CN114884688A - Federated anomaly detection method across multi-attribute network - Google Patents

Federated anomaly detection method across multi-attribute network Download PDF

Info

Publication number
CN114884688A
CN114884688A CN202210310593.6A CN202210310593A CN114884688A CN 114884688 A CN114884688 A CN 114884688A CN 202210310593 A CN202210310593 A CN 202210310593A CN 114884688 A CN114884688 A CN 114884688A
Authority
CN
China
Prior art keywords
network
abnormal
nodes
attribute
alignment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210310593.6A
Other languages
Chinese (zh)
Other versions
CN114884688B (en
Inventor
张宁
武南南
王文俊
张洁
张欣悦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin University filed Critical Tianjin University
Priority to CN202210310593.6A priority Critical patent/CN114884688B/en
Publication of CN114884688A publication Critical patent/CN114884688A/en
Application granted granted Critical
Publication of CN114884688B publication Critical patent/CN114884688B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/04Processing captured monitoring data, e.g. for logfile generation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823Errors, e.g. transmission errors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a federal anomaly detection method across a multi-attribute network, which comprises the following steps: constructing a public network and a plurality of private networks, and calculating abnormal attribute values of nodes; setting an abnormal threshold value and an alignment threshold value, initializing a result set to be an empty set, setting the iteration times to be 0, and inputting an edge set and an abnormal attribute set of a public network and a private network; each private network downloads a public network to the local, and the private networks are respectively pre-aligned with the public network to obtain an alignment probability matrix set; obtaining the last iteration result, aligning each private network with it, detecting the maximum abnormal subgraph of each private network, the maximum abnormal subgraph of each private network and the public networkCommon network alignment to obtain U j Uploading to the cloud; merging the uploading results of the private networks at the cloud, aligning the uploading results with the public network to obtain all aligned abnormal subgraphs, and summarizing the abnormal subgraphs into a set U m+1 ;U m+1 Distributing each private network; u shape m =U m+1 Returning the aligned abnormal subgraph; otherwise, the above process is repeated until the stop condition is met.

