CN114330544A - Method for establishing business flow abnormity detection model and abnormity detection method - Google Patents

Publication number
CN114330544A
Authority
CN
China
Prior art keywords
coding block
flow data
detection model
anomaly detection
power grid
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111627392.0A
Other languages
Chinese (zh)
Inventor
来骥
张实君
李硕
徐相森
曾婧
姚启桂
杨睿
许大卫
聂正璞
常海娇
那琼澜
孟德
李贤�
寇晓溪
肖娜
管嘉珩
王海超
吕冰
高崧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN202111627392.0A priority Critical patent/CN114330544A/en
Publication of CN114330544A publication Critical patent/CN114330544A/en

Abstract

The invention provides a method for establishing a service flow anomaly detection model and an anomaly detection method. The method comprises the following steps: acquiring historical power grid flow data with classification marks; encoding the historical power grid flow data to obtain a first feature vector set; inputting the first feature vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second feature vector set, and then inputting the second feature vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result; and training the initial anomaly detection model according to the prediction result and the classification marks of the historical power grid flow data to obtain a trained anomaly detection model. Because the key information of the power grid flow data is extracted and the interdependence between the pieces of information is established, the reliability and accuracy of training the anomaly detection model are improved, and the accuracy of anomaly prediction for power grid flow data is improved.

Description

Method for establishing business flow abnormity detection model and abnormity detection method
Technical Field
This document belongs to the technical field of the energy Internet, and in particular relates to a method for establishing a business flow anomaly detection model and an anomaly detection method.
Background
The energy internet and its intelligent terminals are the nerve center of social operation and economic production, and the security of the energy network and its terminals is an important guarantee for social security, production safety and energy security. Electric power service traffic may include professional control and non-control service traffic such as scheduling, power utilization and power distribution. At present, however, energy networks encounter increasingly frequent network attacks and a growing variety of attack methods, and face increasingly serious threats and consequences.
Traditional methods that identify abnormal and intrusive behavior by means of expert knowledge and experience struggle to detect and prevent network attacks effectively in this new situation. In the prior art, network data are detected and classified by machine learning methods; this technique relies on feature engineering and requires the data to have good features, but as the network environment becomes more complex and attack methods become more flexible, feature extraction becomes more difficult. There are also anomaly and intrusion detection techniques based on deep learning, which use neural networks and similar techniques to learn and extract attack features and traffic features automatically by training on raw network traffic. Although these deep methods can learn and extract rich intrusion features, the information used for feature extraction is treated equally regardless of whether it is related to the anomaly or the intrusion. In fact, not all information is important for constructing features and detecting traffic, which leads to lower anomaly detection accuracy for power grid service data. A scheme that can improve the anomaly detection accuracy for energy Internet service traffic is therefore urgently needed.
Disclosure of Invention
In view of the foregoing problems in the prior art, an object of the present invention is to provide a method for establishing a traffic anomaly detection model and an anomaly detection method, which can improve the accuracy of detecting traffic anomalies in an energy internet service.
In order to solve the technical problems, the specific technical scheme is as follows:
in one aspect, a method for establishing a service traffic anomaly detection model is provided herein, where the method includes:
acquiring historical power grid flow data with classification marks;
encoding the historical power grid flow data to obtain a first characteristic vector set;
inputting the first characteristic vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second characteristic vector set, and then inputting the second characteristic vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result;
and training the initial anomaly detection model according to the prediction result and the classification mark of the historical power grid flow data to obtain a trained anomaly detection model.
Further, the obtaining of historical grid flow data with the classification mark includes:
according to the energy Internet intelligent terminal topological structure, an intelligent terminal on the topological structure is determined, and an initial service message which is related to the intelligent terminal and is provided with a classification mark is collected;
and according to the attribute characteristics of the preset service message, carrying out segmentation processing on the initial service message to obtain historical power grid flow data with the same data source and destination.
Further, the encoding the historical grid flow data to obtain a first feature vector includes:
performing first coding processing on each byte in historical power grid flow data to obtain a word vector set consisting of a plurality of multi-dimensional word vectors;
performing second coding processing on each word vector in the word vector set to obtain an initial characteristic vector set;
and adding a learnable classification mark in each initial feature vector of the initial feature vector set to obtain a first feature vector set.
Further, the coding block comprises a transformation matrix layer, an attention weight calculation layer, a weighting layer and a feedforward neural network layer;
the transformation matrix layer in any coding block M is used for calculating a transformation vector of each eigenvector N in any coding block M according to the output result of each eigenvector N in the coding block M-1 at the upper layer and the transformation matrix in any coding block M;
the attention weight calculation layer in any coding block M is used for calculating and obtaining the attention weight of each eigenvector N in any coding block M according to the conversion vector of each eigenvector N in any coding block M and the conversion vector of the eigenvector corresponding to all historical power grid flow data in any coding block M;
the weighting layer in any coding block M is used for calculating and obtaining a weighting value corresponding to the feature vector N in any coding block M according to the attention weight of the feature vector N in any coding block M and the transformation vector of the feature vector corresponding to all historical power grid flow data in any coding block M;
and the feedforward neural network layer in any coding block M is used for calculating and obtaining the output result of the eigenvector N in any coding block M according to the weighted value corresponding to the eigenvector N in any coding block M and the linear transformation matrix in any coding block M, wherein the output result of the last layer of coding block is the second eigenvector output by the eigenvector N in the multilayer coding block.
Further, the transformation matrix comprises a query transformation matrix, a key transformation matrix, and a value transformation matrix;
the transformation vectors include a query transformation vector, a key transformation vector, and a value transformation vector.
Further, the transform matrix layer in the first layer coding block is configured to calculate a transform vector of each eigenvector in the first layer coding block according to each eigenvector in the first eigenvector set and the transform matrix of the first layer coding block.
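The four layers of a coding block listed above can be traced in a few lines of plain Python. This is an added illustration, not code from the patent: the scaled dot-product scoring, the softmax normalisation and the ReLU activation are assumptions taken from the standard Transformer encoder, the names `CodingBlock`, `run_coding_blocks` and `build_demo` are hypothetical, and the input vectors are constructed at random.

```python
import math
import random

def matmul(A, B):
    """Plain-Python matrix product of A (n x m) and B (m x p)."""
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in A]

def softmax(row):
    """Numerically stable softmax over one row of scores."""
    m = max(row)
    exps = [math.exp(v - m) for v in row]
    total = sum(exps)
    return [e / total for e in exps]

class CodingBlock:
    """One coding block: transformation matrices, attention weights, weighting, feedforward."""

    def __init__(self, d, rng):
        def mat():
            return [[rng.gauss(0.0, 0.5) for _ in range(d)] for _ in range(d)]
        self.d = d
        # Query, key and value transformation matrices (randomly initialised here).
        self.Wq, self.Wk, self.Wv = mat(), mat(), mat()
        # Linear transformation matrix of the feedforward layer.
        self.Wo = mat()

    def transform(self, H):
        """Transformation matrix layer: query, key and value vectors for every input vector."""
        return matmul(H, self.Wq), matmul(H, self.Wk), matmul(H, self.Wv)

    def attention_weights(self, Q, K):
        """Attention weight layer: each vector is scored against all vectors in the block.
        Scaling by sqrt(d) and softmax are assumptions (standard Transformer practice)."""
        scores = matmul(Q, list(zip(*K)))  # Q x K^T
        return [softmax([s / math.sqrt(self.d) for s in row]) for row in scores]

    def forward(self, H):
        Q, K, V = self.transform(H)
        A = self.attention_weights(Q, K)
        weighted = matmul(A, V)  # weighting layer: attention-weighted sum of value vectors
        # Feedforward layer: linear transformation, then ReLU (activation is an assumption).
        return [[max(0.0, v) for v in row] for row in matmul(weighted, self.Wo)]

def run_coding_blocks(blocks, first_set):
    """The output of block M-1 is the input of block M; the last output is the second set."""
    H = first_set
    for block in blocks:
        H = block.forward(H)
    return H

def build_demo(seed=1, n=5, d=4, layers=2):
    """Constructed input: n random d-dimensional vectors and a stack of coding blocks."""
    rng = random.Random(seed)
    first_set = [[rng.gauss(0.0, 1.0) for _ in range(d)] for _ in range(n)]
    blocks = [CodingBlock(d, rng) for _ in range(layers)]
    return blocks, first_set

if __name__ == "__main__":
    blocks, first_set = build_demo()
    Q, K, _ = blocks[0].transform(first_set)
    for row in blocks[0].attention_weights(Q, K):
        print([round(w, 3) for w in row])  # each row sums to 1
    print(run_coding_blocks(blocks, first_set)[0])
```

Each row of the attention weights shows how much one vector draws on every other vector in the same flow, which is the interdependence the text refers to.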
In another aspect, a method for detecting traffic flow anomaly is further provided, where the method includes:
acquiring service flow data to be detected;
coding the to-be-detected service flow data to obtain a first characteristic vector set;
and inputting the first characteristic vector set into the anomaly detection model established by the method to obtain a classification result of the to-be-detected service flow data.
In another aspect, this document also provides a device for establishing a service traffic anomaly detection model, where the device includes:
the historical power grid flow data acquisition module is used for acquiring historical power grid flow data with classification marks;
the encoding module is used for encoding the historical power grid flow data to obtain a first characteristic vector set;
a prediction result obtaining module, configured to input the first feature vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second feature vector set, and then input the second feature vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result;
and the training module is used for training the initial anomaly detection model according to the prediction result and the classification mark of the historical power grid flow data so as to obtain a trained anomaly detection model.
In another aspect, a computer device is also provided herein, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the method as described above when executing the computer program.
Finally, a computer-readable storage medium is also provided herein, which stores a computer program that, when executed by a processor, implements the method as described above.
With the above technical scheme, this document provides a method for establishing a service flow anomaly detection model and an anomaly detection method. The model establishing method obtains historical power grid flow data with classification marks, encodes the historical power grid flow data to obtain a first feature vector, inputs the first feature vector into a multilayer coding block of an initial anomaly detection model for processing to obtain a second feature vector set, and then inputs the second feature vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result. The initial anomaly detection model is trained based on the prediction result and the classification marks of the historical power grid flow data to obtain the trained anomaly detection model, and the trained model can then predict the anomaly type of power grid flow data. The method extracts the key information of the power grid flow data and establishes the interdependence between the pieces of information, so that the service is understood more accurately, the reliability and accuracy of training the anomaly detection model are improved, and the accuracy of anomaly prediction for power grid flow data is improved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 shows a schematic representation of an implementation environment for a method provided by embodiments herein;
FIG. 2 is a schematic diagram illustrating steps of a service traffic anomaly detection model establishing method provided in an embodiment of the present disclosure;
FIG. 3 is a schematic diagram illustrating a first feature vector set obtaining step in an embodiment herein;
FIG. 4 is a diagram illustrating the structure of a coding block in an embodiment herein;
FIG. 5 is a schematic structural diagram illustrating a service traffic anomaly detection model building apparatus according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram illustrating steps of a method for detecting traffic flow anomaly provided in an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram illustrating a traffic flow anomaly detection apparatus provided in an embodiment of the present disclosure;
FIG. 8 shows a schematic structural diagram of a computer device provided in an embodiment herein.
Description of the symbols of the drawings:
10. a client;
20. a network;
30. a server;
110. a historical power grid flow data acquisition module;
120. an encoding module;
130. a prediction result obtaining module;
140. a training module;
210. a module for acquiring data to be detected;
220. a to-be-detected data encoding module;
230. a prediction module;
802. a computer device;
804. a processor;
806. a memory;
808. a drive mechanism;
810. an input/output module;
812. an input device;
814. an output device;
816. a presentation device;
818. a graphical user interface;
820. a network interface;
822. a communication link;
824. a communication bus.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments herein without making any creative effort, shall fall within the scope of protection.
It should be noted that the terms "first," "second," and the like in the description and claims herein and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments herein described are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or device.
In the prior art, flow data in the energy internet and its intelligent terminals is generally detected and classified by machine learning methods; this technique relies on feature engineering and requires the data to have good features. There are also anomaly and intrusion detection techniques based on deep learning, which use neural networks and similar techniques to learn and extract attack features and traffic features automatically by training on raw network traffic. Although these deep methods can learn and extract rich intrusion features, the information used for feature extraction is treated equally regardless of whether it is related to the anomaly or the intrusion. In fact, not all information is equally important for constructing features and detecting traffic, which results in lower anomaly detection accuracy for power grid service data.
In order to solve the above problems, embodiments of the present specification provide a method for establishing a service traffic anomaly detection model, where the anomaly detection model established by the method can establish a mutual dependency relationship between data traffic on the basis of paying attention to key information of the data traffic, so as to improve service understanding capability and further improve accuracy of prediction of the anomaly detection model. As shown in fig. 1, the implementation environment of the method is schematically illustrated, and the method may include a client 10 and a server 30, where the client 10 and the server 30 are connected through a network 20, and may implement data interaction through the network 20.
The client 10 may establish a connection with a background server corresponding to an energy internet, and acquire historical grid flow data stored in the background server, where the historical grid flow data is already marked with a classification flag, that is, an abnormal label; the client 10 sends the collected historical grid flow data to the server 30.
The server 30 is preconfigured with corresponding model training logic, and performs training of the anomaly detection model according to the received historical grid flow data, so as to obtain an anomaly detection model for predicting an anomaly condition of the grid flow data, specifically, the training process of the server 30 may be: encoding the historical power grid flow data to obtain a first characteristic vector set; inputting the first characteristic vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second characteristic vector set, and then inputting the second characteristic vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result; and training the initial anomaly detection model according to the prediction result and the classification mark of the historical power grid flow data to obtain a trained anomaly detection model.
In an optional embodiment, the server 30 may be an independent physical server, may also be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like.
In an alternative embodiment, the client 10 may perform the anomaly prediction of the grid data traffic in combination with the anomaly detection model trained by the server 30. Specifically, the client 10 may include, but is not limited to, a smart phone, a desktop computer, a tablet computer, a notebook computer, a smart speaker, a digital assistant, an Augmented Reality (AR)/Virtual Reality (VR) device, a smart wearable device, and other types of electronic devices. Optionally, the operating system running on the electronic device may include, but is not limited to, an android system, an IOS system, Linux, Windows, and the like.
In addition, it should be noted that fig. 1 shows only one application environment provided by the present disclosure, and in practical applications, other application environments may also be included, for example, training of a target image segmentation model may also be implemented on the client 10.
It should also be noted that the client 10 may be an intelligent terminal of the energy internet, such as a smart electricity meter, a switch or other equipment. Historical grid flow data of the intelligent terminal is acquired and sent to the server 30 for training the anomaly detection model, and the trained anomaly detection model is finally deployed in the client 10 or other key nodes, so that real-time detection and classification of grid flow data, and further real-time alarming, are achieved.
Specifically, embodiments herein provide a method for establishing a service traffic anomaly detection model, where the anomaly detection model established by the method can establish a mutual dependency relationship between data traffic on the basis of focusing attention on key information of the data traffic, thereby improving service understanding capability and further improving accuracy of prediction of the anomaly detection model. Fig. 2 is a schematic step diagram of a method for establishing a traffic flow anomaly detection model provided in an embodiment herein, and the present specification provides the method operation steps as described in the embodiment or the flowchart, but more or less operation steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual system or apparatus product executes, it can execute sequentially or in parallel according to the method shown in the embodiment or the figures. Specifically, as shown in fig. 2, the method may include:
s101: acquiring historical power grid flow data with classification marks;
s102: encoding the historical power grid flow data to obtain a first characteristic vector set;
s103: inputting the first characteristic vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second characteristic vector set, and then inputting the second characteristic vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result;
s104: and training the initial anomaly detection model according to the prediction result and the classification mark of the historical power grid flow data to obtain a trained anomaly detection model.
It can be understood that, in the embodiments of the present description, a first feature vector set is obtained by encoding historical grid flow data with a classification mark, and a prediction result is then obtained by processing in an initial anomaly detection model provided with a multilayer coding block and a multilayer perceptron, where the prediction result may be a prediction of the anomaly type of the historical grid flow data. Finally, the initial anomaly detection model is trained according to the prediction result and the classification mark determined in advance for the historical grid flow data, so as to obtain an anomaly detection model capable of accurately predicting the anomaly type of grid flow data.
The classification mark may be a label of the abnormal condition of the grid traffic data. For example, the classification marks may be normal traffic and abnormal traffic; further, abnormal traffic may be classified into grid attack traffic such as denial-of-service attacks (DoS), port scans (Port Scans), backdoor attacks (Backdoors), vulnerability exploitation (Exploits), vulnerability mining (Fuzzers), worm attacks (Worms), and the like. The output of the anomaly detection model is the classification mark of the input power grid flow data.
In this embodiment of the present disclosure, the initial anomaly detection model may be a pre-trained model. The pre-trained model may be obtained by training on a public data set and then fine-tuned on the historical grid flow data. Using a pre-trained model as the initial anomaly detection model improves the efficiency of model training and further ensures that the trained anomaly detection model is better suited to detecting anomalies and intrusions associated with the energy internet. The public data set may be an intrusion detection data set, such as NSL-KDD and UNSW-NB15, and the specific public data set is not limited in the embodiments of the present specification.
In an embodiment of the present specification, the obtaining historical grid flow data with a classification flag includes:
according to the energy Internet intelligent terminal topological structure, an intelligent terminal on the topological structure is determined, and an initial service message which is related to the intelligent terminal and is provided with a classification mark is collected;
and according to the attribute characteristics of the preset service message, carrying out segmentation processing on the initial service message to obtain historical power grid flow data with the same data source and destination.
It can be understood that, in the embodiment of the present specification, determining the topology of the energy internet intelligent terminals in a designated area or a designated system makes it possible to quickly determine the number and connection relationships of the intelligent terminals in that area or system, so that the initial service messages related to each intelligent terminal can be obtained. An initial service message can be understood as a message that has already been through historical anomaly verification, so that the classification mark of each initial service message can be determined. The initial service messages are then segmented according to the attribute characteristics of the preset service message to obtain historical power grid flow data with the same data source and destination, so that training is performed on data with the same source and destination and the reliability of model training is improved.
Network traffic (or grid service messages) generally includes traffic from a plurality of source IPs or source ports, traffic to a plurality of destination IPs or destination ports, and traffic of different protocols, so the traffic within a period of time needs to be segmented according to the source IP, the source port, the destination IP, the destination port, and the protocol; each segmented packet flow is from the same IP, or from different ports and protocols to the same IP, or the same IP. After the segmentation, an individual data packet can be analyzed to determine whether it contains intrusion behavior, and the statistical characteristics of the flow within a period of time can be analyzed to judge whether an intrusion or anomaly has occurred.
The attribute characteristics of the preset service message may be the way the message format is defined: fields at different positions in the message represent different attributes, for example the data source and the data destination are at different positions. The attributes of the initial service message can be determined by extracting the fields at these positions, and the message is segmented accordingly to obtain the power grid flow data. For example, messages with the same data source and destination are segmented into a corresponding flow data packet, and the model is trained with that flow data packet, so that the dependency relationships between different flow data in the packet take part in training and the reliability of training is improved.
After the initial service messages are segmented, discrete messages with the same data source and destination are obtained. To improve the validity of the data, the effective data in the discrete messages can be extracted: useless data such as the IP header can be discarded, repeated data can be reduced, and invalid data with a length of zero can be deleted. For example, the effective data above the service transport layer can be extracted, which improves the efficiency and accuracy of service understanding.
In actual work, the discrete messages obtained by segmentation all exist in traditional hexadecimal form. To facilitate data processing and reduce the difficulty of data identification, the discrete messages need to be converted into text data; this text data is the power grid flow data. The data conversion mode is not limited in the embodiments of this specification.
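The preprocessing described above (segmentation by source IP, source port, destination IP, destination port and protocol, discarding headers, dropping zero-length and repeated data, converting to text) can be sketched as follows. This is an added example, not code from the patent; it assumes raw IPv4 packets carrying TCP or UDP, treats an exact repeat of a payload within one flow as repeated data, and uses hypothetical function names and constructed sample packets with documentation-range addresses.

```python
import struct

PROTO_TCP, PROTO_UDP = 6, 17

def build_packet(src, dst, sport, dport, proto, payload):
    """Build a minimal IPv4 + TCP/UDP packet for the constructed sample (checksums left 0)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + l4 + payload

def parse_packet(raw):
    """Return ((src, sport, dst, dport, proto), payload), or None if malformed/unsupported."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        return None
    proto = raw[9]
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    l4 = raw[ihl:total_len]                        # the IP header is discarded here
    if proto == PROTO_TCP and len(l4) >= 20:
        hdr_len = (l4[12] >> 4) * 4                # TCP data offset
        if hdr_len < 20 or hdr_len > len(l4):
            return None
    elif proto == PROTO_UDP and len(l4) >= 8:
        hdr_len = 8
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return (src, sport, dst, dport, proto), l4[hdr_len:]   # data above the transport layer

def segment_flows(packets):
    """Group payloads by 5-tuple, dropping zero-length and repeated payloads."""
    flows = {}
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        key, payload = parsed
        if not payload:                            # invalid data with length zero
            continue
        bucket = flows.setdefault(key, [])
        if payload not in bucket:                  # assumption: exact repeats are redundant
            bucket.append(payload)
    return flows

def to_text(payload):
    """Render payload bytes as space-separated hexadecimal tokens (the text form)."""
    return " ".join(f"{b:02x}" for b in payload)

# Constructed sample packets; addresses, ports and payload bytes are made up.
HOST_A, HOST_B, HOST_C = "192.0.2.10", "192.0.2.20", "192.0.2.11"
SAMPLE_PACKETS = [
    build_packet(HOST_A, HOST_B, 40000, 2404, PROTO_TCP, bytes.fromhex("680407000000")),
    build_packet(HOST_A, HOST_B, 40000, 2404, PROTO_TCP, bytes.fromhex("680407000000")),
    build_packet(HOST_A, HOST_B, 40000, 2404, PROTO_TCP, b""),
    build_packet(HOST_A, HOST_B, 40000, 2404, PROTO_TCP, bytes.fromhex("68040b000000")),
    build_packet(HOST_C, HOST_B, 5000, 161, PROTO_UDP, bytes.fromhex("300a")),
    b"\x45\x00",   # truncated packet, rejected by the parser
]

if __name__ == "__main__":
    for key, payloads in segment_flows(SAMPLE_PACKETS).items():
        print(key, [to_text(p) for p in payloads])
```

The length checks in `parse_packet` matter in practice: a truncated or malformed header must be rejected rather than sliced blindly, otherwise header bytes leak into the training text.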
In this embodiment of the present specification, as shown in fig. 3, the encoding the historical grid flow data to obtain a first feature vector includes:
s201: performing first coding processing on each byte in historical power grid flow data to obtain a word vector set consisting of a plurality of multi-dimensional word vectors;
s202: performing second coding processing on each word vector in the word vector set to obtain an initial characteristic vector set;
s203: and adding a learnable classification mark in each initial feature vector of the initial feature vector set to obtain a first feature vector set.
It can be understood that the historical grid flow data exists in the form of text data, where each text data includes a plurality of service bytes, that is, each historical grid flow data is composed of a sequence of service bytes, and a multidimensional (i.e., d-dimensional) word vector can be obtained by performing a first encoding process on each byte, where a set of word vectors obtained by encoding each byte in the historical grid flow data having the same data source and destination can be represented as:
Figure BDA0003438921720000101
wherein P represents the number (i.e. number) of historical grid flow data with the same data source and destination, K represents the length (i.e. number of bytes) of each historical grid flow data, d represents the length of byte encoding, and each word vector (i.e. each byte encoding) in the word vector set is represented as X = X(p,k), wherein p represents the p-th historical grid flow data and k represents the k-th byte.
In this embodiment of the present specification, the first Encoding process may be One-Hot Encoding (One-Hot Encoding), or may have other Encoding manners, which is not limited in this embodiment of the present specification.
The second encoding process may be understood as assigning a unique position code to each byte code (i.e., word vector), so that the interdependence between bytes can be learned, and important information inside the service can be focused. Alternatively, the initial feature vector is represented by the following manner (1):
Figure BDA0003438921720000102
where
Figure BDA0003438921720000103
is the initial feature vector of the kth byte in the pth historical power grid flow data; W is a learnable parameter matrix; and
Figure BDA0003438921720000104
is a learnable position code.
In a further embodiment, a learnable classification token needs to be added to each initial feature vector to obtain the first feature vector. Preferably, the learnable classification token can be added at the head of the sequence of initial feature vectors:
Figure BDA0003438921720000105
The learnable classification token is ultimately used to classify the grid flow data; therefore,
Figure BDA0003438921720000106
combined with
Figure BDA0003438921720000108
can be used as input for subsequent training of the model.
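The encoding steps S201 to S203 can be sketched as follows. This is an added example, not code from the patent: it assumes formula (1) has the form W·x plus a position code (the formula image is missing from this page), one position code per (message, byte) pair, a single classification token at the head of the sequence, and randomly initialised parameters in place of trained ones; `FlowEncoder` and its method names are hypothetical.

```python
import random

BYTE_VOCAB = 256  # length of the one-hot code for one byte (first coding step)


def hex_to_bytes(hex_message):
    """Convert a hexadecimal message segment into a list of byte values."""
    cleaned = "".join(hex_message.split())
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits in message")
    return list(bytes.fromhex(cleaned))  # ValueError on non-hex characters


def one_hot(byte_value):
    """S201: one-hot word vector for a single byte."""
    vec = [0.0] * BYTE_VOCAB
    vec[byte_value] = 1.0
    return vec


class FlowEncoder:
    """Encode P messages of K bytes each into 1 + P*K vectors of size D."""

    def __init__(self, n_messages, msg_len, dim, seed=0):
        rng = random.Random(seed)
        self.P, self.K, self.D = n_messages, msg_len, dim
        # W: learnable D x 256 matrix (random here, trained in practice).
        self.W = [[rng.gauss(0, 0.02) for _ in range(BYTE_VOCAB)]
                  for _ in range(dim)]
        # Learnable position code, one per (message index, byte index).
        self.pos = {(p, k): [rng.gauss(0, 0.02) for _ in range(dim)]
                    for p in range(n_messages) for k in range(msg_len)}
        # Learnable classification token placed at the head of the sequence.
        self.cls = [rng.gauss(0, 0.02) for _ in range(dim)]

    def project(self, byte_value):
        """W times a one-hot vector is simply column `byte_value` of W."""
        return [row[byte_value] for row in self.W]

    def encode(self, hex_messages):
        """S201-S203 for one group of messages with the same source/destination."""
        if len(hex_messages) != self.P:
            raise ValueError(f"expected {self.P} messages, got {len(hex_messages)}")
        sequence = [list(self.cls)]
        for p, message in enumerate(hex_messages):
            data = hex_to_bytes(message)
            if len(data) != self.K:
                raise ValueError(f"message {p} has {len(data)} bytes, expected {self.K}")
            for k, byte_value in enumerate(data):
                # S202: projected word vector plus the position code.
                sequence.append([w + e for w, e in
                                 zip(self.project(byte_value), self.pos[(p, k)])])
        return sequence


if __name__ == "__main__":
    # Constructed sample input: two 3-byte messages in hexadecimal form.
    encoder = FlowEncoder(n_messages=2, msg_len=3, dim=4, seed=7)
    vectors = encoder.encode(["0a ff 10", "0A0010"])
    print(len(vectors), "vectors of dimension", len(vectors[0]))
```

Because the input is one-hot, the matrix product reduces to an embedding lookup, so the same byte value at two positions differs only by its position code.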
In the embodiment of the present specification, as shown in Fig. 4, the coding block (Encoding Block) may include a transformation matrix layer, an attention weight calculation layer, a weighting layer, and a feedforward neural network layer;
the transformation matrix layer in any coding block M is used for calculating a transformation vector of each feature vector N in the coding block M according to the output result of each feature vector N in the previous-layer coding block M-1 and the transformation matrix in the coding block M;
the attention weight calculation layer in any coding block M is used for calculating the attention weight of each feature vector N in the coding block M according to the transformation vector of each feature vector N in the coding block M and the transformation vectors of the feature vectors corresponding to all historical power grid flow data in the coding block M;
the weighting layer in any coding block M is used for calculating a weighted value corresponding to the feature vector N in the coding block M according to the attention weight of the feature vector N in the coding block M and the transformation vectors of the feature vectors corresponding to all historical power grid flow data in the coding block M;
and the feedforward neural network layer in any coding block M is used for calculating the output result of the feature vector N in the coding block M according to the weighted value corresponding to the feature vector N in the coding block M and the linear transformation matrix in the coding block M, wherein the output result of the last-layer coding block is the second feature vector output for the feature vector N by the multilayer coding block.
The number of layers L of the coding blocks determines the complexity, the number of parameters and the amount of computation of the model. In general, a larger L may lead to better detection accuracy, but it also introduces more training parameters and consumes more computational resources. The choice can therefore be balanced against the hardware environment in which the model is deployed and the expected detection accuracy: with a high hardware configuration a larger L can be used, and with a low configuration a smaller L should be considered. In early experiments, a value of L of no more than 10 gave good results without consuming a lot of computing resources. The specific value of L is not limited in the embodiments of this specification.
In this embodiment, the feature vector N is actually a feature vector corresponding to each byte, and may be a first feature vector.
In the embodiment of the description, the model is built as a whole on a Transformer framework. The Transformer method is used to calculate the correlation between byte features within each piece of historical power grid flow data, or between pieces of historical power grid flow data (namely messages), and to establish the degree of attention between features within a service byte sequence or between services. Because the correlation and the degree of attention establish the relation between features or between services directly, without many intermediate transformations that would cause information loss, a direct dependency relationship can be obtained no matter how far apart the features are. This improves the ability to understand service data and therefore the reliability and accuracy of model prediction.
It can be understood that the attention-based Transformer model for energy internet traffic data anomaly detection can be realized by arranging a plurality of layers of coding blocks. Inside each coding block, each service byte (i.e. the feature vector corresponding to a byte) encoded by the lower-layer coding block is transformed to obtain corresponding transformation vectors, which comprise a query transformation vector (query), a key transformation vector (key) and a value transformation vector (value). Accordingly, different transformation vectors correspond to different transformation matrices. Optionally, the above three transformation vectors may be represented by the following formulas (2) to (4):
Figure BDA0003438921720000121
Figure BDA0003438921720000122
Figure BDA0003438921720000123
where
Figure BDA0003438921720000124
is the query transformation vector, for the a-th head index in the l-th layer coding block, of the feature vector corresponding to the k-th byte in the p-th historical power grid flow data;
Figure BDA0003438921720000125
is the key transformation vector, for the a-th head index in the l-th layer coding block, of the feature vector corresponding to the k-th byte in the p-th historical power grid flow data;
Figure BDA0003438921720000126
is the value transformation vector, for the a-th head index in the l-th layer coding block, of the feature vector corresponding to the k-th byte in the p-th historical power grid flow data; LN() denotes the normalization process (LayerNorm); a ∈ {1, ..., A} is the head index of the multi-head attention (multiple attention heads); DhD is the vector dimension;
Figure BDA0003438921720000127
transforming the vector for the query of the a-th index of the l-th layer coding block;
Figure BDA0003438921720000128
a key transformation vector of the a index of the l layer coding block;
Figure BDA0003438921720000129
transforming a vector for the value of the a-th index of the l-th layer coding block;
Figure BDA00034389217200001210
is the output result, in the (l-1)-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical power grid flow data.
The self-attention mechanism generally uses a multi-head attention method, where A is the number of heads. The purpose of using multiple heads is to split the input of the coding block into A parts, each part being one head, so that the model learns more feature patterns and its ability to understand the service is enhanced.
It should be noted that the transform matrix layer in the first-layer coding block is configured to calculate a transform vector of each eigenvector in the first-layer coding block according to each eigenvector in the first eigenvector set and the transform matrix of the first-layer coding block. That is to say, the linkage work of the multilayer coding blocks can be realized by inputting the first eigenvector obtained by coding the historical power grid flow data into the first layer coding block, and then the final second eigenvector is output.
In this embodiment of the present specification, the attention weight may express the correlation or degree of attention between bytes within historical grid flow data (i.e. service packets) and the relationship between pieces of historical grid flow data; it is computed from features both between services and between bytes inside a service. Optionally, the attention weight of the feature vector in any coding block is represented by the following formula (5):
Figure BDA0003438921720000131
where
Figure BDA0003438921720000132
is the attention weight, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical power grid flow data; a is the index of the attention head; DhD is the dimension of the feature vector; A is the number of attention heads;
Figure BDA0003438921720000133
is the query transformation vector, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical power grid flow data;
Figure BDA0003438921720000134
is the key transformation vector obtained by transforming the classification token of the l-th layer coding block (i.e. the flag
Figure BDA0003438921720000135
) with formula (3); and
Figure BDA0003438921720000136
is the key transformation vector, in the l-th layer coding block, of the feature vector corresponding to the k'-th byte in the p'-th historical power grid flow data.
It should be noted that the user's hardware configuration needs to be considered when the model is designed. Although relatively high accuracy can be obtained with formula (5), calculating the attention weight this way requires a relatively large amount of computation, so the demands on the hardware are relatively high and smooth operation is difficult on some lower-configuration devices. Alternatively, the attention weight may also be represented by the following formula (6):
Figure BDA0003438921720000137
For the parameter definitions in formula (6), refer to formula (5). Formula (6) yields the attention weight between the bytes inside a service, which makes the model suitable for lower-configuration devices. In actual calculation, an appropriate attention weight formula is selected according to the hardware resources available at deployment; the specific selection process is not limited in the embodiments of the present specification.
In this embodiment of the present specification, when the attention weight is calculated by formula (5), the corresponding weighted value of the feature vector in any coding block is expressed by formula (7) as follows:
Figure BDA0003438921720000138
where
Figure BDA0003438921720000139
is the weighted value, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical grid flow data;
Figure BDA0003438921720000141
is the attention weight, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical grid flow data;
Figure BDA0003438921720000142
is the value transformation vector obtained by transforming the classification token of the l-th layer coding block (i.e.
Figure BDA0003438921720000143
) with formula (4); and
Figure BDA0003438921720000144
is the value transformation vector, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical power grid flow data, where P is the number of pieces of historical power grid flow data and K is the number of bytes in each piece of historical power grid flow data.
Accordingly, when the attention weight is calculated by formula (6), the corresponding weighted value of the feature vector in any coding block is expressed by formula (8) as follows:
Figure BDA0003438921720000145
the parameter definition in the formula (8) may refer to the formula (7), which is not described in detail in this embodiment of the present specification.
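The trade-off between the two attention scopes described for formulas (5) and (6) can be made concrete with a small added example (not code from the patent). It assumes standard scaled dot-product attention with a softmax, since the formula images are missing from this page, uses a single head (A = 1), computes weights for byte tokens only, and runs on constructed random vectors; the function names are hypothetical.

```python
import math
import random


def matvec(matrix, vec):
    """Multiply a matrix (list of rows) by a vector."""
    return [sum(m * x for m, x in zip(row, vec)) for row in matrix]


def layer_norm(vec, eps=1e-6):
    """LN(): normalise one vector to zero mean and unit variance."""
    mean = sum(vec) / len(vec)
    var = sum((x - mean) ** 2 for x in vec) / len(vec)
    return [(x - mean) / math.sqrt(var + eps) for x in vec]


def softmax(scores):
    top = max(scores)  # subtract the maximum for numerical stability
    exps = [math.exp(s - top) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def attention(tokens, P, K, Wq, Wk, Wv, scope):
    """Attention weights and weighted values for every byte token.

    tokens: classification token followed by P*K byte vectors, message by message.
    scope="joint":   keys are the class token plus all bytes of all P messages.
    scope="message": keys are the class token plus the K bytes of the same message.
    Returns (weights, weighted_values, number_of_scores_computed).
    """
    if scope not in ("joint", "message"):
        raise ValueError("scope must be 'joint' or 'message'")
    if len(tokens) != 1 + P * K:
        raise ValueError("expected one class token plus P*K byte tokens")
    normed = [layer_norm(t) for t in tokens]
    q = [matvec(Wq, t) for t in normed]  # query transformation vectors
    k = [matvec(Wk, t) for t in normed]  # key transformation vectors
    v = [matvec(Wv, t) for t in normed]  # value transformation vectors
    d_h = len(q[0])
    weights, weighted, n_scores = {}, {}, 0
    for p in range(P):
        for b in range(K):
            i = 1 + p * K + b
            if scope == "joint":
                keys = list(range(1 + P * K))
            else:
                keys = [0] + [1 + p * K + kb for kb in range(K)]
            scores = [sum(x * y for x, y in zip(q[i], k[j])) / math.sqrt(d_h)
                      for j in keys]
            n_scores += len(scores)
            w = softmax(scores)
            weights[(p, b)] = dict(zip(keys, w))
            # Weighted value: attention-weighted sum of the value vectors.
            weighted[(p, b)] = [sum(wj * v[j][c] for wj, j in zip(w, keys))
                                for c in range(d_h)]
    return weights, weighted, n_scores


def demo(P=3, K=4, D=8, seed=1):
    """Run both scopes on the same constructed input."""
    rng = random.Random(seed)
    tokens = [[rng.gauss(0, 1) for _ in range(D)] for _ in range(1 + P * K)]
    Wq, Wk, Wv = ([[rng.gauss(0, 0.5) for _ in range(D)] for _ in range(D)]
                  for _ in range(3))
    return {s: attention(tokens, P, K, Wq, Wk, Wv, s) for s in ("joint", "message")}


if __name__ == "__main__":
    for scope, (_, _, n) in demo().items():
        print(scope, "scores computed:", n)
```

With P messages of K bytes, the joint scope computes P·K·(P·K + 1) scores per head while the per-message scope computes P·K·(K + 1), which is where the saving on low-configuration devices comes from.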
In the embodiment of the present specification, the output result of the feature vector in any one coding block is expressed by the following formula (9) to formula (10):
Figure BDA0003438921720000146
Figure BDA0003438921720000147
where
Figure BDA0003438921720000148
is the intermediate vector, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical power grid flow data; Wo is a linear transformation matrix;
Figure BDA0003438921720000149
is the output result, in the l-th layer coding block, of the feature vector corresponding to the kth byte in the pth historical power grid flow data; LN() is the normalization process; and MLP() is a feed-forward neural network.
In this embodiment, the multi-layer perceptron processes the second feature vector set to obtain a prediction result according to the following formula (11):
Figure BDA00034389217200001410
where y is the prediction result, and
Figure BDA00034389217200001411
is the final value of the learnable classification token in the second feature vector output by the last-layer coding block.
Therefore, the anomaly detection model establishing method provided by the invention adopts a self-attention mechanism, which not only focuses on key information but also establishes the interdependence among pieces of information, giving a more accurate understanding of the service. The attention mechanism is applied both inside a service and between services, so the attended information and the resulting dependency relationships are more comprehensive. The use of the self-attention mechanism therefore makes energy internet service traffic anomaly detection more accurate. Moreover, the self-attention mechanism can establish dependency relationships between long-distance service information without the computation growing with the distance, which addresses the problems that a Recurrent Neural Network (RNN) and a Long Short-Term Memory network (LSTM) cannot be trained and run in parallel and have difficulty establishing dependencies between long-distance information.
Based on the same inventive concept, an embodiment of the present specification further provides a device for establishing a service traffic anomaly detection model, as shown in fig. 5, where the device includes:
a historical grid flow data acquiring module 110, configured to acquire historical grid flow data with a classification flag;
the encoding module 120 is configured to perform encoding processing on the historical grid flow data to obtain a first characteristic vector set;
a prediction result obtaining module 130, configured to input the first feature vector set into a multilayer coding block of an initial anomaly detection model for processing, so as to obtain a second feature vector set, and then input the second feature vector set into a multilayer perceptron of the initial anomaly detection model, so as to obtain a prediction result;
and the training module 140 is configured to train the initial anomaly detection model according to the prediction result and the classification flag of the historical grid flow data, so as to obtain a trained anomaly detection model.
The beneficial effects obtained by the above device are consistent with those obtained by the above scheme, and the embodiments of the present description are not repeated.
On the basis of the above-mentioned method for establishing an anomaly detection model, an embodiment of the present specification further provides a method for detecting an anomaly in a service flow, as shown in fig. 6, where the method includes:
s301: acquiring service flow data to be detected;
s302: coding the to-be-detected service flow data to obtain a first characteristic vector set;
s303: and inputting the first characteristic vector set into the anomaly detection model established by the method to obtain a classification result of the to-be-detected service flow data.
It can be understood that, in the embodiment of the present specification, the anomaly detection model established by the method is used for performing real-time detection on the energy internet service traffic, a suitable anomaly detection model is selected according to the operational capability that can be provided by the intelligent terminal or other nodes to be detected, and the anomaly detection model is deployed on the intelligent terminal or other nodes to be detected, so as to perform real-time detection and classification on the service traffic, thereby realizing efficient and reliable monitoring and alarm.
It should be noted that the encoding of the service flow data to be detected is consistent with the encoding of the historical power grid flow data during model training, and no further description is provided in the embodiments of the description.
The service traffic data to be detected may include one piece of data, or may be multiple pieces of data collected in a specified time period, where the multiple pieces of data may be service traffic data having the same data source and destination.
Correspondingly, an embodiment of the present specification further provides a device for detecting traffic flow anomaly, as shown in fig. 7, where the device includes:
a to-be-detected data acquisition module 210, configured to acquire to-be-detected service traffic data;
a to-be-detected data encoding module 220, configured to perform encoding processing on the to-be-detected traffic data to obtain a first characteristic vector set;
the predicting module 230 is configured to input the first feature vector set into the anomaly detection model established by the method, and obtain a classification result of the traffic data to be detected.
The beneficial effects obtained by the service traffic anomaly detection device are consistent with those obtained by the service traffic anomaly detection method, and the embodiments of the present specification are not described in detail.
As shown in fig. 8, for a computer device provided in this embodiment, an apparatus herein may be a computer device in this embodiment, and perform the method herein, the computer device 802 may include one or more processors 804, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 802 may also include any memory 806 for storing any kind of information, such as code, settings, data, etc. For example, and without limitation, memory 806 may include any one or more of the following in combination: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may use any technology to store information. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 802. In one case, when the processor 804 executes the associated instructions, which are stored in any memory or combination of memories, the computer device 802 can perform any of the operations of the associated instructions. The computer device 802 also includes one or more drive mechanisms 808, such as a hard disk drive mechanism, an optical disk drive mechanism, etc., for interacting with any memory.
Computer device 802 may also include an input/output module 810(I/O) for receiving various inputs (via input device 812) and for providing various outputs (via output device 814). One particular output mechanism may include a presentation device 816 and an associated Graphical User Interface (GUI) 818. In other embodiments, input/output module 810(I/O), input device 812, and output device 814 may also be excluded, as just one computer device in a network. Computer device 802 may also include one or more network interfaces 820 for exchanging data with other devices via one or more communication links 822. One or more communication buses 824 couple the above-described components together.
Communication link 822 may be implemented in any manner, such as over a local area network, a wide area network (e.g., the Internet), a point-to-point connection, etc., or any combination thereof. The communication link 822 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
Corresponding to the methods in fig. 2-3 or fig. 6, the embodiments herein also provide a computer-readable storage medium having stored thereon a computer program, which, when executed by a processor, performs the steps of the above-described method.
Embodiments herein also provide computer readable instructions, wherein a program therein causes a processor to perform the method as shown in fig. 2-3 or fig. 6 when the instructions are executed by the processor.
It should be understood that, in various embodiments herein, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments herein.
It should also be understood that, in the embodiments herein, the term "and/or" is only one kind of association relation describing an associated object, meaning that three kinds of relations may exist. For example, a and/or B, may represent: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their function in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided herein, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purposes of the embodiments herein.
In addition, functional units in the embodiments herein may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present invention may be implemented in a form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The principles and embodiments of this document are explained herein using specific examples, which are presented only to aid in understanding the methods and their core concepts. For those of ordinary skill in the art, the specific implementation and the scope of application may vary according to the ideas of this document. In summary, this description should not be understood as a limitation of this document.

Claims (10)

1. A method for establishing a service flow anomaly detection model is characterized by comprising the following steps:
acquiring historical power grid flow data with classification marks;
encoding the historical power grid flow data to obtain a first characteristic vector set;
inputting the first characteristic vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second characteristic vector set, and then inputting the second characteristic vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result;
and training the initial anomaly detection model according to the prediction result and the classification mark of the historical power grid flow data to obtain a trained anomaly detection model.
2. The method of claim 1, wherein obtaining historical grid flow data with a signature comprises:
according to the energy Internet intelligent terminal topological structure, an intelligent terminal on the topological structure is determined, and an initial service message which is related to the intelligent terminal and is provided with a classification mark is collected;
and according to the attribute characteristics of the preset service message, carrying out segmentation processing on the initial service message to obtain historical power grid flow data with the same data source and destination.
3. The method of claim 1, wherein the encoding the historical grid flow data to obtain a first eigenvector comprises:
performing first coding processing on each byte in historical power grid flow data to obtain a word vector set consisting of a plurality of multi-dimensional word vectors;
performing second coding processing on each word vector in the word vector set to obtain an initial characteristic vector set;
and adding a learnable classification mark in each initial feature vector of the initial feature vector set to obtain a first feature vector set.
4. The method of claim 1, wherein the coding block comprises a transform matrix layer, an attention weight calculation layer, a weighting layer, and a feedforward neural network layer;
the transformation matrix layer in any coding block M is used for calculating a transformation vector of each eigenvector N in any coding block M according to the output result of each eigenvector N in the coding block M-1 at the upper layer and the transformation matrix in any coding block M;
the attention weight calculation layer in any coding block M is used for calculating and obtaining the attention weight of each eigenvector N in any coding block M according to the conversion vector of each eigenvector N in any coding block M and the conversion vector of the eigenvector corresponding to all historical power grid flow data in any coding block M;
the weighting layer in any coding block M is used for calculating and obtaining a weighting value corresponding to the feature vector N in any coding block M according to the attention weight of the feature vector N in any coding block M and the transformation vector of the feature vector corresponding to all historical power grid flow data in any coding block M;
and the feedforward neural network layer in any coding block M is used for calculating and obtaining the output result of the eigenvector N in any coding block M according to the weighted value corresponding to the eigenvector N in any coding block M and the linear transformation matrix in any coding block M, wherein the output result of the last layer of coding block is the second eigenvector output by the eigenvector N in the multilayer coding block.
5. The method of claim 4,
the transformation matrix comprises a query transformation matrix, a key transformation matrix and a value transformation matrix;
the transformation vectors include a query transformation vector, a key transformation vector, and a value transformation vector.
6. The method of claim 4, wherein the transform matrix layer in the first layer coding block is configured to compute a transform vector of each eigenvector in the first layer coding block according to each eigenvector in the first set of eigenvectors and the transform matrix of the first layer coding block.
7. A method for detecting abnormal service flow is characterized in that the method comprises the following steps:
acquiring service flow data to be detected;
coding the to-be-detected service flow data to obtain a first characteristic vector set;
inputting the first feature vector set into an anomaly detection model established by the method of any one of claims 1 to 6, and obtaining a classification result of the traffic data to be detected.
8. A device for establishing a service traffic anomaly detection model, the device comprising:
the historical power grid flow data acquisition module is used for acquiring historical power grid flow data with classification marks;
the encoding module is used for encoding the historical power grid flow data to obtain a first characteristic vector set;
a prediction result obtaining module, configured to input the first feature vector set into a multilayer coding block of an initial anomaly detection model for processing to obtain a second feature vector set, and then input the second feature vector set into a multilayer perceptron of the initial anomaly detection model to obtain a prediction result;
and the training module is used for training the initial anomaly detection model according to the prediction result and the classification mark of the historical power grid flow data so as to obtain a trained anomaly detection model.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111627392.0A CN114330544A (en) 2021-12-28 2021-12-28 Method for establishing business flow abnormity detection model and abnormity detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111627392.0A CN114330544A (en) 2021-12-28 2021-12-28 Method for establishing business flow abnormity detection model and abnormity detection method

Publications (1)

Publication Number Publication Date
CN114330544A true CN114330544A (en) 2022-04-12

Family

ID=81015179

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111627392.0A Pending CN114330544A (en) 2021-12-28 2021-12-28 Method for establishing business flow abnormity detection model and abnormity detection method

Country Status (1)

Country Link
CN (1) CN114330544A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615088A (en) * 2022-04-25 2022-06-10 国网冀北电力有限公司信息通信分公司 Terminal service flow abnormity detection model establishing method and abnormity detection method
CN115062721A (en) * 2022-07-01 2022-09-16 中国电信股份有限公司 Network intrusion detection method and device, computer readable medium and electronic equipment
CN115102871A (en) * 2022-05-20 2022-09-23 浙江大学 Energy internet control terminal service processing method based on service feature vector
CN115470936A (en) * 2022-09-23 2022-12-13 广州爱浦路网络技术有限公司 NWDAF-based machine learning model updating method and device
CN117479219A (en) * 2023-11-07 2024-01-30 广州方舟文化科技有限公司 Method and system for monitoring mobile phone flow card package

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615088A (en) * 2022-04-25 2022-06-10 国网冀北电力有限公司信息通信分公司 Terminal service flow abnormity detection model establishing method and abnormity detection method
CN115102871A (en) * 2022-05-20 2022-09-23 浙江大学 Energy internet control terminal service processing method based on service feature vector
CN115102871B (en) * 2022-05-20 2023-10-03 浙江大学 Service feature vector-based energy internet control terminal service processing method
CN115062721A (en) * 2022-07-01 2022-09-16 中国电信股份有限公司 Network intrusion detection method and device, computer readable medium and electronic equipment
CN115062721B (en) * 2022-07-01 2023-10-31 中国电信股份有限公司 Network intrusion detection method and device, computer readable medium and electronic equipment
CN115470936A (en) * 2022-09-23 2022-12-13 广州爱浦路网络技术有限公司 NWDAF-based machine learning model updating method and device
CN115470936B (en) * 2022-09-23 2023-06-06 广州爱浦路网络技术有限公司 NWDAF-based machine learning model updating method and device
CN117479219A (en) * 2023-11-07 2024-01-30 广州方舟文化科技有限公司 Method and system for monitoring mobile phone flow card package

Similar Documents

Publication Publication Date Title
CN114330544A (en) Method for establishing business flow abnormity detection model and abnormity detection method
Qu et al. A survey on the development of self-organizing maps for unsupervised intrusion detection
US10187401B2 (en) Hierarchical feature extraction for malware classification in network traffic
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
Lee et al. Detection of DDoS attacks using optimized traffic matrix
Tsogbaatar et al. DeL-IoT: A deep ensemble learning approach to uncover anomalies in IoT
CN115606162A (en) Abnormal flow detection method and system, and computer storage medium
Shen et al. Machine learning-powered encrypted network traffic analysis: a comprehensive survey
CN107667505A (en) System for monitoring and managing data center
US11113397B2 (en) Detection of malicious executable files using hierarchical models
CN114615088A (en) Terminal service flow abnormity detection model establishing method and abnormity detection method
Pathak et al. Anomaly detection using machine learning to discover sensor tampering in IoT systems
KR102168496B1 (en) Environmental Analysis and Correction System for Transfer Learning and Its Method
Vinayakumar et al. Secure shell (ssh) traffic analysis with flow based features using shallow and deep networks
US20240106836A1 (en) Learning of malicious behavior vocabulary and threat detection
Atli Anomaly-based intrusion detection by modeling probability distributions of flow characteristics
CN115396204A (en) Industrial control network flow abnormity detection method and device based on sequence prediction
CN117113262A (en) Network traffic identification method and system
Wang et al. An unknown protocol syntax analysis method based on convolutional neural network
Rajesh et al. Evaluation of machine learning algorithms for detection of malicious traffic in scada network
CN114866310A (en) Malicious encrypted flow detection method, terminal equipment and storage medium
Mubarak et al. Ics cyber attack detection with ensemble machine learning and dpi using cyber-kit datasets
Obeidat Hybrid approach for botnet detection using k-means and k-medoids with Hopfield neural network
Nie et al. M2VT-IDS: A multi-task multi-view learning architecture for designing IoT intrusion detection system
Wan et al. DevTag: A benchmark for fingerprinting IoT devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination