CN109214456A - A kind of network anomaly detection method, system and electronic equipment - Google Patents

A kind of network anomaly detection method, system and electronic equipment

Info

Publication number
CN109214456A
Authority
CN
China
Prior art keywords
probability
network
node
event
bayesian
Legal status
Pending
Application number
CN201811038787.5A
Other languages
Chinese (zh)
Inventor
叶可江
纪书鉴
须成忠
Current Assignee
Shenzhen Institute of Advanced Technology of CAS
Original Assignee
Shenzhen Institute of Advanced Technology of CAS
Application filed by Shenzhen Institute of Advanced Technology of CAS
Priority to CN201811038787.5A
Publication of CN109214456A
Legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/29 Graphical models, e.g. Bayesian networks
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting


Abstract

This application relates to a network anomaly detection method, system and electronic equipment. The method comprises: step a: drawing a network structure topology graph according to the network structure of the network nodes and communication links under a distributed network; step b: establishing a corresponding Bayesian network model according to the network structure topology graph; step c: inputting the pre-classified events into the Bayesian network model, calculating the conditional probability that each pre-classified event belongs to the different anomaly types using a probability calculation formula that combines the Bayesian conditional probability formula with a time function T(t), and obtaining the anomaly type classification result of the pre-classified event according to the maximum conditional probability. The application establishes the Bayesian network model for the topological structure of the real network environment, which gives better flexibility and scalability and improves detection accuracy; performing network anomaly detection in combination with the time function improves the sensitivity of the model to anomalies in particular time periods and effectively reduces the false alarm rate and the missed alarm rate.

Description

Network anomaly detection method and system and electronic equipment
Technical Field
The present application relates to the field of network security system technologies, and in particular, to a method, a system, and an electronic device for detecting network anomalies.
Background
With the popularization of the Internet and the rapid development of networks, the Internet has penetrated into countless households and brought great convenience to people's lives and work. But network technology is also a double-edged sword, and its rapid development and wide application bring unprecedented challenges. In the Internet information age, the open and borderless nature of network distribution lets people enjoy the convenience of the open structure of the Internet environment. However, the TCP/IP protocol itself considers security issues little or not at all; network security issues seriously affect the stable operation of the network and the normal use of the network by users, can even threaten national security, and pose serious tests and challenges to people. A series of network security issues are therefore attracting more and more attention. Although various security products such as firewalls, VPNs and security routers protect computer systems and network environments from different angles, network attack methods are continuously updated and network security incidents continue to occur.
Network anomaly detection serves as the last line of defense of the security system: when the network environment is intruded upon, it is expected to detect which specific type of anomaly has occurred, so that a network administrator can take manual measures to intervene and resolve it, minimizing the damage and loss to the network environment. Network anomaly detection has long been a problem of considerable research interest, and research on it continues.
In the prior art, common model-based methods for anomaly detection in a network environment include probabilistic and statistical analysis, fuzzy mathematics, artificial immune methods, neural networks, support vector machines and the like. However, these methods only analyze the data collected from the network, and the range of the reference parameters is difficult to determine, which leads to a series of defects such as poor flexibility and a high false alarm rate. The key point is that traditional detection models analyze anomaly information for a single host only, and are not combined with the multi-node host environment of today's distributed networks. In the operation of a real network environment, it is difficult for the traditional discrimination models to determine the parameter reference ranges that the various models require, so the traditional methods increase the difficulty of discrimination and have a certain false alarm rate and missed alarm rate. Existing detection methods use a model to analyze traffic information spanning long periods in the network operating environment, but in the existing environment traffic does not occur in some time periods, so the traffic of a particular time period needs to be analyzed and detected specifically.
Disclosure of Invention
The application provides a network anomaly detection method, a system and an electronic device, which aim to solve at least one of the technical problems in the prior art to a certain extent.
In order to solve the above problems, the present application provides the following technical solutions:
a network anomaly detection method comprises the following steps:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T(t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
The technical scheme adopted by the embodiment of the application further comprises the following steps: in step b, the establishing a corresponding bayesian network model according to the network structure topology further includes: calculating the prior probability and the posterior probability of different abnormal types of each network node in the Bayesian network model, and updating the conditional probability table of the Bayesian network model.
The technical scheme adopted by the embodiment of the application further comprises the following steps: the step c further comprises: judging through the Bayesian network model whether the node under the input pre-classified event belongs to a reason node or a result node; if the node belongs to the reason node, calculating by adopting the Bayesian conditional probability formula and the time function T(t) to obtain the conditional probabilities that the pre-classified event belongs to different abnormal types; and if the node belongs to the result node, looking up the maximum probability of the pre-classified event through the conditional probability table, and obtaining the abnormal type classification result of the pre-classified event according to the maximum probability.
The technical scheme adopted by the embodiment of the application further comprises the following steps: in step c, the probability calculation formula combining the Bayesian conditional probability formula with the time function T(t) is:
In the above formula, $p(H_j \mid X)$ is the conditional probability that event $X$ belongs to class $H_j$, where $H_j$ is the anomaly type to which the event belongs; $p(H_j)$ is the prior probability that the event belongs to $H_j$; $p(X \mid H_j)$ is the posterior probability that the event belongs to $H_j$; $v_i$ represents a root node; and $n$, $k$ are the bounds of the product.
The technical scheme adopted by the embodiment of the application further comprises the following steps: in the step c, if the node belongs to the result node, the maximum probability of the pre-classified event is found through the conditional probability table, and obtaining the abnormal type classification result of the pre-classified event according to the maximum probability specifically includes: the result nodes form the set of root nodes $v_i$, where $i$ runs over the number of result nodes, and different result nodes under the event $X$ correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ is the set consisting of node $v_i$ and its parents; factoring by conditional independence, the joint probability reduces to the total-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of the event $X$ is found through the conditional probability table, and the anomaly type is classified accordingly.
Another technical scheme adopted by the embodiment of the application is as follows: a network anomaly detection system, comprising:
the topological graph building module: used for drawing a network structure topology graph according to the network nodes and communication links under a distributed network;
a Bayesian network construction module: used for establishing a corresponding Bayesian network model according to the network structure topology graph;
a first anomaly classification module: used for inputting the pre-classified events into the Bayesian network model, which calculates the conditional probabilities of the pre-classified events belonging to different abnormal types by a probability calculation formula combining the Bayesian conditional probability formula with a time function T(t), and obtains the abnormal type classification result of the pre-classified events according to the maximum conditional probability.
The technical scheme adopted by the embodiment of the application further comprises the following steps: the Bayesian network construction module is also used for calculating the prior probability and the posterior probability of different abnormal types of each network node in the Bayesian network model and updating the conditional probability table of the Bayesian network model.
The technical scheme adopted by the embodiment of the application further comprises a node judgment module and a second abnormity classification module;
the node judgment module is used for judging whether the node under the input pre-classification event belongs to a reason node or a result node, and if the node under the input pre-classification event belongs to the reason node, the first exception classification module is used for calculating the conditional probability that the pre-classification event belongs to different exception types; and if the event belongs to the result node, the second anomaly classification module searches a conditional probability table to obtain the maximum probability of the pre-classification event, and the anomaly type classification result of the pre-classification event is obtained according to the maximum probability.
The technical scheme adopted by the embodiment of the application further comprises the following steps: the probability calculation formula combining the Bayesian conditional probability formula with the time function T(t) is as follows:
In the above formula, $p(H_j \mid X)$ is the conditional probability that event $X$ belongs to class $H_j$, where $H_j$ is the anomaly type to which the event belongs; $p(H_j)$ is the prior probability that the event belongs to $H_j$; $p(X \mid H_j)$ is the posterior probability that the event belongs to $H_j$; $v_i$ represents a root node; and $n$, $k$ are the bounds of the product.
The technical scheme adopted by the embodiment of the application further comprises the following steps: if the node belongs to the result node, the second anomaly classification module searches the conditional probability table to obtain the maximum probability of the pre-classified event, and obtaining the abnormal type classification result of the pre-classified event according to the maximum probability is specifically as follows: the result nodes form the set of root nodes $v_i$, where $i$ runs over the number of result nodes, and different result nodes under the event $X$ correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ is the set consisting of node $v_i$ and its parents; factoring by conditional independence, the joint probability reduces to the total-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of the event $X$ is found through the conditional probability table, and the anomaly type is classified accordingly.
The embodiment of the application adopts another technical scheme that: an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the following operations of the network anomaly detection method described above:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
Compared with the prior art, the embodiment of the application has the following advantages: the network anomaly detection method, system and electronic equipment of the embodiment establish the corresponding Bayesian network model for the topological structure of the real network environment, which gives better flexibility and scalability and improves the detection accuracy; performing network anomaly detection in combination with the time function improves the sensitivity of the model to anomaly detection in a particular time period, adapts better to the actual situation in the real network environment, and effectively reduces the false alarm rate and the missed alarm rate compared with traditional detection models. In addition, the posterior probability trained from the dependency relationships of multiple nodes in the network environment is more accurate and reliable than the parameters determined by a traditional model, so the accuracy of the model can be improved.
Drawings
Fig. 1 is a flowchart of a network anomaly detection method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a network anomaly detection system according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a hardware device of a network anomaly detection method according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Please refer to fig. 1, which is a flowchart illustrating a network anomaly detection method according to an embodiment of the present application. The network anomaly detection method of the embodiment of the application comprises the following steps:
step 100: analyzing a network structure formed by network nodes and communication links in the distributed network, and drawing a network structure topological graph;
in step 100, a network of a real distributed architecture has a plurality of network units and data nodes, an actual communication link or network communication may exist between each node, and each network node may have a connection dependency relationship with one or more other network nodes, so that a network structure formed by the network nodes and the communication links in a distributed network environment needs to be analyzed first to establish a corresponding model for various data processing and communication devices in the distributed network.
Step 200: establishing a corresponding Bayesian network model according to the network structure topological graph, calculating prior probability and posterior probability of different abnormal types of each network node in the Bayesian network model, and updating a conditional probability table of the Bayesian network model;
In step 200, a Bayesian network, also called a belief network, is an extension of the Bayesian inference method and is currently one of the most effective theoretical models for expressing and reasoning about uncertain knowledge. A Bayesian network is a probabilistic graphical network based on probabilistic reasoning; it consists of a directed acyclic graph representing the dependency relationships among variables and a conditional probability table representing the association of each node with its parent nodes. Nodes in a Bayesian network represent random variables, which can be observed variables, unknown parameters, etc. In the Bayesian network model, each network node has a certain correlation with one or more other nodes. Each node V corresponds to a Conditional Probability Table (CPT) giving the probability value of that node under the influence of the rest of the nodes. The directed edges between connected nodes represent the interdependencies between the nodes: if two nodes are connected by a single arrow, one node is the cause (reason node) and the other the effect (result node), and the two connected nodes yield a conditional probability value. If no arrow connects two nodes, the random variables in the nodes are conditionally independent of each other, and if a node has no parent node, its conditional probability is just the prior probability. A Bayesian network can be applied to decisions that depend conditionally on various control factors, can reason from incomplete, inaccurate or uncertain information, and has great advantages for diagnosing faults caused by the uncertainty and correlation of complex equipment.
The topological structure of the Bayesian network is combined with Bayesian statistics, so that prior information and sample knowledge can be combined organically while making full use of the sample information, promoting the integration of prior knowledge and data. Because the graph structure describes the dependency relationships among the data, the model can conveniently be reconfigured module by module when conditions change.
Step 300: inputting the pre-classified event into a Bayesian network model, judging whether a node under the pre-classified event belongs to a reason node or a result node by the Bayesian network model, and if the node under the pre-classified event belongs to the reason node, executing the step 400; if the node belongs to the result node, executing the step 500;
In step 300, the pre-classified event is a combination of traffic feature vectors from a real network environment, and includes information such as network flow packets, average packet length, protocol information, TCP flag bits and connection information. The network topology can take many different structures, but for the Bayesian network model only reason nodes and result nodes exist. For a result node, the conditional probabilities that the pre-classified event belongs to the different abnormal types can be judged directly through Bayesian network reasoning. A reason node has multiple connections to other nodes, and the judgment of the anomaly detection type starts from the Bayesian network structure.
Step 400: calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T(t) to obtain the conditional probabilities of the different abnormal types of the pre-classified event, and obtaining the abnormal type classification result of the pre-classified event according to the maximum probability;
In step 400, the time function T(t) is a piecewise function of the dependent variable t over the time distribution; its graph is a continuously distributed curve, and the function shows the trend of variation over time within a certain range. Time is taken into account as an additional weighting factor, and different thresholds are used in different time periods, which improves the flexibility of the model and its sensitivity to anomaly detection in a particular time period, lets the model adapt better to the actual conditions of the real network environment, and effectively reduces the false alarm rate and the missed alarm rate.
The specific calculation method is as follows: denote the pre-classified event as $X=(x_1, x_2, \dots, x_n)$, where $x_i$ is the $i$-th attribute of event $X$. The conditional probability that event $X$ belongs to $H_j$ can be derived from the Bayesian conditional probability formula, where $H_j$ denotes the anomaly type to which the event belongs. However, to improve the accuracy of event detection and to account for the traffic volume differing between time periods, the application adopts a probability calculation formula combining the Bayesian conditional probability formula with a time function $T(t)$:
In formula (1), $p(H_j \mid X)$ is the conditional probability that event $X$ belongs to $H_j$, such as the SYN traffic attack type, the DoS attack type, etc. $p(H_j)$ is the prior probability that an event belongs to a given anomaly type; $p(H_j)$ and $p(H_j \mid X)$ can be trained from a training dataset, and the posterior probability $p(X \mid H_j)$ that an event belongs to each anomaly type is calculated according to formula (1); $v_i$ represents a root node, and $n$, $k$ are the bounds of the product ($k$ runs from the lower bound 1 up to the upper bound $n$, and the terms are multiplied). The posterior probability trained from the dependency relationships of the multiple nodes in the network environment is more accurate and reliable than the parameters determined by a traditional model, so the accuracy of the model can be improved.
Step 500: the maximum probability of the pre-classified event is checked through a conditional probability table to obtain an abnormal type classification result of the pre-classified event;
In step 500, the result nodes form the set of root nodes $v_i$, where $i$ runs over the number of result nodes, and the different nodes under the event $X$ have different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ is the set consisting of node $v_i$ and its parents. Using conditional independence for the decomposition, the joint probability reduces to the total-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of the event $X$ is found through the conditional probability table, and the anomaly type is classified accordingly.
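The following is an added illustration of steps 300 to 500 (and of step c in the summary above); it is not code from the patent. Because the page does not reproduce formula (1), the scoring rule for reason nodes is an assumed naive-Bayes instantiation, $p(H_j)\prod_k p(x_k \mid H_j)$ re-weighted by a piecewise $T(t)$ and normalised, and the prior, likelihood tables, time windows and result-node CPT are constructed sample values.

```python
# Added example (not the patent's code): reason-node scoring with Bayes + T(t)
# (step 400) and result-node classification by total probability over a CPT (step 500).
from math import prod

ANOMALY_TYPES = ("normal", "syn_flood", "dos")

# Constructed prior probabilities p(H_j), as they would be estimated from training data.
PRIOR = {"normal": 0.90, "syn_flood": 0.04, "dos": 0.06}

# Constructed class-conditional tables p(x_k | H_j) over discretised flow attributes
# (protocol, TCP SYN flag, average packet length). Values are illustrative only.
LIKELIHOOD = {
    "normal":    {"proto":    {"tcp": 0.70, "udp": 0.25, "icmp": 0.05},
                  "syn_flag": {"set": 0.20, "clear": 0.80},
                  "pkt_len":  {"small": 0.30, "medium": 0.50, "large": 0.20}},
    "syn_flood": {"proto":    {"tcp": 0.95, "udp": 0.04, "icmp": 0.01},
                  "syn_flag": {"set": 0.95, "clear": 0.05},
                  "pkt_len":  {"small": 0.90, "medium": 0.08, "large": 0.02}},
    "dos":       {"proto":    {"tcp": 0.40, "udp": 0.40, "icmp": 0.20},
                  "syn_flag": {"set": 0.50, "clear": 0.50},
                  "pkt_len":  {"small": 0.20, "medium": 0.30, "large": 0.50}},
}

# ASSUMED piecewise time function T(t): per-type weights by hour-of-day window, so the
# same evidence counts more towards an attack class off-hours, when legitimate volume
# is low (the patent's "different thresholds in different time periods").
TIME_WINDOWS = (
    # (start_hour, end_hour, weight per anomaly type)
    (0,  6,  {"normal": 0.6, "syn_flood": 1.8, "dos": 1.8}),
    (6,  20, {"normal": 1.0, "syn_flood": 1.0, "dos": 1.0}),
    (20, 24, {"normal": 0.8, "syn_flood": 1.3, "dos": 1.3}),
)

# Constructed CPT for one result node: P(H_j | parent state), one row per parent state.
RESULT_NODE_CPT = {
    "up":   {"normal": 0.90, "syn_flood": 0.05, "dos": 0.05},
    "down": {"normal": 0.20, "syn_flood": 0.30, "dos": 0.50},
}


def time_weight(hour: int, anomaly_type: str) -> float:
    """T(t) evaluated for a given hour and anomaly type."""
    for start, end, weights in TIME_WINDOWS:
        if start <= hour < end:
            return weights[anomaly_type]
    raise ValueError(f"hour out of range: {hour}")


def conditional_probabilities(event: dict, hour: int) -> dict:
    """p(H_j | X) for every anomaly type, for an event X = {attribute: value}
    (x_1 .. x_n), re-weighted by T(t) and normalised over the anomaly types."""
    scores = {}
    for h in ANOMALY_TYPES:
        # Bayes: p(H_j) * prod_{k=1..n} p(x_k | H_j), times the time weight T(t).
        likelihood = prod(LIKELIHOOD[h][attr][val] for attr, val in event.items())
        scores[h] = PRIOR[h] * likelihood * time_weight(hour, h)
    total = sum(scores.values())
    return {h: s / total for h, s in scores.items()}


def classify_cause_node(event: dict, hour: int) -> str:
    """Step 400: the anomaly type with the maximum conditional probability."""
    probs = conditional_probabilities(event, hour)
    return max(probs, key=probs.get)


def classify_result_node(parent_probs: dict, cpt: dict) -> str:
    """Step 500: reduce the joint probability by total probability,
    P(H_j) = sum_i P(v_i) P(H_j | v_i), read from the CPT, and take the maximum."""
    totals = {h: 0.0 for h in ANOMALY_TYPES}
    for parent_state, p_parent in parent_probs.items():
        for h, p_h_given_parent in cpt[parent_state].items():
            totals[h] += p_parent * p_h_given_parent
    return max(totals, key=totals.get)


if __name__ == "__main__":
    # Constructed event: TCP, SYN set, small packets; same evidence at 03:00 and 12:00.
    x = {"proto": "tcp", "syn_flag": "set", "pkt_len": "small"}
    print("03:00 ->", classify_cause_node(x, 3), conditional_probabilities(x, 3))
    print("12:00 ->", classify_cause_node(x, 12), conditional_probabilities(x, 12))
    print("result node ->", classify_result_node({"up": 0.1, "down": 0.9}, RESULT_NODE_CPT))
```

The same SYN-heavy evidence is classified as syn_flood at 03:00 but as normal at 12:00, which is exactly the time-period sensitivity the text attributes to T(t); the result-node path never touches the likelihood tables, only the CPT.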
Please refer to fig. 2, which is a schematic structural diagram of a network anomaly detection system according to an embodiment of the present application. The network anomaly detection system comprises a topological graph construction module, a Bayesian network construction module, a node judgment module, a first anomaly classification module and a second anomaly classification module.
The topological graph building module: used for analyzing the network structure formed by the network nodes and communication links under a distributed network and drawing the network topology graph. A network with a real distributed architecture has many network units and data nodes, actual communication links or network communication may exist between nodes, and each network node may have a connection dependency with one or more other network nodes, so the network structure formed by the network nodes and communication links in the distributed network environment must first be analyzed and a corresponding model established for the various data processing and communication devices in the distributed network.
A Bayesian network construction module: used for establishing a corresponding Bayesian network model according to the network structure topology graph, calculating the prior probability and posterior probability of the different abnormal types of each network node in the Bayesian network model, and updating the conditional probability table of the Bayesian network model. In the Bayesian network model, each network node has a certain correlation with one or more other nodes. Each node V corresponds to a Conditional Probability Table (CPT) giving the probability value of that node under the influence of the rest of the nodes. The directed edges between connected nodes represent the interdependencies between the nodes: if two nodes are connected by a single arrow, one node is the cause (reason node) and the other the effect (result node), and the two connected nodes yield a conditional probability value. If no arrow connects two nodes, the random variables in the nodes are conditionally independent of each other, and if a node has no parent node, its conditional probability is just the prior probability.
A node judgment module: used for inputting a pre-classified event into the Bayesian network model, which judges whether the node under the pre-classified event belongs to a reason node or a result node; if it belongs to the reason node, the abnormal type classification of the pre-classified event is carried out by the first anomaly classification module; if it belongs to the result node, by the second anomaly classification module. The pre-classified event is a combination of traffic feature vectors from a real network environment, and includes information such as network flow packets, average packet length, protocol information, TCP flag bits and connection information. The network topology can take many different structures, but for the Bayesian network model only reason nodes and result nodes exist. For a result node, the conditional probabilities that the pre-classified event belongs to the different abnormal types can be judged directly through Bayesian network reasoning. A reason node has multiple connections to other nodes, and the judgment of the anomaly detection type starts from the Bayesian network structure.
A first anomaly classification module: used for obtaining the conditional probabilities of the different abnormal types of a pre-classified event by adopting a probability calculation formula combining the Bayesian conditional probability formula with a time function T(t), and obtaining the abnormal type classification result of the pre-classified event according to the maximum probability. The time function T(t) is a piecewise function of the dependent variable t over the time distribution; its graph is a continuously distributed curve, and the function shows the trend of variation over time within a certain range. Time is taken into account as an additional weighting factor, and different thresholds are used in different time periods, which improves the flexibility of the model and its sensitivity to anomaly detection in a particular time period, lets the model adapt better to the actual conditions of the real network environment, and effectively reduces the false alarm rate and the missed alarm rate.
The specific calculation method is as follows: denote the pre-classified event as X = (x_1, x_2, ..., x_n), where x_i denotes the i-th attribute of event X. The conditional probability that event X belongs to H_j can be derived from the Bayesian conditional probability formula, where H_j denotes the anomaly type to which the event belongs. However, considering the accuracy of event detection and that the traffic volume occurring in different time periods differs, the application adopts a probability calculation formula combining the Bayesian conditional probability formula with a time function T(t):
In formula (1), p(H_j | X) denotes the conditional probability that event X belongs to class H_j, such as the SYN traffic attack type, the DoS attack type, etc. p(H_j) denotes the prior probability that an event belongs to anomaly type H_j; p(H_j) and p(H_j | X) can be trained from a training data set, and the posterior probability p(X | H_j) that the event belongs to the different anomaly types is calculated according to formula (1); v_i denotes a root node; n and k are the index bounds of the product (k runs from the lower bound 1 up to the upper bound n, and the terms are multiplied). The posterior probability trained according to the dependency relationships among multiple nodes in the network environment is more accurate and reliable than the parameters determined by a traditional model, so the accuracy of the model can be improved.
A second anomaly classification module: used for finding the maximum probability of the pre-classified event through the conditional probability table and obtaining the anomaly type classification result of the pre-classified event according to the maximum probability. The result nodes are the set formed by the root nodes v_i, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities P(H_j | Pa(v_i)), where Pa(v_i) denotes the set of node v_i and its parent nodes. Using conditional independence for factorisation, the joint probability is reduced and expressed in the total-probability form P(H_j) = Σ_i P(v_i) P(H_j | v_i); the maximum probability of event X is then looked up in the conditional probability table, the anomaly type is classified, anomaly detection is completed and network intrusion behaviour is judged.
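A worked version of the two classification paths described above (cause node: Bayesian scoring with a time-dependent threshold; result node: total-probability lookup over a conditional probability table), added here as an example and not code from the patent. Because the page does not give formula (1) or the form of T(t), it assumes a naive-Bayes product of attribute likelihoods for the cause-node path and an hour-of-day piecewise threshold for T(t); the traffic feature vectors, CPT values and time bands are constructed sample data.

```python
from collections import Counter, defaultdict
from math import prod

ANOMALY_TYPES = ("normal", "syn_flood", "dos")
# Discretised attributes in the spirit of the patent's feature vector:
# packet-count band, average packet length band, protocol, TCP flag bits.
FEATURES = ("pkts", "len", "proto", "flags")

# Constructed training events (x, H_j); not real traffic.
TRAINING = [
    ({"pkts": "low", "len": "large", "proto": "tcp", "flags": "ACK"}, "normal"),
    ({"pkts": "low", "len": "large", "proto": "tcp", "flags": "ACK"}, "normal"),
    ({"pkts": "low", "len": "small", "proto": "udp", "flags": "none"}, "normal"),
    ({"pkts": "low", "len": "large", "proto": "tcp", "flags": "ACK"}, "normal"),
    ({"pkts": "high", "len": "large", "proto": "tcp", "flags": "ACK"}, "normal"),
    ({"pkts": "low", "len": "small", "proto": "tcp", "flags": "ACK"}, "normal"),
    ({"pkts": "high", "len": "small", "proto": "tcp", "flags": "SYN"}, "syn_flood"),
    ({"pkts": "high", "len": "small", "proto": "tcp", "flags": "SYN"}, "syn_flood"),
    ({"pkts": "low", "len": "small", "proto": "tcp", "flags": "SYN"}, "syn_flood"),
    ({"pkts": "high", "len": "small", "proto": "udp", "flags": "none"}, "dos"),
    ({"pkts": "high", "len": "large", "proto": "udp", "flags": "none"}, "dos"),
    ({"pkts": "high", "len": "small", "proto": "udp", "flags": "none"}, "dos"),
]

# Constructed CPT for one result node: P(H_j | v) for each state of its parent v.
CPT = {
    "normal":    {"normal": 0.90, "syn_flood": 0.05, "dos": 0.05},
    "saturated": {"normal": 0.30, "syn_flood": 0.20, "dos": 0.50},
}


def train(events, alpha=1.0):
    """Estimate priors p(H_j) and Laplace-smoothed likelihoods p(x_k = value | H_j)."""
    class_counts = Counter(label for _, label in events)
    values = {f: set() for f in FEATURES}
    counts = defaultdict(Counter)  # (label, feature) -> Counter of values
    for x, label in events:
        for f in FEATURES:
            values[f].add(x[f])
            counts[(label, f)][x[f]] += 1
    priors = {h: class_counts[h] / len(events) for h in ANOMALY_TYPES}

    def likelihood(h, f, value):
        # Smoothing keeps an attribute value unseen for class h from zeroing the product.
        return (counts[(h, f)][value] + alpha) / (class_counts[h] + alpha * len(values[f]))

    return priors, likelihood


def time_threshold(t):
    """Assumed piecewise T(t) over the hour of day t: stricter when legitimate volume is high."""
    if not 0 <= t < 24:
        raise ValueError("t must be an hour of day in [0, 24)")
    if t < 6:
        return 0.50   # overnight: little legitimate traffic, be more sensitive
    if 9 <= t < 18:
        return 0.80   # business hours: heavy legitimate traffic, demand more evidence
    return 0.65


def classify_cause_node(x, model, t):
    """Cause-node path: p(H_j) * prod_k p(x_k | H_j), normalised, gated by T(t)."""
    priors, likelihood = model
    scores = {h: priors[h] * prod(likelihood(h, f, x[f]) for f in FEATURES)
              for h in ANOMALY_TYPES}
    z = sum(scores.values())
    posterior = {h: s / z for h, s in scores.items()}
    best = max(posterior, key=posterior.get)
    threshold = time_threshold(t)
    # An anomaly class is only reported when its posterior clears this period's threshold.
    label = best if best == "normal" or posterior[best] >= threshold else "normal"
    return {"label": label, "best": best, "posterior": posterior, "threshold": threshold}


def classify_result_node(parent_dist, cpt):
    """Result-node path: P(H_j) = sum_i P(v_i) P(H_j | v_i), then take the maximum."""
    if abs(sum(parent_dist.values()) - 1.0) > 1e-9:
        raise ValueError("parent distribution must sum to 1")
    for state, row in cpt.items():
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"CPT row for parent state {state!r} must sum to 1")
    marginal = {h: sum(parent_dist[v] * cpt[v][h] for v in parent_dist) for h in ANOMALY_TYPES}
    return max(marginal, key=marginal.get), marginal


if __name__ == "__main__":
    model = train(TRAINING)
    mixed = {"pkts": "high", "len": "large", "proto": "udp", "flags": "SYN"}
    for hour in (2, 14):   # same event, different time period, different verdict
        print(hour, classify_cause_node(mixed, model, hour)["label"])
    print(classify_result_node({"normal": 0.7, "saturated": 0.3}, CPT))
```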
Fig. 3 is a schematic structural diagram of a hardware device of a network anomaly detection method according to an embodiment of the present application. As shown in fig. 3, the device includes one or more processors and memory. Taking a processor as an example, the apparatus may further include: an input system and an output system.
The processor, memory, input system, and output system may be connected by a bus or other means, as exemplified by the bus connection in fig. 3.
The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules. The processor executes various functional applications and data processing of the electronic device, i.e., implements the processing method of the above-described method embodiment, by executing the non-transitory software program, instructions and modules stored in the memory.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the processing system over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input system may receive input numeric or character information and generate a signal input. The output system may include a display device such as a display screen.
The one or more modules are stored in the memory and, when executed by the one or more processors, perform the following for any of the above method embodiments:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
The product can execute the method provided by the embodiments of the application and has the functional modules and beneficial effects corresponding to the executed method. For technical details not described in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
Embodiments of the present application provide a non-transitory (non-volatile) computer storage medium having stored thereon computer-executable instructions that may perform the following operations:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
Embodiments of the present application provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the following:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
The network anomaly detection method, system and electronic equipment of the embodiments of the application establish a Bayesian network model corresponding to the topological structure of the real network environment, which gives better flexibility and expansibility and improves the detection accuracy. Network anomaly detection is carried out in combination with the time function, which improves the sensitivity of the model to anomaly detection within a given time period, adapts better to the actual situation of the real network environment, and effectively reduces the false alarm rate and the missed report rate compared with a traditional detection model. In addition, the posterior probability trained according to the dependency relationships among multiple nodes in the network environment is more accurate and reliable than the parameters determined by a traditional model, so the accuracy of the model can be improved.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A network anomaly detection method is characterized by comprising the following steps:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
2. The method according to claim 1, wherein in step b, establishing a corresponding Bayesian network model according to the network structure topological graph further comprises: calculating the prior probability and the posterior probability of different anomaly types for each network node in the Bayesian network model, and updating the conditional probability table of the Bayesian network model.
3. The method according to claim 2, wherein step c further comprises: judging through the Bayesian network model whether the node under the input pre-classified event is a cause node or a result node; if the node is a cause node, calculating the conditional probabilities that the pre-classified event belongs to the different anomaly types by adopting the Bayesian conditional probability formula and the time function T(t); and if the node is a result node, looking up the maximum probability of the pre-classified event in the conditional probability table, and obtaining the anomaly type classification result of the pre-classified event according to the maximum probability.
4. The method according to claim 3, wherein in step c, the Bayesian conditional probability formula is combined with the time function T(t) to calculate the probability by the formula:
In the above formula, p(H_j | X) denotes the conditional probability that event X belongs to class H_j; H_j denotes the anomaly type to which the event belongs; p(H_j) denotes the prior probability that the event belongs to H_j; p(X | H_j) denotes the posterior probability that the event belongs to H_j; v_i denotes a root node; and n and k are the index bounds of the product.
5. The method according to claim 3, wherein in step c, if the node is a result node, looking up the maximum probability of the pre-classified event in the conditional probability table and obtaining the anomaly type classification result of the pre-classified event according to the maximum probability specifically comprises: the result nodes are the set formed by the root nodes v_i, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities P(H_j | Pa(v_i)), where Pa(v_i) denotes the set of node v_i and its parent nodes; using conditional independence for factorisation, the joint probability is reduced and expressed in the total-probability form P(H_j) = Σ_i P(v_i) P(H_j | v_i); the maximum probability of event X is looked up in the conditional probability table, and the anomaly type is classified.
6. A network anomaly detection system, comprising:
the topological graph building module: the system comprises a network structure topology graph used for drawing a network structure topology graph according to network nodes and communication links under a distributed network;
a Bayesian network construction module: the Bayesian network model is used for establishing a corresponding Bayesian network model according to the network structure topological graph;
a first anomaly classification module: the Bayesian network model is used for inputting the pre-classified events into the Bayesian network model, the Bayesian network model adopts a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to calculate the conditional probability of the pre-classified events belonging to different abnormal types, and the abnormal type classification result of the pre-classified events is obtained according to the maximum conditional probability.
7. The system according to claim 6, wherein the bayesian network constructing module is further configured to calculate prior probabilities and posterior probabilities of different types of anomalies occurring in each network node in the bayesian network model, and update the conditional probability table of the bayesian network model.
8. The network anomaly detection system according to claim 7, further comprising a node judgment module and a second anomaly classification module;
the node judgment module is used for judging whether the node under the input pre-classified event is a cause node or a result node; if the node is a cause node, the first anomaly classification module calculates the conditional probabilities that the pre-classified event belongs to the different anomaly types; and if the node is a result node, the second anomaly classification module looks up the maximum probability of the pre-classified event in the conditional probability table, and the anomaly type classification result of the pre-classified event is obtained according to the maximum probability.
9. The system according to claim 8, wherein the Bayesian conditional probability formula is combined with the time function T(t) to calculate the probability by the formula:
In the above formula, p(H_j | X) denotes the conditional probability that event X belongs to class H_j; H_j denotes the anomaly type to which the event belongs; p(H_j) denotes the prior probability that the event belongs to H_j; p(X | H_j) denotes the posterior probability that the event belongs to H_j; v_i denotes a root node; and n and k are the index bounds of the product.
10. The system according to claim 8, wherein if the node is a result node, the second anomaly classification module looking up the maximum probability of the pre-classified event in the conditional probability table and obtaining the anomaly type classification result of the pre-classified event according to the maximum probability specifically comprises: the result nodes are the set formed by the root nodes v_i, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities P(H_j | Pa(v_i)), where Pa(v_i) denotes the set of node v_i and its parent nodes; using conditional independence for factorisation, the joint probability is reduced and expressed in the total-probability form P(H_j) = Σ_i P(v_i) P(H_j | v_i); the maximum probability of event X is looked up in the conditional probability table, and the anomaly type is classified.
11. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the following operations of the network anomaly detection method of any one of claims 1 to 5 above:
step a: drawing a network structure topological graph according to network structures of network nodes and communication links under a distributed network;
step b: establishing a corresponding Bayesian network model according to the network structure topological graph;
step c: inputting the pre-classified events into the Bayesian network model, calculating by adopting a probability calculation formula combining a Bayesian conditional probability formula and a time function T (t) to obtain conditional probabilities of the pre-classified events belonging to different abnormal types, and obtaining abnormal type classification results of the pre-classified events according to the maximum conditional probability.
CN201811038787.5A 2018-09-06 2018-09-06 A kind of network anomaly detection method, system and electronic equipment Pending CN109214456A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811038787.5A CN109214456A (en) 2018-09-06 2018-09-06 A kind of network anomaly detection method, system and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811038787.5A CN109214456A (en) 2018-09-06 2018-09-06 A kind of network anomaly detection method, system and electronic equipment

Publications (1)

Publication Number Publication Date
CN109214456A true CN109214456A (en) 2019-01-15

Family

ID=64987005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811038787.5A Pending CN109214456A (en) 2018-09-06 2018-09-06 A kind of network anomaly detection method, system and electronic equipment

Country Status (1)

Country Link
CN (1) CN109214456A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN105608634A (en) * 2015-11-09 2016-05-25 国网新疆电力公司 Bayesian network based electrical network risk early-warning evaluation model
CN105764162A (en) * 2016-05-10 2016-07-13 江苏大学 Wireless sensor network abnormal event detecting method based on multi-attribute correlation
US20170279835A1 (en) * 2016-03-28 2017-09-28 Cisco Technology, Inc. Adaptive capture of packet traces based on user feedback learning
CN107483251A (en) * 2017-08-22 2017-12-15 国网辽宁省电力有限公司辽阳供电公司 A kind of Network exception detecting method based on the monitoring of distributed probe
US20180012019A1 (en) * 2014-12-30 2018-01-11 Battelle Memorial Institute Anomaly detection for vehicular networks for intrusion and malfunction detection

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BUNTINEW等: "LearningclassificationrulesusingBayes", 《PROCEEDINGS OF THE SIXTH INTERNATIONAL WORKSHOP ON MACHINE LEARNING》 *
刘涛等: "基于时间分段的贝叶斯网络异常检测方法", 《信息安全与通信保密》 *
常金玲 等: "《网络环境下信息质量评价与管理》", 30 June 2016, 知识产权出版社 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113396426A (en) * 2019-03-05 2021-09-14 赫尔实验室有限公司 Network construction module for Bayesian neural morphology compiler
CN109951499A (en) * 2019-04-25 2019-06-28 北京计算机技术及应用研究所 A kind of method for detecting abnormality based on network structure feature
CN110380888B (en) * 2019-05-29 2021-02-23 华为技术有限公司 Network anomaly detection method and device
CN110380888A (en) * 2019-05-29 2019-10-25 华为技术有限公司 A kind of network anomaly detection method and device
CN110769003A (en) * 2019-11-05 2020-02-07 杭州安恒信息技术股份有限公司 Network security early warning method, system, equipment and readable storage medium
CN110769003B (en) * 2019-11-05 2022-02-22 杭州安恒信息技术股份有限公司 Network security early warning method, system, equipment and readable storage medium
CN111061586A (en) * 2019-12-05 2020-04-24 深圳先进技术研究院 Container cloud platform anomaly detection method and system and electronic equipment
CN111061586B (en) * 2019-12-05 2023-09-19 深圳先进技术研究院 Container cloud platform anomaly detection method and system and electronic equipment
CN111669379B (en) * 2020-05-28 2022-02-22 北京天空卫士网络安全技术有限公司 Behavior abnormity detection method and device
CN111669379A (en) * 2020-05-28 2020-09-15 北京天空卫士网络安全技术有限公司 Behavior abnormity detection method and device
CN111839502A (en) * 2020-07-21 2020-10-30 广州视源电子科技股份有限公司 Method, device and equipment for detecting electrocardio data abnormity and storage medium
CN111839502B (en) * 2020-07-21 2024-02-09 广州视源电子科技股份有限公司 Electrocardiogram data anomaly detection method, device, equipment and storage medium
CN112822052A (en) * 2021-01-08 2021-05-18 河海大学 Network fault root cause positioning method based on network topology and alarm
CN112822052B (en) * 2021-01-08 2022-03-29 河海大学 Network fault root cause positioning method based on network topology and alarm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190115