Description

Federated anomaly detection method across multi-attribute network
Technical Field
The invention belongs to the field of anomaly detection of complex networks, and particularly relates to a federal anomaly detection method across multi-attribute networks.
Background
Abnormal subgraph detection has been widely applied to various applications such as network attack detection in computer networks, malicious activity detection in social networks, and congestion detection in traffic networks. Although there is an increasing demand for federal anomaly detection across multi-attribute networks, the number of methods available to solve this problem is limited. Currently, federal anomaly detection faces two major challenges: one is that isolated data in most industries is restricted from being shared with other industries due to data privacy and security, and the other is that most centralized approaches are trained based on data integration.
In recent years, without considering data privacy, many methods for multi-network anomaly detection have been proposed, which focus on detecting anomalies having the same anomaly characteristics on multi-attribute networks in a specific field, and on improving the overall anomaly detection accuracy. However, there has been little research on federal anomaly detection on multiple private property networks.
Disclosure of Invention
The invention mainly aims to dig out related anomalies existing among a plurality of private attribute networks on the premise of protecting privacy, guide the formulation of corresponding policies, and dig out potential anomaly information at the same time. And obtaining the fixed network segment and the attack mode of the fixed network segment according to the real record. Therefore, the attacked website can avoid the attack risk with high probability only by intercepting the IP of the network segment. Furthermore, it is also possible to presume an IP that will launch an attack in the future by correlation between anomalies.
The purpose of the invention is realized by the following technical scheme.
The invention relates to a federal anomaly detection method across a multi-attribute network, which comprises the following steps:
step one, a public network and a plurality of private networks are constructed according to requirements, and abnormal attribute values of nodes are calculated;
building multiple attribute networks G as required * ={G i J, i ∈ {0, 1., N }, where G ∈ i =(V i ,P i ,E i ) Denotes the ith network, V i 、P i 、E i Each represents G i Node set, edge set, abnormal attribute set, N is the number of attribute networks, G 0 Is a public network, and the rest of the networks are private networks; the multi-network can be formed by dividing data of the same source according to time, and can also be formed by directly adopting data of a plurality of different sources;
the node abnormal attribute value is calculated by adopting an empirical p value, so that the node abnormal attribute value is mapped in a range of [0,1], and the specific method is as follows:
if the node attribute is counted according to time, the attribute value of the node v in the time t is recorded as an observed value c t The attribute value of the node before the time t is used as a contrast value c l Calculating the p value of the node v at the time t according to the following formula;
Figure BDA0003568034470000021
if the attribute value of v is not counted according to time, the attribute value of v is taken as an observed value c v The attribute values of other nodes of the network are used as comparison values c d Calculating a p-value according to the following formula;
Figure BDA0003568034470000022
in the formula, n is the number of nodes of the network;
setting an abnormal threshold alpha and an alignment threshold sigma, and initializing the junctionFruit set U m Inputting an edge set and an abnormal attribute set of a public network and all private networks when the iteration number m is 0;
marking the nodes with the abnormal attribute values smaller than or equal to alpha as abnormal nodes;
node pairs (v) having alignment probabilities greater than σ i ,v j ),v i And v j Are all recorded as aligned nodes, where v i And v j The nodes v of the ith network and the jth network respectively originate from different networks;
U m initializing a set of the abnormal alignment subgraphs of all the private networks on the public network into an empty set;
downloading a public network to the local by each private network, and respectively pre-aligning with the public network to obtain an alignment probability matrix set H;
step four, obtaining the last iteration result and each private network G j First aligned locally with it, then detects the maximum abnormal subgraph S of each private network i Maximum anomaly subgraph S of each private network i Alignment with the public network to obtain U i And mixing U with i Uploading to the cloud;
in order to obtain the abnormal score of each private network abnormal subgraph, nonparametric graph scanning statistics F is introduced as a scoring function, and the form is as follows:
Figure BDA0003568034470000031
in the formula (I), the compound is shown in the specification,
Figure BDA0003568034470000032
is a statistical function, S i Is G i A is the anomaly threshold for the node, N α (S i * ) Is S i Number of abnormal nodes in star, N (S) i * ) Is S i The number of all nodes in the star; in addition, in order to guarantee the maximum abnormality,
Figure BDA0003568034470000033
two attributes are satisfied:
Figure BDA0003568034470000034
with N α (S i * ) Monotonically increasing;
Figure BDA0003568034470000035
with N (S) i * )-N α (S i * ) Monotonically decreasing; therefore, the Higher Criticirm statistic was used as
Figure BDA0003568034470000036
Figure BDA0003568034470000037
Step five, combining the results uploaded by each private network at the cloud end, aligning the results with the public network U, and obtaining all aligned abnormal subgraphs U * Summarized as set U m+1
