A Multi-Source Big Data Security System of Power Monitoring Network Based on Adaptive Combined Public Key Algorithm

The multi-source data collected by the power Internet of Things (IoT) provide the data foundation for the power big data analysis. Due to the limited computational capability and large amount of data collection terminals in power IoT, the traditional security mechanism has to be adapted to such an environment. In order to ensure the security of multi-source data in the power monitoring networks, a security system for multi-source big data in power monitoring networks based on the adaptive combined public key algorithm and an identity-based public key authentication protocol is proposed. Based on elliptic curve cryptography and combined public key authentication, the mapping value of user identification information is used to combine the information in a public and private key factor matrix to obtain the corresponding user key pair. The adaptive key fragment and combination method are designed so that the keys are generated while the status of terminals and key generation service is sensed. An identification-based public key authentication protocol is proposed for the power monitoring system where the authentication process is described step by step. Experiments are established to validate the efficiency and effectiveness of the proposed system. The results show that the proposed model demonstrates satisfying performance in key update rate, key generation quantity, data authentication time, and data security. Finally, the proposed model is experimentally implemented in a substation power IoT environment where the application architecture and security mechanism are described. The security evaluation of the experimental implementation shows that the proposed model can resist a series of attacks such as counterfeiting terminal, data eavesdropping, and tampering.


Introduction
In recent years, with high-level development at the economic level promoting the transformation of the traditional power grid, the smart grid has been produced, which integrates the electricity network, telecommunication infrastructure, and information technology [1]. Smart grid is an advanced digital infrastructure with two-way information communication, equipment control, and power distribution capabilities. The power monitoring network in the smart grid needs the development of new smart sensing systems with improved characteristics, including embedded data processing, remotely controllable, etc. [2]. Hence, wireless sensor network (WSN) and IoT (Internet of Things) technologies are gradually applied for monitoring power transmission lines, substation electrical equipment, and distribution site operations in smart grid [3]. An IoT-assisted power monitoring system comprises various sensors, communication components, intermediate data storage, and a remote monitoring center [4]. The massive quantity of data collected by power IoT systems is not only of large volume but is also more diversified compared with the traditional grid data, and its sources and distribution are more extensive [5]. Advances in
1. Inspired by the realistic implementations of SGCC (lack of efficient security countermeasures for massive IoT terminals/nodes) and the security threats faced by IoT and big data in smart grid, we propose a more efficient, effective, and easy-to-implement security system to provide end-to-end security, so that the risks such as malicious node injection, unauthorized access, and node tampering [14] are significantly lowered;
2. To increase the efficiency of the security system, we upgraded the CPK algorithm with the adaptive key fragment and combination method, so that the key generation and updating process is adapted according to the number of connecting terminals;
3. To eliminate the negative impact of malicious terminals, we propose an identity-based public key authentication protocol. The lightweight protocol can achieve the efficient secure access of massive terminals;
4. To verify the easy-to-implement property of the proposed system, the system was experimentally implemented in a substation scenario where the full functions were tested. It shows that the system can be easily implemented with minor changes to the existing network.
The remainder of the paper is organized as follows. The preliminary CPK algorithm is described in Section 2. Section 3 describes our proposed system, including the adaptive method and authentication protocol. Section 4 establishes experiments to demonstrate the performance and effectiveness of the proposed system. In Section 5, the proposed system is experimentally implemented in a substation scenario to test its full functions. Section 6 gives the conclusions of our paper.

Combined Public Key Algorithm
CPK is a public key system based on the combination, which combines key production and key management, and can meet the requirements of identification authentication [23]. A CPK cryptosystem is based on the user identification information. It uses information mapping technology to map user identification and then uses the mapping value to combine the information in the public-private key factor matrix until the corresponding key information is obtained. CPK is based on elliptic curve cryptography (ECC). Its generation does not rely on the participation of a trusted third party (e.g., certificate authority).

Elliptic Curve Cryptography
ECC uses a short key length to achieve a strong security strength, and CPK authentication is implemented based on the ECC algorithm. Since ECC with a short key length can achieve the security strength of other known key algorithms with a long key length (e.g., RSA), ECC technology has broad application prospects such as identity authentication and digital signature [24].
An elliptic curve E(K) is a curve that satisfies the Weierstrass equation, including all solutions of the function plus the so-called infinity point as shown in Equation (1):
Figure 1 shows the addition of two different points $P(x_1, y_1)$ and $Q(x_2, y_2)$ on the elliptic curve. Points P and Q are connected and the line is prolonged to intersect the curve E(K) at $R'$. Then, a line is drawn through $R'$ parallel to the Y axis, which intersects the curve E(K) at $R(x_3, y_3)$. R is the sum of the two points P and Q, denoted as R = P + Q. When P and Q coincide, a tangent line through point P can be drawn, which intersects the curve E(K) at one point. Then, a line parallel to the Y axis can be drawn through that point, which intersects the curve E(K) at a point $R(x_3, y_3)$, denoted as R = P + P = 2P. This construction is called the elliptic curve double point operation [25]. The addition of multiple coincident points P is denoted as Q = nP. It can also be seen from Figure 1 that the infinite point O intersects with the curve at point $p'$, and a line through $p'$ parallel to the Y axis intersects the curve at p. Then, we have O + p = p and $p' = -p$, where O is called the zero element and $p'$ is the inverse element of p.
The above curve is discussed in the real number domain. However, the elliptic curves used in cryptography are basically defined over the finite field $F_p$, which consists of p elements where p is a prime number. Then, the elliptic curve equation can be expressed by Equation (2), where $a, b \in F_p$:
The corresponding curve discriminant is shown in Equation (3):
The following multiplication operation can be defined from the double point operation on the elliptic curve: in the finite field $F_p$, G and Q are two points on the elliptic curve E(K), where G is the base point. There is an integer $k \in [1, n - 1]$ such that k·G = Q. The security of ECC is guaranteed by the following mathematical problem, called the discrete logarithm problem: given a base point G on the elliptic curve and an integer k, it is easy to compute Q = k·G; however, given the base point G and a known Q, it is hard to find k.
When using the digital signatures based on discrete logarithms, the confidentiality of k is very important. The cryptographic algorithm is so far one of the most important and fundamental algorithms. Through this discrete logarithm problem, processes such as encryption and signature are implemented [26].

CPK System
Based on ECC, CPK generates a secure elliptic curve and uses it to generate a key matrix, from which the key pairs required for secure communication between nodes in the network are generated.
The CPK system adopts the elliptic curve of Equation (2) on the finite field $F_p$, which is defined by the parameter T = (a, b, G, n, p), where a and b are the coefficients, $a, b, x, y \in F_p$, G is the base point on the curve, and n is the order of G. All the multiple points of the base point G form the subgroup S. The elements of subgroup S are all the multiple points kG, k = (1, 2, 3, ..., n), of G, so that $S = \{G, 2G, 3G, \ldots, nG\} = \{(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)\}$ is obtained.
The key generation center is responsible for constructing the matrix. First, according to the ECC principle, the base point G and the multiple point S are selected to construct the matrix on the finite field $F_p$. The key matrix generation process is shown in Figure 2. Based on the given parameter T = (a, b, G, n, p), a public and a private key matrix can be constructed. The public key matrix's dimension is m × h, and the elements are
The public key matrix is denoted as PSK. The elements in the private key matrix are denoted as $r_{ij}$, and the private key matrix is denoted as SSK.
A public key and private key pair can be expressed as
The implementation process is shown in Figure 3. Firstly, the user identity information was used to generate the seed matrix through the hash function operation [27] and the row mapping algorithm. Suppose the row and column coordinates of the identification mapping value are $(i_1, j_1), (i_2, j_2), \cdots, (i_t, j_t)$, and the obtained public key is shown in Equation (5):
The obtained private key is shown in Equation (6):
Hence, the generated key pair is shown in Equation (7):
$$PK = (x_{i_1,j_1}, y_{i_1,j_1}) + (x_{i_2,j_2}, y_{i_2,j_2}) + \cdots + (x_{i_t,j_t}, y_{i_t,j_t}) = r_{i_1,j_1}G + r_{i_2,j_2}G + \cdots + r_{i_t,j_t}G = SK \times G \tag{7}$$
SK is kept by the CPK key management center, and PK is open to users.
In the CPK-based identity authentication system, centralized generation and decentralized storage of keys is adopted [28]. The CPK system structure is shown in Figure 4.
Key initialization center (KIC): the parameter generation module generates the relevant parameters of the key matrix factor and transmits them to the key matrix factor generation module. In order to ensure the security of the system, KIC parameters and algorithms are sent to KMC through a secure channel.
Key management center (KMC): it is responsible for generating the public and private key matrices. According to the parameters sent by KIC, the matrix is generated and sent to the public database, which is convenient for users to query. When KMC receives the application from the certificate registration generation system (RMC), it generates the ID certificate according to the user's ID and sends it to RMC after signing it with the algorithm.
Certificate registration and generation center (RMC): it is mainly responsible for certificate application, distribution, and other work. It accepts the user's application and then applies for the public key and private key from KMC, writes the private key into the CPK key card, protects it with the random number and distributes it to the user. The public key factor matrix is publicly accessible to the user, and the user can generate the public key according to the elliptic curve [29]. The ID certificate in the CPK key is an important structure to implement the system, in which the identity authentication of the terminal and the level division of the authority access are implemented based on the ID certificate.
Open database: it is mainly responsible for the management of accessible information database, and it is the interface for other modules of the system to access data.
CPK key card: the server authenticates the user's identity through the CPK key card. The user can use the private key safely stored in the key card and call the cryptographic algorithm in the CPK key card to verify the information transmitted by the server through the elliptic curve digital signature algorithm (ECDSA).
Interface: the API interface related to the encryption algorithm is provided for the application layer in the operating system SDK, and the interface provides the required function for the application that needs to call the encryption algorithm. The digital signature, encryption, and decryption of data can be implemented through this interface.
Secure channel: the secure communication channel between the terminal and the server.
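The key-pair construction described above (identifier mapped to matrix coordinates, SK as the sum of the selected private factors, PK as the sum of the selected public points) can be checked with the following added example, which is not code from the paper. The curve (secp256k1), the SHA-256 column-wise mapping, the 16 × 8 matrix size, and the identifier strings are assumptions chosen for the demonstration.

```python
import hashlib
import secrets

# Domain parameters T = (a, b, G, n, p). The paper names no curve; secp256k1
# is used here purely as an assumption for the demonstration.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def ec_add(p1, p2):
    """Add two points of E(F_p); None stands for the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # P + (-P) = O
    if p1 == p2:                          # doubling: slope of the tangent
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:                                 # addition: slope of the chord
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Scalar multiple k*point by double-and-add (not constant time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def build_matrices(m, h):
    """KMC side: private factor matrix SSK (r_ij) and public matrix PSK (r_ij * G)."""
    ssk = [[secrets.randbelow(N - 1) + 1 for _ in range(h)] for _ in range(m)]
    psk = [[ec_mul(r, G) for r in row] for row in ssk]
    return ssk, psk


def map_identity(identity, m, h):
    """Map an identifier to coordinates (i_1, j_1) ... (i_t, j_t).

    Assumed mapping (the paper only says 'hash function' and 'row mapping'):
    t = h, one factor per column, row index = SHA-256(identity || column) mod m.
    """
    coords = []
    for j in range(h):
        digest = hashlib.sha256(identity.encode() + j.to_bytes(2, "big")).digest()
        coords.append((int.from_bytes(digest, "big") % m, j))
    return coords


def private_key(identity, ssk):
    """SK = sum of the selected r_ij mod n. Needs SSK, so only the KMC can run it."""
    coords = map_identity(identity, len(ssk), len(ssk[0]))
    return sum(ssk[i][j] for i, j in coords) % N


def public_key(identity, psk):
    """PK = sum of the selected points of PSK. Anyone holding PSK can run it."""
    pk = None
    for i, j in map_identity(identity, len(psk), len(psk[0])):
        pk = ec_add(pk, psk[i][j])
    return pk


if __name__ == "__main__":
    ssk, psk = build_matrices(m=16, h=8)        # 16^8 possible combinations
    sk = private_key("terminal-0001", ssk)      # constructed identifier
    pk = public_key("terminal-0001", psk)
    print("PK == SK*G:", pk == ec_mul(sk, G))
```

The verifier needs only the identifier and the published matrix PSK to obtain PK, which is why no certificate lookup is involved.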

System Architecture
As shown in Figure 5, the system consists of a server-side security service and a monitoring terminal-side security agent for each monitoring terminal in smart grid networks. The server-side service includes the preliminary CPK module introduced in Section 2, the adaptive service module that adjusts the parameters of CPK based on the sensed environment, the encryption module that provides secure data transmission, the identity-based public key authentication service module that provides terminal identity verification and the communication module. Accordingly, the terminal-side agent is comprised of secure data storage that ensures the security of intermediate data, key-related information, authentication module, encryption module, and communication module. The working procedure of the system during the power monitoring process can be summarized as follows:
(1) The terminal agent sends the terminal's identification information to the CPK module via the communication module. If the CPK module approves the application, it generates a key pair of that terminal and sends it to the terminal as well as the public key matrix.
(2) While the terminal agent applies for access to a specific business application, the authentication process begins between the server-side authentication service module and terminal side authentication module. The details of the authentication process will be discussed in Section 3.2.
(3) Once the terminal identity is verified, the negotiated symmetric key can be used in the following encrypted data transmission between server-side the encryption service
(4) When the data transmission is done, the server-side security service will decrypt the data and send them to the intranet application servers.
(5) During the above steps, the server-side adaptive service module monitors the status of connecting terminals and the current performance of CPK, and adjusts the parameters of the CPK module if necessary. The details of the adaptive service module will be discussed in Section 3.1.

Adaptive Key Fragment and Combination Method
Identity authentication with public and private key pairs generated by an identity-based cryptographic system ensures the secure access of multi-source big data in the power monitoring network. On this basis, an adaptive key slicing and combination method is proposed in which the initial key is used as the seed key. The process of partition and combination makes up for the defects of a low key generation and distribution rate. The components of the adaptive service module are shown in Figure 5.
As shown in Figure 6, the key generation center is monitored via communications between the key generation rate monitoring module and the key resources monitoring module in the adaptive service module and the adaptation assisting module in the CPK module, so that the time-varying generation rate of keys is identified and the total key resources are obtained at each time. Meanwhile, the number of terminals in this area is detected and the key update speed is measured via the terminal status detection module. By comparing the current key-related performance of the CPK module and the required key-related performance of connecting terminals, the key fragmentation and combination mode is adjusted via communications between the key generation adjustment module of the adaptive service module and the adaptation assisting module in the CPK module in order to fulfill the performance demands of multi-source big data encryption in the power monitoring network.
The method of key fragmentation is to divide the initial key pool into m fragment groups, called m sub-keys, each of which includes n keys, so that L = m × n sub-key resources are formed after fragmentation. Then, the sub-keys are further used to generate the corresponding keys. The key fragmentation method can adopt a two-segment or multi-segment method. Two-segment and three-segment methods are taken as examples whose processes are shown in Figure 7. Firstly, the number of key generations is compared with the number of keys required, and then the number of key segments is determined. The relationship between the different partition numbers and the corresponding total number of key generations is:
If a two-fragment mode is adopted where the key pool has n keys, a total of 2n sub-keys are formed after the two fragments. The set of sub-keys is shown in Equation (9):
Considering the combination of keys, $C_{2n}^{2}$ combined keys can be generated.
If the three-segment mode is taken, a total of 3n sub-keys are formed after fragmentation, and $C_{3n}^{3}$ combined keys can be generated by considering the combination of keys. The number of key segments can be adjusted according to the number of terminals.
The next step is to combine the sub-key resources to generate keys:
$$\begin{bmatrix} r_{11} & r_{12} & \cdots & r_{1j} \\ r_{21} & r_{22} & \cdots & r_{2j} \\ \cdots & \cdots & \cdots & \cdots \\ r_{i1} & r_{i2} & \cdots & r_{ij} \end{bmatrix} \tag{10}$$
As shown in Equation (10), the rows of the matrix represent the key variables of the combined key, and the columns of the matrix represent the number of segments of the combined key. Let the matrix be a key factor matrix with i rows and j columns, where i = m × n, j = m, and i represents the number of sub-keys and j represents the number of stages of the combined key operation.
The key slices are extracted and combined to generate the corresponding keys. Based on the terminal identification information, the key factors are selected by the sub-key set in some columns of the key factor matrix as $K_m$:
Then, the new key is generated as
Using the key combination method presented above, the public key is obtained from the public key matrix PSK and the private key is obtained from the private key matrix SSK to facilitate the multi-source data encryption in the power monitoring network, fulfilling the needs of the terminals for the large capacity key, and ensuring the security of multi-source big data in the power monitoring network.

Identity-Based Public Key Authentication Protocol
Aiming at the security requirements of rejecting malicious nodes in the smart grid, we propose an identity-based public key authentication protocol that combines CPK-based authentication and the public key encryption scheme and is integrated into the server-side and terminal-side authentication modules. The private key of the system is distributed and managed by a special private key generator. The secure access of multi-source big data in the power monitoring network is guaranteed by public key authentication based on identity information. Once the terminal applies the data transmission to the application server, both sides verify their identities using the proposed authentication protocol. Compared with PKI technology which requires the full online participation of a trusted third party, the proposed authentication protocol can be more efficient [30].
The process of the authentication protocol is described as follows: (where the "client" refers to the terminal-side security agent, and the "server" is the server-side security service).
(1) The client randomly generates a 128-bit seed, namely rand, and uses the current time to generate timestamp. In plaintext M = rand + timestamp, the hash value of rand and timestamp is calculated to obtain H(M), and the client uses the private key to sign H(M) to obtain Sign_A(H(M)). The identification A of the client, the plaintext information M, and the signature Sign_A(H(M)) are taken as the information to be sent for the client. The client uses the public key matrix disclosed by CPK to map the server's unique identifier to calculate the server's public key PK_B. The client uses PK_B to encrypt the information that needs to be sent, and the cipher text C_1 is expressed as shown in Equation (13):
The client sends C_1 to the server through the secure socket layer.
(2) After the server receives the cipher text C_1, it decrypts it with its private key SK_B, and obtains:
According to the public key matrix of the client's identifier A and CPK, the public key PK_A is obtained after mapping, and the public key can be used to verify whether the signature Sign_A(H(M)) of A is consistent with the received data. If it succeeds, it passes the signature verification and confirms that the information comes from the client. The server verifies the timestamp. If the verification succeeds, the server reverses the random number rand bit by bit to obtain rand_s and uses the current server time to generate the timestamp timestamp_s, and combines rand_s and timestamp_s to obtain M_S, which is the plaintext information for server. The server uses the hash algorithm to calculate H(M_S), and uses its private key SK_B to sign H(M_S) to obtain Sign_B(H(M_S)). Finally, the server uses PK_A to encrypt M_S + Sign_B(H(M_S)) to obtain the cipher text C_2, as shown in Equation (15), and sends it to the client:
(3) After receiving the cipher text C_2, the client uses their private key SK_A to decrypt it to obtain M_S + Sign_B(H(M_S)). Then, the client uses the server public key PK_B to verify whether the signatures Sign_B(H(M_S)) and H(M_S) match. If it matches, the verification is successful. Otherwise, it fails, and the customer will be prompted with a warning that the authentication has failed. After passing the verification, the client gets rand_s and timestamp_s, and reverses rand_s by bit to get rand. Additionally, check the timestamp timestamp_s, judge the time of this session through the timestamp, and enter the next step within a reasonable range.
(4) The client extracts rand_s and timestamp_s to obtain H(M_S), and then uses a fixed key Key negotiated in advance to encrypt H(M_S) to obtain the session key K_S, which is expressed as
After obtaining the session key, the client uses the session key to encrypt rand_s, and obtain the cipher text information C_3 expressed as
Then, the cipher text information C_3 is sent to the server.
(5) Negotiation of the session secret key. The server obtains the hash value H(M_S) of rand_s and timestamp_s, encrypts H(M_S) with the symmetric key Key negotiated in advance, obtains the session key K_S, which is used to decrypt the cipher text C_3. The server matches its rand_s with the decrypted information. If they agree, the key negotiation is successful. Both parties use K_S as the session key for this communication. The server uses K_S to encrypt rand_s + 1 to obtain C_4 as shown in Equation (18) and returns it to client:
(6) After receiving C_4, the client uses the session key K_S of this communication to decrypt, and compares the result with rand_s + 1. If it matches, the key negotiation is successful. The communication parties use rand_s + 1 as the starting number of the communication packet to avoid replay attacks.
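The timestamp checks and the session-key confirmation of steps (2) to (6) are traced in the following added example, which is not code from the paper. It assumes that the public-key envelopes C_1 and C_2 have already been decrypted and their signatures verified, reads "reverse bit by bit" as a bitwise complement, uses HMAC-SHA256 as a stand-in for encryption under Key and K_S, and picks a 30-second freshness window and a 16 + 8 byte layout for M; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

MASK128 = (1 << 128) - 1
MAX_SKEW = 30  # seconds; assumed freshness window ("reasonable range" in the text)


def flip(x):
    """Assumed reading of 'reverse bit by bit': complement of a 128-bit value."""
    return x ^ MASK128


def pack(rand, ts):
    """M = rand + timestamp, encoded as 16 + 8 big-endian bytes (assumed layout)."""
    return rand.to_bytes(16, "big") + ts.to_bytes(8, "big")


def unpack(m):
    return int.from_bytes(m[:16], "big"), int.from_bytes(m[16:24], "big")


def same(a, b):
    """Constant-time comparison of two 128-bit values."""
    return hmac.compare_digest(a.to_bytes(16, "big"), b.to_bytes(16, "big"))


def session_key(pre_shared, m_s):
    """K_S from H(M_S) and the pre-negotiated Key; HMAC stands in for E_Key."""
    return hmac.new(pre_shared, hashlib.sha256(m_s).digest(), hashlib.sha256).digest()


def seal(k_s, label, value):
    """Stand-in for encryption under K_S: XOR with a keystream bound to the
    message label, so C_3 and C_4 never share a pad. Applying it twice decrypts."""
    pad = hmac.new(k_s, label, hashlib.sha256).digest()[:16]
    return value ^ int.from_bytes(pad, "big")


def server_step2(m, now):
    """Step (2): check the client's timestamp, build M_S = rand_s + timestamp_s."""
    rand, ts = unpack(m)
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("stale client timestamp")
    rand_s = flip(rand)
    return rand_s, pack(rand_s, now)


def client_step3_4(rand, m_s, key, now):
    """Steps (3)-(4): check rand_s and timestamp_s, derive K_S, produce C_3."""
    rand_s, ts_s = unpack(m_s)
    if not same(flip(rand_s), rand):
        raise ValueError("rand_s does not match our rand")
    if abs(now - ts_s) > MAX_SKEW:
        raise ValueError("stale server timestamp")
    k_s = session_key(key, m_s)
    return k_s, rand_s, seal(k_s, b"C3", rand_s)


def server_step5(rand_s, m_s, key, c3):
    """Step (5): derive K_S, confirm the client holds it, answer with C_4."""
    k_s = session_key(key, m_s)
    if not same(seal(k_s, b"C3", c3), rand_s):
        raise ValueError("key negotiation failed")
    return k_s, seal(k_s, b"C4", (rand_s + 1) & MASK128)


def client_step6(k_s, rand_s, c4):
    """Step (6): confirm the server holds K_S; return the first packet number."""
    start = (rand_s + 1) & MASK128
    if not same(seal(k_s, b"C4", c4), start):
        raise ValueError("key negotiation failed")
    return start


def handshake(client_key, server_key, t_client, t_server):
    """Run steps (2)-(6); return 'ok' or the reason the session was refused."""
    try:
        rand = secrets.randbits(128)
        rand_s, m_s = server_step2(pack(rand, t_client), t_server)
        k_c, rand_s_seen, c3 = client_step3_4(rand, m_s, client_key, t_client)
        k_srv, c4 = server_step5(rand_s, m_s, server_key, c3)
        start = client_step6(k_c, rand_s_seen, c4)
    except ValueError as err:
        return str(err)
    return "ok" if k_c == k_srv and start == (rand_s + 1) & MASK128 else "mismatch"


if __name__ == "__main__":
    key = b"constructed-pre-shared-key"          # constructed sample value
    print(handshake(key, key, 1000, 1005))       # clocks 5 s apart
    print(handshake(key, b"wrong-key", 1000, 1005))
    print(handshake(key, key, 1000, 1031))       # outside the freshness window
```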

Experimental Results and Analysis
The proposed system is developed and tested in the CentOS Linux 8.0 environment and Docker engine on the server side and various Linux editions on the terminal side. The development environment is Visual Studio Code and MATLAB. The key management center module is run to construct the basic private key matrix, the auxiliary private key matrix, and the auxiliary public key matrix according to the elliptic curve parameters. The management center retains the basic private and the auxiliary private key matrix and discloses the auxiliary public key matrix to the Web service. Considering that the research background of reference [21] is similar to ours, and in order to demonstrate the effectiveness of the proposed adaptation mechanism, the experiments are established using our system, our system without the adaptive service module, and the method in reference [21]. The experiments of Sections 4.1-4.3 aimed to verify the performance of the proposed system where the authentication time [31], key generation quantity [32], and key update rate [33] are tested and compared. The experiments in Section 4.4 were established to test the security strength [30] of the proposed system.

Data Authentication Time Analysis
The number of simulated terminals is set to 500, 1000, 1500, 2000, and 2500, respectively. The data authentication time under different methods is calculated as the average authentication time of terminals over three repeated simulations in this experiment. The results are shown in Figure 8. As shown in Figure 8, with the increase in terminals, the average data authentication time of the three methods increases. Since the authentication time mainly relies on the computational capability of terminals and the authentication server, the communication channel quality and the authentication protocol, increased terminals may correspondingly increase the computational burden on both sides, so that the authentication time of both methods rises. It can also be seen that our system demonstrates a shorter authentication time than the other two methods under different terminal amounts. This might be due to the authentication protocol difference between the two methods. Reference [21] uses the PKI mechanism which involves the certification of a third-party authority while our system does not need that, so that the authentication process of our system requires fewer computational steps. In addition, it shows that the adaptive service may assist in reducing the authentication time.

Key Generation Quantity Analysis
The number of simulated terminals was set to 5000. The results of the number of key generations of different methods under different simulation periods are as shown in Figure 9. It can be seen from Figure 8 that when the simulation period proceeds, the generated key increases to fulfill the communication demands of the terminals. When the simulation is run for 50 periods, the number of keys generated by the method of reference [21] is 2900, the number of keys generated by our system without an adaptive service is 4200, and the number of keys generated by our system is 7400. It also can be seen that the number of keys generated by our system increases faster than the other two methods, so that the keys generated by our system can fulfill the demands of the terminal keys in power IoT in a shorter time. This may be due to the adaptive CPK method in our system, where the requirements of terminals can be acquired in time, the hash function is used to map the key chip ID, and the corresponding key factors are then extracted and combined adaptively.

Key Update Rate Analysis
Several power monitoring network terminals, most of which are sensors in the power Internet of Things, were taken for this experiment. The number of simulated terminals is set to 500, 1000, 1500, 2000, and 2500, respectively. The key update rates of different methods are compared, as shown in Figure 10. It can be seen from Figure 8 that with the increase in the number of power monitoring network terminals, the key update rate increases in all three methods. When the number of power monitoring network terminals is 2500, the key update rate of reference [21] is 610 times/s, the key update rate of our system without adaptive service is 1190 times/s while the key update rate of our system is 1350 times/s. It can be seen that our system demonstrates the highest rate, since the initial key is used as seed key to generate terminal keys where adaptive key fragment and combination is adopted to facilitate the efficient key generation of a large number of terminals. The acceleration of the terminal key pair generation process and the following authentication will lead to the faster generation of negotiated symmetric keys that are used in secure communications between the server and terminals.

Data Security Analysis
The data security is tested and evaluated by simulated attacks under different methods in this experiment. The evaluation results are shown in Table 1.
Table 1. Results of data security evaluation of different methods.
Columns: Security Test | Our System | Our System without Adaptive Service | Reference [21]
Rows: Anti-forgery | Anti-eavesdropping | Anti-tampering | Anti-repudiation | Anti-interference
It can be seen from Table 1 that our system may resist the attacks of the forgery of terminals, eavesdropping, tampering, repudiation, and interference. It can also be seen that the adaptive service does not affect the security strength of our system. The first four attacks were simulated by the test suite and the results show that those attacks can be resisted by the security mechanism of authentication and data encryption in our system. The fifth security test was evaluated under the strong electromagnetic field environment of a substation and the results show that all methods remain functional. The implementation of our system in a substation scenario will be discussed in detail in Section 5.

Implementation of the Proposed System in Power System
The proposed security model was experimentally applied in a power IoT scenario in a substation of SGCC.
As shown in Figure 11, the implemented security system is comprised of a security server that includes a security gateway and a key management center, and agents installed on terminals. The proposed security system is implemented at the border of the intranet region to ensure the end-to-end security of the communications with terminals. The implementation of the security system can be easily done with minor network configuration changes. The key management center retains the primary private key, the private key factor matrix and public key factor matrix and is responsible for the terminal registration and key generation. The security gateway is a special type of terminal that integrates the access control mechanism and allows only legitimate terminals to connect, recording the terminal access history and authorizing the terminals to access specific power applications. Agents are installed on terminals that are responsible for establishing the secure connections with security gateway to ensure the data transmission security. The communication channel between terminals and the security gateway is compatible with power wireless networks such as LoRa and NB-IoT.
Figure 11. Implementation in power system.
As shown in Figure 12, the security gateway registers itself on the key management center and obtains its private key and public key matrix. When a terminal connects to the security gateway for the first time, it sends its identification to the gateway and obtains the public key of the gateway and public key matrix. Then, it applies for registration to the gateway that consequently forwards the application to the key management center. If the registration application is disapproved, the gateway will disconnect the terminal and record this connection, including the terminal's identification. Otherwise, the key pair is generated by the key management center and forwarded to the terminal. Secondly, the terminal applies for authentication to the gateway. Once the authentication process in the previous section is completed, the gateway will allocate the specific application access authority to the terminal according to predefined rules, then the terminal and gateway will start encrypted data transmission using the negotiated session key.
Before the application of the proposed system, the power IoT terminals are directly connected to IoT edge devices or power applications through power wireless private network or public network so that the intranet servers have been facing the security risks of malicious terminals, the leakage of transmitting data, and so on. After the experimental application of the proposed system, a series of simulated attacks are carried out to test the security of the system including malicious terminal, eavesdropping, and tampering. The records of the security gateway show that the malicious (counterfeiting) terminal is rejected. The network packets are captured to demonstrate the encrypted data so that the data are protected. Finally, the test results show that the implementation of the proposed system can resist a series of attacks while the transmission performance is not compromised.

Conclusions
A security system of multi-source big data in power monitoring networks is proposed based on combined public key algorithm where an adaptive key fragment and combination method and an identity-based authentication protocol are described in detail. The proposed security system demonstrates the advantages in the aspects of the key update rate, key generation quantity, data authentication time, and implementation complexity while maintaining strong security strength in the multi-source big data environment of the power monitoring network. However, the stability of the communication between the client and the server needs further research. Compared with the actual environment, the test environment of the system in this paper has some differences in the number of concurrent users and access environment. How to improve the concurrent mechanism of terminal access is a problem that needs to be further solved. The big data features and associated advanced processing algorithms in the smart grid also need to be further studied such as incomplete big data [34], the prediction of missing data in big data [35], and deep learning in big data [36]. Meanwhile, future research may also pay attention to the combination of the combined public key algorithm with other popular security mechanisms in order to improve the adaptability of the proposed model for more application scenarios.