CN109214456A - A kind of network anomaly detection method, system and electronic equipment - Google Patents
Publication number: CN109214456A (application number CN201811038787.5A)
Authority: CN (China)
Prior art keywords: probability, event, network, node, presorting
Legal status: Pending (as listed by Google Patents; the status is an assumption and not a legal conclusion)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F18/00—Pattern recognition > G06F18/20—Analysing > G06F18/29—Graphical models, e.g. Bayesian networks
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F18/00—Pattern recognition > G06F18/20—Analysing > G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation > G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
Abstract
The present application relates to a network anomaly detection method, system and electronic device. The method comprises: step a: drawing a network structure topology diagram according to the network structure formed by the network nodes and communication links of a distributed network; step b: establishing a corresponding Bayesian network model according to the network structure topology diagram; step c: inputting the event to be classified (the "pre-classification event") into the Bayesian network model, calculating in the Bayesian network model the conditional probability that the event belongs to each anomaly type using a probability calculation formula that combines the Bayesian conditional probability formula with a time function T(t), and obtaining the anomaly type classification result of the event from the maximum conditional probability. The application establishes the Bayesian network model for the topological structure of the real network environment, which gives better flexibility and scalability and improves detection accuracy; it also performs network anomaly detection in combination with the time function, which improves the model's sensitivity to anomaly detection in particular time periods and can effectively reduce the false positive rate and the false negative rate.
Description
Technical field
The present application belongs to the technical field of network security systems, and in particular relates to a network anomaly detection method, system and electronic device.
Background technique
With the popularity of the Internet and the rapid development of networks, the Internet has reached huge numbers of households and brought much convenience to people's lives and work. But network technology is also a double-edged sword: its fast development and wide application also bring unprecedented challenges. Along with the rapid development of the Internet information age, the distributed and borderless open nature of networks lets people enjoy the convenience brought by the open architecture of the Internet environment. However, the TCP/IP protocol suite itself gave little consideration to security; network security problems seriously affect the stable operation of networks and their normal use by users, and have even threatened national security, bringing severe tests and challenges. A series of network security problems have therefore attracted more and more attention. Although various security products such as firewalls, VPNs and secure routers protect computer systems and network environments from different angles, network attack methods are constantly updated, and network security incidents keep occurring.
Network anomaly detection is the last line of defense of a security system. When the network environment is intruded, it should be able to detect specifically what kind of anomaly has occurred, so that the network administrator can take manual measures to resolve and intervene, and the damage to the network environment and the resulting losses are minimized. Research on network anomaly detection has always been a topic attracting considerable attention, and there is no shortage of studies on it.
In the prior art, the model methods commonly proposed for anomaly detection in a network environment include probabilistic statistical analysis, fuzzy mathematics, artificial immune methods, neural network methods and support vector machine methods. However, these methods only analyze data collected from the network at the data level; the baseline parameter ranges are hard to determine, which leads to a series of defects such as poor flexibility and a high false positive rate. The key issue is that traditional detection models only analyze the anomaly information of a single host and are not combined with the existing distributed multi-node host environment of the network. When run in a real network environment, traditional discrimination models find it difficult to determine the parameter baseline ranges that the various models need, which increases the difficulty of discrimination and leaves a certain false positive rate and false negative rate. Existing detection methods use a model to analyze traffic information of the network operating environment over a long time span, but in real environments the traffic of certain periods may not occur at all, so it is necessary to selectively analyze and detect the traffic of particular periods.
Summary of the invention
The present application provides a network anomaly detection method, system and electronic device, intended to solve, at least to some extent, one of the above technical problems in the prior art.
To solve the above problems, the present application provides the following technical solutions:
A network anomaly detection method, comprising the following steps:
Step a: drawing a network structure topology diagram according to the network structure formed by the network nodes and communication links of a distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model; the Bayesian network model calculates the conditional probability that the event belongs to each anomaly type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and the anomaly type classification result of the event is obtained from the maximum conditional probability.
The technical solution adopted by the embodiment of the present application further includes: in step b, establishing the corresponding Bayesian network model according to the network structure topology diagram further includes calculating, for each network node in the Bayesian network model, the prior probability and the posterior probability of each anomaly type occurring, and updating the conditional probability table of the Bayesian network model.
The technical solution adopted by the embodiment of the present application further includes: step c further includes judging, through the Bayesian network model, whether the node under the input event belongs to a cause node (reason node) or a result node; if it belongs to a cause node, the conditional probability that the event belongs to each anomaly type is calculated using the Bayesian conditional probability formula combined with the time function T(t); if it belongs to a result node, the maximum probability of the event is found through the conditional probability table, and the anomaly type classification result of the event is obtained from that maximum probability.
The technical solution adopted by the embodiment of the present application further includes: in step c, the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t) is as follows:
In the above formula, $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, $H_j$ denotes the anomaly type the event belongs to, $p(H_j)$ denotes the prior probability that the event belongs to $H_j$, $p(X \mid H_j)$ denotes the posterior probability that the event belongs to $H_j$, $v_i$ denotes a root node, and n and k are the indices of the cumulative product ($\prod$) notation.
The technical solution adopted by the embodiment of the present application further includes: in step c, if the node belongs to a result node, finding the maximum probability of the event through the conditional probability table and obtaining the anomaly type classification result from that maximum probability specifically means: the result nodes form a set of root nodes $v_i$, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set formed by node $v_i$ and its parent nodes. Using conditional independence decomposition, the joint probability is simplified into the total probability form $P(H_j) = \sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is then found through the conditional probability table, and the anomaly type is classified accordingly.
Another technical solution adopted by the embodiment of the present application is a network anomaly detection system, comprising:
a topology diagram construction module, for drawing the network structure topology diagram according to the network structure formed by the network nodes and communication links of the distributed network;
a Bayesian network construction module, for establishing the corresponding Bayesian network model according to the network structure topology diagram;
a first anomaly classification module, for inputting the event to be classified into the Bayesian network model; the Bayesian network model calculates the conditional probability that the event belongs to each anomaly type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and obtains the anomaly type classification result of the event from the maximum conditional probability.
The technical solution adopted by the embodiment of the present application further includes: the Bayesian network construction module is further used to calculate, for each network node in the Bayesian network model, the prior probability and the posterior probability of each anomaly type occurring, and to update the conditional probability table of the Bayesian network model.
The technical solution adopted by the embodiment of the present application further includes a node judgment module and a second anomaly classification module. The node judgment module is used to judge whether the node under the input event belongs to a cause node or a result node; if it belongs to a cause node, the first anomaly classification module calculates the conditional probability that the event belongs to each anomaly type; if it belongs to a result node, the second anomaly classification module looks up the conditional probability table to obtain the maximum probability of the event, and the anomaly type classification result of the event is obtained from that maximum probability.
The technical solution adopted by the embodiment of the present application further includes: the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t) is as follows:
In the above formula, $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, $H_j$ denotes the anomaly type the event belongs to, $p(H_j)$ denotes the prior probability that the event belongs to $H_j$, $p(X \mid H_j)$ denotes the posterior probability that the event belongs to $H_j$, $v_i$ denotes a root node, and n and k are the indices of the cumulative product ($\prod$) notation.
The technical solution adopted by the embodiment of the present application further includes: if the node belongs to a result node, the second anomaly classification module looks up the conditional probability table to obtain the maximum probability of the event and obtains the anomaly type classification result from that maximum probability, which specifically means: the result nodes form a set of root nodes $v_i$, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set formed by node $v_i$ and its parent nodes. Using conditional independence decomposition, the joint probability is simplified into the total probability form $P(H_j) = \sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is then found through the conditional probability table, and the anomaly type is classified accordingly.
A further technical solution adopted by the embodiment of the present application is an electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the following operations of the above network anomaly detection method:
Step a: drawing a network structure topology diagram according to the network structure formed by the network nodes and communication links of a distributed network;
Step b: establishing a corresponding Bayesian network model according to the network structure topology diagram;
Step c: inputting the event to be classified into the Bayesian network model; the Bayesian network model calculates the conditional probability that the event belongs to each anomaly type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and the anomaly type classification result of the event is obtained from the maximum conditional probability.
Compared with the prior art, the beneficial effects produced by the embodiment of the present application are: the network anomaly detection method, system and electronic device of the embodiment establish the corresponding Bayesian network model for the topological structure of the real network environment, which gives better flexibility and scalability and improves detection accuracy; they perform network anomaly detection in combination with the time function, which improves the model's sensitivity to anomaly detection in particular time periods, adapts better to the actual conditions of the real network environment and, compared with traditional detection models, can effectively reduce the false positive rate and the false negative rate. In addition, the posterior probability that the application trains from the dependencies among the multiple nodes in the network environment determines parameters more accurately and reliably than a traditional model, which improves the accuracy of the model.
Description of the drawings
Fig. 1 is a flow chart of the network anomaly detection method of the embodiment of the present application;
Fig. 2 is a schematic structural diagram of the network anomaly detection system of the embodiment of the present application;
Fig. 3 is a schematic structural diagram of the hardware device for the network anomaly detection method provided by the embodiment of the present application.
Specific embodiments
In order to make the objects, technical solutions and advantages of the present application clearer, the application is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the application, not to limit it.
Referring to Fig. 1, which is a flow chart of the network anomaly detection method of the embodiment of the present application, the method comprises the following steps:
Step 100: analyze the network structure formed by the network nodes and communication links of the distributed network and draw the network structure topology diagram;
In step 100, a network with a real distributed architecture has multiple network units and data nodes; there may be actual communication links or network communication between nodes, and each network node may have connection dependency relationships with one or more other network nodes. It is therefore first necessary to analyze the network structure formed by the network nodes and communication links of the distributed network environment, and to establish corresponding models for the various data processing and communication devices in the distributed network.
Step 200: establish the corresponding Bayesian network model according to the network structure topology diagram, calculate for each network node in the Bayesian network model the prior probability and the posterior probability of each anomaly type occurring, and update the conditional probability table of the Bayesian network model;
In step 200, a Bayesian network, also known as a belief network, is an extension of the Bayesian inference method and is currently one of the most effective theoretical models for expressing and reasoning about uncertain knowledge. A Bayesian network is a graphical network for probabilistic reasoning; it consists of a directed acyclic graph representing the dependencies between variables and conditional probability tables representing the relationships between nodes and their parent nodes. The nodes of a Bayesian network represent random variables, which may be observable variables, unknown parameters and so on. In the Bayesian network model, each network node has certain correlation relationships with one or more other nodes. Each node V corresponds to a conditional probability table (CPT), which gives the probability values of that node under the influence of the remaining nodes. The directed edges between nodes represent the interdependence between nodes: if two nodes are connected by a single arrow, one node is the cause (cause node) and the other the effect (result node), and the two connected nodes produce a conditional probability value. If two nodes are not connected by an arrow, the random variables of the nodes are conditionally independent of each other; if a node has no parent node, its conditional probability is only the prior probability. Bayesian networks can be applied to decisions that conditionally depend on various control factors and can reason from incomplete, inaccurate or uncertain information, which is a great advantage for solving faults caused by the uncertainty and correlation of complex equipment.
The topological structure of a Bayesian network is combined with Bayesian statistics, which makes full use of sample information by combining prior information with sample knowledge and promotes the integration of prior knowledge and data. Moreover, describing the dependencies between data with this graphical network structure makes it easy to reconfigure modules when conditions change.
Step 300: input the event to be classified into the Bayesian network model; the Bayesian network model judges whether the node under the event belongs to a cause node or a result node; if it belongs to a cause node, go to step 400; if it belongs to a result node, go to step 500;
In step 300, the event to be classified is a combination of traffic feature vectors in the real network environment, including information such as the number of traffic packets, the average packet length, protocol information, TCP flag bits and connection information. There are many different network topology structures, but for the Bayesian network model there are only cause nodes and result nodes. For a result node, the conditional probability that the event belongs to each anomaly type can be discriminated directly by Bayesian network inference. A cause node, however, has several links to other nodes, so the anomaly detection type should be determined starting from the Bayesian network structure.
Step 400: calculate the conditional probability that the event belongs to each anomaly type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and obtain the anomaly type classification result of the event from the maximum probability;
In step 400, the time function T(t) is a piecewise function of the dependent variable t over the time distribution; it appears as a continuously distributed curve in the coordinate diagram of the time function and shows the variation trend of time within a certain range. Time is added as a weighting factor, and the approach of using different time periods instead of a threshold improves the flexibility of the model and its sensitivity to anomaly detection in particular time periods, adapts better to the actual conditions of the real network environment, and effectively reduces the false positive rate and the false negative rate.
The specific calculation is as follows: the event to be classified is denoted $X = (x_1, x_2, \ldots, x_n)$, where $x_i$ denotes the i-th attribute of event X; the conditional probability that event X belongs to $H_j$ can be obtained from the Bayesian conditional probability formula, where $H_j$ denotes the anomaly type the event belongs to. However, to account for event detection accuracy and for the fact that the traffic occurring within different time periods differs, the application uses the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t):
In formula (1), $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, for example the SYN flood attack type or the DoS attack type. $p(H_j)$ denotes the prior probability that the event belongs to each anomaly type; the values of $p(H_j)$ and $p(H_j \mid X)$ can be obtained by training on the training data set, and the posterior probability $p(X \mid H_j)$ that the event belongs to each anomaly type is then calculated according to formula (1). $v_i$ denotes a root node, and n and k are the indices of the cumulative product notation (k = 1 is the lower bound and n the upper bound; k takes the values from 1 up to n, and the terms are multiplied). The posterior probability that the application trains from the dependencies among the multiple nodes in the network environment determines parameters more accurately and reliably than a traditional model, which improves the accuracy of the model.
Step 500: find the maximum probability of the event through the conditional probability table, and obtain the anomaly type classification result of the event;
In step 500, the result nodes, i.e. the root nodes $v_i$, form a set, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set formed by node $v_i$ and its parent nodes. Using conditional independence decomposition, the joint probability can be simplified into the total probability form $P(H_j) = \sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is found through the conditional probability table, and the anomaly type is classified accordingly.
Referring to Fig. 2, which is a schematic structural diagram of the network anomaly detection system of the embodiment of the present application, the system comprises a topology diagram construction module, a Bayesian network construction module, a node judgment module, a first anomaly classification module and a second anomaly classification module.
Topology diagram construction module: used to analyze the network structure formed by the network nodes and communication links of the distributed network and to draw the network structure topology diagram. A network with a real distributed architecture has multiple network units and data nodes; there may be actual communication links or network communication between nodes, and each network node may have connection dependency relationships with one or more other network nodes. It is therefore first necessary to analyze the network structure formed by the network nodes and communication links of the distributed network environment, and to establish corresponding models for the various data processing and communication devices in the distributed network.
Bayesian network construction module: used to establish the corresponding Bayesian network model according to the network structure topology diagram, to calculate for each network node in the Bayesian network model the prior probability and the posterior probability of each anomaly type occurring, and to update the conditional probability table of the Bayesian network model. In the Bayesian network model, each network node has certain correlation relationships with one or more other nodes. Each node V corresponds to a conditional probability table (CPT), which gives the probability values of that node under the influence of the remaining nodes. The directed edges between nodes represent the interdependence between nodes: if two nodes are connected by a single arrow, one node is the cause (cause node) and the other the effect (result node), and the two connected nodes produce a conditional probability value. If two nodes are not connected by an arrow, the random variables of the nodes are conditionally independent of each other; if a node has no parent node, its conditional probability is only the prior probability.
Node judgment module: used to input the event to be classified into the Bayesian network model; the Bayesian network model judges whether the node under the event belongs to a cause node or a result node; if it belongs to a cause node, the anomaly type of the event is classified by the first anomaly classification module; if it belongs to a result node, the anomaly type of the event is classified by the second anomaly classification module. The event to be classified is a combination of traffic feature vectors in the real network environment, including information such as the number of traffic packets, the average packet length, protocol information, TCP flag bits and connection information. There are many different network topology structures, but for the Bayesian network model there are only cause nodes and result nodes. For a result node, the conditional probability that the event belongs to each anomaly type can be discriminated directly by Bayesian network inference. A cause node, however, has several links to other nodes, so the anomaly detection type should be determined starting from the Bayesian network structure.
First anomaly classification module: used to calculate the conditional probability that the event belongs to each anomaly type using the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t), and to obtain the anomaly type classification result of the event from the maximum probability. The time function T(t) is a piecewise function of the dependent variable t over the time distribution; it appears as a continuously distributed curve in the coordinate diagram of the time function and shows the variation trend of time within a certain range. Time is added as a weighting factor, and the approach of using different time periods instead of a threshold improves the flexibility of the model and its sensitivity to anomaly detection in particular time periods, adapts better to the actual conditions of the real network environment, and effectively reduces the false positive rate and the false negative rate.
The specific calculation is as follows: the event to be classified is denoted $X = (x_1, x_2, \ldots, x_n)$, where $x_i$ denotes the i-th attribute of event X; the conditional probability that event X belongs to $H_j$ can be obtained from the Bayesian conditional probability formula, where $H_j$ denotes the anomaly type the event belongs to. However, to account for event detection accuracy and for the fact that the traffic occurring within different time periods differs, the application uses the probability calculation formula that combines the Bayesian conditional probability formula with the time function T(t):
In formula (1), $p(H_j \mid X)$ denotes the conditional probability that event X belongs to class $H_j$, for example the SYN flood attack type or the DoS attack type. $p(H_j)$ denotes the prior probability that the event belongs to each anomaly type; the values of $p(H_j)$ and $p(H_j \mid X)$ can be obtained by training on the training data set, and the posterior probability $p(X \mid H_j)$ that the event belongs to each anomaly type is then calculated according to formula (1). $v_i$ denotes a root node, and n and k are the indices of the cumulative product notation (k = 1 is the lower bound and n the upper bound; k takes the values from 1 up to n, and the terms are multiplied). The posterior probability that the application trains from the dependencies among the multiple nodes in the network environment determines parameters more accurately and reliably than a traditional model, which improves the accuracy of the model.
Second anomaly classification module: used to find the maximum probability of the event through the conditional probability table and to obtain the anomaly type classification result of the event from that maximum probability. The result nodes, i.e. the root nodes $v_i$, form a set, where i denotes the number of result nodes; different result nodes under event X correspond to different conditional probabilities $P(H_j \mid Pa(v_i))$, where $Pa(v_i)$ denotes the set formed by node $v_i$ and its parent nodes. Using conditional independence decomposition, the joint probability can be simplified into the total probability form $P(H_j) = \sum_i P(v_i)\,P(H_j \mid v_i)$; the maximum probability of event X is found through the conditional probability table, the anomaly type is classified accordingly, the anomaly detection is completed, and network intrusion behaviour is judged.
Fig. 3 is a schematic structural diagram of the hardware device for the network anomaly detection method provided by the embodiment of the present application. As shown in Fig. 3, the device includes one or more processors and a memory. Taking one processor as an example, the device may also include an input system and an output system.
The processor, memory, input system and output system may be connected by a bus or in other ways; in Fig. 3 they are connected by a bus as an example.
The memory, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs, non-transitory computer-executable programs and modules. By running the non-transitory software programs, instructions and modules stored in the memory, the processor executes the various functional applications and data processing of the electronic device, thereby implementing the processing method of the above method embodiment.
The memory may include a program storage area and a data storage area; the program storage area can store the operating system and the application program required for at least one function, and the data storage area can store data, etc. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, for example at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments the memory optionally includes memory located remotely from the processor; such remote memory can be connected to the processing system through a network. Examples of such networks include, but are not limited to, the Internet, enterprise intranets, local area networks, mobile communication networks and combinations thereof.
The input system can receive input numeric or character information and generate signal input. The output system may include a display device such as a display screen.
The one or more modules are stored in the memory and, when executed by the one or more processors, perform the following operations of any of the above method embodiments:
Step a: draw a network structure topology diagram according to the network structure of the network nodes and communication links under the distributed network;
Step b: establish the corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the pre-classified event into the Bayesian network model; the Bayesian network model calculates the conditional probability that the pre-classified event belongs to each of the different exception types, using a probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtains the exception type classification result of the pre-classified event from the maximum conditional probability.
The above product can execute the method provided by the embodiments of the present application, and has the corresponding functional modules and beneficial effects for executing the method. For technical details not described in detail in this embodiment, refer to the method provided by the embodiments of the present application.
The embodiments of the present application provide a non-transitory (non-volatile) computer storage medium; the computer storage medium stores computer-executable instructions, and the computer-executable instructions can perform the following operations:
Step a: draw a network structure topology diagram according to the network structure of the network nodes and communication links under the distributed network;
Step b: establish the corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the pre-classified event into the Bayesian network model; the Bayesian network model calculates the conditional probability that the pre-classified event belongs to each of the different exception types, using a probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtains the exception type classification result of the pre-classified event from the maximum conditional probability.
The embodiments of the present application provide a computer program product; the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, they cause the computer to perform the following operations:
Step a: draw a network structure topology diagram according to the network structure of the network nodes and communication links under the distributed network;
Step b: establish the corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the pre-classified event into the Bayesian network model; the Bayesian network model calculates the conditional probability that the pre-classified event belongs to each of the different exception types, using a probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtains the exception type classification result of the pre-classified event from the maximum conditional probability.
The network anomaly detection method, system and electronic device of the embodiments of the present application establish the corresponding Bayesian network model for the topological structure of the real network environment, which gives better flexibility and scalability and improves detection accuracy; they combine the time function to carry out network anomaly detection, which improves the model's sensitivity to anomaly detection in particular time periods, adapts better to the actual conditions of the real network environment and, compared with traditional detection models, can effectively reduce the false alarm rate and the missed alarm rate. In addition, because the posterior probabilities of this application are trained from the dependence among multiple nodes in the network environment, the parameters they determine are more accurate and reliable than those of a conventional model, which improves the accuracy rate of the model.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (11)
1. A network anomaly detection method, characterized by comprising the following steps:
Step a: draw a network structure topology diagram according to the network structure of the network nodes and communication links under the distributed network;
Step b: establish the corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the pre-classified event into the Bayesian network model; the Bayesian network model calculates the conditional probability that the pre-classified event belongs to each of the different exception types, using a probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtains the exception type classification result of the pre-classified event from the maximum conditional probability.
2. The network anomaly detection method according to claim 1, characterized in that, in step b, establishing the corresponding Bayesian network model according to the network structure topology diagram further includes: calculating, for each network node in the Bayesian network model, the prior probability and the posterior probability of the different exception types occurring, and updating the conditional probability table of the Bayesian network model.
3. The network anomaly detection method according to claim 2, characterized in that step c further includes: judging, by the Bayesian network model, whether the node under the input pre-classified event belongs to a cause node or a result node; if it belongs to a cause node, calculating the conditional probability that the pre-classified event belongs to the different exception types using Bayes' conditional probability formula combined with the time function T(t); if it belongs to a result node, looking up the maximum probability of the pre-classified event in the conditional probability table and obtaining the exception type classification result of the pre-classified event from the maximum probability.
4. The network anomaly detection method according to claim 3, characterized in that, in step c, the probability calculation formula combining Bayes' conditional probability formula with the time function T(t) is as follows:
In the above formula, p(Hj|X) denotes the conditional probability that event X belongs to class Hj, Hj denotes the exception type to which the event belongs, p(Hj) denotes the prior probability that the event belongs to Hj, p(X|Hj) denotes the posterior probability that the event belongs to Hj, vi denotes the root node, and n, k are the indices of the product notation.
5. The network anomaly detection method according to claim 3, characterized in that, in step c, if the node belongs to a result node, looking up the maximum probability of the pre-classified event in the conditional probability table and obtaining the exception type classification result of the pre-classified event from the maximum probability specifically comprises: the result nodes are the set formed by the root nodes vi, where i indexes the result nodes; the different result nodes under event X correspond to different conditional probabilities P(Hj|Pa(vi)), where Pa(vi) denotes the set of node v and its parent nodes; using the conditional independence decomposition, the joint probability simplifies to the total-probability form P(Hj) = Σ P(vi) P(Hj|vi); the maximum probability of event X is looked up in the conditional probability table, and the exception type is classified.
6. A network anomaly detection system, characterized by comprising:
a topology diagram construction module, for drawing a network structure topology diagram according to the network structure of the network nodes and communication links under the distributed network;
a Bayesian network construction module, for establishing the corresponding Bayesian network model according to the network structure topology diagram;
a first anomaly classification module, for inputting the pre-classified event into the Bayesian network model, wherein the Bayesian network model calculates the conditional probability that the pre-classified event belongs to each of the different exception types, using a probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtains the exception type classification result of the pre-classified event from the maximum conditional probability.
7. The network anomaly detection system according to claim 6, characterized in that the Bayesian network construction module is further used for calculating, for each network node in the Bayesian network model, the prior probability and the posterior probability of the different exception types occurring, and for updating the conditional probability table of the Bayesian network model.
8. The network anomaly detection system according to claim 7, characterized in that it further comprises a node judgment module and a second anomaly classification module;
the node judgment module is used to judge whether the node under the input pre-classified event belongs to a cause node or a result node; if it belongs to a cause node, the first anomaly classification module calculates the conditional probability that the pre-classified event belongs to the different exception types; if it belongs to a result node, the second anomaly classification module looks up the conditional probability table to obtain the maximum probability of the pre-classified event, and obtains the exception type classification result of the pre-classified event from the maximum probability.
9. The network anomaly detection system according to claim 8, characterized in that the probability calculation formula combining Bayes' conditional probability formula with the time function T(t) is as follows:
In the above formula, p(Hj|X) denotes the conditional probability that event X belongs to class Hj, Hj denotes the exception type to which the event belongs, p(Hj) denotes the prior probability that the event belongs to Hj, p(X|Hj) denotes the posterior probability that the event belongs to Hj, vi denotes the root node, and n, k are the indices of the product notation.
10. The network anomaly detection system according to claim 8, characterized in that, if the node belongs to a result node, looking up the conditional probability table by the second anomaly classification module to obtain the maximum probability of the pre-classified event, and obtaining the exception type classification result of the pre-classified event from the maximum probability, specifically comprises: the result nodes are the set formed by the root nodes vi, where i indexes the result nodes; the different result nodes under event X correspond to different conditional probabilities P(Hj|Pa(vi)), where Pa(vi) denotes the set of node v and its parent nodes; using the conditional independence decomposition, the joint probability simplifies to the total-probability form P(Hj) = Σ P(vi) P(Hj|vi); the maximum probability of event X is looked up in the conditional probability table, and the exception type is classified.
11. An electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the following operations of the network anomaly detection method according to any one of claims 1 to 5:
Step a: draw a network structure topology diagram according to the network structure of the network nodes and communication links under the distributed network;
Step b: establish the corresponding Bayesian network model according to the network structure topology diagram;
Step c: input the pre-classified event into the Bayesian network model; the Bayesian network model calculates the conditional probability that the pre-classified event belongs to each of the different exception types, using a probability calculation formula that combines Bayes' conditional probability formula with the time function T(t), and obtains the exception type classification result of the pre-classified event from the maximum conditional probability.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811038787.5A CN109214456A (en) | 2018-09-06 | 2018-09-06 | A kind of network anomaly detection method, system and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811038787.5A CN109214456A (en) | 2018-09-06 | 2018-09-06 | A kind of network anomaly detection method, system and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109214456A true CN109214456A (en) | 2019-01-15 |
Family
ID=64987005
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811038787.5A Pending CN109214456A (en) | 2018-09-06 | 2018-09-06 | A kind of network anomaly detection method, system and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109214456A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109951499A (en) * | 2019-04-25 | 2019-06-28 | 北京计算机技术及应用研究所 | A kind of method for detecting abnormality based on network structure feature |
CN110380888A (en) * | 2019-05-29 | 2019-10-25 | 华为技术有限公司 | A kind of network anomaly detection method and device |
CN110769003A (en) * | 2019-11-05 | 2020-02-07 | 杭州安恒信息技术股份有限公司 | Network security early warning method, system, equipment and readable storage medium |
CN111061586A (en) * | 2019-12-05 | 2020-04-24 | 深圳先进技术研究院 | Container cloud platform anomaly detection method and system and electronic equipment |
CN111669379A (en) * | 2020-05-28 | 2020-09-15 | 北京天空卫士网络安全技术有限公司 | Behavior abnormity detection method and device |
CN111839502A (en) * | 2020-07-21 | 2020-10-30 | 广州视源电子科技股份有限公司 | Method, device and equipment for detecting electrocardio data abnormity and storage medium |
CN112822052A (en) * | 2021-01-08 | 2021-05-18 | 河海大学 | Network fault root cause positioning method based on network topology and alarm |
CN113396426A (en) * | 2019-03-05 | 2021-09-14 | 赫尔实验室有限公司 | Network construction module for Bayesian neural morphology compiler |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102882881A (en) * | 2012-10-10 | 2013-01-16 | 常州大学 | Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service |
CN105608634A (en) * | 2015-11-09 | 2016-05-25 | 国网新疆电力公司 | Bayesian network based electrical network risk early-warning evaluation model |
CN105764162A (en) * | 2016-05-10 | 2016-07-13 | 江苏大学 | Wireless sensor network abnormal event detecting method based on multi-attribute correlation |
US20170279835A1 (en) * | 2016-03-28 | 2017-09-28 | Cisco Technology, Inc. | Adaptive capture of packet traces based on user feedback learning |
CN107483251A (en) * | 2017-08-22 | 2017-12-15 | 国网辽宁省电力有限公司辽阳供电公司 | A kind of Network exception detecting method based on the monitoring of distributed probe |
US20180012019A1 (en) * | 2014-12-30 | 2018-01-11 | Battelle Memorial Institute | Anomaly detection for vehicular networks for intrusion and malfunction detection |
Family events:
- 2018-09-06: CN CN201811038787.5A (CN109214456A) active, Pending
Non-Patent Citations (3)
Title |
---|
Buntine W. et al.: "Learning classification rules using Bayes", Proceedings of the Sixth International Workshop on Machine Learning * |
刘涛 et al.: "Bayesian network anomaly detection method based on time segmentation" (基于时间分段的贝叶斯网络异常检测方法), 信息安全与通信保密 (Information Security and Communications Privacy) * |
常金玲 et al.: "Information Quality Evaluation and Management in the Network Environment" (《网络环境下信息质量评价与管理》), 30 June 2016, 知识产权出版社 (Intellectual Property Publishing House) * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113396426A (en) * | 2019-03-05 | 2021-09-14 | 赫尔实验室有限公司 | Network construction module for Bayesian neural morphology compiler |
CN109951499A (en) * | 2019-04-25 | 2019-06-28 | 北京计算机技术及应用研究所 | A kind of method for detecting abnormality based on network structure feature |
CN110380888B (en) * | 2019-05-29 | 2021-02-23 | 华为技术有限公司 | Network anomaly detection method and device |
CN110380888A (en) * | 2019-05-29 | 2019-10-25 | 华为技术有限公司 | A kind of network anomaly detection method and device |
CN110769003B (en) * | 2019-11-05 | 2022-02-22 | 杭州安恒信息技术股份有限公司 | Network security early warning method, system, equipment and readable storage medium |
CN110769003A (en) * | 2019-11-05 | 2020-02-07 | 杭州安恒信息技术股份有限公司 | Network security early warning method, system, equipment and readable storage medium |
CN111061586A (en) * | 2019-12-05 | 2020-04-24 | 深圳先进技术研究院 | Container cloud platform anomaly detection method and system and electronic equipment |
CN111061586B (en) * | 2019-12-05 | 2023-09-19 | 深圳先进技术研究院 | Container cloud platform anomaly detection method and system and electronic equipment |
CN111669379A (en) * | 2020-05-28 | 2020-09-15 | 北京天空卫士网络安全技术有限公司 | Behavior abnormity detection method and device |
CN111669379B (en) * | 2020-05-28 | 2022-02-22 | 北京天空卫士网络安全技术有限公司 | Behavior abnormity detection method and device |
CN111839502A (en) * | 2020-07-21 | 2020-10-30 | 广州视源电子科技股份有限公司 | Method, device and equipment for detecting electrocardio data abnormity and storage medium |
CN111839502B (en) * | 2020-07-21 | 2024-02-09 | 广州视源电子科技股份有限公司 | Electrocardiogram data anomaly detection method, device, equipment and storage medium |
CN112822052A (en) * | 2021-01-08 | 2021-05-18 | 河海大学 | Network fault root cause positioning method based on network topology and alarm |
CN112822052B (en) * | 2021-01-08 | 2022-03-29 | 河海大学 | Network fault root cause positioning method based on network topology and alarm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2019-01-15