CN114884688B - Federal anomaly detection method across multi-attribute networks - Google Patents

Federal anomaly detection method across multi-attribute networks Download PDF

Info

Publication number
CN114884688B
CN114884688B CN202210310593.6A CN202210310593A CN114884688B CN 114884688 B CN114884688 B CN 114884688B CN 202210310593 A CN202210310593 A CN 202210310593A CN 114884688 B CN114884688 B CN 114884688B
Authority
CN
China
Prior art keywords
network
abnormal
nodes
node
attribute
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210310593.6A
Other languages
Chinese (zh)
Other versions
CN114884688A (en
Inventor
张宁
武南南
王文俊
张洁
张欣悦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin University filed Critical Tianjin University
Priority to CN202210310593.6A priority Critical patent/CN114884688B/en
Publication of CN114884688A publication Critical patent/CN114884688A/en
Application granted granted Critical
Publication of CN114884688B publication Critical patent/CN114884688B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/04Processing captured monitoring data, e.g. for logfile generation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823Errors, e.g. transmission errors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Abstract

The invention discloses a federal anomaly detection method crossing a multi-attribute network, which comprises the following steps: constructing a public network and a plurality of private networks, and calculating abnormal attribute values of nodes; setting an abnormal threshold and an alignment threshold, initializing a result set to be an empty set, and inputting an edge set and an abnormal attribute set of a public network and a private network, wherein the iteration number is 0; downloading a public network to a local area by each private network, and respectively pre-aligning with the public network to obtain an alignment probability matrix set; obtaining the last iteration result, aligning each private network with the last iteration result, detecting the maximum abnormal subgraph of each private network, and aligning the maximum abnormal subgraph of each private network with the public network to obtain U j * Uploading to the cloud; merging the uploading results of all private networks at the cloud, aligning with the public network to obtain all aligned abnormal subgraphs, and summarizing into a set U m+1 ;U m+1 Distributing each private network; u (U) m =U m+1 When the abnormal subgraph is aligned, returning the aligned abnormal subgraph; otherwise, repeating the process until the stopping condition is met.

Description

Federal anomaly detection method across multi-attribute networks
Technical Field
The invention belongs to the field of anomaly detection of complex networks, and particularly relates to a federal anomaly detection method crossing a multi-attribute network.
Background
Abnormal subgraph detection has been widely used in various applications such as network attack detection in computer networks, malicious activity detection in social networks, and congestion detection in traffic networks. Although there is an increasing need for federal anomaly detection across multi-attribute networks, the number of methods available to address this problem is limited. Currently, federal anomaly detection faces two major challenges: firstly, isolated data in most industries is limited to sharing with other industries due to data privacy and security, and secondly, most centralized methods are trained based on data integration.
In recent years, without considering data privacy, many methods for multi-network anomaly detection have been proposed, which focus on detecting anomalies having the same anomaly characteristics on multi-attribute networks in a specific area, and on improving the overall anomaly detection accuracy. However, federal anomaly detection over multi-private attribute networks has been rarely studied.
Disclosure of Invention
The invention mainly aims to mine relevant anomalies among a plurality of private attribute networks on the premise of protecting privacy, guide formulation of corresponding policies and mine potential anomaly information at the same time, and provides a federal anomaly detection method for a multi-attribute network. The fixed network segments and attack modes of the fixed network segments can be obtained according to the real records. Therefore, the attacked website can avoid the risk of being attacked with high probability by only intercepting the IP of the network segment. In addition, IP that will launch an attack in the future can also be inferred by correlation between anomalies.
The aim of the invention is achieved by the following technical scheme.
The invention relates to a federal anomaly detection method crossing a multi-attribute network, which comprises the following steps:
step one, constructing a public network and a plurality of private networks according to requirements, and calculating abnormal attribute values of nodes;
constructing a plurality of attribute networks G according to requirements * ={G i I e {0,1,. }, N }, where G i =(V i ,P i ,E i ) Represents the ith network, V i 、P i 、E i Respectively represent G i Node set, edge set, exception attribute set, N is the number of attribute networks, G 0 Is a public network, and the rest of the networks are private networks; the multi-network can be formed by dividing data from the same source according to time, and can also be formed by directly adopting data from a plurality of different sources;
the calculation of the abnormal attribute value of the node adopts an empirical p value, so that the abnormal attribute value of the node is mapped in the range of [0,1], and the specific method is as follows:
if the node attribute is counted by time, the attribute value of the node v in the time t is recorded as an observed value c t The attribute value of the node before the time t is taken as a contrast value c l Calculating the p value of the node v at time t according to the following formula;
Figure BDA0003568034470000021
if not based on time statistics, the attribute value of v is taken as an observed value c v The attribute value of other nodes of the network is taken as a contrast value c d Calculating a p value according to the following formula;
Figure BDA0003568034470000022
wherein n is the number of nodes of the network to which the node belongs;
step two, an abnormal threshold value alpha and an alignment threshold value sigma are set, and a result set U is initialized m For the empty set, the iteration times m=0, inputting an edge set and an abnormal attribute set of a public network and all private networks;
marking the node with the abnormal attribute value less than or equal to alpha as an abnormal node;
pairs of nodes (v) with alignment probability greater than sigma i ,v j ),v i And v j Are all denoted as alignment nodes, where v i And v j The nodes v of the ith network and the jth network are respectively derived from different networks;
U m finally public for all private networksInitializing a set of aligned abnormal subgraphs on a network into an empty set;
step three, each private network downloads a public network to a local area and performs prealignment with the public network respectively to obtain an alignment probability matrix set H;
step four, obtaining the last iteration result, each private network G j First locally aligned with it, then each private network maximum anomaly subgraph S is detected i * Maximum anomaly subgraph S of each private network i * Alignment with public network to obtain U i * And U is combined with i * Uploading to the cloud;
in order to obtain the anomaly score of each private network anomaly subgraph, a non-parametric graph scan statistic F is introduced as a scoring function in the form of:
Figure BDA0003568034470000031
in the method, in the process of the invention,
Figure BDA0003568034470000032
is a statistical function, S i * Is G i Alpha is the anomaly threshold value of the node, N α (S i * ) Is S i * The number of abnormal nodes, N (S) i * ) Is S i * The number of all nodes in the network; furthermore, to guarantee maximum abnormality, +.>
Figure BDA0003568034470000033
Two attributes are satisfied: />
Figure BDA0003568034470000034
With N α (S i * ) Monotonically increasing; />
Figure BDA0003568034470000035
With N (S) i * )-N α (S i * ) Monotonically decreasing; thus use the Higher Criticum statistic as +.>
Figure BDA0003568034470000036
Figure BDA0003568034470000037
Fifthly, merging the results uploaded by each private network at the cloud end, aligning with the public network U, and obtaining all aligned abnormal subgraphs U * Summarizing into a set U m+1
In order to obtain the alignment score of the alignment anomaly subgraph corresponding to each network, a statistic Q is introduced as a scoring function, and the form is as follows:
Figure BDA0003568034470000038
where σ is the alignment threshold, N σ (S i * U) is S i * With the number of aligned nodes in U, N (S i * ) Is S i * N (U) is the number of all nodes in U; the alignment probability of the node is from the pre-alignment matrix junction set h= (H) ij ),H ij Is G i And G j Ji Gailv matrix of pairs (i +.j);
step six, aligning the cloud end with the result U m+1 Distributing to each private network;
step seven, when U m =U m+1 At the time, the aligned abnormal subgraph S is returned i * And U * The method comprises the steps of carrying out a first treatment on the surface of the Otherwise, the iteration times m=m+1, and repeating the steps four to six until the stopping condition of the step seven is met.
The process of obtaining the alignment probability matrix set H in the third step: the method is realized by referring to a multi-network alignment method CrossMNA, a local private network, a downloaded public network edge set and a known anchor link are input, the training ratio is set to be 1.0, the training times are 400, and a pair Ji Maolian matrix H between networks is obtained ij Summarizing to obtain H; wherein H is ij Is G i And G j The pair Ji Gailv matrix of nodes between the nodes has the dimension of |V i |×|V j I, each value H in the matrix ij (v i ,v j ) Represented by node v i And node v j The alignment probability for the anchor node is in the range of [0,1]A larger value indicates a higher alignment probability and a 1 indicates that the two nodes are known anchor nodes.
Compared with the prior art, the method provided by the invention is an algorithm suitable for multi-scene federal anomaly detection under the premise of protecting privacy and not carrying out direct data exchange. The technical scheme of the invention has the following beneficial effects that a few specific scenes are briefly described:
(1) In a computer attack network, IP and websites are taken as nodes, access behaviors are taken as edges, and access frequency is taken as an abnormal attribute. Dividing the network into a plurality of networks according to time, and if all the networks have abnormal properties, the method can mine out abnormal IP groups with similar attack behaviors (figure 3); if the network in a certain time period has no abnormal attribute, the method can also search the abnormality of the network by aligning the abnormal subgraphs of other networks to the network so as to predict the effect of attacking the IP in the time period.
(2) In a network of multiple traffic types (fig. 4), the method of the invention can detect the similar location distribution and location types of traffic jams occurring in the same time period, which has reference significance for traffic control.
(3) In a multi-network comprising a criminal network, a communication network and a social network, the method of the invention can detect hidden criminal/group partner information.
The practice shows that the method is a related anomaly detection algorithm suitable for various scenes, has wide application range and strong expansibility, can be suitable for different scenes, and can be used for mining related anomaly information/potential anomaly information.
Drawings
FIG. 1 is a flow chart of a federal anomaly detection method across a multi-attribute network of the present invention;
FIG. 2 is a schematic diagram of the idea of a federal anomaly detection method across a multi-attribute network;
FIG. 3 is a schematic diagram of the application of the method of the present invention to a certain related anomaly IP group found in a plurality of computer attack networks;
FIG. 4 is a schematic diagram of the anomalies found in a network about a car/sharing a single car/subway network applying the method of the present invention to the same time period; (correlation anomaly detection was performed once in all three time periods of 8:00/12:00/18:00, respectively).
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The invention relates to a federal anomaly detection method across multiple attribute networks, which mainly aims at establishing an anomaly detection model based on data sets distributed on multiple attribute networks, wherein the networks consist of multiple private attribute networks and a public attribute network. In each private attribute network, the detected outlier sub-graph is aligned with the outlier sub-graph in the public attribute network. In the private attribute network, important public abnormal subgraphs are selected for abnormal subgraph alignment, and meanwhile data leakage is prevented.
The federal anomaly detection method across multiple attribute networks locally defines a certain event as an attribute network with mutually communicated nodes in each private attribute network, carries out maximum anomaly subgraph detection, and respectively aligns with anomalies on a public attribute network so as to mine the commonality of anomalies among the events. As shown in fig. 1, the specific implementation process is as follows:
step one, constructing a public network and a plurality of private networks according to requirements, and calculating abnormal attribute values of nodes.
Constructing a plurality of attribute networks G according to requirements * ={G i I e {0,1,. }, N }, where G i =(V i ,P i ,E i ) Represents the ith network, V i 、P i 、E i Respectively represent G i Node set, edge set, exception attribute set, N is the number of attribute networks, G 0 Is a public network and the remaining networks are private networks. Multiple networks may be formed by dividing data from the same source in time, or byDirectly from a plurality of data from different sources.
The calculation of the abnormal attribute value of the node generally adopts an empirical p value, so that the abnormal attribute value of the node can be mapped in the range of 0 and 1, namely, the abnormal attribute value of the node is between 0 and 1, the smaller the abnormal value is, the more abnormal the node is, the 1 is, the node is a normal node, and the abnormal attribute values of all nodes of the network are recorded as 1 for the network lacking the attribute. The specific method comprises the following steps:
if the node attribute is counted by time, the attribute value of the node v in the time t is recorded as an observed value c t The attribute value of the node before the time t is taken as a contrast value c l The p value of node v at time t is calculated according to the following equation.
Figure BDA0003568034470000051
If not based on time statistics, the attribute value of v is taken as an observed value c v The attribute value of other nodes of the network is taken as a contrast value c d The p value is calculated according to the following equation.
Figure BDA0003568034470000052
Wherein n is the number of nodes of the network to which the node belongs.
Step two, an abnormality threshold alpha (generally 0.15) and an alignment threshold sigma (generally 0.6) are set, and a result set U is initialized m For the empty set, the iteration number m=0, the edge set and the abnormal attribute set of one public network and all private networks are input.
And (3) marking the node with the abnormal attribute value less than or equal to alpha as an abnormal node.
Pairs of nodes (v) with alignment probability greater than sigma i ,v j ),v i And v j Are all denoted as alignment nodes, where v i And v j The nodes v of the i-th network and the j-th network respectively originate from different networks.
U m For all private networksInitializing a set of alignment abnormal subgraphs finally on a public network into an empty set;
and thirdly, downloading the public network to the local by each private network, and respectively pre-aligning with the public network to obtain an alignment probability matrix set H.
The invention is realized by referring to a multi-network alignment method CrossMNA, inputting the edge sets of a local private network and a downloaded public network and known anchor links (nodes with the same numbers are regarded as anchor nodes), setting the training ratio to be 1.0, and training the training times to be 400 to obtain a matrix H of a pair Ji Maolian between networks ij H is summarized in FIG. 2. Other network alignment algorithms may be employed to perform this step.
H ij Is G i And G j The pair Ji Gailv matrix of nodes between the nodes has the dimension of |V i |×|V j |,|V i |、|V j I are G respectively i 、G j Is the number of nodes; each value H in the matrix ij (v i ,v j ) Represented by node v i And node v j The alignment probability for the anchor node is in the range of [0,1]A larger value indicates a higher alignment probability and a 1 indicates that the two nodes are known anchor nodes.
Step four, obtaining the last iteration result from the cloud, and each private network G j First locally aligned with it, then each private network maximum anomaly subgraph S is detected i * (the maximum outlier sub-graph is a connected set of nodes, i.e., G i A connected subgraph including most abnormal nodes and least normal nodes), each private network maximum abnormal subgraph S i * Alignment with public network to obtain U i * And U is combined with i * Uploading to the cloud.
In order to obtain the anomaly score of each private network anomaly subgraph, a non-parametric graph scan statistic F is introduced as a scoring function in the form of:
Figure BDA0003568034470000061
in the method, in the process of the invention,
Figure BDA0003568034470000062
is a statistical function; s is S i * Is G i A subset of connected vertices (i.e., connected subgraphs); alpha is the anomaly threshold value of the node, and is generally 0.15; n (N) α (S i * ) Is S i * The number of the abnormal nodes (the abnormal attribute value is less than or equal to alpha), N (S) i * ) Is S i * All the nodes in the network. Furthermore, to guarantee maximum abnormality, +.>
Figure BDA0003568034470000063
Two attributes need to be satisfied: />
Figure BDA0003568034470000064
With N α (S i * ) Monotonically increasing; />
Figure BDA0003568034470000065
With N (S) i * )-N α (S i * ) Monotonically decreasing; thus use the Higher Criticum (HC) statistic (Donoho and Jin 2004) as +.>
Figure BDA0003568034470000066
Figure BDA0003568034470000067
Fifthly, merging the results uploaded by each private network at the cloud end, aligning with the public network U, and obtaining all aligned abnormal subgraphs U * Summarizing into a set U m+1
In order to obtain the alignment score of the alignment anomaly subgraph corresponding to each network, a statistic Q is introduced as a scoring function, and the form is as follows:
Figure BDA0003568034470000071
where σ is the alignment threshold, typically 0.8; n (N) σ (S i * U) is S i * With the number of aligned nodes in U, N (S i * ) Is S i * N (U) is the number of all nodes in U. The alignment probability of the node is from the pre-alignment matrix junction set h= (H) ij ),H ij Is G i And G j Ji Gailv matrix, and i+.j, see fig. 2.
Step six, aligning the cloud end with the result U m+1 Distributed to the individual private networks.
Step seven, when U m =U m+1 At the time, the aligned abnormal subgraph S is returned i * And U *
Otherwise, the iteration times m=m+1, and repeating the steps four to six until the stopping condition of the step seven is met.
Final result (S) * ,U * ) The relevant anomaly result that maximizes the objective function. The objective function is defined as follows:
Figure BDA0003568034470000072
although the function and operation of the present invention has been described above with reference to the accompanying drawings, the present invention is not limited to the above-described specific functions and operations, but the above-described specific embodiments are merely illustrative, not restrictive, and many forms can be made by those having ordinary skill in the art without departing from the spirit of the present invention and the scope of the appended claims, which are included in the protection of the present invention.

Claims (2)

1. The federal anomaly detection method across the multi-attribute network is characterized by comprising the following steps:
step one, constructing a public network and a plurality of private networks according to requirements, and calculating abnormal attribute values of nodes;
constructing a plurality ofAttribute network G * ={G i I e {0,1,. }, N }, where G i =(V i ,P i ,E i ) Represents the ith network, V i 、P i 、E i Respectively represent G i Node set, edge set, exception attribute set, N is the number of attribute networks, G 0 Is a public network, and the rest of the networks are private networks; the multi-network can be formed by dividing data from the same source according to time, and can also be formed by directly adopting data from a plurality of different sources;
the calculation of the abnormal attribute value of the node adopts an empirical p value, so that the abnormal attribute value of the node is mapped in the range of [0,1], and the specific method is as follows:
if the node attribute is counted by time, the attribute value of the node v in the time t is recorded as an observed value c t The attribute value of the node before the time t is taken as a contrast value c l Calculating the p value of the node v at time t according to the following formula;
Figure FDA0003568034460000011
if not based on time statistics, the attribute value of v is taken as an observed value c v The attribute value of other nodes of the network is taken as a contrast value c d Calculating a p value according to the following formula;
Figure FDA0003568034460000012
wherein n is the number of nodes of the network to which the node belongs;
step two, an abnormal threshold value alpha and an alignment threshold value sigma are set, and a result set U is initialized m For the empty set, the iteration times m=0, inputting an edge set and an abnormal attribute set of a public network and all private networks;
marking the node with the abnormal attribute value less than or equal to alpha as an abnormal node;
pairs of nodes (v) with alignment probability greater than sigma i ,v j ),v i And v j Are all denoted as alignment nodes, where v i And v j The nodes v of the ith network and the jth network are respectively derived from different networks;
U m initializing an empty set for a set of aligned abnormal subgraphs of all private networks on a public network finally;
step three, each private network downloads a public network to a local area and performs prealignment with the public network respectively to obtain an alignment probability matrix set H;
step four, obtaining the last iteration result, each private network G j First locally aligned with it, then each private network maximum anomaly subgraph S is detected i * Maximum anomaly subgraph S of each private network i * Alignment with public network to obtain U i * And U is combined with i * Uploading to the cloud;
in order to obtain the anomaly score of each private network anomaly subgraph, a non-parametric graph scan statistic F is introduced as a scoring function in the form of:
Figure FDA0003568034460000021
in the method, in the process of the invention,
Figure FDA0003568034460000022
is a statistical function, S i * Is G i Alpha is the anomaly threshold value of the node, N α (S i * ) Is S i * The number of abnormal nodes, N (S) i * ) Is S i * The number of all nodes in the network; furthermore, to guarantee maximum abnormality, +.>
Figure FDA0003568034460000023
Two attributes are satisfied: />
Figure FDA0003568034460000024
With N α (S i * ) Monotonically increasing; />
Figure FDA0003568034460000025
With N (S) i * )-N α (S i * ) Monotonically decreasing; thus use the Higher Criticum statistic as +.>
Figure FDA0003568034460000026
Figure FDA0003568034460000027
Fifthly, merging the results uploaded by each private network at the cloud end, aligning with the public network U, and obtaining all aligned abnormal subgraphs U * Summarizing into a set U m+1
In order to obtain the alignment score of the alignment anomaly subgraph corresponding to each network, a statistic Q is introduced as a scoring function, and the form is as follows:
Figure FDA0003568034460000028
where σ is the alignment threshold, N σ (S i * U) is S i * With the number of aligned nodes in U, N (S i * ) Is S i * N (U) is the number of all nodes in U; the alignment probability of the node is from the pre-alignment matrix junction set h= (H) ij ),H ij Is G i And G j Ji Gailv matrix of pairs (i +.j);
step six, aligning the cloud end with the result U m+1 Distributing to each private network;
step seven, when U m =U m+1 At the time, the aligned abnormal subgraph S is returned i * And U * The method comprises the steps of carrying out a first treatment on the surface of the Otherwise, the iteration times m=m+1, and repeating the steps four to six until the stopping condition of the step seven is met.
2. The method for federal anomaly detection across a multi-attribute network according to claim 1, wherein the step three is characterized by the process of obtaining the alignment probability matrix set H: the method is realized by referring to a multi-network alignment method CrossMNA, a local private network, a downloaded public network edge set and a known anchor link are input, the training ratio is set to be 1.0, the training times are 400, and a pair Ji Maolian matrix H between networks is obtained ij Summarizing to obtain H; wherein H is ij Is G i And G j The pair Ji Gailv matrix of nodes between the nodes has the dimension of |V i |×|V j I, each value H in the matrix ij (v i ,v j ) Represented by node v i And node v j The alignment probability for the anchor node is in the range of [0,1]A larger value indicates a higher alignment probability and a 1 indicates that the two nodes are known anchor nodes.
CN202210310593.6A 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks Active CN114884688B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210310593.6A CN114884688B (en) 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210310593.6A CN114884688B (en) 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks

Publications (2)

Publication Number Publication Date
CN114884688A CN114884688A (en) 2022-08-09
CN114884688B true CN114884688B (en) 2023-07-04

Family

ID=82668096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210310593.6A Active CN114884688B (en) 2022-03-28 2022-03-28 Federal anomaly detection method across multi-attribute networks

Country Status (1)

Country Link
CN (1) CN114884688B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104303153A (en) * 2012-03-22 2015-01-21 洛斯阿拉莫斯国家安全股份有限公司 Path scanning for the detection of anomalous subgraphs, anomaly/change detection and network situational awareness
CN110795807A (en) * 2019-10-28 2020-02-14 天津大学 Complex network-based element abnormal structure detection model construction method
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
CN112288094A (en) * 2020-10-09 2021-01-29 武汉大学 Federal network representation learning method and system
CN113469234A (en) * 2021-06-24 2021-10-01 成都卓拙科技有限公司 Network flow abnormity detection method based on model-free federal meta-learning
CN113656802A (en) * 2021-07-19 2021-11-16 同盾科技有限公司 Knowledge federation undirected graph-based federated loop detection method, system, device and medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10341253B2 (en) * 2016-09-19 2019-07-02 Accenture Global Solutions Limited Automatic consolidation of network resources
EP3333770A1 (en) * 2016-12-09 2018-06-13 Fujitsu Limited Matching graph entities in graph data
CN110569897A (en) * 2019-08-30 2019-12-13 天津大学 Community detection method in scale-free attribute network based on generative model
CN111737647A (en) * 2020-05-19 2020-10-02 北京明略软件系统有限公司 Method and device for detecting abnormal connected subgraph
CN112738015B (en) * 2020-10-28 2023-05-02 北京工业大学 Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN112650968B (en) * 2020-11-18 2022-07-12 天津大学 Abnormal subgraph detection method based on abnormal alignment model for multiple networks
CN112422571A (en) * 2020-11-19 2021-02-26 天津大学 Method for carrying out exception alignment across multiple attribute networks
CN112417303A (en) * 2020-12-09 2021-02-26 天津大学 Evolution algorithm for detecting multiple abnormal subgraphs from dynamic attribute graph
CN112836713A (en) * 2021-03-12 2021-05-25 南京大学 Image anchor-frame-free detection-based mesoscale convection system identification and tracking method
CN113468382B (en) * 2021-07-01 2024-04-02 同盾控股有限公司 Knowledge federation-based multiparty loop detection method, device and related equipment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104303153A (en) * 2012-03-22 2015-01-21 洛斯阿拉莫斯国家安全股份有限公司 Path scanning for the detection of anomalous subgraphs, anomaly/change detection and network situational awareness
CN110795807A (en) * 2019-10-28 2020-02-14 天津大学 Complex network-based element abnormal structure detection model construction method
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
CN112288094A (en) * 2020-10-09 2021-01-29 武汉大学 Federal network representation learning method and system
CN113469234A (en) * 2021-06-24 2021-10-01 成都卓拙科技有限公司 Network flow abnormity detection method based on model-free federal meta-learning
CN113656802A (en) * 2021-07-19 2021-11-16 同盾科技有限公司 Knowledge federation undirected graph-based federated loop detection method, system, device and medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Anomaly-Structured Maximization to Query in Attributed Networks";NanNan Wu等;《https://arxiv.org/abs/2108.07405》;全文 *
"基于联邦学习的网络异常检测";赵英等;《北京化工大学学报(自然科学版)》;全文 *
武南南等."基于GSA与DE优化混合核ELM的网络异常检测模型".《计算机工程》.2021,全文. *

Also Published As

Publication number Publication date
CN114884688A (en) 2022-08-09

Similar Documents

Publication Publication Date Title
Chen et al. Differentially private transit data publication: a case study on the montreal transportation system
Olszewski Fraud detection using self-organizing map visualizing the user profiles
CN109800573B (en) Social network protection method based on degree anonymity and link disturbance
Liu et al. Backdoor attacks and defenses in feature-partitioned collaborative learning
CN112422571A (en) Method for carrying out exception alignment across multiple attribute networks
Li et al. Retracted: Design of multimedia blockchain privacy protection system based on distributed trusted communication
Yin et al. GANs based density distribution privacy-preservation on mobility data
Zhao et al. Federatedreverse: A detection and defense method against backdoor attacks in federated learning
CN114401136B (en) Rapid anomaly detection method for multiple attribute networks
CN111475838B (en) Deep neural network-based graph data anonymizing method, device and storage medium
Jiang et al. Federated dynamic graph neural networks with secure aggregation for video-based distributed surveillance
Qian et al. Social network de-anonymization: More adversarial knowledge, more users re-identified?
Ding et al. AnoGLA: An efficient scheme to improve network anomaly detection
CN112560059B (en) Vertical federal model stealing defense method based on neural pathway feature extraction
CN114884688B (en) Federal anomaly detection method across multi-attribute networks
Zheng et al. Wmdefense: Using watermark to defense byzantine attacks in federated learning
CN117272195A (en) Block chain abnormal node detection method and system based on graph convolution attention network
Concone et al. A novel recruitment policy to defend against sybils in vehicular crowdsourcing
CN115883213A (en) APT detection method and system based on continuous time dynamic heterogeneous graph neural network
Srilatha et al. DDoSNet: A Deep Learning Model for detecting Network Attacks in Cloud Computing
Tang et al. A novel LDoS attack detection method based on reconstruction anomaly
WO2022146802A1 (en) Systems and methods for detecting malicious network traffic using multi-domain machine learning
Shen et al. Coordinated attacks against federated learning: A multi-agent reinforcement learning approach
Shah Understanding and study of intrusion detection systems for various networks and domains
Chinnici et al. The network topology of connecting things: defence of IoT graph in the smart city

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant