CN112165496A - Network security anomaly detection algorithm and detection system based on cluster map neural network - Google Patents
- Publication number
- CN112165496A
- Authority
- CN
- China
- Prior art keywords
- graph
- network
- nodes
- node
- neural network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/232—Non-hierarchical techniques
- G06F18/2321—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
- G06F18/23213—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/25—Fusion techniques
- G06F18/253—Fusion techniques of extracted features
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a network security anomaly detection algorithm based on a cluster map neural network. The algorithm comprises the following steps: describing the network topology with a graph model; optimizing node features with a graph neural network convolution layer; dividing the graph into a plurality of disjoint subgraphs with a graph clustering algorithm; treating each subgraph as a node and the adjacency between subgraphs as an edge to form a subgraph; learning a weight for each node with a graph attention layer; computing a weighted sum of the features of all nodes in each subgraph to form the feature of the corresponding node in the subgraph; and finally judging whether the network is under attack with a fully connected layer and a classifier layer. The method constructs a hierarchical graph neural network: a graph convolution layer optimizes the node features in the graph, a pooling layer based on a graph clustering algorithm captures local features on the graph and generates high-level semantic features, a fusion layer generates the situation feature of the whole network, and a classifier classifies the network situation.
Description
Technical Field
The invention belongs to the field of network security anomaly detection, and in particular relates to a method that describes the topology of a network with a graph model and uses a hierarchical graph neural network model to detect whether the network as a whole is anomalous.
Background
With the progress of information technology, both enterprises and individuals enjoy its convenience. Network technology, as part of information technology, is widely used in daily life. As network attacks have increased in recent years, attack methods have become more diverse and better concealed. Hidden, complex attacks are difficult to discover by examining the running state and the logs of a single device. How to make reasonable and effective use of the information from all devices in the network to judge comprehensively whether the whole network is under attack is a very challenging but meaningful task.
Currently, the main challenges faced by network security anomaly detection are:
(1) How to use the topology of the network to optimize the features of the current device node by taking into account the features of the neighboring device nodes.
(2) How to comprehensively consider the characteristics of all device nodes in the network, and fuse the characteristics into one characteristic capable of reflecting the state of the whole network.
To address these difficulties and challenges in network security situation awareness, the invention provides a method for detecting whether an anomaly exists in the whole network by using a hierarchical graph neural network. Following the adjacency of the device nodes in the network topology graph, the graph convolution layer of the hierarchical graph neural network optimizes each node's features using the features of the current node and of its neighboring nodes, which addresses the first challenge. The pooling layer of the hierarchical graph neural network maps a local set of nodes in the graph to a single node to generate a subgraph, and at the same time maps the features of the nodes in that set to a single feature, which serves as the feature of the corresponding node in the subgraph. Through the pooling layer, the features of local regions in the network can be learned. Finally, the global feature of the whole network is obtained by fusing the local-region features.
Disclosure of Invention
The invention aims to naturally describe the topological structure of the network by using a graph structure, and simultaneously generate the characteristics of the whole network according to the characteristics of each node in the network by using the strong characteristic extraction capability of a graph neural network, so as to reflect whether the whole network has abnormality or not.
The technical scheme of the invention provides a novel network security anomaly detection algorithm based on a graph neural network, which comprises the following steps:
Step 1: extracting multi-source features from multi-source data;
Step 2: fusing the multi-source features extracted in step 1 to form device node features;
Step 3: optimizing the device node features generated in step 2, and describing the network topology with a graph model, wherein the devices in the network are modeled as nodes in the graph and the connections between devices are modeled as edges in the graph;
Step 4: on the basis of step 3 and according to the graph structure defined in step 3, using a spectral clustering algorithm to aggregate similar points on the graph into K clusters;
Step 5: treating each cluster generated in step 4 as a point, so that the graph is mapped to a smaller subgraph in which each node corresponds to an original cluster and each edge indicates that the two original clusters are adjacent; at the same time, mapping the feature vectors of all nodes in a cluster to a single feature vector that serves as the feature of the corresponding node in the subgraph;
Step 6: using the graph convolution module again to optimize the node features in the subgraph, based on the subgraph generated in step 5 and its node features;
Step 7: fusing the node features optimized in step 6 to generate the semantic feature of the whole graph, by averaging the feature vectors of all nodes output by step 6;
Step 8: further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space;
wherein two fully connected layers are used for feature optimization, and the formula of a fully connected layer is:
$X^{l+1} = F(W X^{l})$
where $X^{l}$ denotes the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that adds nonlinearity;
Step 9: predicting whether the network is abnormal according to the optimized feature vector obtained in step 8.
Further, in step 1:
for the network traffic data packet, fields in the data packet comprising a source IP address and a destination IP address can be used as the characteristics of the traffic data;
for the log information, a long short term memory network (LSTM), a model commonly used in natural language processing, can be used to convert each piece of log information into a feature vector.
Further, in step 4:
the spectral clustering algorithm comprises the following specific steps:
Step 4.1: calculating the Laplacian matrix of the graph;
Step 4.2: computing the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors;
Step 4.3: sorting all eigenvalues in ascending order and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix V;
Step 4.4: treating the row vectors of V as nodes and applying the K-means clustering algorithm to the n nodes to cluster them into K classes;
the spectral clustering algorithm defines a mapping from the node set of the graph to clusters; at the same time, according to the spectral clustering result, each cluster is treated as a node and a new graph is generated, in which an edge between two nodes is defined as follows: if the two corresponding clusters in the original graph each contain a point and an edge exists between those two points, then an edge exists between the two nodes in the new graph; the adjacency matrix of the generated new graph is formally defined as follows:
where $V_i$ denotes the i-th cluster in the original graph.
Further, in step 9, a softmax classifier is used to generate the label of the data and to determine whether there is an abnormality in the system.
The invention also provides a network security anomaly detection system based on a cluster map neural network, which comprises a feature extraction module and an anomaly detection module based on a cluster map neural network.
The feature extraction module extracts features from the system and fuses the multi-source heterogeneous features into one device feature;
the anomaly detection module based on the cluster map neural network uses the graph neural network to judge whether the network is under attack according to the device features extracted by the feature extraction module.
The anomaly detection module based on the cluster map neural network comprises a graph convolution module, a pooling layer module, a graph fusion layer module, a fully connected layer module and a classifier module, wherein:
the graph convolution module is used for optimizing the feature vectors of the nodes;
the graph pooling layer module is used for fusing the characteristics of part of nodes to form higher-order semantic characteristics;
the graph fusion layer is used for fusing all the feature vectors to form a feature vector for the whole network;
the function of the full connection layer is to optimize the characteristic vector of the whole network;
the classifier module outputs whether the network is abnormal or not according to the optimized feature vector of the whole network.
The invention has the beneficial effects that: the system constructs a hierarchical graph neural network, optimizes node characteristics in a graph through a graph convolution layer, captures local characteristics on the graph through a pooling layer based on a graph clustering algorithm, generates high-level semantic characteristics, generates situation characteristics of the whole network through a fusion layer, and classifies network situations by using a classifier.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
As shown in fig. 1, the embodiment provides a method for detecting network security anomaly based on a cluster map neural network, including:
Step 1: extracting multi-source features from multi-source data. In a network security anomaly detection system based on a clustering neural network, multiple data sources are used to improve the detection effect.
For network traffic packets, fields in the packet such as the source IP address and the destination IP address may be used as features of the traffic data.
For log information, a long short-term memory network (LSTM), a model commonly used in natural language processing, may be used to convert each piece of log information into a feature vector.
Step 2: fusing the multi-source features extracted in step 1 to form device node features.
The multi-source features are first mapped into a feature space by a multilayer perceptron, and the features are then fused to form a high-order semantic feature.
Step 3: optimizing the device node features generated in step 2, and describing the network topology with a graph model, wherein the devices in the network are modeled as nodes in the graph and the connections between devices are modeled as edges in the graph.
Step 3 performs feature optimization with a graph convolution layer, which can be formalized as the function
$F^{l+1} = \mathrm{GNN}(A^{l}, F^{l})$,
WhereinThe graph convolution operation is a transformation that uses the spectral domain information of the graph, and the above function can be implemented by the following equation:
where A is the adjacency matrix representing the network topology graph of step 3; D is a normalization matrix whose diagonal elements are the degrees of the nodes in the network topology graph and whose off-diagonal elements are 0; $F^{l}$ is the matrix formed by all device features in step 3, each row of which represents the features of one device; and W is a learnable parameter matrix.
Is defined as adding self-loop on the basis of the adjacent matrix, that is, not only the characteristics of the adjacent nodes are considered in the process of optimizing the characteristics, but also the characteristics which are originally carried by the nodes are utilized, that is, the characteristics areD is a diagonal matrix with diagonal elements correspondingRows in the matrix, i.e.D corresponds to a normalized matrix and,is a parameter matrix whose function is to map a k-dimensional feature to an m-dimensional feature, which is a parameter to be learned whose value can be updated using back-propagation algorithms during neural network training. According to the graph convolution operation formula, the convolution layer fuses the characteristics of the current node and the neighbor nodes thereof and generates the optimized node characteristicsThe process. Features of local areas in the graph can be captured by stacking graph convolution layers.
Step 4: on the basis of step 3 and according to the graph structure defined in step 3, clustering similar points on the graph with a spectral clustering algorithm to generate K clusters.
The spectral clustering algorithm comprises the following specific steps:
Step 4.1: calculating the Laplacian matrix of the graph.
Step 4.2: computing the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors.
Step 4.3: sorting all eigenvalues in ascending order and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix V.
Step 4.4: treating the row vectors of V as nodes and applying the K-means clustering algorithm to the n nodes to cluster them into K clusters.
The spectral clustering algorithm defines a mapping from the set of nodes in the graph to clusters. At the same time, according to the spectral clustering result, each cluster is treated as a node, so that a new graph is generated. An edge between two nodes of the new graph can be defined as follows: if the two corresponding clusters in the original graph each contain a point and an edge exists between those two points, then an edge exists between the two nodes in the new graph. The adjacency matrix of the generated new graph is formally defined as follows:
where $V_i$ denotes the i-th cluster in the original graph.
Step 5: generating the feature of each cluster from the k clusters generated in step 4 and the node features optimized in step 3.
After step 5 the feature matrix becomes smaller, and because this step fuses the features of local nodes, it produces a higher-level semantic description of the graph. A feature vector must also be generated for each node in the subgraph, and this feature vector reflects the features of a local node set in the original graph. The feature vectors in the subgraph are generated by a weighted sum of all the feature vectors of the corresponding vertex set in the original graph. An attention mechanism is introduced to learn a weight for each node. Specifically, a single-layer graph convolutional neural network is used as the attention layer of the neural network; the attention layer maps the feature vector matrix F of size n × k to a weight vector V of size n × 1, and the larger a node's weight, the more important the node. The feature vector of each vertex in the subgraph is obtained as the weighted sum of the feature vectors of the corresponding vertex set in the original graph.
Step 6: using the graph convolution module again to optimize the node features in the subgraph, based on the subgraph generated in step 5 and its node features.
Step 7: fusing the node features optimized in step 6 to generate the semantic feature of the whole graph.
Step 7 maps the features of all nodes in the graph to a single feature. Specifically, the feature vectors of all nodes output by step 6 are averaged to generate the semantic feature of the entire graph.
Step 8: further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space.
Step 8 performs feature optimization with two fully connected layers. The formula of a fully connected layer is:
$X^{l+1} = F(W X^{l})$
where $X^{l}$ denotes the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that adds nonlinearity.
Step 9: predicting whether the network is abnormal according to the optimized feature vector obtained in step 8.
Step 9 uses a softmax classifier to generate the label of the data and to judge whether the system has an abnormality.
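The pooling stage of steps 4 and 5, as an added example that is not code from the patent: spectral clustering of a constructed six-device topology, the cluster-level adjacency rule, and attention-weighted pooling of node features. The propagation matrix is the standard graph convolution normalization with self-loops; the softmax inside each cluster and the fixed attention vector W_ATT are assumptions, and all function names and sample values are constructed here.

```python
import numpy as np

# Constructed sample: two three-device subnets joined by one uplink (2-3).
EDGES = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 5), (4, 5), (2, 3)]
# Constructed per-device features: [failed-login rate, outbound traffic score].
FEATURES = np.array([[0.1, 0.2], [0.2, 0.1], [0.1, 0.3],
                     [0.9, 0.8], [0.7, 0.9], [0.8, 0.7]])
W_ATT = np.array([1.0, 1.0])  # assumed fixed here; a trained model learns it


def build_adjacency(edges, n):
    """Symmetric 0/1 adjacency matrix of an undirected topology graph."""
    A = np.zeros((n, n))
    for i, j in edges:
        A[i, j] = A[j, i] = 1.0
    return A


def spectral_clusters(A, k, iters=50):
    """Steps 4.1-4.4: Laplacian, generalized eigenproblem L u = lambda D u, k-means."""
    deg = A.sum(axis=1)                       # assumes no isolated nodes
    L = np.diag(deg) - A                      # 4.1 graph Laplacian
    d_inv_sqrt = 1.0 / np.sqrt(deg)
    # 4.2 solve the generalized problem through the symmetric form D^-1/2 L D^-1/2
    L_sym = d_inv_sqrt[:, None] * L * d_inv_sqrt[None, :]
    _, vecs = np.linalg.eigh(L_sym)           # eigenvalues are returned ascending
    V = d_inv_sqrt[:, None] * vecs[:, :k]     # 4.3 first k eigenvectors, n x k
    # 4.4 k-means on the rows of V with deterministic farthest-point seeding
    centers = [V[0]]
    while len(centers) < k:
        dist = np.min([((V - c) ** 2).sum(axis=1) for c in centers], axis=0)
        centers.append(V[int(np.argmax(dist))])
    centers = np.array(centers)
    for _ in range(iters):
        d2 = ((V[:, None, :] - centers[None, :, :]) ** 2).sum(axis=2)
        labels = d2.argmin(axis=1)
        new = np.array([V[labels == c].mean(axis=0) if np.any(labels == c)
                        else centers[c] for c in range(k)])
        if np.allclose(new, centers):
            break
        centers = new
    return labels


def coarsen_adjacency(A, labels, k):
    """Clusters i and j are adjacent if any edge joins a node of i to a node of j."""
    S = np.eye(k)[labels]                     # n x k one-hot assignment matrix
    A_c = (S.T @ A @ S > 0).astype(int)
    np.fill_diagonal(A_c, 0)                  # edges inside a cluster are dropped
    return A_c


def gcn_norm(A):
    """Propagation matrix D^-1/2 (A + I) D^-1/2 (standard form, assumed here)."""
    A_hat = A + np.eye(len(A))
    d = A_hat.sum(axis=1)
    return A_hat / np.sqrt(np.outer(d, d))


def attention_pool(A, F, labels, k, w):
    """Step 5: a single graph convolution scores every node (n x k -> n x 1);
    each cluster feature is the weighted sum of its members' feature vectors."""
    labels = np.asarray(labels)
    scores = gcn_norm(A) @ F @ w
    pooled = np.zeros((k, F.shape[1]))
    for c in range(k):
        idx = np.where(labels == c)[0]
        a = np.exp(scores[idx] - scores[idx].max())
        a /= a.sum()                          # softmax inside the cluster (assumption)
        pooled[c] = a @ F[idx]
    return pooled


def pooling_demo():
    A = build_adjacency(EDGES, 6)
    labels = spectral_clusters(A, 2)
    return labels, coarsen_adjacency(A, labels, 2), attention_pool(
        A, FEATURES, labels, 2, W_ATT)


if __name__ == "__main__":
    labels, A_c, pooled = pooling_demo()
    print("cluster of each device:", labels.tolist())
    print("cluster-level adjacency:", A_c.tolist())
    print("pooled cluster features:", pooled.round(3).tolist())
```

The pooled matrix and the cluster-level adjacency are what step 6 would take as input for the second graph convolution.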
The embodiment also provides a network security anomaly detection system based on the cluster map neural network, which comprises a feature extraction module and an anomaly detection module based on a cluster map neural network.
The feature extraction module extracts features from the system and fuses the multi-source heterogeneous features into one feature.
The anomaly detection module based on the cluster map neural network uses the graph neural network to judge whether the network is under attack according to the device features extracted by the feature extraction module.
The anomaly detection module based on the cluster map neural network comprises a graph convolution module, a pooling layer module, a graph fusion layer module, a fully connected layer module and a classifier module.
The function of the graph convolution module is to optimize the feature vector of the node.
The graph pooling layer module is used for fusing the characteristics of partial nodes to form higher-order semantic characteristics.
The role of the graph fusion layer is to fuse all the feature vectors into one feature vector for the whole network.
The role of the fully-connected layer is to optimize the feature vectors of the entire network.
The classifier module outputs whether the network is abnormal or not according to the characteristic vector of the network.
Although the present invention has been disclosed in detail with reference to the accompanying drawings, it is to be understood that such description is merely illustrative of and not restrictive on the application of the present invention. The scope of the invention is defined by the appended claims and may include various modifications, adaptations and equivalents of the invention without departing from its scope and spirit.
Claims (5)
1. A network security anomaly detection implementation method based on a cluster map neural network is characterized in that:
Step 1: extracting multi-source features from multi-source data;
Step 2: fusing the multi-source features extracted in step 1 to form device node features;
Step 3: optimizing the device node features generated in step 2, and describing the network topology with a graph model, wherein the devices in the network are modeled as nodes in the graph and the connections between devices are modeled as edges in the graph;
Step 4: on the basis of step 3 and according to the graph structure defined in step 3, using a spectral clustering algorithm to aggregate similar points on the graph into K clusters;
Step 5: treating each cluster generated in step 4 as a point, so that the graph is mapped to a smaller subgraph in which each node corresponds to an original cluster and each edge indicates that the two original clusters are adjacent; at the same time, mapping the feature vectors of all nodes in a cluster to a single feature vector that serves as the feature of the corresponding node in the subgraph;
Step 6: using the graph convolution module again to optimize the node features in the subgraph, based on the subgraph generated in step 5 and its node features;
Step 7: fusing the node features optimized in step 6 to generate the semantic feature of the whole graph, by averaging the feature vectors of all nodes output by step 6;
Step 8: further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space;
wherein two fully connected layers are used for feature optimization, and the formula of a fully connected layer is:
$X^{l+1} = F(W X^{l})$
where $X^{l}$ denotes the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that adds nonlinearity;
Step 9: predicting whether the network is abnormal according to the optimized feature vector obtained in step 8.
2. The method for realizing network security anomaly detection based on the cluster map neural network according to claim 1, wherein: in the step 1:
for the network traffic data packet, fields in the data packet comprising a source IP address and a destination IP address can be used as the characteristics of the traffic data;
for the log information, a long short term memory network (LSTM), a model commonly used in natural language processing, can be used to convert each piece of log information into a feature vector.
3. The method for realizing network security anomaly detection based on the cluster map neural network according to claim 1, wherein: in the step 4:
the spectral clustering algorithm comprises the following specific steps:
Step 4.1: calculating the Laplacian matrix of the graph;
Step 4.2: computing the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors;
Step 4.3: sorting all eigenvalues in ascending order and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix V;
Step 4.4: treating the row vectors of V as nodes and applying the K-means clustering algorithm to the n nodes to cluster them into K classes;
the spectral clustering algorithm defines a mapping from the node set of the graph to clusters; at the same time, according to the spectral clustering result, each cluster is treated as a node and a new graph is generated, in which an edge between two nodes is defined as follows: if the two corresponding clusters in the original graph each contain a point and an edge exists between those two points, then an edge exists between the two nodes in the new graph; the adjacency matrix of the generated new graph is formally defined as follows:
where $V_i$ denotes the i-th cluster in the original graph.
4. The method for realizing network security anomaly detection based on the cluster map neural network according to claim 1, wherein: in step 9, a label of the data is generated by using a softmax classifier, and whether the system is abnormal or not is judged.
5. A network security anomaly detection system based on a cluster map neural network, comprising a feature extraction module and an anomaly detection module based on a cluster map neural network.
The feature extraction module extracts features from the system and fuses the multi-source heterogeneous features into one device feature;
the anomaly detection module based on the cluster map neural network uses the graph neural network to judge whether the network is under attack according to the device features extracted by the feature extraction module.
The anomaly detection module based on the cluster map neural network comprises a graph convolution module, a pooling layer module, a graph fusion layer module, a fully connected layer module and a classifier module, wherein:
the graph convolution module is used for optimizing the feature vectors of the nodes;
the graph pooling layer module is used for fusing the characteristics of part of nodes to form higher-order semantic characteristics;
the graph fusion layer is used for fusing all the feature vectors to form a feature vector for the whole network;
the function of the full connection layer is to optimize the characteristic vector of the whole network;
the classifier module outputs whether the network is abnormal or not according to the optimized feature vector of the whole network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011090335.9A CN112165496B (en) | 2020-10-13 | 2020-10-13 | Network security anomaly detection algorithm and detection system based on cluster map neural network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011090335.9A CN112165496B (en) | 2020-10-13 | 2020-10-13 | Network security anomaly detection algorithm and detection system based on cluster map neural network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112165496A (en) | 2021-01-01 |
CN112165496B (en) | 2021-11-02 |
Family
ID=73866742
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011090335.9A Active CN112165496B (en) | 2020-10-13 | 2020-10-13 | Network security anomaly detection algorithm and detection system based on cluster map neural network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112165496B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10771488B2 (en) * | 2018-04-10 | 2020-09-08 | Cisco Technology, Inc. | Spatio-temporal anomaly detection in computer networks using graph convolutional recurrent neural networks (GCRNNs) |
CN109886312A (en) * | 2019-01-28 | 2019-06-14 | 同济大学 | A kind of bridge wheel of vehicle detection method based on multilayer feature fused neural network model |
US20200287923A1 (en) * | 2019-03-08 | 2020-09-10 | International Business Machines Corporation | Unsupervised learning to simplify distributed systems management |
CN110968701A (en) * | 2019-11-05 | 2020-04-07 | 量子数聚(北京)科技有限公司 | Relationship map establishing method, device and equipment for graph neural network |
CN111681059A (en) * | 2020-08-14 | 2020-09-18 | 支付宝(杭州)信息技术有限公司 | Training method and device of behavior prediction model |
Non-Patent Citations (2)
Title |
---|
ANSHIKA CHAUDHARY et al.: "《Anomaly Detection using Graph Neural Networks》", 《2019 INTERNATIONAL CONFERENCE ON MACHINE LEARNING, BIG DATA, CLOUD AND PARALLEL COMPUTING》 * |
Guo Jiayan et al.: "《Dynamic Network Anomaly Detection Algorithm Based on Graph Neural Networks》", 《Journal of Software》 * |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112861967A (en) * | 2021-02-07 | 2021-05-28 | 中国电子科技集团公司电子科学研究院 | Social network abnormal user detection method and device based on heterogeneous graph neural network |
CN112861967B (en) * | 2021-02-07 | 2023-04-07 | 中国电子科技集团公司电子科学研究院 | Social network abnormal user detection method and device based on heterogeneous graph neural network |
CN112559695A (en) * | 2021-02-25 | 2021-03-26 | 北京芯盾时代科技有限公司 | Aggregation feature extraction method and device based on graph neural network |
CN113225331A (en) * | 2021-04-30 | 2021-08-06 | 中国科学技术大学 | Method, system and device for detecting host intrusion safety based on graph neural network |
CN113709120A (en) * | 2021-08-12 | 2021-11-26 | 李蓉 | Network node safety system for intelligent finance |
CN114021140B (en) * | 2021-10-20 | 2022-10-21 | 深圳融安网络科技有限公司 | Method and device for predicting network security situation and computer readable storage medium |
CN114021140A (en) * | 2021-10-20 | 2022-02-08 | 深圳融安网络科技有限公司 | Method and device for predicting network security situation and computer readable storage medium |
CN113961759A (en) * | 2021-10-22 | 2022-01-21 | 北京工业大学 | Anomaly detection method based on attribute map representation learning |
CN113961759B (en) * | 2021-10-22 | 2024-05-07 | 北京工业大学 | Abnormality detection method based on attribute map representation learning |
CN113965393A (en) * | 2021-10-27 | 2022-01-21 | 浙江网安信创电子技术有限公司 | Botnet detection method based on complex network and graph neural network |
CN113965393B (en) * | 2021-10-27 | 2023-08-01 | 浙江网安信创电子技术有限公司 | Botnet detection method based on complex network and graph neural network |
CN114422211A (en) * | 2021-12-30 | 2022-04-29 | 中国人民解放军战略支援部队信息工程大学 | HTTP malicious traffic detection method and device based on graph attention network |
CN114422211B (en) * | 2021-12-30 | 2023-07-18 | 中国人民解放军战略支援部队信息工程大学 | HTTP malicious traffic detection method and device based on graph attention network |
CN114077811A (en) * | 2022-01-19 | 2022-02-22 | 华东交通大学 | Electric power Internet of things equipment abnormality detection method based on graph neural network |
CN114077811B (en) * | 2022-01-19 | 2022-04-12 | 华东交通大学 | Electric power Internet of things equipment abnormality detection method based on graph neural network |
CN115293919B (en) * | 2022-07-22 | 2023-08-04 | 浙江大学 | Social network distribution outward generalization-oriented graph neural network prediction method and system |
CN115293919A (en) * | 2022-07-22 | 2022-11-04 | 浙江大学 | Graph neural network prediction method and system oriented to social network distribution generalization |
CN115296876A (en) * | 2022-07-26 | 2022-11-04 | 北京科能腾达信息技术股份有限公司 | Network security early warning system of self-adaptation mimicry technique |
CN115242680A (en) * | 2022-07-30 | 2022-10-25 | 北京理工大学 | Node classification method of graph neural network based on multi-stage training in communication network |
CN115941501A (en) * | 2023-03-08 | 2023-04-07 | 华东交通大学 | Host equipment control method based on graph neural network |
CN117132218A (en) * | 2023-07-17 | 2023-11-28 | 杭州逍邦网络科技有限公司 | Workflow management system |
CN117132218B (en) * | 2023-07-17 | 2024-03-19 | 杭州逍邦网络科技有限公司 | Workflow management system |
CN117909910A (en) * | 2024-03-19 | 2024-04-19 | 成都工业学院 | Automatic detection method for system exception log based on graph attention network |
Also Published As
Publication number | Publication date |
---|---|
CN112165496B (en) | 2021-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112165496B (en) | Network security anomaly detection algorithm and detection system based on cluster map neural network | |
CN114077811B (en) | Electric power Internet of things equipment abnormality detection method based on graph neural network | |
Huang et al. | Resilient routing mechanism for wireless sensor networks with deep learning link reliability prediction | |
CN109902740B (en) | Re-learning industrial control intrusion detection method based on multi-algorithm fusion parallelism | |
CN104601565A (en) | Network intrusion detection classification method of intelligent optimization rules | |
CN113283909B (en) | Ether house phishing account detection method based on deep learning | |
CN112884204B (en) | Network security risk event prediction method and device | |
Qu et al. | Statistics-enhanced direct batch growth self-organizing mapping for efficient DoS attack detection | |
CN114172688A (en) | Encrypted traffic network threat key node automatic extraction method based on GCN-DL | |
Chakraborty et al. | Industrial control system device classification using network traffic features and neural network embeddings | |
Zhang et al. | An intrusion detection method based on stacked sparse autoencoder and improved gaussian mixture model | |
Guihai et al. | Adversarial machine learning against false data injection attack detection for smart grid demand response | |
CN117272195A (en) | Block chain abnormal node detection method and system based on graph convolution attention network | |
Bacciu et al. | Compositional generative mapping of structured data | |
CN112651422B (en) | Space-time sensing network flow abnormal behavior detection method and electronic device | |
CN114329099A (en) | Overlapping community identification method, device, equipment, storage medium and program product | |
Moundounga et al. | Stochastic Machine Learning Based Attacks Detection System in Wireless Sensor Networks | |
CN114760104A (en) | Distributed abnormal flow detection method in Internet of things environment | |
JP2023543128A (en) | Marketing arbitrage network dark industry identification method based on dynamic attention graph network | |
CN114265954A (en) | Graph representation learning method based on position and structure information | |
CN114254738A (en) | Double-layer evolvable dynamic graph convolution neural network model construction method and application | |
CN113537272A (en) | Semi-supervised social network abnormal account detection method based on deep learning | |
Chen et al. | Optimisation for image salient object detection based on semantic‐aware clustering and CRF | |
Kuang et al. | Network link connectivity prediction based on GCN and differentiable pooling model | |
Qian | Research on fault diagnosis model of generative adss based on improved semisupervised diagnosis algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||