CN112165496A - Network security anomaly detection algorithm and detection system based on cluster map neural network


Info

Publication number: CN112165496A
Authority: CN (China)
Prior art keywords: graph, network, nodes, node, neural network
Legal status: Granted
Application number: CN202011090335.9A
Other languages: Chinese (zh)
Other versions: CN112165496B (en)
Inventors: 赵曦滨, 梁若舟, 高跃
Current Assignee: Tsinghua University
Original Assignee: Tsinghua University

Abstract

The invention discloses a network security anomaly detection algorithm based on a cluster map neural network. The algorithm comprises the following steps: describing the network topology with a graph model; optimizing node features with a graph neural network convolution layer; dividing the graph into several disjoint subgraphs with a graph clustering algorithm; treating each subgraph as a node and the adjacency between subgraphs as edges to form a smaller-scale sub-graph; learning a weight for each node with a graph attention layer and taking the weighted sum of the features of all nodes in each subgraph as the feature of the corresponding node in the sub-graph; and finally judging whether the network is under attack with a fully connected layer and a classifier layer. The method constructs a hierarchical graph neural network, optimizes node features in the graph through a graph convolution layer, captures local features on the graph through a pooling layer based on a graph clustering algorithm, generates high-level semantic features, generates situation features of the whole network through a fusion layer, and classifies network situations with a classifier.

Description

Network security anomaly detection algorithm and detection system based on cluster map neural network
Technical Field
The invention belongs to the field of network security anomaly detection, and particularly relates to a method for detecting whether an entire network has an anomaly or not by using a graph model to describe a topological structure of the network and using a hierarchical graph neural network model.
Background
With the progress of information technology, both enterprises and individuals enjoy its convenience. Network technology, as part of information technology, is widely used in daily life. As network attacks have increased in recent years, attack methods have become more diverse and better concealed. Hidden, complex attacks are difficult to discover by examining only the running state and logs of a single device. How to make reasonable and effective use of the information from all devices in the network to judge comprehensively whether the whole network is under attack is a challenging but meaningful task.
Currently, the main challenges faced by network security anomaly detection are:
(1) How to optimize the features of the current device node by taking into account the features of the neighboring device nodes in the network, using the topology of the network.
(2) How to comprehensively consider the characteristics of all device nodes in the network, and fuse the characteristics into one characteristic capable of reflecting the state of the whole network.
Aiming at the difficulties and challenges existing in network security situation perception, the invention provides a method for detecting whether an anomaly exists in the whole network by utilizing a hierarchical graph neural network. The graph convolution layer in the hierarchical graph neural network can optimize the node characteristics by using the characteristics of the current node and the characteristics of the adjacent nodes thereof according to the adjacent relation of the equipment nodes in the network topological graph so as to solve the first challenge. The hierarchical graph neural network utilizes the pooling layer to map a local node set in the graph into a node to generate a sub-graph, and simultaneously maps the characteristics of each node in the node set into a characteristic which serves as the characteristics of the corresponding node in the sub-graph. Through the pooling layer, characteristics of local regions in the network can be learned. Finally, the global characteristics of the whole network can be obtained by fusing the local area characteristics.
Disclosure of Invention
The invention aims to naturally describe the topological structure of the network by using a graph structure, and simultaneously generate the characteristics of the whole network according to the characteristics of each node in the network by using the strong characteristic extraction capability of a graph neural network, so as to reflect whether the whole network has abnormality or not.
The technical scheme of the invention provides a novel network security anomaly detection algorithm based on a graph neural network, which comprises the following steps:
Step 1, extracting multi-source features from multi-source data;
Step 2, fusing the multi-source features extracted in step 1 to form device node features;
Step 3, optimizing the device node features generated in step 2, and describing the network topology with a graph model, wherein the devices in the network are modeled as nodes in the graph and the connections between devices are modeled as edges in the graph;
Step 4, on the basis of step 3 and according to the graph structure defined there, using a spectral clustering algorithm to aggregate similar points on the graph into K clusters;
Step 5, regarding each cluster generated in step 4 as a point, so that the graph is mapped into a smaller-scale sub-graph, wherein the nodes in the sub-graph correspond to the original clusters and an edge in the sub-graph indicates that the two original clusters are adjacent; at the same time, mapping the feature vectors of all nodes in one cluster into a single feature vector that serves as the feature of the corresponding node in the sub-graph;
Step 6, optimizing the node features of the sub-graph generated in step 5 by applying the graph convolution module again;
Step 7, fusing the node features optimized in step 6 into semantic features of the whole graph, by averaging the feature vectors of all nodes output in step 6;
Step 8, further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space;
wherein two fully connected layers are used for feature optimization, and the formula of a fully connected layer is:
$X_{l+1} = F(W X_l)$
where $X_l$ is the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that adds nonlinearity;
Step 9, predicting whether the network is abnormal according to the optimized feature vector obtained in step 8.
Further, in step 1:
for the network traffic data packet, fields in the data packet comprising a source IP address and a destination IP address can be used as the characteristics of the traffic data;
for the log information, a long short term memory network (LSTM), a model commonly used in natural language processing, can be used to convert each piece of log information into a feature vector.
Further, in step 4:
the spectral clustering algorithm comprises the following specific steps:
Step 4.1, calculating the Laplacian matrix of the graph;
Step 4.2, computing the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors;
Step 4.3, sorting all eigenvalues from small to large, and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix
Figure BDA0002721886760000031
Step 4.4, regarding the row vectors in the V as nodes, applying a K-means clustering algorithm to n nodes, and clustering the n nodes into K classes;
defining a mapping from a node set in the graph to a cluster through a spectral clustering algorithm; meanwhile, according to the spectral clustering result, each cluster is regarded as a node, a new graph is generated, and the edges of two nodes in the new graph are defined as that if two points exist in the original graph corresponding to the two clusters and an edge exists between the two points, an edge exists between the two nodes in the new graph; the formalization of the adjacency matrix of the generated new graph is defined as follows:
Figure BDA0002721886760000041
where $V_i$ denotes the i-th cluster in the original graph.
Further, in step 9, a softmax classifier is used to generate a label for the data, and it is determined whether there is an abnormality in the system.
The invention also provides a network security anomaly detection system based on a cluster map neural network, which comprises a feature extraction module and an anomaly detection module based on the cluster map neural network.
The feature extraction module is used for extracting features from the system and fusing the multi-source heterogeneous features into one device feature;
the anomaly detection module based on the cluster map neural network uses the graph neural network to judge whether the network is under attack, according to the device features extracted by the feature extraction module.
The anomaly detection module based on the cluster map neural network comprises a graph convolution module, a graph pooling layer module, a graph fusion layer module, a fully connected layer module and a classifier module, wherein:
the graph convolution module is used for optimizing the feature vectors of the nodes;
the graph pooling layer module is used for fusing the characteristics of part of nodes to form higher-order semantic characteristics;
the graph fusion layer is used for fusing all the feature vectors to form a feature vector for the whole network;
the function of the full connection layer is to optimize the characteristic vector of the whole network;
the classifier module outputs whether the network is abnormal or not according to the optimized feature vector of the whole network.
The invention has the beneficial effects that: the system constructs a hierarchical graph neural network, optimizes node characteristics in a graph through a graph convolution layer, captures local characteristics on the graph through a pooling layer based on a graph clustering algorithm, generates high-level semantic characteristics, generates situation characteristics of the whole network through a fusion layer, and classifies network situations by using a classifier.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
As shown in fig. 1, the embodiment provides a method for detecting network security anomaly based on a cluster map neural network, including:
Step 1, extracting multi-source features from multi-source data. In a network security anomaly detection system based on a clustering neural network, a plurality of data sources are used to improve the detection effect.
For network traffic packets, some fields in the packet such as source IP address, destination IP address, etc. may be used as characteristics of the traffic data.
For log information, a long short term memory network (LSTM), a common model of natural language processing, may be used to convert each piece of log information into a feature vector.
Step 2, fusing the multi-source features extracted in step 1 to form device node features.
The multi-source features are first mapped into a feature space with a multilayer perceptron, and the features are then fused to form a high-order semantic feature.
Step 3, optimizing the device node features generated in step 2, and describing the network topology with a graph model, wherein the devices in the network are modeled as nodes in the graph and the connections between devices are modeled as edges in the graph.
Step 3 performs feature optimization with a graph convolution layer, which can be formalized as a function
$F_{l+1} = \mathrm{GNN}(A_l, F_l)$,
where
Figure BDA0002721886760000051
The graph convolution operation is a transformation that uses the spectral domain information of the graph, and the above function can be implemented by the following equation:
Figure BDA0002721886760000061
where A is the adjacency matrix of the network topology graph from step 3; D is a normalization matrix whose diagonal elements are the degrees of the nodes in the network topology graph and whose off-diagonal elements are 0; $F_l$ is the matrix formed by all the device features from step 3, each row of which holds the features of one device; and W is a learnable parameter matrix.
Figure BDA0002721886760000062
Is defined as adding self-loop on the basis of the adjacent matrix, that is, not only the characteristics of the adjacent nodes are considered in the process of optimizing the characteristics, but also the characteristics which are originally carried by the nodes are utilized, that is, the characteristics are
Figure BDA0002721886760000063
D is a diagonal matrix with diagonal elements corresponding
Figure BDA0002721886760000064
Rows in the matrix, i.e.
Figure BDA0002721886760000065
D corresponds to a normalized matrix and,
Figure BDA0002721886760000066
is a parameter matrix whose function is to map a k-dimensional feature to an m-dimensional feature; it is a parameter to be learned, and its value can be updated with the back-propagation algorithm during neural network training. According to the graph convolution formula, the convolution layer fuses the features of the current node and its neighbor nodes to generate the optimized node features. Features of local areas in the graph can be captured by stacking graph convolution layers.
Step 4, on the basis of step 3 and according to the graph structure defined there, clustering similar points on the graph with a spectral clustering algorithm to generate K clusters.
The spectral clustering algorithm comprises the following specific steps:
Step 4.1, calculating the Laplacian matrix of the graph.
Step 4.2, computing the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors.
Step 4.3, sorting all eigenvalues from small to large, and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix
Figure BDA0002721886760000067
Step 4.4, regarding the row vectors in V as nodes, applying a K-means clustering algorithm to the n nodes, and clustering the n nodes into K clusters.
By means of a spectral clustering algorithm, a mapping from a set of nodes in the graph to clusters is defined. Meanwhile, according to the result of spectral clustering, each cluster is regarded as a node, so that a new graph is generated, and the edge of two nodes in the new graph can be defined as that if two points exist in the original graph corresponding to the two clusters and an edge exists between the two points, an edge exists between the two nodes in the new graph. The formalization of the adjacency matrix of the generated new graph is defined as follows:
Figure BDA0002721886760000071
where $V_i$ denotes the i-th cluster in the original graph.
Step 5, generating the features of each cluster from the k clusters generated in step 4 and the node features optimized in step 3.
After step 5, the feature matrix becomes smaller, and because this step fuses the features of the local nodes, a higher level semantic feature description of the graph can be generated. It is also necessary to generate a feature vector for each node in the subgraph, where the feature vector reflects the features of a local node set in the original graph. The feature vectors in the subgraph are generated by weighted summation of all the feature vectors in the vertex set in the original graph. An attention mechanism is introduced to learn a weight for each node. Specifically, a single-layer graph convolution neural network is used as an attention layer in the neural network, and the feature vector matrix F having a size of n × k can be mapped into the weight vector V having a size of n × 1 by using the attention layer, and the importance of the node increases as the weight increases. The feature vectors of the vertexes in the subgraph are obtained by weighting and summing the feature vectors of the corresponding vertex sets in the original graph.
Step 6, optimizing the node features of the sub-graph generated in step 5 by applying the graph convolution module again.
Step 7, fusing the node features optimized in step 6 into semantic features of the whole graph.
Step 7 maps the features of all nodes in the graph into one feature. Specifically, the feature vectors of all the nodes output in step 6 are averaged to generate semantic features for the entire graph.
Step 8, further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space.
Step 8 performs feature optimization with two fully connected layers. The formula of a fully connected layer is:
$X_{l+1} = F(W X_l)$
where $X_l$ is the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that adds nonlinearity.
Step 9, predicting whether the network is abnormal according to the optimized feature vector obtained in step 8.
Step 9 generates a label for the data with the softmax classifier and judges whether the system has an abnormality.
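Steps 4 and 5 carried through on a small device graph, as an added example that is not code from the patent: generalized spectral clustering of the topology, the adjacency matrix of the resulting cluster graph, and weighted-sum pooling of node features. The six-device topology, the feature values and the attention weights are constructed; the weights stand in for the output of the learned attention layer, and leaving the cluster graph without self-loops is an assumption.

```python
import math

def jacobi_eigh(S, sweeps=60):
    """Eigen-decompose a symmetric matrix with cyclic Jacobi rotations.
    Returns (eigenvalues, V); column j of V is the j-th eigenvector."""
    n = len(S)
    A = [list(map(float, row)) for row in S]
    V = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(i + 1, n)) < 1e-22:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-15:
                    continue
                d = A[q][q] - A[p][p]
                theta = math.pi / 4 if d == 0 else 0.5 * math.atan(2 * A[p][q] / d)
                c, s = math.cos(theta), math.sin(theta)
                for M in (A, V):    # right-multiply by the rotation J
                    for r in M:
                        r[p], r[q] = c * r[p] - s * r[q], s * r[p] + c * r[q]
                for j in range(n):  # left-multiply A by J transposed
                    A[p][j], A[q][j] = c * A[p][j] - s * A[q][j], s * A[p][j] + c * A[q][j]
    return [A[i][i] for i in range(n)], V

def kmeans(points, k, iters=25):
    """K-means with deterministic farthest-point initialisation."""
    def d2(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(d2(p, c) for c in centers)))
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: d2(p, centers[c])) for p in points]
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centers[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def spectral_clusters(adj, k):
    """Steps 4.1-4.4: cluster label for every node of the device graph."""
    n = len(adj)
    deg = [sum(row) for row in adj]
    if min(deg) == 0:
        raise ValueError("isolated device: degree 0 makes D^-1/2 undefined")
    # Solve L v = lambda D v through the symmetric form I - D^-1/2 A D^-1/2,
    # then map each eigenvector back with v = D^-1/2 u.
    isq = [1 / math.sqrt(d) for d in deg]
    l_sym = [[float(i == j) - isq[i] * adj[i][j] * isq[j] for j in range(n)]
             for i in range(n)]
    vals, U = jacobi_eigh(l_sym)
    order = sorted(range(n), key=vals.__getitem__)[:k]   # k smallest eigenvalues
    rows = [[isq[i] * U[i][j] for j in order] for i in range(n)]
    return kmeans(rows, k)

def coarsen(adj, labels, k):
    """Cluster graph: clusters i != j are adjacent if any member pair is."""
    coarse = [[0] * k for _ in range(k)]
    for u, row in enumerate(adj):
        for v, edge in enumerate(row):
            if edge and labels[u] != labels[v]:
                coarse[labels[u]][labels[v]] = 1
    return coarse

def pool(features, weights, labels, k):
    """Step 5: weighted sum of member features gives each cluster's feature."""
    pooled = [[0.0] * len(features[0]) for _ in range(k)]
    for feat, w, c in zip(features, weights, labels):
        for j, x in enumerate(feat):
            pooled[c][j] += w * x
    return pooled

# Constructed topology: two 3-host segments (0-2 and 3-5) joined by link 2-3.
EDGES = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 5), (4, 5), (2, 3)]
ADJ = [[0] * 6 for _ in range(6)]
for a, b in EDGES:
    ADJ[a][b] = ADJ[b][a] = 1
# Constructed per-device features: [failed logins, outbound MB].
FEATURES = [[1.0, 2.0], [0.0, 3.0], [2.0, 10.0], [40.0, 1.0], [1.0, 2.0], [0.0, 1.0]]
# Constructed attention weights (placeholder for the attention layer's output).
WEIGHTS = [0.2, 0.2, 0.6, 0.8, 0.1, 0.1]

def run_example():
    labels = spectral_clusters(ADJ, 2)
    return labels, coarsen(ADJ, labels, 2), pool(FEATURES, WEIGHTS, labels, 2)

if __name__ == "__main__":
    print(run_example())
```

Device 3's high failed-login count dominates the pooled feature of its segment because its weight is large, which is the effect the attention layer is meant to learn.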
The embodiment also provides a network security anomaly detection system based on the cluster map neural network, which comprises a feature extraction module and an anomaly detection module based on the cluster map neural network.
The feature extraction module is used for extracting features from the system and fusing the multi-source heterogeneous features into one feature.
The anomaly detection module based on the cluster map neural network uses the graph neural network to judge whether the network is under attack, according to the device features extracted by the feature extraction module.
The anomaly detection module based on the cluster map neural network comprises a graph convolution module, a graph pooling layer module, a graph fusion layer module, a fully connected layer module and a classifier module.
The function of the graph convolution module is to optimize the feature vector of the node.
The graph pooling layer module is used for fusing the characteristics of partial nodes to form higher-order semantic characteristics.
The role of the graph fusion layer is to fuse all the feature vectors into one feature vector for the whole network.
The role of the fully-connected layer is to optimize the feature vectors of the entire network.
The classifier module outputs whether the network is abnormal or not according to the characteristic vector of the network.
Although the present invention has been disclosed in detail with reference to the accompanying drawings, it is to be understood that such description is merely illustrative of and not restrictive on the application of the present invention. The scope of the invention is defined by the appended claims and may include various modifications, adaptations and equivalents of the invention without departing from its scope and spirit.

Claims (5)

1. A network security anomaly detection implementation method based on a cluster map neural network is characterized in that:
Step 1, extracting multi-source features from multi-source data;
Step 2, fusing the multi-source features extracted in step 1 to form device node features;
Step 3, optimizing the device node features generated in step 2, and describing the network topology with a graph model, wherein the devices in the network are modeled as nodes in the graph and the connections between devices are modeled as edges in the graph;
Step 4, on the basis of step 3 and according to the graph structure defined there, using a spectral clustering algorithm to aggregate similar points on the graph into K clusters;
Step 5, regarding each cluster generated in step 4 as a point, so that the graph is mapped into a smaller-scale sub-graph, wherein the nodes in the sub-graph correspond to the original clusters and an edge in the sub-graph indicates that the two original clusters are adjacent; at the same time, mapping the feature vectors of all nodes in one cluster into a single feature vector that serves as the feature of the corresponding node in the sub-graph;
Step 6, optimizing the node features of the sub-graph generated in step 5 by applying the graph convolution module again;
Step 7, fusing the node features optimized in step 6 into semantic features of the whole graph, by averaging the feature vectors of all nodes output in step 6;
Step 8, further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space;
wherein two fully connected layers are used for feature optimization, and the formula of a fully connected layer is:
$X_{l+1} = F(W X_l)$
where $X_l$ is the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that adds nonlinearity;
Step 9, predicting whether the network is abnormal according to the optimized feature vector obtained in step 8.
2. The method for realizing network security anomaly detection based on the cluster map neural network according to claim 1, wherein: in the step 1:
for the network traffic data packet, fields in the data packet comprising a source IP address and a destination IP address can be used as the characteristics of the traffic data;
for the log information, a long short term memory network (LSTM), a model commonly used in natural language processing, can be used to convert each piece of log information into a feature vector.
3. The method for realizing network security anomaly detection based on the cluster map neural network according to claim 1, wherein: in the step 4:
the spectral clustering algorithm comprises the following specific steps:
Step 4.1, calculating the Laplacian matrix of the graph;
Step 4.2, computing the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors;
Step 4.3, sorting all eigenvalues from small to large, and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix
Figure FDA0002721886750000021
Step 4.4, regarding the row vectors in the V as nodes, applying a K-means clustering algorithm to n nodes, and clustering the n nodes into K classes;
defining a mapping from a node set in the graph to a cluster through a spectral clustering algorithm; meanwhile, according to the spectral clustering result, each cluster is regarded as a node, a new graph is generated, and the edges of two nodes in the new graph are defined as that if two points exist in the original graph corresponding to the two clusters and an edge exists between the two points, an edge exists between the two nodes in the new graph; the formalization of the adjacency matrix of the generated new graph is defined as follows:
Figure FDA0002721886750000022
where $V_i$ denotes the i-th cluster in the original graph.
4. The method for realizing network security anomaly detection based on the cluster map neural network according to claim 1, wherein: in step 9, a label of the data is generated by using a softmax classifier, and whether the system is abnormal or not is judged.
5. A network security anomaly detection system based on a cluster map neural network, comprising: a feature extraction module and an anomaly detection module based on the cluster map neural network.
The feature extraction module is used for extracting features from the system and fusing the multi-source heterogeneous features into one device feature;
the anomaly detection module based on the cluster map neural network uses the graph neural network to judge whether the network is under attack, according to the device features extracted by the feature extraction module.
The anomaly detection module based on the cluster map neural network comprises a graph convolution module, a graph pooling layer module, a graph fusion layer module, a fully connected layer module and a classifier module, wherein:
the graph convolution module is used for optimizing the feature vectors of the nodes;
the graph pooling layer module is used for fusing the characteristics of part of nodes to form higher-order semantic characteristics;
the graph fusion layer is used for fusing all the feature vectors to form a feature vector for the whole network;
the function of the full connection layer is to optimize the characteristic vector of the whole network;
the classifier module outputs whether the network is abnormal or not according to the optimized feature vector of the whole network.
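The cluster-graph construction of claim 3, as an added example that is not part of the patent: it assumes recursive spectral bisection (sign of the Fiedler vector) as the spectral clustering variant, a zero diagonal in the new adjacency matrix because the page's formula image is not reproduced, and a constructed 12-device topology. All function names are hypothetical.

```python
import math

def fiedler_split(nodes, adj, iters=2000):
    """Two-way spectral cut by the sign of the Fiedler vector of the induced subgraph."""
    idx = {v: i for i, v in enumerate(nodes)}
    nbrs = [[idx[u] for u in adj[v] if u in idx] for v in nodes]
    n, shift = len(nodes), 2 * max(len(b) for b in nbrs) + 1
    x = [math.sin(i + 1.0) for i in range(n)]       # deterministic start vector
    for _ in range(iters):                          # power iteration on shift*I - L
        mean = sum(x) / n
        x = [v - mean for v in x]                   # project out the constant eigenvector
        y = [(shift - len(nbrs[i])) * x[i] + sum(x[j] for j in nbrs[i]) for i in range(n)]
        norm = math.sqrt(sum(v * v for v in y))
        x = [v / norm for v in y]
    return ([v for v in nodes if x[idx[v]] < 0], [v for v in nodes if x[idx[v]] >= 0])

def spectral_clusters(nodes, adj, depth):
    """Recursive bisection (assumed variant); returns clusters V_0..V_{k-1} as sorted lists."""
    if depth == 0 or len(nodes) < 2:
        return [sorted(nodes)]
    left, right = fiedler_split(nodes, adj)
    if not left or not right:
        return [sorted(nodes)]
    return sorted(spectral_clusters(left, adj, depth - 1) + spectral_clusters(right, adj, depth - 1))

def coarsen(clusters, adj):
    """New graph: clusters i != j are adjacent if some u in V_i and v in V_j share an edge."""
    member = {v: c for c, vs in enumerate(clusters) for v in vs}
    a = [[0] * len(clusters) for _ in clusters]     # assumption: diagonal stays 0
    for u, nb in adj.items():
        for v in nb:
            if member[u] != member[v]:
                a[member[u]][member[v]] = a[member[v]][member[u]] = 1
    return a

def sample_graph():
    """Constructed topology: 12 devices, four triangles chained by single links."""
    edges = [(0, 1), (1, 2), (0, 2), (3, 4), (4, 5), (3, 5), (6, 7), (7, 8), (6, 8),
             (9, 10), (10, 11), (9, 11), (2, 3), (5, 6), (8, 9)]
    adj = {v: set() for v in range(12)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj

if __name__ == "__main__":
    g = sample_graph()
    clusters = spectral_clusters(list(g), g, depth=2)
    print(clusters, coarsen(clusters, g))
```

On the sample topology the four triangles are recovered as clusters and the new graph is a 4-node path, so a pooling layer operating on it sees one node per device group rather than per device.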
CN202011090335.9A 2020-10-13 2020-10-13 Network security anomaly detection algorithm and detection system based on cluster map neural network Active CN112165496B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011090335.9A CN112165496B (en) 2020-10-13 2020-10-13 Network security anomaly detection algorithm and detection system based on cluster map neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011090335.9A CN112165496B (en) 2020-10-13 2020-10-13 Network security anomaly detection algorithm and detection system based on cluster map neural network

Publications (2)

Publication Number Publication Date
CN112165496A true CN112165496A (en) 2021-01-01
CN112165496B CN112165496B (en) 2021-11-02

Family

ID=73866742

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011090335.9A Active CN112165496B (en) 2020-10-13 2020-10-13 Network security anomaly detection algorithm and detection system based on cluster map neural network

Country Status (1)

Country Link
CN (1) CN112165496B (en)

Also Published As

Publication number Publication date
CN112165496B (en) 2021-11-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant