CN101771584B - Network abnormal flow detection method - Google Patents

Publication number: CN101771584B
Authority: CN (China)
Prior art keywords: network, vector, network traffics, sample data, formula
Legal status: Expired - Fee Related
Application number: CN200910273494XA
Other languages: Chinese (zh)
Other versions: CN101771584A (en)
Inventors: 胡汉平, 熊伟, 杨越, 丁帆
Current Assignee: Huazhong University of Science and Technology
Original Assignee: Huazhong University of Science and Technology
Application filed by Huazhong University of Science and Technology
Priority to CN200910273494XA
Publication of CN101771584A
Application granted
Publication of CN101771584B
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting abnormal network traffic. First, the network traffic sample data are normalized and mean-centred to obtain the network traffic sample data vectors $v_k$, where $1 \le k \le M$ and $M$ is the number of categories of network traffic sample data, and the network traffic test data to be identified are normalized and mean-centred to obtain the network traffic test data vector $q(0)$. Second, the attention parameters of the network traffic anomalies are computed and the adjoint vector corresponding to each network traffic sample data vector is obtained. Third, the initial values of the order parameters are computed from the adjoint vectors. Finally, the order parameters are computed iteratively using the attention parameters, and the detection result is obtained when the iteration ends. The method has low computational complexity, a high detection rate, a low false detection rate and good real-time performance.

Description

A network traffic anomaly detection method
Technical field
The present invention relates to network information security and synergetics, and specifically to a network traffic anomaly detection method based on a synergetic mutation model. The method can discover network faults and performance problems in time, which is significant for improving the availability and reliability of the network and for guaranteeing network quality of service.
Background art
Although some significant work has been carried out in network security management, automatic and timely detection of network traffic anomalies remains an open problem in network security.
In general, network anomaly detection methods fall into two classes: misuse detection and anomaly detection. The former uses labelled abnormal data from the past to detect anomalies that may occur. The latter builds a database of normal network behaviour and detects attacks as large deviations from normal behaviour.
Early research on anomaly detection was mainly feature-based. That approach requires the attack database to be updated frequently and is not suitable for real-time network anomaly detection. Most of the anomaly detection methods proposed so far take the approach of traditional statistical physics and extract macroscopic features of network traffic, such as the self-similarity coefficient, entropy, probability distribution function or probability density. Various pattern recognition techniques, such as neural networks, hidden Markov models, comprehensive access control, sensor fusion and machine learning, are then used to detect network anomalies.
However, the generation of network traffic is a complex process, influenced by many factors such as network equipment, topology, transport protocols, and the interacting cooperation and competition between network users. Network traffic therefore often shows nonlinear, non-stationary and complex characteristics; it is a complex dynamic system whose macroscopic behaviour is produced by the joint action of these factors. At any given moment the trend of network traffic is determined by a few main factors, and the other, secondary factors contribute very little to it. Even if the fluctuation of normal traffic produced by secondary factors is large, the network system as a whole remains in a normal equilibrium state at a certain level. When an attack occurs, however, the network traffic system changes from the normal equilibrium state to the equilibrium state of the attack. This transition is an abrupt, non-stationary process (a mutation) determined by the main attack factors. The patent document "A network traffic anomaly detection method based on superstatistics theory" (publication number CN101286897, published 2008.10.15) proposes determining a distribution model from the actual characteristics of network traffic, computing from this model the slow-variable sequence of the traffic time series, i.e. the distribution parameter sequence, and detecting traffic anomalies from abnormal fluctuations of the slow-variable sequence. That method detects traffic anomalies statistically: it mixes and smooths all the factors that produce the anomaly and ignores the mutation process that traffic undergoes when an anomaly occurs. Such traditional anomaly detection based on statistical physics rests on the assumption that network traffic is stationary and ignores the abrupt, non-stationary process that accompanies an anomaly. The real-time performance and accuracy of traffic detection are therefore considerably affected.
Summary of the invention
The object of the present invention is to provide a network traffic anomaly detection method that has low computational complexity, a high detection rate, a low false detection rate and good real-time performance.
The network traffic anomaly detection method provided by the invention comprises the following steps:
Step 1: normalize and mean-centre the network traffic sample data to obtain the network traffic sample data vectors $v_k$, $1 \le k \le M$, where $M$ is the number of categories of network traffic sample data; normalize and mean-centre the network traffic test data to be identified to obtain the network traffic test data vector $q(0)$;
Step 2: compute the attention parameters of the network traffic anomalies and obtain the adjoint vector corresponding to each network traffic sample data vector;
Step 3: compute the initial values of the order parameters from the adjoint vectors;
Step 4: compute the order parameters iteratively using the attention parameters; the detection result is obtained when the iteration ends.
The present invention describes the complex behaviour of the network traffic system and captures the relation between traffic anomalies and network traffic. When a traffic anomaly occurs, traffic is controlled by a few driving factors, its behaviour shows nonlinear, non-stationary and complex characteristics, and a mutation takes place. The invention uses order parameters to describe the few controlling factors that cause the non-stationary mutation of the network traffic system; the order parameters embody the dominant factors that govern the mutation process. The order parameters are computed iteratively, and when they converge the result of network anomaly detection is obtained. To verify the effectiveness of the method, simulation tests were carried out with the DARPA data set. Repeated experiments show that the proposed method detects network traffic anomalies very effectively even when multiple different attacks are present in the network.
The present invention builds a network traffic anomaly detection model based on synergetic mutation. It compares as follows with the technical scheme proposed in the patent "A network traffic anomaly detection method based on superstatistics theory" (publication number CN101286897, published 2008.10.15). Because network traffic is often controlled by several driving factors, its behaviour shows nonlinear, non-stationary and complex characteristics; when an anomaly occurs, the change in traffic is a non-stationary mutation process that is often controlled by only a few factors. The cited patent detects traffic anomalies statistically: it mixes and smooths the several factors that produce the anomaly and ignores the mutation process that traffic undergoes when an anomaly occurs, so the real-time performance and accuracy of detection are considerably affected. Compared with other network traffic anomaly detection models, this method has low computational complexity, a high detection rate, a low false detection rate and good real-time performance.
Description of drawings
Fig. 1 is the flow chart of the network traffic anomaly detection method.
Fig. 2 shows the iterative order parameter results for five kinds of test data (Fig. 2a: normal traffic; Fig. 2b: U2R attack; Fig. 2c: R2L attack; Fig. 2d: DoS attack; Fig. 2e: Probing attack).
Fig. 3 shows the result of network traffic anomaly detection.
Embodiment
To help in understanding the method, the theoretical basis of the model is first described briefly.
Because of the interaction of network equipment, topology and transport protocols, and the cooperation and competition between network users, the formation of network traffic is a complex process; traffic controlled by several driving factors often shows nonlinear, non-stationary and complex characteristics. The macroscopic behaviour of network traffic is produced by the interaction of these factors. Here we use synergetics to study the cooperative behaviour between them. At a given moment, however, the trend of network traffic is determined by only a few dominant factors, and the contribution of the other, secondary factors is very small. These dominant factors are the main object of our research on traffic anomaly detection, and we call them order parameters.
The motion of the network traffic dynamic system depends on transitions between the equilibrium states determined by the main factors. For example, in normal network traffic (traffic whose state is normal, that is, in which no anomaly occurs), even if the fluctuation produced by the secondary factors is large, the network traffic system still keeps the steady trend determined by the main factors. We call this network state the normal equilibrium state. After an attack has occurred, the network traffic system stays steadily in the attack state determined by the main attack factors; we call this network state the equilibrium state of the attack. While the attack is occurring, the state of the network traffic system is driven by the main attack factors from the normal equilibrium state to the equilibrium state of the attack; we call this process a mutation of the network traffic dynamic system. Here we use a kinetic equation to describe the relation between the equilibrium states and the driving factors. The kinetic equation is:
$$\dot{q} = -\frac{\partial V}{\partial q^{+}}, \qquad \dot{q}^{+} = -\frac{\partial V}{\partial q}$$
Here $q$ denotes the network traffic state vector, $q^{+}$ is the adjoint vector of $q$, $\dot{q}$ is the first derivative of the network traffic state vector $q$, and $V$ is the potential function that reflects the mutation of the equilibrium state of the network traffic system.
Detecting network traffic anomalies with the synergetic mutation model is a pattern recognition process based on synergetics. During recognition, a dynamic process of a nonlinear dynamical system is constructed for the data to be identified $q$: $q$ passes through an intermediate state $q(t)$ into one sample data vector $v_k$ among all the sample data, namely the one closest to $q(0)$; in other words, $q$ is pulled to the bottom of the attractor valley of that sample data. This can be written as $q(0) \to q(t) \to v_k$, where $t$ denotes time.
Suppose that the number of sample data is $M$ and the dimension of the sample data vectors is $N$, with $M \le N$ required. The kinetic equation is:
$$\dot{q} = \sum_{k} \lambda_k v_k (v_k^{+} q) - B \sum_{k \ne k'} (v_{k'}^{+} q)^2 (v_k^{+} q) v_k - C (q^{+} q) q + F(t) \qquad (1)$$
Here $q$ is the state vector whose initial value is the input data $q(0)$; it is the data vector to be identified. $\lambda_k$ is the attention parameter; the data can be identified only when it is positive. If all attention parameters are equal they are called balanced attention parameters; otherwise, if particular "attention" is to be paid to some sample data, that sample can be assigned a larger $\lambda_k$, and the parameters are called unbalanced attention parameters. $F(t)$ is a fluctuating force and can be neglected. $B$ and $C$ are given coefficients, both greater than 0; to guarantee that the system converges for every data item, $B = C = 1$ can be chosen. $v_k$ is a sample data vector, $v_k = (v_{k,1}, v_{k,2}, \ldots, v_{k,N})^{T}$. $v_k^{+}$ is the adjoint vector of $v_k$ and must satisfy:
$$(v_k^{+}, v_{k'}) = v_k^{+} v_{k'} = \delta_{k,k'} = \begin{cases} 1, & k = k' \\ 0, & k \ne k' \end{cases} \qquad (2)$$
$v_k$ must satisfy the normalization and zero-mean conditions:
$$\sum_{l=1}^{N} v_{k,l} = 0, \qquad \|v_k\|_2 = \Big( \sum_{l=1}^{N} v_{k,l}^2 \Big)^{1/2} = 1 \qquad (3)$$
The vector $q$ is decomposed into the sample data vectors $v_k$ and a residual $w$:
$$q = \sum_{k=1}^{M} \xi_k v_k + w, \qquad v_k^{+} w = 0 \qquad (4)$$
Its adjoint vector is defined as:
$$q^{+} = \sum_{k=1}^{M} \xi_k v_k^{+} + w^{+}, \qquad w^{+} v_k = 0 \qquad (5)$$
The following relation obviously holds:
$$(v_k^{+}, q) = (q^{+}, v_k) \qquad (6)$$
Substituting formula (4) into (6) and using the orthogonality relation gives the order parameter:
$$\xi_k = (v_k^{+}, q) = v_k^{+} q \qquad (7)$$
Formula (1) describes a potential dynamics. Neglecting $F(t)$ and the transient quantities, the potential function is:
$$V = -\frac{1}{2} \sum_{k=1}^{M} \lambda_k (v_k^{+} q)^2 + \frac{1}{4} B \sum_{k \ne k'} (v_{k'}^{+} q)^2 (v_k^{+} q)^2 + \frac{1}{4} C \Big( \sum_{k=1}^{M} (v_k^{+} q)^2 \Big)^2 \qquad (8)$$
The corresponding kinetic equation and mutation potential function can be expressed in terms of the order parameters as:
$$\dot{\xi}_k = \lambda_k \xi_k - B \sum_{k' \ne k} \xi_{k'}^2 \xi_k - C \Big( \sum_{k'=1}^{M} \xi_{k'}^2 \Big) \xi_k \qquad (9)$$
$$V = -\frac{1}{2} \sum_{k=1}^{M} \lambda_k \xi_k^2 + \frac{1}{4} B \sum_{k' \ne k} \xi_{k'}^2 \xi_k^2 + \frac{1}{4} C \Big( \sum_{k'=1}^{M} \xi_{k'}^2 \Big)^2$$
The stationary state of the network traffic dynamic system is determined by:
$$\dot{\xi}_k = 0, \qquad 0 \le k \le M \qquad (10)$$
That is:
$$\dot{\xi}_k = \lambda_k \xi_k - B \sum_{k' \ne k} \xi_{k'}^2 \xi_k - C \Big( \sum_{k'=1}^{M} \xi_{k'}^2 \Big) \xi_k = 0 \qquad (11)$$
If we define:
$$D = (B + C) \sum_{k'} \xi_{k'}^2 \qquad (12)$$
then formulas (9) and (11) can be rewritten respectively as:
$$\dot{\xi}_k = \xi_k (\lambda_k - D + B \xi_k^2) \qquad (13)$$
$$\xi_k (\lambda_k - D + B \xi_k^2) = 0 \qquad (14)$$
Haken proved that when $\lambda_k = C > 0$, i.e. when the attention parameters are equal, the stable fixed points of $V$ lie on the individual sample data and are distributed symmetrically in positive and negative sign. These stable fixed points are described by $\xi_k = 1$ with all other $\xi = 0$, and the only unstable fixed point is at $q = 0$. The final state of the system depends on the initial order parameter values of the input vector: in the competition, the $v_k$ with the largest initial order parameter wins, its order parameter $\xi_k$ tends to 1, and the other order parameters tend to 0. When the attention parameters differ, the stable fixed points of $V$ are not uniformly distributed, and the choice of attention parameters determines the behaviour of the system.
The steps of the invention are described in further detail below with reference to the drawings:
(1) Process the network traffic sample data and the network traffic test data
(1.1) Select the network traffic sample data. The sample data are chosen so that they reflect the characteristics of normal traffic data and of the various kinds of abnormal traffic data, following the principle of maximizing the distance between normal traffic and the various kinds of abnormal traffic data;
(1.2) Normalize and mean-centre the network traffic sample data to obtain the network traffic sample data vectors $v_k$, $1 \le k \le M$, where $M$ is the number of categories of network traffic sample data; normalize and mean-centre the network traffic test data to be identified to obtain the network traffic test data vector $q(0)$;
(2) Compute the attention parameters of the network traffic anomalies and obtain the adjoint vector corresponding to each network traffic sample data vector;
(2.1) Let $N_k$, $1 \le k \le M$, be the number of times each type of network traffic anomaly occurs in the network traffic sample data, and compute the corresponding attention parameter $\lambda_k$:
$$\lambda_k = \frac{N_k}{\sum_{n=1}^{M} N_n}$$
(2.2) Obtain the adjoint vector $v_k^{+}$ corresponding to the network traffic sample data vector $v_k$. The adjoint vector $v_k^{+}$ is expressed as a superposition of the transposes of the $v_k$:
$$v_k^{+} = \sum_{n=1}^{M} a_{nk} \bar{v}_n \qquad \text{Formula (I)}$$
In formula (I), $\bar{v}_k$ is the transpose of the vector $v_k$, and the coefficients $a_{nk}$ satisfy the orthogonality condition $(v_k^{+}, \bar{v}_h) = \delta_{hk}$, $1 \le h \le M$. Multiplying formula (I) by $v_k$ gives
$$\delta_{kh} = \sum_{n=1}^{M} a_{hn} (\bar{v}_n, v_k) \qquad \text{Formula (II)}$$
Let
$$A = (a_{hn}), \qquad W = [(\bar{v}_n, v_k)]$$
Then $I = AW$, where $I$ is the identity matrix, and
$$A = W^{-1} \qquad \text{Formula (III)}$$
Substituting formula (III) into $v_k^{+} = \sum_{n=1}^{M} a_{nk} \bar{v}_n$ gives the adjoint vector $v_k^{+}$.
(3) Compute the order parameters
Multiply the network traffic test data vector $q(0)$ by the adjoint vector $v_k^{+}$ of each network traffic sample data vector, i.e. $\xi_k(0) = v_k^{+} \times q(0)$, to obtain the initial value $\xi_k(0)$ of the order parameter $\xi_k$, $1 \le k \le M$;
(4) Compute the order parameters iteratively using the attention parameters; the detection result is obtained when the iteration ends.
(4.1) Set $t = 0$;
(4.2) Compute $D = (B + C) \sum_{n=1}^{M} \xi_n^2(t)$ and the iteration step size $\gamma = 1/D$, where $M$ is the number of categories of network traffic sample data and $B$ and $C$ are coefficients, both greater than 0;
(4.3) Set $i = 1$;
(4.4) Compute the $i$-th order parameter at time $t+1$, $\xi_i(t+1)$, using the formula:
$$\xi_i(t+1) - \xi_i(t) = \gamma \times \left( \lambda_i - D + B \times \xi_i^2(t) \right) \times \xi_i(t)$$
where $\xi_i(t)$ is the $i$-th order parameter at time $t$;
(4.5) Set $i = i + 1$ and test whether $i > M$; if so, go to step (4.6), otherwise go to step (4.4);
(4.6) Examine all of $\xi_1(t+1), \xi_2(t+1), \ldots, \xi_M(t+1)$: if exactly one value is 1 and all the others are 0, the iteration ends; let $J$ be the index of the order parameter whose value is 1, i.e. $\xi_J(t+1) = 1$, and go to step (4.7). Otherwise set $t = t + 1$ and go to step (4.2);
(4.7) Project the order parameters $\xi_1(t+1), \xi_2(t+1), \ldots, \xi_M(t+1)$ onto the network traffic sample data vectors $v_k$ according to formula (IV):
$$q(t+1) = \sum_{n=1}^{M} \xi_n(t+1) v_n \qquad \text{Formula (IV)}$$
where $q(t+1)$ is the identified anomaly result corresponding to the input network traffic test data vector $q(0)$; that is, $q(0)$ is the anomaly corresponding to the sample data $v_J$ whose order parameter is $\xi_J(t+1)$. This completes the anomaly detection process for the network traffic test data vector $q(0)$.
The network traffic anomaly detection process is shown in Fig. 1.
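Steps (1) to (4.7) carried through on small input, as an added Python example that is not code from the patent. It goes beyond the page in one labelled respect: the stopping test of step (4.6) uses a tolerance and compares the winning order parameter with $\sqrt{\lambda_J / C}$, the fixed point of the update in step (4.4), which is the page's value 1 when $\lambda_J = C$ (the experimental setting $\lambda_k = 1$, $B = C = 1$). The packet-count windows and the names `tol` and `max_iter` are constructed for the example.

```python
import math

B = C = 1.0  # coefficients of steps (4.2)/(4.4); the page's experiment uses B = C = 1


def normalize(x):
    """Step (1.2): subtract the mean, then scale to unit Euclidean norm (eq. 3)."""
    mean = sum(x) / len(x)
    centred = [xi - mean for xi in x]
    norm = math.sqrt(sum(c * c for c in centred))
    if norm == 0.0:
        raise ValueError("a constant window has no shape to normalize")
    return [c / norm for c in centred]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; m is M x M, one row per class."""
    n = len(m)
    aug = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("sample vectors are linearly dependent")
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def adjoints(vs):
    """Step (2.2): W is the Gram matrix of the v_k, A = W^-1, v_k^+ = sum_n a_kn v_n."""
    a = invert([[dot(u, v) for v in vs] for u in vs])
    return [[sum(a[k][n] * vs[n][i] for n in range(len(vs)))
             for i in range(len(vs[0]))] for k in range(len(vs))]


def attention(counts):
    """Step (2.1): lambda_k = N_k / sum_n N_n."""
    total = sum(counts)
    return [c / total for c in counts]


def detect(samples, window, lam, tol=1e-3, max_iter=200):
    """Steps (3) to (4.7): return (class index J, projected q) or (None, None)."""
    vs = [normalize(s) for s in samples]
    q0 = normalize(window)
    xi = [dot(a, q0) for a in adjoints(vs)]        # step (3): xi_k(0) = v_k^+ q(0)
    for _ in range(max_iter):
        d = (B + C) * sum(x * x for x in xi)       # step (4.2)
        if d == 0.0:
            break                                  # q(0) matches no sample at all
        gamma = 1.0 / d
        xi = [x + gamma * (lk - d + B * x * x) * x  # step (4.4)
              for x, lk in zip(xi, lam)]
        j = max(range(len(xi)), key=lambda i: abs(xi[i]))
        # Step (4.6) with a tolerance (assumption). With the others at 0 the
        # update factor is lam_J - C*xi_J^2, so the winner settles at
        # sqrt(lam_J / C): exactly 1 for lam_J = C, below 1 for step (2.1) values.
        # A winner that settles at the negative fixed point is never accepted.
        target = math.sqrt(lam[j] / C)
        rest = [abs(x) for i, x in enumerate(xi) if i != j]
        if abs(xi[j] - target) < tol and all(r < tol for r in rest):
            q = [sum(x * v[i] for x, v in zip(xi, vs)) for i in range(len(q0))]
            return j, q                            # step (4.7), formula (IV)
    return None, None


# Constructed 8-second windows of packets per second (not DARPA data).
LABELS = ["normal", "DoS", "Probing"]
SAMPLES = [
    [100, 103, 105, 106, 105, 103, 100, 98],       # normal: slow drift
    [100, 110, 400, 900, 950, 920, 940, 930],      # DoS: sustained flood
    [100, 180, 100, 190, 100, 185, 100, 180],      # Probing: periodic bursts
]

if __name__ == "__main__":
    balanced = [1.0] * len(SAMPLES)                # lambda_k = 1 as in the experiment
    for w in ([120, 125, 500, 1000, 1100, 1050, 1080, 1060],
              [90, 170, 95, 175, 92, 168, 94, 172]):
        j, _ = detect(SAMPLES, w, balanced)
        print(w, "->", LABELS[j] if j is not None else "unclassified")
```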
The method of the invention is explained in further detail below with an example.
The Information Systems Technology Group of MIT Lincoln Laboratory, under the sponsorship of the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory, provides test data sets for the evaluation of computer network intrusion detection systems. The data set contains rich packet traffic and many different types of intrusion attacks (mainly denial of service attacks, DoS; distributed denial of service attacks, DDoS; remote attacks, R2L; attacks in which a local user illegally escalates privileges, U2R; and illegal monitoring and probing, Probing; four types in all). Each data item comprises the packet number and the header and body of the packet. The packet header records the start time of the packet, the time interval from the first packet, the source address, the destination address, the packet length, the network protocol and similar information. The packets are mainly of the following types: IP, arp and netbeui. The length (in bytes) of an IP packet is the byte count in brackets plus 40 (the length of the IP header); netbeui is a local area network protocol, and packets of this protocol are 14 bytes long; arp (Address Resolution Protocol) packets are 28 bytes long.
Here we use the DARPA 1999 data set. The data set consists of two parts: 3 weeks of sample data with labelled attacks and 2 weeks of unlabelled test data. Each part contains three kinds of data: tcpdump files, Solaris BSM audit data and ps monitoring data. We use the tcpdump files, which record network traffic information, for anomaly analysis. Using the tcpdump tool, we reduce the traffic information to the number of packets per second to evaluate the method of this patent. Of the 3 weeks of sample data, the first and third weeks contain no attacks; these data are used to produce normal sample data for the anomaly detection system. In addition to the attacks of the DARPA 1998 data set, the second week's sample data contain some new attacks; these data are used as sample data for the anomaly detection system. The network traffic data of the fourth and fifth weeks, whose background traffic contains attacks, are used as test data.
In this experiment we use five kinds of data: normal traffic data, U2R attack data, R2L attack data, DoS attack data and Probing attack data, labelled with the values 1, 2, 3, 4 and 5 respectively. That is, in our anomaly detection method the test network traffic is detected as one of these five kinds of data. For these five kinds of data we selected five kinds of sample data from the network traffic sample data to construct the synergetic mutation model. The corresponding parameters of the model are: $M = 5$, $B = C = 1$, $\lambda = \lambda_k = 1$, $N_k = 1000$, $\theta = 0.01$. Fig. 2 (a-e) shows the order parameter evolution for the five types of network traffic test data: normal traffic data, U2R attack data, R2L attack data, DoS attack data and Probing attack data. As the figures show, when one order parameter converges to 1 the other order parameters converge to 0, and the attack can then be detected.
Fig. 3 shows the result of network traffic anomaly detection: the detection rate for network traffic anomalies reaches 97%, and the false detection rate is only 8.9%.

Claims (5)

1. A network traffic anomaly detection method, comprising the steps of:
Step 1: normalizing and mean-centring the network traffic sample data to obtain the network traffic sample data vectors $v_k$, $1 \le k \le M$, where $M$ is the number of categories of network traffic sample data, and normalizing and mean-centring the network traffic test data to be identified to obtain the network traffic test data vector $q(0)$;
Step 2: computing the attention parameters of the network traffic anomalies and obtaining the adjoint vector corresponding to each network traffic sample data vector;
Step 3: computing the initial values of the order parameters from said adjoint vectors;
Step 4: computing the order parameters iteratively using said attention parameters, the detection result being obtained when the iteration ends.
2. The network traffic anomaly detection method according to claim 1, characterized in that the network traffic sample data in step 1 are selected as follows:
the sample data are chosen so that they reflect the characteristics of normal traffic data and of each type of abnormal traffic data, following the principle of maximizing the distance between normal traffic and each type of abnormal traffic data.
3. The network traffic anomaly detection method according to claim 1 or 2, characterized in that step 2 comprises the following process:
(2.1) let $N_k$, $1 \le k \le M$, be the number of times each type of network traffic anomaly occurs in the network traffic sample data, and compute the corresponding attention parameter $\lambda_k$:
$$\lambda_k = \frac{N_k}{\sum_{n=1}^{M} N_n}$$
(2.2) obtain the adjoint vector $v_k^{+}$ corresponding to the network traffic sample data vector $v_k$; the adjoint vector $v_k^{+}$ can be expressed as a superposition of the transposes of the $v_k$, namely
$$v_k^{+} = \sum_{n=1}^{M} a_{nh} \bar{v}_n \qquad \text{Formula (I)}$$
In formula (I), $\bar{v}_n$ is the transpose of the vector $v_n$, and the coefficients $a_{nh}$ are such that the orthogonality condition [formula image] holds, $1 \le h \le M$. Multiplying formula (I) by $v_k$ gives
$$\delta_{kh} = \sum_{n=1}^{M} a_{nh} (\bar{v}_n, v_k) \qquad \text{Formula (II)}$$
where $\delta_{nh}$ and $\delta_{kh}$ are both unit vectors determined by the orthogonality condition;
Let
$$A = (a_{nh}), \qquad W = [(\bar{v}_n, v_k)]$$
Then $I = AW$, where $I$ is the identity matrix, and
$$A = W^{-1} \qquad \text{Formula (III)}$$
Because [formula image] $v_k$ are known, the matrix $A$ formed by the $a_{nh}$ is uniquely determined; substituting the corresponding $a_{nh}$ from formula (III) into formula (I) gives the adjoint vector.
4. The network traffic anomaly detection method according to claim 3, characterized in that step 3 uses the formula $\xi_k(0) = v_k^{+} \times q(0)$ to compute the initial value of each order parameter for $k$ from 1 to $M$.
5. The network traffic anomaly detection method according to claim 4, characterized in that step 4 comprises the following process:
(4.1) set $t = 0$;
(4.2) compute $D = (B + C) \sum_{n=1}^{M} \xi_n^2(t)$ and the iteration step size $\gamma = 1/D$, where $M$ is the number of categories of network traffic sample data and $B$ and $C$ are coefficients, both greater than 0;
(4.3) set $i = 1$;
(4.4) compute the $i$-th order parameter at time $t+1$, $\xi_i(t+1)$, using the formula:
$$\xi_i(t+1) - \xi_i(t) = \gamma \times \left( \lambda_i - D + B \times \xi_i^2(t) \right) \times \xi_i(t)$$
where $\xi_i(t)$ is the $i$-th order parameter at time $t$;
(4.5) set $i = i + 1$ and test whether $i > M$; if so, go to step (4.6), otherwise go to step (4.4);
(4.6) examine all of $\xi_1(t+1), \xi_2(t+1), \ldots, \xi_M(t+1)$: if exactly one value is 1 and all the others are 0, the iteration ends; let $J$ be the index of the order parameter whose value is 1, i.e. $\xi_J(t+1) = 1$, and go to step (4.7); otherwise set $t = t + 1$ and go to step (4.2);
(4.7) project the order parameters $\xi_1(t+1), \xi_2(t+1), \ldots, \xi_M(t+1)$ onto the network traffic sample data vectors $v_k$ according to formula (IV):
$$q(t+1) = \sum_{n=1}^{M} \xi_n(t+1) v_n \qquad \text{Formula (IV)}$$
where $q(t+1)$ is the identified anomaly result corresponding to the input network traffic test data vector $q(0)$; that is, $q(0)$ is the anomaly corresponding to the sample data $v_J$ whose order parameter is $\xi_J(t+1)$, which completes the anomaly detection process for the network traffic test data vector $q(0)$.
Priority Applications (1)

Application Number, Priority Date, Filing Date, Title
CN200910273494XA (CN101771584B), 2009-12-31, 2009-12-31, Network abnormal flow detection method

Publications (2)

Publication Number, Publication Date
CN101771584A, 2010-07-07
CN101771584B, 2012-08-15

Family ID: 42504200

Country Status (1): CN, CN101771584B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103369627B (en) * 2012-12-07 2015-12-23 南京邮电大学 Based on the connection control method of synergetics in wireless network
US9571519B2 (en) * 2014-09-29 2017-02-14 Juniper Networks, Inc. Targeted attack discovery
CN104717106B (en) * 2015-03-04 2015-12-09 贵州电网公司信息通信分公司 A kind of distributed network flow method for detecting abnormality based on multivariable sequential analysis
CN107231377B (en) * 2017-07-21 2020-04-24 河南工程学院 BGP-LDoS attack detection method based on mutation equilibrium state theory
CN108429771B (en) * 2018-06-11 2021-02-05 中国人民解放军战略支援部队信息工程大学 Mutation theory-based software defined network security state evaluation method and device
WO2022009274A1 (en) * 2020-07-06 2022-01-13 日本電信電話株式会社 Security setting support device, security setting support method, and program
CN112272121B (en) * 2020-09-21 2022-01-18 中国科学院信息工程研究所 Effect verification method and system for flow monitoring

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120815

Termination date: 20121231