CN111669373A - Network anomaly detection method and system based on space-time convolutional network and topology perception - Google Patents
Network anomaly detection method and system based on space-time convolutional network and topology perception Download PDFInfo
- Publication number
- CN111669373A CN111669373A CN202010449162.9A CN202010449162A CN111669373A CN 111669373 A CN111669373 A CN 111669373A CN 202010449162 A CN202010449162 A CN 202010449162A CN 111669373 A CN111669373 A CN 111669373A
- Authority
- CN
- China
- Prior art keywords
- network
- detected
- convolution
- graph
- matrix
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 63
- 230000008447 perception Effects 0.000 title claims abstract description 10
- 239000011159 matrix material Substances 0.000 claims abstract description 63
- 238000000034 method Methods 0.000 claims abstract description 36
- 230000002159 abnormal effect Effects 0.000 claims abstract description 29
- 230000015654 memory Effects 0.000 claims description 20
- 238000012549 training Methods 0.000 claims description 16
- 238000004590 computer program Methods 0.000 claims description 11
- 238000013528 artificial neural network Methods 0.000 claims description 9
- 238000000605 extraction Methods 0.000 claims description 7
- 238000004364 calculation method Methods 0.000 claims description 6
- 230000006870 function Effects 0.000 claims description 4
- 208000018910 keratinopathic ichthyosis Diseases 0.000 description 34
- 238000004422 calculation algorithm Methods 0.000 description 12
- 238000010586 diagram Methods 0.000 description 6
- 230000005856 abnormality Effects 0.000 description 5
- 239000000284 extract Substances 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 230000007787 long-term memory Effects 0.000 description 3
- 238000004088 simulation Methods 0.000 description 3
- 230000002123 temporal effect Effects 0.000 description 3
- 239000013598 vector Substances 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000002474 experimental method Methods 0.000 description 2
- 238000005259 measurement Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 238000007476 Maximum Likelihood Methods 0.000 description 1
- 206010033799 Paralysis Diseases 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001364 causal effect Effects 0.000 description 1
- 210000004027 cell Anatomy 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000000052 comparative effect Effects 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 238000013527 convolutional neural network Methods 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 235000012489 doughnuts Nutrition 0.000 description 1
- 238000013551 empirical research Methods 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 210000002364 input neuron Anatomy 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 229940050561 matrix product Drugs 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 210000004205 output neuron Anatomy 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000000306 recurrent effect Effects 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 230000003595 spectral effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000013024 troubleshooting Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/049—Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Molecular Biology (AREA)
- Mathematical Physics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Biomedical Technology (AREA)
- Computational Linguistics (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Computation (AREA)
- Data Mining & Analysis (AREA)
- Biophysics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Health & Medical Sciences (AREA)
- Computer Security & Cryptography (AREA)
- Environmental & Geological Engineering (AREA)
- Computer Hardware Design (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure discloses a network anomaly detection method and system based on a space-time convolutional network and topology perception, and belongs to the technical field of network anomaly detection. The method comprises the following steps: acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected; sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window; inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
Description
Technical Field
The invention relates to the technical field of network anomaly detection, in particular to a network anomaly detection method and system based on a space-time convolutional network and topology perception.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
As the scale of networks increases, the surge in traffic increases the load on network devices, causing network congestion. Therefore, the state of the devices and links is critical to the quality of service (QoS) in the network. Various KPIs (key performance indicators, such as packet traffic, queue delay, memory usage, link delay, etc.) are monitored to detect anomalies and timely troubleshoot faults. However, the most advanced algorithms only consider individual KPIs when detecting anomalies, and ignore the spatial connectivity of the devices in the network.
Due to the limitation of the network device, the sudden increase of the network traffic and the attack of the malicious user can lead to the paralysis of the network device and block the transmission of information. With an accurate global view, a Software Defined Network (SDN) has the ability to detect anomalies and maintain network QoS. As shown in fig. 1, the controller can obtain detailed status of each device and link by periodically collecting KPI data and executing an anomaly detection algorithm. When an anomaly is detected, the controller schedules the data packets by sending a flow table and troubleshooting to maintain normal operation of network transmission. Therefore, the real-time performance and accuracy of the anomaly detection algorithm play a crucial role in maintaining the QoS of the network.
The abnormality detection based on the time series is to detect an abnormal fluctuation in the series, and plays an important role in the conventional network operation and maintenance. The supervision method takes the abnormality detection problem as a classification task and depends on feature engineering. In the unsupervised approach, the prediction-based approach bases the next prediction value on anomaly detection.
However, for these supervision algorithms, different types of KPIs require a lot of human resources, which is time consuming. However, most of the unsupervised anomaly detection algorithms take a long time to model a single KPI, and it is difficult to satisfy the situation that a large number of KPIs in the network topology need to be processed in parallel.
In addition, these anomaly detection algorithms also ignore the spatial dependencies caused by connections between devices in the network topology. For example, when a packet is transmitted over a link, a change in throughput of one device may affect its neighborhood, which may have a large impact on the detection results of graph-based data.
Disclosure of Invention
In order to solve the defects of the prior art, the invention provides a network anomaly detection method and a system based on a space-time convolutional network and topology perception;
in a first aspect, the invention provides a network anomaly detection method based on a space-time convolutional network and topology awareness;
the network anomaly detection method based on the space-time convolutional network and the topology perception comprises the following steps:
acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected;
sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window;
inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
In a second aspect, the invention provides a network anomaly detection system based on a space-time convolutional network and topology awareness;
a network anomaly detection system based on a space-time convolutional network and topology awareness comprises:
an acquisition module configured to: acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected;
a segment extraction module configured to: sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window;
an output module configured to: inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
In a third aspect, the present invention further provides an electronic device, including: one or more processors, one or more memories, and one or more computer programs; wherein a processor is connected to the memory, the one or more computer programs are stored in the memory, and when the electronic device is running, the processor executes the one or more computer programs stored in the memory, so as to make the electronic device execute the method according to the first aspect.
In a fourth aspect, the present invention also provides a computer-readable storage medium for storing computer instructions which, when executed by a processor, perform the method of the first aspect.
In a fifth aspect, the invention also provides a computer program (product) comprising a computer program for implementing the method of any of the preceding first aspects when run on one or more processors.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a graph-based gated convolution anomaly detection network (GAD) to meet the requirement of large-scale KPI parallel detection and consider the equipment connection relation in a topological scene for the first time. In particular, the graph-based gated convolutional anomaly detection network GAD uses one gated convolutional layer to encode the timing in parallel. The spatial correlation between KPIs is obtained using the GCN taking into account the link connection information of the network. Then, one convolutional layer and one linear layer constitute a decoder to reconstruct the input KPI. Finally, the residual between the input KPI and the reconstructed KPI is used to calculate an anomaly score and detect anomalies. The optimal f-value of GAD on the data set collected by the SDN simulation platform was 0.983, indicating that GAD is superior to the existing anomaly detection baseline.
The invention provides a gated convolution anomaly detection network (GAD) based on a graph, which solves the problem of time series data anomaly detection with topological information for the first time. In particular, a gated convolutional encoder is employed for temporal encoding, and a Graph Convolutional Network (GCN) is developed to capture spatial dependencies. Then, based on the characteristics of encoding the time information and the spatial information, the characteristics are decoded by the convolutional layer, and the input sequence is reconstructed. The residual between the input sequence and the reconstructed sequence is used to further detect anomalies.
The invention combines all KPI sequences in the network to be detected into a multidimensional matrix. Different from the traditional feature extraction method based on single KPI, the method realizes the parallel extraction of time dimension features through a gated convolution network. The invention firstly provides a GCN-based time series anomaly detection method, which can extract detailed node state information by extracting spatial features among nodes in consideration of interaction among nodes in a network topology structure.
The invention utilizes the SDN simulation platform to perform empirical research on the data set. The results of the present invention indicate that GAD is superior to the existing baseline for anomaly detection. And calculating the difference between the reconstructed data and the original data as an abnormal score based on a reconstruction method, and selecting an optimal threshold value to detect the abnormal score. The convolution operation can extract the characteristics of the multidimensional data, so the invention adopts the gated convection network to capture the long-term memory on the time dimension in parallel. The present invention uses a graph-convolution neural network (GCN) to extract the spatial correlation of KPIs in a network topology.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the invention and together with the description serve to explain the invention and not to limit the invention.
Figure 1 is an SDN based anomaly detection framework;
FIG. 2 is a schematic view of a GAD model according to a first embodiment;
FIG. 3 is a schematic diagram of time-series anomaly detection based on network topology according to the first embodiment
FIG. 4 is a schematic structural diagram of a gated convolutional layer of the first embodiment;
FIG. 5 is a diagram illustrating a spatiotemporal feature extraction process according to a first embodiment;
fig. 6(a) -6 (f) are schematic diagrams of a case study of anomaly detection of the first embodiment;
FIGS. 7(a) and 7(b) are schematic diagrams of the performance of the model variant of the first embodiment;
fig. 8 is a diagram illustrating measurement of GAD using different sliding window lengths according to the first embodiment.
Detailed Description
It is to be understood that the following detailed description is exemplary and is intended to provide further explanation of the invention as claimed. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
Example one
The embodiment provides a network anomaly detection method based on a space-time convolutional network and topology perception;
as shown in fig. 1, the method for detecting network anomaly based on spatio-temporal convolutional network and topology awareness includes:
s101: acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected;
s102: sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window;
s103: inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
As one or more embodiments, in S101, acquiring a device topology connection relationship of a to-be-detected network, and constructing an adjacency matrix of a to-be-detected network device; the method comprises the following specific steps:
the method comprises the steps of obtaining the topological connection relation of equipment of a network to be detected, constructing a graph structure according to the topological connection relation of the equipment, and obtaining an adjacent matrix of the network equipment to be detected according to the graph structure.
As one or more embodiments, a graph structure is constructed according to the topological connection relation of the equipment, and an adjacency matrix of the network equipment to be detected is obtained according to the graph structure; the method comprises the following specific steps:
constructing a network to be detected into a graph structure, wherein equipment in the network to be detected is regarded as nodes in the graph structure, and the connection relation between the equipment in the network to be detected is regarded as a connecting line between the nodes in the graph structure; and constructing the adjacency matrix of the network equipment to be detected according to the connection relation between the nodes in the graph structure.
As one or more embodiments, in S101, the obtaining a time sequence of a network performance matrix to be detected specifically includes:
acquiring a plurality of performance parameters of each device at each moment in a network to be detected, and constructing a corresponding network performance matrix to be detected according to all the performance parameters of all the devices at the same moment; and further obtaining the time sequence of the network performance matrix to be detected.
Or, in S101, the acquiring a time sequence of the network performance matrix to be detected specifically includes:
acquiring a plurality of performance parameters of each device at each moment in a network to be detected, performing regularization on all the performance parameters, and constructing a corresponding network performance matrix to be detected according to all the performance parameters of all the devices at the same moment after regularization; and further obtaining the time sequence of the network performance matrix to be detected.
Illustratively, the plurality of performance indicators includes one or more of the following: packet traffic, queue delay, memory usage, link delay, etc.
As one or more embodiments, in S103, the adjacency matrix of the network device to be detected and each extracted time sequence segment are used as input sequences, and are input into a pre-trained graph-based gated convolution anomaly detection network; outputting whether the network to be detected is abnormal or not; the method comprises the following specific steps:
inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into an encoder, and extracting space-time characteristics; inputting the space-time characteristics into a decoder for reconstruction, and reconstructing a new input sequence; the space-time characteristics refer to time characteristics and space characteristics;
and carrying out error calculation on the reconstructed new input sequence and the input sequence in the encoder, calculating an abnormal score through Gaussian distribution estimation, and outputting whether the network to be detected is abnormal or not according to an abnormal score value.
As one or more embodiments, in S103, the gated convolution anomaly detection network based on a graph has a specific structure that includes:
the encoder, the decoder and the error calculation module are connected in sequence;
the encoder, comprising: a plurality of time-space convolution modules connected in series, wherein each time-space convolution module comprises a Gated convolution neural Network (Gated-Conv for short) and a Graph convolution Network (GCN for short) connected in series; the gate-controlled convolution neural network is the input end of the encoder, and the graph convolution network is the output end of the encoder;
the decoder, comprising: a convolutional layer and a full link layer connected in series; the input end of the convolution layer is connected with the output end of the encoder, the output end of the convolution layer is connected with the output end of the full-connection layer, and the output end of the full-connection layer is connected with the error calculation module.
As one or more embodiments, in S103, a graph-based gated convolution anomaly detection network trained in advance; the specific training steps include:
constructing a gating convolution abnormal detection network based on a graph;
constructing a training set, wherein the training set is a time sequence of a network performance matrix of a known normal performance label and a network equipment adjacency matrix;
and inputting the training set into a graph-based gated convolution anomaly detection network, training, and stopping training when the loss function reaches a minimum value to obtain the trained graph-based gated convolution anomaly detection network.
As shown in fig. 2, the present invention first normalizes KPI data and then extracts time series segments through a sliding window. And obtaining the time and space characteristics after coding through a gating convolution neural network and a graph convolution network GCN two-layer neural network. The KPI data is then reconstructed using a convolution-based network. Finally, a reconstruction error is calculated to detect anomalies. In general, the present invention trains a model using normal KPIs, so when the anomaly score in a test dataset is greater than some threshold, the point can be considered anomalous.
The time series abnormity detection based on the network topology structure is to detect whether the node has abnormity through the connection relation between KPIs and the nodes under the condition of a set time step. As shown in fig. 3, each node has a KPI curve reflecting its state. The present invention defines a topology-based KPI as an unweighted graph G ═ (V, E), and treats each individual KPI as a node, where V is a set of network KPI nodes and V ═ V-1,v2,...,vNAnd N is the number of nodes in the network. E is a set of edges representing associations between KPIs.
Let X (t) be [ x ]1(t),x2(t),...,xn(t)]When represents tAt all KPIs in the network, KPI abnormal detection based on network topology is defined as X (t) with given length l1),X(t2),...,X(tl) Reconstructed to obtain a time series X' (t)1),X′(t2),...,X′(tl). By xi(tj) And xi′(tj) Indicates whether the node i is abnormal at time j.
The recurrent neural network has the characteristic of capturing long-term dependence items, and can be widely applied to the field of time series abnormality detection. When a topological environment is involved, the RNN may be faced with time-consuming operations, requiring separate training of time series for each index. However, gated convolutional networks allow parallel encoding of each time series and capture of long term memory based on gating cells.
The gated convolutional layer has a structure similar to that of the convolutional layer, except that a gating mechanism is added in the convolution operation, as shown in FIG. 4, the gated convolutional network consists of one causal convolutional layer and another convolutional layer processed by a sigmod activation function, for each node of graph G, the KPI series of length L form the input X ∈ Rn×m×LThus, the gated convolution is:
h(X)=(X*W+b)⊙σ(X*V+c); (1)
where m is a feature size, n is the number of KPI nodes in G, l is the length of an input sequence, σ denotes a sigmoid function, which indicates a Hadamard product, W is a weight coefficient, and b and c are offset coefficients. Based on the door mechanism, the model can be trained to select the information that is passed to the next layer, which means that the nonlinear door mechanism can capture long-term memory by superposition.
The connection relationships between the network devices constitute a graph structure. CNN can capture spatial features but is not applicable to non-euclidean spaces such as topology-based data. Thus, as shown in FIG. 5, the present invention uses a Graph Convolution Network (GCN) that is capable of mining relationships between nodes in a spatial dimension based on spectrogram theory.
The spatial signature of graph G can be obtained by a laplacian matrix, defined as L ═ D-a. Where A is the adjacency matrix and D is the diagonal matrix, where the diagonal elements represent the node degree.The spectral decomposition of the Laplace operator matrix is L-U Λ UT,Λ=diag([λ1,λ2,...,λn]) Is a diagonal matrix composed of n eigenvalues, U ═ U1,u2,...,un) Is a unit formed by the characteristic vectors of the matrix.
Let f be an N-dimensional vector on the graph, then the Fourier transform of the graph is represented as
Its fourier inverse transform:
according to the convolution theorem, a convolution kernel h is given, and the convolution formula of the graph is as follows:
wherein |, indicates a hadamard product,
using diag (theta)l) Substitution
Then f h u gθ(Λ)UTx, wherein gθ(Λ)=diag(θ1,θ2,...,θn) Representing the kernel. However, the matrix product of U, diag (θ)1) And UTLeading to high computational costs for large-scale graph data.
The Chebyshev polynomial is used to recursively compute the convolution kernel, which is then used
β thereinkIs cutThe coefficients of the bixef polynomial,
according to the nature of the chebyshev polynomial, the recursion formula is as follows:
wherein
Then the time complexity is from O (n)2) Reducing to linear time. The expansion of the chebyshev polynomial corresponds to a convolution operation from 0 to the (K-1) th order neighbor centered on each node. Thereafter, each node is updated by the values of its 0-K-1 neighbors.
After the space-time features are encoded, KPI sequence data is reconstructed using a decoder model consisting of a gated convolutional layer and a linear layer. Defining the reconstruction error at time t as e ═ xt-x′tL, where xtTo input KPI data, x'tTo reconstruct KPI data.
The invention divides the normal KPI into two sets: training set SNVerification 1 set VN1Abnormal KPIs are also divided into two sets: verification set 2VN2Test set TN. With SNAfter training the model, use set VN1The calculated error vector is used by maximum likelihood estimation methods to estimate the μ and ∑ parameters of the normal distribution N (μ, ∑) for each node in a graph
scorei=(ei-μ)T∑(ei-μ) (4)
If scorei,tObserve x at time t node ii,tConsidered abnormal, otherwise normal. When a sufficient score is reached, pass VN2Learning the threshold for each device maximizes F1-2P R/(P + R), where P denotes accuracy and R denotes recall.
First, data and performance indexes used in experiments are introduced, and then the performance of the model is proved through experiments.
The invention builds an SDN simulation platform comprising 200 switches and 660 links. The invention then installs the REST full API associated with the KPI set on the controller via the northbound interface. The SDN controller is then configured to periodically collect KPI sequence data from the network topology. The detailed statistics and settings of the inventive data set are shown in table 1.
For each time point, when the reconstruction error is greater than the minimum value, the time point is considered abnormal. And (4) regarding the abnormal detection problem as a classification problem, and evaluating models with different thresholds by adopting precision and recall degree. The invention further uses F1-score, which weights the accuracy and recall at certain thresholds, and the region under the PR curve (AUCPR) that describes the overall performance of the model at all thresholds. Since different thresholds affect accuracy and recall, the best F1-score and AUCPR were chosen by the present invention as the primary metrics to describe the model of the present invention.
Table 1: detailed statistics and setup of data sets
| Time series | Edge | Dot | Abnormality (S) | General window | Exception window |
| 200 | 660 | 35000 | 51 | 34982 | 69 |
The present invention measures accuracy, recall, F1-best, and AUCPR vs. GAD and the following algorithms. The self-encoder is a multi-layer copy neural network, which has the same number of input neurons and output neurons, and the number of intermediate nodes in the model is relatively small, so that the low-latitude characteristics of the time series can be compressed and reconstructed. EncDec-AD trains the model using LSTM as an encoder and decoder. And taking the final hidden state value of the encoder as the initial hidden state of the decoder, and reversely reconstructing the time sequence. On the basis of VAE, an anomaly detection scene is improved, missing value injection and MCMC homing are added, and KED in z space is reasonably explained. The DAGMM first acquires low-dimensional information using a depth encoder, reconstructing errors of the input data. After splicing, the probability distribution was calculated using a gaussian mixture model. Joint training of the hybrid model with the self-encoder makes it easier to separate the local optima. The LSTM-NDT uses an LSTM-based prediction model in combination with a thermally encoded command message for anomaly detection. Since the data set of the present invention does not contain control information, the present invention trains the model using only time series.
Table 2: result of abnormality detection
| Method of producing a composite material | Accuracy of measurement | Recall from scratch | F1-best | AUCPR |
| Auto-Encoder | 0.2881 | 0.6365 | 0.3522 | 0.2675 |
| Donut | 0.9991 | 0.9517 | 0.9709 | 0.9548 |
| EncDec-AD | 0.9957 | 0.9057 | 0.9413 | 0.9219 |
| LSTM-NDT | 0.9999 | 0.9147 | 0.9488 | 0.9207 |
| DAGMM | 0.7340 | 0.8587 | 0.7232 | 0.6992 |
| GAD | 0.9791 | 0.9887 | 0.9835 | 0.9925 |
Table 2 shows the results of comparison of F1-best and AUCPR for all algorithms. Algorithm GAD has an F-value of 0.9835 and an AUCPR value of 0.9925, generally superior to the other comparative algorithms. This means that modeling in combination with temporal and spatial information can better understand the abnormal sequence features.
To elaborate the comparison results, fig. 6(a) -6 (f) present case studies of GAD and other baseline algorithms. The bar gray box label indicates anomaly, the dotted line indicates optimal threshold, and the curve indicates anomaly score at different time points. When the score is above the threshold, it indicates that an anomaly is detected. According to the invention, the GAD abnormal point has a significant difference from the normal value in the score, all parts of the first abnormal point are successfully detected, and the other baselines can hardly detect the fragments of the first abnormal point and contain a plurality of false positives and false negatives.
In addition to comparison to the baseline described above, the present invention also contemplates three variants of CAD to analyze the effectiveness of temporal gating mechanisms and spatial feature extraction modules.
(1)GADConv2Is a CAD without a map convolutional layer.
(2)
Is a GAD with only one gated convolution and GCN layer.
(3)GADConv1Is the GAD with only one gated convolutional encoder layer.
As can be seen from fig. 7(a) -7 (b), the performance of GAD improves as the number of layers of the gated convolution increases. Among them, GAD is superior to
GADConv2Has better performance than GADConv1The deep-gated convolutional layer is shown to retain the hierarchical features in the time dimension. GAD is also observed in the present inventionConv2Than GADWorse, this indicates that the GCN can extract spatial dependencies between nodes to improve anomaly detection performance.
The length of the input time series L plays an important role in the reconstruction. Shorter sequence lengths do not reflect the characteristic information of the main sequence, while longer sequences lack sensitivity over large time spans, increasing reconstruction difficulty. Fig. 8 shows the variation of the anomaly detection result with the length l of the input sequence, because F1-best and AUCPR can take the performance of the model into account, ignoring small-scale fluctuations in accuracy and recall. It can be seen that the model performs best when the sequence length L is 19.
Example two
The embodiment provides a network anomaly detection system based on a space-time convolutional network and topology perception;
a network anomaly detection system based on a space-time convolutional network and topology awareness comprises:
an acquisition module configured to: acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected;
a segment extraction module configured to: sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window;
an output module configured to: inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
It should be noted here that the above-mentioned obtaining module, the segment extracting module and the output module correspond to steps S101 to S103 in the first embodiment, and the above-mentioned modules are the same as the examples and application scenarios realized by the corresponding steps, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of a system may be implemented in a computer system such as a set of computer-executable instructions.
In the foregoing embodiments, the descriptions of the embodiments have different emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The proposed system can be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the above-described modules is merely a logical functional division, and in actual implementation, there may be other divisions, for example, multiple modules may be combined or integrated into another system, or some features may be omitted, or not executed.
EXAMPLE III
The present embodiment also provides an electronic device, including: one or more processors, one or more memories, and one or more computer programs; wherein, a processor is connected with the memory, the one or more computer programs are stored in the memory, and when the electronic device runs, the processor executes the one or more computer programs stored in the memory, so as to make the electronic device execute the method according to the first embodiment.
It should be understood that in this embodiment, the processor may be a central processing unit CPU, and the processor may also be other general purpose processors, digital signal processors DSP, application specific integrated circuits ASIC, off-the-shelf programmable gate arrays FPGA or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and so on. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may include both read-only memory and random access memory, and may provide instructions and data to the processor, and a portion of the memory may also include non-volatile random access memory. For example, the memory may also store device type information.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software.
The method in the first embodiment may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in the processor. The software modules may be located in ram, flash, rom, prom, or eprom, registers, among other storage media as is well known in the art. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor. To avoid repetition, it is not described in detail here.
Those of ordinary skill in the art will appreciate that the various illustrative elements, i.e., algorithm steps, described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Example four
The present embodiments also provide a computer-readable storage medium for storing computer instructions, which when executed by a processor, perform the method of the first embodiment.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. The network anomaly detection method based on the space-time convolutional network and the topology perception comprises the following steps:
acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected;
sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window;
inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
2. The method according to claim 1, characterized in that, the device topology connection relation of the network to be detected is obtained, and the adjacency matrix of the network device to be detected is constructed; the method comprises the following specific steps:
the method comprises the steps of obtaining the topological connection relation of equipment of a network to be detected, constructing a graph structure according to the topological connection relation of the equipment, and obtaining an adjacent matrix of the network equipment to be detected according to the graph structure.
3. The method as claimed in claim 2, wherein a graph structure is constructed according to the device topology connection relationship, and the network device adjacency matrix to be detected is obtained according to the graph structure; the method comprises the following specific steps:
constructing a network to be detected into a graph structure, wherein equipment in the network to be detected is regarded as nodes in the graph structure, and the connection relation between the equipment in the network to be detected is regarded as a connecting line between the nodes in the graph structure; and constructing the adjacency matrix of the network equipment to be detected according to the connection relation between the nodes in the graph structure.
4. The method as claimed in claim 1, wherein the step of obtaining the time sequence of the network performance matrix to be detected comprises:
acquiring a plurality of performance parameters of each device at each moment in a network to be detected, and constructing a corresponding network performance matrix to be detected according to all the performance parameters of all the devices at the same moment; further obtaining a time sequence of the network performance matrix to be detected;
alternatively, the first and second electrodes may be,
the method for acquiring the time sequence of the network performance matrix to be detected specifically comprises the following steps:
acquiring a plurality of performance parameters of each device at each moment in a network to be detected, performing regularization on all the performance parameters, and constructing a corresponding network performance matrix to be detected according to all the performance parameters of all the devices at the same moment after regularization; and further obtaining the time sequence of the network performance matrix to be detected.
5. The method as claimed in claim 1, wherein the network equipment adjacency matrix to be detected and each extracted time sequence segment are used as input sequences and input into a pre-trained graph-based gated convolution anomaly detection network; outputting whether the network to be detected is abnormal or not; the method comprises the following specific steps:
inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into an encoder, and extracting space-time characteristics; inputting the space-time characteristics into a decoder for reconstruction, and reconstructing a new input sequence; the space-time characteristics refer to time characteristics and space characteristics;
and carrying out error calculation on the reconstructed new input sequence and the input sequence in the encoder, calculating an abnormal score through Gaussian distribution estimation, and outputting whether the network to be detected is abnormal or not according to an abnormal score value.
6. The method of claim 1, wherein the graph-based gated convolution anomaly detection network is structured as follows:
the encoder, the decoder and the error calculation module are connected in sequence;
the encoder, comprising: the system comprises a plurality of time-space convolution modules which are connected in series, wherein each time-space convolution module comprises a gate control convolution neural network and a graph convolution network which are connected in series; the gate-controlled convolution neural network is the input end of the encoder, and the graph convolution network is the output end of the encoder;
the decoder, comprising: a convolutional layer and a full link layer connected in series; the input end of the convolution layer is connected with the output end of the encoder, the output end of the convolution layer is connected with the output end of the full-connection layer, and the output end of the full-connection layer is connected with the error calculation module.
7. The method of claim 1, wherein a pre-trained graph-based gated convolution anomaly detection network; the specific training steps include:
constructing a gating convolution abnormal detection network based on a graph;
constructing a training set, wherein the training set is a time sequence of a network performance matrix of a known normal performance label and a network equipment adjacency matrix;
and inputting the training set into a graph-based gated convolution anomaly detection network, training, and stopping training when the loss function reaches a minimum value to obtain the trained graph-based gated convolution anomaly detection network.
8. A network anomaly detection system based on a space-time convolutional network and topology perception is characterized by comprising:
an acquisition module configured to: acquiring a device topological connection relation of a network to be detected, and constructing an adjacency matrix of the network device to be detected; acquiring a time sequence of a network performance matrix to be detected;
a segment extraction module configured to: sliding on the time sequence of the network performance matrix to be detected by using a sliding window; extracting time sequence segments in the sliding window through the sliding of the sliding window;
an output module configured to: inputting the adjacency matrix of the network equipment to be detected and each extracted time sequence segment as an input sequence into a pre-trained gate-controlled convolution anomaly detection network based on a graph; and outputting whether the network to be detected is abnormal or not.
9. An electronic device, comprising: one or more processors, one or more memories, and one or more computer programs; wherein a processor is connected to the memory, the one or more computer programs being stored in the memory, the processor executing the one or more computer programs stored in the memory when the electronic device is running, to cause the electronic device to perform the method of any of the preceding claims 1-7.
10. A computer-readable storage medium storing computer instructions which, when executed by a processor, perform the method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010449162.9A CN111669373B (en) | 2020-05-25 | 2020-05-25 | Network anomaly detection method and system based on space-time convolutional network and topology perception |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010449162.9A CN111669373B (en) | 2020-05-25 | 2020-05-25 | Network anomaly detection method and system based on space-time convolutional network and topology perception |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111669373A true CN111669373A (en) | 2020-09-15 |
| CN111669373B CN111669373B (en) | 2022-04-01 |
Family
ID=72384525
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010449162.9A Expired - Fee Related CN111669373B (en) | 2020-05-25 | 2020-05-25 | Network anomaly detection method and system based on space-time convolutional network and topology perception |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111669373B (en) |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112071065A (en) * | 2020-09-16 | 2020-12-11 | 山东理工大学 | Traffic flow prediction method based on global diffusion convolution residual error network |
| CN112131274A (en) * | 2020-09-22 | 2020-12-25 | 平安科技(深圳)有限公司 | Method, device and equipment for detecting time series abnormal points and readable storage medium |
| CN112383516A (en) * | 2020-10-29 | 2021-02-19 | 博雅正链(北京)科技有限公司 | Graph neural network construction method and abnormal flow detection method based on graph neural network |
| CN112766551A (en) * | 2021-01-08 | 2021-05-07 | 鹏城实验室 | Traffic prediction method, intelligent terminal and computer readable storage medium |
| CN112953729A (en) * | 2021-03-16 | 2021-06-11 | 讯翱(上海)科技有限公司 | Digital certificate authentication method based on image recognition |
| CN113079168A (en) * | 2021-04-13 | 2021-07-06 | 网络通信与安全紫金山实验室 | Network anomaly detection method and device and storage medium |
| CN113127705A (en) * | 2021-04-02 | 2021-07-16 | 西华大学 | Heterogeneous bidirectional generation countermeasure network model and time sequence anomaly detection method |
| CN113158543A (en) * | 2021-02-02 | 2021-07-23 | 浙江工商大学 | Intelligent prediction method for software defined network performance |
| CN113409413A (en) * | 2021-06-03 | 2021-09-17 | 东南数字经济发展研究院 | Time sequence image reconstruction method based on gated convolution-long and short memory network |
| CN113535823A (en) * | 2021-07-26 | 2021-10-22 | 北京天融信网络安全技术有限公司 | Abnormal access behavior detection method and device and electronic equipment |
| CN113590654A (en) * | 2021-06-22 | 2021-11-02 | 中国人民解放军国防科技大学 | Spacecraft attitude system anomaly detection method and device based on space-time mode network |
| CN113671917A (en) * | 2021-08-19 | 2021-11-19 | 中国科学院自动化研究所 | Detection method, system and equipment for abnormal state of multi-modal industrial process |
| CN114139648A (en) * | 2021-12-07 | 2022-03-04 | 北京科技大学 | Intelligent detection method and system for abnormity of tailing filling pipeline |
| CN114692767A (en) * | 2022-03-31 | 2022-07-01 | 中国电信股份有限公司 | Abnormality detection method and apparatus, computer-readable storage medium, and electronic device |
| CN114866438A (en) * | 2022-04-19 | 2022-08-05 | 湖南宝马文化传播有限公司 | Abnormal hidden danger prediction method and system under cloud architecture |
| CN115018073A (en) * | 2022-08-09 | 2022-09-06 | 之江实验室 | Time-space perception information prediction method and system based on graph neural network |
| CN115098566A (en) * | 2022-08-18 | 2022-09-23 | 创思(广州)电子科技有限公司 | Information system for improving convolutional neural network model |
| CN116760583A (en) * | 2023-06-02 | 2023-09-15 | 四川大学 | Enhanced graph node behavior characterization and abnormal graph node detection method |
| CN117879907A (en) * | 2023-12-26 | 2024-04-12 | 中国人民解放军61660部队 | Network environment anomaly detection method based on graph convolution behavior feature extraction |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107423814A (en) * | 2017-07-31 | 2017-12-01 | 南昌航空大学 | A kind of method that dynamic network model is established using depth convolutional neural networks |
| CN109743286A (en) * | 2018-11-29 | 2019-05-10 | 武汉极意网络科技有限公司 | A kind of IP type mark method and apparatus based on figure convolutional neural networks |
| CN109885734A (en) * | 2019-02-13 | 2019-06-14 | 北京航空航天大学 | A kind of abnormal subgraph discovery method based on deep learning |
| CN110213788A (en) * | 2019-06-15 | 2019-09-06 | 福州大学 | WSN abnormality detection and kind identification method based on data flow space-time characteristic |
| CN110430224A (en) * | 2019-09-12 | 2019-11-08 | 贵州电网有限责任公司 | A kind of communication network anomaly detection method based on random block models |
-
2020
- 2020-05-25 CN CN202010449162.9A patent/CN111669373B/en not_active Expired - Fee Related
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107423814A (en) * | 2017-07-31 | 2017-12-01 | 南昌航空大学 | A kind of method that dynamic network model is established using depth convolutional neural networks |
| CN109743286A (en) * | 2018-11-29 | 2019-05-10 | 武汉极意网络科技有限公司 | A kind of IP type mark method and apparatus based on figure convolutional neural networks |
| CN109885734A (en) * | 2019-02-13 | 2019-06-14 | 北京航空航天大学 | A kind of abnormal subgraph discovery method based on deep learning |
| CN110213788A (en) * | 2019-06-15 | 2019-09-06 | 福州大学 | WSN abnormality detection and kind identification method based on data flow space-time characteristic |
| CN110430224A (en) * | 2019-09-12 | 2019-11-08 | 贵州电网有限责任公司 | A kind of communication network anomaly detection method based on random block models |
Cited By (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112071065A (en) * | 2020-09-16 | 2020-12-11 | 山东理工大学 | Traffic flow prediction method based on global diffusion convolution residual error network |
| CN112131274A (en) * | 2020-09-22 | 2020-12-25 | 平安科技(深圳)有限公司 | Method, device and equipment for detecting time series abnormal points and readable storage medium |
| CN112131274B (en) * | 2020-09-22 | 2024-01-19 | 平安科技(深圳)有限公司 | Method, device, equipment and readable storage medium for detecting abnormal points of time sequence |
| CN112383516A (en) * | 2020-10-29 | 2021-02-19 | 博雅正链(北京)科技有限公司 | Graph neural network construction method and abnormal flow detection method based on graph neural network |
| CN112766551A (en) * | 2021-01-08 | 2021-05-07 | 鹏城实验室 | Traffic prediction method, intelligent terminal and computer readable storage medium |
| CN113158543B (en) * | 2021-02-02 | 2023-10-24 | 浙江工商大学 | Intelligent prediction method for software defined network performance |
| CN113158543A (en) * | 2021-02-02 | 2021-07-23 | 浙江工商大学 | Intelligent prediction method for software defined network performance |
| CN112953729A (en) * | 2021-03-16 | 2021-06-11 | 讯翱(上海)科技有限公司 | Digital certificate authentication method based on image recognition |
| CN113127705B (en) * | 2021-04-02 | 2022-08-05 | 西华大学 | Heterogeneous bidirectional generation countermeasure network model and time sequence anomaly detection method |
| CN113127705A (en) * | 2021-04-02 | 2021-07-16 | 西华大学 | Heterogeneous bidirectional generation countermeasure network model and time sequence anomaly detection method |
| CN113079168A (en) * | 2021-04-13 | 2021-07-06 | 网络通信与安全紫金山实验室 | Network anomaly detection method and device and storage medium |
| CN113079168B (en) * | 2021-04-13 | 2023-02-21 | 网络通信与安全紫金山实验室 | Network anomaly detection method and device and storage medium |
| CN113409413B (en) * | 2021-06-03 | 2024-04-19 | 东南数字经济发展研究院 | Time sequence image reconstruction method based on gating convolution-long and short memory network |
| CN113409413A (en) * | 2021-06-03 | 2021-09-17 | 东南数字经济发展研究院 | Time sequence image reconstruction method based on gated convolution-long and short memory network |
| CN113590654A (en) * | 2021-06-22 | 2021-11-02 | 中国人民解放军国防科技大学 | Spacecraft attitude system anomaly detection method and device based on space-time mode network |
| CN113535823A (en) * | 2021-07-26 | 2021-10-22 | 北京天融信网络安全技术有限公司 | Abnormal access behavior detection method and device and electronic equipment |
| CN113535823B (en) * | 2021-07-26 | 2023-11-10 | 北京天融信网络安全技术有限公司 | Abnormal access behavior detection method and device and electronic equipment |
| CN113671917B (en) * | 2021-08-19 | 2022-08-02 | 中国科学院自动化研究所 | Detection method, system and equipment for abnormal state of multi-modal industrial process |
| CN113671917A (en) * | 2021-08-19 | 2021-11-19 | 中国科学院自动化研究所 | Detection method, system and equipment for abnormal state of multi-modal industrial process |
| CN114139648A (en) * | 2021-12-07 | 2022-03-04 | 北京科技大学 | Intelligent detection method and system for abnormity of tailing filling pipeline |
| CN114692767B (en) * | 2022-03-31 | 2024-01-19 | 中国电信股份有限公司 | Abnormality detection method and apparatus, computer-readable storage medium, and electronic device |
| CN114692767A (en) * | 2022-03-31 | 2022-07-01 | 中国电信股份有限公司 | Abnormality detection method and apparatus, computer-readable storage medium, and electronic device |
| CN114866438A (en) * | 2022-04-19 | 2022-08-05 | 湖南宝马文化传播有限公司 | Abnormal hidden danger prediction method and system under cloud architecture |
| CN115018073A (en) * | 2022-08-09 | 2022-09-06 | 之江实验室 | Time-space perception information prediction method and system based on graph neural network |
| CN115098566A (en) * | 2022-08-18 | 2022-09-23 | 创思(广州)电子科技有限公司 | Information system for improving convolutional neural network model |
| CN116760583A (en) * | 2023-06-02 | 2023-09-15 | 四川大学 | Enhanced graph node behavior characterization and abnormal graph node detection method |
| CN116760583B (en) * | 2023-06-02 | 2024-02-13 | 四川大学 | Enhanced graph node behavior characterization and abnormal graph node detection method |
| CN117879907A (en) * | 2023-12-26 | 2024-04-12 | 中国人民解放军61660部队 | Network environment anomaly detection method based on graph convolution behavior feature extraction |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111669373B (en) | 2022-04-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111669373B (en) | Network anomaly detection method and system based on space-time convolutional network and topology perception | |
| Xu et al. | Digital twin-based anomaly detection in cyber-physical systems | |
| US10552727B2 (en) | Methods and systems for data traffic analysis | |
| Wang et al. | A compound framework for wind speed forecasting based on comprehensive feature selection, quantile regression incorporated into convolutional simplified long short-term memory network and residual error correction | |
| Velasco-Gallego et al. | RADIS: A real-time anomaly detection intelligent system for fault diagnosis of marine machinery | |
| Fu et al. | Spatiotemporal attention networks for wind power forecasting | |
| WO2024039421A1 (en) | Interdependent causal networks for root cause localization | |
| CN110851654A (en) | Industrial equipment fault detection and classification method based on tensor data dimension reduction | |
| CN112116078A (en) | Information security baseline learning method based on artificial intelligence | |
| CN113808396A (en) | Traffic speed prediction method and system based on traffic flow data fusion | |
| CN116311880A (en) | Traffic flow prediction method and equipment based on local-global space-time feature fusion | |
| Wang et al. | Hankel-structured tensor robust PCA for multivariate traffic time series anomaly detection | |
| CN114419507A (en) | Internet factory operation diagnosis method and system based on federal learning | |
| Huang et al. | Robust spatial temporal imputation based on spatio-temporal generative adversarial nets | |
| Li et al. | HRGCN: Heterogeneous Graph-level Anomaly Detection with Hierarchical Relation-augmented Graph Neural Networks | |
| CN115964621B (en) | Regional road network tail gas emission data complement method | |
| CN117131452A (en) | Abnormality detection method and system based on normalized flow and Bayesian network | |
| CN113541986A (en) | Fault prediction method and device for 5G slice and computing equipment | |
| Wei et al. | Intrusive detection systems design based on BP neural network | |
| CN110839253A (en) | Method for determining wireless grid network flow | |
| CN115658546A (en) | Software fault prediction method and system based on heterogeneous information network | |
| Lin et al. | A novel spatial-temporal regularized tensor completion algorithm for traffic data imputation | |
| Bi et al. | Integrated spatio-temporal prediction for water quality with graph attention network and WaveNet | |
| Qian et al. | Cellular fault prediction of graphical representation based on spatio-temporal graph convolutional networks | |
| Lin et al. | A semi-supervised approach for abnormal event prediction on large operational network time-series data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20220401 |