CN114401136A - Rapid anomaly detection method for multiple attribute networks - Google Patents

Abstract

The invention discloses a rapid anomaly detection method for multiple attribute networks, which is characterized in that an anomaly detection model is established in multiple private attribute networks based on local, an approximate optimal anomaly query method is adopted in each private network to detect abnormal subgraphs with specific shapes and align the abnormal subgraphs with the abnormal subgraphs in a public network, and the method specifically comprises the following steps: initializing an upper limit result set and a lower limit result set as an empty set, setting the iteration number i as 0, and selecting the first m nodes as an upper limit structure; decomposing the query graph Q into a star structure, and limiting the upper limit of the abnormal subgraph obtained by the last iteration

And lower limit

Merging to obtain a temporary optimal structure S; when the upper limit is reached

And lower limit

Returning approximate abnormal query results when the abnormal scores are close

Otherwise, iteration is carried out until the stopping condition is met, and the method can dig out the IP with similar attack behaviors at different times. Therefore, the attacked website can avoid the attack risk with high probability only by intercepting the IP of the network segment.

Description

Rapid anomaly detection method for multiple attribute networks

Technical Field

The invention belongs to the field of federal anomaly detection of multiple attribute networks, and particularly relates to a rapid anomaly detection method for multiple attribute networks.

Background

The federated anomaly detection problem is to find associated anomaly subgraphs on multiple layers of private property graph data. Abnormal subgraph detection has been widely applied to network attack detection in computer networks, public opinion outbreak detection in social networks, congestion detection in traffic networks and other various applications.

Currently, anomaly detection faces two major challenges: firstly, isolated data in most industries are limited to be shared with other industries due to data privacy and safety, secondly, the traditional anomaly detection needs to calculate the whole amount of network to judge the anomaly, and the data volume generated in the fields of the Internet and the like every day is increased by exponential level, so that the calculation result cannot be obtained quickly, and after the result is obtained, few methods can achieve the purpose of mining the relation of abnormal nodes and knowing the reason of the abnormal event.

A near-optimal federal anomaly detection method is generally adopted for private graph attribute data of a multi-layer attribute network. The approximate optimal abnormal query abstracts the existing spatio-temporal data into a connected private attribute network or attribute graph and matches the connected private attribute network or attribute graph with a known behavior pattern to obtain the most relevant and abnormal parts in the networks so as to explore the abnormal connection and abnormal cause between nodes under a single-layer network. Each private property network is aligned with an anomaly on the public property network, respectively, to mine the commonality of anomalies between these events.

Disclosure of Invention

Aiming at the problems in the prior art, the invention excavates the abnormity of a specific structure mode existing among a plurality of private attribute networks on the premise of protecting privacy, guides the formulation of corresponding policies and simultaneously excavates potential abnormal information. In a plurality of computer attack networks with different time periods, the method can excavate the IP with similar attack behaviors at different times. And obtaining the related fixed network segment and the attack mode according to the real record. Therefore, the attacked website can avoid the attack risk with high probability only by intercepting the IP of the network segment.

The invention is implemented by adopting the following technical scheme:

a quick abnormity detection method for a plurality of attribute networks comprises the following steps:

constructing a plurality of attribute networks according to requirements and calculating abnormal attribute values of network nodes according to the following formula;

wherein: n is the number of all nodes in the network; attribute network G^*＝{G_i},i∈{0,1,...,N}，G_i＝(V_i,E_i,P_i) Denotes the ith network, V_i,E_i,P_iEach represents G_iThe node set, the edge set and the abnormal attribute set of (1);

inputting an edge set and an abnormal attribute set of a public network and a plurality of private networks, and presetting parameters of a network to be tested, wherein the parameters comprise:

an anomaly threshold α and an alignment threshold σ; initialization result set UⁱThe iteration times i are 0 for the empty set;

the plurality of private networks G_iDownloading a public network to the local and respectively pre-aligning with the public network to obtain an alignment probability matrix set H_ij；

Obtaining the last iteration result, detecting the approximate optimal abnormal subgraph S of the private network_j ^*；

Aligning the public network to obtain a result set Uj, and uploading the result set Uj to a cloud end;

merging private networks at cloudUploading the result, aligning the result with a public network, and obtaining all aligned abnormal subgraphs U^*Summarized as set Uⁱ⁺¹；

Networking multiple layers of private attributes G_jOptimal abnormal subgraph S in_j ^*The nodes of (2) are regarded as normal nodes;

when U is turnedⁱ＝Uⁱ⁺¹Returning to the aligned abnormal subgraph set S^*Combining with the abnormal subgraph after U output alignment;

otherwise, the iteration number i is i +1, and 5) to 7) are repeated until the stop condition of 8) is satisfied.

Advantageous effects

The invention is based on the attribute network that distributes on a plurality of local private data sets and sets up the abnormal detection model, wherein the network is made up of a plurality of private attribute networks and a public attribute network. In each private property network, the detected special shape abnormal subgraph is aligned with the abnormal subgraph in the public property network. The algorithm for anomaly detection adopts an approximate optimal anomaly query method, utilizes the anomaly calculation characteristics of linear time subset scanning in the method and an approximate query method based on an anomaly mode, overcomes the defects that the traditional anomaly detection algorithm is low in speed, poor in robustness, high in data cost and incapable of explaining an operation result, and quickly mines a result by knowing an abnormal behavior mode in advance and has the capability of analyzing the cause of the anomaly. And in the public attribute network, selecting an important public abnormal subgraph to carry out abnormal subgraph alignment, and simultaneously preventing data leakage.

Drawings

FIG. 1 is a flow chart of the process of the present invention.

FIG. 2 is a schematic diagram of the concept of a rapid anomaly detection method based on the specific structure of Federal anomaly detection.

Fig. 3 is a schematic diagram of a near-optimal abnormal query method in a private network.

FIG. 4 is a schematic diagram of a query graph setup suitable for different data scenarios.

FIG. 5 is a schematic diagram of the method applied to private computer attribute network attack detection.

Fig. 6 is a schematic diagram of applying the method to a certain related abnormal IP group found in a plurality of computer attack networks.

FIG. 7 is a general flow diagram illustrating a federated exception alignment algorithm to which the present invention relates.

FIG. 8 is a flow chart illustrating a near optimal anomaly detection algorithm in accordance with the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention clearer, the following detailed discussion of the present invention will be made with reference to the accompanying drawings and examples, which are only illustrative and not limiting, and the scope of the present invention is not limited thereby.

As shown in fig. 1, the present invention provides a method for fast detecting an anomaly in a multi-layer attribute network, which includes the following steps:

s1, constructing a public network, a plurality of private networks and a query graph mode according to requirements, and calculating abnormal attribute values of the nodes.

Building multiple attribute networks G as required^*＝{G_iJ, i ∈ {0, 1., N }, where G ∈_i＝(V_i,E_i,P_i) Denotes the ith network, V_i,E_i,P_iEach represents G_iThe set of nodes, the set of edges, and the set of exception attributes. N is the number of attribute networks. G₀Is a public network and the remaining networks are private networks. The multi-network may be formed by dividing data of the same source by time slices, or may be formed by directly using data of a plurality of different sources. The query graph is set as shown in fig. 4, and different behavior modes can select different query graph structures. For example, cyber attacks select a star configuration or a bipartite graph configuration, while river pollution selects a linear configuration.

The definition of the abnormal characteristic value of the node generally adopts an empirical p value, and the main meaning of the empirical p value of the node is that no network attack occursNull hypothesis H₀And if the probability of whether the network attack event occurs to the IP node is less than or equal to the abnormal threshold alpha, judging that the network attack event occurs. The empirical p-value for a node v for a certain feature d can be defined as:

wherein: i is a logic function, f_d(v^(t))≥f_d(v) If so, the value of I is 1, otherwise, the value of I is 0; the abnormal characteristic (such as IP access amount) of the node v before the t day is f_d(v^(t)) Day t abnormality characterized by f_d(v) (ii) a The lower the empirical p-value, the more anomalous the node.

If the attribute value of v itself is not counted according to time, the attribute value of v itself is used as an observed value c_vThe attribute values of other nodes of the network are used as comparison values c_iThe p-value is calculated according to the following equation.

And N is the number of all nodes in the network.

S2, an abnormality threshold α (typically 0.15) and an alignment threshold σ (typically 0.6) are set. Initialization result set UⁱFor the empty set, the iteration number i is 0.

And marking the nodes with the abnormal attribute values less than or equal to alpha as abnormal nodes. If the node pair (v)_i,v_j) Is greater than an alignment threshold σ, v_iAnd v_jWill be marked as closely related aligned nodes, where v_iAnd v_jMust originate from different networks. Initialization result set UⁱAnd inputting an edge set and an abnormal attribute set of a public network and a plurality of private networks as an empty set, wherein the iteration number i is 0. And U is a set of the abnormal alignment subgraphs of all the private networks on the public network, and needs to be initialized to an empty set.

And S3, downloading the public network to the local by each private network, and respectively pre-aligning with the public network to obtain an alignment probability matrix set H.

This step is implemented using a cross mna framework of the multi-network alignment method, by inputting edge sets of multiple networks and known anchor links (confirming the same entity in different attribute networks), setting the training ratio to 1.0, and the training times to 400. Obtaining an aligned anchor chain matrix H between networks_ijIn summary, H (FIG. 2) is obtained. Other network alignment algorithms may be used to perform this step.

H_ijIs G_iAnd G_jThe alignment probability matrix of the nodes in between has the dimension of | V_i|×|V_jL, each value H in the matrix_ij(v_i，v_j) Representing node v_iAnd node v_jIs the alignment probability of the anchor node, and has a range of [0,1 ]]The larger the value is, the higher the alignment probability is, and the value of 1 indicates that the two nodes are known anchor nodes.

S4, obtaining the last iteration result, each private network G_jLocally aligning with the private network, and detecting the near optimal abnormal subgraph S of the private network_j ^*。

In the step, in order to evaluate the abnormal degree of each private network abnormal subgraph, the application introduces a nonparametric graph scanning statistic F as an abnormal score function:

wherein

Is a statistical function. S is a set of connected vertex subsets of G (i.e., connected subgraphs), α is the anomaly threshold for a node (typically 0.15), N_α(S) is the number of abnormal nodes (the abnormal attribute value is less than or equal to alpha) in S, and N (S) is the number of all nodes in S. In addition, in order to guarantee the maximum abnormality,

two attributes need to be satisfied:

value with N_α(S) monotonically increasing and varying with N (S) -N_α(S) the number of normal nodes is increased and monotonously decreased; the present invention therefore uses the Higher Criticism (HC) statistic as

The steps of detecting the approximate optimal abnormal subgraph of the private network are as follows:

4.1) initializing the upper and lower limit result set to be an empty set, inputting the edge set, the abnormal feature set and the edge set of the query graph of the private attribute network when the iteration number i is 0.

4.2) calculating the abnormal priority of the node. g () is a priority function. And inputting an attribute graph G, and sorting the nodes in the graph according to the size of the abnormal characteristic value, wherein the nodes with higher priority are more abnormal. The function orders the nodes in graph G into post outputs.

4.3) selecting the first m nodes as an upper limit structure.

4.4) decomposing the query graph Q into a star structure, for an upper limit node set

Detecting the subgraph isomorphic with the star structure to obtain each point in the

MaxQ function constructs upper limit

The node set and the neighbors thereof match the part similar to the query graph Q in the attribute graph G and are converted into a lower limit structure

The query graph Q is decomposed into a star substructure, where each node will act as a central node or a leaf node of the star structure. When the query graph is a graph without attributes, the star structure with different leaf numbers only needs to be reserved. Star (v) sub-graph with function representing that return node v contains first-order neighbors on attribute graph G

Is a star-shaped subgraph of the maximized abnormal score function and is isomorphic with the star-shaped structure of the query graph decomposition. By using the idea of greedy algorithm

Splicing one by one, argmin

Obtaining the part most similar to the query graph, and using the splicing result as the lower limit

4.5) upper limit of abnormal subgraph obtained by last iteration

And lower limit

And combining to obtain the temporary optimal structure S.

4.6) updating the Upper bound result set

Step (ii) of

In (3), the update of the upper bound node set requires the addition of an uncomputed node such as v_(k+1)，v_(j)Is to reserve a centralized priorityThe node with the highest rank, and v_(k)Is the lowest priority node. The updated upper limit node set number is m.

4.7) when the upper limit

And lower limit

Returning approximate abnormal query results when the abnormal scores are close

Otherwise, the iteration number i is i +1 until the stop condition is met. End result

Namely, the abnormal detection result which is similar to the structure of the query graph while the target function F of a certain sub-graph in the attribute graph is maximized is obtained.

And S5, aligning the public network to obtain Uj, and uploading the Uj to the cloud.

S6, combining the results uploaded by each private network at the cloud end, aligning the results with the public network, and obtaining all aligned abnormal subgraphs U^*Summarized as set Uⁱ⁺¹。

In order to obtain the alignment score of abnormal subgraph alignment between networks, a function Q is defined as a scoring function of abnormal alignment, and the formula is as follows:

where σ is the alignment threshold (0.8 for this method setting), N_σ(S, U) is the number of aligned nodes in S and U, N (S) is the number of all nodes in S, and N (U) is the number of all nodes in U. The alignment probability of a node is derived from the pre-alignment matrix node set H ═ H (H)_ij)， H_ijIs G_iAnd G_jAnd i ≠ j (see fig. 2).

S7, mixing G_jAll of (A) belong toS_j ^*Is regarded as a normal node

The present invention accomplishes this by setting the node exception attribute values to 1.

S8, when Uⁱ＝Uⁱ⁺¹Returning to the aligned abnormal subgraph set S^*And U.

Otherwise, the iteration number i is i +1, and 4) to 7) are repeated until the stop condition of 8) is satisfied.

End result (S)^*U) is the set of anomaly sub-maps that maximizes the objective function and approximates a particular shape. The overall method objective function is defined as follows:

the invention discloses a process for locally detecting an optimal abnormal subgraph from each March network, which comprises the following steps:

for a given plurality of attributes network G^*＝{G_iJ, i ∈ {0, 1., N }, where G ∈_i＝(V_i,P_i,E_i) Denotes the ith network, V_i,P_i,E_iEach represents G_iThe set of nodes, the set of edges, and the set of exception attributes. N is the number of attribute networks. The abnormal characteristic value of the node is set to 0,1]Smaller means more abnormal node, larger than alpha_max0.15 indicates that the node is a normal node.

The invention searches the subgraph which contains the most abnormal node and is similar to the query graph structure in the private attribute network, thus setting the following objective function:

i.e., the sub-graph result that approximates the optimal exception query should maximize the function value F and satisfy the constraint that S is isomorphic to Q. For a given attribute network G ═ (V, E, W), where G denotes an attribute graph that contains (1) a set of nodes V ═ n]1, ·, n }; (2) edge set

Where | E | ═ p, i.e., the number of edge sets is p; (3) set of node exception attributes

Wherein the row vector

Is the value of the attribute observed within the time span T of the vertex V ∈ V. For node subsets

Only the row vector is retained in S. If V_S∈V，E_SE, and W_sSubject to the constraint of W, we then define the sub-graph S in G as

Setting simultaneously

Is a query graph. For time t and node v in the computer network, the number of records accessed by node v on the t day is recorded as an observed value

And expressing the average number of access logs of the node v in the time period T before the tth day as an expected value

In addition, normal access data and actual attack data are distinguished in the data records, and the actually occurring attack type, attack time and the IP addresses of the attack and the attacked can be known. The calculation of the node anomaly characteristic value (empirical p value) as an observed value c_vAnd expected value b_vComparison of (1). To test the robustness of the algorithm, a percentage K E {5 } in the random flip network,10. 20} empirical p-value of the node.

The invention has the general idea that the sub-graph structures of the upper bound and the lower bound in the iterative algorithm are calculated when the abnormal scores of the upper bound and the lower bound are smaller than a threshold value. In the experiment, the threshold value of the difference of the upper limit and the lower limit abnormal score is set to be epsilon 10^-6. When the condition is met, the approximate optimal solution can be found, the operation is finished, and the result is returned. The near-optimal anomaly detection of the private network specifically comprises the following steps:

1) root node selection given a private attribute graph G, a set of m root nodes need to be selected to begin the matching process with the query graph, where m means the number of nodes in the query graph Q. The idea of selecting a root node set is as follows: (1) the number of nodes which are as normal as possible is contained as little as possible; (2) the abnormal nodes are contained as many as possible, and the abnormal values calculated by the abnormal nodes are higher, so that the abnormal score of the whole subgraph can be guaranteed to be higher. In consideration of these two design goals, the priority function g () first constructs the matching order of the nodes in ascending order of the empirical p-value, and selects the first m nodes as root nodes, e.g., { v3, v6, v8, v7}, and the root node set enters the computation as the upper bound of the anomaly score function in the first iteration (see the specific implementation for the function definition).

2) Constructing an upper bound of the anomaly score function, wherein in the ith iteration, the next step is to pass the result of the last iteration

By updating the node set of the selected m nodes, i.e. by

Graph structure for constructing upper bound of anomaly score

In addition, the invention is provided with

It is not necessary to be a connected graph, and even if isolated points are included in the attribute graph G, the requirement is satisfied.

The number of nodes of the structure is the same as that of the nodes of the root node set constructed in the first iteration, and the structure consists of m nodes.

The node of (1) is composed of two parts, one part is iteration from the last time

And

the node set S formed by the top points with higher abnormal values needing to be reserved is obtained from the intersection set of the attribute graph G, and the other part is that the node set S which is subjected to priority sorting and has higher priority can be used for adding the candidate abnormal score upper limit node set

The vertex of (c) is denoted by max g ({ v) in the algorithm_(j),...,v_(k),v_(k+1)}). The update part of the node adopts a compact iterative mode, such as an algorithm maxg ({ v)_(j),...,v_(k),v_(k+1)} -S, m-S), assuming that the update reaches the kth vertex v after the i-1 th iteration_(k)(v_(k)Already exists

In) and calculate

And

the resulting intersection of (c) requires the preservation of | S | number of vertices. Node set at nodes requiring reservationIn S, assume the jth vertex v_(j)Is the vertex with the highest priority in S, and the kth vertex v_(k)As the vertex with the lowest priority and the last one to be retained. The node update is at v_(j)Then m-S-1 vertices are selected in priority order, and the non-calculated node v must be selected_(k+1)Entering an updated node set

To ensure that the next iteration is not trapped in an infinite loop. The invention adopts an optimization strategy when returning results, when the number of the vertexes in S is equal to the query graph Q and

and when the graph is a connected graph, directly returning S as a calculation result. If the number of the nodes of the node set S needing to be reserved is less than m, updating step by step in descending order

3) Constructing a lower bound for the anomaly score function: near-optimal anomaly query algorithm based on anomaly score upper-bound structure

Node set of (2) constructing its lower bound structure

The same star subgraph as the decomposition structure of the query graph is selected as the root. The matching star structure is then assembled into a sub-graph approximating the query graph, and the method selects heuristic search to construct

First, decomposition of the query graph is introduced

The step decomposes the query graph Q into

m is the number of nodes of the query graph. In the decomposition query graph, each node has an opportunity to serve as a central node of a star structure and a plurality of leaf nodes of the star structure. As an example of query graph decomposition is given in fig. 4, the query graph Q is decomposed into two star structures with 3 leaf nodes and two star structures with 2 leaf nodes, and only one star structure with the same number of nodes needs to be reserved in the calculation process. The Star function returns m Star structures. The function of Star

Vertex in (1) { v }_(j),...,v_(k-1),v_(k+1)As center, { v_(j),...,v_(k-1),v_(k+1)Constructing m star subgraphs by taking neighbors in an attribute graph G as leaf top points

Wherein. In order to further optimize the constructed result to be similar to the structure of the query graph, conditions are set

Query graph of m Star structures and decomposition returned by Star function

And (4) isomorphism. When { v }_(j),...,v_(k-1),v_(k+1)The leaf node number of the star structure in which the star structure is located is larger than that of the decomposition subgraph

When the number of leaves is small, only the most abnormal vertex is selected as a leaf, otherwise, all the neighbors of the vertex v are accepted.

