Detection model for key suspicious hosts in smart grids based on statistical analysis of alert data
Detection of compromised devices based on alert logs in smart grid
Detecting key suspicious hosts in a smart grid helps to analyze and assess the security threats the grid faces and to reduce security risk. However, compared with alert data in the general sense, the alert data in a smart grid monitoring system has a higher degree of alert aggregation and a lower alert aggregation threshold, which makes effective detection difficult with existing methods. To address this problem, this paper proposes a model for detecting key suspicious grid devices based on statistical analysis of alert data. Drawing on the characteristics of smart grid monitoring alert data, the model uses a purpose-built set of statistical analysis methods to "learn" the grid's "normal state", so that it can effectively identify the points in time that deviate from that normal state; this makes it suitable for detecting suspicious devices in the smart grid. Experiments show that, with suitably chosen parameters, the model achieves good accuracy and effectiveness on the current grid dataset.
Detecting compromised devices helps to analyze and evaluate the security threats in the smart grid and reduce the security risks. Compared with the alert data in the general sense, the alert data in the smart grid monitoring system has the features of a higher alert aggregation level and a lower alert aggregation threshold, which makes it difficult to detect the compromised devices with the existing detection methods. To solve this problem, in this paper, a compromised device detection model based on statistical analysis of alert data is proposed. In this model, the features of the alert data from the smart grid monitoring system are analyzed to "learn" the "normal state" of the power grid, so that it can effectively identify the change-point between the normal state and the abnormal state, at which the corresponding device is detected as compromised. Experimental results show that our proposed model achieves good accuracy and effectiveness on the current smart grid dataset by selecting appropriate parameters.
Authors: 邵立嵩, 孔飘红, 金正平, 蒋正威, 金学奇, 梁野, 周一凡
Subjects: Power transmission and distribution engineering; Safety science; Automation technology; Automation technology equipment
Keywords: Time series; Smart grid; Alert logs; Compromised devices detection
Citation: 邵立嵩, 孔飘红, 金正平, 蒋正威, 金学奇, 梁野, 周一凡. Detection model for key suspicious hosts in smart grids based on statistical analysis of alert data [EB/OL]. (2019-08-06) [2025-08-18]. http://www.paper.edu.cn/releasepaper/content/201908-1.