CN111786935B - Service flow abnormity detection method for optical cable fiber core remote intelligent scheduling exchange - Google Patents

Abstract

The invention belongs to the network anomaly detection of an optical fiber communication access network, and particularly relates to a service flow anomaly detection method for optical fiber core remote intelligent scheduling exchange. Including giving network traffic

And the number of the public factors k, and constructing a random matrix Y; normalizing the original data to obtain a normalized data matrix R (R ═ cov (Y)), obtaining an eigenvalue and an eigenvector of the matrix R, calculating variance and accumulated variance contribution rate, and determining a common factor Y in network flow_cAnd special factor Y in network traffic_s(ii) a After the public factor is solved, the factor is rotated to obtain a main factor meeting proper rotation; establishing a factor analysis model, and evaluating the state of each sample in the whole model; obtaining the score of each factor to obtain the flow

Middle common factor

Another time series with a particular factor of the network traffic

Obtaining another time series

Set of characteristic functions of (a): extracting characteristics; and (5) filtering the characteristics, finding out the abnormal flow part and storing the result. The method and the device are used for detecting the abnormal components in the network service flow, and have higher accuracy and timeliness.

Description

Service flow abnormity detection method for optical cable fiber core remote intelligent scheduling exchange

Technical Field

The invention belongs to the network anomaly detection of an optical fiber communication access network, in particular to a service flow anomaly detection method for optical fiber core remote intelligent scheduling exchange, and particularly relates to an anomaly detection method for network service flow.

Background

With the rapid development of new generation network technologies, network applications in the optical fiber communication access network present new types of traffic and cause rapid growth of network traffic, and it follows that new traffic flow in the optical fiber communication access network is abnormal. Traffic anomalies in fiber optic communications affect network performance and user quality of experience. How to effectively detect and find anomalies in network traffic has become a major challenge. More importantly, an anomaly in traffic flow implies an abnormal operation of the user or network device. If abnormal traffic is detected, the operator can effectively implement active defense of the network. Therefore, the detection of network traffic anomaly is of great significance in current network operation, and has become a very important research topic, and has received extensive attention from both academic and industrial circles.

With the development of information technology, the concealment of network traffic anomaly is stronger and stronger. From relatively large and constantly changing normal flows, a relatively small abnormal flow is detected, like a large sea fishing needle, and a new detection technology, method and mechanism are required.

The difficulty of flow anomaly detection is mainly reflected in the accuracy of anomaly detection time. How to highlight the characteristics of network traffic anomalies has been widely studied, and various methods have been proposed. A time-frequency domain method is proposed to find abnormal components in network traffic, and the method is relatively accurate in detecting abnormal network traffic. Wei Xiong describes changes in network traffic states through a collaborative neural network and mutation theory to detect anomalies in the degree of state deviation. And the Yang Yue utilizes a butterfly mutation series model to model the network flow according to the nonlinear dynamic characteristics of the network flow, and detects the mutation of the flow through the jump of mutation series. Jianren Lin et al use a cusp mutation model to model normal and abnormal data of traffic to achieve a certain effect, but the attribute statistical characteristic parameters of the model cannot effectively characterize the traffic characteristics. Thottan uses a statistical distribution of individual MIB variables to detect sudden changes in network traffic. Among the various anomaly statistical detection techniques, entropy-based methods have proven accuracy and efficiency in detecting anomalous traffic matrix time series. Zhang navigation and the like establish an anomaly detection method based on behaviors by utilizing the maximum value and the relative entropy. The baseline distribution based on maximum entropy is made up of pre-labeled training data, but the mechanism by which the baseline accommodates network traffic dynamics is still unclear. A jiang also proposes to use spectral kurtosis analysis (spectral kurtosis analysis) to analyze and identify abnormal network traffic. A jiang also proposed to characterize network traffic using compressive sensing theory, which motivated us to use signal processing techniques to look for traffic anomalies.

Disclosure of Invention

Aiming at the defects in the prior art, the invention provides a service flow anomaly detection method facing optical cable fiber core remote intelligent scheduling exchange, aiming at capturing service flow anomaly components in an optical fiber communication access network by a new rapid detection method, combining a factor analysis method and an empirical mode decomposition method and having higher timeliness and accuracy.

Based on the above purpose, the invention is realized by the following technical scheme:

a service flow abnormity detection method facing optical cable fiber core remote intelligent scheduling exchange comprises the following steps:

step 1: giving network traffic

And the number of the common factors k, constructing a random matrix Y;

step 2: normalizing the original data to obtain a correlation matrix R (R ═ cov (Y)) of the normalized data, obtaining an eigenvalue and an eigenvector of the matrix R, calculating the contribution rate of variance and the contribution rate of accumulated variance, and determining a common factor Y in the network flow_cAnd special factor Y in network traffic_s；

And step 3: after the public factor solution is obtained, factor rotation is carried out, and a main factor meeting proper rotation is obtained;

and 4, step 4: establishing a factor analysis model for the obtained main factors, and evaluating the state of each sample in the whole model by using the factor analysis model; obtaining the score of each factor by adopting a regression estimation method, a Batterest estimation method and a Thomson estimation method to obtain the flow

Common factor in

Another time series of special factors with network traffic

And 5: respectively obtained by empirical mode decompositionFlow rate

Common factor in

Another time series of special factors with network traffic

Set of characteristic functions of (a):

step 6: according to g_c(t) and h_s(t) pairs

And

carrying out feature extraction;

and 7: through g_c(t) and h_s(t) filtering the features, finding out abnormal flow parts and storing the results.

The step 5: obtaining another time series of common factors in the traffic and special factors of the network traffic respectively by using empirical mode decomposition method

The set of feature functions of (a) is:

g_c(t)＝{g_1,c(t),g_2,c(t) } and h_s(t)＝{h_1,s(t),h_2,s(t),...}；

Wherein, { g_i,c(t) } flow rate after decomposition by empirical mode decomposition

Common factor in

Characteristic function component of { h }_i,s(t) } flow rate after decomposition by empirical mode decomposition

Specific factor in

The characteristic function component of (2).

Step 1, constructing the random matrix Y, wherein the method comprises the following steps:

taking the network traffic as a time sequence, representing the change of the network traffic along with time by y (t) | t ═ 1,2

Where n is an integer, the following random matrix is obtained:

Y＝{y_i}_n×1＝{y(1),y(2),...,y(n)} (1)

wherein, y_i(i ═ 1,2, …, n) is the dominant random vector whose mean vector e (y) is 0.

Step 2, determining the common factor Y in the network flow_cAnd special factor Y in network traffic_sThe determination method comprises the following steps:

according to the factorial theory, Y is decomposed into the following equation:

wherein, Y_ci(i ═ 1,2, …, p, and p ≦ n) is an implicit random vector whose mean vector E (Y) is_c)＝0(Y_c＝{Y_c1,Y_c2,...,Y_cp}), covariance matrix Cov (Y)_c) 1, represents Y_ciAre independent of one another, Y_sj(j-1, 2, …, n) is a complementary random vector in factorization, Y_sj(j ═ 1,2, …, n) and Y_ci(i ═ 1,2, …, p) (p ≦ n) independently of one another, equation E (Y)_s)＝0(Y_s＝{Y_s1,Y_s2,...,Y_sn}) are true, and Y_sThe factors in (a) are independent of each other_ij( i 1,2, …, n, j 1,2, …, p and p ≦ n)Representing an implicit random vector Y_ciThe coefficient of (a).

Flow rate in step 4

Common factor in

Another time series of special factors with network traffic

The determination method comprises the following steps:

the k most important common factors are chosen, as follows:

Y＝{y_i}_n×1＝A·Y_c+Y_s (3)

where Y is the currently obtained network traffic matrix, { Y_i}_n×1To express a random matrix of Y, Y_cBeing a common factor in network traffic, Y_sA is a factor load matrix, which is a special factor in the network traffic.

From said equations (2) - (3), a new time series is obtained:

wherein the content of the first and second substances,

is the flow rate of

The common factor of (a) is,

is a common factor

Time series characterization of (a), y_i,c(i ═ 1,2, p) as a common factor

Each time component of (a), another time series of specific factors of the network traffic

By the same way obtain

Wherein the content of the first and second substances,

is the flow rate of

By a specific factor of (a) or (b),

is a special factor

Time series characterization of (a), y_i,s(i-1, 2, …, n) is a special factor

Each time component of (a);

the state of each sample in the entire model was evaluated using a factorial analysis model, and the factorial score was calculated using a regression estimation method, a bartlett estimation method, or a thomson estimation method.

Respectively obtaining the flow by using an empirical mode decomposition method as described in step 5

Common factor in

Another time series of special factors with network traffic

Set of characteristic functions of (a): the method comprises the following steps:

step (1): is provided with

And c is 1; r is₀(t) denotes a common factor

C is a judgment factor;

step (2): setting i to be 1, initializing a threshold value a and a maximum iteration number S;

and (3): initial setting k is 0 and e_i+1,k(t)＝r_i(t), let spline function s (t) be a cubic spline, s ═ 3, v ═ P, and P0; e.g. of the type_i+1,k(t) is r_i(t) expressing a polynomial function, wherein s is the highest degree of the polynomial in the spline interpolation function, and v is the number of interpolation points;

and (4): find out e_i+1,k(t) local maxima and local minima, creating two spline curves s using a spline interpolation method based on s (t)_u(t) and s_l(t) obtaining m_i+1,k＝(s_u(t)+s_l(t))2, and e_i+1,k+1(t)＝e_i+1,k(t)-m_i+1,k；m_i+1,kAs a spline mean curve, e_i+1,k(t)、e_i+1,k+1(t) is a flow function r_i(t) a polynomial function representation;

and (5): judgment e_i+1,k+1(t) whether the conditions for the eigenmode function components are met, if so, going to step (9); if not, the next step is carried out;

and (6): judging v > m_i+1,kIf yes, setting v as m_i+1,k，e(t)＝e_i+1,k+1(t) if not, proceeding the next step; v represents the maximum value of the spline mean of the current cycle;

and (7): and (3) judging: if s ═ 3 is true, the spline function s (t) is set as a B-spline function, and if s ═ B, the step (4) is carried out, otherwise, the next step is carried out;

and (8): and (3) judging: if k is ≦ S and

if yes, k +1, s + 3 are set and the procedure returns to step (4), or e is set_i+1,k+1(t) ═ e (t); otherwise, carrying out the next step; s is the maximum number of iterations, a is a threshold, e_k-1(t)、e_k(t) is the flow rate

A polynomial function representation of (a);

and (9): obtaining the eigenmode function component f_i+1(t)＝e_i+1,k+1(t) and r_i+1(t)＝r_i(t)-f_i+1(t)；r_i(t)、r_i+1(t) is a common factor

The ith and i +1 components of the time function;

step (10): and (3) judging: if the residual error r_i+1(t) if the monotone function is true, setting i to i +1, and returning to step (3); otherwise, carrying out the next step;

step (11): judging whether c is 1, if so, calculating a common factor to enable g_i,c(t)＝f_i(t)，r_m,c(t)＝r_i+1(t) obtaining a set of characteristic functions g_c(t)＝{g_1,c(t),g_2,c(t) }, make

c is 2, returning to the step (2), and recalculating the special factor part; otherwise, entering the next step; r is_m,c(t) recording a non-monotonic function r_i+1(t)，{g_i,c(t) } flow rate after decomposition by empirical mode decomposition

Common factor in

A characteristic function component of (a);

step (12): let h_i,s(t)＝f_i(t)，s_m,s(t)＝r_i+1(t) obtaining a set of characteristic functions

h_s(t)＝{h_1,s(t),h_2,s(t),...}；s_m,s(t) recording a non-monotonic function r_i+1(t)，{h_s(t) } flow rate after decomposition by empirical mode decomposition

Specific factor in

The characteristic function component of (2).

The invention has the following advantages and beneficial effects:

the invention discloses a service flow abnormity detection method for intelligent optical cable fiber core dispatching exchange based on factor analysis, which combines a factor analysis method and empirical mode decomposition. And converting the network flow sequence into a flow matrix, and performing principal component decomposition on the matrix to determine a public component and a special component of the network flow. The flow is divided into two parts, so that empirical mode decomposition is conveniently carried out on k factors of each part, and the analysis accuracy is improved; respectively establishing different empirical mode functions to capture and characterize the factors, and effectively capturing the characteristics of the factors; the invention provides a new rapid detection method based on the thought, which can be used for detecting abnormal components in the network service flow and has higher accuracy and timeliness.

Drawings

The technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiment of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. Other embodiments, which can be derived by one of ordinary skill in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

FIG. 1 is a general flowchart of an embodiment of a method for detecting abnormal traffic flow in an optical fiber core intelligent scheduling switch based on factor analysis according to the present invention;

FIG. 2 is a flow chart of steps in an embodiment of the empirical mode decomposition method of the present invention;

FIG. 3a is a normal network flow diagram of the present invention;

FIG. 3b is a graph of abnormal network traffic for the present invention;

FIG. 3c is a diagram of the common parts extracted from the abnormal network traffic of FIG. 3b in accordance with the present invention;

FIG. 3d is a special portion of the graph extracted from the abnormal network traffic of FIG. 3b according to the present invention;

FIG. 4 is a result of empirical mode decomposition of a traffic common component of the present invention;

FIG. 5 is a result of empirical mode decomposition of a particular portion of the flow of the present invention;

fig. 6 shows the flow anomaly detection result of the present invention, in this simulation, the determined detection threshold is 0.6, and the point-pulse curve shows the time when the anomaly flow is injected.

Detailed Description

The invention relates to a service flow anomaly detection method for optical cable fiber core remote intelligent scheduling exchange, which is used for detecting abnormal components in network flow, and is shown in figure 1, wherein figure 1 is a general flow chart of an embodiment of the service flow anomaly detection method for optical cable fiber core intelligent scheduling exchange based on factor analysis. The method comprises the following steps:

step 101: starting;

step 102: given network traffic as a known condition, determining the number of common factors k, network traffic in a fiber optic communications access network varies over time, and therefore we can treat them as a time series. Let y (t) represent network traffic at time t. Then the time series y (t) t 1,2, represents the change in network traffic over time. Without loss of generality, network traffic of length n is set

Where n is an integer. According to network traffic

We can get the following random matrix:

Y＝{y_i}_n×1＝{y(1),y(2),...,y(n)} (1)

wherein, y_i(i ═ 1,2, …, n) is the dominant random vector whose mean vector e (y) is 0.

Step 103: the covariance matrix cov (Y) R of the matrix Y is determined, and the eigenvalues and eigenvectors of the covariance matrix R are obtained. Then, the flow rate Y in equation (1) is factorized, and the contribution rate of variance and the contribution rate of cumulative variance are calculated, and the factor Y is determined_cAnd factor Y_s. According to factorial theory, Y can be decomposed into the following equation:

wherein, Y_ci(i ═ 1,2, …, p, and p ≦ n) is an implicit random vector whose mean vector E (Y) is_c)＝0(Y_c＝{Y_c1,Y_c2,...,Y_cp}), covariance matrix Cov (Y)_c) 1. This represents Y_ciAre independent of each other. Y is_sj(j-1, 2, …, n) is a complementary random vector in factorization, Y_sj(j ═ 1,2, …, n) and Y_ci(i ═ 1,2, …, p) (p ≦ n) independently of one another, equation E (Y)_s)＝0(Y_s＝{Y_s1,Y_s2,...,Y_sn}) are true, and Y_sThe factors in (1) are independent of each other. a is_ij( i 1,2, …, n, j 1,2, …, p and p ≦ n) represents an implicit random vector Y_ciThe coefficient of (a).

Step 104: typical representative amounts of each common factor are not significant after the common factor solution is obtained. And then, performing an orthogonal factor rotation method with the largest variance to ensure that each row of elements in the common factor sequence is separated by the distance as much as possible and obtain a main factor meeting the appropriate rotation. Since the k most important common factors have been selected, there is the following equation:

Y＝{y_i}_n×1＝A·Y_c+Y_s (3)

where Y is the currently obtained network traffic matrix, { Y_i}_n×1To express a random matrix of Y, Y_cRepresenting a common factor in network traffic, Y_sRepresenting a particular factor in the network traffic, a is called a factor load matrix. The model in equation (3) may be used to characterize network traffic.

Step 105: the state of each sample in the entire model is evaluated using a factorial analysis model. The score for each sample for the common factor is calculated from a linear combination of factors represented by the variable y as a factor score function. The number p of equations in the factor score function is less than the number n of variables, so that the factor score cannot be accurately calculated, and can only be estimated. A regression estimation method, a butteret estimation method or a thomson estimation method is used.

Therefore, according to equations (2) - (3), a new time series can be obtained as follows:

wherein the content of the first and second substances,

representative of the flow

The common factor of (a) is,

is a common factor

Time series characterization of (a), y_i,c(i ═ 1,2, p) as a common factor

Each of (1)A time component. Then another time series of special factors for describing the network traffic

The construction was as follows:

wherein the content of the first and second substances,

is the flow rate of

By a specific factor of (a) or (b),

is a special factor

Time series characterization of (a), y_i,s(i-1, 2, n) is a special factor

Each time component of (a).

In this case, the network traffic is divided into

And

two components.

Step 106: separate derivation of flow using empirical mode decomposition

Common factor in

With another of the special factors of the network trafficIntermediate sequence

Set g of feature functions of_c(t)＝{g_1,c(t),g_2,c(t) } and h_s(t)＝{h_1,s(t),h_2,s(t),. Wherein, { g_i,c(t) } flow rate after decomposition by empirical mode decomposition

Common factor in

Characteristic function component of { h }_i,s(t) } flow rate after decomposition by empirical mode decomposition

Specific factor in

The characteristic function component of (2).

This step is relatively complex and is illustrated in detail in the flowchart and explanation of fig. 2.

Step 107: through g_c(t) and h_s(t) filtering the characteristics, finding out abnormal parts of the service flow and storing the results.

FIG. 2 is a flow chart showing the steps of the empirical mode decomposition method according to the present invention. The process comprises the following steps:

step 201: starting;

step 202: is provided with

And c is 1. r is₀(t) denotes a common factor

C is a judgment factor.

Step 203: let i equal to 1. A threshold a and a maximum number of iterations S are then initialized.

Step 204: initial setting k is 0 and e_i+1,k(t)＝r_i(t) of (d). Let spline function s (t) be a cubic spline, s-3, v-P and P0. e.g. of the type_i+1,k(t) is r_iAnd (t) expressing a polynomial function, wherein s is the highest degree of the polynomial in the spline interpolation function, and v is the number of interpolation points.

Step 205: find out e_i+1,k(t) local maxima and local minima, creating two spline curves s using a spline interpolation method based on s (t)_u(t) and s_l(t) obtaining m_i+1,k＝(s_u(t)+s_l(t))2, and e_i+1,k+1(t)＝e_i+1,k(t)-m_i+1,k。m_i+1,kAs a spline mean curve, e_i+1,k(t)、e_i+1,k+1(t) is a flow function r_i(t) is a polynomial function representation.

Step 206: judgment e_i+1,k+1(t) whether the conditions for the eigenmode function components are met, and if so, proceeding to step 210; if not, the next step is carried out.

Step 207: judging v > m_i+1,kIf yes, setting v as m_i+1,k，e(t)＝e_i+1,k+1(t) otherwise, proceeding to the next step. v represents the maximum spline mean for the current cycle.

Step 208: and (3) judging: if s ═ 3 is true, then spline s (t) is assumed to be a B-spline, and go to step 205, otherwise proceed to the next step.

Step 209: and (3) judging: if k is ≦ S and

if true, k +1 and s 3 are set and the process returns to step 205. Or is provided with e_i+1,k+1(t) e (t). Otherwise, the next step is carried out. S is the maximum number of iterations, a is a threshold, e_k-1(t)、e_k(t) is the flow rate

Is expressed by a polynomial function of (1).

Step 210: obtaining the eigenmode function component f_i+1(t)＝e_i+1,k+1(t)，And is provided with r_i+1(t)＝r_i(t)-f_i+1(t)。r_i(t)、r_i+1(t) is a common factor

The ith and i +1 components of the time function.

Step 211: and (3) judging: if the residual error r_i+1If (t) is the monotone function is established, i is set to i +1, and the process returns to step 205. Otherwise, the next step is carried out.

Step 212: and judging whether c is 1, and if so, indicating that the calculation is to calculate the common factor. Let g be_i,c(t)＝f_i(t)，r_m,c(t)＝r_i+1(t) obtaining a set of characteristic functions g_c(t)＝{g_1,c(t),g_2,c(t) }, make

c is 2, the process returns to step 203 to recalculate the special factor part. Otherwise, the next step is carried out. r is_m,c(t) recording a non-monotonic function r_i+1(t)，{g_i,c(t) } flow rate after decomposition by empirical mode decomposition

Common factor in

The characteristic function component of (2).

Step 213: the calculation result is a special factor part, so that h is_i,s(t)＝f_i(t)，s_m,s(t)＝r_i+1(t) obtaining a set of eigenfunctions h_s(t)＝{h_1,s(t),h_2,s(t),...}。s_m,s(t) recording a non-monotonic function r_i+1(t)，{h_s(t) } flow rate after decomposition by empirical mode decomposition

Specific factor in

The characteristic function component of (2).

In the actual simulation process, in order to better verify the detection capability of abnormal traffic of the service flow intelligently scheduled and exchanged at the fiber core of the optical cable, the simulation uses real data from an Abilene backbone network. In the simulation, abnormal network traffic is injected into normal background network traffic at four different time slots, which are 300,700,1100 and 1500 respectively, and the duration is 80. To avoid random errors, 50 simulations were run to obtain an average detection result, and the detection threshold was automatically determined according to the detection algorithm. The factorization-based feature extraction capability, the empirical mode decomposition-based feature extraction capability, and the anomaly detection capability are evaluated.

The network traffic and the factorization results of the present invention are shown in fig. 3 a-3 d, where fig. 3a and 3b represent normal and abnormal network traffic, respectively, and fig. 3c and 3d depict the common and special portions extracted from the abnormal network traffic in fig. 3b, respectively. As can be seen from fig. 3a and 3b, there is no significant difference between the normal flow and the abnormal flow, which makes the detection difficult. Fig. 3c and 3d show that the algorithm of the present invention can correctly extract the common features and the special features of the abnormal network traffic. It can be seen that the traffic of the common part reflects the common characteristics of this network traffic. This demonstrates the effectiveness of the present invention.

Fig. 4 shows the result of empirical mode decomposition on the common part of the flow. The common part flow can be accurately characterized by 10 empirical mode functions, and different empirical mode functions can capture different characteristics of the common part of the flow.

Fig. 5 shows the result of empirical mode decomposition of a particular portion of the flow. The particular portion of flow may be accurately characterized by 10 empirical mode functions, and different empirical mode functions may capture different characteristics of the particular portion of flow. This further demonstrates the reliability of the invention.

Fig. 6 shows the flow anomaly detection result of the present invention, in this simulation, the determined detection threshold is 0.6, and the point-pulse curve shows the time when the anomaly flow is injected. As can be seen from the figure, the detection curve can accurately mark the time when the abnormal network traffic occurs, and the abnormal network traffic can be correctly found out by using threshold detection. The invention can accurately detect the abnormal traffic of the fiber core of the optical cable. The invention is proved to be reliable, accurate and timely.

Although specific embodiments of the present invention have been described above, it will be appreciated by those skilled in the art that these are merely illustrative and that various changes or modifications may be made to these embodiments without departing from the principles and spirit of the invention. The scope of the invention is only limited by the appended claims.

Claims (7)

1. A service flow abnormity detection method facing optical cable fiber core remote intelligent scheduling exchange is characterized in that: the method comprises the following steps:

step 1: giving network traffic

And the number of the common factors k, constructing a random matrix Y; r (R ═ cov (y))

Step 2: standardizing the original data to obtain a correlation matrix of the standardized data, obtaining an eigenvalue and an eigenvector of a matrix R, calculating the contribution rate of variance and the contribution rate of accumulated variance, and determining a common factor Y in the network flow_cAnd special factor Y in network traffic_s；

And step 3: after the public factor solution is obtained, factor rotation is carried out, and a main factor meeting proper rotation is obtained;

and 4, step 4: establishing a factor analysis model for the obtained main factors, and evaluating the state of each sample in the whole model by using the factor analysis model; obtaining the score of each factor by adopting a regression estimation method, a Batterest estimation method and a Thomson estimation method to obtain the flow

Common factor in

And network flowAnother time series of special factors of the quantity

And 5: separate derivation of flow using empirical mode decomposition

Common factor in

Another time series of special factors with network traffic

Set of characteristic functions of (a):

step 6: according to g_c(t) and h_s(t) pairs

And

carrying out feature extraction;

and 7: through g_c(t) and h_s(t) filtering the features, finding out abnormal flow parts and storing the results.

2. The method for detecting the abnormal traffic flow of the optical cable fiber core remote intelligent dispatching exchange as claimed in claim 1, wherein: the step 5: obtaining another time series of common factors in the traffic and special factors of the network traffic respectively by using empirical mode decomposition method

The set of feature functions of (a) is:

g_c(t)＝{g_1,c(t),g_2,c(t) } and h_s(t)＝{h_1,s(t),h_2,s(t),...}；

Wherein, { g_i,c(t) } flow rate after decomposition by empirical mode decomposition

Common factor in

Characteristic function component of { h }_i,s(t) } flow rate after decomposition by empirical mode decomposition

Specific factor in

The characteristic function component of (2).

3. The method for detecting the abnormal traffic flow of the optical cable fiber core remote intelligent dispatching exchange as claimed in claim 1, wherein: step 1, constructing the random matrix Y, wherein the method comprises the following steps:

taking the network traffic as a time sequence, representing the change of the network traffic along with time by y (t) | t ═ 1,2

Where n is an integer, the following random matrix is obtained:

Y＝{y_i}_n×1＝{y(1),y(2),...,y(n)} (1)

wherein, y_iN is a dominant random vector whose mean vector e (y) is 0.

4. The method for detecting the abnormal traffic flow of the optical cable fiber core remote intelligent dispatching exchange as claimed in claim 1, wherein: step 2, determining the common factor Y in the network flow_cAnd special factor Y in network traffic_sThe determination method comprises the following steps:

according to the factorial theory, Y is decomposed into the following equation:

wherein, Y_ci(i 1, 2.. p and p.ltoreq.n) is an implicit random vector whose mean vector E (Y) is_c)＝0(Y_c＝{Y_c1,Y_c2,...,Y_cp}), covariance matrix Cov (Y)_c) 1, represents Y_ciAre independent of one another, Y_sj(j ═ 1, 2.. times, n) is the complementary random vector in the factorization, Y_sj(j ═ 1,2,. n) and Y_ci(i ═ 1, 2.. times, p) (p ≦ n), independent of one another, equation E (Y)_s)＝0(Y_s＝{Y_s1,Y_s2,...,Y_sn}) are true, and Y_sThe factors in (a) are independent of each other_ij(i 1, 2.., n, j 1, 2.. 7., p, and p ≦ n) represents an implicit random vector Y_ciThe coefficient of (a).

5. The method for detecting the abnormal traffic flow of the optical cable fiber core remote intelligent dispatching exchange as claimed in claim 1, wherein: flow rate in step 4

Common factor in

Another time series of special factors with network traffic

The determination method comprises the following steps:

the k most important common factors are chosen, as follows:

Y＝{y_i}_n×1＝A·Y_c+Y_s (3)

wherein Y is the currently obtained network flowQuantity matrix, { y_i}_n×1To express a random matrix of Y, Y_cBeing a common factor in network traffic, Y_sA is a factor load matrix, which is a special factor in the network traffic.

6. The method for detecting traffic flow abnormality of optical cable fiber core remote intelligent dispatching exchange according to claim 4 or 5, wherein: from said equations (2) - (3), a new time series is obtained:

wherein the content of the first and second substances,

is the flow rate of

The common factor of (a) is,

is a common factor

Time series characterization of (a), y_i,c(i ═ 1, 2.. times, p) is a common factor

Each time component of (a), another time series of specific factors of the network traffic

By the same way obtain

Wherein the content of the first and second substances,

is the flow rate of

By a specific factor of (a) or (b),

is a special factor

Time series characterization of (a), y_i,s(i ═ 1, 2.. times.n) is a special factor

Each time component of (a);

the state of each sample in the entire model was evaluated using a factorial analysis model, and the factorial score was calculated using a regression estimation method, a bartlett estimation method, or a thomson estimation method.

7. The method for detecting the abnormal traffic flow of the optical cable fiber core remote intelligent dispatching exchange as claimed in claim 1, wherein: respectively obtaining the flow by using an empirical mode decomposition method as described in step 5

Common factor in

Another time series of special factors with network traffic

Set of characteristic functions of (a): the method comprises the following steps:

step (1): is provided with

And c is 1; r is₀(t) denotes a common factor

C is a judgment factor;

step (2): setting i to be 1, initializing a threshold value a and a maximum iteration number S;

and (3): initial setting k is 0 and e_i+1,k(t)＝r_i(t) if the spline function s (t) is a cubic spline, s is 3, v is P and P > 0; e.g. of the type_i+1,k(t) is r_i(t) expressing a polynomial function, wherein s is the highest degree of the polynomial in the spline interpolation function, and v is the number of interpolation points;

and (4): find out e_i+1,k(t) local maxima and local minima, creating two spline curves s using a spline interpolation method based on s (t)_u(t) and s_l(t) obtaining m_i+1,k＝(s_u(t)+s_l(t))/2, and e_i+1,k+1(t)＝e_i+1,k(t)-m_i+1,k；m_i+1,kAs a spline mean curve, e_i+1,k(t)、e_i+1,k+1(t) is a flow function r_i(t) a polynomial function representation;

and (5): judgment e_i+1,k+1(t) whether the conditions for the eigenmode function components are met, if so, going to step (9); if not, the next step is carried out;

and (6): judging v > m_i+1,kIf yes, setting v as m_i+1,k，e(t)＝e_i+1,k+1(t) if not, proceeding the next step; v represents the maximum value of the spline mean of the current cycle;

and (7): and (3) judging: if s ═ 3 is true, the spline function s (t) is set as a B-spline function, and if s ═ B, the step (4) is carried out, otherwise, the next step is carried out;

and (8): and (3) judging: if k is ≦ S and

if yes, k +1, s + 3 are set and the procedure returns to step (4), or e is set_i+1,k+1(t) ═ e (t); otherwise, carrying out the next step; s is the maximum number of iterations, a is a threshold, e_k-1(t)、e_k(t) is the flow rate

A polynomial function representation of (a);

and (9): obtaining the eigenmode function component f_i+1(t)＝e_i+1,k+1(t) and r_i+1(t)＝r_i(t)-f_i+1(t)；r_i(t)、r_i+1(t) is a common factor

The ith and i +1 components of the time function;

step (10): and (3) judging: if the residual error r_i+1(t) if the monotone function is true, setting i to i +1, and returning to step (3); otherwise, carrying out the next step;

step (11): judging whether c is 1, if so, calculating a common factor to enable g_i,c(t)＝f_i(t)，r_m,c(t)＝r_i+1(t) obtaining a set of characteristic functions g_c(t)＝{g_1,c(t),g_2,c(t) }, make

c is 2, returning to the step (2), and recalculating the special factor part; otherwise, entering the next step; r is_m,c(t) recording a non-monotonic function r_i+1(t)，{g_i,c(t) } flow rate after decomposition by empirical mode decomposition

Common factor in

A characteristic function component of (a);

step (ii) of(12): let h_i,s(t)＝f_i(t)，s_m,s(t)＝r_i+1(t) obtaining a set of eigenfunctions h_s(t)＝{h_1,s(t),h_2,s(t),...}；s_m,s(t) recording a non-monotonic function r_i+1(t)，{h_s(t) } flow rate after decomposition by empirical mode decomposition

Specific factor in

The characteristic function component of (2).

Images