CN113887115A - Method, device, equipment and storage medium for safety detection of running state - Google Patents


Publication number
CN113887115A
Authority
CN
China
Prior art keywords
state data
running state
clustering
preset
real
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111143086.XA
Other languages
Chinese (zh)
Inventor
伍少成
陈晓伟
姜和芳
李思鉴
刘涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Power Supply Bureau Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202111143086.XA
Publication of CN113887115A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00 Computer-aided design [CAD]
    • G06F30/20 Design optimisation, verification or simulation
    • G06F30/25 Design optimisation, verification or simulation using particle-based methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00 Computer-aided design [CAD]
    • G06F30/20 Design optimisation, verification or simulation
    • G06F30/27 Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/12 Computing arrangements based on biological models using genetic models
    • G06N3/126 Evolutionary algorithms, e.g. genetic algorithms or genetic programming
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2111/00 Details relating to CAD techniques
    • G06F2111/08 Probabilistic or stochastic CAD

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Biophysics (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Biomedical Technology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Geometry (AREA)
  • Computer Hardware Design (AREA)
  • Probability & Statistics with Applications (AREA)
  • Medical Informatics (AREA)
  • Physiology (AREA)
  • Genetics & Genomics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application relates to a method, a device, equipment and a storage medium for safety detection of an operating state. The method comprises the steps of carrying out standardization processing on real-time running state data of the terminal equipment to obtain real-time standard running state data of the terminal equipment, inputting the obtained real-time standard running state data into a preset detection model, determining the distance between the real-time standard running state data and each clustering center in the detection model, and determining that the safety detection result of the running state of the terminal equipment is abnormal if the distance between the real-time standard running state data and each clustering center in the detection model is larger than a preset distance threshold value. The method improves the accuracy of the safety detection result of the running state of the intelligent terminal.

Description

Method, device, equipment and storage medium for safety detection of running state
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for security detection of an operating status.
Background
As the power grid becomes more intelligent, more and more intelligent terminals are applied to the power grid, and the task of detecting the safety of the operation state of the intelligent terminals is increasingly demanding.
In the related technology, the safety detection of the operation state of the intelligent terminal takes the collected terminal data as input, and discovers information such as abnormal data grouping, abnormal interaction and the like in the terminal data through methods such as statistical analysis, data mining, machine learning and the like.
However, the safety detection result of the operation state of the intelligent terminal in the related art is low in accuracy.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a method, an apparatus, a device and a storage medium for detecting the security of the operating state, which can improve the accuracy of the security detection result of the operating state of the smart terminal.
In a first aspect, an embodiment of the present application provides a method for detecting safety of an operating state, where the method includes:
carrying out standardization processing on the real-time running state data of the terminal equipment to obtain real-time standard running state data of the terminal equipment;
inputting the real-time standard running state data into a preset detection model, and determining the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a group intelligent optimization algorithm;
and if the distances between the real-time standard operating state data and the clustering centers in the detection model are larger than a preset distance threshold, determining that the safety detection result of the operating state of the terminal equipment is abnormal.
In one embodiment, the construction process of the detection model comprises the following steps:
acquiring running state data of a plurality of sample terminal devices, and preprocessing the running state data of the plurality of sample terminal devices to obtain preprocessed running state data;
determining a plurality of initial clustering centers according to the preprocessed running state data;
optimizing a plurality of initial clustering centers through a group intelligent optimization algorithm to obtain a plurality of candidate clustering centers;
acquiring the fitness value of a cluster corresponding to each candidate clustering center according to a preset clustering fitness function;
and if the fitness value of the cluster corresponding to each candidate clustering center meets a preset first iteration convergence condition, determining each candidate clustering center as a plurality of clustering centers in the detection model to obtain the detection model.
In one embodiment, the swarm intelligence optimization algorithm comprises a particle swarm optimization algorithm and a genetic algorithm; optimizing the plurality of initial clustering centers through a group intelligent optimization algorithm to obtain a plurality of candidate clustering centers, wherein the method comprises the following steps:
initializing optimization parameters for performing a particle swarm optimization algorithm, and constructing a population optimization fitness function based on the optimization parameters; the optimization parameters include at least the position and the moving speed of the individual;
determining the fitness value of the particle population corresponding to each initial clustering center according to the population optimization fitness function, and executing a preset iteration optimization step until a preset second iteration convergence condition is met to obtain a plurality of candidate clustering centers; wherein the iterative optimization step comprises:
updating the individual positions and the moving speeds in the particle populations corresponding to all the initial clustering centers according to the individual positions and the optimized parameters in the particle populations corresponding to the optimal fitness values; the optimal fitness value represents a fitness value satisfying a preset condition;
carrying out crossover and mutation operations, through a genetic algorithm, on the individual positions in each particle population after the positions and the moving speeds are updated;
and determining the fitness value of each particle population after the crossover and mutation operations according to the population optimization fitness function.
In one embodiment, carrying out crossover and mutation operations, through a genetic algorithm, on the individual positions in each particle population after the positions and the moving speeds are updated comprises the following steps:
according to the fitness value of each particle population after the position and the moving speed are updated, carrying out a crossover operation on a first preset number of individual positions in each particle population;
and performing a mutation operation on a second preset number of the individual positions subjected to the crossover operation.
In one embodiment, before obtaining the fitness value of the cluster corresponding to each candidate cluster center according to a preset cluster fitness function, the method includes:
acquiring the distance between the preprocessed running state data and each candidate clustering center;
and updating the cluster corresponding to each candidate clustering center according to the distance between the preprocessed running state data and each candidate clustering center.
In one embodiment, the preprocessing the operation state data of the plurality of sample terminal devices to obtain the preprocessed operation state data includes:
standardizing the operation state data of the plurality of sample terminal devices to obtain standard operation state data;
acquiring the weight of standard operation state data corresponding to different feature types according to the feature types of the operation state data of the terminal equipment;
and selecting standard running state data with weight values meeting preset weight conditions as the preprocessed running state data according to the weights of the standard running state data corresponding to different feature types.
In one embodiment, obtaining the weight of the normalized operation state data corresponding to different feature types according to the feature type of the operation state data of the terminal device includes:
calculating the mean square deviation of the standard running state data corresponding to different feature types;
and carrying out normalization processing on the mean square deviations of the standard running state data corresponding to different feature types to obtain the weights of the standard running state data corresponding to different feature types.
In a second aspect, an embodiment of the present application provides an operation state safety detection apparatus, including:
the processing module is used for carrying out standardized processing on the real-time running state data of the terminal equipment to obtain the real-time standard running state data of the terminal equipment;
the input module is used for inputting the real-time standard running state data into a preset detection model and determining the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a group intelligent optimization algorithm;
and the determining module is used for determining that the safety detection result of the operation state of the terminal equipment is abnormal if the distance between the real-time standard operation state data and each clustering center in the detection model is larger than a preset distance threshold.
In a third aspect, an embodiment of the present application provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method provided in any one of the foregoing first aspects when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method provided in any one of the embodiments in the first aspect.
In the method for detecting the safety of the operating state provided in this embodiment, the real-time operating state data of the terminal device is standardized to obtain real-time standard operating state data of the terminal device, the real-time standard operating state data is input into a preset detection model, and the distance between the real-time standard operating state data and each cluster center in the detection model is determined; if the distance between the real-time standard operating state data and each cluster center in the detection model is greater than a preset distance threshold, the safety detection result of the operating state of the terminal device is determined to be abnormal. Standardizing the real-time operating state data of the terminal device brings operating state data in different units or orders of magnitude to the same scale, which facilitates comprehensive analysis and improves the accuracy of data analysis. The distance between the real-time standard operating state data and each cluster center is determined through the detection model. On the one hand, the detection model is constructed in advance and can be called directly when used, which improves detection efficiency. On the other hand, the detection model comprises a plurality of cluster centers, that is, it uses a clustering algorithm, which can analyze the operating data of the terminal device simply and efficiently, improving the simplicity and efficiency of the safety detection of the operating state of the intelligent terminal. Furthermore, the plurality of cluster centers are obtained by optimizing the detection model with a swarm intelligence algorithm, so the cluster centers can be determined accurately and quickly, which improves the accuracy of the safety detection result of the operating state of the intelligent terminal.
Drawings
FIG. 1 is a diagram of an application environment of a method for security detection of an operating state in one embodiment;
FIG. 2 is a schematic flow chart diagram illustrating a method for security detection of operational status in one embodiment;
FIG. 3 is a schematic flow chart of a method for detecting operational status safety in another embodiment;
FIG. 4 is a schematic flow chart of a method for detecting operational status safety in another embodiment;
FIG. 5 is a schematic flow chart of a method for detecting operational status safety in another embodiment;
FIG. 6 is a flowchart illustrating a method for detecting operational status in accordance with another embodiment;
FIG. 7 is a flowchart illustrating a method for detecting operational status in accordance with another embodiment;
FIG. 8 is a flowchart illustrating a method of detecting the safety of the operating state in another embodiment;
FIG. 9 is a flowchart illustrating a method of detecting the safety of the operating state in another embodiment;
FIG. 10 is a flowchart illustrating a method of detecting safety of an operation state in another embodiment;
FIG. 11 is a block diagram showing an arrangement of a safety detecting device in an operating state according to an embodiment;
FIG. 12 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The method for detecting the safety of the operating state provided by the application can be applied to computer equipment, the computer equipment can be equipment in any field, for example, terminal equipment, or various personal computers, notebook computers, tablet computers, wearable equipment and the like, and the type of the computer equipment is not limited in the embodiment of the application. As shown in FIG. 1, a schematic diagram of an internal structure of a computer device is provided, and the processor of FIG. 1 is used for providing computing and control capabilities. The memory includes a nonvolatile storage medium, an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database is used for storing relevant data of the table unit group interchange process. The network interface is used for communicating with other external devices through network connection. The computer program is executed by a processor to implement a method of security detection of an operational state.
The embodiment of the application provides a method, a device, equipment and a storage medium for detecting the running state safety, and the accuracy of the running state safety detection result of an intelligent terminal can be improved. The following describes in detail the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems by embodiments and with reference to the drawings. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. It should be noted that, according to the method for detecting safety of an operating state provided by the present application, an execution main body may be a computer device, or may also be a safety detection apparatus of an operating state, and the apparatus may be implemented as a part or all of a processor by software, hardware, or a combination of software and hardware. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments.
In an embodiment, as shown in fig. 2, a method for detecting security of an operating state is provided, where the embodiment relates to a specific process of determining a distance between real-time standard operating state data and each cluster center in a detection model according to real-time operating state data of a terminal device and a preset detection model, and determining a security detection result of the operating state of the terminal device as an anomaly according to the distance; this embodiment comprises the steps of:
S201, standardizing the real-time running state data of the terminal equipment to obtain the real-time standard running state data of the terminal equipment.
The terminal device is a device that inputs programs and data to a computer or receives a result of processing output from the computer via a communication facility. It is usually installed in a convenient place where it can be connected with a remote computer for work by using a communication facility, and is mainly composed of a communication interface control device and a special or selected input/output device. Typical input and output devices that may be selected include keyboards, card readers, paper tape readers, optical character or indicia recognizers, speech recognizers, serial or line printers, displays, card punches, paper tape punches, speech synthesizers, floppy disk drives, magnetic tape drives, disk drives, and the like.
The operation state data of the terminal device generally includes: Multipoint Control Unit occupancy (MCU_util), memory occupancy (Memory_util), program process stack state, system call frequency (system_frequency), system call sequence (system_seq), application-layer communication traffic upload rate (traffic_up), application-layer communication traffic download rate (traffic_down), and system kernel variables.
The multipoint control unit, also called multipoint conference controller, is the key equipment of multipoint video conference system, and is responsible for the access of all video conference terminals and the exchange, forwarding and processing of video and audio code streams of conference, and it extracts the information and signaling of audio, video, data, etc. from the information streams of each conference site after synchronous separation, and sends the information and signaling of each conference site to the same processing module to complete the corresponding processes of audio mixing or switching, video mixing or switching, data broadcasting and routing, timing and conference control, and finally recombines all kinds of information required by each conference site and sends them to each corresponding terminal system equipment. The method determines the reliability and stability of the whole video conference system and is a core part of the video conference system.
After the program of the terminal is compiled, it is converted into an instruction sequence supported by the MCU. When the MCU executes computation instructions, its load is high; when it executes Input/Output (IO) instructions, its load is relatively low. Therefore, the MCU occupancy rate is a good feature for representing the running state of the equipment.
mem is a memory display program which displays the occupation of all memory resident programs, and the memory is also called main memory and is a storage space which can be directly addressed by the CPU. The memory is a main component in the computer, when the terminal program runs, a space needs to be newly opened up in the memory, the running space of the program is mapped to the newly opened memory, the previously occupied memory is not released until the program stops, and the memory can be applied and released in the running process of the program. Therefore, the occupancy rate of the memory is also a characteristic of the running state of the embedded terminal.
When the kernel creates a process, it creates a corresponding stack for the process. When the terminal program runs normally, the calling relationship between functions is usually fixed, so the collected program process stack is relatively stable. With common software vulnerabilities, such as buffer overflows and format string vulnerabilities, an attack payload that intrudes on a device through the vulnerability has to control the stack of the program process, which changes the program process stack. Thus, the program process stack state feature may be used for security detection of device state.
System calls are the set of all calls implemented by an operating system for applications, i.e., a program interface or Application Programming Interface (API), which is the interface between an application program and the system.
The main function of the operating system is to manage hardware resources and to provide a good environment for application developers so that applications are more compatible. For this purpose, the kernel provides a series of kernel functions with predefined functionality, presented to the user through a set of interfaces called system calls. A system call passes the request of the application program to the kernel, invokes the corresponding kernel function to complete the required processing, and returns the processing result to the application program.
The terminal usually performs some tasks periodically through a timer, and these tasks will perform some system calls, so the system call frequency and the system call sequence of the embedded terminal will also conform to a certain rule.
The application layer interacts with a user and generates flow, and in general, the flow state of the terminal can reflect the behavior of the running program on the network, such as periodically reporting service data to the master station, collecting information of other terminals, or receiving the behavior of remote control instructions of the master station. Therefore, the traffic condition of the embedded terminal can be used for the safety detection of the device state, including: the uploading rate of the communication flow of the application layer and the downloading rate of the communication flow of the application layer.
The kernel is the core and most basic part of the operating system. It decides when and for how long a program operates on a given part of the hardware, is responsible for managing the processes, memory, device drivers, files and network system of the system, and determines the performance and stability of the system. System kernel variables reflect the running state of the device kernel, so collecting them allows the kernel security state of the terminal to be detected.
Because the collected running state information of the terminal device is instantaneous, using it directly for safety detection of the terminal device state is easily disturbed by noise. Therefore, when safety detection is carried out, the following are extracted: the average value, the variance, the average value, the skewness and the kurtosis of the occupancy rate of a Central Processing Unit (CPU); the average, variance and range of the memory occupancy rate; the mean, variance and skewness of the system call frequency; and the mean, variance, maximum and range of the flow conditions.
Standardizing data means scaling it so that it falls within a small specified interval. It is commonly used when processing indicators for comparison and evaluation: the units of the data are removed and the data is converted into dimensionless pure values, so that indicators of different units or orders of magnitude can be compared and weighted.
In one embodiment, the data may be standardized by z-score normalization (zero-mean normalization): the mean and standard deviation of the data are calculated, the mean is subtracted from each data value, and the result is divided by the standard deviation. The processed data conforms to the standard normal distribution, i.e., the mean is 0 and the standard deviation is 1.
In another embodiment, the data may be normalized by dividing the data by the maximum value of the data so that the normalized data is in the [0,1] interval.
And after the acquired real-time running state data of the terminal equipment is subjected to standardization processing, the acquired processed data is determined to be real-time standard running state data.
S202, inputting the real-time standard running state data into a preset detection model, and determining the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a group intelligent optimization algorithm.
Inputting the real-time standard running state data into a preset detection model to determine the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a group intelligent optimization algorithm.
The detection model is a preset model that determines whether data is abnormal when the data is input into the detection model.
Alternatively, the detection model may be constructed by a neural network, or may be constructed by some algorithm.
Clustering is a statistical analysis method for studying classification problems, and a technique for studying the logical or physical relationships between data. A cluster is composed of several patterns; a pattern is usually a vector of measurements, or a point in a multidimensional space. Cluster analysis is based on similarity: patterns in the same cluster are more similar to each other than to patterns in other clusters. The result of a clustering algorithm not only reveals the internal connections and differences among data, but also provides an important basis for further data analysis and knowledge discovery. Clustering algorithms are generally classified into partition-based, hierarchy-based, grid-based, density-based and model-based clustering.
The algorithm for solving the clustering problem comprises a K-means algorithm, and the main idea of the K-means algorithm is as follows: under the condition of giving K values and K initial cluster center points, each point (namely data record) is divided into the cluster represented by the cluster center point closest to the point, after all the points are distributed, the cluster center point is recalculated (averaged) according to all the points in one cluster, and then the steps of distributing the points and updating the cluster center point are iterated until the change of the cluster center point is small or the appointed iteration times are reached. Wherein, the center point of each cluster is the cluster center.
The method for determining the distance between the real-time standard operating state data and each clustering center in the detection model can adopt a Pasteur distance formula and can also adopt a Mahalanobis distance formula.
The Swarm intelligent algorithm (Swarm intelligence algorithm) simulates various Swarm behaviors of social animals, and the purpose of optimizing is realized by utilizing information interaction and cooperation among individuals in the Swarm. Any algorithm or distributed problem solving strategy which is motivated by insect groups or other animal social behavior mechanisms belongs to group intelligent algorithms. The group intelligent algorithm comprises the following steps: ant colony algorithm, particle swarm optimization algorithm, flora algorithm, frog leaping algorithm, artificial bee colony algorithm, firefly algorithm, cuckoo algorithm, bat algorithm, wolf colony algorithm, firework algorithm, and the like.
Optionally, the detection model includes a plurality of cluster centers, and in practical applications, specific applications are not limited herein.
In one embodiment, the plurality of clustering centers are obtained by optimizing a clustering algorithm based on a swarm intelligence optimization algorithm, wherein the swarm intelligence optimization algorithm can be an ant colony algorithm or an improved swarm intelligence algorithm combining an artificial bee colony algorithm and a wolf colony algorithm.
S203, if the distance between the real-time standard operating state data and each clustering center in the detection model is larger than a preset distance threshold, determining that the safety detection result of the operating state of the terminal equipment is abnormal.
That is, if the distance between the obtained real-time standard operating state data and each clustering center in the detection model is larger than the preset distance threshold, the safety detection result of the operating state of the terminal equipment is determined to be abnormal; and if the distance between the at least one piece of real-time standard operation state data and each cluster center in the detection model is not greater than the preset distance threshold, the safety detection result of the operating state of the terminal equipment is determined to be normal.
In the method for detecting the safety of the operating state provided in this embodiment, the real-time running state data of the terminal device is standardized to obtain the real-time standard operating state data; this data is then input into a preset detection model, and the distance between the data and each cluster center in the detection model is determined. If the distance between the real-time standard operating state data and each cluster center in the detection model is greater than a preset distance threshold, the safety detection result of the operating state of the terminal device is determined to be abnormal. In the method, standardizing the real-time running state data of the terminal equipment puts running state data with different units or orders of magnitude on the same scale, which facilitates comprehensive analysis and improves the accuracy of data analysis. The distance between the real-time standard operation state data and each clustering center is determined through the detection model. On one hand, the detection model is a pre-constructed model that can be called directly when in use, which improves detection efficiency. On the other hand, the detection model comprises a plurality of clustering centers, that is, it uses a clustering algorithm, and a clustering algorithm can analyze the operation data of the terminal equipment simply and efficiently, which improves the simplicity and efficiency of the safety detection of the operation state of the intelligent terminal. Furthermore, the plurality of clustering centers are obtained by optimizing the detection model with a swarm intelligence algorithm, so that the clustering centers can be determined accurately and quickly, and the accuracy of the safety detection result of the operation state of the intelligent terminal is improved.
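The following Python sketch walks through steps S201 to S203 end to end. It is an added example, not code from the patent: it assumes z-score standardization and Euclidean distance, obtains the clustering centers with plain K-means (maximum-distance initialization) in place of the swarm-optimized centers, and uses constructed telemetry fields (CPU %, memory MB, packets/s) and a constructed threshold of 0.5.

```python
import math

def fit_scaler(rows):
    """Per-feature mean and standard deviation of the training samples."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

def standardize(row, scaler):
    """S201: z-score standardization (assumed form of the standardization step)."""
    means, stds = scaler
    return [(v - m) / s for v, m, s in zip(row, means, stds)]

def dist(a, b):
    """Euclidean distance (assumption; the page also allows other distances)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def init_centers(points, k):
    """First point, then repeatedly the point farthest from the chosen centers."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist(p, c) for c in centers)))
    return centers

def kmeans(points, k, max_iter=100, tol=1e-9):
    """Plain K-means: assign each point to its nearest center, then re-average."""
    centers = init_centers(points, k)
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda i: dist(p, centers[i]))
            clusters[nearest].append(p)
        new = [[sum(col) / len(cl) for col in zip(*cl)] if cl else centers[i]
               for i, cl in enumerate(clusters)]
        shift = max(dist(a, b) for a, b in zip(centers, new))
        centers = new
        if shift < tol:  # centers barely moved: converged
            break
    return centers

def detect(raw, scaler, centers, threshold):
    """S202 + S203: abnormal only if the sample is far from every center."""
    z = standardize(raw, scaler)
    distances = [dist(z, c) for c in centers]
    label = "abnormal" if all(d > threshold for d in distances) else "normal"
    return label, distances

def constructed_samples():
    """Constructed training data: 20 idle and 20 busy terminal readings."""
    idle = [(10 + 0.5 * (i % 5), 200 + 3 * (i % 4), 50 + 2 * (i % 3)) for i in range(20)]
    busy = [(60 + 1.0 * (i % 5), 450 + 5 * (i % 4), 400 + 10 * (i % 3)) for i in range(20)]
    return idle + busy

SAMPLES = constructed_samples()
SCALER = fit_scaler(SAMPLES)
CENTERS = kmeans([standardize(r, SCALER) for r in SAMPLES], k=2)
THRESHOLD = 0.5  # constructed value; the page only says "preset"

if __name__ == "__main__":
    for reading in [(11.0, 203.0, 52.0),     # ordinary idle reading
                    (60.0, 200.0, 50.0),     # busy CPU with idle memory and traffic
                    (95.0, 210.0, 3000.0)]:  # traffic far outside either mode
        label, d = detect(reading, SCALER, CENTERS, THRESHOLD)
        print(reading, label, [round(x, 2) for x in d])
```

The second reading shows why the distance is taken in the joint feature space: each of its values is normal for some operating mode, but the combination is far from both clustering centers.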
For the detection model in the previous embodiment, the following describes the construction process of the detection model in detail by an embodiment. In one embodiment, as shown in fig. 3, the construction process of the detection model includes the following steps:
S301, obtaining the running state data of a plurality of sample terminal devices, and preprocessing the running state data of the plurality of sample terminal devices to obtain the preprocessed running state data.
The running state data of a plurality of sample terminal devices is obtained and then preprocessed, that is, the data is processed from its original state into data that can be handled in the next step.
In an embodiment, the operation state data of the plurality of sample terminal devices may be obtained directly from the terminal devices or from an existing database; this is not limited in this application in practical application.
In the real world, data is mostly incomplete and inconsistent dirty data, which cannot be mined directly or gives unsatisfactory mining results. Data preprocessing techniques, which refer to processing performed on data before the main processing, have been developed to improve the quality of data mining. There are various methods of data preprocessing: data cleaning, data integration, data transformation, data reduction and the like.
In one embodiment, the operation state data of the plurality of sample terminal devices is preprocessed by data cleaning, which "cleans" the data by filling in missing values, smoothing noisy data, identifying or deleting outliers, and resolving inconsistencies. Its main purposes are format standardization, removal of abnormal data, error correction, and removal of duplicate data.
In another embodiment, the running state data of the plurality of sample terminal devices is preprocessed by data transformation, which converts the data into a form suitable for data mining by means of smoothing and aggregation, data generalization, normalization and the like.
S302, determining a plurality of initial clustering centers according to the preprocessed running state data.
In an embodiment, a plurality of initial clustering centers are determined according to the preprocessed operating state data, and the determining of the plurality of initial clustering centers may be performed by directly and randomly assigning the plurality of initial clustering centers in the preprocessed operating state data.
In another embodiment, a plurality of initial clustering centers are determined according to the preprocessed running state data, and the manner of determining the plurality of initial clustering centers may also be that one clustering center is randomly selected, and the rest clustering centers are determined according to the maximum distance principle. The method for determining the plurality of initial clustering centers is not limited in the application.
S303, optimizing the plurality of initial clustering centers through a swarm intelligence optimization algorithm to obtain a plurality of candidate clustering centers.
The plurality of initial clustering centers obtained in the above embodiment are optimized with a swarm intelligence optimization algorithm to obtain a plurality of optimal initial clustering centers; the optimal initial clustering centers obtained through this optimization are called candidate clustering centers.
In an embodiment, the swarm intelligence algorithm in this embodiment may be an ant colony algorithm, and the multiple candidate clustering centers are obtained through continuous iterative optimization of the ant colony algorithm.
S304, according to a preset clustering fitness function, obtaining the fitness value of the cluster corresponding to each candidate clustering center.
The choice of fitness function directly influences the convergence speed of the algorithm and whether the optimal solution can be found, because the algorithm makes essentially no use of external information during evolutionary search and searches only on the basis of the fitness function, using the fitness of each individual in the population. Fitness refers to the degree to which an individual is adapted to its environment. In the clustering problem a clustering fitness function is set; it is a correspondence between each candidate clustering center and its cluster, and it is the evaluation function that guides the search in the algorithm.
The cluster fitness function is used for judging whether the current cluster division is good enough and whether the required clustering effect has been achieved. The clustering algorithm aims to place similar individuals in the same cluster, so the closer the individuals in the same cluster are to the clustering center, the better the clustering effect; and the larger the difference between two clusters, that is, the farther apart the two clustering centers are, the better the clustering effect.
In one embodiment, the fitness function is:
Figure BDA0003284440620000091
Figure BDA0003284440620000092
where $fit_i$ denotes the fitness function of the $i$-th population individual; $c_{ij}$ denotes the $j$-th cluster center represented by the $i$-th individual; $x$ denotes an individual included in the cluster whose center is $c_{ij}$; $dis(x - c_{ij})$ denotes the distance between $x$ and the center $c_{ij}$ of the cluster to which it belongs; $c_{ia}$ and $c_{ib}$ are both clustering centers represented by the $i$-th individual; and $dis(c_{ia}, c_{ib})$ denotes the distance between two cluster centers.
The calculation formula of the distance is:
Figure BDA0003284440620000101
According to a preset clustering fitness function, the fitness value of the cluster corresponding to each candidate clustering center can be obtained in a mode that each candidate clustering center and the corresponding cluster are used as input, and the fitness value is output through a neural network model.
S305, if the fitness value of the cluster corresponding to each candidate cluster center meets a preset first iteration convergence condition, determining each candidate cluster center as a plurality of cluster centers in the detection model to obtain the detection model.
And comparing and analyzing the obtained fitness value of the class corresponding to each candidate clustering center with a preset first iteration convergence condition, and if the fitness value of the class corresponding to each candidate clustering center meets the preset first iteration convergence condition, determining each candidate clustering center as a plurality of clustering centers in the detection model to obtain the detection model.
In an embodiment, each candidate cluster center is determined as a plurality of cluster centers in the detection model, and the determination may be performed by directly regarding each candidate cluster center as a plurality of cluster centers in the detection model.
Optionally, the first iteration convergence condition may be that the fitness value of the cluster corresponding to each candidate cluster center is greater than a certain threshold.
The method for detecting the safety of the operating state provided in this embodiment includes obtaining operating state data of a plurality of sample terminal devices, preprocessing the operating state data of the plurality of sample terminal devices to obtain preprocessed operating state data, determining a plurality of initial clustering centers according to the preprocessed operating state data, optimizing the plurality of initial clustering centers through a swarm intelligence optimization algorithm to obtain a plurality of candidate clustering centers, obtaining a fitness value of a cluster corresponding to each candidate clustering center according to a preset clustering fitness function, and determining each candidate clustering center as a plurality of clustering centers in a detection model to obtain the detection model if the fitness value of the cluster corresponding to each candidate clustering center meets a preset first iteration convergence condition. According to the method, a plurality of initial clustering centers are obtained through optimization of a group intelligent optimization algorithm, so that a plurality of candidate clustering centers are obtained, the candidate clustering centers can be accurately and quickly determined, the accuracy of the safety detection result of the running state of the intelligent terminal is improved, then the fitness value of the cluster corresponding to each candidate clustering center is obtained, whether the preset first iteration convergence condition is met or not is judged, if yes, each candidate clustering center is determined to be a plurality of clustering centers of a detection model, the detection model is obtained, the established detection model can be directly called when used, and the detection efficiency is improved.
Based on any one of the previous embodiments, in one embodiment, as shown in fig. 4, the swarm intelligence optimization algorithm comprises a particle swarm optimization algorithm and a genetic algorithm; optimizing a plurality of initial clustering centers through the swarm intelligence optimization algorithm to obtain a plurality of candidate clustering centers comprises the following steps:
S401, initializing optimization parameters for performing a particle swarm optimization algorithm, and constructing a swarm optimization fitness function based on the optimization parameters; the optimization parameters include at least the position and the speed of movement of the individual.
Particle swarm optimization (PSO) is also known as the particle swarm algorithm. PSO is a stochastic search algorithm based on population collaboration, developed by simulating the foraging behavior of a flock of birds. PSO is initialized with a population of random particles (random solutions) and then finds the optimal solution through iteration; in each iteration the particles update themselves by tracking two "extrema". The first is the optimal solution found by the particle itself, called the individual extremum; the other is the optimal solution found by the whole population, which is the global extremum.
In one embodiment, the optimization parameters of the particle swarm optimization algorithm include the number k of the clustering centers, the dimension col of the clustering centers, the dimension dim of the particle swarm algorithm, the maximum and minimum values of the positions of the particle swarm, the maximum and minimum values of the speed, the number of iterations, the size of the swarm being M, and the maximum and minimum values of the inertial weight, where dim = k × col.
The population positions of the particle swarm are determined according to the plurality of initial clustering centers determined in step S302; for example, step S302 may be repeated M times to obtain the positions of the M particles. The velocity of each particle is initialized randomly within the permitted velocity range.
S402, determining the fitness value of the particle population corresponding to each initial clustering center according to the population optimization fitness function, and executing a preset iteration optimization step until a preset second iteration convergence condition is met to obtain a plurality of candidate clustering centers.
In one embodiment, the population optimization fitness function may be set as:
Figure BDA0003284440620000111
where Center denotes each initial cluster center and $C_i$ denotes the operation state data of the cluster center.
And determining the fitness value of the particle population corresponding to each initial clustering center according to the population optimization fitness function to obtain the fitness value of the particle population, and recording the individual extreme value, the global extreme value, the individual optimal position and the global optimal position of the particles.
The preset iterative optimization step may optimize the positions and fitness values of the particle swarm. If a preset second iteration convergence condition is met, the global optimal positions of the particles are output and used as the plurality of candidate clustering centers; if the second iteration convergence condition is not met, the preset iterative optimization step continues to be executed.
The iterative optimization step in the above embodiment is explained in detail below by an embodiment. In one embodiment, as shown in fig. 5, the iterative optimization step comprises the steps of:
S501, updating the individual positions and the moving speeds in the particle populations corresponding to all initial clustering centers according to the individual positions and the optimized parameters in the particle populations corresponding to the optimal fitness values; the optimal fitness value represents a fitness value that satisfies a preset condition.
In one embodiment, the individual position and moving speed of the particle swarm are updated by the formula:
Figure BDA0003284440620000112
Figure BDA0003284440620000113
Figure BDA0003284440620000121
$V_{id} = \omega V_{id} + C_1 \rho_1 (P_{id} - X_{id}(t)) + C_2 \rho_2 (P_{gd} - X_{id}(t))$ (7)
$x_{id} = V_{id} + x_{id}$ (8)
where equations (7) and (8) are the update formulas for the moving speed and the individual position of the particle swarm. Formula (4) is the formula for the change of the inertia weight and has three parts: the first part is the lower limit of $\omega$ in the model design, the second part is the $\omega$ value influenced by particle fitness, and the third part is the $\omega$ value influenced by the passage of time. Formulas (5) and (6) are the formulas for the change of $C_1$ and $C_2$; $C_1$ and $C_2$ are likewise adjusted according to how the gap between $X_{id}(t)$ and $P_{id}$, $P_{gd}$ progresses, that is, iteration speed is favored in the early stage, and once the vicinity of the extreme point is reached the iteration slows down to search for the extreme point. $\omega_{min}$ is the lower limit of $\omega$; $\omega_{max}$ is the upper limit of $\omega$; $fit_{min}$ is the fitness of the best position of all particles so far; $fit_{id}$ is the fitness of each particle at its current position; $time_{max}$ is the maximum number of iterations; $time_{id}$ is the current iteration number; $C_1$, $C_2$ are learning constants; $V_{id}$ is the velocity of the $i$-th particle (with $d$ dimensions); $P_{id}$ is the best position of each particle so far, i.e. the population optimal position; $P_{gd}$ is the best position of all particles so far, i.e. the global optimal position; $X_{id}(t)$ is the current position of each particle; $\rho_1$, $\rho_2$ are random numbers between 0 and 1.
The moving speeds and individual positions in the particle populations corresponding to all the initial clustering centers are updated with formulas (7) and (8), according to the optimization parameters and the individual positions in the particle populations corresponding to the optimal fitness values. Here the optimal fitness values are the individual extreme values and the global extreme value of the particle swarm, and the individual positions corresponding to the optimal fitness values are the individual optimal positions and the global optimal position of the particle swarm.
S502, performing crossover and mutation operations, through a genetic algorithm, on the individual positions in each particle population after the positions and the moving speeds are updated.
A genetic algorithm (GA) is a randomized search method derived from the evolutionary laws of the biological world (survival of the fittest, the genetic mechanism of selecting the superior and eliminating the inferior). Its main characteristics are that it operates directly on structural objects, with no requirement of differentiability or function continuity; it has good global optimization capability; and, by adopting a probabilistic optimization method, it can automatically acquire and guide the optimized search space and adaptively adjust the search direction without needing fixed rules. The genetic algorithm takes all individuals in a population as its objects and uses randomization to guide an efficient search of the coded parameter space. Selection, crossover and mutation constitute the genetic operations of the genetic algorithm.
The crossover and mutation operations of the genetic algorithm are executed on the updated individual positions and moving speeds of the particle swarm. The crossover operation selects two individuals and exchanges part of the genes of their chromosomes in a certain manner to form two new individuals; crossover includes single-point crossover, multi-point crossover, and uniform crossover. The new individuals formed by the crossover operation mutate with a certain probability; mutation operations include basic bit mutation, uniform mutation, boundary mutation, non-uniform mutation and Gaussian approximate mutation.
S503, determining the fitness value of each particle swarm subjected to the crossover and mutation operations according to the swarm optimization fitness function.
The particles resulting from the crossover and mutation operations are obtained, and their fitness values are determined according to the population optimization fitness function of the above embodiment.
The safety detection method for the operating state provided by this embodiment includes initializing optimization parameters for performing a particle swarm optimization algorithm, where the optimization parameters at least include individual positions and moving speeds, constructing a population optimization fitness function based on the optimization parameters, determining fitness values of particle populations corresponding to initial cluster centers according to the population optimization fitness function, and executing a preset iterative optimization step until a preset second iterative convergence condition is satisfied, so as to obtain a plurality of candidate cluster centers; wherein the iterative optimization step comprises: and updating the individual positions and the moving speed in the particle populations corresponding to all the initial clustering centers according to the individual positions and the optimized parameters in the particle populations corresponding to the optimal fitness values, wherein the optimal fitness values represent the fitness values meeting preset conditions, performing cross variation operation on the individual positions in the particle populations after the positions and the moving speeds are updated through a genetic algorithm, and determining the fitness values of the particle populations after the cross variation operation according to a population optimized fitness function. In the method, a plurality of initial clustering centers are optimized by utilizing the intersection and variation operations in the particle swarm optimization algorithm and the genetic algorithm, so that a plurality of candidate clustering centers are obtained, the candidate clustering centers can be accurately and quickly determined, and the accuracy of the safety detection result of the running state of the intelligent terminal is improved.
In one embodiment, as shown in fig. 6, the cross mutation operation of the individual positions in each particle population after the position and the moving speed are updated by a genetic algorithm includes the following steps:
S601, according to the fitness value of each particle population after the position and the moving speed are updated, performing a crossover operation on the individual positions of the first preset number in each particle population.
Based on the updated individual positions and moving speeds in the particle populations obtained in the above embodiment, the fitness values of the particle populations are determined and sorted in ascending order and, after ranking, the first preset number of individual positions are subjected to the crossover operation.
In one embodiment, the particle population has M individuals in total and the first preset number is $P_{cross} M$ individuals, where $P_{cross}$ is the crossover probability. Crossover can enlarge the search range of the algorithm, but as the fitness increases and the number of iterations increases, the algorithm gradually approaches the optimal solution and the search range no longer needs to be expanded much; that is, the crossover probability needs to be gradually reduced. The crossover probability and crossover operation in this embodiment are therefore defined as follows:
$P_{cross,0} = 0.5$ (9)
Figure BDA0003284440620000131
$P_{cross,l} = \max(P'_{cross,l}, 0.1)$ (11)
$a_{kj} = a_{kj}(1 - b) + a_{lj} b$ (12)
$a_{lj} = a_{lj}(1 - b) + a_{kj} b$ (13)
where $P_{cross,0}$ is the initial crossover probability, $l$ is the current iteration number, $P_{cross,l}$ is the crossover probability of the $l$-th iteration,
Figure BDA0003284440620000141
represents the minimum fitness value of all individuals in the population of the $l$-th iteration,
Figure BDA0003284440620000142
represents the mean fitness value of all individuals in the population of the $l$-th iteration. $a_{kj}$ and $a_{lj}$ denote the new particle positions obtained by the crossover operation on the $j$-th dimension of the $k$-th particle $a_k$ and the $l$-th particle $a_l$, and $b$ is a random number in $[0, 1]$.
S602, performing mutation operation on the second preset number of individual positions subjected to the crossover operation.
Mutation adds randomness to the genetic algorithm: if a local optimum is reached, several random individuals need to be supplied to help the algorithm jump out of it. Using the mutation operation adds a certain randomness to the PSO algorithm, so that the algorithm has the chance to escape a local optimum and becomes more efficient. In summary, the closer the fitness is to the optimum, or the later the stage of the iteration, the more the probability of mutation needs to be increased, to prevent the algorithm from being stuck at a locally optimal point. Since mutation is applied only to the new individuals generated by the crossover operation in the above embodiment, and not to all individuals of the particle population, there is no need to worry that the individual with the best fitness will be lost through mutation.
In one embodiment, the mutation probability and mutation operation may be defined as:
Figure BDA0003284440620000143
$P_{mutation,l} = \max(P'_{mutation,l}, 0.1)$ (15)
Figure BDA0003284440620000144
$f(g) = r_2 (1 - t/t_{max})^2$ (17)
where $P_{mutation,l}$ denotes the mutation probability of the $l$-th iteration, $P_{cross,l}$ is the crossover probability of the $l$-th iteration, $t_{max}$ denotes the maximum number of iterations, $t$ is the current number of iterations,
Figure BDA0003284440620000145
represents the maximum fitness value of all individuals in the population of the $l$-th iteration,
Figure BDA0003284440620000146
represents the minimum fitness value of all individuals in the population of the $l$-th iteration,
Figure BDA0003284440620000147
represents the average fitness of all individuals in the population of the $l$-th iteration; $a_{ij}$ denotes the $j$-th dimension of the $i$-th individual, upper is the upper limit of the population position, lower is the lower limit of the population position, and $r$ and $r_2$ are random numbers from 0 to 1.
According to the method for detecting the safety of the operation state provided by this embodiment, according to the fitness value of each particle population after updating the position and the moving speed, the crossing operation is performed on the individual positions of the first preset number in each particle population, and the variation operation is performed on the individual positions of the second preset number after the crossing operation. In the method, the particle swarm algorithm is prevented from falling into local optimum by utilizing the cross and variation operations, the search range is expanded, and the accuracy of the algorithm solution is improved, so that the accuracy of the safety detection result of the running state of the intelligent terminal is improved.
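The hybrid loop described above can be sketched as follows: the PSO update of equations (7) and (8), then the arithmetic crossover of equations (12) and (13) on $P_{cross} M$ ranked particles. This is an added example, not code from the patent. Because equations (3) to (6), (10), (14) and (16) are not reproduced on this page, it assumes constant $\omega$, $C_1$, $C_2$, a linear decay standing in for equation (10), and a sum-of-nearest-center-distances objective, and it omits mutation. The data points are constructed.

```python
import math
import random

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def fitness(position, data, k):
    """Assumed objective (lower is better): total distance from every sample
    to its nearest center. The page's own fitness function is not reproduced."""
    col = len(data[0])
    centers = [position[j * col:(j + 1) * col] for j in range(k)]
    return sum(min(dist(x, c) for c in centers) for x in data)

def cross_probability(l, l_max):
    """Start value of equation (9) and floor of equation (11). The linear
    decay in between stands in for equation (10) (assumption)."""
    return max(0.5 * (1.0 - l / l_max), 0.1)

def crossover(a_k, a_l, b):
    """Equations (12) and (13) on every dimension j; both right-hand sides
    use the pre-crossover values."""
    new_k = [x * (1 - b) + y * b for x, y in zip(a_k, a_l)]
    new_l = [y * (1 - b) + x * b for x, y in zip(a_k, a_l)]
    return new_k, new_l

def optimise(data, k, M=12, l_max=40, seed=1, omega=0.7, c1=1.5, c2=1.5, v_max=0.5):
    """Return (candidate clustering centers, global-best fitness per iteration)."""
    rng = random.Random(seed)
    col = len(data[0])
    dim = k * col                                   # dim = k x col
    # Each particle encodes k centers; initialise from k randomly chosen samples.
    X = [[v for s in rng.sample(data, k) for v in s] for _ in range(M)]
    V = [[rng.uniform(-v_max, v_max) for _ in range(dim)] for _ in range(M)]
    P = [x[:] for x in X]                           # individual best positions
    p_fit = [fitness(x, data, k) for x in X]
    best = min(range(M), key=p_fit.__getitem__)
    G, g_fit = P[best][:], p_fit[best]              # global best position
    history = [g_fit]
    for l in range(l_max):
        for i in range(M):
            for d in range(dim):
                v = (omega * V[i][d]
                     + c1 * rng.random() * (P[i][d] - X[i][d])
                     + c2 * rng.random() * (G[d] - X[i][d]))   # equation (7)
                V[i][d] = max(-v_max, min(v_max, v))           # speed limits
                X[i][d] += V[i][d]                             # equation (8)
        # S601: rank by fitness (ascending), cross the first P_cross * M particles.
        fits = [fitness(x, data, k) for x in X]
        order = sorted(range(M), key=fits.__getitem__)
        n = int(cross_probability(l, l_max) * M) // 2 * 2
        for first, second in zip(order[0:n:2], order[1:n:2]):
            X[first], X[second] = crossover(X[first], X[second], rng.random())
        # S503: re-evaluate and keep the individual and global extrema.
        for i in range(M):
            f = fitness(X[i], data, k)
            if f < p_fit[i]:
                P[i], p_fit[i] = X[i][:], f
                if f < g_fit:
                    G, g_fit = X[i][:], f
        history.append(g_fit)
    return [G[j * col:(j + 1) * col] for j in range(k)], history

# Constructed, already standardized samples forming two groups.
DATA = ([(-1 + 0.05 * (i % 5), -1 + 0.04 * (i % 4)) for i in range(20)]
        + [(1 - 0.05 * (i % 5), 1 - 0.04 * (i % 3)) for i in range(20)])

if __name__ == "__main__":
    centers, history = optimise(DATA, k=2)
    print("candidate centers:", [[round(v, 3) for v in c] for c in centers])
    print("fitness first/last:", round(history[0], 3), round(history[-1], 3))
```

Because the individual and global best positions are stored separately from the current positions, crossing the ranked particles cannot lose the best solution found so far.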
In the foregoing embodiment, the fitness value of the class cluster corresponding to each candidate cluster center is obtained according to the preset cluster fitness function. Before that operation is performed, in an embodiment, as shown in fig. 7, the method further includes the following steps:
S701, obtaining the distance between the preprocessed running state data and each candidate clustering center.
In an embodiment, the distance between the preprocessed operating state data and each candidate cluster center may be obtained according to a distance measurement formula:
Figure BDA0003284440620000151
Wherein x represents the running state data after the preprocessing, and center represents the candidate clustering center.
Optionally, the distance between the preprocessed operating state data and each candidate cluster center may be obtained by using a solution of mahalanobis distance.
And S702, updating the cluster corresponding to each candidate clustering center according to the distance between the preprocessed running state data and each candidate clustering center.
And updating the cluster corresponding to each candidate clustering center according to the distance between the obtained preprocessed running state data and each candidate clustering center.
In one embodiment, each item of preprocessed operating state data is assigned, on a nearest-distance principle, to the candidate cluster center closest to it, and the class clusters are formed in this way; an item of preprocessed operating state data is considered to belong to the class of the candidate cluster center it is closest to.
In the method for detecting the safety of the operating state provided in this embodiment, the distance between the preprocessed operating state data and each candidate clustering center is obtained, and the cluster corresponding to each candidate clustering center is updated according to the distance between the preprocessed operating state data and each candidate clustering center. According to the method, the operation state data is preprocessed, so that comprehensive analysis of the data is facilitated, the accuracy of data analysis is improved, the distance between the preprocessed operation state data and each candidate clustering center is obtained, the cluster corresponding to each candidate clustering center is updated according to the distance between the preprocessed operation state data and each candidate clustering center, and the accuracy of the safety detection result of the operation state of the intelligent terminal is improved.
Based on the foregoing embodiment, the operation state data of a plurality of sample terminal devices is preprocessed to obtain preprocessed operation state data, which is described in detail below with an embodiment. In an embodiment, as shown in fig. 8, the preprocessing the operation state data of the plurality of sample terminal devices to obtain the preprocessed operation state data includes the following steps:
S801, standardizing the operation state data of the plurality of sample terminal devices to obtain standard operation state data.
After the operation state data of the plurality of sample terminal devices is obtained, the operation state data of the plurality of sample terminal devices needs to be standardized. Normalization of the data is to scale the data to fall within a small specified interval.
In an embodiment, the operation state data of the plurality of sample terminal devices is normalized so that the data is mapped into the range 0 to 1; the method adopted in the embodiment is to divide the value in each dimension of the data by the maximum value of that dimension over all the data.
Figure BDA0003284440620000161
Where a_ip represents the p-th dimension value of the i-th data, b_ip is the value of a_ip after preprocessing, and R_p is the maximum of the p-th dimension values of the data.
S802, according to the characteristic types of the operation state data of the terminal equipment, acquiring the weight of the standard operation state data corresponding to different characteristic types.
The terminal equipment operation state data comprises the following feature types: (1) unordered enumerated features, such as process stack state and system kernel variables; (2) ordered enumerated features, such as system call frequency and system call time sequence; (3) {0,1}-type features; and (4) ordered continuous features, such as CPU occupancy and memory occupancy. The collected terminal operation state data often has many features, and if all of the feature data take part in the clustering process, the dimensionality becomes too high. In addition, the importance of the individual features to anomaly detection often differs greatly, so feature selection must be performed on the high-dimensional terminal operation state data to improve the detection accuracy.
And acquiring the weight of the standard operation state data corresponding to different feature types according to the feature types of the operation state data of the terminal equipment.
In one embodiment, the weights of the standard operating state data corresponding to different feature types are obtained by inputting the standard operating state data into the neural network model, and finally, the weights of the standard operating state data are directly output.
S803, selecting standard running state data with weight values meeting preset weight conditions as the preprocessed running state data according to the weights of the standard running state data corresponding to different feature types.
And selecting standard running state data with weight values meeting preset weight conditions as the preprocessed running state data according to the weights of the standard running state data corresponding to the different feature types.
In one embodiment, the preset weight condition may be a fixed value, in which case the standard operation state data whose weight is greater than that value is used as the preprocessed operation state data. The preset weight condition may also be a probability, in which case the weight values of the obtained standard operating state data are arranged in ascending order, and the standard operating state data whose weights rank within the top preset probability are used as the preprocessed operating state data.
The present application does not limit the preset weight condition used in practical applications.
According to the method for detecting the safety of the operation state, the operation state data of the plurality of sample terminal devices are standardized to obtain standard operation state data, the weights of the standard operation state data corresponding to different feature types are obtained according to the feature types of the operation state data of the terminal devices, and then the standard operation state data with the weight values meeting the preset weight conditions are selected as the preprocessed operation state data according to the weights of the standard operation state data corresponding to the different feature types. The method has the advantages that the standard running state data are subjected to feature optimization selection, important feature data are selected, secondary feature data are abandoned, overhigh dimensionality is avoided, the accuracy of anomaly detection is improved, and therefore the accuracy of the safety detection result of the running state of the intelligent terminal is improved.
Based on the feature types of the operation state data of the terminal device in the foregoing embodiment, the weights of the operation state data after the normalization processing corresponding to different feature types are obtained, which is described in detail below with an embodiment. In an embodiment, as shown in fig. 9, obtaining weights of the normalized operation state data corresponding to different feature types according to the feature types of the operation state data of the terminal device includes the following steps:
S901, calculating the mean square deviation of the standard running state data corresponding to different feature types.
In one embodiment, to calculate the mean square deviations of the standard operating state data corresponding to different feature types, the mean of each standard operating state data is calculated first, and the mean square deviation of each standard operating state data is then obtained from that mean, as given by equations (19) and (20).
Figure BDA0003284440620000171
Figure BDA0003284440620000172
Where
Figure BDA0003284440620000173
represents the mean of the i-th standard operating state data, σ_i represents the mean square deviation of the i-th standard operating state data, and P represents the dimension of the standard operating state data.
S902, normalizing the mean square deviations of the standard running state data corresponding to different feature types to obtain the weights of the standard running state data corresponding to different feature types.
In an embodiment, normalization processing is performed according to the mean square deviations of the standard operating state data corresponding to different feature types obtained in the above embodiment, where the normalization processing is performed by dividing the mean square deviation of the standard operating state data corresponding to each different feature type by the sum of the mean square deviations of the standard operating state data corresponding to different feature types, so as to obtain weights of the standard operating state data corresponding to different feature types.
Figure BDA0003284440620000174
Where w_i represents the weight of the i-th standard operation state data, and N represents the number of the standard operation state data.
In the method for detecting the safety of the operating state provided in this embodiment, the mean square deviations of the standard operating state data corresponding to different feature types are calculated, and the mean square deviations of the standard operating state data corresponding to different feature types are normalized to obtain the weights of the standard operating state data corresponding to different feature types. According to the method, the weight of the standard running state data corresponding to different feature types is calculated, and the accuracy of the safety detection result of the running state of the intelligent terminal is improved.
In practical applications, if the real-time standard operating state data is determined to be abnormal data, the operating state of the terminal device is in an abnormal state, and when the operating state of the terminal device is abnormal, the abnormal early warning process is started.
In one embodiment, when abnormal data is detected, the computer device pops up a dialog box, the dialog box displays that 'abnormal conditions occur in the running state of the detection terminal, and the detection terminal is required to be overhauled', and is provided with a 'confirmation' button, and the dialog box disappears only after the 'confirmation' button is clicked.
Alternatively, when abnormal data is detected, the computer device may issue an alarm indicating that an abnormal condition occurs in the operational state of the terminal device being detected, and the alarm may be removed only after confirming the abnormal state of the terminal device.
In an embodiment, if at least one of the distances between the real-time standard operating state data and the cluster centers in the detection model is not greater than a preset distance threshold, it is determined that the safety detection result of the operating state of the terminal device is normal, that is, the operating state of the terminal device is not abnormal.
In an embodiment, as shown in fig. 10, there is further provided a method for detecting safety of an operating state, where the method includes the following steps:
S1001, acquiring terminal operation state data, performing normalization processing and feature optimization selection on the data to obtain the weight of each data, and selecting the data with larger weight as standard operation data;
S1002, randomly selecting an initial clustering center according to standard operation data, selecting other clustering centers according to a maximum distance principle, repeating the operation for M times to obtain the initial position of the particle swarm, and initializing optimization parameters of the particle swarm;
S1003, determining clustering division of data according to a nearest neighbor rule, and determining a fitness function of the particle swarm according to a clustering center;
S1004, calculating the fitness value of the particle according to the fitness function, and obtaining an individual extreme value, a global extreme value, an individual optimal position and a global optimal position according to the fitness value;
S1005, redefining the inertia weight and the learning constants c1 and c2, and updating the speed and the position of the particle according to the speed and position updating formulas of the particle swarm;
S1006, calculating the fitness value of the particle swarm, arranging the fitness values in an ascending order, and updating the positions of the particles according to crossover and mutation operations;
S1007, calculating the fitness value of the particle, and updating the individual extreme value, the global extreme value, the individual optimal position and the global optimal position;
S1008, judging whether an iteration convergence condition is met; if so, outputting the global optimal position of the particle, namely the optimal initial clustering center; otherwise, continuing to execute S1005-S1007;
S1009, defining a clustering fitness function according to the characteristics of clustering, clustering and dividing data according to a nearest distance principle, and calculating a clustering fitness value;
S1010, judging whether an iterative convergence condition is met; if so, outputting a final clustering center to obtain a detection model; if not, calculating the mean value of each category, regarding the mean value as a new clustering center, and continuing to execute step S1009;
S1011, acquiring running state data of the intelligent terminal in real time, preprocessing the data to obtain real-time monitoring data, and sending the real-time monitoring data to a detection model;
S1012, calculating the distance between the real-time monitoring data and each clustering center in the model, and identifying the real-time monitoring data as abnormal data when its distance to every normal clustering center is greater than a set threshold distance; the terminal equipment is then in an abnormal state, and abnormal early warning is performed.
In the steps of the safety detection method for the operating status provided in this embodiment, the implementation principle and technical effect are similar to those in the foregoing embodiments of the safety detection method for the operating status, and details are not repeated here.
In one embodiment, a security detection model is constructed as follows.
(1) Data of the intelligent terminal is first collected and the relevant state information of the equipment is acquired. The different types of data features in the original state information are normalized using different methods, and the data features are then optimized and selected: a feature optimization selection method based on analysis of the feature value distribution calculates the feature weights, selects the important features and discards the secondary features, which avoids excessive dimensionality and improves the accuracy of anomaly detection.
(2) An improved particle swarm optimization algorithm is combined with an improved genetic algorithm to provide a genetic-algorithm-based improved particle swarm optimization (GPSO) algorithm. The GPSO algorithm can be used to search for an optimal solution; an initial clustering center in K-means clustering can be regarded as the optimal solution of the GPSO algorithm, and the optimal clustering center makes the fitness function reach its optimal value. The crossover and mutation operations of the genetic algorithm are introduced into the particle swarm to update the particle positions, so that the population can generate new individuals during each iteration, which makes it less difficult for the particle population to jump out of a local optimum. The GPSO algorithm is then combined with the improved K-means algorithm to provide the GPSOK-means algorithm: the fitness function of the particle swarm algorithm is taken as the target function of the GPSO algorithm, the optimal initial clustering center for the improved K-means algorithm is obtained through the GPSO algorithm, the terminal operation state data is clustered using that result, and an efficient and accurate intelligent terminal safety detection model is finally obtained.
(3) After the model training is completed, real-time terminal running state data can be sent into the model for detection, to judge whether the terminal is safe. The detection steps are as follows: 1) acquiring running state data of the intelligent terminal in real time; 2) preprocessing the data to obtain real-time monitoring data, and sending the real-time monitoring data to the detection model; 3) calculating the distance between the real-time monitoring data and each clustering center in the model; 4) when the distances between the real-time monitoring data and all of the normal clustering centers are larger than the set threshold distance, identifying the real-time monitoring data as abnormal data; the terminal equipment is then in an abnormal state, and abnormal early warning is performed.
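The preprocessing, clustering and threshold-detection steps described above can be traced end to end in a short Python sketch. This is an added example, not code from the patent: the sample readings, the weight cut-off of 0.1, the distance threshold of 0.15 and all function names are constructed, Euclidean distance and a per-feature deviation are assumed because the formulas are not reproduced on this page, and the GPSO search for initial centers is replaced by two hand-picked starting rows.

```python
import math

# Constructed training samples (not from the patent): one row per terminal reading,
# columns = CPU %, memory %, system calls per second, a {0,1} flag that never changes.
TRAINING = [
    [10, 30, 200, 1], [12, 32, 220, 1], [11, 31, 210, 1], [9, 29, 190, 1],   # idle
    [70, 60, 900, 1], [72, 62, 920, 1], [68, 58, 880, 1], [71, 61, 910, 1],  # busy
]

def scale(row, maxima):
    """S801: divide each dimension by that dimension's maximum over the samples."""
    return [v / m if m else 0.0 for v, m in zip(row, maxima)]

def feature_weights(rows):
    """S901-S902: deviation of each feature, normalised so the weights sum to 1.
    Assumption: the deviation is taken per feature column across the samples."""
    n = len(rows)
    sigmas = []
    for col in zip(*rows):
        mean = sum(col) / n
        sigmas.append(math.sqrt(sum((v - mean) ** 2 for v in col) / n))
    total = sum(sigmas)
    if total == 0:  # every feature constant: nothing to rank, weight them equally
        return [1.0 / len(sigmas)] * len(sigmas)
    return [s / total for s in sigmas]

def nearest(point, centers):
    """Index of the closest center and the distance to it (Euclidean, assumed)."""
    dists = [math.dist(point, c) for c in centers]
    best = min(range(len(centers)), key=dists.__getitem__)
    return best, dists[best]

def kmeans(points, centers, max_iter=100, tol=1e-9):
    """S1009-S1010: nearest-center assignment, then cluster means as new centers."""
    for _ in range(max_iter):
        clusters = [[] for _ in centers]
        for p in points:
            clusters[nearest(p, centers)[0]].append(p)
        updated = [
            [sum(col) / len(members) for col in zip(*members)] if members else old
            for members, old in zip(clusters, centers)  # empty cluster keeps its center
        ]
        moved = max(math.dist(a, b) for a, b in zip(updated, centers))
        centers = updated
        if moved < tol:
            break
    return centers

def build_model(rows, min_weight, initial_rows, threshold):
    """Training side: scale, weight and select features (S803), then cluster."""
    maxima = [max(col) for col in zip(*rows)]
    scaled = [scale(r, maxima) for r in rows]
    weights = feature_weights(scaled)
    keep = [i for i, w in enumerate(weights) if w > min_weight]
    points = [[r[i] for i in keep] for r in scaled]
    # Stand-in for the GPSO step: start from two hand-picked training rows.
    centers = kmeans(points, [points[i] for i in initial_rows])
    return {"maxima": maxima, "weights": weights, "keep": keep,
            "centers": centers, "threshold": threshold}

def is_abnormal(raw_row, model):
    """S1011-S1012: abnormal only if the reading is farther than the threshold
    from every cluster center, i.e. even the nearest center is too far away."""
    if len(raw_row) != len(model["maxima"]):
        raise ValueError("reading has a different number of features than the model")
    scaled = scale(raw_row, model["maxima"])  # reuse the training maxima
    point = [scaled[i] for i in model["keep"]]
    return nearest(point, model["centers"])[1] > model["threshold"]

MODEL = build_model(TRAINING, min_weight=0.1, initial_rows=(0, 4), threshold=0.15)

if __name__ == "__main__":
    print("kept feature indexes:", MODEL["keep"])
    for reading in ([11, 30, 205, 1], [69, 59, 895, 1], [40, 45, 550, 1], [95, 35, 2500, 1]):
        print(reading, "abnormal" if is_abnormal(reading, MODEL) else "normal")
```

The constant flag column receives weight 0 and is dropped by the selection step, and a real-time reading is scaled with the maxima learned during training, so a value above the training range lands outside [0, 1] and far from every center rather than being clipped into a normal cluster.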
It should be understood that, although the respective steps in the flowcharts in the above-described embodiments are shown sequentially as indicated by the arrows, the steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least a part of the steps of the flowcharts in the above embodiments may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with other steps or with at least a part of the sub-steps or stages of other steps.
In addition, an embodiment of the present application further provides an operating state safety detection apparatus, as shown in fig. 11, in an embodiment, the operating state safety detection apparatus 1100 includes: a processing module 1101, an input module 1102 and a determination module 1103, wherein:
the processing module 1101 is configured to perform standardized processing on the real-time operation state data of the terminal device to obtain real-time standard operation state data of the terminal device;
the input module 1102 is configured to input the real-time standard operating state data into a preset detection model, and determine a distance between the real-time standard operating state data and each cluster center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a group intelligent optimization algorithm;
the determining module 1103 is configured to determine that a safety detection result of the operating state of the terminal device is abnormal if distances between the real-time standard operating state data and the cluster centers in the detection model are greater than a preset distance threshold.
In one embodiment, there is also provided an operation state safety detection device, including:
the preprocessing module is used for acquiring the running state data of the plurality of sample terminal devices, and preprocessing the running state data of the plurality of sample terminal devices to obtain preprocessed running state data;
the clustering module is used for determining a plurality of initial clustering centers according to the preprocessed running state data;
the obtaining module is used for optimizing a plurality of initial clustering centers through a group intelligent optimization algorithm to obtain a plurality of candidate clustering centers;
the acquisition module is used for acquiring the fitness value of the cluster corresponding to each candidate clustering center according to a preset clustering fitness function;
and the judging module is used for determining each candidate clustering center as a plurality of clustering centers in the detection model to obtain the detection model if the fitness value of the cluster corresponding to each candidate clustering center meets a preset first iteration convergence condition.
In one embodiment, the obtaining module includes:
the initial unit is used for initializing optimization parameters for performing the particle swarm optimization algorithm and constructing a swarm optimization fitness function based on the optimization parameters; the optimization parameters include at least the position and the moving speed of the individual;
the judging unit is used for determining the fitness value of the particle population corresponding to each initial clustering center according to the population optimization fitness function, and executing a preset iteration optimization step until a preset second iteration convergence condition is met to obtain a plurality of candidate clustering centers; wherein the iterative optimization step comprises:
the updating unit is used for updating the individual positions and the moving speeds in the particle populations corresponding to all the initial clustering centers according to the individual positions and the optimized parameters in the particle populations corresponding to the optimal fitness values; the optimal fitness value represents a fitness value satisfying a preset condition;
the operation unit is used for carrying out crossover and mutation operations, through a genetic algorithm, on the individual positions in each particle population after the positions and the moving speeds are updated;
and the determining unit is used for determining the fitness value of each particle population subjected to the crossover and mutation operations according to the population optimization fitness function.
In one embodiment, the operation unit includes:
the first operation subunit is used for performing a crossover operation on individual positions of a first preset number in each particle population according to the fitness value of each particle population after the position and the moving speed are updated;
and the second operation subunit is used for performing mutation operation on a second preset number of individual positions subjected to the crossover operation.
In one embodiment, there is provided an operation state safety detection device, further including:
the distance module is used for acquiring the distance between the preprocessed running state data and each candidate clustering center;
and the updating module is used for updating the cluster corresponding to each candidate clustering center according to the distance between the preprocessed running state data and each candidate clustering center.
In one embodiment, the preprocessing module includes:
the first processing unit is used for standardizing the operation state data of the plurality of sample terminal devices to obtain standard operation state data;
the acquiring unit is used for acquiring the weight of the standard running state data corresponding to different characteristic types according to the characteristic types of the running state data of the terminal equipment;
and the selection unit is used for selecting the standard running state data with the weight values meeting the preset weight conditions as the preprocessed running state data according to the weights of the standard running state data corresponding to different feature types.
In one embodiment, the obtaining unit includes:
the calculating subunit is used for calculating the mean square deviation of the standard running state data corresponding to different feature types;
and the processing subunit is used for carrying out normalization processing on the mean square deviations of the standard running state data corresponding to different feature types to obtain the weights of the standard running state data corresponding to different feature types.
For the specific definition of the safety detection device for the operation state, reference may be made to the above definition of the safety detection method for the operation state, and details are not described here. The modules in the safety detection device for the operating state can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 12. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a method of security detection of an operational state. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 12 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
carrying out standardization processing on the real-time running state data of the terminal equipment to obtain real-time standard running state data of the terminal equipment;
inputting the real-time standard running state data into a preset detection model, and determining the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a group intelligent optimization algorithm;
and if the distances between the real-time standard operating state data and the clustering centers in the detection model are larger than a preset distance threshold, determining that the safety detection result of the operating state of the terminal equipment is abnormal.
In one embodiment, the processor, when executing the computer program, performs the steps of:
acquiring running state data of a plurality of sample terminal devices, and preprocessing the running state data of the plurality of sample terminal devices to obtain preprocessed running state data;
determining a plurality of initial clustering centers according to the preprocessed running state data;
optimizing a plurality of initial clustering centers through a group intelligent optimization algorithm to obtain a plurality of candidate clustering centers;
acquiring the fitness value of a cluster corresponding to each candidate clustering center according to a preset clustering fitness function;
and if the fitness value of the cluster corresponding to each candidate clustering center meets a preset first iteration convergence condition, determining each candidate clustering center as a plurality of clustering centers in the detection model to obtain the detection model.
In one embodiment, the processor, when executing the computer program, performs the steps of:
initializing optimization parameters for performing a particle swarm optimization algorithm, and constructing a population optimization fitness function based on the optimization parameters; the optimization parameters include at least the position and the moving speed of the individual;
determining the fitness value of the particle population corresponding to each initial clustering center according to the population optimization fitness function, and executing a preset iteration optimization step until a preset second iteration convergence condition is met to obtain a plurality of candidate clustering centers; wherein the iterative optimization step comprises:
updating the individual positions and the moving speeds in the particle populations corresponding to all the initial clustering centers according to the individual positions and the optimized parameters in the particle populations corresponding to the optimal fitness values; the optimal fitness value represents a fitness value satisfying a preset condition;
carrying out crossover and mutation operations, through a genetic algorithm, on the individual positions in each particle population after the positions and the moving speeds are updated;
and determining the fitness value of each particle population after the crossover and mutation operations according to the population optimization fitness function.
In one embodiment, the processor, when executing the computer program, performs the steps of:
according to the fitness value of each particle population after the position and the moving speed are updated, carrying out a crossover operation on the individual positions of a first preset number in each particle population;
and performing a mutation operation on the second preset number of individual positions subjected to the crossover operation.
In one embodiment, the processor, when executing the computer program, performs the steps of:
acquiring the distance between the preprocessed running state data and each candidate clustering center;
and updating the cluster corresponding to each candidate clustering center according to the distance between the preprocessed running state data and each candidate clustering center.
In one embodiment, the processor, when executing the computer program, performs the steps of:
standardizing the operation state data of the plurality of sample terminal devices to obtain standard operation state data;
acquiring the weight of standard operation state data corresponding to different feature types according to the feature types of the operation state data of the terminal equipment;
and selecting standard running state data with weight values meeting preset weight conditions as the preprocessed running state data according to the weights of the standard running state data corresponding to different feature types.
In one embodiment, the processor, when executing the computer program, performs the steps of:
calculating the mean square deviation of the standard running state data corresponding to different feature types;
and carrying out normalization processing on the mean square deviations of the standard running state data corresponding to different feature types to obtain the weights of the standard running state data corresponding to different feature types.
The implementation principle and technical effect of the computer-readable storage medium provided by the above embodiments are similar to those of the above method embodiments, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the method embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but any such combination should be considered within the scope of the present specification as long as it involves no contradiction.
The above-mentioned embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for safety detection of a running state, the method comprising:
carrying out standardization processing on real-time running state data of the terminal equipment to obtain real-time standard running state data of the terminal equipment;
inputting the real-time standard running state data into a preset detection model, and determining the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a swarm intelligence optimization algorithm;
and if the distances between the real-time standard running state data and the clustering centers in the detection model are larger than a preset distance threshold, determining that the safety detection result of the running state of the terminal equipment is abnormal.
2. The method of claim 1, wherein the construction process of the detection model comprises:
acquiring running state data of a plurality of sample terminal devices, and preprocessing the running state data of the plurality of sample terminal devices to obtain preprocessed running state data;
determining a plurality of initial clustering centers according to the preprocessed running state data;
optimizing the plurality of initial clustering centers through the swarm intelligence optimization algorithm to obtain a plurality of candidate clustering centers;
acquiring the fitness value of the cluster corresponding to each candidate clustering center according to a preset clustering fitness function;
and if the fitness value of the cluster corresponding to each candidate clustering center meets a preset first iteration convergence condition, determining each candidate clustering center as a plurality of clustering centers in the detection model to obtain the detection model.
3. The method of claim 2, wherein the swarm intelligence optimization algorithm comprises a particle swarm optimization algorithm and a genetic algorithm, and the optimizing the plurality of initial clustering centers through the swarm intelligence optimization algorithm to obtain a plurality of candidate clustering centers comprises:
initializing optimization parameters for executing the particle swarm optimization algorithm, and constructing a population optimization fitness function based on the optimization parameters; the optimization parameters include at least the position and the moving speed of an individual;
determining the fitness value of the particle population corresponding to each initial clustering center according to the population optimization fitness function, and executing a preset iterative optimization step until a preset second iteration convergence condition is met, to obtain a plurality of candidate clustering centers; wherein the iterative optimization step comprises:
updating the individual positions and the moving speeds in the particle populations corresponding to all the initial clustering centers according to the individual positions in the particle populations corresponding to the optimal fitness values and the optimization parameters; the optimal fitness value represents a fitness value meeting a preset condition;
performing, through the genetic algorithm, a crossover and mutation operation on the individual positions in each particle population after the positions and the moving speeds are updated;
and determining the fitness value of each particle population after the crossover and mutation operation according to the population optimization fitness function.
4. The method according to claim 3, wherein the performing, through the genetic algorithm, a crossover and mutation operation on the individual positions in each particle population after the positions and the moving speeds are updated comprises:
performing, according to the fitness value of each particle population after the positions and the moving speeds are updated, a crossover operation on a first preset number of individual positions in each particle population;
and performing a mutation operation on a second preset number of the individual positions subjected to the crossover operation.
5. The method according to any one of claims 2 to 4, wherein before the obtaining the fitness value of the cluster corresponding to each candidate cluster center according to the preset cluster fitness function, the method comprises:
acquiring the distance between the preprocessed running state data and each candidate clustering center;
and updating the cluster corresponding to each candidate clustering center according to the distance between the preprocessed running state data and each candidate clustering center.
6. The method according to any one of claims 2 to 4, wherein the preprocessing the running state data of the plurality of sample terminal devices to obtain preprocessed running state data comprises:
standardizing the running state data of the plurality of sample terminal devices to obtain standard running state data;
acquiring the weights of the standard running state data corresponding to different feature types according to the feature types of the running state data of the terminal equipment;
and selecting, according to the weights of the standard running state data corresponding to the different feature types, the standard running state data whose weights meet a preset weight condition as the preprocessed running state data.
7. The method according to claim 6, wherein the acquiring the weights of the standard running state data corresponding to different feature types according to the feature types of the running state data of the terminal equipment comprises:
calculating the mean square deviation of the standard running state data corresponding to the different feature types;
and normalizing the mean square deviations of the standard running state data corresponding to the different feature types to obtain the weights of the standard running state data corresponding to the different feature types.
8. A running state safety detection device, comprising:
the processing module is used for carrying out standardization processing on the real-time running state data of the terminal equipment to obtain the real-time standard running state data of the terminal equipment;
the input module is used for inputting the real-time standard running state data into a preset detection model and determining the distance between the real-time standard running state data and each clustering center in the detection model; the detection model comprises a plurality of clustering centers, and the clustering centers are obtained by optimizing a clustering algorithm based on a swarm intelligence optimization algorithm;
and the determining module is used for determining that the safety detection result of the running state of the terminal equipment is abnormal if the distances between the real-time standard running state data and the clustering centers in the detection model are larger than a preset distance threshold.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
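An added Python illustration (not part of the patent text) of the preprocessing in claims 6 and 7 and the distance-threshold check in claim 1, run on constructed terminal data. Assumptions: min-max scaling as the standardization step, a minimum-weight cutoff as the preset weight condition, Euclidean distance, the claim 1 condition read as applying to every clustering center, and plain k-means standing in for the cluster centers optimized by particle swarm and genetic algorithm; all names and values are hypothetical.

```python
import math

# Constructed sample data: [cpu %, open connections, status flag] per terminal.
SAMPLES = [[10, 5, 1], [12, 6, 1], [11, 4, 1], [9, 5, 1],
           [70, 40, 1], [72, 42, 1], [68, 41, 1], [71, 39, 1]]

def scale(row, bounds):
    # Min-max standardization (assumed); a constant feature maps to 0.
    return [(v - lo) / (hi - lo) if hi > lo else 0.0
            for v, (lo, hi) in zip(row, bounds)]

def feature_weights(rows):
    # Per-feature mean square deviation, normalized so the weights sum to 1.
    devs = []
    for col in zip(*rows):
        mean = sum(col) / len(col)
        devs.append(math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)))
    total = sum(devs) or 1.0  # all-constant data: avoid dividing by zero
    return [d / total for d in devs]

def kmeans(points, centers, iters=20):
    # Stand-in for the swarm-optimized centers: assign to nearest, re-average.
    for _ in range(iters):
        clusters = [[] for _ in centers]
        for p in points:
            nearest = min(range(len(centers)),
                          key=lambda i: math.dist(p, centers[i]))
            clusters[nearest].append(p)
        centers = [[sum(c) / len(c) for c in zip(*cl)] if cl else old
                   for cl, old in zip(clusters, centers)]
    return centers

def build_model(samples, min_weight=0.2):
    bounds = [(min(c), max(c)) for c in zip(*samples)]
    scaled = [scale(r, bounds) for r in samples]
    weights = feature_weights(scaled)
    # Keep only features whose weight meets the (assumed) cutoff.
    keep = [i for i, w in enumerate(weights) if w >= min_weight]
    points = [[r[i] for i in keep] for r in scaled]
    centers = kmeans(points, [points[0], points[-1]])
    return {"bounds": bounds, "weights": weights, "keep": keep,
            "centers": centers}

def is_abnormal(row, model, threshold=0.2):
    # Abnormal only when the sample is farther than the threshold from
    # every clustering center.
    scaled = scale(row, model["bounds"])
    point = [scaled[i] for i in model["keep"]]
    return all(math.dist(point, c) > threshold for c in model["centers"])

MODEL = build_model(SAMPLES)
```

The status flag never varies in the constructed data, so its weight is 0 and it is dropped before clustering; a z-score standardization would instead give every feature the same deviation and make the weighting step uninformative.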
CN202111143086.XA 2021-09-28 2021-09-28 Method, device, equipment and storage medium for safety detection of running state Pending CN113887115A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111143086.XA CN113887115A (en) 2021-09-28 2021-09-28 Method, device, equipment and storage medium for safety detection of running state

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111143086.XA CN113887115A (en) 2021-09-28 2021-09-28 Method, device, equipment and storage medium for safety detection of running state

Publications (1)

Publication Number Publication Date
CN113887115A true CN113887115A (en) 2022-01-04

Family

ID=79007505

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111143086.XA Pending CN113887115A (en) 2021-09-28 2021-09-28 Method, device, equipment and storage medium for safety detection of running state

Country Status (1)

Country Link
CN (1) CN113887115A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117350891A (en) * 2023-09-27 2024-01-05 广东电网有限责任公司 Power grid safety detection method and system based on particle swarm optimization model

Similar Documents

Publication Publication Date Title
US11487941B2 (en) Techniques for determining categorized text
CN108023876B (en) Intrusion detection method and intrusion detection system based on sustainability ensemble learning
US10353685B2 (en) Automated model management methods
CN105589806B (en) A kind of software defect tendency Forecasting Methodology based on SMOTE+Boosting algorithms
CN111324642A (en) Model algorithm type selection and evaluation method for power grid big data analysis
Cardoso et al. Weightless neural networks for open set recognition
CN110008259A (en) The method and terminal device of visualized data analysis
CN108364106A (en) A kind of expense report Risk Forecast Method, device, terminal device and storage medium
CN113254833B (en) Information pushing method and service system based on birth teaching fusion
CN110674636B (en) Power consumption behavior analysis method
CN113506009B (en) Equipment management method and system based on smart cloud service
CN103197983A (en) Service component reliability online time sequence predicting method based on probability graph model
CN109636212B (en) Method for predicting actual running time of job
CN112363896A (en) Log anomaly detection system
Pande et al. Crime detection using data mining
CN110474799A (en) Fault Locating Method and device
CN111159481B (en) Edge prediction method and device for graph data and terminal equipment
Florez‐Perez et al. Using machine learning to analyze and predict construction task productivity
Frey et al. Modeling ecological success of common pool resource systems using large datasets
Gupta et al. Relevance feedback based online learning model for resource bottleneck prediction in cloud servers
CN113887115A (en) Method, device, equipment and storage medium for safety detection of running state
Denter et al. Forecasting future bigrams and promising patents: introducing text-based link prediction
Pohl et al. Active online learning for social media analysis to support crisis management
CN111984514A (en) Prophet-bLSTM-DTW-based log anomaly detection method
CN116624226A (en) Coal mine disaster data acquisition, analysis and visual display system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination