CN115277185A - Operation and maintenance system anomaly detection method based on graph neural network

Info

Publication number: CN115277185A
Authority: CN (China)
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN202210885831.6A
Other languages: Chinese (zh)
Other versions: CN115277185B (en)
Inventors: 刘东海, 徐育毅, 庞辉富
Current Assignee: Hangzhou Youyun Software Co ltd, Beijing Guangtong Youyun Technology Co ltd (the listed assignees may be inaccurate)
Original Assignee: Hangzhou Youyun Software Co ltd, Beijing Guangtong Youyun Technology Co ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • G06F11/3452 Performance evaluation by statistical analysis
    • G06F11/3476 Data logging
    • G06N3/08 Learning methods
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides an operation and maintenance system anomaly detection method based on a graph neural network, which comprises the following steps: extracting monitoring characteristics of each device in the operation and maintenance system, and establishing an undirected graph of the operation and maintenance system based on the monitoring characteristics; extracting the running state characteristics of each device in the operation and maintenance system as the node attributes of the corresponding nodes; constructing an attribute relation graph of the operation and maintenance system according to the undirected graph and the node attributes; inputting the generated attribute relation graph of the operation and maintenance system into a graph neural network model, and training the graph neural network model; and acquiring an attribute relation graph of the operation and maintenance system to be classified, inputting it into the trained graph neural network model, and identifying abnormal behaviors of the operation and maintenance system. The beneficial effects of the invention are as follows: by introducing the graph neural network, the method considers not only the current device but also the characteristics of its associated devices when judging whether a device is abnormal, and performs fusion analysis on the characteristics of the current device and the associated devices through an algorithm, so that more comprehensive detection accuracy is achieved.

Description

Operation and maintenance system anomaly detection method based on graph neural network
Technical Field
The invention relates to the technical field of network security, in particular to an operation and maintenance system anomaly detection method based on a graph neural network.
Background
In an IT analysis system, whether a device is abnormal can generally be judged from the historical behavior of its various operation indexes, for example a sudden increase or decrease in traffic. A number of artificial intelligence algorithms have also been introduced into the anomaly analysis process. However, current methods analyze devices only in isolation and do not consider that when one device runs abnormally, the devices connected to it may also become abnormal.
Disclosure of Invention
The invention aims to overcome the defects in the prior art and provides an operation and maintenance system anomaly detection method based on a graph neural network.
The object of the present invention is achieved by the following technical means. An operation and maintenance system anomaly detection method based on a graph neural network comprises the following steps:
(1) Extracting the monitoring characteristics of each device in the operation and maintenance system, establishing an undirected graph of the operation and maintenance system based on the monitoring characteristics, wherein each node in the undirected graph represents one device;
(2) Extracting the running state characteristics of each device in the operation and maintenance system as the node attributes of the corresponding nodes;
(3) Constructing an attribute relation graph of the operation and maintenance system according to the undirected graph and the node attributes;
(4) Inputting the generated attribute relational graph of the operation and maintenance system into a graph neural network model, training through the graph neural network model, and obtaining an abnormal behavior detection classification result of the operation and maintenance system through the trained graph neural network model;
(5) Acquiring an attribute relation graph of the operation and maintenance system to be classified, inputting it into the trained graph neural network model, and identifying abnormal behaviors of the operation and maintenance system.
Furthermore, in the step (1), the monitoring features of each device in the operation and maintenance system are extracted, and the specific method is as follows: extracting index data of each device, wherein the index data comprises disk space, disk occupancy rate, CPU occupancy rate, memory occupancy rate, firewall opening state, port use condition, starting items and database use condition; and recording the index data according to a time period to obtain monitoring characteristics.
Furthermore, in the step (2), the operation state features of each device in the operation and maintenance system are extracted, and the specific method is as follows: extracting operation state data of each device, wherein the operation state data comprises network traffic data, query rate per second QPS and network traffic data off-peak value of each device, and the network traffic data comprises received network traffic data volume, sent network traffic data volume, received network data packet total volume, sent network data packet total volume, discarded network data packet number and error network data packet number; and recording the running state data according to a time period to obtain running state characteristics.
Further, in step (3), an attribute relation graph $G = (V, E, X)$ of the operation and maintenance system is constructed according to the undirected graph and the node attributes, where $V$ represents the set of device nodes in the operation and maintenance system, $V = \{v_m\}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, and $v_m$ denotes the device of node $m$; $E$ denotes the set of undirected edges constructed based on the monitoring characteristics of the devices, $E = \{e_{ij}\}$, $i, j = 1, 2, \dots, n$, where $e_{ij}$ denotes the undirected edge between node $i$ and node $j$: if $v_i$ and $v_j$ are associated, then $e_{ij} = 1$, otherwise $0$; $v_i$ denotes the device of node $i$ and $v_j$ denotes the device of node $j$; $X$ represents the set of node attributes, $X = \{x_m\}$, $m = 1, 2, \dots, n$, where $x_m$ represents the operating state characteristics of node $m$.
Furthermore, the method for constructing the relation graph specifically comprises the following steps:
(1) Calculating the similarity between $v_i$ and the other nodes, and constructing a similarity matrix $S$;
Figure BDA0003765839930000021
wherein $s_{ij}$ represents the similarity of node $i$ and node $j$, and $s_{11} = s_{22} = \dots = s_{nn} = 1$;
(2) Obtaining an adjacency matrix $A$ according to the similarity matrix $S$;
Figure BDA0003765839930000031
wherein $a_{ij}$ represents the similarity of node $i$ and node $j$ in the adjacency matrix, and $a_{11} = a_{22} = \dots = a_{nn} = 1$;
(3) Calculating the network traffic data off-peak value $U_m$ of each node in the running state characteristics:
$U_m = f_m \cdot e^{p_m}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, $f_m$ denotes the kurtosis of the network traffic data of node $m$, and $p_m$ denotes the skewness of the network traffic data of node $m$;
(4) Calculating the average value $U_{avg}$ of the network traffic data off-peak values of all the nodes;
When $1 \le (U_{avg}/U_i)/(U_{avg}/U_j) < 1.05$ or $1 \le (U_{avg}/U_j)/(U_{avg}/U_i) \le 1.05$, or $s_{ij} > \lambda$, the adjacency matrix $A$ is modified: for $i \ne j$, let $a_{ij} = a_{ji} = 1$, otherwise $a_{ij} = a_{ji} = 0$; when $i = j$, $a_{11} = a_{22} = \dots = a_{nn} = 1$;
wherein $U_i$ represents the network traffic data off-peak value of node $i$, $U_j$ represents the network traffic data off-peak value of node $j$, $\lambda$ is a threshold value, and $a_{ji}$ represents the similarity of node $j$ and node $i$ in the adjacency matrix;
(5) When $a_{ij} = a_{ji} = 1$, $v_i$ and $v_j$ are associated, and the undirected edge set $E$ is modified so that $e_{ij} = 1$.
The invention has the beneficial effects that: the invention introduces the graph neural network, when judging whether a certain device is abnormal, not only the current device but also the characteristics of the associated devices are considered, and the characteristics of the current device and the associated devices are subjected to fusion analysis through an algorithm, so that more comprehensive detection accuracy is achieved.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
The invention is described in detail below with reference to the drawings:
As shown in FIG. 1, an operation and maintenance system anomaly detection method based on a graph neural network includes the following steps:
(1) Extracting the monitoring characteristics of each device in the operation and maintenance system, establishing an undirected graph of the operation and maintenance system based on the monitoring characteristics, wherein each node in the undirected graph represents one device;
The method for extracting the monitoring characteristics of each device in the operation and maintenance system is as follows: extracting index data of each device, wherein the index data comprises disk space, disk occupancy rate, CPU occupancy rate, memory occupancy rate, firewall opening state, port use condition, starting items and database use condition; since these data fluctuate with the service demand within one day, the index data need to be recorded per time period to obtain the monitoring characteristics.
In this embodiment, only several of these indexes are used. Specifically, the monitoring feature vector of the device v can be expressed as: (Diskv_t, Diskv, CPUv, ROMv, wv, portv, sv);
wherein Diskv_t represents the disk space of the device v, Diskv represents the disk occupancy of the device v, CPUv represents the CPU occupancy of the device v, ROMv represents the memory occupancy of the device v, wv represents whether the device v has its firewall open (1 represents open, 0 represents not open), portv represents the number of ports opened by the device v, and sv represents the number of startup items of the device v.
(2) Extracting the running state characteristics of each device in the operation and maintenance system as the node attributes of the corresponding nodes, wherein the specific method comprises the following steps:
Extracting operation state data of each device, wherein the operation state data comprises network traffic data, query rate per second QPS and network traffic data off-peak value of each device, and the network traffic data comprises received network traffic data volume, sent network traffic data volume, received network data packet total volume, sent network data packet total volume, discarded network data packet number and error network data packet number; since these data fluctuate with the service demand within one day, the operation state data need to be recorded with a period of one hour to obtain the operation state characteristics.
In this embodiment, only several of these indexes are used. Specifically, the running state feature vector of the device v may be represented as: (R_v, S_v, Rp_v, Sp_v, L_v, Wr_v, QPS_v, U_v)
wherein R_v represents the network traffic data volume received by the device v, S_v represents the network traffic data volume sent by the device v, Rp_v represents the total amount of network packets sent by the device v, Sp_v represents the total amount of network packets received, L_v represents the total amount of packets discarded by the device v, Wr_v represents the total amount of packets with errors on the device v, QPS_v represents the average value of the query rate per second of the device v within one hour, and U_v represents the network traffic data off-peak value of the device v.
$U_v = U_m = f_m \cdot e^{p_m}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, $f_m$ denotes the kurtosis of the network traffic data of node $m$, and $p_m$ denotes the skewness of the network traffic data of node $m$.
(3) Constructing an attribute relation graph G of the operation and maintenance system according to the undirected graph and the node attributes;
$G = (V, E, X)$, wherein $V$ represents the set of device nodes in the operation and maintenance system, $V = \{v_m\}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, and $v_m$ denotes the device of node $m$; $E$ denotes the set of undirected edges constructed based on the monitoring characteristics of the devices, $E = \{e_{ij}\}$, $i, j = 1, 2, \dots, n$, where $e_{ij}$ denotes the undirected edge between node $i$ and node $j$: if $v_i$ and $v_j$ are associated, then $e_{ij} = 1$, otherwise $0$; $v_i$ denotes the device of node $i$ and $v_j$ denotes the device of node $j$; $X$ represents the set of node attributes, $X = \{x_m\}$, $m = 1, 2, \dots, n$, where $x_m$ represents the operating state characteristics of node $m$;
The method specifically comprises the following steps:
(3.1) Treating the monitoring characteristics and the running state characteristics of each device in the operation and maintenance system as a node $v_i$, the Heat Kernel algorithm is used to calculate the similarity between $v_i$ and the remaining nodes, which is defined as the similarity between the nodes. The similarity of each node with the other nodes is calculated, and a similarity matrix $S$ is constructed;
Figure BDA0003765839930000051
wherein $s_{ij}$ represents the similarity of node $i$ and node $j$, and $s_{11} = s_{22} = \dots = s_{nn} = 1$;
(3.2) Obtaining an adjacency matrix $A$ according to the similarity matrix $S$;
Figure BDA0003765839930000052
wherein $a_{ij}$ represents the similarity of node $i$ and node $j$ in the adjacency matrix, and $a_{11} = a_{22} = \dots = a_{nn} = 1$;
(3.3) Calculating the network traffic data off-peak value $U_m$ of each node in the running state characteristics:
$U_m = f_m \cdot e^{p_m}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, $f_m$ denotes the kurtosis of the network traffic data of node $m$, and $p_m$ denotes the skewness of the network traffic data of node $m$;
(3.4) Calculating the average value $U_{avg}$ of the network traffic data off-peak values of all the nodes;
When $1 \le (U_{avg}/U_i)/(U_{avg}/U_j) < 1.05$ or $1 \le (U_{avg}/U_j)/(U_{avg}/U_i) \le 1.05$, or $s_{ij} > \lambda$, the adjacency matrix $A$ is modified: for $i \ne j$, let $a_{ij} = a_{ji} = 1$, otherwise $a_{ij} = a_{ji} = 0$; when $i = j$, $a_{11} = a_{22} = \dots = a_{nn} = 1$;
wherein $U_i$ represents the network traffic data off-peak value of node $i$, $U_j$ represents the network traffic data off-peak value of node $j$, and $a_{ji}$ represents the similarity of node $j$ and node $i$ in the adjacency matrix; $\lambda$ is a threshold value, which can be manually specified in advance or obtained by training on a small batch of samples.
(3.5) When $a_{ij} = a_{ji} = 1$, $v_i$ and $v_j$ are associated, and the undirected edge set $E$ is modified so that $e_{ij} = 1$, i.e. the undirected edge set $E$ is updated. The core of the invention is the determination of $E$: the characteristics of the current device and of its associated devices are subjected to fusion analysis through an algorithm, so that the information of the nodes can be fully integrated, and a new node representation is obtained by aggregating the characteristics of each node with the characteristics of its associated nodes.
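Steps (3.1) to (3.5) can be traced end to end in a few lines of Python. This is an added example, not code from the patent: it assumes a Gaussian heat kernel $s_{ij} = e^{-\lVert x_i - x_j \rVert^2 / t}$, moment-based (Pearson) skewness and kurtosis, features already scaled to [0, 1], and $\lambda = 0.8$; the device names and all sample values are constructed.

```python
import math

# Constructed sample data (not from the patent). Features are assumed pre-scaled to [0, 1].
DEVICES = ["web-1", "web-2", "db-1", "cache-1", "idle-1"]
FEATURES = [
    [0.50, 0.40, 0.10],
    [0.52, 0.41, 0.12],
    [0.90, 0.80, 0.70],
    [0.10, 0.95, 0.30],
    [0.05, 0.05, 0.05],
]
TRAFFIC = [  # one traffic sample per period for each device
    [5, 6, 5, 6, 5, 6],
    [5, 7, 5, 7, 5, 7],
    [10, 12, 11, 40, 10, 11],
    [20, 24, 22, 80, 20, 22],
    [0, 0, 0, 0, 0, 0],   # flat-lined device: moments are undefined
]


def off_peak(series):
    """Step (3.3): U_m = f_m * e^(p_m), kurtosis times exp(skewness)."""
    n = len(series)
    mean = sum(series) / n
    m2 = sum((x - mean) ** 2 for x in series) / n
    if m2 == 0:
        return None  # constant series has no skewness or kurtosis
    m3 = sum((x - mean) ** 3 for x in series) / n
    m4 = sum((x - mean) ** 4 for x in series) / n
    skewness = m3 / m2 ** 1.5
    kurtosis = m4 / m2 ** 2  # assumption: Pearson kurtosis, not excess kurtosis
    return kurtosis * math.exp(skewness)


def heat_kernel(x, y, t=1.0):
    """Step (3.1): assumed heat-kernel form exp(-||x - y||^2 / t)."""
    d2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-d2 / t)


def build_adjacency(features, traffic, lam=0.8, t=1.0, band=1.05):
    """Steps (3.1)-(3.5): return similarity matrix S, off-peak values U, adjacency A."""
    n = len(features)
    S = [[heat_kernel(features[i], features[j], t) for j in range(n)] for i in range(n)]
    U = [off_peak(series) for series in traffic]
    defined = [u for u in U if u is not None]
    u_avg = sum(defined) / len(defined) if defined else None  # step (3.4)
    A = [[1 if i == j else 0 for j in range(n)] for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            linked = S[i][j] > lam
            if not linked and U[i] is not None and U[j] is not None:
                # Ratio test exactly as written in step (3.4).
                q = (u_avg / U[i]) / (u_avg / U[j])
                linked = (1 <= q < band) or (1 <= 1 / q <= band)
            A[i][j] = A[j][i] = 1 if linked else 0  # step (3.5): e_ij = a_ij
    return S, U, A


def edges(names, A):
    """Undirected edge set E as a list of device-name pairs."""
    n = len(names)
    return [(names[i], names[j]) for i in range(n) for j in range(i + 1, n) if A[i][j]]


if __name__ == "__main__":
    S, U, A = build_adjacency(FEATURES, TRAFFIC)
    for name, u in zip(DEVICES, U):
        print(name, "U =", u)
    print("E =", edges(DEVICES, A))
```

Because $U_{avg}$ cancels in the quotient, the ratio test reduces to whether $U_i$ and $U_j$ lie within 5% of each other. Under the "or" rule, two devices with similarly shaped traffic are linked even when their monitoring features differ, which is why db-1 and cache-1 are joined in this constructed data.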
(4) Inputting the generated attribute relation graph G of the operation and maintenance system into a graph neural network model, training the graph neural network model, and obtaining abnormal behavior detection classification results of the operation and maintenance system through the trained graph neural network model; in some embodiments of the present invention, the graph neural network model used may be an existing model such as a graph convolutional network (GCN), GraphSAGE, or a graph attention network (GAT), or may be another emerging graph neural network model suitable for the present invention. The input of the model can be expressed as [label, node number, equipment monitoring characteristic, running state characteristic], and the trained model is output and stored.
(5) Acquiring an attribute relation graph of the operation and maintenance system to be classified (unknown equipment), inputting it into the trained graph neural network model, and identifying abnormal behaviors of the operation and maintenance system, namely judging the abnormal state of every device in the operation and maintenance system.
It should be understood that equivalent substitutions and changes to the technical solution and the inventive concept of the present invention made by those skilled in the art shall fall within the protection scope of the appended claims.

Claims (5)

1. An operation and maintenance system anomaly detection method based on a graph neural network, characterized in that the method comprises the following steps:
(1) Extracting monitoring characteristics of each device in the operation and maintenance system, and establishing an undirected graph of the operation and maintenance system based on the monitoring characteristics, wherein each node in the undirected graph represents one device;
(2) Extracting the running state characteristics of each device in the operation and maintenance system to be used as the node attributes of the corresponding nodes;
(3) Constructing an attribute relation graph of the operation and maintenance system according to the undirected graph and the node attributes;
(4) Inputting the generated attribute relational graph of the operation and maintenance system into a graph neural network model, training through the graph neural network model, and obtaining an abnormal behavior detection classification result of the operation and maintenance system through the trained graph neural network model;
(5) Acquiring an attribute relation graph of the operation and maintenance system to be classified, inputting it into the trained graph neural network model, and identifying abnormal behaviors of the operation and maintenance system.
2. The abnormal detection method for the operation and maintenance system based on the graph neural network as claimed in claim 1, wherein the abnormal detection method comprises the following steps: in the step (1), the monitoring characteristics of each device in the operation and maintenance system are extracted, and the specific method comprises the following steps: extracting index data of each device, wherein the index data comprises disk space, disk occupancy rate, CPU occupancy rate, memory occupancy rate, firewall opening state, port use condition, starting items and database use condition; and recording the index data according to a time period to obtain monitoring characteristics.
3. The method for detecting the abnormity of the operation and maintenance system based on the graph neural network as claimed in claim 2, wherein: in the step (2), the operation state features of each device in the operation and maintenance system are extracted, and the specific method is as follows: extracting operation state data of each device, wherein the operation state data comprises network traffic data, query rate per second QPS and network traffic data off-peak value of each device, and the network traffic data comprises received network traffic data volume, sent network traffic data volume, received network data packet total volume, sent network data packet total volume, discarded network data packet number and error network data packet number; and recording the running state data according to a time period to obtain running state characteristics.
4. The method for detecting the anomaly of the operation and maintenance system based on the graph neural network as claimed in claim 3, wherein: in the step (3), an attribute relation graph $G = (V, E, X)$ of the operation and maintenance system is constructed according to the undirected graph and the node attributes, where $V$ represents the set of device nodes in the operation and maintenance system, $V = \{v_m\}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, and $v_m$ denotes the device of node $m$; $E$ denotes the set of undirected edges constructed based on the monitoring characteristics of the devices, $E = \{e_{ij}\}$, $i, j = 1, 2, \dots, n$, where $e_{ij}$ denotes the undirected edge between node $i$ and node $j$: if $v_i$ and $v_j$ are associated, then $e_{ij} = 1$, otherwise $0$; $v_i$ denotes the device of node $i$ and $v_j$ denotes the device of node $j$; $X$ represents the set of node attributes, $X = \{x_m\}$, $m = 1, 2, \dots, n$, where $x_m$ represents the operating state characteristics of node $m$.
5. The operation and maintenance system anomaly detection method based on the graph neural network according to claim 4, characterized in that the method comprises the following steps:
(5.1) calculating the similarity between $v_i$ and the other nodes, and constructing a similarity matrix $S$;
Figure FDA0003765839920000021
wherein $d_{ij}$ represents the similarity of node $i$ and node $j$, and $s_{11} = s_{22} = \dots = s_{nn} = 1$;
(5.2) obtaining an adjacency matrix $A$ according to the similarity matrix $S$;
Figure FDA0003765839920000022
wherein $s_{ij}$ represents the similarity of node $i$ and node $j$ in the adjacency matrix, and $a_{11} = a_{22} = \dots = a_{nn} = 1$;
(5.3) calculating the network traffic data off-peak value $U_m$ of each node in the running state characteristics:
$U_m = f_m \cdot e^{p_m}$, $m = 1, 2, \dots, n$, where $m$ denotes a node, $n$ denotes the number of nodes, $f_m$ denotes the kurtosis of the network traffic data of node $m$, and $p_m$ denotes the skewness of the network traffic data of node $m$;
(5.4) calculating the average value $U_{avg}$ of the network traffic data off-peak values of all the nodes;
When $1 \le (U_{avg}/U_i)/(U_{avg}/U_j) < 1.05$ or $1 \le (U_{avg}/U_j)/(U_{avg}/U_i) \le 1.05$, or $s_{ij} > \lambda$, the adjacency matrix $A$ is modified: for $i \ne j$, let $a_{ij} = a_{ji} = 1$, otherwise $a_{ij} = a_{ji} = 0$; when $i = j$, $a_{11} = a_{22} = \dots = a_{nn} = 1$;
wherein $U_i$ represents the network traffic data off-peak value of node $i$, $U_j$ represents the network traffic data off-peak value of node $j$, $\lambda$ is a threshold value, and $a_{ji}$ represents the similarity of node $j$ and node $i$ in the adjacency matrix;
(5.5) when $a_{ij} = a_{ji} = 1$, $v_i$ and $v_j$ are associated, and the undirected edge set $E$ is modified so that $e_{ij} = 1$.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210885831.6A CN115277185B (en) 2022-07-26 2022-07-26 Operation and maintenance system anomaly detection method based on graph neural network

Publications (2)

Publication Number Publication Date
CN115277185A (en) 2022-11-01
CN115277185B (en) 2024-02-20

Family

ID=83768329

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210885831.6A Active CN115277185B (en) 2022-07-26 2022-07-26 Operation and maintenance system anomaly detection method based on graph neural network

Country Status (1)

Country Link
CN (1) CN115277185B (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant