CN111193742A - D-S evidence theory-based power communication network anomaly detection method - Google Patents
- Publication number
- CN111193742A
- Authority
- CN
- China
- Prior art keywords
- network
- power communication
- communication network
- evidence theory
- data
- Prior art date
- Legal status
- Pending
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/14, network security for detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/14 and H04L63/1408, as above)
- G06F18/23213: Non-hierarchical clustering using statistics or function optimisation, with a fixed number of clusters, e.g. K-means clustering (under G06F18/00, pattern recognition, and G06F18/23, clustering techniques)
- G06F18/25: Fusion techniques (under G06F18/00, pattern recognition)
- G06F18/257: Belief theory, e.g. Dempster-Shafer (under G06F18/25, fusion techniques)
Abstract
The invention relates to the field of power communication networks, in particular to a power communication network anomaly detection method based on D-S evidence theory. With this method, the accuracy of sensing network anomalies and their type in the power communication network is effectively improved, and at the same time network anomalies are detected in real time by fusing real-time data as it arrives.
Description
Technical Field
The invention relates to the field of power communication networks, in particular to a power communication network anomaly detection method based on a D-S evidence theory.
Background
With the advance of research and practice in smart power grids, power grids in the traditional sense are gradually being fused with information communication systems and monitoring control systems. The safety of the power communication network is therefore closely tied to the operational safety of the power grid, and is central to it.
The power communication network system is complex and dynamic, and has a certain vulnerability. Security incidents such as denial-of-service attacks, network scanning, network spoofing, viruses and trojans, and information leakage emerge endlessly, and security risks from both inside and outside the network put great pressure on network security work. A power communication network anomaly detection technique is therefore needed that accurately identifies security-relevant abnormal events and determines in real time whether the network is in an abnormal state, so that operating personnel can deal with the problem in time.
Among existing network anomaly detection methods, one approach judges network traffic comprehensively from a number of features on the basis of D-S evidence theory and introduces an adaptive mechanism to maintain detection accuracy. Its drawback is that the judgment cannot be combined with the data characteristics of the hosts themselves, which limits its accuracy.
Disclosure of Invention
In order to overcome the low accuracy of network anomaly detection in the prior art, the invention provides a power communication network anomaly detection method based on D-S evidence theory, which effectively improves the accuracy of sensing network anomalies and their types in the power communication network, and realizes real-time network anomaly detection by fusing real-time data as it arrives.
In order to solve the technical problem, the invention adopts the following technical scheme: a power communication network anomaly detection method based on D-S evidence theory comprises the following steps:
step one: selecting the features that influence network anomalies from network connection state data collected from the power communication network, and performing data preprocessing;
step two: determining the BBA (basic probability assignment, i.e. each possible probability assignment within the identification frame) in the identification frame of D-S evidence theory, based on a K-means clustering method (K-means algorithm);
step three: determining the identification frame by using an expert system;
step four: performing fusion and decision-making using the Dempster combination rule of D-S evidence theory.
Preferably, in the first step, network key information data with a fixed time length is selected from original records of network key information collected in the power communication network; and cleaning the selected key information data, and removing the data records containing the missing values.
Preferably, the key information data includes three kinds of information: traffic information, operation information, and alarm information from the network protection equipment. The traffic information comprises the traffic inflow size and the traffic outflow size of each network node. The operation information comprises the total number of services running on each host, and the average access amount and access frequency of each service running on the host. The alarm information of the network protection equipment comprises an alarm identifier, attack frequency, source address, destination address, source port and destination port. The traffic of the power grid in a normal operating state is stable (apart from specific time intervals), so if the traffic fluctuates abnormally, the traffic information can be used to judge whether a DDoS attack is occurring. The total number of services on a host is likewise stable in the normal state, so a fluctuation there can be used to detect whether a backdoor or malicious program has been injected into the host. Collecting alarm information allows the attack type and attack source to be judged. Together these provide the data support for anomaly detection.
Preferably, in the second step, the calculation process of the clustering intervals and the clustering feature similarity includes:
S1: based on the K-means algorithm, the basic model of a clustering feature interval is [c, r], where c is the cluster center and r is the cluster radius;
S2: the clustering feature similarity is defined as follows.
Let F1: [c1, r1] and F2: [c2, r2] be two focal elements in the identification frame of D-S evidence theory, with the distance between them being:
where c1 is the first cluster center; c2 is the second cluster center; r1 is the cluster radius of the first cluster center; r2 is the cluster radius of the second cluster center;
S3: the similarity of the two clustering feature interval models is
where λ > 0 is a support coefficient and d(F1, F2) is the distance between the two focal elements.
Preferably, in the second step, the BBA generation step is as follows:
S2.1: establishing a clustering interval model of the attribute values of the sample data.
S2.2: calculating the distance between the attribute value of the data to be judged and the model interval.
S2.3: calculating the similarity between the attribute value of the data to be identified and the attribute value of the sample data.
S2.4: normalizing the similarity to generate the BBA.
Preferably, in step three, the identification frame is established according to an expert system. The identification frame is denoted Z = {a1, a2, …, an}, where Z is the identification frame, n is the number of objects in the frame, and each a is an event type; any two objects in the frame are mutually exclusive.
Preferably, in the fourth step, the Dempster combination rule is defined as:
where A is a focal element in the identification frame; B is a proposition in the identification frame; m1 and m2 are the basic credibility assignments from two different information sources under the same frame; and K is the conflict coefficient, which reflects the degree of conflict between the pieces of evidence;
finally, the network anomaly judgment and the judgment of its type are made according to the probability values obtained after fusion.
Compared with the prior art, the beneficial effects are:
1. The method determines the BBA in the identification frame of D-S evidence theory by a K-means-based clustering method. Determining the BBA this way reduces expert experience scoring, and with it the strong subjectivity and high evidence conflict that expert-scored BBAs introduce.
2. The invention comprehensively considers the transmission data of the network, extracts from it the feature attributes that influence network anomalies, and can thus better reflect the running state of the network.
3. The method takes the real-time requirements of the power communication network fully into account: it uses the Dempster combination rule for fusion and decision-making, and uses the large volume of operation data already in the database to construct the clustering interval model and the identification frame, so that real-time operation data can be fused as it arrives and the judgment of network anomalies in real time is accelerated.
Drawings
FIG. 1 is a schematic flow chart of a method for detecting network anomaly of a power communication network based on a D-S evidence theory according to the invention;
fig. 2 is a power communication hierarchical diagram of a power communication network anomaly detection method based on a D-S evidence theory according to the present invention.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent.
The technical scheme of the invention is further described in detail by the following specific embodiments in combination with the attached drawings:
example 1
Fig. 1-2 show an embodiment of a method for detecting network anomaly of a power communication network based on a D-S evidence theory, which includes the following steps:
step one: setting the identification frame, established from an existing knowledge base or expert experience, as Z = {a1, a2, …, an}, where Z is the identification frame, ai (1 ≤ i ≤ n) denotes an event type, any two objects in the frame are mutually exclusive, and n is the number of objects in the frame;
the selected indexes of the power communication network system are as follows. Traffic information: the traffic inflow size of each network node, NETWORK_IN (NI), and the traffic outflow size of the network node, NETWORK_OUT (NO). Operation information: the total number of services running on each host (SN), and the average access amount VISIT_NUM (VN) and access frequency VISIT_FREQ (VR) of each service running on the host. Alarm information of the network protection equipment: the attack frequency ATTACK_FREQ (AF);
step two: BBA generation of sample index data.
Selecting sample data: for each object (event) in the identification frame, 20 sets of corresponding data (from the power communication network system and the related database) are selected, where each set of data comprises the indexes {NI, NO, SN, VN, VR, AF}; the index NI data can be written NI1, NI2, …, NI20, and the other indexes likewise.
Generating the clustering feature interval model, as shown in the following table:
Table 1: Feature interval model table
Focal element | NI | NO | SN | VN | VR | AF |
---|---|---|---|---|---|---|
a1 | [c11,r11] | [c12,r12] | [c13,r13] | [c14,r14] | [c15,r15] | [c16,r16] |
a2 | [c21,r21] | [c22,r22] | [c23,r23] | [c24,r24] | [c25,r25] | [c26,r26] |
… | … | … | … | … | … | … |
an | [cn1,rn1] | [cn2,rn2] | [cn3,rn3] | [cn4,rn4] | [cn5,rn5] | [cn6,rn6] |
The entries in the above table are computed directly from the 20 groups of data; for example, [c11, r11] is generated as follows:
Solving the distance between the data to be detected and the feature model interval, and solving the similarity: select the test data C = {NIt, NOt, SNt, VNt, VRt, AFt}, compute its distance to each interval model, compute the similarity, and then normalize to obtain the BBA values, as shown in the following table:
Table 2: Similarity between test data and interval model
Focal element | NI | NO | SN | VN | VR | AF |
---|---|---|---|---|---|---|
a1 | s11 | s12 | s13 | s14 | s15 | s16 |
a2 | s21 | s22 | s23 | s24 | s25 | s26 |
… | … | … | … | … | … | … |
an | sn1 | sn2 | sn3 | sn4 | sn5 | sn6 |
The entries in the above table are computed directly from the Table 1 data (where the cluster radius of the test data may be taken as 0 and the similarity coefficient as 1); for example, s11 is generated as follows:
Normalization is then performed to obtain the BBA data as follows:
Table 3: BBA allocation
Focal element | NI | NO | SN | VN | VR | AF |
---|---|---|---|---|---|---|
a1 | P11 | P12 | P13 | P14 | P15 | P16 |
a2 | P21 | P22 | P23 | P24 | P25 | P26 |
… | … | … | … | … | … | … |
an | Pn1 | Pn2 | Pn3 | Pn4 | Pn5 | Pn6 |
The entries in the above table are obtained by normalizing the Table 2 data column by column, as follows (taking P11 as an example):
D-S data fusion and decision analysis are then carried out: first the conflict coefficient K is obtained, and then the fused probability of each frame object is obtained, as follows.
The formula for K in step four is:
According to the fusion formula in step four (taking P(a1) as an example), there is:
Through the above steps the fused probability P(a1), P(a2), …, P(an) of each event in the identification frame is obtained, from which the event type is judged and subsequent related decisions are made.
The beneficial effects of this embodiment:
1. The method determines the BBA in the identification frame of D-S evidence theory by a K-means-based clustering method. Determining the BBA this way reduces expert experience scoring, and with it the strong subjectivity and high evidence conflict that expert-scored BBAs introduce.
2. The invention comprehensively considers the transmission data of the network, extracts from it the feature attributes that influence network anomalies, and can thus better reflect the running state of the network.
3. The method takes the real-time requirements of the power communication network fully into account: it uses the Dempster combination rule for fusion and decision-making, and uses the large volume of operation data already in the database to construct the clustering interval model and the identification frame, so that real-time operation data can be fused as it arrives and the judgment of network anomalies in real time is accelerated.
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the invention and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; there is neither need nor possibility to exhaust all embodiments here. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention falls within the protection scope of its claims.
Claims (10)
1. A method for detecting network abnormality of a power communication network based on a D-S evidence theory is characterized by comprising the following steps:
step one: selecting the features that influence network anomalies from network connection state data collected from the power communication network, and performing data preprocessing;
step two: determining the basic probability assignment in the identification frame of D-S evidence theory based on a K-means clustering method;
step three: determining the identification frame by using an expert system;
step four: performing fusion and decision-making using the combination rule of D-S evidence theory.
2. The method for detecting the network abnormality of the electric power communication network based on the D-S evidence theory as claimed in claim 1, wherein in the step one, network key information data with a fixed time length is selected from original records of network key information collected in the electric power communication network; and cleaning the selected key information data, and removing the data records containing the missing values.
3. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 2, wherein the key information data includes three pieces of information, which are flow information, operation information and alarm information of network protection equipment.
4. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory is characterized in that the traffic information comprises the traffic inflow size of each network node and the network traffic outflow size.
5. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory is characterized in that the operation information comprises the total number of the services operated on each host, the average access amount and the access frequency of each service operated on each host.
6. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 3, wherein the alarm information of the network protection device includes an alarm identifier, an attack frequency, a source address, a destination address, a source port and a destination port.
7. The method for detecting the abnormality of the power communication network based on the D-S evidence theory as claimed in claim 2, wherein in the second step, the calculation process of the clustering intervals and the clustering feature similarity comprises:
S1: based on the K-means algorithm, the basic model of a clustering feature interval is [c, r], where c is the cluster center and r is the cluster radius;
S2: the clustering feature similarity is defined as follows.
Let F1: [c1, r1] and F2: [c2, r2] be two focal elements in the identification frame of D-S evidence theory, with the distance between them being:
where c1 is the first cluster center; c2 is the second cluster center; r1 is the cluster radius of the first cluster center; r2 is the cluster radius of the second cluster center;
S3: the similarity of the two clustering feature interval models is
where λ > 0 is a support coefficient and d(F1, F2) is the distance between the two focal elements.
8. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 7, wherein in the second step, the basic probability distribution is generated as follows:
s2.1: establishing a clustering interval model of sample data attribute values;
s2.2: calculating the distance between the attribute value of the data to be judged and the model interval;
s2.3: calculating the similarity between the attribute value of the data to be identified and the attribute value of the sample data;
s2.4: normalizing the similarity to generate the basic probability assignment.
9. The method for detecting the abnormality of the power communication network based on the D-S evidence theory as claimed in claim 8, wherein in the third step, the identification frame is established according to an expert system; the identification frame is denoted Z = {a1, a2, …, an}, where Z is the identification frame, n is the number of objects in the frame, and each a represents an event type; any two objects in the frame are mutually exclusive.
10. The method for detecting the network abnormality of the power communication network based on the D-S evidence theory as claimed in claim 9, wherein in the fourth step, the D-S evidence theory combination rule is defined as:
where A is a focal element in the identification frame; B is a proposition in the identification frame; m1 and m2 are the basic credibility assignments from two different information sources under the same frame; and K is the conflict coefficient, which reflects the degree of conflict between the pieces of evidence;
and then the network anomaly judgment and the judgment of its type are made according to the probability values obtained after fusion.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911410137.3A CN111193742A (en) | 2019-12-31 | 2019-12-31 | D-S evidence theory-based power communication network anomaly detection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911410137.3A CN111193742A (en) | 2019-12-31 | 2019-12-31 | D-S evidence theory-based power communication network anomaly detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111193742A true CN111193742A (en) | 2020-05-22 |
Family
ID=70709730
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911410137.3A Pending CN111193742A (en) | 2019-12-31 | 2019-12-31 | D-S evidence theory-based power communication network anomaly detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111193742A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101355504A (en) * | 2008-08-14 | 2009-01-28 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for confirming user behavior |
CN101753992A (en) * | 2008-12-17 | 2010-06-23 | 深圳市先进智能技术研究所 | Multi-mode intelligent monitoring system and method |
WO2016166725A1 (en) * | 2015-04-16 | 2016-10-20 | Telefonaktiebolaget Lm Ericsson (Publ) | System and method for sla violation monitoring via multi-level thresholds |
CN107273924A (en) * | 2017-06-06 | 2017-10-20 | 上海电力学院 | The Fault Analysis of Power Plants method of multi-data fusion based on fuzzy cluster analysis |
CN107644267A (en) * | 2017-09-11 | 2018-01-30 | 河南科技大学 | A kind of green house control Decision fusion method based on D S evidence theories |
CN107679558A (en) * | 2017-09-19 | 2018-02-09 | 电子科技大学 | A kind of user trajectory method for measuring similarity based on metric learning |
CN108199795A (en) * | 2017-12-29 | 2018-06-22 | 北京百分点信息科技有限公司 | The monitoring method and device of a kind of equipment state |
CN109193756A (en) * | 2018-09-04 | 2019-01-11 | 华南理工大学 | A kind of scene decoupling dynamic economic dispatch model solution method of wind power integration system |
Non-Patent Citations (1)
Title |
---|
高智勇, 董荣光, 高建民, 王荣喜: "A basic probability assignment generation method using clustering features and its application", Journal of Xi'an Jiaotong University (《西安交通大学学报》) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20200522 |