Need to match each decomposed subgraph

And save the results. After obtaining the candidate subgraph, the method will

Combining the sub-images one by one, and calculating to obtain a sub-image with the highest abnormal score as

When two or more subgraphs have the same abnormal score, the subgraph with the minimum graph editing distance with the query graph is selected as the subgraph

After the private network performs approximate anomaly detection, the abnormal subgraph needs to be transmitted into the public attribute network and abnormal alignment is performed, and the specific method of the abnormal alignment is as follows:

and (4) public abnormal alignment, namely uploading the alignment result to the cloud end by each private network, executing abnormal alignment work again at the cloud end, and integrating to obtain an aligned abnormal sub-graph set without changing the alignment result. The aligned abnormal subgraph always contains the most aligned nodes and the least non-aligned nodes. And the node with the alignment probability larger than that is judged as the aligned node. The invention uses an alignment function to count the alignment score of the abnormal alignment subgraph (the function definition is shown in a specific embodiment).

The invention needs to optimize the contents of both the abnormal detection and the abnormal alignment, so the following objective functions are set:

optimal alignment anomaly subgraph result (S)^*,U^*) The function value should be maximized.

Wherein: definition of a near-optimal federal anomaly detection algorithm. According to the steps, in order to obtain an optimal solution, the invention further provides a federal anomaly detection algorithm spanning multiple attribute networks, and the specific algorithm design is shown in the following figure. The algorithm is defined as the Approximate Optimal analysis Max Query in ordered Networks, AnamalyMaxQ for short. The method runs under the framework of FADMAN federal abnormal alignment method, and results are initialized to be UⁱThe number of iterations i is 0, an abnormal threshold alpha and an alignment threshold sigma are predefined, edge set/attribute set data of a public network and a plurality of private networks are input, and an alignment abnormal subgraph set S is continuously expanded through multiple iterations^*And U^*The result set that maximizes the objective function is obtained.

The method provided by the invention is an algorithm suitable for multi-scene federal anomaly detection on the premise of protecting privacy and not carrying out direct data exchange. A few specific scenarios are briefly described here. In a computer attack network, an IP and a website are used as nodes, an access behavior is used as an edge, and an access frequency is used as an abnormal attribute. Dividing the network into a plurality of networks according to time, and if all the networks have abnormal attributes, excavating abnormal IP groups (shown in figure 5) with similar attack behaviors; if the network in a certain time period has no abnormal attribute, the method can excavate the abnormality of the network by aligning the abnormal subgraphs of other networks to the network, so as to predict the IP attack effect in the time period; 2. in the enterprise investment network, the invention can detect whether the enterprise has the behavior risk of false positive and money laundering, and help investors to make investment decisions.

The invention shows detection analysis aiming at one-to-many attack mode and many-to-many attack mode of a computer on a computer flow network data set. Although these IP addresses appear in different places and times, their attack behavior is similar. By utilizing the method, some abnormal IP groups can be obtained by querying a specific attack mode, so that the server is helped to actively intercept the attack of a certain IP section, such as a star-shaped query graph and a bipartite graph query graph. As shown in fig. 6, the AnomalyMaxQ algorithm successfully discovers the attack network without innocent nodes.

One-to-many attack mode. As shown in fig. 6, which is a network attack detected by the algorithm. The red nodes represent the attacking or attacked IP site in the real world, and the yellow areas represent the outlier vertices we compute. It can be clearly seen that the attack records are found by the star query graph. The test results show that a certain IP address x.x.223.66 from Jiangsu province in China from 3 months and 10 days 2015 attacks the other four server sites yysj. The attack is detected to be FckEditorAttack attack. One-to-many or many-to-one network attack patterns are also the most common form of attack in networks. Many-to-many attack patterns. FIG. 6 shows that the network attack of DedecsAttack type is initiated by abroad and China together with Jiangxi on days 3, 12 in 2015, detected by the query graph. Because an attacker typically does not use only a single IP address to perform a network attack, it is possible to discover IP groups that are attacked at the same time, as compared to a star architecture. By recording these IP addresses, it is found that they come from multiple fixed network segments and that the attack pattern and location remain unchanged, meaning that they may come from the same attack source. With this information, network attacks can be prevented by blocking the IP of these fixed IP segments.

Practice shows that the method is wide in application range, strong in expansibility and suitable for different scenes, and related abnormal information/potential abnormal information is mined.

The present invention is not limited to the above-described embodiments. The foregoing description of the specific embodiments is intended to describe and illustrate the technical solutions of the present invention, and the above specific embodiments are merely illustrative and not restrictive. Those skilled in the art can make many changes and modifications to the invention without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (2)

1. A rapid anomaly detection method aiming at a plurality of attribute networks, wherein an anomaly detection model is established based on a data set distributed on a plurality of local private attribute networks, the anomaly detection model comprises attribute networks consisting of a plurality of private attribute networks and a public attribute network, and each private attribute network aligns a detected abnormal subgraph with a specific shape with an abnormal subgraph in the public attribute network by adopting a near-optimal anomaly query method, and the method comprises the following steps:

initializing an upper and lower limit result set as an empty set, inputting an edge set of a private attribute network, an abnormal feature set and an edge set of a query graph when the iteration number i is 0

Calculating the abnormal priority of the edge set, the abnormal feature set and the edge set node of the query graph of the private attribute network;

selecting the first m nodes as an upper limit structure;

decomposing the query graph Q into a star structure for the upper limit node set

Detecting the subgraph isomorphic with the star structure to obtain each point in the

The upper limit of the abnormal subgraph obtained by the last iteration is used

And lower limit

Merging to obtain a temporary optimal structure S;

updating the upper bound result set

When the upper limit is reached

And lower limit

Returning approximate abnormal query results when the abnormal scores are close

Otherwise, the iteration number i is i +1 until the stop condition is met.

2. The application of the rapid anomaly detection method for multiple attribute networks in claim 1 is characterized by comprising the following steps:

s1, constructing a multilayer attribute network according to requirements and calculating the abnormal attribute value of the network node according to the following formula;

wherein: n is the number of all nodes in the network; attribute network G^*＝{G_i},i∈{0,1,...,N}，G_i＝(V_i,E_i,P_i) Denotes the ith network, V_i,E_i,P_iEach represents G_iThe node set, the edge set and the abnormal attribute set of (1);

s2, inputting an edge set and an abnormal attribute set of a public network and a plurality of private networks, and presetting parameters of the network to be tested, wherein the parameters comprise: an anomaly threshold α and an alignment threshold σ; initialization result set UⁱThe iteration times i are 0 when the set is empty;

s3, multiple private networks G_iDownloading a public network to the local and respectively pre-aligning with the public network to obtain an alignment probability matrix set H_ij；

S4, obtaining the last iteration result, detecting the approximate optimal abnormal subgraph S of the private network_j ^*

S5, aligning with the public network to obtain a result set Uj, and uploading the result set Uj to the cloud;

s6, combining the results uploaded by each private network at the cloud, aligning the results with the public network, and obtaining all aligned abnormal subgraphs U^*Summarized as result set Uⁱ⁺¹；

S7, network G with multi-layer private attributes_jOptimal abnormal subgraph S in_j ^*The nodes of (2) are regarded as normal nodes;

s8, when Uⁱ＝Uⁱ⁺¹Returning to the aligned abnormal subgraph set S^*Combining with the abnormal subgraph after U output alignment;

otherwise, the number of iterations i ═ i +1, and S5 through S7 are repeated until the stop condition of S8 is satisfied.

Images