CN109214456A - A kind of network anomaly detection method, system and electronic equipment - Google Patents


Info

Publication number: CN109214456A
Authority: CN (China)
Prior art keywords: probability, event, network, node, presorting
Legal status: Pending
Application number: CN201811038787.5A
Other languages: Chinese (zh)
Inventors: 叶可江, 纪书鉴, 须成忠
Current assignee: Shenzhen Institute of Advanced Technology of CAS
Original assignee: Shenzhen Institute of Advanced Technology of CAS
Events: application filed by Shenzhen Institute of Advanced Technology of CAS; priority to CN201811038787.5A; publication of CN109214456A; legal status pending

Classifications

    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/29 Graphical models, e.g. Bayesian networks
    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation > G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Abstract

This application relates to a network anomaly detection method, system and electronic device. The method comprises: step a: drawing a network structure topology diagram according to the network structure formed by the network nodes and communication links of a distributed network; step b: establishing a corresponding Bayesian network model according to the network structure topology diagram; step c: inputting the event to be classified into the Bayesian network model, calculating in the Bayesian network model the conditional probability that the event belongs to each exception type, using a probability calculation formula that combines the Bayesian conditional probability formula with a time function T(t), and obtaining the exception type classification result for the event from the maximum conditional probability. The application establishes the Bayesian network model for the topology of the real network environment, which gives better flexibility and scalability and improves detection accuracy; combining a time function in the anomaly detection raises the model's sensitivity to anomalies in particular time periods and effectively reduces the false alarm rate and the missed alarm rate.

Description

A kind of network anomaly detection method, system and electronic equipment
Technical field
The application belongs to the technical field of network security systems, and in particular relates to a network anomaly detection method, system and electronic device.
Background technique
With the popularity of the internet and the rapid development of networking, the Internet has reached a vast number of households and brought many conveniences to people's lives and work. But network technology is also a double-edged sword: its rapid development and wide application also bring unprecedented challenges. With the rapid development of the Internet information age, the distributed, borderless and open nature of the network gives people the convenience of the open architecture of the internet environment. But the TCP/IP protocol itself was designed with little consideration of security, and network security problems seriously affect the stable operation of the network and its normal use by users, and have even threatened national security, posing severe tests and challenges. A series of network security problems has therefore attracted more and more attention. Although security products such as firewalls, VPNs and secure routers protect the security of computer systems and network environments from different angles, network attack methods are constantly being updated and network security incidents continue to occur.
As the last line of defense of the security system, network anomaly detection is expected to detect what kind of anomaly has occurred when the network environment is intruded, so that the network administrator can take manual measures to resolve and intervene, and so that the damage to the network environment and the resulting losses are minimized. Network anomaly detection has always been a topic of considerable attention, and research on it is far from scarce.
In the prior art, the common model methods proposed for anomaly detection in network environments include probability statistical analysis, fuzzy mathematics theory, artificial immune methods, neural network methods, support vector machine methods and so on. But these methods only analyze the data collected from the network at the data plane, where the parameter ranges used as a baseline are difficult to determine, which leads to a series of defects such as poor flexibility and a high false alarm rate. The key problem is that traditional detection models analyze anomaly information for a single host only, without combining it with the existing distributed multi-node host environment; when operating in a real network environment, a traditional discrimination model has difficulty determining the baseline parameter ranges that the various models need, which makes discrimination harder for conventional methods and leaves a certain false alarm rate and missed alarm rate. Existing detection methods use a model to analyze traffic information over a long time span in the network operating environment, but under existing conditions the traffic of certain time periods does not occur at all, so it is necessary to focus analysis and detection on the traffic of specific time periods.
Summary of the invention
This application provides a network anomaly detection method, system and electronic device, intended to solve, at least to some extent, one of the above technical problems in the prior art.
To solve the above problems, this application provides the following technical solutions:
A network anomaly detection method, comprising the following steps:
Step a: draw a network structure topology diagram according to the network structure formed by the network nodes and communication links of the distributed network;
Step b: establish a corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the event to be classified into the Bayesian network model; the Bayesian network model calculates the conditional probability that the event belongs to each exception type, using a probability calculation formula that combines the Bayesian conditional probability formula with a time function T(t), and obtains the exception type classification result for the event from the maximum conditional probability.
The technical solution adopted by the embodiment of the application further includes: in step b, establishing the corresponding Bayesian network model according to the network structure topology diagram further includes calculating, for each network node in the Bayesian network model, the prior probability and posterior probability of each exception type occurring, and updating the conditional probability table of the Bayesian network model.
The technical solution adopted by the embodiment of the application further includes: step c further includes judging, by the Bayesian network model, whether the node under the input event to be classified is a cause node or a result node; if it is a cause node, the conditional probability that the event belongs to each exception type is calculated using the Bayesian conditional probability formula combined with the time function T(t); if it is a result node, the maximum probability for the event is found through the conditional probability table, and the exception type classification result for the event is obtained from that maximum probability.
The technical solution adopted by the embodiment of the application further includes: in step c, the probability calculation formula combining the Bayesian conditional probability formula with the time function T(t) is as follows:
In the above formula, $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, $H_j$ denotes the exception type to which the event belongs, $p(H_j)$ denotes the prior probability that the event belongs to $H_j$, $p(X \mid H_j)$ denotes the posterior probability that the event belongs to $H_j$, $v_i$ denotes a root node, and $n$ and $k$ are the upper bound and running index of the product (cumulative multiplication) notation.
The technical solution adopted by the embodiment of the application further includes: in step c, if the node is a result node, finding the maximum probability for the event to be classified through the conditional probability table and obtaining the exception type classification result from that maximum probability specifically means: the result node is the set formed by the root nodes $v_i$, where $i$ indexes the result nodes it contains; the different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set of node $v$ and its parent nodes; using the conditional independence decomposition, the joint probability simplifies to the full-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is found through the conditional probability table, and the exception type is classified accordingly.
Another technical solution adopted by the embodiment of the application is a network anomaly detection system, comprising:
a topology diagram construction module, for drawing the network structure topology diagram according to the network structure formed by the network nodes and communication links of the distributed network;
a Bayesian network construction module, for establishing the corresponding Bayesian network model according to the network structure topology diagram;
a first anomaly classification module, for inputting the event to be classified into the Bayesian network model, which calculates the conditional probability that the event belongs to each exception type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and obtains the exception type classification result for the event from the maximum conditional probability.
The technical solution adopted by the embodiment of the application further includes: the Bayesian network construction module is also used to calculate, for each network node in the Bayesian network model, the prior probability and posterior probability of each exception type occurring, and to update the conditional probability table of the Bayesian network model.
The technical solution adopted by the embodiment of the application further includes a node judgment module and a second anomaly classification module;
the node judgment module is used to judge whether the node under the input event to be classified is a cause node or a result node; if it is a cause node, the first anomaly classification module calculates the conditional probability that the event belongs to each exception type; if it is a result node, the second anomaly classification module looks up the conditional probability table to obtain the maximum probability for the event, and the exception type classification result for the event is obtained from that maximum probability.
The technical solution adopted by the embodiment of the application further includes: the probability calculation formula combining the Bayesian conditional probability formula with the time function T(t) is as follows:
In the above formula, $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, $H_j$ denotes the exception type to which the event belongs, $p(H_j)$ denotes the prior probability that the event belongs to $H_j$, $p(X \mid H_j)$ denotes the posterior probability that the event belongs to $H_j$, $v_i$ denotes a root node, and $n$ and $k$ are the upper bound and running index of the product (cumulative multiplication) notation.
The technical solution adopted by the embodiment of the application further includes: if the node is a result node, the second anomaly classification module looking up the conditional probability table to obtain the maximum probability for the event to be classified and obtaining the exception type classification result from that maximum probability specifically means: the result node is the set formed by the root nodes $v_i$, where $i$ indexes the result nodes it contains; the different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set of node $v$ and its parent nodes; using the conditional independence decomposition, the joint probability simplifies to the full-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is found through the conditional probability table, and the exception type is classified accordingly.
A further technical solution adopted by the embodiment of the application is an electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the following operations of the above network anomaly detection method:
Step a: draw a network structure topology diagram according to the network structure formed by the network nodes and communication links of the distributed network;
Step b: establish a corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the event to be classified into the Bayesian network model; the Bayesian network model calculates the conditional probability that the event belongs to each exception type, using a probability calculation formula that combines the Bayesian conditional probability formula with a time function T(t), and obtains the exception type classification result for the event from the maximum conditional probability.
Compared with the prior art, the beneficial effects produced by the embodiment of the application are: the network anomaly detection method, system and electronic device of the embodiment establish a corresponding Bayesian network model for the topology of the real network environment, which gives better flexibility and scalability and improves detection accuracy; combining a time function in the anomaly detection raises the model's sensitivity to anomalies in particular time periods, so the model adapts better to the actual conditions of the real network environment and, compared with traditional detection models, effectively reduces the false alarm rate and the missed alarm rate. In addition, the posterior probabilities that the application trains from the dependence relationships among the multiple nodes in the network environment are more accurate and reliable than the parameters determined by conventional models, which improves the accuracy of the model.
Detailed description of the invention
Fig. 1 is a flow chart of the network anomaly detection method of the embodiment of the application;
Fig. 2 is a structural schematic diagram of the network anomaly detection system of the embodiment of the application;
Fig. 3 is a structural schematic diagram of the hardware device for the network anomaly detection method provided by the embodiment of the application.
Specific embodiment
In order to make the objects, technical solutions and advantages of the application clearer, the application is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and are not intended to limit it.
Referring to Fig. 1, which is a flow chart of the network anomaly detection method of the embodiment of the application, the method comprises the following steps:
Step 100: analyze the network structure formed by the network nodes and communication links of the distributed network, and draw the network structure topology diagram;
In step 100, a network with a real distributed architecture has multiple network units and data nodes; there may be actual communication links or network communication between the nodes, and each network node may have an association and dependence relationship with one or more other network nodes. It is therefore first necessary to analyze the network structure formed by the network nodes and communication links of the distributed network environment and to establish a corresponding model for the various data-processing and communication devices in the distributed network.
Step 200: establish the corresponding Bayesian network model according to the network structure topology diagram, calculate for each network node in the Bayesian network model the prior probability and posterior probability of each exception type occurring, and update the conditional probability table of the Bayesian network model;
In step 200: a Bayesian network, also known as a belief network, is an extension of the Bayesian inference method and is currently one of the most effective theoretical models for representing and reasoning about uncertain knowledge. A Bayesian network is a graphical network for probabilistic reasoning; it consists of a directed acyclic graph that represents the dependence relationships between variables and a conditional probability table that represents the association between a node and its parent nodes. The nodes of a Bayesian network represent random variables, which may be observable variables or unknown parameters. In the Bayesian network model, each network node has certain correlation relationships with one or more other nodes. Each node V corresponds to a conditional probability table (CPT), which gives the probability values of that node under the influence of the remaining nodes. The directed edges connecting nodes represent the mutual dependence relationships between nodes: if two nodes are connected by a single arrow, one node is the cause (cause node) and the other the effect (result node), and the two connected nodes produce a conditional probability value. If two nodes are not connected by an arrow, the random variables of those nodes are conditionally independent of each other; if a node has no parent node, its conditional probability is just its prior probability. Bayesian networks can be applied to decisions that depend conditionally on a variety of control factors, can reason from incomplete, inaccurate or uncertain information, and have great advantages in resolving faults caused by the uncertainty and relatedness of complex devices.
The topology structure of a Bayesian network is combined with Bayesian statistics: it makes full use of sample information by combining prior information with sample knowledge, and promotes the integration of prior knowledge and data. And describing the dependence between data with this graphical network structure makes it easy to reconfigure modules when conditions change.
Step 300: input the event to be classified into the Bayesian network model; the Bayesian network model judges whether the node under the event is a cause node or a result node; if it is a cause node, execute step 400; if it is a result node, execute step 500;
In step 300, the event to be classified is a combination of traffic feature vectors from the real network environment, including information such as network traffic packets, average packet length, protocol information, TCP flag bits and connection information. A network topology may have many different structures, but for the Bayesian network model only cause nodes and result nodes exist. For a result node, the conditional probability that the event belongs to each exception type can be determined directly by Bayesian network inference. For a cause node, there are several edges to other nodes, so determining the anomaly detection type should start from the Bayesian network structure.
Step 400: calculate the conditional probability that the event belongs to each exception type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and obtain the exception type classification result for the event from the maximum probability;
In step 400, the time function T(t) is a piecewise function of the dependent variable t over the time distribution; in the coordinate diagram of the time function it appears as a continuously distributed curve, and the function can show the trend of variation over a certain time range. Time is added as a weight factor, and different time periods are used without a threshold; this improves the flexibility of the model and its sensitivity to anomaly detection in specific time periods, so that the model adapts better to the actual conditions of the real network environment and effectively reduces the false alarm rate and the missed alarm rate.
The specific calculation is as follows: the event to be classified is denoted $X(x_1, x_2, \dots, x_n)$, where $x_i$ denotes the i-th attribute of event X; the conditional probability that event X belongs to $H_j$ can be obtained from the Bayesian conditional probability formula, where $H_j$ denotes the exception type to which the event belongs. But, taking event detection accuracy into account and considering that the traffic occurring in different time periods is different, the application uses a probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t):
In formula (1), $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, such as the SYN flood attack type, the DoS attack type and so on. $p(H_j)$ denotes the prior probability that the event belongs to each exception type; each value of $p(H_j)$ and $p(H_j \mid X)$ can be obtained by training on the training data set, and then the posterior probability $p(X \mid H_j)$ that the event belongs to each exception type is calculated according to formula (1). $v_i$ denotes a root node, and $n$ and $k$ are the symbols of the product notation ($k=1$ is the lower bound and $n$ the upper bound; $k$ runs from 1 up to $n$, and the terms are multiplied). The posterior probabilities that the application trains from the dependence relationships among the multiple nodes in the network environment are more accurate and reliable than the parameters determined by conventional models, which improves the accuracy of the model.
Step 500: find the maximum probability for the event to be classified through the conditional probability table, and obtain the exception type classification result for the event;
In step 500, the result nodes, i.e. the root nodes $v_i$, form a set, where $i$ indexes the result nodes it contains; the different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set of node $v$ and its parent nodes. Using the conditional independence decomposition, the joint probability can be simplified to the full-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is found through the conditional probability table, and the exception type is classified accordingly.
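The cause-node scoring of step 400 and the result-node marginalisation of step 500, as an added example that is not part of the patent. Formula (1) is not reproduced on the page, so this example assumes that T(t) enters as a per-class multiplicative weight on the Bayesian score (prior times the product over the attribute likelihoods); the exception types, attribute values, training counts, time segments and the CPT are all constructed.

```python
"""Added example (not the patent's code): Bayesian-network anomaly classification
with a piecewise time weight. All data below is constructed for illustration."""
from math import prod

# Exception types H_j (constructed; the page names SYN flood and DoS as examples).
CLASSES = ("normal", "syn_flood", "dos")

# Attributes x_k of an event X and their discrete value sets (constructed).
ATTRIBUTES = {
    "packet_rate": ("low", "high"),
    "avg_len": ("small", "large"),
    "syn_flag": ("set", "clear"),
}

# Constructed training counts per class: how many training events of class H_j
# had each attribute value. CLASS_TOTAL[H_j] is the number of events of that class.
CLASS_TOTAL = {"normal": 60, "syn_flood": 30, "dos": 10}
VALUE_COUNT = {
    "normal":    {"packet_rate": {"low": 50, "high": 10},
                  "avg_len":     {"small": 20, "large": 40},
                  "syn_flag":    {"set": 12, "clear": 48}},
    "syn_flood": {"packet_rate": {"low": 2, "high": 28},
                  "avg_len":     {"small": 27, "large": 3},
                  "syn_flag":    {"set": 29, "clear": 1}},
    "dos":       {"packet_rate": {"low": 1, "high": 9},
                  "avg_len":     {"small": 4, "large": 6},
                  "syn_flag":    {"set": 3, "clear": 7}},
}


def prior(h):
    """p(H_j): share of training events that belong to class H_j."""
    return CLASS_TOTAL[h] / sum(CLASS_TOTAL.values())


def likelihood(attr, value, h):
    """p(x_k | H_j) with add-one smoothing, so an unseen value never zeroes the product."""
    n_values = len(ATTRIBUTES[attr])
    return (VALUE_COUNT[h][attr][value] + 1) / (CLASS_TOTAL[h] + n_values)


def time_weight(hour, h):
    """Piecewise time function T(t) (constructed assumption): outside business
    hours the attack classes are up-weighted, so the same traffic is judged
    more strictly at night than at noon."""
    if 9 <= hour < 18:
        return 1.0
    return {"normal": 1.0, "syn_flood": 1.5, "dos": 2.0}[h]


def cause_node_posterior(event, hour):
    """Step 400: p(H_j | X) for a cause node, from the prior, the product over
    k = 1..n of the attribute likelihoods and the time weight, normalised over j."""
    score = {
        h: time_weight(hour, h) * prior(h)
           * prod(likelihood(a, v, h) for a, v in event.items())
        for h in CLASSES
    }
    z = sum(score.values())
    return {h: s / z for h, s in score.items()}


def result_node_posterior(root_dist, cpt):
    """Step 500: P(H_j) = sum_i P(v_i) P(H_j | v_i), the full-probability
    decomposition over the root-node states v_i, with P(H_j | v_i) read from the CPT."""
    return {h: sum(root_dist[v] * cpt[v][h] for v in root_dist) for h in CLASSES}


def classify(posterior):
    """Exception type with the maximum (conditional) probability."""
    return max(posterior, key=posterior.get)


def classify_event(kind, hour=None, event=None, root_dist=None, cpt=None):
    """Step 300 dispatch: cause nodes use the time-weighted Bayesian score,
    result nodes use the CPT marginalisation."""
    if kind == "cause":
        return classify(cause_node_posterior(event, hour))
    if kind == "result":
        return classify(result_node_posterior(root_dist, cpt))
    raise ValueError("node kind must be 'cause' or 'result'")


# Constructed result-node CPT: P(H_j | v_i) for two root-node states.
LINK_CPT = {
    "link_saturated": {"normal": 0.1, "syn_flood": 0.3, "dos": 0.6},
    "link_normal":    {"normal": 0.9, "syn_flood": 0.07, "dos": 0.03},
}

if __name__ == "__main__":
    burst = {"packet_rate": "high", "avg_len": "large", "syn_flag": "clear"}
    # The same event is "normal" at noon but "dos" at 03:00 because of T(t).
    print(classify_event("cause", hour=12, event=burst))
    print(classify_event("cause", hour=3, event=burst))
    print(classify_event("result", root_dist={"link_saturated": 0.8, "link_normal": 0.2}, cpt=LINK_CPT))
```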
Referring to Fig. 2, which is a structural schematic diagram of the network anomaly detection system of the embodiment of the application, the system includes a topology diagram construction module, a Bayesian network construction module, a node judgment module, a first anomaly classification module and a second anomaly classification module.
Topology diagram construction module: for analyzing the network structure formed by the network nodes and communication links of the distributed network and drawing the network structure topology diagram. A network with a real distributed architecture has multiple network units and data nodes; there may be actual communication links or network communication between the nodes, and each network node may have an association and dependence relationship with one or more other network nodes. It is therefore first necessary to analyze the network structure formed by the network nodes and communication links of the distributed network environment and to establish a corresponding model for the various data-processing and communication devices in the distributed network.
Bayesian network construction module: for establishing the corresponding Bayesian network model according to the network structure topology diagram, calculating for each network node in the Bayesian network model the prior probability and posterior probability of each exception type occurring, and updating the conditional probability table of the Bayesian network model. In the Bayesian network model, each network node has certain correlation relationships with one or more other nodes. Each node V corresponds to a conditional probability table (CPT), which gives the probability values of that node under the influence of the remaining nodes. The directed edges connecting nodes represent the mutual dependence relationships between nodes: if two nodes are connected by a single arrow, one node is the cause (cause node) and the other the effect (result node), and the two connected nodes produce a conditional probability value. If two nodes are not connected by an arrow, the random variables of those nodes are conditionally independent of each other; if a node has no parent node, its conditional probability is just its prior probability.
Node judgment module: for inputting the event to be classified into the Bayesian network model, which judges whether the node under the event is a cause node or a result node; if it is a cause node, the exception type of the event is classified by the first anomaly classification module; if it is a result node, the exception type of the event is classified by the second anomaly classification module. The event to be classified is a combination of traffic feature vectors from the real network environment, including information such as network traffic packets, average packet length, protocol information, TCP flag bits and connection information. A network topology may have many different structures, but for the Bayesian network model only cause nodes and result nodes exist. For a result node, the conditional probability that the event belongs to each exception type can be determined directly by Bayesian network inference. For a cause node, there are several edges to other nodes, so determining the anomaly detection type should start from the Bayesian network structure.
First anomaly classification module: for calculating the conditional probability that the event belongs to each exception type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and obtaining the exception type classification result for the event from the maximum probability. The time function T(t) is a piecewise function of the dependent variable t over the time distribution; in the coordinate diagram of the time function it appears as a continuously distributed curve, and the function can show the trend of variation over a certain time range. Time is added as a weight factor, and different time periods are used without a threshold; this improves the flexibility of the model and its sensitivity to anomaly detection in specific time periods, so that the model adapts better to the actual conditions of the real network environment and effectively reduces the false alarm rate and the missed alarm rate.
The specific calculation is as follows: the event to be classified is denoted $X(x_1, x_2, \dots, x_n)$, where $x_i$ denotes the i-th attribute of event X; the conditional probability that event X belongs to $H_j$ can be obtained from the Bayesian conditional probability formula, where $H_j$ denotes the exception type to which the event belongs. But, taking event detection accuracy into account and considering that the traffic occurring in different time periods is different, the application uses a probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t):
In formula (1), $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, such as the SYN flood attack type, the DoS attack type and so on. $p(H_j)$ denotes the prior probability that the event belongs to each exception type; each value of $p(H_j)$ and $p(H_j \mid X)$ can be obtained by training on the training data set, and then the posterior probability $p(X \mid H_j)$ that the event belongs to each exception type is calculated according to formula (1). $v_i$ denotes a root node, and $n$ and $k$ are the symbols of the product notation ($k=1$ is the lower bound and $n$ the upper bound; $k$ runs from 1 up to $n$, and the terms are multiplied). The posterior probabilities that the application trains from the dependence relationships among the multiple nodes in the network environment are more accurate and reliable than the parameters determined by conventional models, which improves the accuracy of the model.
Second anomaly classification module: for finding the maximum probability for the event to be classified through the conditional probability table, and obtaining the exception type classification result for the event from that maximum probability. The result nodes, i.e. the root nodes $v_i$, form a set, where $i$ indexes the result nodes it contains; the different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set of node $v$ and its parent nodes. Using the conditional independence decomposition, the joint probability can be simplified to the full-probability form $P(H_j)=\sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is found through the conditional probability table, the exception type is classified accordingly, the anomaly detection is completed, and network intrusion behaviour is judged.
Fig. 3 is a schematic structural diagram of the hardware device for the network anomaly detection method provided by the embodiments of the present application. As shown in Fig. 3, the device includes one or more processors and a memory. Taking one processor as an example, the device may further include an input system and an output system.
The processor, memory, input system and output system may be connected by a bus or in other ways; Fig. 3 takes connection by a bus as an example.
The memory, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules. By running the non-transitory software programs, instructions and modules stored in the memory, the processor executes the various functional applications and data processing of the electronic device, thereby realizing the processing method of the above method embodiments.
The memory may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data and the like. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, for example at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, and such remote memory may be connected to the processing system through a network. Examples of such networks include, but are not limited to, the Internet, an enterprise intranet, a local area network, a mobile communication network and combinations thereof.
The input system may receive input numeric or character information and generate signal input. The output system may include a display device such as a display screen.
The one or more modules are stored in the memory and, when executed by the one or more processors, perform the following operations of any of the above method embodiments:
Step a: drawing a network structure topology diagram according to the network structure of the network nodes and communication links in the distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model, the Bayesian network model calculating the conditional probability that the event to be classified belongs to each anomaly type using the probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtaining the anomaly type classification result of the event to be classified according to the maximum conditional probability.
The above product can perform the method provided by the embodiments of the present application, and has the corresponding functional modules for performing the method and the beneficial effects thereof. For technical details not described in detail in this embodiment, reference may be made to the method provided by the embodiments of the present application.
The embodiments of the present application provide a non-transitory (non-volatile) computer storage medium. The computer storage medium stores computer-executable instructions, and the computer-executable instructions can perform the following operations:
Step a: drawing a network structure topology diagram according to the network structure of the network nodes and communication links in the distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model, the Bayesian network model calculating the conditional probability that the event to be classified belongs to each anomaly type using the probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtaining the anomaly type classification result of the event to be classified according to the maximum conditional probability.
The embodiments of the present application provide a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions which, when executed by a computer, cause the computer to perform the following operations:
Step a: drawing a network structure topology diagram according to the network structure of the network nodes and communication links in the distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model, the Bayesian network model calculating the conditional probability that the event to be classified belongs to each anomaly type using the probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtaining the anomaly type classification result of the event to be classified according to the maximum conditional probability.
The network anomaly detection method, system and electronic device of the embodiments of the present application build the corresponding Bayesian network model for the topology of a real network environment, which provides better flexibility and scalability and improves detection accuracy. Combining the time function for network anomaly detection improves the sensitivity of the model to anomaly detection in particular time periods and better adapts to the actual conditions of the real network environment, so that the false alarm rate and missed alarm rate of traditional detection models can be effectively reduced. In addition, because the posterior probabilities are trained according to the dependencies among multiple nodes in the network environment, the parameters determined by the application are more accurate and reliable than those of a conventional model, which improves the accuracy rate of the model.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A network anomaly detection method, characterized in that it comprises the following steps:
Step a: drawing a network structure topology diagram according to the network structure of the network nodes and communication links in the distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model, the Bayesian network model calculating the conditional probability that the event to be classified belongs to each anomaly type using the probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtaining the anomaly type classification result of the event to be classified according to the maximum conditional probability.
2. The network anomaly detection method according to claim 1, characterized in that in step b, establishing the corresponding Bayesian network model according to the network structure topology diagram further comprises: calculating, for each network node in the Bayesian network model, the prior probability and posterior probability of the occurrence of each anomaly type, and updating the conditional probability table of the Bayesian network model.
3. The network anomaly detection method according to claim 2, characterized in that step c further comprises: judging, by means of the Bayesian network model, whether the node under the input event to be classified belongs to a cause node or a result node; if it belongs to a cause node, calculating the conditional probability that the event to be classified belongs to each anomaly type using Bayes' conditional probability formula combined with the time function T(t); if it belongs to a result node, finding the maximum probability for the event to be classified from the conditional probability table and obtaining the anomaly type classification result of the event to be classified according to the maximum probability.
4. The network anomaly detection method according to claim 3, characterized in that in step c, the probability calculation formula combining Bayes' conditional probability formula with the time function T(t) is:
In the above formula, p(H_j | X) denotes the conditional probability that event X belongs to class H_j, H_j denotes the anomaly type to which the event belongs, p(H_j) denotes the prior probability that the event belongs to H_j, p(X | H_j) denotes the posterior probability that the event belongs to H_j, v_i denotes a root node, and n and k are the indices of the product notation.
5. The network anomaly detection method according to claim 3, characterized in that in step c, if the node belongs to a result node, finding the maximum probability for the event to be classified from the conditional probability table and obtaining the anomaly type classification result of the event to be classified according to the maximum probability specifically comprises: the result nodes are the set formed by the root nodes v_i, where i indexes the result nodes; each distinct result node under event X corresponds to a different conditional probability P(H_j | Pa(v_i)), where Pa(v_i) denotes the set of node v and its parent nodes; using conditional-independence decomposition, the joint probability is simplified and expressed in the total-probability form P(H_j) = Σ_i P(v_i) P(H_j | v_i); the maximum probability of event X is found from the conditional probability table, and the anomaly type is classified.
6. A network anomaly detection system, characterized in that it comprises:
a topology diagram construction module, for drawing a network structure topology diagram according to the network structure of the network nodes and communication links in the distributed network;
a Bayesian network construction module, for establishing a corresponding Bayesian network model according to the network structure topology diagram;
a first anomaly classification module, for inputting the event to be classified into the Bayesian network model, the Bayesian network model calculating the conditional probability that the event to be classified belongs to each anomaly type using the probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtaining the anomaly type classification result of the event to be classified according to the maximum conditional probability.
7. The network anomaly detection system according to claim 6, characterized in that the Bayesian network construction module is further used to calculate, for each network node in the Bayesian network model, the prior probability and posterior probability of the occurrence of each anomaly type, and to update the conditional probability table of the Bayesian network model.
8. The network anomaly detection system according to claim 7, characterized in that it further comprises a node judgment module and a second anomaly classification module;
the node judgment module is used to judge whether the node under the input event to be classified belongs to a cause node or a result node; if it belongs to a cause node, the first anomaly classification module calculates the conditional probability that the event to be classified belongs to each anomaly type; if it belongs to a result node, the second anomaly classification module looks up the conditional probability table to obtain the maximum probability for the event to be classified, and obtains the anomaly type classification result of the event to be classified according to that maximum probability.
9. The network anomaly detection system according to claim 8, characterized in that the probability calculation formula combining Bayes' conditional probability formula with the time function T(t) is:
In the above formula, p(H_j | X) denotes the conditional probability that event X belongs to class H_j, H_j denotes the anomaly type to which the event belongs, p(H_j) denotes the prior probability that the event belongs to H_j, p(X | H_j) denotes the posterior probability that the event belongs to H_j, v_i denotes a root node, and n and k are the indices of the product notation.
10. The network anomaly detection system according to claim 8, characterized in that if the node belongs to a result node, the second anomaly classification module looking up the conditional probability table to obtain the maximum probability for the event to be classified and obtaining the anomaly type classification result of the event to be classified according to the maximum probability specifically comprises: the result nodes are the set formed by the root nodes v_i, where i indexes the result nodes; each distinct result node under event X corresponds to a different conditional probability P(H_j | Pa(v_i)), where Pa(v_i) denotes the set of node v and its parent nodes; using conditional-independence decomposition, the joint probability is simplified and expressed in the total-probability form P(H_j) = Σ_i P(v_i) P(H_j | v_i); the maximum probability of event X is found from the conditional probability table, and the anomaly type is classified.
11. An electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to perform the following operations of the network anomaly detection method according to any one of claims 1 to 5:
Step a: drawing a network structure topology diagram according to the network structure of the network nodes and communication links in the distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model, the Bayesian network model calculating the conditional probability that the event to be classified belongs to each anomaly type using the probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtaining the anomaly type classification result of the event to be classified according to the maximum conditional probability.
CN201811038787.5A 2018-09-06 2018-09-06 A kind of network anomaly detection method, system and electronic equipment Pending CN109214456A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811038787.5A CN109214456A (en) 2018-09-06 2018-09-06 A kind of network anomaly detection method, system and electronic equipment

Publications (1)

Publication Number Publication Date
CN109214456A true CN109214456A (en) 2019-01-15

Family

ID=64987005

Country Status (1)

Country Link
CN (1) CN109214456A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN105608634A (en) * 2015-11-09 2016-05-25 国网新疆电力公司 Bayesian network based electrical network risk early-warning evaluation model
CN105764162A (en) * 2016-05-10 2016-07-13 江苏大学 Wireless sensor network abnormal event detecting method based on multi-attribute correlation
US20170279835A1 (en) * 2016-03-28 2017-09-28 Cisco Technology, Inc. Adaptive capture of packet traces based on user feedback learning
CN107483251A (en) * 2017-08-22 2017-12-15 国网辽宁省电力有限公司辽阳供电公司 A kind of Network exception detecting method based on the monitoring of distributed probe
US20180012019A1 (en) * 2014-12-30 2018-01-11 Battelle Memorial Institute Anomaly detection for vehicular networks for intrusion and malfunction detection

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BUNTINEW等: "LearningclassificationrulesusingBayes", 《PROCEEDINGS OF THE SIXTH INTERNATIONAL WORKSHOP ON MACHINE LEARNING》 *
刘涛等: "基于时间分段的贝叶斯网络异常检测方法", 《信息安全与通信保密》 *
常金玲 等: "《网络环境下信息质量评价与管理》", 30 June 2016, 知识产权出版社 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113396426A (en) * 2019-03-05 2021-09-14 赫尔实验室有限公司 Network construction module for Bayesian neural morphology compiler
CN109951499A (en) * 2019-04-25 2019-06-28 北京计算机技术及应用研究所 A kind of method for detecting abnormality based on network structure feature
CN110380888B (en) * 2019-05-29 2021-02-23 华为技术有限公司 Network anomaly detection method and device
CN110380888A (en) * 2019-05-29 2019-10-25 华为技术有限公司 A kind of network anomaly detection method and device
CN110769003B (en) * 2019-11-05 2022-02-22 杭州安恒信息技术股份有限公司 Network security early warning method, system, equipment and readable storage medium
CN110769003A (en) * 2019-11-05 2020-02-07 杭州安恒信息技术股份有限公司 Network security early warning method, system, equipment and readable storage medium
CN111061586A (en) * 2019-12-05 2020-04-24 深圳先进技术研究院 Container cloud platform anomaly detection method and system and electronic equipment
CN111061586B (en) * 2019-12-05 2023-09-19 深圳先进技术研究院 Container cloud platform anomaly detection method and system and electronic equipment
CN111669379A (en) * 2020-05-28 2020-09-15 北京天空卫士网络安全技术有限公司 Behavior abnormity detection method and device
CN111669379B (en) * 2020-05-28 2022-02-22 北京天空卫士网络安全技术有限公司 Behavior abnormity detection method and device
CN111839502A (en) * 2020-07-21 2020-10-30 广州视源电子科技股份有限公司 Method, device and equipment for detecting electrocardio data abnormity and storage medium
CN111839502B (en) * 2020-07-21 2024-02-09 广州视源电子科技股份有限公司 Electrocardiogram data anomaly detection method, device, equipment and storage medium
CN112822052A (en) * 2021-01-08 2021-05-18 河海大学 Network fault root cause positioning method based on network topology and alarm
CN112822052B (en) * 2021-01-08 2022-03-29 河海大学 Network fault root cause positioning method based on network topology and alarm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190115