In order to obtain the alignment score of the abnormal alignment subgraph corresponding to each network, a statistic Q is introduced as a scoring function, and the form is as follows:
Figure BDA0003568034470000038
where σ is the alignment threshold, N σ (S i * U) is S i * Number of aligned nodes with U, N (S) i * ) Is S i * The number of all nodes in the U, and N (U) is the number of all nodes in the U; the alignment probability of a node is derived from the pre-alignment matrix node set H ═ H (H) ij ),H ij Is G i And G j And i ≠ j;
step six, aligning the cloud end to a result U m+1 Distributing to each private network;
step seven, when U m =U m+1 Time-wise, return aligned abnormal subgraph S i * And U * (ii) a Otherwise, repeating the fourth step to the sixth step until the stop condition of the seventh step is met, wherein the iteration number m is m + 1.
The process of acquiring the alignment probability matrix set H in step three: introducing a cross MNA (multiple network alignment method), inputting edge sets of a local private network and a downloaded public network and known anchor links, setting the training ratio to be 1.0 and the training times to be 400, and obtaining an alignment anchor chain matrix H between networks ij H is obtained through summarizing; wherein H ij Is G i And G j The alignment probability matrix of the nodes in between has the dimension of | V i |×|V j L, each value H in the matrix ij (v i ,v j ) Representing node v i And node v j Is the alignment probability of the anchor node, and has a range of [0,1]]The larger the value is, the higher the alignment probability is, and the value of 1 indicates that the two nodes are known anchor nodes.
Compared with the prior art, the method provided by the invention is an algorithm suitable for multi-scene federal anomaly detection on the premise of protecting privacy and not carrying out direct data exchange. The technical scheme of the invention has the beneficial effects that the technical scheme is described in a few concrete scenes:
(1) in a computer attack network, an IP and a website are used as nodes, an access behavior is used as an edge, and an access frequency is used as an abnormal attribute. Dividing the network into a plurality of networks according to time, and if all the networks have abnormal attributes, excavating abnormal IP groups with similar attack behaviors (shown in figure 3); if the network in a certain time period has no abnormal attribute, the method can also find the abnormality of the network by aligning the abnormal subgraphs of other networks to the network, thereby achieving the effect of predicting the IP attack in the time period.
(2) In a network with a plurality of traffic types (figure 4), the method can detect the similar position distribution and position types of traffic jam in the same time period, which has reference significance to traffic control.
(3) In a multi-network composed of a criminal network, a communication network and a social network, the method can detect hidden criminal/group information.
The method is wide in application range, strong in expansibility and capable of being suitable for different scenes and mining related abnormal information/potential abnormal information.
Drawings
FIG. 1 is a flow chart of a federated anomaly detection method across multi-attribute networks of the present invention;
FIG. 2 is a schematic diagram of the concept of a federated anomaly detection method across a multi-attribute network;
FIG. 3 is a schematic diagram of the application of the method of the present invention to a related abnormal IP group found in a plurality of computer attack networks;
FIG. 4 is a schematic diagram of the application of the method of the present invention to finding relevant anomalies in a network appointment/shared bicycle/subway network for the same time period; (one detection of a relevant abnormality was performed for each of the three time periods 8:00/12:00/18:00, respectively).
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The invention relates to a federal anomaly detection method across multi-attribute networks, which is mainly characterized in that an anomaly detection model is established based on data sets distributed on a plurality of attribute networks, and the networks consist of a plurality of private attribute networks and a public attribute network. In each private attribute network, the detected abnormal subgraph is aligned with the abnormal subgraph in the public attribute network. In the private attribute network, an important public abnormal sub-graph is selected to carry out abnormal sub-graph alignment, and meanwhile, data leakage is prevented.
The invention discloses a federal anomaly detection method across multi-attribute networks, which defines a certain event as an attribute network with mutually communicated nodes locally in each private attribute network, carries out maximum anomaly subgraph detection, and respectively aligns with anomalies on a public attribute network so as to mine the commonalities of the anomalies. As shown in fig. 1, the specific implementation process is as follows:
step one, a public network and a plurality of private networks are constructed according to requirements, and abnormal attribute values of nodes are calculated.
Building multiple attribute networks G as required * ={G i J, i ∈ {0, 1., N }, where G ∈ i =(V i ,P i ,E i ) Denotes the ith network, V i 、P i 、E i Each represents G i Node set, edge set, abnormal attribute set, N is the number of attribute networks, G 0 Is a public network and the remaining networks are private networks. The multi-network may be formed by time-dividing data from the same source, or may be formed by directly using data from a plurality of different sources.
The node abnormal attribute value is generally calculated by adopting an empirical p value, so that the node abnormal attribute value can be mapped in a range of [0,1], namely the abnormal attribute value of the node is between 0 and 1, the smaller the abnormal value is, the more abnormal the node is, the 1 represents that the node is a normal node, and for a network lacking the attribute, the invention totally records the values of the abnormal attributes of all the nodes of the network as 1. The specific method comprises the following steps:
if the node attribute is counted according to time, the attribute value of the node v in the time t is recorded as an observed value c t The attribute value of the node before the time t is used as a contrast value c l The p value of node v at time t is calculated according to the following equation.
Figure BDA0003568034470000051
If the attribute value of v itself is not counted according to time, the attribute value of v itself is used as an observed value c v The attribute values of other nodes of the network are used as comparison values c d The p-value is calculated according to the following equation.
Figure BDA0003568034470000052
In the formula, n is the number of nodes of the network.
Step two, setting an abnormal threshold alpha (generally 0.15) and an alignment threshold sigma (generally 0.6), and initializing the resultCollection U m And inputting an edge set and an abnormal attribute set of a public network and all private networks, wherein the number of iterations m is 0.
And marking the nodes with the abnormal attribute values less than or equal to alpha as abnormal nodes.
Node pairs (v) having alignment probabilities greater than σ i ,v j ),v i And v j Are all recorded as aligned nodes, where v i And v j The nodes v, which are the ith network and the jth network respectively, originate from different networks.
U m Initializing a set of the abnormal alignment subgraphs of all the private networks on the public network into an empty set;
and step three, downloading the public network to the local by each private network, and respectively pre-aligning with the public network to obtain an alignment probability matrix set H.
The invention is realized by introducing a cross MNA (multiple network alignment method), inputting the edge sets of the local private network and the downloaded public network and the known anchor links (nodes with the same number are regarded as anchor nodes), setting the training ratio to be 1.0 and the training times to be 400, and obtaining an alignment anchor chain matrix H between networks ij In summary, H is shown in FIG. 2. Other network alignment algorithms may be used to perform this step.
H ij Is G i And G j The alignment probability matrix of the nodes in between has the dimension of | V i |×|V j |,|V i |、|V j Is each G i 、G j The number of nodes of (c); each value H in the matrix ij (v i ,v j ) Representing node v i And node v j Is the alignment probability of the anchor node, and has a range of [0,1]]The larger the value is, the higher the alignment probability is, and the value of 1 indicates that the two nodes are known anchor nodes.
Step four, obtaining the last iteration result from the cloud, and obtaining each private network G j First aligned locally with it, then detects the maximum abnormal subgraph S of each private network i (the most abnormal subgraph is the set of connected nodes, i.e. G i A connected subgraph of (1), which contains the most abnormal nodes,least normal nodes), maximum abnormal subgraph S of each private network i Alignment with the public network to obtain U i And mixing U with i Upload to cloud.
In order to obtain the abnormal score of each private network abnormal subgraph, nonparametric graph scanning statistics F is introduced as a scoring function, and the form is as follows:
Figure BDA0003568034470000061
in the formula (I), the compound is shown in the specification,
Figure BDA0003568034470000062
is a statistical function; s i Is G i A set of connected vertex subsets (i.e., connected subgraphs); α is the anomaly threshold for the node, typically 0.15; n is a radical of α (S i * ) Is S i Number of abnormal nodes (abnormal attribute value less than or equal to alpha), N (S) i * ) Is S i Number of all nodes in the row. In addition, in order to guarantee the maximum abnormality,
Figure BDA0003568034470000063
two attributes need to be satisfied:
Figure BDA0003568034470000064
with N α (S i * ) Monotonically increasing;
Figure BDA0003568034470000065
with N (S) i * )-N α (S i * ) Monotonically decreasing; therefore, the Higher Criticism (HC) statistic (Donoho and Jin 2004) was used as
Figure BDA0003568034470000066
Figure BDA0003568034470000067
Step five, combining the results uploaded by each private network at the cloud end, aligning the results with the public network U, and obtaining all aligned abnormal subgraphs U * Summarized as set U m+1
In order to obtain the alignment score of the abnormal alignment subgraph corresponding to each network, a statistic Q is introduced as a scoring function, and the form is as follows:
Figure BDA0003568034470000071
where σ is the alignment threshold, typically 0.8; n is a radical of σ (S i * U) is S i * Number of aligned nodes with U, N (S) i * ) Is S i * The number of all nodes in U, and N (U) is the number of all nodes in U. The alignment probability of a node is derived from the pre-alignment matrix node set H ═ H (H) ij ),H ij Is G i And G j And i ≠ j, see fig. 2.
Step six, aligning the cloud end with the result U m+1 To respective private networks.
Step seven, when U m =U m+1 Time-wise, return aligned abnormal subgraph S i * And U *
Otherwise, repeating the fourth step to the sixth step until the stop condition of the seventh step is met, wherein the iteration number m is m + 1.
End result (S) * ,U * ) Is the relevant abnormal result that maximizes the objective function. The objective function is defined as follows:
Figure BDA0003568034470000072
while the present invention has been described in terms of its functions and operations, which are illustrated in the accompanying drawings, it is to be understood that such embodiments are merely illustrative and not restrictive of the broad invention, and that this invention can be embodied in many forms without departing from the spirit and scope of the appended claims.

Claims (2)

1. A federal anomaly detection method across multi-attribute networks is characterized by comprising the following processes:
step one, a public network and a plurality of private networks are constructed according to requirements, and abnormal attribute values of nodes are calculated;
building multiple attribute networks G as required * ={G i J, i ∈ {0, 1., N }, where G ∈ i =(V i ,P i ,E i ) Denotes the ith network, V i 、P i 、E i Each represents G i Node set, edge set, abnormal attribute set, N is the number of attribute networks, G 0 Is a public network, and the rest of the networks are private networks; the multi-network can be formed by dividing data of the same source according to time, and can also be formed by directly adopting data of a plurality of different sources;
the node abnormal attribute value is calculated by adopting an empirical p value, so that the node abnormal attribute value is mapped in a range of [0,1], and the specific method is as follows:
if the node attribute is counted according to time, the attribute value of the node v in the time t is recorded as an observed value c t The attribute value of the node before the time t is used as a contrast value c l Calculating the p value of the node v at the time t according to the following formula;
Figure FDA0003568034460000011
if the attribute value of v itself is not counted according to time, the attribute value of v itself is used as an observed value c v The attribute values of other nodes of the network are used as comparison values c d Calculating a p-value according to the following formula;
Figure FDA0003568034460000012
in the formula, n is the number of nodes of the network;
step two, setting an abnormal threshold alpha and an alignment threshold sigma, and initializing a result set U m Inputting an edge set and an abnormal attribute set of a public network and all private networks when the iteration number m is 0;
marking the nodes with the abnormal attribute values smaller than or equal to alpha as abnormal nodes;
node pairs (v) having alignment probabilities greater than σ i ,v j ),v i And v j Are all recorded as aligned nodes, where v i And v j The nodes v of the ith network and the jth network respectively originate from different networks;
U m initializing a set of the abnormal alignment subgraphs of all the private networks on the public network into an empty set;
downloading a public network to the local by each private network, and respectively pre-aligning with the public network to obtain an alignment probability matrix set H;
step four, obtaining the last iteration result and each private network G j First aligned locally with it, then detects the maximum abnormal subgraph S of each private network i Maximum anomaly subgraph S of each private network i Alignment with the public network to obtain U i And mixing U with i Uploading to the cloud;
in order to obtain the abnormal score of each private network abnormal subgraph, nonparametric graph scanning statistics F is introduced as a scoring function, and the form is as follows:
Figure FDA0003568034460000021
in the formula (I), the compound is shown in the specification,
Figure FDA0003568034460000022
is a statistical function, S i Is G i A is the anomaly threshold for the node, N α (S i * ) Is S i InNumber of abnormal nodes, N (S) i * ) Is S i The number of all nodes in the star; in addition, in order to guarantee the maximum abnormality,
Figure FDA0003568034460000023
two attributes are satisfied:
Figure FDA0003568034460000024
with N α (S i * ) Monotonically increasing;
Figure FDA0003568034460000025
with N (S) i * )-N α (S i * ) Monotonically decreasing; therefore, the Higher Criticism statistic is used as
Figure FDA0003568034460000026
Figure FDA0003568034460000027
Step five, combining the results uploaded by each private network at the cloud end, aligning the results with the public network U, and obtaining all aligned abnormal subgraphs U * Summarized as set U m+1
In order to obtain the alignment score of the abnormal alignment subgraph corresponding to each network, a statistic Q is introduced as a scoring function, and the form is as follows:
Figure FDA0003568034460000028
where σ is the alignment threshold, N σ (S i * U) is S i * Number of aligned nodes with U, N (S) i * ) Is S i * The number of all nodes in the U, and N (U) is the number of all nodes in the U; the alignment probability of a node is derived from the pre-alignment matrix node set H ═ H (H) ij ),H ij Is G i And G j And i ≠ j;
step six, aligning the cloud end to a result U m+1 Distributing to each private network;
step seven, when U m =U m+1 Time-wise, return aligned abnormal subgraph S i * And U * (ii) a Otherwise, repeating the fourth step to the sixth step until the stop condition of the seventh step is met, wherein the iteration number m is m + 1.
2. The federated anomaly detection method across multi-attribute networks according to claim 1, wherein the process of acquiring the aligned probability matrix set H in step three is as follows: introducing a cross MNA (multiple network alignment method), inputting edge sets of a local private network and a downloaded public network and known anchor links, setting the training ratio to be 1.0 and the training times to be 400, and obtaining an alignment anchor chain matrix H between networks ij H is obtained through summarizing; wherein H ij Is G i And G j The alignment probability matrix of the nodes in between has the dimension of | V i |×|V j L, each value H in the matrix ij (v i ,v j ) Representing node v i And node v j Is the alignment probability of the anchor node, and has a range of [0,1]]The larger the value is, the higher the alignment probability is, and the value of 1 indicates that the two nodes are known anchor nodes.
CN202210310593.6A 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks Active CN114884688B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210310593.6A CN114884688B (en) 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210310593.6A CN114884688B (en) 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks

Publications (2)

Publication Number Publication Date
CN114884688A true CN114884688A (en) 2022-08-09
CN114884688B CN114884688B (en) 2023-07-04

Family

ID=82668096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210310593.6A Active CN114884688B (en) 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks

Country Status (1)

Country Link
CN (1) CN114884688B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104303153A (en) * 2012-03-22 2015-01-21 洛斯阿拉莫斯国家安全股份有限公司 Path scanning for the detection of anomalous subgraphs, anomaly/change detection and network situational awareness
US20180083887A1 (en) * 2016-09-19 2018-03-22 Accenture Global Solutions Limited Automatic consolidation of network resources
EP3333770A1 (en) * 2016-12-09 2018-06-13 Fujitsu Limited Matching graph entities in graph data
CN110569897A (en) * 2019-08-30 2019-12-13 天津大学 Community detection method in scale-free attribute network based on generative model
CN110795807A (en) * 2019-10-28 2020-02-14 天津大学 Complex network-based element abnormal structure detection model construction method
CN111737647A (en) * 2020-05-19 2020-10-02 北京明略软件系统有限公司 Method and device for detecting abnormal connected subgraph
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
CN112288094A (en) * 2020-10-09 2021-01-29 武汉大学 Federal network representation learning method and system
CN112417303A (en) * 2020-12-09 2021-02-26 天津大学 Evolution algorithm for detecting multiple abnormal subgraphs from dynamic attribute graph
CN112422571A (en) * 2020-11-19 2021-02-26 天津大学 Method for carrying out exception alignment across multiple attribute networks
CN112650968A (en) * 2020-11-18 2021-04-13 天津大学 Abnormal subgraph detection method based on abnormal alignment model for multiple networks
CN112738015A (en) * 2020-10-28 2021-04-30 北京工业大学 Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN112836713A (en) * 2021-03-12 2021-05-25 南京大学 Image anchor-frame-free detection-based mesoscale convection system identification and tracking method
CN113468382A (en) * 2021-07-01 2021-10-01 同盾控股有限公司 Multi-party loop detection method, device and related equipment based on knowledge federation
CN113469234A (en) * 2021-06-24 2021-10-01 成都卓拙科技有限公司 Network flow abnormity detection method based on model-free federal meta-learning
CN113656802A (en) * 2021-07-19 2021-11-16 同盾科技有限公司 Knowledge federation undirected graph-based federated loop detection method, system, device and medium

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104303153A (en) * 2012-03-22 2015-01-21 洛斯阿拉莫斯国家安全股份有限公司 Path scanning for the detection of anomalous subgraphs, anomaly/change detection and network situational awareness
US20180083887A1 (en) * 2016-09-19 2018-03-22 Accenture Global Solutions Limited Automatic consolidation of network resources
EP3333770A1 (en) * 2016-12-09 2018-06-13 Fujitsu Limited Matching graph entities in graph data
CN110569897A (en) * 2019-08-30 2019-12-13 天津大学 Community detection method in scale-free attribute network based on generative model
CN110795807A (en) * 2019-10-28 2020-02-14 天津大学 Complex network-based element abnormal structure detection model construction method
CN111737647A (en) * 2020-05-19 2020-10-02 北京明略软件系统有限公司 Method and device for detecting abnormal connected subgraph
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
CN112288094A (en) * 2020-10-09 2021-01-29 武汉大学 Federal network representation learning method and system
CN112738015A (en) * 2020-10-28 2021-04-30 北京工业大学 Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN112650968A (en) * 2020-11-18 2021-04-13 天津大学 Abnormal subgraph detection method based on abnormal alignment model for multiple networks
CN112422571A (en) * 2020-11-19 2021-02-26 天津大学 Method for carrying out exception alignment across multiple attribute networks
CN112417303A (en) * 2020-12-09 2021-02-26 天津大学 Evolution algorithm for detecting multiple abnormal subgraphs from dynamic attribute graph
CN112836713A (en) * 2021-03-12 2021-05-25 南京大学 Image anchor-frame-free detection-based mesoscale convection system identification and tracking method
CN113469234A (en) * 2021-06-24 2021-10-01 成都卓拙科技有限公司 Network flow abnormity detection method based on model-free federal meta-learning
CN113468382A (en) * 2021-07-01 2021-10-01 同盾控股有限公司 Multi-party loop detection method, device and related equipment based on knowledge federation
CN113656802A (en) * 2021-07-19 2021-11-16 同盾科技有限公司 Knowledge federation undirected graph-based federated loop detection method, system, device and medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
NANNAN WU等: ""Anomaly-Structured Maximization to Query in Attributed Networks"", 《HTTPS://ARXIV.ORG/ABS/2108.07405》 *
武南南等: "\"基于GSA与DE优化混合核ELM的网络异常检测模型\"", 《计算机工程》 *
赵英等: ""基于联邦学习的网络异常检测"", 《北京化工大学学报(自然科学版)》 *

Also Published As

Publication number Publication date
CN114884688B (en) 2023-07-04

Similar Documents

Publication Publication Date Title
Wang et al. A dynamic MLP-based DDoS attack detection method using feature selection and feedback
Eubank et al. Structural and algorithmic aspects of massive social networks
CN111787000B (en) Network security evaluation method and electronic equipment
CN111459766A (en) Calling chain tracking and analyzing method for micro-service system
CN112422571A (en) Method for carrying out exception alignment across multiple attribute networks
CN114186237A (en) Truth-value discovery-based robust federated learning model aggregation method
Lin et al. Adversarial attacks on link prediction algorithms based on graph neural networks
AU2015201161A1 (en) Event correlation
Li et al. Retracted: Design of multimedia blockchain privacy protection system based on distributed trusted communication
CN112468347A (en) Security management method and device for cloud platform, electronic equipment and storage medium
CN114401136B (en) Rapid anomaly detection method for multiple attribute networks
CN112560059B (en) Vertical federal model stealing defense method based on neural pathway feature extraction
Wang et al. Time-variant graph classification
Li et al. A detection mechanism on malicious nodes in IoT
CN109413047A (en) Determination method, system, server and the storage medium of Behavior modeling
CN115883213A (en) APT detection method and system based on continuous time dynamic heterogeneous graph neural network
CN115114484A (en) Abnormal event detection method and device, computer equipment and storage medium
CN112887323B (en) Network protocol association and identification method for industrial internet boundary security
Fan et al. Cb-dsl: Communication-efficient and byzantine-robust distributed swarm learning on non-iid data
Zheng et al. WMDefense: Using watermark to defense Byzantine attacks in federated learning
CN111191683B (en) Network security situation assessment method based on random forest and Bayesian network
CN114884688A (en) Federated anomaly detection method across multi-attribute network
CN116545679A (en) Industrial situation security basic framework and network attack behavior feature analysis method
Saheed et al. An efficient machine learning and deep belief network models for wireless intrusion detection system
Feng et al. CoBC: A Blockchain-Based Collaborative Inference System for Internet of Things

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant