CN111884874A - Programmable data plane-based ship network real-time anomaly detection method - Google Patents


Publication number
CN111884874A
Authority
CN
China
Prior art keywords
network
anomaly
prediction error
likelihood
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010681796.7A
Other languages
Chinese (zh)
Other versions
CN111884874B (en
Inventor
罗威
夏子贤
江昊
吴静
朱博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Ship Development and Design Centre
Original Assignee
China Ship Development and Design Centre
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H04L43/0829 Packet loss
    • H04L43/0852 Delays
    • H04L43/087 Jitter
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888 Throughput
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/11 Identifying congestion
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/11 Complex mathematical operations for solving equations, e.g. nonlinear equations, general mathematical optimization problems


Abstract

The invention discloses a programmable data plane-based ship network real-time anomaly detection method, comprising the following steps: 1) collecting network state data of each node i in the network; 2) at each time point t, inputting the sequence data of the network state data into a hierarchical memory network (HTM) to obtain a prediction error; 3) using the distribution of the original prediction error as the metric, calculating a likelihood value of the degree of anomaly from that distribution, and judging whether to trigger an anomaly alarm; 4) in multivariate joint anomaly detection, decomposing the input into a plurality of sub-modules according to the number of parameters, and obtaining a global metric through joint likelihood anomaly score calculation to represent the anomaly likelihood score of the whole system; 5) jointly estimating the distribution of the original anomaly scores of the multiple detection systems, and judging whether to trigger an anomaly alarm. The invention provides an anomaly detection method capable of quantitatively evaluating the degree of network anomaly.

Description

Programmable data plane-based ship network real-time anomaly detection method
Technical Field
The invention relates to a network technology, in particular to a programmable data plane-based ship network real-time anomaly detection method.
Background
Military ship network technology in China has gone through three generations of development, originating in the development and construction of shipborne combat command systems. In the early 1980s, China's shipborne combat command systems adopted the military 1553B bus, which runs at 1 Mbps with baseband transmission and master-slave communication. In the early 1990s, to raise the communication rate, a commercial 10 Mbps Ethernet modified to suit the shipborne combat system network was adopted; a shared-medium bus topology was generally used, with a shared-medium star topology centred on a hub used in a small number of cases. In the mid-to-late 1990s, with the further development of shipborne combat command systems, ship networks moved quickly to switched Ethernet, the speed rose to 100 Mbps, the connection range expanded greatly, and some sensors and weapon systems were interconnected.
Informatization of the naval vessel platform started late in China; data networks were also applied late, and the technical requirements on them were low. Unlike the computer network formed by the combat system, ship platform systems such as the power monitoring system, the electric power monitoring system, the damage management monitoring system, the whole-ship equipment guarantee management system and the frame control system are centrally managed using fieldbus technology such as the CAN bus or Ethernet technology, and the spread of software-defined networking has accelerated the move to flexible control of the whole-ship network. During the operation of these systems, however, the complex combat environment readily causes network anomalies such as traffic bursts and link failures, and these anomalies reduce the quality and reliability of the combat network, affecting wartime information transmission and ship control.
Traditional network anomaly detection is mainly time-series based. It applies a classic time-series model to network traffic analysis, predicts the network traffic with that model, and analyzes and warns of abnormal network states on the basis of the prediction. Its disadvantages are a complicated detection process, a large amount of computation and a long delay.
Therefore, studying anomaly detection in the ship network by combining the flexibility and fine-grained control of software-defined networking with data plane programmability has important theoretical and military application value.
Disclosure of Invention
The invention aims to solve the technical problem of providing a programmable data plane-based ship network real-time anomaly detection method aiming at the defects in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows: a programmable data plane-based ship network real-time anomaly detection method comprises the following steps:
1) collecting network state data of each node i in the network, the data at time t being $X_t=(x_1,x_2,x_3,\dots,x_i)$, where $x_i$ represents the network state parameters of node i in the network, the network state parameters being one or more of throughput, delay, jitter and packet loss rate; if there is one network state parameter, go to step 2), otherwise go to step 4);
2) at each time point t, inputting the sequence data $X_t$ of the network state data into a hierarchical memory network (HTM) to obtain a prediction error $s_t$; the HTM network comprises an encoder, a sparse pooling unit and a sequence memory unit;
3) using the distribution of the original prediction error $s_t$ as a metric, and using that distribution to calculate a likelihood value of the degree of anomaly;
the specific steps are as follows:
3.1) to calculate the likelihood of the original anomaly score, the most recent window W of prediction-error values is retained and modeled with a rolling normal distribution whose sample mean is $\mu_t$ and whose variance is $\sigma_t^2$, as shown in the following equations:
Figure BDA0002586120840000031
Figure BDA0002586120840000032
3.2) calculating the short-term average of the current prediction error
Figure BDA0002586120840000033
The Gaussian right-tail function Q is applied to determine whether the condition is an anomaly requiring an alarm; the anomaly likelihood is defined as the complement of the Q-function probability, and $L_t$ is calculated as shown in the following equations:
Figure BDA0002586120840000034
Figure BDA0002586120840000041
where W' is the window of the moving average, with W' < W; the threshold is determined by a user-defined parameter, and if $L_t$ is greater than or equal to 1 minus that parameter, an anomaly alarm is triggered;
4) in multivariate joint anomaly detection, the input is decomposed into M sub-modules according to the number of parameters; let
Figure BDA0002586120840000042
be the m-th module of the input at time t, m = 0, 1, 2, …, M-1, and let
Figure BDA0002586120840000043
represent the original prediction error of each module; a global metric is obtained through joint likelihood anomaly score calculation to represent the anomaly likelihood score of the whole system;
5) performing joint estimation on the distribution of the original anomaly scores of the multiple detection systems;
Figure BDA0002586120840000044
the joint estimate of the corresponding anomaly likelihoods is:
Figure BDA0002586120840000045
wherein
Figure BDA0002586120840000046
is the sample mean of the i-th model, $\mu_t^i$ is the short-term mean of the prediction error of the i-th model, and $\sigma_t^i$ is the sample variance of the i-th model;
the threshold is determined by a user-defined parameter, and if $L_t$ is greater than or equal to 1 minus that parameter, an anomaly alarm is triggered.
According to the scheme, in step 2), the prediction error is obtained as follows:
2.1) the current input $X_t$ is sent to the HTM network encoder and then processed by the sparse pooling unit; the output $a(X_t)$ is the binary vector of the current input after sparsification;
2.2) the sequence memory unit builds a temporal sequence model on $a(X_t)$ and outputs a sparse vector $\pi(X_t)$; $\pi(X_t)$ is the prediction, made from $a(X_t)$, of the network state data at time t+1;
2.3) calculating the prediction error $s_t$:
Figure BDA0002586120840000051
where $|a(X_t)|$ is a scalar norm, the total number of 1s in $a(X_t)$; an output error value $s_t = 0$ denotes a perfect match between the predicted value and the actual value, and $s_t = 1$ means that the two binary vectors do not overlap at all, so $s_t$ reflects the deviation of the HTM's predicted value from the actual value;
According to the scheme, in step 5), the following formula is used for the joint estimation of the distribution of the original anomaly scores of the multiple detection systems:
Figure BDA0002586120840000052
the joint estimate of the corresponding anomaly likelihoods is:
Figure BDA0002586120840000053
wherein G represents a gaussian convolution.
According to the scheme, in the step 1), when the network state data of each node i in the network is collected, each node in the network communicates through a virtual software defined network which is deployed in a host and supports data plane programming, and the network state data information is collected through an in-band network telemetry technology.
The invention has the following beneficial effects: it provides an anomaly detection method capable of quantitatively evaluating the degree of network anomaly, supporting both univariate detection and multivariate joint detection. It can find abnormal network behaviors that are hard to discover by some traditional means, such as network congestion caused by burst traffic, link load imbalance caused by software configuration problems, and broadcast storms caused by loops in the network topology, and it reduces the number of false positive alarms.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a schematic diagram of a network topology of an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a univariate anomaly detection method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a multivariate abnormality detection method according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in FIG. 2 and FIG. 3, a real-time anomaly detection method based on a programmable data plane includes the following steps.
Anomaly detection and quantitative evaluation in the data stream are divided into univariate detection and multivariate joint detection according to the number of detected variables.
Step one: in univariate anomaly detection, the data stream input at time t is denoted $X_t=(\dots,x_{t-1},x_t,x_{t+1},\dots)$, where $x_t$ may be a network state parameter such as throughput, delay, jitter or packet loss rate of a node in the network. As shown in FIG. 2, at each time t the sequence data $x_t$ is fed into the HTM network for processing; the core algorithm components and processing flow of a typical HTM system are shown within the dashed box. The current input $x_t$ is sent to an encoder and then processed by a sparse pooling unit, whose output $a(x_t)$ is the binary vector of the current input after sparsification. The core of the system is the sequence memory unit, which builds a temporal sequence model on $a(x_t)$ and outputs its prediction in the form of another sparse vector $\pi(x_t)$. Thus $\pi(x_t)$ is a prediction of $a(x_{t+1})$. The prediction error $s_t$ is a scalar value inversely proportional to the number of bits shared between the actual and predicted binary vectors, and is calculated as follows:
Figure BDA0002586120840000071
where $|a(X_t)|$ is a scalar norm, the total number of 1s in $a(X_t)$; an output error value $s_t = 0$ denotes a perfect match between the predicted value and the actual value, and $s_t = 1$ means that the two binary vectors do not overlap at all, so $s_t$ reflects the deviation of the HTM's predicted value from the actual value.
Step two: to reduce the influence of noise, the distribution of the original prediction error is used as the metric; a likelihood value of the degree of anomaly is calculated from that distribution and used to decide whether an alarm needs to be generated.
To calculate the likelihood of the original anomaly score, the most recent window W of prediction-error values is retained and modeled with a rolling normal distribution whose sample mean is $\mu_t$ and whose variance is $\sigma_t^2$, as shown in equations (2) and (3):
Figure BDA0002586120840000081
Figure BDA0002586120840000082
Then the short-term average of the current prediction error is calculated, and a threshold is applied to the Gaussian right-tail function (Q function) to determine whether the current prediction error is an anomaly requiring an alarm. The anomaly likelihood is defined as the complement of this Q-function probability, as shown in equations (4) and (5):
Figure BDA0002586120840000083
Figure BDA0002586120840000084
W' is the window of the moving average, with W' < W. The threshold is determined by a user-defined parameter; if $L_t$ is very close to 1, an anomaly alarm is triggered, which can be expressed as:
$\text{Anomaly detected}_t \equiv L_t \geq 1-$ (6)
Because $L_t$ involves thresholding the Gaussian tail probability, there is an inherent upper limit on the number of alarms and a corresponding upper limit on the number of false positives. Especially when the parameter is very close to 0, it is difficult to get a higher-probability alarm.
Step three: in multivariate joint anomaly detection, assume that the system input is decomposed into M sub-modules, and let
Figure BDA0002586120840000091
be the m-th module of the input at time t, m = 0, 1, 2, …, M-1, and let
Figure BDA0002586120840000092
represent the original prediction error of each module; a global metric is obtained through joint likelihood anomaly score calculation to represent the anomaly likelihood score of the whole system. As shown in FIG. 3, the distribution of the raw anomaly scores of the multiple detection systems is jointly estimated as $P(s_t^0, \dots, s_t^{M-1})$, and a threshold on the Gaussian right-tail probability is given. Since it is difficult to model the joint probability distribution of real-time data, it is simplified here:
Figure BDA0002586120840000093
based on the above equation, the joint estimation corresponding to the likelihood of an anomaly is simplified as:
Figure BDA0002586120840000094
wherein,
Figure BDA0002586120840000095
is the sample mean of the i-th model, $\mu_t^i$ is the short-term mean of the prediction error of the i-th model, and $\sigma_t^i$ is the sample variance of the i-th model. The mean and variance of each model are calculated in the same manner as in equations (1)-(5) for univariate detection.
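The scoring pipeline of steps one to three, as an added Python example that is not code from the patent. The equation images are missing from this page, so the forms used are assumptions read from the surrounding text: $s_t$ as one minus the shared-bit fraction, $L_t$ as $1 - Q((\text{short-term mean} - \mu_t)/\sigma_t)$, and the joint likelihood as one minus the product of per-model tail probabilities. All names, the parameter `epsilon` and the constructed error streams (standing in for HTM output) are hypothetical.

```python
import math
from collections import deque

def prediction_error(predicted, actual):
    """s_t: 0 when the predicted and actual bit vectors match, 1 when no 1-bits overlap.
    Assumed form: 1 - (shared 1-bits) / |a(x_t)|."""
    active = sum(actual)
    if active == 0:
        return 0.0  # nothing active, so nothing was mispredicted
    shared = sum(p & a for p, a in zip(predicted, actual))
    return 1.0 - shared / active

def q_function(z):
    """Gaussian right-tail probability Q(z) = P(N(0,1) > z)."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))

class AnomalyLikelihood:
    """Rolling normal model over the last W prediction errors (assumed formulas)."""

    def __init__(self, window=50, short_window=5, min_sigma=1e-3):
        if not 0 < short_window < window:
            raise ValueError("short_window (W') must be smaller than window (W)")
        self.errors = deque(maxlen=window)
        self.short_window = short_window
        self.min_sigma = min_sigma  # guard against division by ~0 on flat data

    def tail_probability(self, s_t):
        """Record s_t and return Q((short-term mean - mu_t) / sigma_t)."""
        self.errors.append(s_t)
        n = len(self.errors)
        mu = sum(self.errors) / n
        var = sum((e - mu) ** 2 for e in self.errors) / (n - 1) if n > 1 else 0.0
        sigma = max(math.sqrt(var), self.min_sigma)
        recent = list(self.errors)[-self.short_window:]
        mu_short = sum(recent) / len(recent)
        return q_function((mu_short - mu) / sigma)

    def likelihood(self, s_t):
        """L_t, the complement of the Q-function probability."""
        return 1.0 - self.tail_probability(s_t)

def joint_likelihood(tail_probabilities):
    """Joint L_t assuming independent models: 1 - product of per-model Q values."""
    return 1.0 - math.prod(tail_probabilities)

def constructed_errors(step, steps=120, burst=range(80, 83)):
    """Constructed sample data: small periodic error, 0.9 during a 3-step burst."""
    return [0.9 if t in burst else 0.10 + 0.01 * ((t * step) % 5)
            for t in range(steps)]

def run_demo(epsilon=0.01):
    """Return (per-metric alarm times, joint alarm times) for two constructed streams."""
    streams = {"throughput": constructed_errors(7), "delay": constructed_errors(3)}
    models = {name: AnomalyLikelihood() for name in streams}
    single = {name: [] for name in streams}
    joint = []
    for t in range(120):
        tails = []
        for name, errors in streams.items():
            q = models[name].tail_probability(errors[t])
            tails.append(q)
            if 1.0 - q >= 1.0 - epsilon:  # univariate rule: L_t >= 1 - epsilon
                single[name].append(t)
        if joint_likelihood(tails) >= 1.0 - epsilon:  # same rule on the joint score
            joint.append(t)
    return single, joint

if __name__ == "__main__":
    single, joint = run_demo()
    print("per-metric alarms:", single)
    print("joint alarms at t =", joint)
```

With these constructed streams a short burst seen in both metrics stays under the threshold in each model on its own but crosses it in the joint score. The Gaussian convolution G of the later equations is not implemented here.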
In real-time dynamic scenarios, a critical problem in one part of the system often spreads to other parts. A single detection system can therefore show random delays, which in turn lead to different delays between the anomaly scores of different models. In other words, multiple anomalous events occurring close together in several different models can be more unusual than a single anomalous event in a single model, which is more valuable for detecting and capturing abnormal behavior in complex systems.
In practice, the joint distribution P of the anomaly scores is difficult to calculate, so the invention provides a simple and general method for the joint modeling of multiple models. As shown in equation (10), the sliding window mechanism allows the system to combine, with a certain probability, spikes that are close in time but do not coincide exactly, where G represents the Gaussian convolution.
Figure BDA0002586120840000101
Figure BDA0002586120840000102
Gaussian convolution is applied to each independent model to obtain the final anomaly likelihood score, and the joint anomaly likelihood score is checked against a threshold, $L_t' > 1-$. Equation (10) represents a method for detecting anomalies in complex real-time streaming applications. The $L_t'$ calculated here is a very straightforward metric because it is calculated from the raw anomaly scores of each model. It reflects the potential predictability of the model at a particular point in time, rather than modeling the measurement data itself directly.
FIG. 1 is a schematic structural diagram of the real-time anomaly detection method based on a programmable data plane. The VM1 host and the VM2 host in the network topology communicate through a virtual software-defined network that supports data plane programming and is deployed in the VM3 host, and the state information of the network is collected through in-band network telemetry. The method is explained here using network congestion as the example anomaly. The data stream is sent, via in-band network telemetry, to a hierarchical memory network extended with an anomaly scoring function; this network detects and quantitatively evaluates anomalies in the data stream and sends an anomaly alarm to the Alert alarm platform, completing the detection-evaluation-alarm process.
Anomaly detection and quantitative evaluation in data streams are classified into univariate detection and multivariate joint detection according to the number of detected variables. FIG. 2 is a schematic diagram of the univariate anomaly detection method: the network state monitoring data stream at a given time, obtained through the programmable data plane and in-band network telemetry, is input into a hierarchical memory network (HTM); the HTM continuously learns and models the spatio-temporal characteristics of the input data and outputs a predicted value for the next time step. The raw anomaly scoring function block calculates the deviation between the predicted value and the actual value and gives a real-time score. Because the HTM learns continuously, when the system behavior drifts (that is, moves from one steady state to another), the HTM learns the change in the data stream and adjusts its predictions, so the score truly reflects the degree of anomaly of the data stream. However, because of noise, scoring directly may generate frequent meaningless alarms, so the score needs further processing. The anomaly likelihood function block uses the distribution of the original prediction error as the metric to calculate a likelihood value of the degree of anomaly, and using this likelihood value as the basis for deciding whether to alarm reduces the influence of noise to a certain extent.
Some network anomalies show up as correlations among several variables; for example, throughput and delay anomalies can jointly determine whether a link is congested. The method is therefore extended from univariate anomaly detection to multivariate joint detection, shown schematically in FIG. 3. Each of the monitoring data streams is processed by an HTM to calculate its own raw anomaly score, and all the raw anomaly scores are aggregated to calculate a joint likelihood anomaly score, which is used as the basis for deciding whether to alarm.
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (4)

1. A programmable data plane-based ship network real-time anomaly detection method is characterized by comprising the following steps:
1) collecting sequence data of the network state data of each node i in the network, the data at time t being $X_t=(x_1,x_2,x_3,\dots,x_i)$, where $x_i$ represents the network state parameters of node i in the network, the network state parameters being one or more of throughput, delay, jitter and packet loss rate; if there is one network state parameter, go to step 2), otherwise go to step 4);
2) at each time point t, inputting the sequence data $X_t$ of the network state data into a hierarchical memory network (HTM) to obtain a prediction error $s_t$; the HTM network comprises an encoder, a sparse pooling unit and a sequence memory unit;
3) using the distribution of the original prediction error $s_t$ as a metric, and using that distribution to calculate a likelihood value of the degree of anomaly;
the specific steps are as follows:
3.1) to calculate the likelihood of the original anomaly score, the most recent window W of prediction-error values is retained and modeled with a rolling normal distribution whose sample mean is $\mu_t$ and whose variance is $\sigma_t^2$, as shown in the following equations:
Figure FDA0002586120830000011
Figure FDA0002586120830000012
3.2) calculating the short-term average of the current prediction error
Figure FDA0002586120830000021
The Gaussian right-tail function Q is applied to determine whether the condition is an anomaly requiring an alarm; the anomaly likelihood is defined as the complement of the Q-function probability, and $L_t$ is calculated as shown in the following equations:
Figure FDA0002586120830000022
Figure FDA0002586120830000023
where W' is the window of the moving average, with W' < W; the threshold is determined by a user-defined parameter, and if $L_t$ is greater than or equal to 1 minus that parameter, an anomaly alarm is triggered;
4) in multivariate joint anomaly detection, the input is decomposed into M sub-modules according to the number of parameters; let
Figure FDA0002586120830000024
be the m-th module of the input at time t, m = 0, 1, 2, …, M-1, and let
Figure FDA0002586120830000025
represent the original prediction error of each module; a global metric is obtained through joint likelihood anomaly score calculation to represent the anomaly likelihood score of the whole system;
5) performing joint estimation on the distribution of the original anomaly scores of the multiple detection systems;
Figure FDA0002586120830000026
the joint estimate of the corresponding anomaly likelihoods is:
Figure FDA0002586120830000027
wherein,
Figure FDA0002586120830000028
is the sample mean of the i-th model, $\mu_t^i$ is the short-term mean of the prediction error of the i-th model, and $\sigma_t^i$ is the sample variance of the i-th model;
the threshold is determined by a user-defined parameter, and if $L_t$ is greater than or equal to 1 minus that parameter, an anomaly alarm is triggered.
2. The programmable data plane-based ship network real-time anomaly detection method according to claim 1, wherein in the step 2), the prediction error is obtained as follows:
2.1) the current input $X_t$ is sent to the HTM network encoder and then processed by the sparse pooling unit; the output $a(X_t)$ is the binary vector of the current input after sparsification;
2.2) the sequence memory unit builds a temporal sequence model on $a(X_t)$ and outputs a sparse vector $\pi(X_t)$; $\pi(X_t)$ is the prediction, made from $a(X_t)$, of the network state data at time t+1;
2.3) calculating the prediction error $s_t$:
Figure FDA0002586120830000031
where $|a(X_t)|$ is a scalar norm, the total number of 1s in $a(X_t)$; an output error value $s_t = 0$ denotes a perfect match between the predicted value and the actual value, and $s_t = 1$ means that the two binary vectors do not overlap at all, so $s_t$ reflects the deviation of the HTM's predicted value from the actual value.
3. The programmable data plane-based ship network real-time anomaly detection method according to claim 1, wherein in the step 5), the following formula is adopted for joint estimation of the distribution of the original anomaly scores of the plurality of detection systems;
Figure FDA0002586120830000032
the joint estimate of the corresponding anomaly likelihoods is:
Figure FDA0002586120830000041
wherein G represents a gaussian convolution.
4. The programmable data plane-based ship network real-time anomaly detection method according to claim 1, wherein in step 1), when network state data of each node i in the network is collected, each node in the network communicates through a virtual software defined network supporting data plane programming deployed in a host, and network state data information is collected through an in-band network telemetry technology.
CN202010681796.7A 2020-07-15 2020-07-15 Programmable data plane-based ship network real-time anomaly detection method Active CN111884874B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010681796.7A CN111884874B (en) 2020-07-15 2020-07-15 Programmable data plane-based ship network real-time anomaly detection method


Publications (2)

Publication Number Publication Date
CN111884874A true CN111884874A (en) 2020-11-03
CN111884874B CN111884874B (en) 2022-02-01

Family

ID=73154605


Country Status (1)

Country Link
CN (1) CN111884874B (en)

Also Published As

Publication number Publication date
CN111884874B (en) 2022-02-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant