CN105915399A - Network risk source tracing method based on back propagation - Google Patents

Abstract

The invention discloses a network risk source tracing method based on back propagation. The method comprises following steps of setting users willing to be monitored as monitoring nodes; monitoring the monitoring nodes; marking all infected monitoring nodes; broadcasting marked risks to an extracted network topology in a flooding mode, from the positions of the infected monitoring nodes according to the infected time differences of the monitoring nodes; carrying out statistics to the nodes in the network topology and adding the nodes to a potential risk source set, wherein the nodes can receive all marked risks at the same time; establishing a network risk microcosmic propagation model based on the potential risk source set and the state conversion dynamic properties of the network nodes in the risk propagation process; and positioning risk sources from the potential risk source set by using a maximum likelihood method based on the microcosmic propagation model. According to the method, on the premise of protecting the privacy of most of the users, the more precise network risk tracing result can be obtained through the relatively low calculation quantity.

Description

A kind of network risks source based on back propagation retroactive method

Technical field

This invention belongs to the information security field of online network.Specifically, it is a kind of by the extensive online network of monitoring Fraction of subscribers, in a network after occurrence risk (rumour, worm-type virus, electric network fault) communication events, Security Officer can To infer source user (rumor monger, the anthelmintic of Risk of Communication quickly, accurately according to limited monitoring information and network topology Propagating source) method.

Background technology

The widely available of the Internet makes us be easier to suffer disparate networks risk, such as in online social networks, rumour is propagated wantonly, On the Internet, virus infects a large amount of main frames, and the Network Isolation fault of intelligent grid causes major power outage etc..Every year, because of these nets Network risk and the loss of the finance that causes and the wealth of society is countless.

Rumour, computer virus and smart power grid fault are all the network risks carrying out propagating in heterogeneous networks, in order to tackle this A little network risks, trace back to they propagation sources by technological means in a network and are extremely necessary.First, from judicial evidence collection Angle, is accurately positioned " cybercriminal " (rumor monger, virus-spreader) extremely important, it is provided that technology evidence hits net Network criminal.Additionally, trace back to network risks propagation source as quickly as possible to contribute to determining in time the occurrence cause of network risks, It is intervened as early as possible and can reduce the loss that these network risks cause to the full extent.Most efficient method is to enter the whole network user Row monitoring, knows the infected absolute time of each user thus judges that the most infected user is Risk of Communication source.But It is so to process to there are two significant drawback: the most real-life network often scale is excessive, and all webs' watch cost is the highest； On the other hand for the demand to secret protection, people are unwilling monitored in most cases and accept data acquisition.Such as, Often through pop-up window, Consumer's Experience plan and the various antivirus software of microsoft operation system solicit whether user agrees to submit to Local safe operation daily record, and claim that these data can preferably protect user.But, most users are generally selected Refusal.This just requires that we can only monitor minority in network and be ready the user being monitored, after Risk of Communication event occurs, logical The status information crossing these monitored nodes utilizes efficient algorithm to speculate the propagation face of the overall situation, thus obtains network risks Propagate source.

From the point of view of technological layer, this kind of research can be referred to as source and review problem, and its purpose is namely based on limited network structure and knows Know the safe condition with part of nodes and come the propagation source of localization message or network risks.At academia, traditional source is reviewed Technology has IP to follow the trail of and stepping-stone detects, but they are the most effective.This is because they can only determine from certain The true source of the packet of individual intended recipient, and in actual communication process, the source of packet is generally only network risks The participant that propagates, turn originator rather than true source.For more accurately and efficiently location Risk of Communication source, need badly will application and The aspect design of logical structure applies more advanced algorithm and technology to process source and review problem, and is not only to utilize IP layer The log information forwarded with packet carries out reviewing source.

In recent years, the source problem of reviewing had been done relevant work by a lot of researchers.Initial research is just for tradition SI model propagate tree network, occur in that further in tree network with other propagation models such as SIS, the source of SIR Review algorithm.Along with technology develops further, source is reviewed algorithm and is no longer limited to tree network, starts general networking structure The risk problem of tracing to the source is studied.Generally, source is reviewed or seeks optimum solution by the calculating of complexity tight, high Scheme, or realize Best Times performance by the heuritic approach simplified.But, generally there is great deficiency in these algorithms. The most computationally intensive (needing all users in test network), secondly location is not very accurate.The state of Chinese Academy of Sciences's classification Survey article " the Identifying that border 1 district periodical IEEE Communications Surveys and Tutorials delivered upper 2014 year Propagation Sources in Networks:State-of-the-Art and Comparative Studies " point out academic circles at present ratio More advanced source is reviewed algorithm more than 80% and will be navigated to the errors present of 2～4 network topology distances (according to hops Calculate), therefore can not meet and be actually needed.Academia and industrial quarters are needed badly and are wanted more efficient risk source searching method to solve This problem.

Summary of the invention

It is an object of the invention to overcome the deficiencies in the prior art, propose a kind of network risks source based on back propagation side of reviewing Method.The method can obtain the most accurate by smaller amount of calculation on the premise of the most privacy of user of protection Network risks is traced to the source result, can be applicable to carrying out the network crime in judicial evidence collection and risk repair process in large-scale online network.

The present invention finds Risk of Communication source by suspect's search strategy of criminal investigation, and conventional algorithm is dfficult to apply on a large scale Network, applies the algorithm of forefathers, complexity, accuracy and time loss thereof will be difficult to bear in live network.Therefore, originally Invent and this process finding Risk of Communication source is divided into two subprocess: first pass through back propagation and reduce hunting zone, its Real risk source is found in secondary scope after reducing.

Specifically, back propagation, by monitor node labelling, then sends labelling from monitor node broadcast (flooding is propagated) Risk.The logic of the method is: if there is node in network topology can receive the labelling that the transmission of all of monitor node comes simultaneously Risk, then these nodes are likely to be Risk of Communication source.This algorithm pays the utmost attention to accuracy, then considers operational efficiency. Due to the screening through previous step, the set of potential risks source only exists the fraction network user.Use maximum likelihood afterwards The estimation technique combines the microcosmic propagation model test potential risks source set of risk, positions Risk of Communication source further.This The principle of step is: tests each potential risks source as propagating source, can obtain after propagating certain time with microcosmic propagation model The probability of current network state.Each potential risks source is substituted into propagation formula respectively and calculates the general of current network state The likelihood function of rate, then can obtain the potential risks source of maximum likelihood value and be most likely to be and infect source really.

The technical solution adopted for the present invention to solve the technical problems is:

A kind of network risks source based on back propagation retroactive method, including:

Network being ready, the user setup being monitored is monitor node and is monitored；

Network risks communication events occurred after certain time, all infected monitor nodes of labelling, according to monitor node infected time Between differ from infected monitor node to the risk of Flooding broadcast labelling, energy in statistics network topology in the network topology extracted It is simultaneously received the node of all labelling risks and described node is added in the set of potential risks source；

Based on the set of potential risks source and network node dynamic of condition conversion during Risk of Communication, set up network risks Microcosmic propagation model；Described state includes health, Infection Status and infected and have infectivity；

Based on described microcosmic propagation model, Maximum Likelihood Estimation Method is used to position risk source from described potential risks source is gathered.

Preferably, described will be ready in network that the user setup being monitored is monitor node and is monitored, monitoring information includes:

If whether monitor node receives risk of infection and receives its infected absolute time of risk of infection.

Preferably, described monitor node infected time difference equation below represents:

d_i=max (T)-τ_i

Wherein, i represents that the infected monitor node of i-th, i ∈ [1, n], n represent the sum of infected monitor node； T={ τ₁,τ₂…τ_nRepresent the infected absolute time of monitor node.

Preferably, according to the infected time difference of monitor node at infected monitor node to flood in the network topology extracted The risk of broadcast flag, can be simultaneously received the node of all labelling risks and add to latent by described node in statistics network topology Risk source set in, including:

The infected time difference of infected monitor node arrives, and infected monitor node sends by node to its all adjacent nodes The risk copy of labelling；

After any node in network topology receives the risk copy of infected monitor node labelling for the first time, broadcast this risk secondary This is to its all of adjacent node；

If any node in network topology has been simultaneously received the risk copy of all infected monitor node labellings, then this Node joins in the set of potential risks source.

It is preferably, described based on the set of potential risks source and network node dynamic of condition conversion during Risk of Communication, The microcosmic propagation model setting up network risks includes:

Set up following iterative formula to represent the propagation of risk:

P_S(i,t；U)=[1-v (i, t)] P_S(i,t-1；u)

P_I(i,t；U)=v (i, t) P_S(i,t-1；u)+P_I(i,t-1；u)

$v(i,t)=1-\underset{j\∈N_i}{\Π}\[1-{\mathrm{\η}}_{ij}\·P_C(j,t-1;u)\]$

P_C(i,t；U)=v (i, t) P_S(i,t-1；u)

Wherein, P_S(i,t；u)、P_I(i,t；u)、P_c(i,t；U) represent that network risks, from the beginning of potential propagating source u ∈ U, passes respectively Broadcasting S, I and C-shaped probability of state after the t time, U represents that potential risks source is gathered, and S represents health, and I represents Infection Status, C represents infected and has infectivity；(i t) represents the infected probability of t node, η to v_ij∈ [0,1] is any in network The history probability of spreading of two nodes, η_ijShow when=0 and between node i, j, there is not connection, η_ij=1 represents that node i will receive Any information all pass to node j；N_iRepresent the set of the adjacent node of node i.

Preferably, described based on described microcosmic propagation model, use Maximum Likelihood Estimation Method from described potential risks source is gathered Risk source, location, including:

Use equation below calculate potential propagating source u likelihood function L (u, t):

$L(u,t)=\underset{i\∈S_I}{\Σ}{P}_C(i,t_i;u)+\underset{j\∈S_H}{\Σ}{P}_S(j,t;u)$

Wherein, S_IRepresent infected monitor node set, S_HRepresent the most infected monitor node set, t_iIt it is infected joint The infected absolute time of point；

Equation below is used to obtain the possibility predication of communication events

$L(u,{\tilde{t}}_u)=\underset{S_I,S_H\∈S}{max}L(u,t)$

Wherein S_I,S_HS in ∈ S represents all monitor node set；

Likelihood function is taken u during maximum by use equation below_fAnd t_fRespectively as estimating of Risk of Communication source and Risk of Communication time Evaluation:

$(u_f,t_f)=\arg \[{\max }_{u\∈U}L(u,{\tilde{t}}_u)\].$

There is advantages that

1, precision is high: by some reality catenet US.Power Grid, on Facebook, AS-level Internet Carry out 100 times tracing to the source experiment respectively.Wherein, US.Power Grid network can reach the accurate rate of about 80%, additionally The position error of 20% is 1 to 3hops.And the inventive method can be determined on 100% ground on Facebook and AS-Internet Position to risk source, is significantly better than current network risks and traces to the source algorithm.

2, it is adapted to the various different network architecture, as there is the Facebook of small world and there is Power Law AS-level Internet network etc..

3, amount of calculation is little: back-propagation algorithm greatly reduces hunting zone, source, significantly subtracts compared to traditional algorithm amount of calculation Little.

Below in conjunction with drawings and Examples, the present invention is described in further detail, but a kind of based on back propagation the net of the present invention Network risk source retroactive method is not limited to embodiment.

Accompanying drawing explanation

Fig. 1 is the main flow chart of the inventive method；

Fig. 2 is the schematic diagram that the back propagation of the present invention reduces searching method；

Fig. 3 is the individual condition conversion figure during Risk of Communication of network of the present invention；

Fig. 4 is the inventive method experimental result picture of tracing to the source on three kinds of real networks.

Detailed description of the invention

See Fig. 1, a kind of network risks source based on back propagation retroactive method, comprise the steps:

Step 101, will be ready in network that the user setup being monitored is monitor node and is monitored；

Step 102, after network risks communication events occurs certain time, all infected monitor nodes of labelling, according to monitoring joint The infected time difference of point to the risk of Flooding broadcast labelling in the network topology extracted, adds up net at infected monitor node Network topology can be simultaneously received the node of all labelling risks and described node is added in the set of potential risks source；

Step 103, based on the set of potential risks source and network node dynamic of condition conversion during Risk of Communication, builds The microcosmic propagation model of vertical network risks；Described state includes health, Infection Status and infected and have infectivity；

Step 104, based on described microcosmic propagation model, uses Maximum Likelihood Estimation Method fixed from described potential risks source is gathered Risk source, position.

Will be described in detail network risks source based on back propagation retroactive method as follows.

A certain proportion of user being ready to be monitored in monitoring network, safety manager can extract its various status informations at any time, Described status information includes but not limited to whether receive risk of infection, and the infected absolute time of its correspondence.

Further, after network risks communication events there occurs certain time, safety manager by all monitor node labellings, Then according to the infected time difference of monitor node at infected monitor node to Flooding broadcast in the network topology extracted The risk of labelling.The user that can be simultaneously received all labelling risks in network topology is potential risk resource, adds it to In the set of potential risks source.

The collection potential risk resource false code of above-mentioned steps is as follows:

In above-mentioned false code, d_i=max (T)-τ_i, (i ∈ [1, n]), n represents the sum of infected monitoring user, and i is district Between variable in [1, n], be used for representing i-th user.And T={ τ₁,τ₂…τ_n(n=| S_I|) represent that infected user is felt The absolute time of dye.t_maxRepresent the wheel number of back propagation, and t_max＞ max (d_i)。

In the present embodiment, being illustrated in figure 2 back propagation and reduce the schematic diagram of searching method, wherein figure (a) represents basic Network topology structure, figure (b) represent Risk of Communication event, figure (c) represent back propagation event.By in figure (c) Reverse diffusion method at infected monitor node according to infect time difference send labelling risk.Such as Fig. 2, according to being felt The absolute time difference of infection of dye node is classified, be divided into A, B, C, D tetra-class (practical situation has larger class, In figure only as a example by four classes).Assume T={ τ₁,τ₂…τ_n(n=| S_I|) represent the infected absolute time of infected user, Then infection time difference d_i=max (T)-τ_i, (i ∈ [1, n]).By d_iThe node of=0,1,2,3 is respectively labeled as D, C, B, A Category node.During back propagation, A category node is first broadcasted, B category node broadcast after the unit interval, the like.Network connects simultaneously The node receiving all labelling risks is then potential risk source node.After back propagation, obtain less potential risk resource set, And risk source is first to be scheduled in this set.

Further, the microcosmic propagation model of network risks is set up.In the microcosmic propagation model of risk, it is of interest that network is individual The dynamic that user converts at Risk of Communication status of processes.Following four iterative formula given below represents the propagation of risk:

P_S(i,t；U)=[1-v (i, t)] P_S(i,t-1；u) (1)

P_I(i,t；U)=v (i, t) P_S(i,t-1；u)+P_I(i,t-1；u) (2)

$v(i,t)=1-{\Π}_{j\∈N_i}\[1-{\mathrm{\η}}_{ij}\·P_C(j,t-1;u)\]---\left(3\right)$

P_c(i,t；U)=v (i, t) P_S(i,t-1；u) (4)

Wherein, S represents health, and I represents Infection Status (not having infectivity), and C represents that node is infected and has infectivity. (as Fig. 3 represents the individual condition conversion figure during Risk of Communication of network, it is similar to reality, does not consider the weight of risk Multiple infection.User only can propagate risk in infected next round, loses infectivity subsequently, becomes I state, and I state will not Retransmit risk.).P in formula (1), (2), (4)_S(i,t；u)、P_I(i,t；u)、P_c(i,t；U) network wind is represented respectively Danger, from the beginning of propagating source u ∈ U, is S, I and C-shaped probability of state after propagating the t time.η_ij∈ [0,1] is any in network The history probability of spreading of two users.Work as η_ijRepresent when=0 and between node i, j, there is not connection, η_ij=1 represents use in every case Family i receives new information and will be forwarded to user j.(i t) represents the individual infected probability of t, and its all topologys is adjacent v Occupy (N_iRepresent user i neighbor user set) P_c(i,t；U) relevant.

Further, based on the potential risk resource set confirmed, use Maximum Likelihood Estimation Method true from potential risk resource set The most positive risk source, i.e. risk source, location.Concrete method can be obtained by following three formula:

$L(u,t)=\underset{i\∈S_I}{\Σ}{P}_C(i,t_i;u)+\underset{j\∈S_H}{\Σ}{P}_S(j,t;u)---\left(5\right)$

$L(u,{\tilde{t}}_u)=\underset{S_I,S_H\∈S}{max}L(u,t)---\left(6\right)$

$(u_f,t_f)=\arg \[\underset{u\∈U}{max}L(u,{\tilde{t}}_u)\]---\left(7\right)$

Wherein, S_IIt is infected monitoring user's set, S_HIt is the most infected monitoring user's set, t_iIt it is infected user's quilt The absolute time infected.First by all potential risks source u ∈ U utilization (5) formula calculate its likelihood function L (u, t).Because Each potential risks source may the most repeatedly be simultaneously received risky copy, therefore by (6) Shi Lai get Possibility predication to the propagation timeSolve finally by (7) formula, likelihood function is taken u during maximum_fAnd t_f Respectively as Risk of Communication source and the estimated value of Risk of Communication time.

Concrete, at some reality catenet US.Power Grid, Facebook, AS-level Internet is carried out respectively Tracing to the source for 100 times experiment, be illustrated in figure 4 the experimental result picture of tracing to the source on above-mentioned three kinds of real networks, in figure, δ is monitored User accounts for the ratio of the total user of network.Wherein, US.Power Grid network averagely can reach the accurate rate of about 80%, The position error of other 20% is 1 to 3hops.And the inventive method can 100% ground on Facebook and AS-Internet Navigate to risk source, be significantly better than current network risks and trace to the source algorithm.

The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all the spirit and principles in the present invention it In, any modification, equivalent substitution and improvement etc. made, should be included within the scope of the present invention.

Claims (6)

1. network risks source based on a back propagation retroactive method, its feature is, including:

Network being ready, the user setup being monitored is monitor node and is monitored；

Labelling all infected monitor nodes, according to the infected time difference of monitor node at infected monitor node to having extracted The risk of Flooding broadcast labelling in network topology, can be simultaneously received the node of all labelling risks and incite somebody to action in statistics network topology Described node adds in the set of potential risks source；

Based on the set of potential risks source and network node dynamic of condition conversion during Risk of Communication, set up network risks Microcosmic propagation model；Described state includes health, Infection Status and infected and have infectivity；

Based on described microcosmic propagation model, Maximum Likelihood Estimation Method is used to position risk source from described potential risks source is gathered.

Network risks source based on back propagation the most according to claim 1 retroactive method, it is characterised in that described To be ready in network that the user setup being monitored is monitor node and is monitored, monitoring information includes:

If whether monitor node receives risk of infection and receives its infected absolute time of risk of infection.

Network risks source based on back propagation the most according to claim 1 retroactive method, it is characterised in that described Monitor node infected time difference equation below represents:

d_i=max (T)-τ_i

Wherein, i represents that the infected monitor node of i-th, i ∈ [1, n], n represent the sum of infected monitor node； T={ τ₁,τ₂…τ_nRepresent the infected absolute time of monitor node.

Network risks source based on back propagation the most according to claim 3 retroactive method, it is characterised in that according to The infected time difference of monitor node at infected monitor node to the risk of Flooding broadcast labelling in the network topology extracted, Statistics network topology can be simultaneously received the node of all labelling risks and described node is added to the set of potential risks source In, including:

The infected time difference of infected monitor node arrives, and infected monitor node sends by node to its all adjacent nodes The risk copy of labelling；

After any node in network topology receives the risk copy of infected monitor node labelling for the first time, broadcast this risk secondary This is to its all of adjacent node；

If any node in network topology has been simultaneously received the risk copy of all infected monitor node labellings, then this Node joins in the set of potential risks source.

Network risks source based on back propagation the most according to claim 4 retroactive method, it is characterised in that described Based on the set of potential risks source and network node dynamic of condition conversion during Risk of Communication, set up the micro-of network risks Sight propagation model includes:

Set up following iterative formula to represent the propagation of risk:

P_S(i, t；U)=[1-v (i, t)] P_S(i, t-1；u)

P_I(i,t；U)=v (i, t) P_S(i,t-1；u)+P_I(i,t-1；u)

$v(i,t)=1-\underset{j\∈N_i}{\mathrm{\Π}}\[1-{\mathrm{\η}}_{ij}\·P_C(j,t-1;u)\]$

P_c(i,t；U)=v (i, t) P_S(i,t-1；u)

Wherein, P_S(i,t；u)、P_I(i,t；u)、P_c(i,t；U) represent that network risks, from the beginning of potential propagating source u ∈ U, passes respectively Broadcasting S, I and C-shaped probability of state after the t time, U represents that potential risks source is gathered, and S represents health, and I represents Infection Status, C represents infected and has infectivity；(i t) represents the infected probability of t node, η to v_ij∈ [0,1] is any in network The history probability of spreading of two nodes, η_ijShow when=0 and between node i, j, there is not connection, η_ij=1 represents that node i will receive Any information all pass to node j；N_iRepresent the set of the adjacent node of node i.

Network risks source based on back propagation the most according to claim 5 retroactive method, it is characterised in that described Based on described microcosmic propagation model, Maximum Likelihood Estimation Method is used to position risk source, bag from described potential risks source is gathered Include:

Use equation below calculate potential propagating source u likelihood function L (u, t):

$L(u,t)=\underset{i\∈S_I}{\mathrm{\Σ}}{P}_C(i,t_i;u)+\underset{j\∈S_H}{\mathrm{\Σ}}{P}_S(j,t;u)$

Wherein, S_IRepresent infected monitor node set, S_HRepresent the most infected monitor node set, t_iIt it is infected joint The infected absolute time of point；

Equation below is used to obtain the possibility predication of communication events

$L(u,{\tilde{t}}_u)=\underset{S_I,S_H\∈S}{max}L(u,t)$

Wherein S_I,S_HS in ∈ S represents all monitor node set；

Likelihood function is taken u during maximum by use equation below_fAnd t_fRespectively as estimating of Risk of Communication source and Risk of Communication time Evaluation:

$(u_f,t_f)=\arg \[{\max }_{u\∈U}L(u,{\tilde{t}}_u)\].$