running state accords with the white list, and the abnormal conditions indicate that the running state does not accord with the white list;
and the model maintenance module is used for maintaining the power grid fault identification model by adopting a self-adaptive strategy under the condition that the monitoring result is abnormal.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the preceding claims 1 to 6.
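The whitelist union, weighted anomaly score and feedback update of claims 2 to 4, as an added Python example that is not part of the patent text. The per-dimension anomaly formulas, the weights, the threshold, the reviewer-gated form of F and all sample data are assumptions constructed for illustration; the page does not specify them.

```python
from dataclasses import dataclass, field

@dataclass
class Whitelist:
    code_edges: set = field(default_factory=set)     # trusted control-flow edges
    data_flows: set = field(default_factory=set)     # trusted (source, sink) pairs
    disk_paths: set = field(default_factory=set)     # trusted disk access behaviour
    syscall_max: dict = field(default_factory=dict)  # trusted syscall -> max calls per window

    def union(self, other):
        """Claim 2: whitelist = initial (static) list united with supplementary (dynamic) list."""
        limits = dict(self.syscall_max)
        for name, limit in other.syscall_max.items():
            limits[name] = max(limit, limits.get(name, 0))
        return Whitelist(self.code_edges | other.code_edges, self.data_flows | other.data_flows,
                         self.disk_paths | other.disk_paths, limits)

def unseen_fraction(observed, trusted):
    """Assumed anomaly value: share of distinct observed items absent from the whitelist."""
    observed = set(observed)
    return len(observed - trusted) / len(observed) if observed else 0.0

def syscall_anomaly(counts, limits):
    """Assumed anomaly value: share of calls outside the trusted range or above its frequency."""
    total = sum(counts.values())
    excess = sum(n - min(n, limits.get(name, 0)) for name, n in counts.items())
    return excess / total if total else 0.0

# Constructed weights and threshold; the page gives no numeric values.
WEIGHTS = {"control": 0.3, "data": 0.2, "disk": 0.2, "syscall": 0.3}
THRESHOLD = 0.25

def monitor(state, wl, weights=WEIGHTS, threshold=THRESHOLD):
    """Claim 3: weighted sum of the four anomaly values, compared with the threshold."""
    values = {
        "control": unseen_fraction(state["edges"], wl.code_edges),
        "data": unseen_fraction(state["flows"], wl.data_flows),
        "disk": unseen_fraction(state["disk"], wl.disk_paths),
        "syscall": syscall_anomaly(state["syscalls"], wl.syscall_max),
    }
    final = sum(weights[k] * v for k, v in values.items())
    return ("abnormal" if final > threshold else "normal"), final, values

def feedback(wl, event):
    """One assumed form of W' = F(W, E): admit only items a reviewer marked benign."""
    return wl.union(Whitelist(code_edges=set(event.get("benign_edges", ())),
                              disk_paths=set(event.get("benign_disk", ()))))

# Constructed sample data (hypothetical names and paths).
STATIC_WL = Whitelist({("load", "infer"), ("infer", "report")}, {("sensor_buf", "model_in")},
                      {"/opt/model/weights.bin"}, {"read": 100, "write": 20})
DYNAMIC_WL = Whitelist({("infer", "cache")}, {("model_out", "report_buf")},
                       {"/var/log/model.log"}, {"read": 150, "openat": 10})
WL = STATIC_WL.union(DYNAMIC_WL)

NORMAL_STATE = {"edges": [("load", "infer"), ("infer", "cache")],
                "flows": [("sensor_buf", "model_in")],
                "disk": ["/opt/model/weights.bin"],
                "syscalls": {"read": 120, "write": 5}}
ABNORMAL_STATE = {"edges": [("load", "infer"), ("infer", "patch")],
                  "flows": [("sensor_buf", "model_in")],
                  "disk": ["/opt/model/weights.bin", "/tmp/unlisted.bin"],
                  "syscalls": {"read": 100, "socket": 100}}

if __name__ == "__main__":
    for label, state in (("normal sample", NORMAL_STATE), ("abnormal sample", ABNORMAL_STATE)):
        status, final, values = monitor(state, WL)
        print(label, status, round(final, 3), values)
```

Gating `feedback` on reviewed items keeps an abnormal run from whitelisting its own behaviour.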
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411432534.1A CN119312139B (en) | 2024-10-14 | 2024-10-14 | Abnormal maintenance method, device, computer equipment and computer-readable storage medium for power grid fault identification model |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119312139A (en) | 2025-01-14 |
| CN119312139B (en) | 2025-09-23 |
Family
ID=94184017
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411432534.1A Active CN119312139B (en) | 2024-10-14 | 2024-10-14 | Abnormal maintenance method, device, computer equipment and computer-readable storage medium for power grid fault identification model |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119312139B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114417326A (en) * | 2021-12-31 | 2022-04-29 | 深信服科技股份有限公司 | Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium |
| CN116595526A (en) * | 2023-06-16 | 2023-08-15 | 华北电力大学 | A container escape attack detection and defense method based on system calls |
Family Cites Families (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP4149178B2 (en) * | 2001-03-09 | 2008-09-10 | 松下電器産業株式会社 | Remote maintenance system |
| JP5301310B2 (en) * | 2009-02-17 | 2013-09-25 | 株式会社日立製作所 | Anomaly detection method and anomaly detection system |
| US11747035B2 (en) * | 2020-03-30 | 2023-09-05 | Honeywell International Inc. | Pipeline for continuous improvement of an HVAC health monitoring system combining rules and anomaly detection |
| CN112202736B (en) * | 2020-09-15 | 2021-07-06 | 浙江大学 | Communication network anomaly classification method based on statistical learning and deep learning |
| US11740618B2 (en) * | 2021-04-23 | 2023-08-29 | General Electric Company | Systems and methods for global cyber-attack or fault detection model |
| CN114357452A (en) * | 2022-02-18 | 2022-04-15 | 深圳供电局有限公司 | Malicious code detection method and system for secondary equipment of power system |
| US20230412629A1 (en) * | 2022-06-17 | 2023-12-21 | Vmware, Inc. | Securing an Anomaly Detection System for Microservice-Based Applications |
| CN117473505A (en) * | 2022-07-20 | 2024-01-30 | 上海交通大学 | A method for detecting memory fault injection vulnerabilities in machine learning code bases based on bit flipping |
| CN115865412B (en) * | 2022-11-01 | 2026-03-17 | 中国农业银行股份有限公司 | Training methods for intrusion detection models, intrusion detection methods and devices |
| CN115865487B (en) * | 2022-11-30 | 2024-06-04 | 四川启睿克科技有限公司 | Abnormal behavior analysis method and device with privacy protection function |
| CN116032003A (en) * | 2022-12-13 | 2023-04-28 | 国网湖北省电力有限公司荆州供电公司 | A power grid inspection method and system based on power private network data processing |
| CN116167010B (en) * | 2023-04-25 | 2023-12-08 | 南方电网数字电网研究院有限公司 | Rapid identification method for abnormal events of power system with intelligent transfer learning capability |
| CN118445174B (en) * | 2023-08-31 | 2025-04-29 | 北京奇虎科技有限公司 | Model security assessment method, device, storage medium and apparatus |
| CN117648637A (en) * | 2023-11-30 | 2024-03-05 | 云南电网有限责任公司 | Method and system for establishing fault rule base of automatic calibrating device of electric energy meter |
| CN118642874A (en) * | 2024-05-13 | 2024-09-13 | 度小满科技(北京)有限公司 | Database anomaly identification method, device, equipment and medium |
| CN118551224A (en) * | 2024-05-18 | 2024-08-27 | 河北亿广云数据有限公司 | Power supply fault detection method, system, equipment and medium for data center |
| CN118709091B (en) * | 2024-07-04 | 2024-11-08 | 广东粤海水务检测技术有限公司 | A method and system for fault diagnosis of environmental soil monitoring equipment |
| CN118568471B (en) * | 2024-08-02 | 2024-09-27 | 成都鑫众泰通用电气有限责任公司 | Intelligent power distribution station operation fault prediction method and system |
| CN118647092B (en) * | 2024-08-12 | 2024-12-03 | 国网信通亿力科技有限责任公司 | Comprehensive management method and system for power distribution communication network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119312139A (en) | 2025-01-14 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |