CN102487293B - Satellite communication network abnormity detection method based on network control - Google Patents

Publication number: CN102487293B
Application number: CN201010574056.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN102487293A
Legal status: Expired - Fee Related
Inventors: 胡谷雨, 倪桂强, 潘志松, 谢钧, 袁伟伟, 端义锋, 王琼
Current Assignee: PLA University of Science and Technology
Original Assignee: PLA University of Science and Technology
Prior art keywords: signaling, detection, sequence, data, model
Landscapes: Radio Relay Systems (AREA)
Abstract

The invention discloses a method for detecting anomalies in a satellite communication network based on network control. A fuzzy C-means clustering algorithm learns from normal audit data to establish an anomaly detection mechanism, which enables post-event analysis of abnormal events. A support vector data description one-class classifier is used to summarize normal and abnormal short sequences, and a hidden Markov model performs anomaly detection on the communication signaling of all earth stations over the whole time period, which enables real-time detection based on communication signaling. Using these post-event analysis and real-time detection methods, a prototype system for satellite communication network anomaly detection based on network control is implemented. The post-event analysis method is suitable for large-scale data and has low false-negative and false-positive rates. The real-time detection method has good detection performance, a short signaling detection time and a fast response, so the goal of online detection can be achieved and the security of the signaling system enhanced.

Description

Satellite communication network anomaly detection system based on network control
Technical field
The invention belongs to the field of satellite communication network anomaly detection, and in particular relates to a satellite communication network anomaly detection system based on network control.
Background art
With the development of computer and communication technology, intrusions into computer networks using previously unknown methods are becoming increasingly serious, which makes anomaly detection all the more important. Anomaly detection is a branch of intrusion detection, where an intrusion is any set of activities that attempts to compromise the integrity, confidentiality or availability of a resource. The underlying assumption of anomaly detection is that an intruder's activity differs from that of a normal subject and that the two can be told apart; this difference is then used as the basis for deciding whether a behavior is an intrusion. The conventional approach is to build a profile of the "normal activity" of the system or user. During detection, the anomaly detection program generates a profile of the current activity and compares it with the normal profile; if the deviation exceeds a certain threshold, the activity is considered an intrusion and the corresponding mechanism is triggered. Anomaly detection depends little on the particular system, so it generalizes well, and its greatest advantage is that it can detect intrusion behaviors that are not yet known.
Anomaly detection techniques fall into four main classes:
(1) Statistics-based anomaly detection
In this technique the anomaly detector observes the activity of subjects and generates profiles that characterize their behavior. Each profile records the current behavior of a subject, and the current profile is periodically merged with the stored profile. Abnormal behavior is identified by comparing the current profile with the stored one. This is the earliest technique to be developed and also the most mature and practical. It has some drawbacks, however: the threshold is hard to determine, and one that is too low or too high readily produces false alarms or missed detections; and attacks that exploit the ordering of events are hard to detect.
(2) Anomaly detection based on predictive patterns
This method assumes that event sequences are not random but follow recognizable patterns; its distinguishing feature is that it takes into account the order of events and the relationships between them. Teng and Chen proposed the time-based inductive method TIM (Time-based Inductive Machine), which uses temporal rules to identify the characteristics of a user's normal behavior patterns. The rule sets are produced by inductive learning, and the rules in the system are modified dynamically so that they achieve higher predictiveness, accuracy and confidence. If a rule is correct most of the time and can be used successfully to predict the observed data, the rule has high confidence. The drawbacks of this method are that it is computationally expensive and that it readily leads to a high false alarm rate.
(3) Anomaly detection based on system calls
Forrest et al. hold that the normal behavior of a program can be characterized by the local patterns (short sequences) of its execution trace, and that deviations from these patterns can be considered anomalies. The method relies on two properties of program execution: when a program runs normally, its execution trace is locally consistent, and when an anomaly occurs, local patterns are produced that differ from the normal ones. The typical method using this technique is the time-delay embedding sequence method proposed by Forrest et al.: contiguous sequences of a predetermined length K are used to construct the profile of the program's normal behavior; during detection, the execution trace of the program under test is compared with the sequences in the normal profile, and when the number of unmatched trace sequences exceeds a threshold, the program is considered abnormal. The analysis and modeling in this method are fairly simple, but its main drawback is that it cannot detect cooperative attacks or impostors.
(4) Anomaly detection based on artificial intelligence
Applying artificial intelligence techniques to anomaly detection can improve detection performance. These techniques mainly comprise artificial neural networks, data mining and artificial immune systems.
Artificial neural networks: in an artificial neural network the structure and function of each neuron are relatively simple and limited, but the "microscopic" activity of these many structurally simple, functionally limited neurons produces a complex "macroscopic effect": the network can carry out a variety of complex information recognition and processing tasks. Several neural network models have already been applied in IDS. Given only the audit trace data of the system, a neural network can extract the characteristic patterns of normal user or system activity through self-learning, without needing the statistical distribution of the feature set describing user behavior or of the user behavior measures. The computational cost, however, is high.
Data mining: Wenke Lee and Salvatore J. Stolfo applied data mining to intrusion detection research. The goal of their research is to reduce as far as possible the manual and experience-based components involved in building an intrusion detection system. They take a data-centric view and treat intrusion detection as a data analysis process. Problems remain for real-time intrusion detection, however, which requires the development of effective data mining algorithms and of distributed systems adapted to them.
Artificial immune systems: research on intrusion detection models based on artificial immune systems has two directions. One is an immune model that monitors the sequences of key system calls on a host; the other is an immune model for network data. Because the immune system is distributed, diverse, has memory and is scalable, these properties can be used to build intrusion detection models that are distributed, efficient and self-organizing. The drawback is that there is not yet a complete theoretical framework for artificial immunity, nor a sufficiently effective antigen recognition algorithm.
A satellite communication network is a complex integrated system. The earth stations are the nodes of the network, and their normal operation directly determines the quality and security of the whole network. Earth station anomalies take many forms: besides earth station faults, they include an earth station being counterfeited, lost, used by an unauthorized user, or captured by an enemy in wartime. Because the data of an earth station and the signaling it sends directly reflect user behavior, anomaly detection for a satellite communication network is mainly the detection of earth stations. Attacks that take the form of abnormal behavior are hard to detect by traditional detection methods. At present, satellite network management has not yet put forward an effective anomaly detection mechanism or solution for this problem.
Summary of the invention
The object of the invention is to provide a method that can detect abnormal earth station behavior in a satellite communication network from two angles, post-event analysis and real-time detection, and send anomaly alarms to the user, thereby realizing anomaly detection for a satellite communication network based on network control.
The technical solution that achieves this object is a satellite communication network anomaly detection method based on network control, which sits within the overall framework of satellite communication network security protection and detects anomalies in audit data and in signaling sequences. It comprises a data acquisition and preprocessing module, an audit detection module, communication-signaling-based modeling, HMM model detection, pattern matching knowledge base modeling, a pattern matching knowledge base detection module and a graphical user interface module. The data acquisition and preprocessing module obtains detection data from the data acquisition interface, preprocesses it and outputs it for use by the other modules. The audit detection module applies the typical clustering algorithm FCM to cluster a large volume of audit data, providing post-event analysis. Communication-signaling-based modeling extracts and encodes the signaling and, through hidden Markov algorithm learning, builds an HMM detection model based on normal signaling sequences. On the basis of that model, the HMM model detection module obtains in real time, through the network interface, the communication signaling sequence of an earth station over a period of operation; after data preprocessing and simple coding it obtains short signaling sequences, tests them with the classifier, and passes the detection result to the graphical user interface module for processing, providing real-time detection. Pattern matching knowledge base modeling derives simple patterns of earth station user behavior from the regularity and determinism of that behavior and stores them as a knowledge base. During detection, the pattern matching knowledge base detection module obtains communication data in real time and matches it against the earth station user behavior patterns; behavior that differs from the patterns in the knowledge base is considered abnormal, and the result is passed to the graphical user interface module for processing.
Compared with the prior art, the invention has the following notable advantages: (1) it can effectively protect the satellite communication network from the various "signaling attacks" launched from earth stations; (2) by combining domain prior knowledge with machine learning, the method for detecting abnormal earth station behavior from audit data is efficient and accurate, scales to large data sets, and has low false-negative and false-positive rates; (3) it applies machine learning to the analysis of satellite communication signaling in a novel way, proposing an HMM anomaly detection method based on short sequences, which not only has good detection performance but also needs very little time to test signaling and responds quickly, so that the goal of online detection can be achieved and the security of the signaling system strengthened; (4) it improves the efficiency of security personnel on duty and reduces their workload.
The invention is described in further detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a diagram of the overall framework of satellite communication network security protection.
Fig. 2 is a diagram of the core modules of satellite communication network anomaly detection based on network control.
Fig. 3 is a workflow diagram of satellite communication network anomaly detection based on network control.
Fig. 4 is a diagram of the classifier selection and training process.
Fig. 5 is a diagram of the anomaly detection model based on the hidden Markov model.
Embodiment
1. The invention performs anomaly detection within the overall framework of satellite communication network security protection and, for all kinds of satellite network control systems, finds abnormal behavior in the satellite communication system in good time. Fig. 1 shows the overall framework of satellite communication network security protection. The protection framework covers four aspects: the security protection system of the network control center server, detection of abnormal earth station behavior, security of the satellite communication control channel, and the design of a general signaling system.
(a) The security protection system of the network control center server comprises access control mechanisms, authentication, an encryption system and an intrusion detection system. General network security protection techniques are used to protect the network control center server, in particular to guard against two major classes of attack: unauthorized access by a remote user to the local machine (R2L) and unauthorized acquisition of superuser privileges (U2R).
(b) The earth station abnormal behavior detection subsystem implements the satellite communication network anomaly detection method based on network control. It mainly comprises anomaly detection on audit data and anomaly detection on the signaling sequences sent by each earth station. This subsystem mainly targets the various attacks that a counterfeit of a legitimate earth station launches against the network control center. After an attacker has attacked the network control center, traces of the attack remain in the audit records of the system; abnormal behavior is found in the massive audit data by clustering, and this method belongs to "post-event analysis". The signaling sequence anomaly detection model learns the behavior of normal earth stations, and any signaling sequence that deviates from the normal earth station "profile" is considered abnormal, which realizes anomaly detection based on earth station signaling sequences. Because the model monitors and tests the signaling sequences sent by all earth stations, it belongs to "real-time monitoring".
(c) Satellite communication control channel security comprises two parts: channel encryption and channel anti-interference.
(d) The general signaling system design of the satellite communication network emphasizes the security design of the signaling. The security threats faced by satellite communication networks and the existing security measures were analyzed; taking into account the characteristics of the satellite communication network itself, a secure, general signaling system was designed, and its security was formally analyzed by means of protocol verification.
2. The satellite communication network anomaly detection method based on network control can detect abnormal earth station behavior in the satellite communication network from two angles, post-event analysis and real-time detection, and send anomaly alarms to the user. The system has two interfaces: a data acquisition interface and a graphical user interface. The data acquisition interface comprises a database interface and a UDP frame interface, and is responsible for obtaining training and detection data from the ORACLE database and from UDP frames. The graphical user interface is the visual human-machine interface that the system offers the user; through it the user can monitor the system in real time and can also change the system parameter configuration. The method is implemented by the following seven core modules, as shown in Fig. 2:
(a) Data acquisition and preprocessing module: obtains detection data from the data acquisition interface and applies standardization and normalization preprocessing, turning the data into a standard form that can be used for cluster-analysis training and real-time detection; depending on the user's choice, the resulting standardized data can be stored in a file or a database;
(b) Pattern matching knowledge base modeling: derives some simple patterns of earth station user behavior from the regularity and determinism of that behavior and stores them as a knowledge base;
(c) Pattern matching knowledge base detection: obtains communication data in real time and matches it against the earth station user behavior patterns; behavior that differs from the patterns in the pattern matching knowledge base is considered abnormal, and the result is passed to the graphical user interface module for processing;
(d) Audit detection module: applies the typical clustering algorithm FCM to cluster the large volume of audit data recorded in the database of the network control center and finds abnormal behavior;
(e) HMM modeling: through the interface with the satellite communication system, obtains in real time the signaling exchanged between earth stations and the network control center and, through hidden Markov algorithm learning, obtains the state transition matrix and the visible-symbol transition matrix, building an HMM detection model based on normal signaling sequences;
(f) HMM model detection: on the basis of the model built from normal signaling sequences, obtains in real time, through the network interface, the communication signaling sequence of an earth station over a period of operation; after data preprocessing and simple coding it obtains short signaling sequences, tests them with the classifier, and passes the detection result to the graphical user interface module for processing;
(g) Graphical user interface: receives the detection results of the pattern matching, audit detection and HMM real-time detection modules and displays each result in an intuitive graphical form such as charts; it provides an interface for the user to set system parameters, and an interface that accepts manual intervention and feeds the result of the intervention back into the system.
The method examines the system from two angles, audit records and real-time signaling sequences, supplemented by pattern matching; its workflow is shown in Fig. 3. On the one hand, the system extracts audit records from the database of the network control center; after data preprocessing these become numeric data for cluster analysis, and cluster analysis yields the detection result for the historical audit data. From data collected in the database, a pattern base is built through learning by the pattern matching algorithm. Data frames are then obtained through the interface between the system and the network management system, and the corresponding data fields in each frame are matched against the pattern base; a mismatch indicates that an anomaly has occurred. If this is a misjudgment, the operator can intervene so that the misjudged record is added to the pattern base. On the other hand, the anomaly detection system obtains, through its interface with the network management system, the signaling exchanged between earth stations and network control. After data preprocessing this yields the normal signaling sequences used to train the classifier and the short signaling sequences to be tested. The hidden Markov algorithm is used to learn from the normal signaling sequences, producing a one-class classifier based on normal signaling sequences. Once the classifier is available, the short signaling sequences obtained in real time are tested. If the operator finds that a detection result is wrong, the newly seen sequence can be added to the training sequences and the classifier retrained to obtain an updated classifier.
3. Anomaly detection based on audit data in the satellite communication network anomaly detection method based on network control
Audit records describing earth station behavior are extracted from the network control database and, after data preprocessing, become numeric data for cluster analysis. The fuzzy C-means (FCM) clustering algorithm from data mining is used to learn from the normal audit data of the satellite communication network. The detection result for historical audit data is obtained by computing how far that data deviates from each cluster of normal samples, which establishes the anomaly detection mechanism. Finding abnormal behavior in massive audit data by machine learning methods such as cluster analysis belongs to "post-event analysis".
Fuzzy C-means clustering (FCM) assumes that each sample belongs "fuzzily" to a class: it may belong to one class and also to another. With $R^s$ the data set, let $u=\{u_{ik}\}_{c\times n}\in M_{fcn}$ (where $M_{fcn}$ is the partition matrix) and let the cluster centres be $v=\{v_1, v_2, \ldots, v_c\}$, $v_i\in R^s$, with $1<m<+\infty$ and $2\le c<n$. The global objective function of FCM is defined as:
$$J_m=\sum_{i=1}^{c}\sum_{k=1}^{n}u_{ik}^{m}\,\|x_k-v_i\|^{2}\qquad(1)$$
where m is a free parameter that controls the degree of mixing between classes, called the fuzzy exponent.
The constraints on formula (1) are:
$$0\le u_{ik}\le 1;\qquad \sum_{i=1}^{c}u_{ik}=1,\ \forall k;\qquad \sum_{k=1}^{n}u_{ik}>0\qquad(2)$$
It can be seen that when $u_{ik}=0$ this objective function equals the objective function of k-means; when $u_{ik}>0$, each sample is allowed to belong to several classes. Minimizing the objective function gives:
$$u_{ik}=\frac{\left(1/\|x_k-v_i\|^{2}\right)^{1/(m-1)}}{\sum_{j=1}^{c}\left(1/\|x_k-v_j\|^{2}\right)^{1/(m-1)}},\ \forall i\qquad(3)$$
$$v_i=\frac{\sum_{k=1}^{n}u_{ik}^{m}\,x_k}{\sum_{k=1}^{n}u_{ik}^{m}},\ \forall i\qquad(4)$$
$J_m$ is minimized when each cluster centre $v_i$ lies near the points that have a high estimated probability of belonging to its class. Because analytic solutions of formulas (3) and (4) are hard to find, the cluster means and point probabilities are estimated iteratively. The algorithm steps are as follows:
(a) input the parameters n, c, m, u, etc.;
(b) normalize $u_{ik}$ according to the constraints;
(c) do: recompute $u_{ik}$ by formula (3);
(d) recompute $v_i$ by formula (4);
(e) until $u_{ik}$ and $v_i$ change very little;
(f) return u.
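Steps (a) to (f) as an added example that is not part of the patent: a pure-Python FCM following formulas (3) and (4), trained on constructed "normal" audit vectors and then used to flag records. The two features, the sample values, the distance-to-nearest-centre deviation score and the `margin` threshold rule are assumptions; the patent does not state how the deviation is thresholded.

```python
import math
import random

# Constructed sample: normalised audit features per record (assumed features,
# e.g. call attempts per hour and mean call duration), all from normal operation.
NORMAL_RECORDS = [
    (0.18, 0.28), (0.22, 0.31), (0.20, 0.33), (0.19, 0.30), (0.21, 0.27), (0.20, 0.31),
    (0.68, 0.79), (0.72, 0.82), (0.70, 0.78), (0.71, 0.81), (0.69, 0.80), (0.70, 0.80),
]


def sq_dist(x, v):
    """Squared Euclidean distance ||x - v||^2."""
    return sum((a - b) ** 2 for a, b in zip(x, v))


def memberships(points, centres, m):
    """Formula (3): membership u_ik of point k in cluster i."""
    power = 1.0 / (m - 1.0)
    u = [[0.0] * len(points) for _ in centres]
    for k, x in enumerate(points):
        # Floor the distance so a point lying exactly on a centre cannot divide by zero.
        inv = [(1.0 / max(sq_dist(x, v), 1e-12)) ** power for v in centres]
        total = sum(inv)
        for i in range(len(centres)):
            u[i][k] = inv[i] / total
    return u


def update_centres(points, u, m):
    """Formula (4): centre v_i as the u_ik^m-weighted mean of the points."""
    dim = len(points[0])
    centres = []
    for row in u:
        w = [value ** m for value in row]
        total = sum(w)
        centres.append(tuple(
            sum(w[k] * points[k][d] for k in range(len(points))) / total
            for d in range(dim)))
    return centres


def fcm(points, c, m=2.0, tol=1e-6, max_iter=300, seed=0):
    """Steps (a)-(f): returns (centres, u) with u[i][k] the membership of point k."""
    rng = random.Random(seed)
    n = len(points)
    # (a)-(b): random u, normalised so every column sums to 1 (constraint (2)).
    u = [[rng.random() for _ in range(n)] for _ in range(c)]
    for k in range(n):
        column = sum(u[i][k] for i in range(c))
        for i in range(c):
            u[i][k] /= column
    centres = update_centres(points, u, m)  # centres are needed before formula (3)
    for _ in range(max_iter):
        new_u = memberships(points, centres, m)       # (c)
        centres = update_centres(points, new_u, m)    # (d)
        change = max(abs(a - b)
                     for new_row, old_row in zip(new_u, u)
                     for a, b in zip(new_row, old_row))
        u = new_u
        if change < tol:                              # (e)
            break
    return centres, u                                 # (f)


def deviation(x, centres):
    """Assumed deviation score: distance from x to the nearest normal centre."""
    return min(math.sqrt(sq_dist(x, v)) for v in centres)


def build_detector(normal_records, c=2, margin=3.0):
    """Learn centres from normal data; threshold = margin * worst normal deviation."""
    centres, _ = fcm(normal_records, c)
    threshold = margin * max(deviation(x, centres) for x in normal_records)
    return centres, threshold


def flag_records(records, centres, threshold):
    """True for each record whose deviation exceeds the threshold."""
    return [deviation(x, centres) > threshold for x in records]


if __name__ == "__main__":
    centres, threshold = build_detector(NORMAL_RECORDS)
    audit = [(0.21, 0.29), (0.69, 0.81), (0.95, 0.10), (0.45, 0.55)]  # constructed
    for record, abnormal in zip(audit, flag_records(audit, centres, threshold)):
        print(record, "ABNORMAL" if abnormal else "normal")
```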
4. Anomaly detection based on communication signaling in the satellite communication network anomaly detection method based on network control
(a) A typical one-class classifier detection method, support vector data description, is applied to the small number of collected samples to perform one-class classification and to build up libraries of normal and abnormal short sequences, which guide network management personnel in handling network signaling anomalies.
The selected model is trained with normal signaling training sequences to obtain a trained classifier model, which is then tested with test signaling sequences. If the classifier's accuracy meets the requirement, training ends; otherwise the classifier's parameters are adjusted and the test is repeated. Fig. 4 shows the classifier selection and training process.
The basic idea of support vector data description (SVDD) is to use a Gaussian kernel function to map the sample space into a kernel space and to find, in the kernel space, a sphere that contains all the training data. At decision time, a test sample that lies inside this high-dimensional sphere is considered normal; otherwise it is considered abnormal. Suppose a model $f(x; w)$ represents a closed, bounded data set, which is enclosed and described by a hypersphere $\varepsilon_{struct}(R, a)$. The sphere is described by its centre a and radius R, and all samples of the training set fall inside it. To make the result more robust, a slack variable is introduced for each sample, as in SVM, to control the influence of outliers on the solution. The minimization problem therefore takes the following form:
$$\varepsilon_{struct}(R,a)=R^{2}$$
with the constraints:
$$\|x_i-a\|^{2}\le R^{2}+\xi_i,\qquad \xi_i\ge 0,\ \forall i$$
The parameter C is similar to the control variable in SVM.
Solving the minimization problem under these constraints with the Lagrange function gives:
$$L=\sum_{i}\alpha_i\,(x_i\cdot x_i)-\sum_{i,j}\alpha_i\alpha_j\,(x_i\cdot x_j)$$
subject to:
$$(1)\ \sum_{i}\alpha_i=1,\qquad (2)\ 0\le\alpha_i\le C,\ \forall i$$
Let z be a test sample. If the following inequality holds, z is judged to be of the normal class; otherwise it is of the abnormal class. This is equivalent to z falling inside the hypersphere.
$$\|z-a\|^{2}=(z\cdot z)-2\sum_{i}\alpha_i\,(z\cdot x_i)+\sum_{i,j}\alpha_i\alpha_j\,(x_i\cdot x_j)\le R^{2}$$
where R is the distance from any support vector $x_k$ to the sphere centre a:
$$R^{2}=(x_k\cdot x_k)-2\sum_{i}\alpha_i\,(x_i\cdot x_k)+\sum_{i,j}\alpha_i\alpha_j\,(x_i\cdot x_j)$$
When the sample points of the input space do not follow a spherical distribution, the kernel trick is used to map the input space into a higher-dimensional space first, and the problem is solved in the mapped space. Every inner product in the formulas above is replaced by a kernel function:
$$x_i\cdot x_j\ \rightarrow\ \phi(x_i)\cdot\phi(x_j)=K(x_i,x_j)$$
After the kernel function is introduced, the original formula becomes:
$$L=\sum_{i}\alpha_i\,K(x_i,x_i)-\sum_{i,j}\alpha_i\alpha_j\,K(x_i,x_j)$$
The constraints are unchanged, and the decision function becomes:
$$f_{SVDD}(z,\alpha,R)=I\left(\|\phi(z)-\phi(a)\|^{2}\le R^{2}\right)=I\left(K(z,z)-2\sum_{i}\alpha_i\,K(z,x_i)+\sum_{i,j}\alpha_i\alpha_j\,K(x_i,x_j)\le R^{2}\right)$$
Here the indicator function I is defined as:
$$I(A)=\begin{cases}1 & \text{if } A \text{ is true}\\ -1 & \text{otherwise}\end{cases}$$
(b) Because the communication sequences produced by normal user behavior are continuous and regular, forming a set of time-varying discrete sequences, an HMM is used to process the discrete-time data sample sequences. The signaling produced by the behavior of normal earth station users is reduced by simplified coding to a symbolized signaling sequence; the model parameters are then estimated with the Baum-Welch algorithm, which completes the modeling of the HMM. This HMM is used to perform anomaly detection on all earth station communication signaling over the whole time period, which realizes anomaly detection based on communication signaling.
As shown in Fig. 5, an HMM is a doubly stochastic process: it contains an invisible (hidden) underlying stochastic process, which can only be observed through another stochastic process that generates the observation sequence.
Suppose that the user behavior of a certain earth station in the satellite communication network is normal. The observed symbolized communication signaling sequence that it produces over a long period of length T is denoted $V^T=\{v_1, v_2, \ldots, v_x\}$, and the hidden communication state sequence corresponding to this visible symbol sequence is denoted $\omega^T=\{\omega_1, \omega_2, \ldots, \omega_y\}$. The hidden state sequence is generated by state transition probabilities, written $P(\omega_j(t+1)\mid\omega_i(t))=a_{ij}$: the probability that, being in state $\omega_i$ at some moment, the model moves to state $\omega_j$ at the next moment. Likewise, in a given state $\omega(t)$ each symbol $v(t)$ that can be observed has a corresponding probability, written $P(v_k(t)\mid\omega_j(t))=b_{jk}$. Only the visible symbol sequence can be observed; it is not possible to know directly which internal state $\omega_j$ the model is in, such as the talking state or the calling state. An HMM is concerned with the following three key problems:
Evaluation problem: given an HMM whose transition probabilities $a_{ij}$ and $b_{jk}$ are all known, compute the probability that the model produces a particular observation sequence $V^T$;
Decoding problem: given an HMM and an observation sequence it has produced, determine the hidden state sequence $\omega^T$ most likely to have produced this visible sequence;
Learning problem: given only the general structure of an HMM (such as the numbers of hidden states and visible symbols), with $a_{ij}$ and $b_{jk}$ all unknown, determine these parameters from a set of training sequences of visible symbols.
The model is written as $\lambda=(A, B, \pi)$, where $A=\{a_{ij}\}$ is the state transition probability matrix, $B=\{b_{jk}\}$ is the observable symbol probability matrix, $\pi=\{\pi_l\}$, $1\le l\le N$, is the initial state distribution, $P=\{p_1, p_2, \ldots, p_M\}$ is the set of M observed symbols, and $Q=\{q_1, q_2, \ldots, q_N\}$ is the set of N hidden states. The learning problem has to be solved first: the transition probabilities $a_{ij}$ and $b_{jk}$ of the model are determined from training samples of normal communication signaling sequences. The invention uses the well-known Baum-Welch algorithm with M=9 visible symbols and with the number of hidden states N set to 10, 15 and 20 in turn for parameter estimation, giving 3 HMMs. A communication signaling sequence to be tested is then passed through the model to find the probability that this signaling sequence matches the model, which solves the evaluation problem. In satellite communication the hidden states can be the talking state, the on-hook state and so on, and the visible symbol sequence is the sequence obtained by symbolizing the communication signaling, of the form: 2, 5, 1, 8, 7, 6, 4, ...
Baum-Welch algorithm is only to know observation sequence and do not know in the situation of corresponding status switch, computation model parameter A, and B, π is that the one of maximum likelihood algorithm (EM) realizes:
Algorithm is brought into use rough in other words conj.or perhaps arbitrarily about a ijand b jkestimation, then progressively revise according to following formula (5) and formula (6), until reach convergence.
$$\hat{a}_{ij} = \frac{\sum_{t=1}^{T} \gamma_{ij}(t)}{\sum_{t=1}^{T} \sum_{k} \gamma_{ik}(t)} \qquad (5)$$
$$\hat{b}_{jk} = \frac{\sum_{t=1,\; v(t)=v_k}^{T} \sum_{q} \gamma_{jq}(t)}{\sum_{t=1}^{T} \sum_{q} \gamma_{jq}(t)} \qquad (6)$$
Here, the quantity in the formula is defined as the probability of a transfer from state $\omega_i(t-1)$ to state $\omega_j(t)$, and $P(V^T \mid \lambda)$ is the probability that the model generates the sequence $V^T$ along any hidden path. $\alpha_i(t)$ and $\beta_i(t)$ are given by formulas (7) and (8) respectively:
These compute, respectively, the probability that the model is in hidden state $\omega_j$ at time $t$ and has produced the first $t$ symbols of the visible sequence $V^T$, and the probability that the model is in state $\omega_i$ at time $t$ and will produce the target sequence that follows time $t$.
The HMM detection process is shown in Figure 5. After the model has been built, normal communication signaling and abnormal communication signaling are read from the network control center and encoded as symbols; the signaling sequence is then cut with a sliding window of length K, the window moving backward one position per step. If the test sequence has length T, the set of short sequences contains (T-K+1) short sequences of length K. The output probability of each short test sequence is computed with the model. If the output probability of a short test sequence is less than a given threshold θ, the short sequence is marked "not matching" and a counter is incremented by 1. (This threshold characterizes the degree of matching, or similarity, between a short sequence and the model: above this value the short sequence is considered to match the model, which indicates a normal signaling sequence, because the model was trained only on normal communication signaling.) The ratio of the number of unmatched short sequences to the total number of short sequences in the test data is defined as the anomaly degree; when the anomaly degree exceeds another given threshold ε, the communication signaling is considered abnormal and a warning message is issued. K takes the values 4, 8, 12, 16 and 20 in turn (at least 4 signalings are needed to complete one normal communication process, so K is stepped by 4).
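The training and detection procedure described above, as an added example that is not code from the patent: Baum-Welch is run on short sequences of normal signaling, then a test trace is cut into T-K+1 windows, each window's output probability is compared with θ, and the anomaly degree is compared with ε. The symbol codes 0-8, the constructed traces, the rule used to pick θ (half the lowest probability of any training window), ε = 0.3 and all function names are assumptions; M = 9, N = 10 and K = 4 follow the text.

```python
import random

def forward(seq, A, B, pi):   # alpha[t][j] = P(first t+1 symbols, state j at t)
    al = [[p * b[seq[0]] for p, b in zip(pi, B)]]
    for v in seq[1:]:
        al.append([sum(a * A[i][j] for i, a in enumerate(al[-1])) * B[j][v]
                   for j in range(len(pi))])
    return al

def backward(seq, A, B):      # beta[t][i] = P(symbols after t | state i at t)
    be = [[1.0] * len(A)]
    for v in reversed(seq[1:]):
        be.insert(0, [sum(A[i][j] * B[j][v] * be[0][j] for j in range(len(A)))
                      for i in range(len(A))])
    return be

def norm(row):
    s = sum(row)
    return [x / s for x in row]

def baum_welch(wins, N, M, iters=15, seed=1):   # learns (A, B, pi) from normal data only
    rnd = random.Random(seed)
    rand = lambda n: norm([rnd.random() + 0.1 for _ in range(n)])
    A, B, pi = [rand(N) for _ in range(N)], [rand(M) for _ in range(N)], rand(N)
    for _ in range(iters):
        nA = [[1e-6] * N for _ in range(N)]   # floor keeps every probability > 0
        nB, nP = [[1e-6] * M for _ in range(N)], [1e-6] * N
        for s in wins:
            al, be = forward(s, A, B, pi), backward(s, A, B)
            p = sum(al[-1])                   # P(s | model)
            for t in range(len(s)):
                for i in range(N):
                    g = al[t][i] * be[t][i] / p        # state occupancy
                    nB[i][s[t]] += g
                    if t == 0: nP[i] += g
                    for j in range(N if t + 1 < len(s) else 0):   # transition i -> j
                        nA[i][j] += al[t][i] * A[i][j] * B[j][s[t + 1]] * be[t + 1][j] / p
        A, B, pi = [norm(r) for r in nA], [norm(r) for r in nB], norm(nP)
    return A, B, pi

def prob(w, model):           # evaluation problem: P(w | model)
    return sum(forward(w, *model)[-1])
def windows(seq, K):          # T-K+1 short sequences, window moved one symbol at a time
    return [seq[i:i + K] for i in range(len(seq) - K + 1)]

def anomaly_degree(seq, model, K, theta):
    wins = windows(seq, K)
    return sum(prob(w, model) < theta for w in wins) / len(wins)

# Constructed traces: symbols 0-6 make two normal 4-signal calls; 7 never occurs normally.
CALL_A, CALL_B, K, EPS = [0, 1, 2, 3], [4, 5, 6, 3], 4, 0.3
TRAIN = (CALL_A + CALL_A + CALL_B + CALL_B) * 10
MODEL = baum_welch(windows(TRAIN, K), N=10, M=9)
THETA = 0.5 * min(prob(w, MODEL) for w in windows(TRAIN, K))   # assumed choice of theta
NORMAL, ABNORMAL = (CALL_A + CALL_B + CALL_B + CALL_A) * 3, [0, 7] * 10
```

A trace raises a warning when `anomaly_degree(trace, MODEL, K, THETA) > EPS`; in practice θ and ε would be tuned on held-out normal traffic to trade false alarms against missed detections.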

Claims (4)

1. A satellite communication network anomaly detection system based on network control, characterized in that the system is placed within the overall framework of satellite communication network security protection and detects anomalies in audit data and anomalies in signaling sequences, and comprises a data acquisition and preprocessing module, an audit detection module, a communication-signaling-based modeling module, an HMM model detection module, a pattern matching knowledge base modeling module, a pattern matching knowledge base detection module and a graphical user interface module; the data acquisition and preprocessing module obtains detection data from the data acquisition interface and standardizes and normalizes it for output to the other modules; the audit detection module uses the typical clustering algorithm FCM to perform cluster analysis on large amounts of audit data, realizing post-event analysis, and discovers abnormal behavior in the massive audit data through the machine learning method of cluster analysis; the communication-signaling-based modeling module extracts and encodes the signaling and, by learning with the hidden Markov algorithm, builds an HMM detection model based on normal signaling sequences; the HMM model detection module, on the basis of the model built from normal signaling sequences, obtains in real time through the network interface the communication signaling sequence of a certain earth station within a period of operating time, obtains short signaling sequences through data preprocessing and simple coding, detects the short sequences with the classifier, obtains the detection result and inputs it to the graphical user interface module for processing, realizing real-time detection; the pattern matching knowledge base modeling module, according to the regularity and certainty of earth station user behavior, compiles statistics of simple patterns of earth station user behavior and stores them as a knowledge base; at detection time, the pattern matching knowledge base detection module obtains communication data in real time and matches and compares it with the earth station user behavior; behavior found to differ from the behavior patterns in the knowledge base is considered abnormal, and the result is input to the graphical user interface module for processing.
2. The satellite communication network anomaly detection system based on network control according to claim 1, characterized in that in the audit detection module, anomaly detection based on audit data uses the fuzzy C-means clustering algorithm from data mining technology to learn the normal audit data of the satellite communication network, and an anomaly detection mechanism is established by computing the degree of deviation from each cluster of normal samples.
3. The satellite communication network anomaly detection system based on network control according to claim 1, characterized in that in the HMM model detection module, anomaly detection based on communication signaling adopts a typical one-class classifier detection method, Support Vector Data Description: the chosen model is trained with normal signaling training sequences to obtain a trained classifier model; the trained classifier model is tested with test signaling sequences; if the classifier accuracy meets the requirement, training ends; otherwise the parameters of the classifier are adjusted and the test is repeated.
4. The satellite communication network anomaly detection system based on network control according to claim 1, characterized in that in the communication-signaling-based modeling module, anomaly detection based on communication signaling adopts a hidden Markov model: the signaling produced by the behavior of normal earth station users is processed by simplified coding to obtain a symbolized signaling sequence, and the Baum-Welch algorithm then estimates the parameters of the model, completing the modeling of the hidden Markov model; after the model has been built, normal communication signaling and abnormal communication signaling are read from the network control center and encoded as symbols, and the signaling sequence is cut with a sliding window of length K, the window moving backward one position per step; if the test sequence has length T, the set of short sequences contains T-K+1 short sequences of length K; the output probability of each short test sequence is computed with the hidden Markov model; if the output probability of a short test sequence is less than a given threshold θ, the short sequence is marked "not matching" and a counter is incremented by 1; the ratio of the number of unmatched short sequences to the total number of short sequences in the test data is defined as the anomaly degree; when the anomaly degree exceeds another given threshold ε, the communication signaling is considered abnormal and a warning message is issued.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201010574056.XA, CN102487293B (en) | 2010-12-06 | 2010-12-06 | Satellite communication network abnormity detection method based on network control

Publications (2)

Publication Number | Publication Date
CN102487293A (en) | 2012-06-06
CN102487293B (en) | 2014-09-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140903